Re: Image pull error when using the integrated registry

[Ben Parees]

this looks like your main error:

level=error msg="OpenShift access denied: User
\"system:serviceaccount:slimmelden-dev:builder\"
cannot get imagestreams/layers.image.openshift.io in project \"generic\""

looks like you're trying to reference images in one project, from a build
in a different project.  So you'll need to grant permissions to the builder
SA to access the images in question.  You can grant the
system:image-pullers role.

oc policy add-role-to-user system:image-pullers
system:serviceaccount:slimmelden-dev:builder
-n generic

should do it.


On Tue, May 22, 2018 at 6:49 PM, Dan Pungă <dan.pu...@gmail.com> wrote:

> I've caught another error like this one and one of the docker-registry
> pods gives some errors about authorization.
> I've tried adding, inside the web-interface for the docker-registry, the
> system:serviceaccount:slimmelde-dev:builder user to have pull access in
> the generic project.
>
> The docs that I've found/read about the integrated registry only describe
> direct access/manual to the registry: https://docs.openshift.org/
> latest/install_config/registry/accessing_registry.html
> Any other place to look, for my type of usage?
>
> Thank you!
>
> Logs below:
>
> time="2018-05-22T22:05:55.649683785Z" level=error msg="error authorizing
> context: authorization header required" go.version=go1.9.2
> http.request.host="docker-registry.default.svc:5000" http.request.id
> =3528f4c9-f729-4bcc-abf4-ef5a271399ff http.request.method=GET
> http.request.remoteaddr="10.128.2.1:42438" http.request.uri=/v2/
> http.request.useragent="docker/1.13.1 go/go1.8.3
> kernel/3.10.0-862.2.3.el7.x86_64 os/linux arch/amd64 
> UpstreamClient(go-dockerclient)"
> instance.id=be8746aa-b85c-40fb-978f-040a25b6c1d1
>
> time="2018-05-22T22:05:55.720645637Z" level=error msg="OpenShift access
> denied: User \"system:serviceaccount:slimmelden-dev:builder\" cannot get
> imagestreams/layers.image.openshift.io in project \"generic\""
> go.version=go1.9.2 http.request.host="docker-registry.default.svc:5000"
> http.request.id=8f5bacf4-7d34-448a-8f9b-12cb65499f5b
> http.request.method=GET http.request.remoteaddr="10.128.2.1:42442"
> http.request.uri="/v2/generic/ot-builder-npm-is/manifests/sha256:
> 9efdf954ec62e662e67d3f1c71f9d46faf9c82c76f8513338c2a4b19b6f318b5"
> http.request.useragent="docker/1.13.1 go/go1.8.3
> kernel/3.10.0-862.2.3.el7.x86_64 os/linux arch/amd64 
> UpstreamClient(go-dockerclient)"
> instance.id=be8746aa-b85c-40fb-978f-040a25b6c1d1
> openshift.auth.user="system:serviceaccount:slimmelden-dev:builder"
> vars.name=generic/ot-builder-npm-is vars.reference="sha256:
> 9efdf954ec62e662e67d3f1c71f9d46faf9c82c76f8513338c2a4b19b6f318b5"
>
> time="2018-05-22T22:05:55.720783744Z" level=error msg="error authorizing
> context: access denied" go.version=go1.9.2 
> http.request.host="docker-registry.default.svc:5000"
> http.request.id=8f5bacf4-7d34-448a-8f9b-12cb65499f5b
> http.request.method=GET http.request.remoteaddr="10.128.2.1:42442"
> http.request.uri="/v2/generic/ot-builder-npm-is/manifests/sha256:
> 9efdf954ec62e662e67d3f1c71f9d46faf9c82c76f8513338c2a4b19b6f318b5"
> http.request.useragent="docker/1.13.1 go/go1.8.3
> kernel/3.10.0-862.2.3.el7.x86_64 os/linux arch/amd64 
> UpstreamClient(go-dockerclient)"
> instance.id=be8746aa-b85c-40fb-978f-040a25b6c1d1 vars.name
> =generic/ot-builder-npm-is vars.reference="sha256:
> 9efdf954ec62e662e67d3f1c71f9d46faf9c82c76f8513338c2a4b19b6f318b5"
>
> time="2018-05-22T22:05:55.924000499Z" level=error msg="error authorizing
> context: authorization header required" go.version=go1.9.2
> http.request.host="docker-registry.default.svc:5000" http.request.id
> =5ac69bd6-f5f1-40cc-8f20-7bd3ed5dfb98 http.request.method=GET
> http.request.remoteaddr="10.128.2.1:42444" http.request.uri=/v2/
> http.request.useragent="docker/1.13.1 go/go1.8.3
> kernel/3.10.0-862.2.3.el7.x86_64 os/linux arch/amd64 
> UpstreamClient(go-dockerclient)"
> instance.id=be8746aa-b85c-40fb-978f-040a25b6c1d1
>
> time="2018-05-22T22:05:55.997011922Z" level=error msg="OpenShift access
> denied: User \"system:serviceaccount:slimmelden-dev:builder\" cannot get
> imagestreams/layers.image.openshift.io in project \"generic\""
