Reply: Re: authentication required even for pulling images from private registry

2017-10-18 Thread Yu Wei
Image and pods are in the same project.

Jared
Interested in cloud computing,big data processing,linux

On 19 October 2017 at 4:39 AM, Joel Pearson wrote:
Is the image in a different project than the one you’re trying to run it in?

Ie the image lives in project a and you’re trying to run the pod in project b

In that scenario you need to grant some sort of permissions (image-pull or 
something).
On Thu, 19 Oct 2017 at 4:32 am, Yu Wei wrote:

Hi,

I setup openshift origin cluster 3.6 and found a problem with private registry.

Image was failed to be pulled by work node with error as below,

rpc error: code = 2 desc = unauthorized: authentication required


However, the registry works well and I also could find the image via 
docker-console.

I installed the cluster via "Advanced installation". It seemed insecure 
registry is not enabled.


How could I check what's wrong in my env?



Thanks,

Jared, (韦煜)
Software developer
Interested in open source software, big data, Linux

___
users mailing list
users@lists.openshift.redhat.com
http://lists.openshift.redhat.com/openshiftmm/listinfo/users
--
Kind Regards,

Joel Pearson
Agile Digital | Senior Software Consultant

Love Your Software™ | ABN 98 106 361 273
p: 1300 858 277 | m: 0405 417 843 | w: agiledigital.com.au


Re: authentication required even for pulling images from private registry

2017-10-18 Thread Joel Pearson
Is the image in a different project than the one you’re trying to run it in?

Ie the image lives in project a and you’re trying to run the pod in project
b

In that scenario you need to grant some sort of permissions (image-pull or
something).
On Thu, 19 Oct 2017 at 4:32 am, Yu Wei wrote:

> Hi,
>
> I setup openshift origin cluster 3.6 and found a problem with private
> registry.
>
> Image was failed to be pulled by work node with error as below,
>
> rpc error: code = 2 desc = unauthorized: authentication required
>
>
> However, the registry works well and I also could find the image via
> docker-console.
>
> I installed the cluster via "Advanced installation". It seemed insecure
> registry is not enabled.
>
>
> How could I check what's wrong in my env?
>
>
>
> Thanks,
>
> Jared, (韦煜)
> Software developer
> Interested in open source software, big data, Linux
>
-- 
Kind Regards,

Joel Pearson
Agile Digital | Senior Software Consultant

Love Your Software™ | ABN 98 106 361 273
p: 1300 858 277 | m: 0405 417 843 | w: agiledigital.com.au


authentication required even for pulling images from private registry

2017-10-18 Thread Yu Wei
Hi,

I setup openshift origin cluster 3.6 and found a problem with private registry.

Image was failed to be pulled by work node with error as below,

rpc error: code = 2 desc = unauthorized: authentication required


However, the registry works well and I also could find the image via 
docker-console.

I installed the cluster via "Advanced installation". It seemed insecure 
registry is not enabled.


How could I check what's wrong in my env?



Thanks,

Jared, (韦煜)
Software developer
Interested in open source software, big data, Linux


Re: Origin router and X-Forwarded-For

2017-10-18 Thread Marcello Lorenzi
Hi Aleks,
I already configured the 4 values and if I miss the intermediate CA into
the destinationCACertificate field the Origin GUI shows to me a warning
related to the certificate. The export of the command is :

apiVersion: v1
kind: Route
metadata:
  creationTimestamp: null
  name: callcentergw-dev-external
spec:
  host: callcenter.fineco.it
  port:
    targetPort: 443-tcp
  tls:
    caCertificate: |-
      -----BEGIN CERTIFICATE-----
      ….
      -----END CERTIFICATE-----
      -----BEGIN CERTIFICATE-----
      …
      -----END CERTIFICATE-----
    certificate: |-
      -----BEGIN CERTIFICATE-----
      …
      -----END CERTIFICATE-----
    destinationCACertificate: |-
      -----BEGIN CERTIFICATE-----
      …
      -----END CERTIFICATE-----
    key: |-
      -----BEGIN RSA PRIVATE KEY-----
      …
      -----END RSA PRIVATE KEY-----
    termination: reencrypt
  to:
    kind: Service
    name: callcentergw-dev
    weight: 100
  wildcardPolicy: None
status:
  ingress:
  - conditions:
    - lastTransitionTime: 2017-10-18T07:54:22Z
      status: "True"
      type: Admitted
    host: callcenter.test.local
    routerName: router
    wildcardPolicy: None


The second command results are the same in insecure and passing the cafile
formed by intermediate + root CA certificates.


* About to connect() to callcenter.test.local port 443 (#0)
*   Trying 192.168.10.10...
* Connected to callcenter.test.local (192.168.10.10) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /tmp/new-cac.crt
  CApath: none
* SSL connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
* Server certificate:
*   subject: E=my.test.local,CN=callcenter.test.local,OU=test,O=Local=Milan,ST=Italy,C=IT
*   start date: Mar 31 11:54:54 2016 GMT
*   expire date: Mar 31 11:54:54 2018 GMT
*   common name: callcenter.test.local
*   issuer: CN=Local CA Subordinate,DC=milano,DC=test,DC=local,DC=it
> GET / HTTP/1.1
> User-Agent: curl/7.29.0
> Host: callcenter.test.local
> Accept: */*
>
< HTTP/1.1 302 Found
< Date: Wed, 18 Oct 2017 08:29:17 GMT
< Server: Apache/2.4.28 (Unix) OpenSSL/1.0.2k-fips
< Location: https://callcenter.test.local/home
< Content-Length: 228
< Content-Type: text/html; charset=iso-8859-1


Marcello
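
Added example, not part of the original messages: a throwaway root CA, subordinate CA and leaf certificate are built with openssl to show which CA file contents let a chain like the one discussed above verify, and that the hostname must match as well. All subjects, file names and the helpers mkcert, build_chain and chain_status are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example: every certificate below is constructed locally and throwaway.
# Subjects, file names and helper names are assumptions for this illustration.

mkcert() {  # mkcert <name> <subject> <extfile> <signing options...>
  name=$1; subj=$2; ext=$3; shift 3
  openssl req -new -newkey rsa:2048 -nodes -subj "$subj" \
    -keyout "$name.key" -out "$name.csr" 2>/dev/null &&
  openssl x509 -req -in "$name.csr" -days 2 -extfile "$ext" \
    -out "$name.crt" "$@" 2>/dev/null
}

build_chain() {  # build_chain <dir>: root CA -> subordinate CA -> leaf
  (
    cd "$1" || exit 1
    printf 'basicConstraints=critical,CA:TRUE\n' > ca.ext
    printf 'subjectAltName=DNS:callcenter.test.local\n' > leaf.ext
    mkcert root "/CN=Example Root CA" ca.ext -signkey root.key &&
    mkcert sub "/CN=Example Subordinate CA" ca.ext \
      -CA root.crt -CAkey root.key -CAcreateserial &&
    mkcert leaf "/CN=callcenter.test.local" leaf.ext \
      -CA sub.crt -CAkey sub.key -CAcreateserial &&
    cat sub.crt root.crt > bundle.crt   # intermediate + root in one CA file
  )
}

chain_status() {  # chain_status <CA file> <cert> <hostname>: prints ok|broken
  if openssl verify -CAfile "$1" -verify_hostname "$3" "$2" 2>/dev/null |
      grep -q ': OK$'; then
    echo ok
  else
    echo broken
  fi
}

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT   # the throwaway keys are removed on exit
build_chain "$WORK"
for ca in root sub bundle; do
  echo "CA file $ca.crt: $(chain_status "$WORK/$ca.crt" "$WORK/leaf.crt" callcenter.test.local)"
done
echo "wrong host: $(chain_status "$WORK/bundle.crt" "$WORK/leaf.crt" other.test.local)"
```

Only the CA file holding both the subordinate and the root certificate verifies the leaf; the root alone or the subordinate alone leaves the chain incomplete.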





On Tue, Oct 17, 2017 at 11:21 PM, Aleksandar Lazic wrote:

> Hi Marcello.
>
> on Tuesday, 17 October 2017 at 09:11 was written:
>
> > Hi,
> > I'm using a re-encrypt configuration to preserve the x-forwarded-for
> > information. The configuration is:
> >
> > Name:   callcentergw-dev-external
> > Namespace:  dev-shared
> > Created:17 hours ago
> > Labels: 
> > Annotations:
> > Requested Host: callcenter.test.local
> >   exposed on router router 17 hours ago
> > Path:   
> > TLS Termination:reencrypt
> > Insecure Policy:Redirect
> > Endpoint Port:  443-tcp
>
> > Service:callcentergw-dev
> > Weight: 100 (100%)
> > Endpoints:  10.131.0.138:443, 10.131.0.138:80
>
> I miss the destinationCACertificate maybe it's shown with export.
>
> oc export route -n dev-shared callcentergw-dev-external
>
> You can add in the GUI (=> Webinterface ) all four values under
> "Security" settings. There is a section "Certificates" .
>
> key: [as in edge termination]
> certificate: [as in edge termination]
> caCertificate: [as in edge termination]
> destinationCACertificate: ...
>
> Please can you also show us the output of
>
> curl -vk callcenter.test.local
>
> > Marcello
>
> Best Regards
> Aleks
>
> > On 16 Oct 2017 20:45, "Aleksandar Lazic" wrote:
>
> > Hi Marcello.
>
> >  on Monday, 16 October 2017 at 15:23 was written:
>
>  >> Hi,
>  >> I have tried it and it worked fine but the problem is override the
>  >> default wildcard certificate and configure a different certificate,
>  >> because it's not possible to configure the intermediate CA chain into
>  >> the admin panel. I tried to configure the CA cert with the root CA and
>  >> the subordinate CA files and the router is ok but if I navigate the
>  >> new route I received a security error.
>
> >  do you use reencrypted or passthrough route
>
> >  please can you show us the output of.
>
> >  oc get route -n your-project
> >  oc describe route -n your-project your-route
>
> >  Best Regards
> >  Aleks
>
>
>  >> Marcello
>
>  >> On Thu, Oct 12, 2017 at 1:14 PM, Aleksandar Lazic wrote:
>
>  >>
>  >> Hi Marcello Lorenzi.
>
>  >>  have you used -servername in s_client?
>
>  >>  The ssl solution is based on sni (
>  >> https://en.wikipedia.org/wiki/Server_Name_Indication )
>
>  >> Regards
>  >>  Aleks
>
>  >> on Thursday, 12 October 2017 at 13:02 was written:
>
>
>
>  >> Hi All,
>  >>  thanks for the response and we checked the configuration. If I tried
>  >> to check the certificated