Re: users Digest, Vol 100, Issue 10

2020-11-23 Thread Maciej Szulik
Yeah, it's a known problem that we've faced with a certain 4.5
version, can't remember which.
It was fixed in later versions of oc, so you'll just need to make sure
you have the latest 4.5 oc,
or 4.6 :)

On Sat, Nov 21, 2020 at 6:22 PM Russ Krichevskiy
 wrote:
>
> Got it. I was using older oc client version (4.5) with 4.6 cluster.
>
> On Sat, Nov 21, 2020 at 12:00 PM
>  wrote:
> >
> > Message: 1
> > Date: Sat, 21 Nov 2020 10:54:17 -0500
> > From: Russ Krichevskiy 
> > To: users 
> > Subject: Master node replacement (VMware IPI)
> > Message-ID:
> > 
> > Content-Type: text/plain; charset="UTF-8"
> >
> > I am trying to replace a failed master node that did not reboot
> > properly during upgrade (4.6.3 to 4.6.4).
> > Referencing documentation here
> > https://docs.openshift.com/container-platform/4.6/backup_and_restore/replacing-unhealthy-etcd-member.html#restore-replace-stopped-etcd-member_replacing-unhealthy-etcd-member.
> > Deleted etcd member and machine config; brought up a new node and I
> > see it rebooted.  I added its new VSphereMachineProviderSpec and it
> > shows up as provisioned in openshift-machine-api. However, it will not
> > progress any further and will not join.
> >
> > csr-zfdkh   8h  kubernetes.io/kube-apiserver-client-kubelet
> > system:serviceaccount:openshift-machine-config-operator:node-bootstrapper
> >   Pending
> >
> > $ oc adm certificate approve csr-zfdkh
> > No resources found
> > error: no kind "CertificateSigningRequest" is registered for version
> > "certificates.k8s.io/v1" in scheme
> > "k8s.io/kubectl/pkg/scheme/scheme.go:28"
> >
> > Any pointers?
> >
>
>

___
users mailing list
users@lists.openshift.redhat.com
http://lists.openshift.redhat.com/openshiftmm/listinfo/users



Re: change in new-app behavior

2020-09-07 Thread Maciej Szulik
On Fri, Sep 4, 2020 at 4:12 PM Ben Parees  wrote:
>> Hi,
>>
>> When I use an oc v4.3 client against a v4.3 server, I get:
>>
>> [zaphod@oc3027208274 tmp]$ oc new-app --name=special-sm 
>> kstephe/security-manager
>> --> Found image 8031044 (5 days old) in image stream 
>> "kstephe/security-manager" under tag "latest" for "kstephe/security-manager"
>>
>> * This image will be deployed in deployment config "special-sm"
>> * The image does not expose any ports - if you want to load balance or 
>> send traffic to this component
>>   you will need to create a service with 'oc expose dc/special-sm 
>> --port=[port]' later
>> * WARNING: Image "kstephe/security-manager:latest" runs as the 'root' 
>> user which may not be permitted by your cluster administrator
>>
>> --> Creating resources ...
>> imagestreamtag.image.openshift.io "special-sm:latest" created
>> deploymentconfig.apps.openshift.io "special-sm" created
>> --> Success
>> Run 'oc status' to view your app.
>> [zaphod@oc3027208274 tmp]$
>>
>> ..which creates a deployment config, as expected. However, when I use an 
>> oc v4.5 client against the same server, I get:
>>
>> [zaphod@oc6010654212 ~]$ oc new-app --name=special-sm 
>> kstephe/security-manager
>> --> Found image 8031044 (6 days old) in image stream 
>> "kstephe/security-manager" under tag "latest" for "kstephe/security-manager"
>>
>>
>> --> Creating resources ...
>> imagestreamtag.image.openshift.io "special-sm:latest" created
>> deployment.apps "special-sm" created
>> --> Success
>> Run 'oc status' to view your app.
>>
>> .which is creating a deployment. Why this change in behavior? Is there a 
>> shift in policy as of v4.5?
>
>
> yes it's a deliberate change to move towards deployments instead of 
> deploymentconfigs:
> https://docs.openshift.com/container-platform/4.5/release_notes/ocp-4-5-release-notes.html#ocp-4-5-developer-experience
>
>
> you can pass --as-deployment-config to get the prior behavior.
>

To add more background, we've made that decision also to align with
what our web console has been doing
for quite some time already: creating deployments by default. We will
be steering users towards
deployments in the long run; you can read about all the differences
that come from using one over the other
here:
https://docs.openshift.com/container-platform/4.5/applications/deployments/what-deployments-are.html

Maciej




Re: rebalancing workloads

2020-05-14 Thread Maciej Szulik
On Wed, May 13, 2020 at 1:44 PM Samuel Martín Moro 
wrote:

> Hi,
>
> In Kubernetes, this would be the descheduler, that would automatically
> evict Pods, when able to re-schedule them onto a more suitable node.
> It was TP in 3.11, and came back in TP as of OCP 4.4, if I'm not mistaken :
>
> https://docs.openshift.com/container-platform/4.4/nodes/scheduling/nodes-descheduler.html#nodes-descheduler
>

That is correct: in 4.4 there's an optional operator you can install from
the marketplace which will
allow you to play with the descheduler.


>
>
> Regards.
>
> On Wed, May 13, 2020 at 12:46 PM Just Marvin <
> marvin.the.cynical.ro...@gmail.com> wrote:
>
>> Hi,
>>
>> If I add new nodes to an openshift v4 cluster, is there a command
>> that will trigger a workload rebalance to take advantage of the new node?
>> Or will I have to do something like delete existing pods so that the
>> scheduler recreates it and upon recreate, it puts it on the new nodes?
>>
>> Regards,
>> Marvin
>>
>
>
> --
> Samuel Martín Moro
> {EPITECH.} 2011
>
> "Nobody wants to say how this works.
>  Maybe nobody knows ..."
>   Xorg.conf(5)
>


Re: Can't use the privileged scc in OpenShift 4.2.16

2020-02-12 Thread Maciej Szulik
I think you might be hitting this issue
https://bugzilla.redhat.com/show_bug.cgi?id=1708202; a temporary workaround
is, as you've noticed,
to create a copy of the SCC.

On Wed, Feb 12, 2020 at 10:49 AM Joel Pearson 
wrote:

> Hi Samuel,
>
> Thanks for pointing that out, didn't realise that privileged mode was a
> kubernetes specific thing as opposed to an openshift thing.  That'd explain
> why it barely gets a passing reference in the docs. I found some
> information on the kubernetes website:
> https://kubernetes.io/docs/concepts/policy/pod-security-policy/#privileged
>
> The cluster I was trying this out on is a lab cluster that only I use, but
> thanks for the tip about being careful copying scc's.
>
> Thanks,
>
> Joel
>
> On Wed, 12 Feb 2020 at 20:37, Samuel Martín Moro 
> wrote:
>
>> Hi,
>>
>>
>> In addition to granting your ServiceAccount permissions to use the
>> privileged SCC, you should add securityContext.privileged: true to
>> your Pod definition. Otherwise the restricted SCC matches your Pod's
>> securityContext first, and privileged would not be considered.
>>
>> I couldn't find this in the 4.x docs, though you'd have it in 3.11:
>>
>> https://docs.openshift.com/container-platform/3.11/admin_guide/manage_scc.html#grant-a-service-account-access-to-the-privileged-scc
>>
>>
>> Changing priorities could indeed be a way to work around this.
>> Though probably not something to recommend.
>>
>> If you made a copy of the existing privileged SCC, then there's a good
>> chance you kept its lists of allowed users / groups.
>> This means that when Pods relying on those SA would next restart, while
>> not including a securityContext.privileged in their definition: they would
>> mistakenly start as root. Rolling this back could require chowning files
>> back on persistent volumes.
>>
>> While it is unlikely OpenShift core components would include
>> ServiceAccounts running both privileged and unprivileged Pods (not
>> certain/to check), it could still be a surprise for users in your cluster.
>> This is not a big deal, on a lab, if you're just testing something on
>> your own, ... though I would avoid this on real-life clusters, or warn
>> other admins at least, ideally make sure only your Jira SA may use that SCC.
>>
>>
>> Regards.
>>
>>
>> On Wed, Feb 12, 2020 at 4:36 AM Joel Pearson <
>> japear...@agiledigital.com.au> wrote:
>>
>>> Hi,
>>>
>>> I have been trying to use the privileged scc in OpenShift 4.2.16
>>>
>>> I follow the normal way adding an scc to a service account.
>>>
>>> oc create sa jira
>>> oc adm policy add-scc-to-user privileged -z jira
>>>
>>> But it always ends up using the restricted scc. However, anyuid gets
>>> applied successfully.
>>>
>>> I read about SCC prioritisation
>>> 
>>>  and made
>>> a copy of privileged scc and set "priority: 10", and then I was able to use
>>> it.
>>>
>>> What is the proper way to use the privileged scc? Or is this by design?
>>>
>>> PS. I realise using privileged is not recommended, and in my case to
>>> make jira work I managed to use a customised version of anyuid that
>>> contained the AUDIT_WRITE capability so that "su" would work.  However, I
>>> figured it would be good to know why privileged kept getting overridden by
>>> "restricted"
>>>
>>> Thanks,
>>>
>>> Joel
>>>
>>
>>
>> --
>> Samuel Martín Moro
>> {EPITECH.} 2011
>>
>> "Nobody wants to say how this works.
>>  Maybe nobody knows ..."
>>   Xorg.conf(5)
>>
>
>
>
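A simplified model of the SCC selection Samuel describes above (restricted matches first unless the Pod asks for privileged; a copied SCC with priority 10 jumps ahead and keeps its user list), added here as an illustration and not OpenShift's own admission code. The SCC and ServiceAccount names follow the thread; the restrictiveness score and the reduced field set are simplifying assumptions.

```python
"""Simplified model of how SCC admission picks an SCC for a Pod.

Added illustration, not OpenShift's own code. It reproduces the documented
ordering (higher priority first, then most restrictive, then name) and the
rule that the first SCC validating the Pod's requested securityContext wins.
The SCC names follow the thread; the restrictiveness score and field set
are simplifying assumptions.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class SCC:
    name: str
    allow_privileged: bool
    run_as_user: str                 # "MustRunAsRange" or "RunAsAny"
    priority: int = 0                # a missing priority is treated as 0
    users: set = field(default_factory=set)  # SAs granted use; "*" = everyone

    def restrictiveness(self) -> int:
        # Lower is more restrictive (assumed point score standing in for the
        # real per-field comparison done by the admission plugin).
        return 2 * int(self.allow_privileged) + int(self.run_as_user == "RunAsAny")

    def grants(self, service_account: str) -> bool:
        return "*" in self.users or service_account in self.users


@dataclass
class Pod:
    service_account: str
    privileged: bool = False           # securityContext.privileged
    run_as_user: Optional[int] = None  # explicit securityContext.runAsUser


def validates(scc: SCC, pod: Pod) -> bool:
    """Does the SCC accept what the Pod explicitly asks for?"""
    if pod.privileged and not scc.allow_privileged:
        return False
    # Simplification: an explicit uid is only accepted by RunAsAny; a
    # MustRunAsRange SCC would instead assign a uid from the project range.
    if pod.run_as_user is not None and scc.run_as_user != "RunAsAny":
        return False
    return True


def candidate_order(sccs: List[SCC], pod: Pod) -> List[str]:
    """Names of the SCCs the Pod's SA may use, in the order admission tries them."""
    usable = [s for s in sccs if s.grants(pod.service_account)]
    usable.sort(key=lambda s: (-s.priority, s.restrictiveness(), s.name))
    return [s.name for s in usable]


def select_scc(sccs: List[SCC], pod: Pod) -> Optional[str]:
    """Name of the SCC that admits the Pod, or None if none validates."""
    by_name = {s.name: s for s in sccs}
    for name in candidate_order(sccs, pod):
        if validates(by_name[name], pod):
            return name
    return None


# Constructed approximation of the default SCCs involved in the thread,
# after 'oc adm policy add-scc-to-user privileged -z jira'.
DEFAULT_SCCS = [
    SCC("restricted", allow_privileged=False, run_as_user="MustRunAsRange", users={"*"}),
    SCC("anyuid", allow_privileged=False, run_as_user="RunAsAny", priority=10),
    SCC("privileged", allow_privileged=True, run_as_user="RunAsAny", users={"jira"}),
]

# The workaround from the thread: a copy of privileged with priority 10 that
# kept the original's user list. It now wins even for Pods that never asked
# for privileged, so those Pods get RunAsAny (and run as root by default).
PRIVILEGED_COPY = SCC("privileged-copy", allow_privileged=True,
                      run_as_user="RunAsAny", priority=10, users={"jira"})


if __name__ == "__main__":
    plain = Pod("jira")
    wants_priv = Pod("jira", privileged=True)
    print(select_scc(DEFAULT_SCCS, plain))                      # restricted
    print(select_scc(DEFAULT_SCCS, wants_priv))                 # privileged
    print(select_scc(DEFAULT_SCCS + [PRIVILEGED_COPY], plain))  # privileged-copy
```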


Re: cronjobs - how does this work?

2019-11-20 Thread Maciej Szulik
On Wed, Nov 20, 2019, 5:04 AM Just Marvin <
marvin.the.cynical.ro...@gmail.com> wrote:

> Hi,
>
>  I'm poring through the text at
> https://docs.openshift.com/container-platform/4.2/nodes/jobs/nodes-nodes-jobs.html#nodes-nodes-jobs-creating-cron_nodes-nodes-jobs
>  .
> Should I interpret spec.jobTemplate.spec.template.spec.containers.command
> as a command that exists within the container specified
> by cronjob.spec.jobTemplate.spec.template.spec.containers.image? I just
> tried spinning up an openjdk-11-rhel7 image (by itself, using new-app) and
> it refused to start up because it is coded to expect some main class /
> other entrypoint specified to it. If I wanted to run java code in a batch
> process, would this (or similar) containers be the right approach - i.e do
> a docker / s2i build with it to add in my code and have it be executed? In
> that case, should I simply not specify a command in the CronJob yaml,
> because the container is already geared to run the command I need on launch?
>

Yes, you don't need to specify a command if one is already baked into the
image through any kind of build.


Re: oc expose syntax

2019-03-18 Thread Maciej Szulik
On Sun, Mar 17, 2019 at 9:16 PM Just Marvin <
marvin.the.cynical.ro...@gmail.com> wrote:

> Hi,
>
> The syntax info here (
> https://docs.openshift.com/container-platform/3.11/cli_reference/basic_cli_operations.html#expose
> ) has me puzzled:
>
> (a) what's a generator, and why should I care about them?
>

A generator is an internal mechanism responsible for creating either a service
or a route. You usually don't care about them, as stated in the doc.

> (b) where is the information on the "port" flag? The Red Hat provided course
> material I'm taking says that it exists. Is there a place where the syntax
> is more comprehensively documented?
>

In most cases oc expose is smart enough to read that information when
needed, but in those rare cases where it fails it'll tell you to provide
the --port flag. You can always get more information about any command with
the --help flag, like oc expose --help.

Maciej


Re: FYI: As of 4.0, all OKD images are being pushed to quay

2019-01-24 Thread Maciej Szulik
Don't forget to replace COMPONENT with one of the valid components such as
hypershift or cli.
The list is here:
https://github.com/openshift/origin/blob/0a62a17d585336f8c977939baba39843e484c395/hack/lib/constants.sh#L302-L319

On Thu, Jan 24, 2019 at 12:28 PM Paolo Antinori  wrote:

> Hi Clayton, do we need special permission to access that content?
>
> Even after being logged in I get a 403
>
> [image: Screenshot from 2019-01-24 12-26-45.png]
>
> On Tue, 22 Jan 2019 at 22:33, Clayton Coleman  wrote:
>
>> As we've grown ever more images for 4.0 we are now publishing images
>> exclusively to quay for OKD builds.  A subset is still being mirrored to
>> docker but the 4.0 versions will be discontinued over time, so please don't
>> rely on them.
>>
>> All images published by CI for 4.0 onward are at:
>>
>> quay.io/openshift/origin-COMPONENT:v4.0
>>
>> I'll be decommissioning mirrors as teams move their example configs over
>> to quay.
>>
>
>
> --
> Paolo Antinori
> Associate Manager Fuse - Middleware - Red Hat
> +39 02 360 476 06
> panti...@redhat.com
> IRC - paolo/pantinor
> */'paɔlɔ 'anti'nɔri/* 
>


Re: how to query openshift api-version ?

2018-08-02 Thread Maciej Szulik
oc 3.10 already contains the api-versions and api-resources subcommands.

On Thu, Aug 2, 2018 at 6:31 AM Nakayama Kenjiro 
wrote:

> "oc api-versions" is available on the latest binary. (For example, I
> tested with v3.11.0-alpha.0+bb11f51-481 as below).
> Having said that, both kubectl and oc api-versions should get the same result,
> as both hit to https:///apis.
>
>   $ _output/local/bin/linux/amd64/oc api-versions
>   admissionregistration.k8s.io/v1beta1
>   apiextensions.k8s.io/v1beta1
>   apiregistration.k8s.io/v1
>   apiregistration.k8s.io/v1beta1
>   apps.openshift.io/v1
>   apps/v1
>   apps/v1beta1
>   apps/v1beta2
>   authentication.k8s.io/v1
>   authentication.k8s.io/v1beta1
>   authorization.k8s.io/v1
>   authorization.k8s.io/v1beta1
>   authorization.openshift.io/v1
>   autoscaling/v1
>   autoscaling/v2beta1
>   batch/v1
>   batch/v1beta1
>   build.openshift.io/v1
>   certificates.k8s.io/v1beta1
>   events.k8s.io/v1beta1
>   extensions/v1beta1
>   image.openshift.io/v1
>   monitoring.coreos.com/v1
>   network.openshift.io/v1
>   networking.k8s.io/v1
>   oauth.openshift.io/v1
>   policy/v1beta1
>   project.openshift.io/v1
>   quota.openshift.io/v1
>   rbac.authorization.k8s.io/v1
>   rbac.authorization.k8s.io/v1beta1
>   route.openshift.io/v1
>   security.openshift.io/v1
>   settings.k8s.io/v1alpha1
>   storage.k8s.io/v1
>   storage.k8s.io/v1beta1
>   template.openshift.io/v1
>   user.openshift.io/v1
>   v1
>
>   $ _output/local/bin/linux/amd64/oc version
>   oc v3.11.0-alpha.0+bb11f51-481
>   kubernetes v1.11.0+d4cacc0
>   features: Basic-Auth GSSAPI Kerberos SPNEGO
>
>
> On Thu, Aug 2, 2018 at 10:39 AM, Jack Hu  wrote:
>
>> Hi ,
>>
>> I know k8s has "kubectl api-versions " , but oc no such command , now
>> how to query openshift api-version ?
>>
>>
>>
>>
>>
>>
>
>
>
> --
> Kenjiro NAKAYAMA 
> GPG Key fingerprint = ED8F 049D E67A 727D 9A44  8E25 F44B E208 C946 5EB9
>


Re: User "admin" cannot get securitycontextconstraints at the cluster scope

2018-08-02 Thread Maciej Szulik
On Thu, Aug 2, 2018 at 3:16 AM Traiano Welcome  wrote:

> Hi
>
> I was working through the O'Reilly book "OpenShift for developers" but the
> example on page 75, where tomcat8 is run fails:
>
> - The container remains in crashloop backoff
> - The logs show the container is having permission issues:
>
> 
> Aug 02, 2018 1:03:47 AM org.apache.catalina.startup.Catalina load
> WARNING: Unable to load server configuration from
> [/usr/local/tomcat/conf/server.xml]
> Aug 02, 2018 1:03:47 AM org.apache.catalina.startup.Catalina load
> WARNING: Permissions incorrect, read permission is not allowed on the file.
> Aug 02, 2018 1:03:47 AM org.apache.catalina.startup.Catalina start
> SEVERE: Cannot start server. Server instance is not configured.
> 
>
> - This appears to be due to openshift/minishift not allowing containers to
> run as root
> - I try installing the anyuid addon and running this command:
> - oc adm policy add-scc-to-user anyuid -z default -n tomcat8
> - However it fails with this error despite the anyuid addon being applied:
>
> 
> Error from server (Forbidden): securitycontextconstraints "anyuid" is
> forbidden: User "admin" cannot get securitycontextconstraints at the
> cluster scope: User "admin" cannot get securitycontextconstraints at the
> cluster scope
> 
>

The anyuid SCC is there to allow the container to run as root inside the container.
From the description you've provided it looks like you're trying to contact the
OpenShift API to get the list of SCCs, in which case your container's
ServiceAccount must be allowed to do so. I'd recommend having a look at the
docs, which explain in greater detail what SAs are [1] and what SCCs are
[2].

[1] https://docs.openshift.org/latest/dev_guide/service_accounts.html
[2]
https://docs.openshift.org/latest/architecture/additional_concepts/authorization.html#security-context-constraints

Maciej



>
>
> How do I fix this?
>
> Thanks in advance,
> Traiano
>
>


Re: error: {batch cronjobs} matches multiple kinds

2018-02-12 Thread Maciej Szulik
Where are you seeing this error? What's the oc version you're using?

Maciej

On Sun, Feb 11, 2018 at 1:25 AM, John Mazzitelli  wrote:

> Did something change in the past 24 to 48 hours that might have caused
> this? This wasn't happening a few days ago:
>
> oc delete all,secrets,sa,templates,configmaps,daemonsets,clusterroles
> --selector=app=myapp -n default
> error: {batch  cronjobs} matches multiple kinds [batch/v1beta1,
> Kind=CronJob batch/v2alpha1, Kind=CronJob]
>
> (for the record, I don't even have cronjobs let alone some that would
> match that selector)
>
>


Re: Help using ImageStreams, DCs and ImagePullSecrets templates with a GitLab private registry (v3.6)

2018-01-08 Thread Maciej Szulik
In short, there are two possible use-cases here.

The first, in which the authorization is performed under the same URL as
the pull:

1. IS stays the same, no need to modify anything.
2. Create a secret, eg:
oc secrets new-dockercfg  \
   --docker-server= \
   --docker-username= \
   --docker-password= \
   --docker-email=

3. Re-run the import:
  oc import-image 


The second, in which authorization is delegated to a different URL:
1. IS stays the same, no need to modify anything.
2. Create a secret as previously.
3. Create a 2nd secret against the authorization URL. You can get it by
   trying to curl the image data, eg. curl -v https:///v2// ; in return
   you should see the HTTP/1.1 401 Unauthorized with information on where
   to authenticate, eg:
   WWW-Authenticate: Bearer realm="",service="docker-registry"
   Use that auth URL for docker-server when creating the second secret.
4. Re-run import.

Hope that helps,
Maciej





On Thu, Jan 4, 2018 at 2:53 PM, Alan Christie <
achris...@informaticsmatters.com> wrote:

> Thanks for your guidance so far Maciej but none of this is working for me.
> [1] doesn’t really help as I’m past that and, sadly the 1,500 lines and
> numerous of posts in issue 9584 [2] are exhausting to trawl though and
> still leave me with an inability to pull from GitLab using an image stream.
>
> Again, I have a working DC/IPS solution. I understand secrets, DCs and IPS
> but I still cannot get ImageStreams to work. I just get…
>
> *Internal error occurred: Get https://registry.gitlab.com/v2/myproject/
> <https://registry.gitlab.com/v2/myproject/>myimage.manifests/latest: denied:
> access forbidden.*
>
> I’m just about exhausted.
>
> So, if my setup is:
>
>- *OpenShift 3.6.1*
>- An image that's: *myproject/myimage:latest*
>- A registry that’s: *registry.gitlab.com <http://registry.gitlab.com>*
>- A pull secret that works for DC/IPS - i.e. I can pull the image from
>the private repo with my DC and the installed secret.
>
> What...
>
>- would my *ImageStream* yaml template or json look like?
>- would I need to change in my working DC yaml?
>- if any, are the crucial roles my OC user needs?
>
>
> On 3 Jan 2018, at 11:03, Maciej Szulik <maszu...@redhat.com> wrote:
>
> Have a look at [1] which should explain how to connect the IS with the
> secret. Additionally,
> there's [2] which explains problems when auth is delegated to a different
> URI.
>
> Maciej
>
>
> [1] https://docs.openshift.org/latest/dev_guide/managing_
> images.html#private-registries
> [2] https://github.com/openshift/origin/issues/9584
>
> On Wed, Jan 3, 2018 at 10:34 AM, Alan Christie <
> achris...@informaticsmatters.com> wrote:
>
>> Hi all,
>>
>> I’m successfully using a DeploymentConfig (DC) and an ImagePullSecret
>> (IPS) templates with OpenShift Origin v3.6 to spin-up my application from a
>> container image hosted on a private GitLab registry. But I want the
>> deployment to re-deploy when the GitLab image changes and to do this I
>> believe I need to employ an ImageStream.
>>
>> I’m, comfortable with each of these objects and have successfully used
>> ImageStreams and DCs with public DockerHub images (that was easy because
>> there are so many examples). But I’m stuck trying to pull an image using an
>> ImageStream from a private GitLab-hosted docker registry.
>>
>> The IPS seems to belong to the DC, so how do I get my ImageStream to use
>> it? My initial attempts have not been successful. All I get, after a number
>> of attempts at this, is the following error on the ImageScreen console...
>>
>> Internal error occurred: Get https://registry.gitlab.com/v2
>> /myproject/myimage/manifests/latest: denied: access forbidden.
>> Timestamp: 2017-12-28T14:27:12Z Error count: 2.
>>
>> Where “myproject” and “myimage” are my GitLab project and image names.
>>
>> My working DC/IPS combo looks something like this…
>>
>> […]
>> imagePullSecrets:
>> - name: gitlab-myproject
>> containers:
>>   - image: registry.gitlab.com/myproject/myimage:stable
>> name: myimage
>> […]
>>
>> But what would my DC/IPS/ImageStream objects look like?
>>
>> Thanks in advance.
>>
>> Alan Christie.
>>
>>
>>
>
>
>
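An added helper for the delegated-auth case in the reply above, not part of OpenShift or the original post: it pulls the Bearer challenge out of the 401 that curl -v shows and derives the docker-server values for the two secrets. The response head, the registry and auth hosts and the image name are constructed for the example.

```python
"""Added helper for the delegated-auth case: parse the WWW-Authenticate
challenge that an unauthenticated GET /v2/<name>/manifests/<tag> returns
and work out the docker-server values for the two secrets. Not part of
OpenShift or the original post; the response head, hosts and image name
below are constructed.
"""
import re
from urllib.parse import urlsplit

# key="quoted value" or key=bare-value pairs inside a Bearer challenge
_PARAM_RE = re.compile(r'(\w+)=(?:"((?:[^"\\]|\\.)*)"|([^,\s]+))')


def parse_bearer_challenge(header: str) -> dict:
    """Turn 'Bearer realm="...",service="...",scope="..."' into a dict.

    Only Bearer challenges are accepted, so a Basic challenge (which needs
    a different kind of secret) is reported instead of misread."""
    scheme, _, params = header.strip().partition(" ")
    if scheme.lower() != "bearer":
        raise ValueError(f"unsupported auth scheme: {scheme!r}")
    fields = {}
    for key, quoted, bare in _PARAM_RE.findall(params):
        fields[key.lower()] = quoted.replace('\\"', '"') if quoted else bare
    if "realm" not in fields:
        raise ValueError("Bearer challenge without a realm")
    return fields


def challenge_from_response(head: str) -> dict:
    """Pick the challenge out of the response head that 'curl -v' prints
    (leading '< ' markers are tolerated); the status must be 401."""
    lines = [ln.lstrip("< ").rstrip() for ln in head.splitlines() if ln.strip()]
    status = lines[0].split(" ", 2)
    if len(status) < 2 or status[1] != "401":
        raise ValueError(f"expected a 401 response, got: {lines[0]}")
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "www-authenticate":
            return parse_bearer_challenge(value.strip())
    raise ValueError("401 response carries no WWW-Authenticate header")


def secret_servers(image_ref: str, challenge: dict) -> dict:
    """docker-server values for the secrets: 'pull' is the registry host
    from the image reference; 'auth' is the realm URL, present only when
    the token endpoint lives on a different host than the registry."""
    registry = image_ref.split("/", 1)[0]
    realm = urlsplit(challenge["realm"])
    if realm.scheme != "https":
        # Credentials would be sent in clear to a plain-http token endpoint.
        raise ValueError(f"refusing non-https realm: {challenge['realm']}")
    servers = {"pull": registry}
    if realm.netloc != registry:
        servers["auth"] = challenge["realm"]
    return servers


# Constructed 'curl -v' response head for the delegated case.
SAMPLE_RESPONSE_HEAD = "\n".join([
    "< HTTP/1.1 401 Unauthorized",
    "< Content-Type: application/json",
    "< Docker-Distribution-Api-Version: registry/2.0",
    '< WWW-Authenticate: Bearer realm="https://auth.example.test/token",'
    'service="docker-registry",scope="repository:myproject/myimage:pull"',
    "< Content-Length: 0",
])
SAMPLE_IMAGE = "registry.example.test/myproject/myimage:latest"


if __name__ == "__main__":
    challenge = challenge_from_response(SAMPLE_RESPONSE_HEAD)
    print(challenge)
    print(secret_servers(SAMPLE_IMAGE, challenge))
```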


Re: Help using ImageStreams, DCs and ImagePullSecrets templates with a GitLab private registry (v3.6)

2018-01-03 Thread Maciej Szulik
Have a look at [1] which should explain how to connect the IS with the
secret. Additionally,
there's [2] which explains problems when auth is delegated to a different
URI.

Maciej


[1]
https://docs.openshift.org/latest/dev_guide/managing_images.html#private-registries
[2] https://github.com/openshift/origin/issues/9584

On Wed, Jan 3, 2018 at 10:34 AM, Alan Christie <
achris...@informaticsmatters.com> wrote:

> Hi all,
>
> I’m successfully using a DeploymentConfig (DC) and an ImagePullSecret
> (IPS) templates with OpenShift Origin v3.6 to spin-up my application from a
> container image hosted on a private GitLab registry. But I want the
> deployment to re-deploy when the GitLab image changes and to do this I
> believe I need to employ an ImageStream.
>
> I’m, comfortable with each of these objects and have successfully used
> ImageStreams and DCs with public DockerHub images (that was easy because
> there are so many examples). But I’m stuck trying to pull an image using an
> ImageStream from a private GitLab-hosted docker registry.
>
> The IPS seems to belong to the DC, so how do I get my ImageStream to use
> it? My initial attempts have not been successful. All I get, after a number
> of attempts at this, is the following error on the ImageScreen console...
>
> Internal error occurred: Get https://registry.gitlab.com/
> v2/myproject/myimage/manifests/latest: denied: access forbidden.
> Timestamp: 2017-12-28T14:27:12Z Error count: 2.
>
> Where “myproject” and “myimage” are my GitLab project and image names.
>
> My working DC/IPS combo looks something like this…
>
> […]
> imagePullSecrets:
> - name: gitlab-myproject
> containers:
>   - image: registry.gitlab.com/myproject/myimage:stable
> name: myimage
> […]
>
> But what would my DC/IPS/ImageStream objects look like?
>
> Thanks in advance.
>
> Alan Christie.
>
>
>


Re: External registry and image promotion across projects

2017-11-28 Thread Maciej Szulik
Hey,
Can this blog post be of any help to you:
https://blog.openshift.com/image-streams-faq/ ?
It explains a few points about managing image streams and tags. If you
have any further
questions I'd be happy to answer them :)

Maciej


On Mon, Nov 27, 2017 at 3:25 PM, Md Faizan Ali 
wrote:

> We are using Amazon's ECR as our registry and we have a git commit based
> tagging strategy for images. So far we were using ECS for managing
> containers and our images would flow in this manner:
>
> *create-image - > tag - $GIT_COMMIT - > Push to registry - > Deploy to
> integration environment -> test -> push the same tag to QA if tests
> succeeded -> test - > retag as RC and push to stage environment. *
>
> We are now moving to openshift and trying to map this strategy to
> openshift. We already have pipelines setup in Jenkins that are pushing our
> images to ECR. We want to be able to monitor ECR and promote images between
> projects. However,
>
> - Using openshift plugins in Jenkins, I do not see an option to map custom
> tags to image streams. My streams can monitor ECR and pull images if
> upstream image changes. But the tag remains static ( latest: keeps pointing
> to update image). Do not have an option to manage custom tags.
>
> - Also, do not see an option by which we can pass custom tags for
> deployment configs so that I can update deployment when a particular tagged
> image changes.
>
> Is there a way of managing this in openshift? Is there a better way of
> doing it? Please suggest.
>
>
>
>
>


Re: Change default registry to custom one

2017-11-28 Thread Maciej Szulik
On Mon, Nov 27, 2017 at 1:35 PM, Łukasz Strzelec 
wrote:

> Hi,
>
> I'm looking for some kind of solution, that allows me to use my external
> registry as a default one in OpenShift.
>
> I have a Artifactory registry which is our production registry. I want to
> be able to build application in a way that I'm able with internal registry
> but with a small change. The last step, which is "push the image to registry",
> has to be done against my external one.
>
> How can I solve this issue ?
>

Hey,
Working with your own registry should work without any problems. Just point
your Image Streams
to your external registry. The only downside is that you won't get the full
integration like it is with
the built-in registry. This means you need to ensure you have the necessary
push and pull secrets
when working with an external registry, something that is handled ootb with
the internal registry.

HTH,
Maciej


Re: Force external image sync

2017-11-17 Thread Maciej Szulik
Yes, oc import-image is for the ad-hoc imports. But if you're interested in
tweaking the re-sync interval
for the scheduled import look into master-config.yaml's Image Policy
Configuration section [1] and tweak
the value of ScheduledImageImportMinimumIntervalSeconds.

Maciej


[1]
https://docs.openshift.org/latest/install_config/master_node_configuration.html#master-config-image-policy-config


On Thu, Nov 16, 2017 at 10:37 AM, Lionel Orellana 
wrote:

> Seems like just re-importing the image does the trick.
>
> On 16 November 2017 at 20:29, Lionel Orellana  wrote:
>
>> Hi,
>>
>> I imported an image from an external private registry and set
>> *importPolicy.scheduled *on the resulting image stream tag to true. It
>> works nicely but it can take quite a few minutes for changes on the
>> external tag to be sync'ed back.
>>
>> Is there an oc command to force the sync?
>>
>> Thanks
>>
>> Lionel.
>>
>
>
>
>


Re: The easiest way to start Docker Registry in Origin

2017-06-29 Thread Maciej Szulik
On Wed, Jun 28, 2017 at 11:53 AM, Frederic Giloux 
wrote:

> Hi Henryk
>
> If I correctly understand your use case I think that the easiest way is to
> create an imagestream foo and to use the pull-through feature:
> https://docs.openshift.org/latest/install_config/
> registry/extended_registry_configuration.html#middleware-
> repository-pullthrough
> https://docs.openshift.org/latest/dev_guide/managing_
> images.html#image-pull-policy
>
> Regards,
>
> Frédéric
>
> On Wed, Jun 28, 2017 at 11:29 AM, Henryk Konsek 
> wrote:
>
>> Hi,
>>
>> What would be the easiest way to start Docker Registry in OpenShift
>> Origin and tell OpenShift to look up for Docker images in it?
>>
>> What I would like to achieve is that when I execute "oc new-app foo",
>> OpenShift will try to look up for "foo" image in my local Origin registry
>> and then in DockerHub.
>>
>

Just install the integrated registry and all you're asking for will be
there: https://docs.openshift.org/latest/install_config/registry/index.html


Re: OpenShift 3 trainings/certification

2017-01-19 Thread Maciej Szulik
There's one happening in less than a month in Warsaw, PL (sorry, the page is
in Polish):

http://www.redhatonline.com/pl/seminar/red-hat-openshift-container-platform/




On Thu, Jan 19, 2017 at 2:26 PM, Marky Jackson 
wrote:

> This is taking place today: https://www.redhat.com/en/about/events/containers-enterprise-red-hat-virtual-event
>
> On Thu, Jan 19, 2017 at 5:21 AM, Krzysztof Sobkowiak <
> krzys.sobkow...@gmail.com> wrote:
>
>> Hi
>>
>> Do you know a good OpenShift courses/certification program?
>>
>> Kind regards
>> Krzysztof
>>
>>
>> --
>> Krzysztof Sobkowiak (@ksobkowiak)
>>
>> JEE & OSS Architect, Integration Architect
>> Apache Software Foundation Member (http://apache.org/)
>> Apache ServiceMix Committer & PMC Member (http://servicemix.apache.org/)
>> Senior Solution Architect @ Capgemini SSC (http://www.capgeminisoftware.pl/)
>>
> --
> *Marky Jackson*
>
> DevTools Software Engineer, Taulia Inc.
>
> m: (408) 464 2965 | e: marky.jack...@taulia.com | w: www.taulia.com |
> a: 201 Mission St. Suite 900 San Francisco CA 94105


Re: How to deploy container writing to filesystem

2017-01-10 Thread Maciej Szulik
You're looking for hostPath [1], but for that you either need privileged SCC
or edit restricted one to allow hostDirVolumePlugin [2].

[1] http://kubernetes.io/docs/user-guide/volumes/#hostpath
[2]
https://docs.openshift.org/latest/admin_guide/manage_scc.html#use-the-hostpath-volume-plugin

On Tue, Jan 10, 2017 at 9:53 AM, Henryk Konsek  wrote:

> Hi,
>
> Is it possible to easily deploy a container into OpenShift 3 and grant this
> container write privileges to the whole file system?
>
> I know that I should be using volumes for this purpose, but I'm trying to
> understand what options we have when we need to run Docker images that
> are not OS-friendly.
>
> Thanks!
> --
> Henryk Konsek
> https://linkedin.com/in/hekonsek
>
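As an added illustration (not code from the thread or from OpenShift itself), a small Python check that mirrors what the restricted SCC decides for such a pod: a hostPath volume needs allowHostDirVolumePlugin and a privileged container needs allowPrivilegedContainer, so the pod is rejected under restricted and admitted under privileged. The SCC objects, the sample pod and the helper names (`pod_requirements`, `admit`, `admitting_sccs`) are constructed for this example.

```python
"""Added example, not the mailing-list's or OpenShift's own code: a minimal
admission check modelled on the SCC fields allowHostDirVolumePlugin and
allowPrivilegedContainer. It walks a Pod spec (a dict, as you would get from
`oc get pod -o json`) and reports which SCC permissions the pod needs."""

# Constructed SCC policies; the two field names are the real SCC field names,
# everything else about these objects is made up for the example.
RESTRICTED_SCC = {
    "name": "restricted",
    "allowHostDirVolumePlugin": False,
    "allowPrivilegedContainer": False,
}
PRIVILEGED_SCC = {
    "name": "privileged",
    "allowHostDirVolumePlugin": True,
    "allowPrivilegedContainer": True,
}


def pod_requirements(pod):
    """Return the set of SCC permissions this pod spec requires."""
    spec = pod.get("spec", {})
    needs = set()
    for vol in spec.get("volumes", []):
        if "hostPath" in vol:  # node filesystem access -> hostDir plugin
            needs.add("allowHostDirVolumePlugin")
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        if c.get("securityContext", {}).get("privileged"):
            needs.add("allowPrivilegedContainer")
    return needs


def admit(pod, scc):
    """Return (admitted, reasons): reasons lists every permission the SCC lacks."""
    reasons = [
        f"{perm} is required but not allowed by SCC {scc['name']}"
        for perm in sorted(pod_requirements(pod))
        if not scc.get(perm, False)
    ]
    return (not reasons, reasons)


def admitting_sccs(pod, sccs):
    """Names of the SCCs (from the given list) that would admit the pod."""
    return [scc["name"] for scc in sccs if admit(pod, scc)[0]]


# Constructed sample: the kind of pod the question describes, writing to the
# node's filesystem through a hostPath volume mounted at /host.
HOSTPATH_POD = {
    "kind": "Pod",
    "metadata": {"name": "legacy-app"},
    "spec": {
        "containers": [{
            "name": "app",
            "image": "example/legacy-app",  # placeholder image name
            "volumeMounts": [{"name": "root", "mountPath": "/host"}],
        }],
        "volumes": [{"name": "root", "hostPath": {"path": "/"}}],
    },
}

if __name__ == "__main__":
    for scc in (RESTRICTED_SCC, PRIVILEGED_SCC):
        ok, why = admit(HOSTPATH_POD, scc)
        print(scc["name"], "admits" if ok else "rejects",
              HOSTPATH_POD["metadata"]["name"], why)
    print("admitted by:", admitting_sccs(HOSTPATH_POD, [RESTRICTED_SCC, PRIVILEGED_SCC]))
```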


Re: Deployment error on node: Relabeling content in /usr is not allowed

2016-11-29 Thread Maciej Szulik
OpenShift, by default, does not allow running privileged containers, and
iirc guestbook does that:

Handler for POST /containers/create returned error: Relabeling content in
/usr is not allowed.

I'd suggest starting off with hello-openshift [1] which, although it creates
just a pod, can be easily turned into a deployment either manually or,
preferably, using oc run, like this:
oc run hello --image=openshift/hello-openshift

You can read about the security constraints in [2].

Maciej

[1] https://github.com/openshift/origin/tree/master/examples/hello-openshift
[2]
https://docs.openshift.org/latest/architecture/additional_concepts/authorization.html#security-context-constraints

On Mon, Nov 28, 2016 at 9:38 PM, Ashby, Jason (IMS) 
wrote:

> Sorry all, for over-posting, I just need a little help getting my first
> OpenShift origin cluster running.  I’ve got a cluster consisting of two
> hosts: a master (CentOS 7) and a node (CentOS 7 Atomic) set up and
> communicating, but every time I fire off a deployment (I used the
> kubernetes/guestbook app to test), I get the following on the node:
>
> Nov 28 15:22:53 oshift-node-01 kernel: docker0: port 1(veth86f9a99) entered forwarding state
> Nov 28 15:22:54 oshift-node-01 openshift: I1128 15:22:54.195173   13633 reconciler.go:254] MountVolume operation started for volume "kubernetes.io/secret/670f607d-b5a8-11a4-b673-005056b7468b-deployer-token-p37u0" (spec.Name: "deployer-token-p37u0") to pod "670f607d-b5a8-11a4-b673-005056b7468b" (UID: "670f607d-b5a8-11a4-b673-005056b7468b"). Volume is already mounted to pod, but remount was requested.
> Nov 28 15:22:54 oshift-node-01 openshift: I1128 15:22:54.206060   13633 operation_executor.go:740] MountVolume.SetUp succeeded for volume "kubernetes.io/secret/670f607d-b5a8-11a4-b673-005056b7468b-deployer-token-p37u0" (spec.Name: "deployer-token-p37u0") pod "670f607d-b5a8-11a4-b673-005056b7468b" (UID: "670f607d-b5a8-11a4-b673-005056b7468b").
> Nov 28 15:22:54 oshift-node-01 docker-current: time="2016-11-28T15:22:54.598594417-05:00" level=info msg="{Action=create, LoginUID=4294967295, PID=13633}"
> Nov 28 15:22:54 oshift-node-01 systemd: Device dev-disk-by\x2duuid-ac161f25\x2d0ff5\x2d4ef0\x2d97dd\x2dc7f9f86647c0.device appeared twice with different sysfs paths /sys/devices/virtual/block/dm-5 and /sys/devices/virtual/block/dm-6
> Nov 28 15:22:54 oshift-node-01 kernel: XFS (dm-6): Mounting V4 Filesystem
> Nov 28 15:22:54 oshift-node-01 kernel: XFS (dm-6): Ending clean mount
> Nov 28 15:22:54 oshift-node-01 kernel: XFS (dm-6): Unmounting Filesystem
> Nov 28 15:22:54 oshift-node-01 docker-current: time="2016-11-28T15:22:54.952177189-05:00" level=error msg="Handler for POST /containers/create returned error: Relabeling content in /usr is not allowed."
> Nov 28 15:22:54 oshift-node-01 openshift: E1128 15:22:54.953748   13633 docker_manager.go:2094] container start failed: RunContainerError: runContainer: Error response from daemon: Relabeling content in /usr is not allowed.
> Nov 28 15:22:54 oshift-node-01 openshift: E1128 15:22:54.953845   13633 pod_workers.go:183] Error syncing pod 670f607d-b5a8-11a4-b673-005056b7468b, skipping: *failed to "StartContainer" for "deployment" with RunContainerError: "runContainer: Error response from daemon: Relabeling content in /usr is not allowed."*
>
> It appears the node is having trouble running pods. I temporarily disabled
> SELinux on the node and restarted OpenShift, but the error still happens.
> So it doesn’t appear to be an SELinux thing.
>
> Google just points me to a Bugzilla that says it was an issue with an older
> Docker (1.6) that’s now resolved.  I’m running the following which I believe
> is the default in Atomic:
>
> $ docker -v
> Docker version 1.10.3, build cb079f6-unsupported
>
> I’m running OpenShift Origin v1.3.1 on both nodes.
>
> Any ideas?
>


Re: is resourceVersion unique?

2016-11-09 Thread Maciej Szulik
ResourceVersion is a resource specific field that identifies the internal
version of an object. It can be used by clients to determine when objects
have changed, because the server will change it every time an object is
modified. So it has no meaning across namespaces, different kinds of
resources, or different servers.

On Wed, Nov 9, 2016 at 10:57 PM, Andrew Lau  wrote:

> Is the resourceVersion unique across the whole cluster or just for the
> particular resource?
>
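The resourceVersion behaviour described above, as an added example that is not part of the original post: a toy in-memory store whose update rejects a stale resourceVersion (optimistic concurrency) and whose `changed_since` lets a client detect that an object was modified. The `Store` class, its methods, the `Conflict` error and the sample objects are all constructed for illustration.

```python
"""Added example, not from the thread: a toy API-server store illustrating
resourceVersion. Every write assigns a new resourceVersion; an update carrying
an older resourceVersion than the stored one is rejected as a conflict, and a
client compares the value it last saw with the current one to know whether
the object changed. Objects and names below are constructed."""


class Conflict(Exception):
    """Raised when an update carries a resourceVersion older than the stored one."""


class Store:
    def __init__(self):
        self._objects = {}   # (namespace, kind, name) -> stored object
        self._revision = 0   # bumped on every modification, like etcd's revision

    def _next_version(self):
        self._revision += 1
        return str(self._revision)  # opaque string as far as clients are concerned

    def create(self, namespace, kind, name, data):
        key = (namespace, kind, name)
        if key in self._objects:
            raise KeyError(f"{kind} {namespace}/{name} already exists")
        self._objects[key] = {
            "metadata": {"namespace": namespace, "name": name,
                         "resourceVersion": self._next_version()},
            "data": dict(data),
        }
        return self.get(namespace, kind, name)

    def get(self, namespace, kind, name):
        # Hand out a copy so callers cannot mutate the stored object directly.
        obj = self._objects[(namespace, kind, name)]
        return {"metadata": dict(obj["metadata"]), "data": dict(obj["data"])}

    def update(self, namespace, kind, name, obj):
        """Write obj back; its resourceVersion must match the stored one."""
        current = self._objects[(namespace, kind, name)]
        if obj["metadata"]["resourceVersion"] != current["metadata"]["resourceVersion"]:
            raise Conflict(f"{kind} {namespace}/{name}: the object has been modified")
        current["data"] = dict(obj["data"])
        current["metadata"]["resourceVersion"] = self._next_version()
        return self.get(namespace, kind, name)

    def changed_since(self, namespace, kind, name, seen_version):
        """True if the object was modified after the client observed seen_version."""
        return self.get(namespace, kind, name)["metadata"]["resourceVersion"] != seen_version


def demo():
    store = Store()
    cm = store.create("ns-a", "ConfigMap", "app", {"level": "info"})
    # Two clients read the same object and both try to write it back.
    first = store.get("ns-a", "ConfigMap", "app")
    second = store.get("ns-a", "ConfigMap", "app")
    first["data"]["level"] = "debug"
    store.update("ns-a", "ConfigMap", "app", first)   # succeeds, bumps resourceVersion
    second["data"]["level"] = "warn"
    try:
        store.update("ns-a", "ConfigMap", "app", second)  # stale resourceVersion
        stale_rejected = False
    except Conflict:
        stale_rejected = True
    # A Secret in another namespace draws from the same counter, but comparing its
    # number with the ConfigMap's tells a client nothing (constructed value).
    secret = store.create("ns-b", "Secret", "creds", {"token": "constructed"})
    return {
        "stale_rejected": stale_rejected,
        "configmap_changed": store.changed_since(
            "ns-a", "ConfigMap", "app", cm["metadata"]["resourceVersion"]),
        "final_level": store.get("ns-a", "ConfigMap", "app")["data"]["level"],
        "secret_version": secret["metadata"]["resourceVersion"],
    }


if __name__ == "__main__":
    print(demo())
```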


Re: Any solution for Recurring Jobs (cron jobs) on origin1.3

2016-10-31 Thread Maciej Szulik
On Thu, Oct 27, 2016 at 12:46 PM, Guillaume Coré  wrote:

> Also interested.
>
> Last time I checked was early September for the OCP 3.3 release:
> https://mojo.redhat.com/docs/DOC-1094232
>
> The status was
>
> * Scheduled jobs are delayed to OCP 3.4
> * Status: Cron-like scheduling has been promised for k8s 1.3, but
> delayed to 1.4.
> Scheduled job PR : https://github.com/kubernetes/kubernetes/pull/11980
>
> Meaning you can still run jobs as described in the mojo doc or the
> official documentation, but you'll have to deal with the scheduling part
> outside openshift.
>
> Is it still true?
>

For 1.3 - yes
For 1.4 - there's a scheduled job, see
https://docs.openshift.org/latest/dev_guide/scheduled_jobs.html

>
>
> Guillaume
>
> On 2016-10-27 12:29, Michail Kargakis wrote:
> > ccing Maciej who added scheduled jobs in 1.3
> >
> > On Thu, Oct 27, 2016 at 12:22 PM, Syam G Krishnan  > > wrote:
> >
> > Hi,
> >
> > What are the ways to run recurring jobs(cron jobs) on openshift?
> > The need is for running a script (which will do the backup of
> database)
> > inside a container and exits.
> >
> > thanks,
> >
> > --
> > Syam G Krishnan
> > GPG 4096R/FBB26E60
> > Red Hat India Pvt Ltd
> >
> >


Re: prune images error - 503

2016-10-25 Thread Maciej Szulik
Upon pruning images this command reaches out to the registry to actually
remove them from there. Apparently, it has problems reaching out
to your registry. There are two flags you might want to check out:
--certificate-authority - which points to a CA when a self-signed cert is used
--registry-url - to specify which registry to talk to.

Additionally you can increase the verbosity (--loglevel=7) and see the
communication between oadm prune images and the server, including the
registry. If you are still experiencing problems, please lemme know with
those logs attached, so I could help more.

Maciej

On Tue, Oct 25, 2016 at 9:29 AM, Lionel Orellana  wrote:

> Hi.
>
> I'm trying to run
>
> oadm prune images --keep-tag-revisions=3 --keep-younger-than=24h --confirm
>
> but after a while I get
>
> error: error communicating with registry: unexpected status code 503
>
> I am able to prune builds and deployments. prune images without --confirm
> also returns Ok.
>
> I've been building a ~6GB image repeatedly in the last couple of days.
> Seems like it's struggling to delete some of those?
>
> Thanks
>
> Lionel
>


Re: Removing old images from docker registry

2016-09-26 Thread Maciej Szulik
oadm prune is the recommended way, definitely. This will both clean the
OpenShift objects and the data in the registry as well.

On Sat, Sep 24, 2016 at 3:00 PM, Miloslav Vlach 
wrote:

> Hi,
>
> my docker registry takes too much space on the volume. How can I delete some
> images? With oadm prune or directly via the docker repository.
>
> Thanks Mila
>
>


Re: Problem authenticating to private docker registry

2016-08-10 Thread Maciej Szulik
You need to follow the docs here:
https://docs.openshift.org/latest/dev_guide/managing_images.html#private-registries
to set up the secret in the same project your ImageStream is created in and
then re-import the image. During import the proper secrets will be picked
automatically based on the URLs of the registry, and your image metadata
should be downloaded to the server. This will handle the import part; now,
for actually using an image from a private registry, you need to follow this:
https://docs.openshift.org/latest/dev_guide/managing_images.html#allowing-pods-to-reference-images-from-other-secured-registries

Hope that helps,
Maciej

On Tue, Aug 9, 2016 at 4:00 PM, Tony Saxon  wrote:

> I'm not sure what I'm missing here. I have a private docker registry that
> is set up securely and uses authentication. I followed the docs at
> https://docs.openshift.org/latest/dev_guide/managing_images.html#using-image-pull-secrets
> to create the secret with the username and password to authenticate with
> the docker registry. I verified that I can manually login to the docker
> registry from the master and the nodes. However, when I go to deploy a new
> app based on an image from the docker registry it seems to be failing to
> authenticate. The command that I'm running to create the new app:
>
> oc new-app docker-lab.example.net:5000/testwebapp:latest
>
> It creates the imagestream and attempts to deploy the pod. I get the
> following in the logs on the pod:
>
> # oc logs testwebapp-1-us1wu
> Error from server: container "testwebapp" in pod "testwebapp-1-us1wu" is
> waiting to start: image can't be pulled
>
> The logs on the docker registry show:
>
> time="2016-08-09T13:54:45Z" level=warning msg="error authorizing context:
> basic authentication challenge for realm \"Registry Realm\": invalid
> authorization credential" go.version=go1.6.3 http.request.host="
> docker-lab.example.net:5000" 
> http.request.id=f5aeb8b9-ce4e-41b7-86a8-76e8c520bd22
> http.request.method=GET http.request.remoteaddr="192.168.122.158:54436"
> http.request.uri="/v2/" http.request.useragent="docker/1.10.3 go/go1.4.2
> git-commit/9419b24-unsupported kernel/3.10.0-327.22.2.el7.x86_64 os/linux
> arch/amd64" instance.id=f0d70491-6e34-44eb-a51c-3b13eae8daa6
> version=v2.5.0
> 192.168.122.158 - - [09/Aug/2016:13:54:45 +] "GET /v2/ HTTP/1.1" 401
> 87 "" "docker/1.10.3 go/go1.4.2 git-commit/9419b24-unsupported
> kernel/3.10.0-327.22.2.el7.x86_64 os/linux arch/amd64"
> time="2016-08-09T13:54:45Z" level=error msg="response completed with
> error" auth.user.name=tsaxon err.code="manifest unknown"
> err.detail="unknown manifest name=testwebapp revision=sha256:
> 9799a25cd6fd7f7908bad740fc0c85823e38aa22afb22f687a5b8a3ed2bf9ec3"
> err.message="manifest unknown" go.version=go1.6.3 http.request.host="
> docker-lab.example.net:5000" 
> http.request.id=130a9014-7c19-48f7-bef3-2b8cfe0470a0
> http.request.method=GET http.request.remoteaddr="192.168.122.158:54438"
> http.request.uri="/v2/testwebapp/manifests/sha256:
> 9799a25cd6fd7f7908bad740fc0c85823e38aa22afb22f687a5b8a3ed2bf9ec3"
> http.request.useragent="docker/1.10.3 go/go1.4.2
> git-commit/9419b24-unsupported kernel/3.10.0-327.22.2.el7.x86_64 os/linux
> arch/amd64" http.response.contenttype="application/json; charset=utf-8"
> http.response.duration=6.174905ms http.response.status=404
> http.response.written=186 instance.id=f0d70491-6e34-44eb-a51c-3b13eae8daa6
> vars.name=testwebapp vars.reference="sha256:9799a25cd6fd7f7908bad740fc0c85
> 823e38aa22afb22f687a5b8a3ed2bf9ec3" version=v2.5.0
> 192.168.122.158 - - [09/Aug/2016:13:54:45 +] "GET
> /v2/testwebapp/manifests/sha256:9799a25cd6fd7f7908bad740fc0c85
> 823e38aa22afb22f687a5b8a3ed2bf9ec3 HTTP/1.1" 404 186 "" "docker/1.10.3
> go/go1.4.2 git-commit/9419b24-unsupported kernel/3.10.0-327.22.2.el7.x86_64
> os/linux arch/amd64"
> time="2016-08-09T13:54:45Z" level=warning msg="error authorizing context:
> basic authentication challenge for realm \"Registry Realm\": invalid
> authorization credential" go.version=go1.6.3 http.request.host="
> docker-lab.example.net:5000" 
> http.request.id=0185e07b-f1c1-48e6-91ea-dede2339f087
> http.request.method=GET http.request.remoteaddr="192.168.122.158:54440"
> http.request.uri="/v2/" http.request.useragent="docker/1.10.3 go/go1.4.2
> git-commit/9419b24-unsupported kernel/3.10.0-327.22.2.el7.x86_64 os/linux
> arch/amd64" instance.id=f0d70491-6e34-44eb-a51c-3b13eae8daa6
> version=v2.5.0
> 192.168.122.158 - - [09/Aug/2016:13:54:45 +] "GET /v2/ HTTP/1.1" 401
> 87 "" "docker/1.10.3 go/go1.4.2 git-commit/9419b24-unsupported
> kernel/3.10.0-327.22.2.el7.x86_64 os/linux arch/amd64"
> time="2016-08-09T13:54:46Z" level=error msg="response completed with
> error" auth.user.name=tsaxon err.code="manifest unknown"
> err.detail="unknown manifest name=testwebapp revision=sha256:
> 9799a25cd6fd7f7908bad740fc0c85823e38aa22afb22f687a5b8a3ed2bf9ec3"
> err.message="manifest unknown" go.version=go1.6.3 

Re: accessing secure registry on master isn't possible?

2016-04-08 Thread Maciej Szulik
Have you checked with --insecure-flag as well, if the problem exists?

On Fri, Apr 8, 2016 at 11:17 AM, Den Cowboy  wrote:

> I'm using the ca.crt from /etc/origin/master/ca.crt and
> /etc/origin/node/ca.crt
>
> --
> Date: Fri, 8 Apr 2016 11:02:19 +0200
>
> Subject: Re: accessing secure registry on master isn't possible?
> From: maszu...@redhat.com
> To: dencow...@hotmail.com
> CC: users@lists.openshift.redhat.com
>
>
>
> On Fri, Apr 8, 2016 at 8:27 AM, Den Cowboy  wrote:
>
> Yes I performed the same steps on my master as on my nodes. This is the
> error:
> sudo docker login -u admin -e m...@mail.com \
> > -p token 172.30.xx.xx:5000
> Error response from daemon: invalid registry endpoint
> https://172.30.109.95:5000/v0/: unable to ping registry endpoint
> https://172.30.xx.xx:5000/v0/
> v2 ping attempt failed with error: Get https://172.30.xx.xx:5000/v2/:
> dial tcp 172.30.xx.xx:5000: i/o timeout
>  v1 ping attempt failed with error: Get
> https://172.30.xx.xx:5000/v1/_ping: dial tcp 172.30.xx.xx:5000: i/o
> timeout. If this private registry supports only HTTP or HTTPS with an
> unknown CA certificate, please add `--insecure-registry 172.30.xx.xx:5000`
> to the daemon's arguments. In the case of HTTPS, if you have access to the
> registry's CA certificate, no need for the flag; simply place the CA
> certificate at /etc/docker/certs.d/172.30.xx.xx:5000/ca.crt
>
>
> Do you have the CA cert in /etc/docker/certs.d/172.30.xx.xx:5000/ca.crt?
> The log you're seeing is the usual log that happens when you're using
> self-signed certs for the registry. Eventually make sure the above CA is
> the right one.
>
>
> While on all my 3 nodes:
>
> sudo docker login -u admin -e m...@mail.com \
> > -p token 172.30.xx.xx:5000
> WARNING: login credentials saved in /root/.docker/config.json
> Login Succeeded
>
> --
> Date: Thu, 7 Apr 2016 22:02:06 +0200
> Subject: Re: accessing secure registry on master isn't possible?
> From: maszu...@redhat.com
> To: dencow...@hotmail.com
> CC: users@lists.openshift.redhat.com
>
>
> Per
> https://docs.openshift.org/latest/install_config/install/docker_registry.html#securing-the-registry,
> step 11 and 12,
> I assume you've copied the CA certificate to the Docker certificates directory
> on all nodes and restarted the docker service; did you also do that on the
> master as well? Without it any docker operation will fail with a certificate
> check failure. What is the error you're seeing and what is the operation
> you're trying to do?
>
>
> On Thu, Apr 7, 2016 at 4:20 PM, Den Cowboy  wrote:
>
> I've created a secure registry on 1.1.6
> For the first time I've created my environment with 1 real master and 3
> nodes (one infra). (The reason for this is because I'm using the community
> ansible aws setup:
> https://github.com/openshift/openshift-ansible/blob/master/README_AWS.md)
> Normally my master is also an unschedulable node. Now I've secured my
> registry.
> I'm able to login and push to the registry from my nodes but not from my
> master?
> Is this normal, and if yes, why is it that way?
> I don't think it's an issue because the images will always be pulled and
> pushed on my nodes because only there can my containers run, but I want to
> know if it's a known thing.
>
> Thanks
>
>


Re: accessing secure registry on master isn't possible?

2016-04-08 Thread Maciej Szulik
On Fri, Apr 8, 2016 at 8:27 AM, Den Cowboy  wrote:

> Yes I performed the same steps on my master as on my nodes. This is the
> error:
> sudo docker login -u admin -e m...@mail.com \
> > -p token 172.30.xx.xx:5000
> Error response from daemon: invalid registry endpoint
> https://172.30.109.95:5000/v0/: unable to ping registry endpoint
> https://172.30.xx.xx:5000/v0/
> v2 ping attempt failed with error: Get https://172.30.xx.xx:5000/v2/:
> dial tcp 172.30.xx.xx:5000: i/o timeout
>  v1 ping attempt failed with error: Get
> https://172.30.xx.xx:5000/v1/_ping: dial tcp 172.30.xx.xx:5000: i/o
> timeout. If this private registry supports only HTTP or HTTPS with an
> unknown CA certificate, please add `--insecure-registry 172.30.xx.xx:5000`
> to the daemon's arguments. In the case of HTTPS, if you have access to the
> registry's CA certificate, no need for the flag; simply place the CA
> certificate at /etc/docker/certs.d/172.30.xx.xx:5000/ca.crt
>
>
Do you have the CA cert in /etc/docker/certs.d/172.30.xx.xx:5000/ca.crt?
The log you're seeing is the usual log that happens when you're using
self-signed certs for the registry. Eventually make sure the above CA is
the right one.


> While on all my 3 nodes:
>
> sudo docker login -u admin -e m...@mail.com \
> > -p token 172.30.xx.xx:5000
> WARNING: login credentials saved in /root/.docker/config.json
> Login Succeeded
>
> --
> Date: Thu, 7 Apr 2016 22:02:06 +0200
> Subject: Re: accessing secure registry on master isn't possible?
> From: maszu...@redhat.com
> To: dencow...@hotmail.com
> CC: users@lists.openshift.redhat.com
>
>
> Per
> https://docs.openshift.org/latest/install_config/install/docker_registry.html#securing-the-registry,
> step 11 and 12,
> I assume you've copied the CA certificate to the Docker certificates directory
> on all nodes and restarted the docker service; did you also do that on the
> master as well? Without it any docker operation will fail with a certificate
> check failure. What is the error you're seeing and what is the operation
> you're trying to do?
>
>
> On Thu, Apr 7, 2016 at 4:20 PM, Den Cowboy  wrote:
>
> I've created a secure registry on 1.1.6
> For the first time I've created my environment with 1 real master and 3
> nodes (one infra). (The reason for this is because I'm using the community
> ansible aws setup:
> https://github.com/openshift/openshift-ansible/blob/master/README_AWS.md)
> Normally my master is also an unschedulable node. Now I've secured my
> registry.
> I'm able to login and push to the registry from my nodes but not from my
> master?
> Is this normal, and if yes, why is it that way?
> I don't think it's an issue because the images will always be pulled and
> pushed on my nodes because only there can my containers run, but I want to
> know if it's a known thing.
>
> Thanks
>
>


Re: How to import private image from hub.docker to ImageStream ?

2016-02-23 Thread Maciej Szulik



On 02/23/2016 01:56 PM, Stéphane Klein wrote:

I've tried to append:

```
# oc secrets add serviceaccount/default secrets/hub.docker.io --pull
# oc secrets add serviceaccount/default secrets/hub.docker.io --for=pull
# oc secrets add serviceaccount/default secrets/hub.docker.io
# oc secrets add serviceaccount/deployer secrets/hub.docker.io
```

I always get:

```
# oc import-image api
The import completed successfully.

Name:               api
Created:            3 hours ago
Labels:
Annotations:        openshift.io/image.dockerRepositoryCheck=2016-02-23T09:14:34Z
Docker Pull Spec:   172.30.27.206:5000/foobar/api

Tag     Spec    Created         PullSpec    Image
latest  api     3 hours ago                 import failed: you may not have access to the Docker image "api"
```

Best regards,
Stéphane

2016-02-23 12:48 GMT+01:00 Stéphane Klein <cont...@stephane-klein.info>:

2016-02-23 11:05 GMT+01:00 Maciej Szulik <maszu...@redhat.com>:

Have you checked this doc:
https://docs.openshift.org/latest/architecture/core_concepts/builds_and_image_streams.html#private-registries

Thanks for this url :)

I've created my hub.docker.io secret with (I have replaced the placeholders
with my credentials):

```
oc secrets new-dockercfg SECRET --docker-server=DOCKER_REGISTRY_SERVER
--docker-username=DOCKER_USER --docker-password=DOCKER_PASSWORD
--docker-email=DOCKER_EMAIL
```

Now I have:

```
# oc get secret hub.docker.io -o json
{
 "kind": "Secret",
 "apiVersion": "v1",
 "metadata": {
 "name": "hub.docker.io",
 "namespace": "foobar-staging",
 "selfLink": "/api/v1/namespaces/foobar-staging/secrets/hub.docker.io",
 "uid": "3b1b2aa4-da15-11e5-b613-080027143490",
 "resourceVersion": "19813",
 "creationTimestamp": "2016-02-23T10:07:22Z"
 },
 "data": {
 ".dockercfg": ".."
 },
 "type": "kubernetes.io/dockercfg"
}
```

When I execute:

```
# oc import-image api
The import completed successfully.

Name:               api
Created:            2 hours ago
Labels:
Annotations:        openshift.io/image.dockerRepositoryCheck=2016-02-23T09:14:34Z
Docker Pull Spec:   172.30.27.206:5000/foobar-staging/api

Tag     Spec    Created         PullSpec    Image
latest  api     2 hours ago                 import failed: you may not have access to the Docker image "api"
```

Where is my mistake? How can I tell my ImageStream to use my
hub.docker.io secret?



It looks like there's an error in the image-import command if the
first import failed; I've created an issue to address that:
https://github.com/openshift/origin/issues/7555

Current workaround is to re-create the image stream and the import should
pick the proper secret. Btw, make sure the server is either
auth.docker.io/token or index.docker.io/v1/, otherwise it won't match
the server. The former is the new auth endpoint, the latter is the old one.

Maciej

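The secret-to-registry matching that both the August 2016 private-registry answer and this workaround depend on, as an added example and not OpenShift's own code: the secret's .dockercfg is decoded, the registry host is derived from the image reference, and a key such as hub.docker.io fails to match Docker Hub while index.docker.io/v1/ or auth.docker.io/token does. The matching rule is a simplified re-implementation, and every function name, secret, username and image reference here is constructed.

```python
"""Added example, not the project's code: how a kubernetes.io/dockercfg pull
secret is matched to the registry of an image during import. A .dockercfg maps
a registry URL to credentials; the registry host is taken from the image
reference and compared with those URLs. Docker Hub is special: the legacy key
is index.docker.io/v1/ and the newer one is auth.docker.io/token, so a secret
keyed on any other name (like hub.docker.io) matches nothing. Simplified
re-implementation for illustration; all sample values are constructed."""
import base64
import json
from urllib.parse import urlparse

# Hosts that all refer to Docker Hub.
DOCKER_HUB_ALIASES = {"docker.io", "index.docker.io", "registry-1.docker.io",
                      "auth.docker.io"}


def registry_host(image_ref):
    """Registry host of an image reference; Docker Hub when none is given."""
    first = image_ref.split("/", 1)[0]
    # The first path component is a registry only if it contains '.' or ':'
    # or is 'localhost' (the Docker reference-parsing rule).
    if "." in first or ":" in first or first == "localhost":
        return first
    return "index.docker.io"


def _host_of(dockercfg_key):
    """Normalise a .dockercfg key like 'https://index.docker.io/v1/' to host[:port]."""
    key = dockercfg_key if "://" in dockercfg_key else "//" + dockercfg_key
    return urlparse(key).netloc or dockercfg_key


def decode_dockercfg(secret):
    """Decode the base64 .dockercfg payload of a kubernetes.io/dockercfg Secret."""
    return json.loads(base64.b64decode(secret["data"][".dockercfg"]))


def find_credentials(dockercfg, image_ref):
    """Return (dockercfg key, username) whose registry matches the image, or None."""
    wanted = registry_host(image_ref)
    for key, entry in dockercfg.items():
        host = _host_of(key)
        same = host == wanted or (host in DOCKER_HUB_ALIASES and wanted in DOCKER_HUB_ALIASES)
        if same:
            user = base64.b64decode(entry["auth"]).decode().split(":", 1)[0]
            return key, user
    return None


def make_secret(name, server, username, password):
    """Constructed stand-in for what `oc secrets new-dockercfg` produces."""
    auth = base64.b64encode(f"{username}:{password}".encode()).decode()
    cfg = {server: {"auth": auth, "email": "user@example.invalid"}}  # placeholder email
    return {"kind": "Secret", "type": "kubernetes.io/dockercfg",
            "metadata": {"name": name},
            "data": {".dockercfg": base64.b64encode(json.dumps(cfg).encode()).decode()}}


if __name__ == "__main__":
    # Same Docker Hub image, one secret keyed correctly and one keyed on hub.docker.io.
    for server in ("https://index.docker.io/v1/", "auth.docker.io/token", "hub.docker.io"):
        cfg = decode_dockercfg(make_secret("hub", server, "alice", "constructed-pw"))
        print(server, "->", find_credentials(cfg, "foobar/api"))
```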