> go.version=go1.9.2 http.request.host="docker-registry.default.svc:5000"
> http.request.id=a5327070-a760-441f-98b3-704cf181692c
> http.request.method=GET http.request.remoteaddr="10.128.2.1:42448"
> http.request.uri="/v2/generic/ot-builder-npm-is/manifests/sha256:
> 9efdf954ec62e662e67d3f1c71f9d46faf9c82c76f8513338c2a4b19b6f318b5"
> http.request.useragent="docker/1.13.1 go/go1.8.3
> kernel/3.10.0-862.2.3.el7.x86_64 os/linux arch/amd64 
> UpstreamClient(go-dockerclient)"
> instance.id=be8746aa-b85c-40fb-978f-040a25b6c1d1
> openshift.auth.user="system:serviceaccount:slimmelden-dev:builder"
> vars.name=generic/ot-builder-npm-is vars.reference="sha256:
> 9efdf954ec62e662e67d3f1c71f9d46faf9c82c76f8513338c2a4b19b6f318b5"
>
> time="2018-05-22T22:05:55.997142473Z" level=error msg="error authorizing
> context: access denied" go.version=go1.9.2 
> http.request.host="docker-registry.default.svc:5000"
> http.request.id=a5327070-a760-441f-98b3-704cf181692c
> http.request.method=GET http.request.remoteaddr="10.128.2.1:42448"
> http.request.uri="/v2/generic/ot-builder-npm-is/manifests/sha256:
> 9efdf954ec62e662e67d3f1c71f9d46faf9c82c76f8513338c2a4b19b6f318b5"
> http.request.useragent="docker/1.13.1 go/go1.8.3
> kernel/3.10.0-862.2.3.el7.x86_64 os/linux arch/amd64 
> UpstreamClient(go-dockerclient)"
> instance.id=be8746aa-b85c-40fb-978f-040a25b6c1d1 vars.name
> =generic/ot-builder-npm-is vars.reference="sha256:
> 9efdf954ec62e662e67d3f1c71f9d46faf9c82c76f8513338c2a4b19b6f318b5"
>
>
>
>
>
>
>
> On 22.05.2018 19:49, Ben Parees wrote:
>
>
>
> On Tue, May 22, 2018 at 11:46 AM, Dan Pungă <dan.pu...@gmail.com> wrote:
>
>> Hello all!
>>
>> I'm experiencing a problem when trying to pull an image from Openshift's
>> container registry.
>> I've recently installed OpenshiftOrigin 3.9 with docker-registry deployed.
>>
>> I'm using 2 projects, one where "generic" images are built and one for
>> "applications". When running a build in the "application" project that is
>> based on an image from the "generic" project, the build process fails at
>> times with errors such:
>>
>> Pulling image docker-registry.default.svc:50
>> 00/generic/ot-builder-maven-is@sha256:ff3a7e558a44adc6212bd8
>> 6dc3c0799537afd47f05be5678b0b986f7c7e3398c ...
>> Checking for Docker config file for PULL_DOCKERCFG_PATH in path
>> /var/run/secrets/openshift.io/pull
>> Using Docker config file /var/run/secrets/openshift.io/pull/.dockercfg
>> Step 1/11 : FROM docker-registry.default.svc:50
>> 00/generic/ot-builder-maven-is@sha256:ff3a7e558a44adc6212bd8
>> 6dc3c0799537afd47f05be5678b0b986f7c7e3398c
>> Trying to pull repository 
>> docker-registry.default.svc:5000/generic/ot-builder-maven-is
>> ...
>> error: build error: unauthorized: authentication required
>>
>> The imagestream is there and the sha is the right one. This seems to
>> happen at random and it goes away if I pause between build tries....so
>> random.
>>
>
> it might be enlightening to look at the logs from the registry pod(or pods
> if you're running multiple replica instances) to see if it's getting errors
> talking to the api server.
>
> I haven't done some through tests to see if it's the same behaviour for
>> source imageStreams inside the same project...
>> Any idea what to try?
>>
>> Not sure if this is related, but I was trying to login to the registry
>> and trying to this from outside the cluster, I get
>> Error response from daemon: Get https://docker-registry-defaul
>> t......:5000/v2/: net/http: request canceled while waiting for
>> connection (Client.Timeout exceeded while awaiting headers)
>> This looks like timeout config/networking issues and I wonder if it's
>> what causing the initial problem(even though the registry storage node, the
>> registry pod and the application node where the build is executed are
>> inside the same subnet).
>>
>>
>> _______________________________________________
>> users mailing list
>> users@lists.openshift.redhat.com
>> http://lists.openshift.redhat.com/openshiftmm/listinfo/users
>>
>>
>
>
> --
> Ben Parees | OpenShift
>
>
>


-- 
Ben Parees | OpenShift

_______________________________________________
users mailing list
users@lists.openshift.redhat.com
http://lists.openshift.redhat.com/openshiftmm/listinfo/users