This looks like your main error:

level=error msg="OpenShift access denied: User \"system:serviceaccount:slimmelden-dev:builder\" cannot get imagestreams/layers.image.openshift.io in project \"generic\""

Looks like you're trying to reference images in one project, from a build in a different project. So you'll need to grant permissions to the builder SA to access the images in question. You can grant the system:image-pullers role.

    oc policy add-role-to-user system:image-pullers system:serviceaccount:slimmelden-dev:builder -n generic

should do it.

On Tue, May 22, 2018 at 6:49 PM, Dan Pungă <dan.pu...@gmail.com> wrote:

> I've caught another error like this one and one of the docker-registry pods gives some errors about authorization.
> I've tried adding, inside the web-interface for the docker-registry, the system:serviceaccount:slimmelde-dev:builder user to have pull access in the generic project.
>
> The docs that I've found/read about the integrated registry only describe direct access/manual to the registry: https://docs.openshift.org/latest/install_config/registry/accessing_registry.html
> Any other place to look, for my type of usage?
>
> Thank you!
>
> Logs below:
>
> time="2018-05-22T22:05:55.649683785Z" level=error msg="error authorizing context: authorization header required" go.version=go1.9.2 http.request.host="docker-registry.default.svc:5000" http.request.id=3528f4c9-f729-4bcc-abf4-ef5a271399ff http.request.method=GET http.request.remoteaddr="10.128.2.1:42438" http.request.uri=/v2/ http.request.useragent="docker/1.13.1 go/go1.8.3 kernel/3.10.0-862.2.3.el7.x86_64 os/linux arch/amd64 UpstreamClient(go-dockerclient)" instance.id=be8746aa-b85c-40fb-978f-040a25b6c1d1
>
> time="2018-05-22T22:05:55.720645637Z" level=error msg="OpenShift access denied: User \"system:serviceaccount:slimmelden-dev:builder\" cannot get imagestreams/layers.image.openshift.io in project \"generic\"" go.version=go1.9.2 http.request.host="docker-registry.default.svc:5000" http.request.id=8f5bacf4-7d34-448a-8f9b-12cb65499f5b http.request.method=GET http.request.remoteaddr="10.128.2.1:42442" http.request.uri="/v2/generic/ot-builder-npm-is/manifests/sha256:9efdf954ec62e662e67d3f1c71f9d46faf9c82c76f8513338c2a4b19b6f318b5" http.request.useragent="docker/1.13.1 go/go1.8.3 kernel/3.10.0-862.2.3.el7.x86_64 os/linux arch/amd64 UpstreamClient(go-dockerclient)" instance.id=be8746aa-b85c-40fb-978f-040a25b6c1d1 openshift.auth.user="system:serviceaccount:slimmelden-dev:builder" vars.name=generic/ot-builder-npm-is vars.reference="sha256:9efdf954ec62e662e67d3f1c71f9d46faf9c82c76f8513338c2a4b19b6f318b5"
>
> time="2018-05-22T22:05:55.720783744Z" level=error msg="error authorizing context: access denied" go.version=go1.9.2 http.request.host="docker-registry.default.svc:5000" http.request.id=8f5bacf4-7d34-448a-8f9b-12cb65499f5b http.request.method=GET http.request.remoteaddr="10.128.2.1:42442" http.request.uri="/v2/generic/ot-builder-npm-is/manifests/sha256:9efdf954ec62e662e67d3f1c71f9d46faf9c82c76f8513338c2a4b19b6f318b5" http.request.useragent="docker/1.13.1 go/go1.8.3 kernel/3.10.0-862.2.3.el7.x86_64 os/linux arch/amd64 UpstreamClient(go-dockerclient)" instance.id=be8746aa-b85c-40fb-978f-040a25b6c1d1 vars.name=generic/ot-builder-npm-is vars.reference="sha256:9efdf954ec62e662e67d3f1c71f9d46faf9c82c76f8513338c2a4b19b6f318b5"
>
> time="2018-05-22T22:05:55.924000499Z" level=error msg="error authorizing context: authorization header required" go.version=go1.9.2 http.request.host="docker-registry.default.svc:5000" http.request.id=5ac69bd6-f5f1-40cc-8f20-7bd3ed5dfb98 http.request.method=GET http.request.remoteaddr="10.128.2.1:42444" http.request.uri=/v2/ http.request.useragent="docker/1.13.1 go/go1.8.3 kernel/3.10.0-862.2.3.el7.x86_64 os/linux arch/amd64 UpstreamClient(go-dockerclient)" instance.id=be8746aa-b85c-40fb-978f-040a25b6c1d1
>
> time="2018-05-22T22:05:55.997011922Z" level=error msg="OpenShift access denied: User \"system:serviceaccount:slimmelden-dev:builder\" cannot get imagestreams/layers.image.openshift.io in project \"generic\"" go.version=go1.9.2 http.request.host="docker-registry.default.svc:5000" http.request.id=a5327070-a760-441f-98b3-704cf181692c http.request.method=GET http.request.remoteaddr="10.128.2.1:42448" http.request.uri="/v2/generic/ot-builder-npm-is/manifests/sha256:9efdf954ec62e662e67d3f1c71f9d46faf9c82c76f8513338c2a4b19b6f318b5" http.request.useragent="docker/1.13.1 go/go1.8.3 kernel/3.10.0-862.2.3.el7.x86_64 os/linux arch/amd64 UpstreamClient(go-dockerclient)" instance.id=be8746aa-b85c-40fb-978f-040a25b6c1d1 openshift.auth.user="system:serviceaccount:slimmelden-dev:builder" vars.name=generic/ot-builder-npm-is vars.reference="sha256:9efdf954ec62e662e67d3f1c71f9d46faf9c82c76f8513338c2a4b19b6f318b5"
>
> time="2018-05-22T22:05:55.997142473Z" level=error msg="error authorizing context: access denied" go.version=go1.9.2 http.request.host="docker-registry.default.svc:5000" http.request.id=a5327070-a760-441f-98b3-704cf181692c http.request.method=GET http.request.remoteaddr="10.128.2.1:42448" http.request.uri="/v2/generic/ot-builder-npm-is/manifests/sha256:9efdf954ec62e662e67d3f1c71f9d46faf9c82c76f8513338c2a4b19b6f318b5" http.request.useragent="docker/1.13.1 go/go1.8.3 kernel/3.10.0-862.2.3.el7.x86_64 os/linux arch/amd64 UpstreamClient(go-dockerclient)" instance.id=be8746aa-b85c-40fb-978f-040a25b6c1d1 vars.name=generic/ot-builder-npm-is vars.reference="sha256:9efdf954ec62e662e67d3f1c71f9d46faf9c82c76f8513338c2a4b19b6f318b5"
>
> On 22.05.2018 19:49, Ben Parees wrote:
>
> On Tue, May 22, 2018 at 11:46 AM, Dan Pungă <dan.pu...@gmail.com> wrote:
>
>> Hello all!
>>
>> I'm experiencing a problem when trying to pull an image from Openshift's container registry.
>> I've recently installed OpenshiftOrigin 3.9 with docker-registry deployed.
>>
>> I'm using 2 projects, one where "generic" images are built and one for "applications". When running a build in the "application" project that is based on an image from the "generic" project, the build process fails at times with errors such as:
>>
>> Pulling image docker-registry.default.svc:5000/generic/ot-builder-maven-is@sha256:ff3a7e558a44adc6212bd86dc3c0799537afd47f05be5678b0b986f7c7e3398c ...
>> Checking for Docker config file for PULL_DOCKERCFG_PATH in path /var/run/secrets/openshift.io/pull
>> Using Docker config file /var/run/secrets/openshift.io/pull/.dockercfg
>> Step 1/11 : FROM docker-registry.default.svc:5000/generic/ot-builder-maven-is@sha256:ff3a7e558a44adc6212bd86dc3c0799537afd47f05be5678b0b986f7c7e3398c
>> Trying to pull repository docker-registry.default.svc:5000/generic/ot-builder-maven-is ...
>> error: build error: unauthorized: authentication required
>>
>> The imagestream is there and the sha is the right one. This seems to happen at random and it goes away if I pause between build tries....so random.
>>
>
> It might be enlightening to look at the logs from the registry pod (or pods if you're running multiple replica instances) to see if it's getting errors talking to the api server.
>
>> I haven't done some thorough tests to see if it's the same behaviour for source imageStreams inside the same project...
>> Any idea what to try?
>>
>> Not sure if this is related, but I was trying to login to the registry and trying to do this from outside the cluster, I get
>> Error response from daemon: Get https://docker-registry-default......:5000/v2/: net/http: request canceled while waiting for connection (Client.Timeout exceeded while awaiting headers)
>> This looks like timeout config/networking issues and I wonder if it's what's causing the initial problem (even though the registry storage node, the registry pod and the application node where the build is executed are inside the same subnet).
>>
>> _______________________________________________
>> users mailing list
>> users@lists.openshift.redhat.com
>> http://lists.openshift.redhat.com/openshiftmm/listinfo/users
>>
>
> --
> Ben Parees | OpenShift

--
Ben Parees | OpenShift
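Added example, not part of the thread and not OpenShift project code: a small triage script that reads registry log lines in the format quoted above, collects the "OpenShift access denied" entries for image layer reads, and prints one narrowly scoped grant per cross-project service account. The function names are hypothetical, the sample lines are constructed by shortening entries from the quoted log, and the role is written system:image-puller, the cluster role name used in the OpenShift documentation.

```python
import re
import shlex

# Constructed sample: entries shortened from the registry log quoted in the thread.
SAMPLE_LOG = r'''
time="2018-05-22T22:05:55.649683785Z" level=error msg="error authorizing context: authorization header required" http.request.method=GET http.request.uri=/v2/
time="2018-05-22T22:05:55.720645637Z" level=error msg="OpenShift access denied: User \"system:serviceaccount:slimmelden-dev:builder\" cannot get imagestreams/layers.image.openshift.io in project \"generic\"" openshift.auth.user="system:serviceaccount:slimmelden-dev:builder" vars.name=generic/ot-builder-npm-is
time="2018-05-22T22:05:55.997011922Z" level=error msg="OpenShift access denied: User \"system:serviceaccount:slimmelden-dev:builder\" cannot get imagestreams/layers.image.openshift.io in project \"generic\"" openshift.auth.user="system:serviceaccount:slimmelden-dev:builder" vars.name=generic/ot-builder-npm-is
'''

# key=value pairs; a value is a bare token or a double-quoted string with \" escapes
FIELD = re.compile(r'([\w.]+)=("(?:[^"\\]|\\.)*"|\S*)')
DENIED = re.compile(
    r'OpenShift access denied: User "([^"]+)" cannot (\w+) (\S+) in project "([^"]+)"')

def parse_fields(line):
    """Split one registry log line into a dict, unescaping quoted values."""
    fields = {}
    for key, raw in FIELD.findall(line):
        if raw.startswith('"'):
            raw = re.sub(r'\\(.)', r'\1', raw[1:-1])
        fields[key] = raw
    return fields

def denied_pulls(log_text):
    """Return {(user, project): {repositories}} for denied layer reads."""
    found = {}
    for line in log_text.splitlines():
        fields = parse_fields(line)
        match = DENIED.search(fields.get("msg", ""))
        if not match:
            continue
        user, verb, resource, project = match.groups()
        if verb == "get" and resource.startswith("imagestreams/layers"):
            found.setdefault((user, project), set()).add(fields.get("vars.name", "?"))
    return found

def suggested_grants(log_text, role="system:image-puller"):
    """One grant per service account pulling from a project other than its own."""
    commands = []
    for user, project in sorted(denied_pulls(log_text)):
        parts = user.split(":")
        if len(parts) == 4 and parts[:2] == ["system", "serviceaccount"] and parts[2] != project:
            commands.append("oc policy add-role-to-user %s %s -n %s"
                            % (role, shlex.quote(user), shlex.quote(project)))
    return commands

if __name__ == "__main__":
    print("\n".join(suggested_grants(SAMPLE_LOG)))
```

Repeated denials for the same account and project collapse into a single grant, and accounts that already live in the target project are skipped, so the output stays limited to the cross-project pulls that actually failed.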