Re: Problem authenticating to private docker registry

Wed, 10 Aug 2016 02:47:45 -0700 

You need to follow the docs here:
https://docs.openshift.org/latest/dev_guide/managing_images.html#private-registries
to setup the secret in the same project your ImageStream is created and
then re-import the image.
During import proper secrets will be picked automatically based on the urls
of the registry and your image metadata
should be downloaded to the server. This will handle the import part, now
for actually using an image from private
registry you need to follow this:
https://docs.openshift.org/latest/dev_guide/managing_images.html#allowing-pods-to-reference-images-from-other-secured-registries

Hope that helps,
Maciej

On Tue, Aug 9, 2016 at 4:00 PM, Tony Saxon <tony.sa...@gmail.com> wrote:

> I'm not sure what I'm missing here. I have a private docker registry that
> is set up securely and uses authentication. I followed the docs at
> https://docs.openshift.org/latest/dev_guide/managing_
> images.html#using-image-pull-secrets to create the secret with the
> username and password to authenticate with the docker registry. I verified
> that I can manually login to the docker registry from the master and the
> nodes. However, when I go to deploy a new app based on an image from the
> docker registry it seem to be failing to authenticate. The command that I'm
> running to create the new app:
>
> oc new-app docker-lab.example.net:5000/testwebapp:latest
>
> It creates the imagestream and attempts to deploy the pod. I get the
> following in the logs on the pod:
>
> # oc logs testwebapp-1-us1wu
> Error from server: container "testwebapp" in pod "testwebapp-1-us1wu" is
> waiting to start: image can't be pulled
>
> The logs on the docker registry show:
>
> time="2016-08-09T13:54:45Z" level=warning msg="error authorizing context:
> basic authentication challenge for realm \"Registry Realm\": invalid
> authorization credential" go.version=go1.6.3 http.request.host="
> docker-lab.example.net:5000" 
> http.request.id=f5aeb8b9-ce4e-41b7-86a8-76e8c520bd22
> http.request.method=GET http.request.remoteaddr="192.168.122.158:54436"
> http.request.uri="/v2/" http.request.useragent="docker/1.10.3 go/go1.4.2
> git-commit/9419b24-unsupported kernel/3.10.0-327.22.2.el7.x86_64 os/linux
> arch/amd64" instance.id=f0d70491-6e34-44eb-a51c-3b13eae8daa6
> version=v2.5.0
> 192.168.122.158 - - [09/Aug/2016:13:54:45 +0000] "GET /v2/ HTTP/1.1" 401
> 87 "" "docker/1.10.3 go/go1.4.2 git-commit/9419b24-unsupported
> kernel/3.10.0-327.22.2.el7.x86_64 os/linux arch/amd64"
> time="2016-08-09T13:54:45Z" level=error msg="response completed with
> error" auth.user.name=tsaxon err.code="manifest unknown"
> err.detail="unknown manifest name=testwebapp revision=sha256:
> 9799a25cd6fd7f7908bad740fc0c85823e38aa22afb22f687a5b8a3ed2bf9ec3"
> err.message="manifest unknown" go.version=go1.6.3 http.request.host="
> docker-lab.example.net:5000" 
> http.request.id=130a9014-7c19-48f7-bef3-2b8cfe0470a0
> http.request.method=GET http.request.remoteaddr="192.168.122.158:54438"
> http.request.uri="/v2/testwebapp/manifests/sha256:
> 9799a25cd6fd7f7908bad740fc0c85823e38aa22afb22f687a5b8a3ed2bf9ec3"
> http.request.useragent="docker/1.10.3 go/go1.4.2
> git-commit/9419b24-unsupported kernel/3.10.0-327.22.2.el7.x86_64 os/linux
> arch/amd64" http.response.contenttype="application/json; charset=utf-8"
> http.response.duration=6.174905ms http.response.status=404
> http.response.written=186 instance.id=f0d70491-6e34-44eb-a51c-3b13eae8daa6
> vars.name=testwebapp vars.reference="sha256:9799a25cd6fd7f7908bad740fc0c85
> 823e38aa22afb22f687a5b8a3ed2bf9ec3" version=v2.5.0
> 192.168.122.158 - - [09/Aug/2016:13:54:45 +0000] "GET
> /v2/testwebapp/manifests/sha256:9799a25cd6fd7f7908bad740fc0c85
> 823e38aa22afb22f687a5b8a3ed2bf9ec3 HTTP/1.1" 404 186 "" "docker/1.10.3
> go/go1.4.2 git-commit/9419b24-unsupported kernel/3.10.0-327.22.2.el7.x86_64
> os/linux arch/amd64"
> time="2016-08-09T13:54:45Z" level=warning msg="error authorizing context:
> basic authentication challenge for realm \"Registry Realm\": invalid
