
Re: OCP: Failed to push image: unauthorized: authentication required





On Thu, Oct 26, 2017 at 12:43 PM, Lionel Orellana <lionelve gmail com> wrote:
This works. Would have thought the api server address was added automatically to NO_PROXY?

it's supposed to be, but i do think there is a bug open where people have seen it not be added:
https://bugzilla.redhat.com/show_bug.cgi?id=1504464

 

-bash-4.2$ oc rsh docker-registry-1-9z8p2
sh-4.2$ export NO_PROXY=$NO_PROXY,172.23.192.1
sh-4.2$ oc whoami
system:serviceaccount:default:registry
sh-4.2$ 

On 26 October 2017 at 20:54, Ben Parees <bparees redhat com> wrote:


On Thu, Oct 26, 2017 at 11:50 AM, Lionel Orellana <lionelve gmail com> wrote:
I didn't put it there.

In another cluster this works.

-bash-4.2$ oc rsh docker-registry-9-c9mgd oc whoami
system:serviceaccount:default:registry

-bash-4.2$ oc rsh docker-registry-9-c9mgd which oc
/usr/bin/oc


ok, it looks like it was removed on 3.7.

Anyway you've certainly established there is a networking issue between your registry pod and the api server in your cluster
(but oddly not between other pods and the api server). Adding the networking team to the thread.


 

On 26 October 2017 at 20:37, Ben Parees <bparees redhat com> wrote:


On Thu, Oct 26, 2017 at 10:53 AM, Lionel Orellana <lionelve gmail com> wrote:
Interestingly 

-bash-4.2$ oc rsh router-1-bf95x oc whoami
system:serviceaccount:default:router
-bash-4.2$ oc rsh docker-registry-1-9z8p2 oc whoami
Unable to connect to the server: Service Unavailable
command terminated with exit code 1

the registry image doesn't even contain an oc client binary (unless you put one there?) so i'm not sure what that is doing.

 

On 26 October 2017 at 19:50, Lionel Orellana <lionelve gmail com> wrote:
Well this works from one of the hosts (using a token from oc whoami)

curl -X GET -H "Authorization: Bearer $TOKEN" https://172.23.192.1/oapi/v1/users/~

In the error msg 

msg="invalid token: Get https://172.23.192.1:443/oapi/v1/users/~: Service Unavailable"

I wonder if the invalid token part is the issue.

On 26 October 2017 at 19:16, Ben Parees <bparees redhat com> wrote:


On Thu, Oct 26, 2017 at 8:11 AM, Lionel Orellana <lionelve gmail com> wrote:
Hi,

In a new OCP 3.6 installation I'm trying to deploy JBoss EAP 7.0 from the catalog. 

This is in a project for which I am the admin.

It's failing to push the image to the registry 

Pushing image docker-registry.default.svc:5000/bimorl/jboss-eap70:latest ...
Registry server Address: 
Registry server User Name: serviceaccount
Registry server Email: serviceaccount example org
Registry server Password: <<non-empty>>
error: build error: Failed to push image: unauthorized: authentication required

In the registry logs I see

172.23.140.1 - - [26/Oct/2017:05:08:19 +0000] "GET /openshift/token?account=serviceaccount&scope=repository%3Abimorl%2Fjboss-eap70%3Apush%2Cpull HTTP/1.1" 401 0 "" "docker/1.12.6 go/go1.8.3 kernel/3.10.0-693.2.2.el7.x86_64 os/linux arch/amd64 UpstreamClient(go-dockerclient)"
time="2017-10-26T05:08:19.116844289Z" level=debug msg="invalid token: Get https://172.23.192.1:443/oapi/v1/users/~: Service Unavailable" go.version=go1.7.6 http.request.host="docker-registry.default.svc:5000" http.request.id=467674a1-8618-4986-9e7f-b92a06afa43d http.request.method=GET http.request.remoteaddr="172.23.140.1:38284" http.request.uri="/openshift/token?account=serviceaccount&scope=repository%3Abimorl%2Fjboss-eap70%3Apush%2Cpull" http.request.useragent="docker/1.12.6 go/go1.8.3 kernel/3.10.0-693.2.2.el7.x86_64 os/linux arch/amd64 UpstreamClient(go-dockerclient)" instance.id=e5e8a55e-c3bc-4dfa-a706-e844ddbbdf44 openshift.logger=registry

sounds like your registry is unable to reach your api server. I would check if other pods running within your cluster are able to access the api server (i.e. run oc client commands from within a pod, against the kubernetes service ip)

 

Any ideas?

Thanks







--
Ben Parees | OpenShift
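
The fix reached in this thread (adding the API server address to NO_PROXY in the registry pod) can be checked before a push fails. The following is an added example, not part of the original messages or of OpenShift: the function names `no_proxy_covers` and `api_route` are hypothetical, the matching rules (exact or domain-suffix match, no CIDR) are an assumption about client behaviour, and `KUBERNETES_SERVICE_HOST` is the variable Kubernetes sets in every pod.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.

# no_proxy_covers HOST LIST: succeed if HOST is covered by the comma-separated
# LIST. Assumed matching rules: "*", exact match, or domain suffix (".svc"
# and "svc" both cover "docker-registry.default.svc"). IP addresses need an
# exact entry; CIDR ranges are not expanded, since not every client honours them.
no_proxy_covers() {
    host=$1 list=$2 found=1
    old_ifs=$IFS
    IFS=','
    set -f    # "*" is a valid entry, so no globbing while splitting
    for entry in $list; do
        entry=$(printf '%s' "$entry" | tr -d ' ')    # tolerate "a, b"
        entry=${entry#.}
        [ -n "$entry" ] || continue
        if [ "$entry" = "*" ]; then found=0; fi
        case "$host" in
            "$entry") found=0 ;;
            *[!0-9.]*) case "$host" in *".$entry") found=0 ;; esac ;;
        esac
    done
    set +f
    IFS=$old_ifs
    return $found
}

# api_route API_HOST PROXY_URL NO_PROXY_LIST: print how a proxy-aware client
# in the pod would reach the API server.
api_route() {
    if [ -z "$2" ] || no_proxy_covers "$1" "$3"; then
        echo direct
    else
        echo proxied
    fi
}

# Inside the pod (for example after `oc rsh`), report the current state.
# The fallback IP is the API service address quoted in the thread.
api_route "${KUBERNETES_SERVICE_HOST:-172.23.192.1}" \
    "${HTTPS_PROXY:-${https_proxy:-}}" "${NO_PROXY:-${no_proxy:-}}"
```

A result of `proxied` alongside the registry's `invalid token: ... Service Unavailable` log entry suggests the token check is being sent through the proxy, which is the condition the NO_PROXY change in this thread corrected.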





