Maciej,

In this case, Tony is trying to connect to the OpenShift registry, so the secret should exist; the dockercfg secret for the project's default service account.

Tony, two things that may be your issue:

1) You're using a route for your registry (docker-lab.example.net). The dockercfg secret will likely only have an entry for the IP address of the registry and not the route. (Maciej, maybe you know of a way to get the secrets to include an entry for the host of the route). Otherwise, you're better off specifying the service IP when invoking new-app. You can check what hosts are included in the dockercfg secret by doing 'oc describe secret/default-dockercfg-XXXX' where XXXX is whatever suffix is used in your project.

2) The image ref that you're using in your new-app invocation doesn't include a namespace. All images on the OpenShift registry will have a namespace and name like: [registry-host]:[port]/projectname/testwebapp:latest. Make sure you have the full spec for the image (from 'oc get is').

> On Aug 10, 2016, at 5:44 AM, Maciej Szulik <[email protected]> wrote:
>
> You need to follow the docs here:
> https://docs.openshift.org/latest/dev_guide/managing_images.html#private-registries
> to set up the secret in the same project your ImageStream is created and then
> re-import the image.
> During import proper secrets will be picked automatically based on the URLs
> of the registry and your image metadata
> should be downloaded to the server. This will handle the import part, now for
> actually using an image from private
> registry you need to follow this:
> https://docs.openshift.org/latest/dev_guide/managing_images.html#allowing-pods-to-reference-images-from-other-secured-registries
>
> Hope that helps,
> Maciej
>
> On Tue, Aug 9, 2016 at 4:00 PM, Tony Saxon <[email protected]> wrote:
> I'm not sure what I'm missing here. I have a private docker registry that is
> set up securely and uses authentication. I followed the docs at
> https://docs.openshift.org/latest/dev_guide/managing_images.html#using-image-pull-secrets
> to create the secret with the username and password to authenticate with the
> docker registry. I verified that I can manually login to the docker registry
> from the master and the nodes. However, when I go to deploy a new app based
> on an image from the docker registry it seems to be failing to authenticate.
> The command that I'm running to create the new app:
>
> oc new-app docker-lab.example.net:5000/testwebapp:latest
>
> It creates the imagestream and attempts to deploy the pod. I get the
> following in the logs on the pod:
>
> # oc logs testwebapp-1-us1wu
> Error from server: container "testwebapp" in pod "testwebapp-1-us1wu" is waiting to start: image can't be pulled
>
> The logs on the docker registry show:
>
> time="2016-08-09T13:54:45Z" level=warning msg="error authorizing context: basic authentication challenge for realm \"Registry Realm\": invalid authorization credential" go.version=go1.6.3 http.request.host="docker-lab.example.net:5000" http.request.id=f5aeb8b9-ce4e-41b7-86a8-76e8c520bd22 http.request.method=GET http.request.remoteaddr="192.168.122.158:54436" http.request.uri="/v2/" http.request.useragent="docker/1.10.3 go/go1.4.2 git-commit/9419b24-unsupported kernel/3.10.0-327.22.2.el7.x86_64 os/linux arch/amd64" instance.id=f0d70491-6e34-44eb-a51c-3b13eae8daa6 version=v2.5.0
> 192.168.122.158 - - [09/Aug/2016:13:54:45 +0000] "GET /v2/ HTTP/1.1" 401 87 "" "docker/1.10.3 go/go1.4.2 git-commit/9419b24-unsupported kernel/3.10.0-327.22.2.el7.x86_64 os/linux arch/amd64"
> time="2016-08-09T13:54:45Z" level=error msg="response completed with error" auth.user.name=tsaxon err.code="manifest unknown" err.detail="unknown manifest name=testwebapp revision=sha256:9799a25cd6fd7f7908bad740fc0c85823e38aa22afb22f687a5b8a3ed2bf9ec3" err.message="manifest unknown" go.version=go1.6.3 http.request.host="docker-lab.example.net:5000" http.request.id=130a9014-7c19-48f7-bef3-2b8cfe0470a0 http.request.method=GET http.request.remoteaddr="192.168.122.158:54438" http.request.uri="/v2/testwebapp/manifests/sha256:9799a25cd6fd7f7908bad740fc0c85823e38aa22afb22f687a5b8a3ed2bf9ec3" http.request.useragent="docker/1.10.3 go/go1.4.2 git-commit/9419b24-unsupported kernel/3.10.0-327.22.2.el7.x86_64 os/linux arch/amd64" http.response.contenttype="application/json; charset=utf-8" http.response.duration=6.174905ms http.response.status=404 http.response.written=186 instance.id=f0d70491-6e34-44eb-a51c-3b13eae8daa6 vars.name=testwebapp vars.reference="sha256:9799a25cd6fd7f7908bad740fc0c85823e38aa22afb22f687a5b8a3ed2bf9ec3" version=v2.5.0
> 192.168.122.158 - - [09/Aug/2016:13:54:45 +0000] "GET /v2/testwebapp/manifests/sha256:9799a25cd6fd7f7908bad740fc0c85823e38aa22afb22f687a5b8a3ed2bf9ec3 HTTP/1.1" 404 186 "" "docker/1.10.3 go/go1.4.2 git-commit/9419b24-unsupported kernel/3.10.0-327.22.2.el7.x86_64 os/linux arch/amd64"
> time="2016-08-09T13:54:45Z" level=warning msg="error authorizing context: basic authentication challenge for realm \"Registry Realm\": invalid authorization credential" go.version=go1.6.3 http.request.host="docker-lab.example.net:5000" http.request.id=0185e07b-f1c1-48e6-91ea-dede2339f087 http.request.method=GET http.request.remoteaddr="192.168.122.158:54440" http.request.uri="/v2/" http.request.useragent="docker/1.10.3 go/go1.4.2 git-commit/9419b24-unsupported kernel/3.10.0-327.22.2.el7.x86_64 os/linux arch/amd64" instance.id=f0d70491-6e34-44eb-a51c-3b13eae8daa6 version=v2.5.0
> 192.168.122.158 - - [09/Aug/2016:13:54:45 +0000] "GET /v2/ HTTP/1.1" 401 87 "" "docker/1.10.3 go/go1.4.2 git-commit/9419b24-unsupported kernel/3.10.0-327.22.2.el7.x86_64 os/linux arch/amd64"
> time="2016-08-09T13:54:46Z" level=error msg="response completed with error" auth.user.name=tsaxon err.code="manifest unknown" err.detail="unknown manifest name=testwebapp revision=sha256:9799a25cd6fd7f7908bad740fc0c85823e38aa22afb22f687a5b8a3ed2bf9ec3" err.message="manifest unknown" go.version=go1.6.3 http.request.host="docker-lab.example.net:5000" http.request.id=c1ab0cd7-42ac-4fef-b2c4-0f451976e302 http.request.method=GET http.request.remoteaddr="192.168.122.158:54442" http.request.uri="/v2/testwebapp/manifests/sha256:9799a25cd6fd7f7908bad740fc0c85823e38aa22afb22f687a5b8a3ed2bf9ec3" http.request.useragent="docker/1.10.3 go/go1.4.2 git-commit/9419b24-unsupported kernel/3.10.0-327.22.2.el7.x86_64 os/linux arch/amd64" http.response.contenttype="application/json; charset=utf-8" http.response.duration=6.28913ms http.response.status=404 http.response.written=186 instance.id=f0d70491-6e34-44eb-a51c-3b13eae8daa6 vars.name=testwebapp vars.reference="sha256:9799a25cd6fd7f7908bad740fc0c85823e38aa22afb22f687a5b8a3ed2bf9ec3" version=v2.5.0
> 192.168.122.158 - - [09/Aug/2016:13:54:46 +0000] "GET /v2/testwebapp/manifests/sha256:9799a25cd6fd7f7908bad740fc0c85823e38aa22afb22f687a5b8a3ed2bf9ec3 HTTP/1.1" 404 186 "" "docker/1.10.3 go/go1.4.2 git-commit/9419b24-unsupported kernel/3.10.0-327.22.2.el7.x86_64 os/linux arch/amd64"
>
> Here are the service accounts showing that they have the image pull secret
> added (docker-lab):
>
> [root@os-master ~]# oc get serviceaccounts
> NAME       SECRETS   AGE
> builder    3         21h
> default    2         21h
> deployer   3         21h
> [root@os-master ~]# oc describe serviceaccounts default
> Name:       default
> Namespace:  testwebapp
> Labels:     <none>
>
> Image pull secrets:  default-dockercfg-pfota
>                      eip-docker
>                      docker-lab
>
> Mountable secrets:   default-token-xffu5
>                      default-dockercfg-pfota
>
> Tokens:              default-token-vbcmc
>                      default-token-xffu5
>
> [root@os-master ~]# oc describe serviceaccounts builder
> Name:       builder
> Namespace:  testwebapp
> Labels:     <none>
>
> Image pull secrets:  builder-dockercfg-7bjoo
>                      docker-lab
>
> Mountable secrets:   builder-token-wf31u
>                      builder-dockercfg-7bjoo
>                      eip-docker
>
> Tokens:              builder-token-gi9o9
>                      builder-token-wf31u
>
> [root@os-master ~]# oc describe serviceaccounts deployer
> Name:       deployer
> Namespace:  testwebapp
> Labels:     <none>
>
> Image pull secrets:  deployer-dockercfg-lfiuw
>                      docker-lab
>
> Mountable secrets:   deployer-token-9euo2
>                      deployer-dockercfg-lfiuw
>                      eip-docker
>
> Tokens:              deployer-token-9euo2
>                      deployer-token-mq6vw
>
> Not sure what I could be missing.
>
> _______________________________________________
> users mailing list
> [email protected]
> http://lists.openshift.redhat.com/openshiftmm/listinfo/users
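
The two checks suggested in the reply at the top of this message (does the dockercfg secret have an entry for the registry host used in the image reference, and does the reference include a project namespace) can be scripted. This is an added example, not code from the thread or from OpenShift: it assumes the secret was exported with `oc get secret default-dockercfg-XXXX -o json`, the function names are hypothetical, and the sample secret (service IP, service host name, credentials) is constructed.

```python
import base64
import json
from urllib.parse import urlsplit

def split_image_ref(ref):
    """Split an image reference into (registry_host, repository_path, tag)."""
    first, _, rest = ref.partition("/")
    # The first component is a registry only if it looks like a host name.
    if rest and ("." in first or ":" in first or first == "localhost"):
        registry, path = first, rest
    else:
        registry, path = "", ref
    path = path.partition("@")[0]  # drop an optional @sha256:... digest
    tag = "latest"
    if ":" in path.rsplit("/", 1)[-1]:
        path, tag = path.rsplit(":", 1)
    return registry, path, tag

def dockercfg_hosts(secret):
    """Registry hosts a dockercfg secret covers; credential values are never returned."""
    raw = base64.b64decode(secret["data"][".dockercfg"])
    hosts = set()
    for key in json.loads(raw):
        # Keys are bare "host:port" or a URL such as "https://host:port/v1/".
        hosts.add(urlsplit(key if "://" in key else "//" + key).netloc.lower())
    return hosts

def diagnose(image_ref, secret):
    """Run both checks from the reply and return a list of findings."""
    registry, path, _tag = split_image_ref(image_ref)
    hosts = dockercfg_hosts(secret)
    findings = []
    if registry.lower() not in hosts:
        findings.append("no entry for %r; secret covers %s" % (registry, sorted(hosts)))
    if "/" not in path:
        findings.append("%r has no project namespace" % path)
    return findings

# Constructed sample: hosts and credentials are placeholders, not from the thread.
_entry = {"username": "serviceaccount", "password": "PLACEHOLDER", "email": "sa@example.invalid"}
_cfg = {"172.30.0.10:5000": _entry, "docker-registry.default.svc.cluster.local:5000": _entry}
SAMPLE_SECRET = {"type": "kubernetes.io/dockercfg",
                 "data": {".dockercfg": base64.b64encode(json.dumps(_cfg).encode()).decode()}}

if __name__ == "__main__":
    for ref in ("docker-lab.example.net:5000/testwebapp:latest",
                "172.30.0.10:5000/testwebapp/testwebapp:latest"):
        print(ref, "->", diagnose(ref, SAMPLE_SECRET) or "ok")
```

The first reference is the one from the `oc new-app` command in the thread and trips both checks; the second, which uses the constructed service IP and the `testwebapp` project as namespace, passes.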
