
Re: Access to private Docker Hub registry not working in OpenShift v3.7



Sorry, I didn't hit reply all, so my email only went to Ben.
This is to get my response onto the mailing list since I have a
workaround that may be useful to others:


On 1 December 2017 at 13:26, Jim Barber <jim barber healthengine com au> wrote:
> On 1 December 2017 at 12:29, Ben Parees <bparees redhat com> wrote:
>>
>>
>> On Thu, Nov 30, 2017 at 8:45 PM, Jim Barber <jim barber healthengine com au>
>> wrote:
>>>
>>> Hi all.
>>>
>>> I have only very recently started investigating the use of OpenShift.
>>> One of my builds pulls a base Docker Image from our private Docker Hub
>>> repository.
>>> This was working fine in OpenShift v3.6.1, but when I tried OpenShift
>>> v3.7.0 I couldn't get it to work.
>>> The build fails early with the following error:
>>>
>>>      error: build error: failed to pull image: API error (404):
>>> {"message":"pull access denied for *REDACTED*, repository does not
>>> exist or may require 'docker login'"}
>>>
>>> I am running this on my Windows 10 based desktop.
>>> Some details of the install:
>>>
>>>     PS ~> oc version
>>>     oc v3.7.0+7ed6862
>>>     kubernetes v1.7.6+a08f5eeb62
>>>     features: Basic-Auth
>>>
>>>     Server https://10.0.75.2:8443
>>>     openshift v3.7.0+7ed6862
>>>     kubernetes v1.7.6+a08f5eeb62
>>>
>>> And I am running Docker Community Edition Version 17.09.9-ce-win33
>>> (13620) from the stable channel.
>>>
>>> Steps I performed for both v3.6.1 and v3.7.0 were as follows...
>>>
>>> - Bring up the cluster by running:
>>>
>>>     oc cluster up
>>>
>>> - Provide access to our private source code repository (this part
>>> works) like so:
>>>
>>>     oc secrets new-basicauth bitbucket --username=*REDACTED* --prompt
>>>     oc secrets link builder bitbucket
>>>
>>> - Allow my containers to use the root user by using the anyuid
>>> security context for a 'useroot' service account:
>>>
>>>     oc login -u system:admin
>>>     oc create serviceaccount useroot
>>>     oc adm policy add-scc-to-user anyuid -z useroot
>>>     oc login -u developer
>>>
>>> - Provide access to our private Docker Hub registry:
>>>
>>>     oc secrets new-dockercfg private-dockerhub --docker-server=https://index.docker.io/v1/ --docker-username=*REDACTED* --docker-password=*REDACTED* --docker-email=*REDACTED*
>>>     oc secrets link builder private-dockerhub
>>>
>>>     Note: The 'oc secrets new private-dockerhub
>>> .dockerconfigjson=config.json' command does not work on Windows, so I
>>> have to use the 'oc secrets new-dockercfg' command shown above
>>> instead.
>>>     That's because the authentication details after performing a
>>> 'docker login' end up in the Windows Credential Store, so the file's
>>> contents look like:
>>>
>>>         PS ~\.docker> cat config.json
>>>         {
>>>                "auths": {
>>>                        "https://index.docker.io/v1/": {}
>>>                },
>>>                "HttpHeaders": {
>>>                        "User-Agent": "Docker-Client/17.09.0-ce (windows)"
>>>                },
>>>                "credsStore": "wincred"
>>>         }
>>>
>>> - Create the application:
>>>
>>>     oc new-app -f test-app.yaml
>>>
>>> I went back to version 3.6.1 and repeated the above steps again and it
>>> all worked as expected.
>>
>>
>> can you compare the secret yaml from 3.6.1 and 3.7.0 to see if they are the
>> same? (they should be).
>>
>
> Hi Ben.
>
> I used 'oc export secret private-dockerhub' and base64 decoded the
> data and it was the same in both versions.
>
> However, I got it working just now.
> I spun up a Linux VM and performed a 'docker login' from there and
> copied the ~/.docker/config.json file back to my PC where I then
> imported it using:
>
>     oc secrets new private-dockerhub .dockerconfigjson=config.json
>
> Now when I export the secret, it is under:
>
>     data:
>       .dockerconfigjson:
>
> Instead of:
>
>     data:
>       .dockercfg:
>
> Did OpenShift 3.7 perhaps remove support for the old dockercfg format?
>
>
> For a Windows host such as mine, I didn't see an obvious way to sort
> this out with a single command; if you know of one I'm all ears :)
> A way I can achieve it without having to spin up a Linux VM is to
> generate the base64 string in PowerShell like so:
>
>     [Convert]::ToBase64String([System.Text.Encoding]::ASCII.GetBytes('$DOCKERHUB_USER:$DOCKERHUB_PASSWORD'))
>
> Then take the base64 string result from the above command and create a
> config.json file manually with the following contents (replacing
> $BASE64_STRING):
>
>     {
>         "auths": {
>             "https://index.docker.io/v1/": {
>                 "auth": "$BASE64_STRING"
>             }
>         }
>     }
>
> Then import that.
>
> I believe this is an issue on MacOS too because it also puts the
> details into its credential store and so the necessary details aren't
> in the ~/.docker/config.json file.
> For MacOS (and Windows with something like Cygwin installed) you can
> get the base64 string by running:
>
>     echo -n '$DOCKERHUB_USER:$DOCKERHUB_PASSWD' | base64
>
>>
>> Also if you can run the build with loglevel 5 (oc start-build
>> --build-loglevel=5) and pastebin the full log that would be helpful.
>>
>
> Well I have it all working now, but if you really need this, I could
> break things again and do this if necessary.
>
>>
>> It might also help to see your test-app.yaml so we can see your
>> buildconfiguration.
>>
>
> Just for completeness I've run 'oc export bc --as-template test-app'
> so you can see the build configuration:
>
>     apiVersion: v1
>     kind: Template
>     metadata:
>       creationTimestamp: null
>       name: *REDACTED*
>     objects:
>     - apiVersion: v1
>       kind: BuildConfig
>       metadata:
>         annotations:
>           openshift.io/generated-by: OpenShiftNewApp
>         creationTimestamp: null
>         labels:
>           app: *REDACTED*
>         name: *REDACTED*
>       spec:
>         failedBuildsHistoryLimit: 5
>         nodeSelector: null
>         output:
>           to:
>             kind: ImageStreamTag
>             name: *REDACTED*:latest
>         postCommit: {}
>         resources: {}
>         runPolicy: Serial
>         source:
>           git:
>             ref: *REDACTED*
>             uri: https://bitbucket.org/*REDACTED*
>           sourceSecret:
>             name: bitbucket
>           type: Git
>         strategy:
>           dockerStrategy:
>             pullSecret:
>               name: private-dockerhub
>           type: Docker
>         successfulBuildsHistoryLimit: 5
>         triggers:
>         - type: ConfigChange
>       status:
>         lastVersion: 0
>
>>
>>>
>>> I've gone to 3.7.0 and repeated the above steps and it doesn't work.
>>>
>>> Note that each time I changed environments I started with a clean
>>> slate by running 'oc cluster down' and then doing a factory reset of
>>> my Docker installation.
>>> Then I configured Docker with the insecure-registry and changed its
>>> storage-driver to aufs to work around an issue I get when code is
>>> checked out of our repository.
>>>
>>> Regards,
>>>
>>> Jim Barber | Site Reliability Engineer
>>>
>>
>>
>>
>>
>> --
>> Ben Parees | OpenShift
>>
>
> Jim Barber | Site Reliability Engineer
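
Added example (not part of the original thread and not OpenShift's own code): a cross-platform Python version of the manual config.json workaround described above. It also checks whether an existing config.json carries inline credentials, which the wincred file shown in the thread does not. The function names are hypothetical.

```python
import base64
import getpass
import json
import os

DOCKER_HUB = "https://index.docker.io/v1/"  # registry key used in the thread

# config.json as shown in the thread after 'docker login' on Windows:
# the credentials live in the credential store, so "auths" entries are empty.
WINCRED_SAMPLE = '{"auths": {"https://index.docker.io/v1/": {}}, "credsStore": "wincred"}'


def build_dockerconfigjson(username, password, server=DOCKER_HUB):
    """Return config.json text in the "auths" layout used for .dockerconfigjson."""
    if ":" in username:
        raise ValueError("username must not contain ':' (it separates user from password)")
    # UTF-8 keeps non-ASCII password characters intact.
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return json.dumps({"auths": {server: {"auth": token}}}, indent=4)


def usable_registries(config_text):
    """Return the registries in a config.json that carry an inline "auth" value."""
    auths = json.loads(config_text).get("auths", {})
    return [server for server, entry in auths.items() if entry.get("auth")]


def write_private(path, text):
    """Create the file with owner-only permissions; refuse to overwrite."""
    # Mode 0o600 applies on POSIX; on Windows the file inherits the folder's ACL.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        fh.write(text)


if __name__ == "__main__":
    # Prompting keeps the password out of shell history and process listings.
    user = input("Docker Hub username: ")
    config = build_dockerconfigjson(user, getpass.getpass("Docker Hub password: "))
    assert usable_registries(config) == [DOCKER_HUB]
    write_private("config.json", config)
    print("wrote config.json")
```

Import the resulting file with the command from the thread, 'oc secrets new private-dockerhub .dockerconfigjson=config.json', then delete it: the auth value is only base64-encoded, not encrypted.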

