This works. Would have thought the api server address was added
automatically to NO_PROXY?

-bash-4.2$ oc rsh docker-registry-1-9z8p2
sh-4.2$ export NO_PROXY=$NO_PROXY,172.23.192.1
sh-4.2$ oc whoami
system:serviceaccount:default:registry
sh-4.2$

On 26 October 2017 at 20:54, Ben Parees <bpar...@redhat.com> wrote:

>
>
> On Thu, Oct 26, 2017 at 11:50 AM, Lionel Orellana <lione...@gmail.com>
> wrote:
>
>> I didn't put it there.
>>
>> In another cluster this works.
>>
>> -bash-4.2$ oc rsh docker-registry-9-c9mgd oc whoami
>> system:serviceaccount:default:registry
>>
>> -bash-4.2$ oc rsh docker-registry-9-c9mgd which oc
>> /usr/bin/oc
>>
>>
> ok, it looks like it was removed on 3.7.
>
> Anyway you've certainly established there is a networking issue between
> your registry pod and the api server in your cluster
> (but oddly not between other pods and the api server)  Adding the
> networking team to the thread.
>
>
>
>
>>
>> On 26 October 2017 at 20:37, Ben Parees <bpar...@redhat.com> wrote:
>>
>>>
>>>
>>> On Thu, Oct 26, 2017 at 10:53 AM, Lionel Orellana <lione...@gmail.com>
>>> wrote:
>>>
>>>> Interestingly
>>>>
>>>> -bash-4.2$ oc rsh router-1-bf95x oc whoami
>>>> system:serviceaccount:default:router
>>>> -bash-4.2$ oc rsh docker-registry-1-9z8p2 oc whoami
>>>> Unable to connect to the server: Service Unavailable
>>>> command terminated with exit code 1
>>>>
>>>
>>> the registry image doesn't even contain an oc client binary (unless you
>>> put one there?) so i'm not sure what that is doing.
>>>
>>>
>>>
>>>>
>>>> On 26 October 2017 at 19:50, Lionel Orellana <lione...@gmail.com>
>>>> wrote:
>>>>
>>>>> Well this works from one of the hosts (using a token from oc whoami)
>>>>>
>>>>> curl -X GET -H "Authorization: Bearer $TOKEN"
>>>>> https://172.23.192.1/oapi/v1/users/~
>>>>>
>>>>> In the error msg
>>>>>
>>>>> msg="*invalid token*: Get https://172.23.192.1:443/oapi/v1/users/~
>>>>> <https://172.23.192.1/oapi/v1/users/~>: Service Unavailable"
>>>>>
>>>>> I wonder if the invalid token part is the issue.
>>>>>
>>>>> On 26 October 2017 at 19:16, Ben Parees <bpar...@redhat.com> wrote:
>>>>>
>>>>>>
>>>>>>
>>>>>> On Thu, Oct 26, 2017 at 8:11 AM, Lionel Orellana <lione...@gmail.com>
>>>>>> wrote:
>>>>>>
>>>>>>> Hi,
>>>>>>>
>>>>>>> In a new OCP 3.6 installation I'm trying to deploy JBoss EAP 7.0
>>>>>>> from the catalog.
>>>>>>>
>>>>>>> This is in a project for which I am the admin.
>>>>>>>
>>>>>>> It's failing to push the image to the registry
>>>>>>>
>>>>>>> Pushing image docker-registry.default.svc:5000/bimorl/jboss-eap70:latest
>>>>>>> ...
>>>>>>> Registry server Address:
>>>>>>> Registry server User Name: serviceaccount
>>>>>>> Registry server Email: serviceacco...@example.org
>>>>>>> Registry server Password: <<non-empty>>
>>>>>>> error: build error: Failed to push image: unauthorized:
>>>>>>> authentication required
>>>>>>>
>>>>>>
>>>>>>> In the registry logs I see
>>>>>>>
>>>>>>> 172.23.140.1 - - [26/Oct/2017:05:08:19 +0000] "GET
>>>>>>> /openshift/token?account=serviceaccount&scope=repository%3Ab
>>>>>>> imorl%2Fjboss-eap70%3Apush%2Cpull HTTP/1.1" 401 0 "" "docker/1.12.6
>>>>>>> go/go1.8.3 kernel/3.10.0-693.2.2.el7.x86_64 os/linux arch/amd64
>>>>>>> UpstreamClient(go-dockerclient)"
>>>>>>> time="2017-10-26T05:08:19.116844289Z" level=debug msg="invalid
>>>>>>> token: Get https://172.23.192.1:443/oapi/v1/users/~: *Service
>>>>>>> Unavailable*" go.version=go1.7.6 
>>>>>>> http.request.host="docker-registry.default.svc:5000"
>>>>>>> http.request.id=467674a1-8618-4986-9e7f-b92a06afa43d
>>>>>>> http.request.method=GET http.request.remoteaddr="172.23.140.1:38284"
>>>>>>> http.request.uri="/openshift/token?account=serviceaccount&sc
>>>>>>> ope=repository%3Abimorl%2Fjboss-eap70%3Apush%2Cpull"
>>>>>>> http.request.useragent="docker/1.12.6 go/go1.8.3
>>>>>>> kernel/3.10.0-693.2.2.el7.x86_64 os/linux arch/amd64
>>>>>>> UpstreamClient(go-dockerclient)" 
>>>>>>> instance.id=e5e8a55e-c3bc-4dfa-a706-e844ddbbdf44
>>>>>>> openshift.logger=registry
>>>>>>>
>>>>>>
>>>>>> sounds like your registry is unable to reach your api server.  I
>>>>>> would check if other pods running within your cluster are able to access
>>>>>> the api server (ie run oc client commands from within a pod, against the
>>>>>> kubernetes service ip)
>>>>>>
>>>>>>
>>>>>>
>>>>>>>
>>>>>>> Any ideas?
>>>>>>>
>>>>>>> Thanks
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> users mailing list
>>>>>>> users@lists.openshift.redhat.com
>>>>>>> http://lists.openshift.redhat.com/openshiftmm/listinfo/users
>>>>>>>
>>>>>>>
>>>>>>
>>>>>>
>>>>>> --
>>>>>> Ben Parees | OpenShift
>>>>>>
>>>>>>
>>>>>
>>>>
>>>
>>>
>>> --
>>> Ben Parees | OpenShift
>>>
>>>
>>
>
>
> --
> Ben Parees | OpenShift
>
>
_______________________________________________
users mailing list
users@lists.openshift.redhat.com
http://lists.openshift.redhat.com/openshiftmm/listinfo/users
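
Added example, not part of the original thread: a shell check for the condition the first message works around, namely an API service IP that is missing from NO_PROXY while a proxy is configured in the pod. The matching is simplified (exact host or IP, `*`, domain suffix; CIDR entries are not evaluated), and the proxy URL and sample NO_PROXY list are constructed placeholders.

```shell
#!/bin/sh
# Added example. Simplified NO_PROXY matching (assumption): exact host/IP,
# "*" wildcard and domain-suffix entries. CIDR entries are not evaluated.

# no_proxy_covers HOST LIST -> status 0 if HOST is exempt from the proxy.
# The body runs in a subshell so IFS and "set -f" do not leak to the caller.
no_proxy_covers() (
    host=$1
    IFS=,
    set -f                       # no glob expansion while splitting the list
    for entry in $2; do
        entry=$(printf '%s' "$entry" | tr -d '[:space:]')
        case $entry in
            '') continue ;;
            '*') exit 0 ;;
            "$host") exit 0 ;;
        esac
        # Suffix rules apply to names only, never to literal IPv4 addresses.
        case $host in *[!0-9.]*) ;; *) continue ;; esac
        suffix=${entry#.}
        case $host in *".$suffix") exit 0 ;; esac
    done
    exit 1
)

# api_proxy_state HOST PROXY LIST -> prints direct | bypassed | proxied
api_proxy_state() {
    if [ -z "$2" ]; then
        echo direct              # no proxy configured at all
    elif no_proxy_covers "$1" "$3"; then
        echo bypassed            # proxy set, but HOST is in NO_PROXY
    else
        echo proxied             # API calls would be sent to the proxy
    fi
}

# Constructed sample: the service IP from the thread, before and after the export.
api=172.23.192.1
before=".cluster.local,.svc,localhost"          # placeholder list
echo "before: $(api_proxy_state "$api" http://proxy.example:3128 "$before")"
echo "after:  $(api_proxy_state "$api" http://proxy.example:3128 "$before,$api")"

# Inside a pod, check the live values (Kubernetes sets KUBERNETES_SERVICE_HOST).
if [ -n "${KUBERNETES_SERVICE_HOST:-}" ]; then
    api_proxy_state "$KUBERNETES_SERVICE_HOST" \
        "${HTTPS_PROXY:-${https_proxy:-}}" "${NO_PROXY:-${no_proxy:-}}"
fi
```

A result of `proxied` for the API service IP inside the registry pod means token validation requests are being sent to the proxy rather than straight to the API server.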