> authorization credential" go.version=go1.6.3 http.request.host="
> docker-lab.example.net:5000" 
> http.request.id=0185e07b-f1c1-48e6-91ea-dede2339f087
> http.request.method=GET http.request.remoteaddr="192.168.122.158:54440"
> http.request.uri="/v2/" http.request.useragent="docker/1.10.3 go/go1.4.2
> git-commit/9419b24-unsupported kernel/3.10.0-327.22.2.el7.x86_64 os/linux
> arch/amd64" instance.id=f0d70491-6e34-44eb-a51c-3b13eae8daa6
> version=v2.5.0
> 192.168.122.158 - - [09/Aug/2016:13:54:45 +0000] "GET /v2/ HTTP/1.1" 401
> 87 "" "docker/1.10.3 go/go1.4.2 git-commit/9419b24-unsupported
> kernel/3.10.0-327.22.2.el7.x86_64 os/linux arch/amd64"
> time="2016-08-09T13:54:46Z" level=error msg="response completed with
> error" auth.user.name=tsaxon err.code="manifest unknown"
> err.detail="unknown manifest name=testwebapp revision=sha256:
> 9799a25cd6fd7f7908bad740fc0c85823e38aa22afb22f687a5b8a3ed2bf9ec3"
> err.message="manifest unknown" go.version=go1.6.3 http.request.host="
> docker-lab.example.net:5000" 
> http.request.id=c1ab0cd7-42ac-4fef-b2c4-0f451976e302
> http.request.method=GET http.request.remoteaddr="192.168.122.158:54442"
> http.request.uri="/v2/testwebapp/manifests/sha256:
> 9799a25cd6fd7f7908bad740fc0c85823e38aa22afb22f687a5b8a3ed2bf9ec3"
> http.request.useragent="docker/1.10.3 go/go1.4.2
> git-commit/9419b24-unsupported kernel/3.10.0-327.22.2.el7.x86_64 os/linux
> arch/amd64" http.response.contenttype="application/json; charset=utf-8"
> http.response.duration=6.28913ms http.response.status=404
> http.response.written=186 instance.id=f0d70491-6e34-44eb-a51c-3b13eae8daa6
> vars.name=testwebapp vars.reference="sha256:9799a25cd6fd7f7908bad740fc0c85
> 823e38aa22afb22f687a5b8a3ed2bf9ec3" version=v2.5.0
> 192.168.122.158 - - [09/Aug/2016:13:54:46 +0000] "GET
> /v2/testwebapp/manifests/sha256:9799a25cd6fd7f7908bad740fc0c85
> 823e38aa22afb22f687a5b8a3ed2bf9ec3 HTTP/1.1" 404 186 "" "docker/1.10.3
> go/go1.4.2 git-commit/9419b24-unsupported kernel/3.10.0-327.22.2.el7.x86_64
> os/linux arch/amd64"
>
> Here are the service accounts showing that they have the image pull secret
> added (docker-lab):
>
> [root@os-master ~]# oc get serviceaccounts
> NAME       SECRETS   AGE
> builder    3         21h
> default    2         21h
> deployer   3         21h
> [root@os-master ~]# oc describe serviceaccounts default
> Name:           default
> Namespace:      testwebapp
> Labels:         <none>
>
> Image pull secrets:     default-dockercfg-pfota
>                         eip-docker
>                         docker-lab
>
> Mountable secrets:      default-token-xffu5
>                         default-dockercfg-pfota
>
> Tokens:                 default-token-vbcmc
>                         default-token-xffu5
>
>
>
> [root@os-master ~]# oc describe serviceaccounts builder
> Name:           builder
> Namespace:      testwebapp
> Labels:         <none>
>
> Image pull secrets:     builder-dockercfg-7bjoo
>                         docker-lab
>
> Mountable secrets:      builder-token-wf31u
>                         builder-dockercfg-7bjoo
>                         eip-docker
>
> Tokens:                 builder-token-gi9o9
>                         builder-token-wf31u
>
>
>
> [root@os-master ~]# oc describe serviceaccounts deployer
> Name:           deployer
> Namespace:      testwebapp
> Labels:         <none>
>
> Image pull secrets:     deployer-dockercfg-lfiuw
>                         docker-lab
>
> Mountable secrets:      deployer-token-9euo2
>                         deployer-dockercfg-lfiuw
>                         eip-docker
>
> Tokens:                 deployer-token-9euo2
>                         deployer-token-mq6vw
>
>
> Not sure what I could be missing.
>
> _______________________________________________
> users mailing list
> users@lists.openshift.redhat.com
> http://lists.openshift.redhat.com/openshiftmm/listinfo/users
>
>

_______________________________________________
users mailing list
users@lists.openshift.redhat.com
http://lists.openshift.redhat.com/openshiftmm/listinfo/users

Reply via email to