Ah I think when I first installed the Origin cluster there were all these problems with the registry ip and the proxy so I created the registry form a yml file (to keep the ip consistent) and that yml file didn't set the proxy vars. These problems are gone now that the default registry is set to the service name instead of the ip. But it does mean proxy vars are added to the registry deployment.
On 27 October 2017 at 07:45, Lionel Orellana <lione...@gmail.com> wrote: > I have an Origin 3.6 cluster and the proxy vars are not set in the > registry pod at all. > > -bash-4.2$ oc rsh docker-registry-9-c9mgd env | grep PROXY > > -bash-4.2$ > > Whereas in the OCP 3.6 cluster they are. > > -bash-4.2$ oc rsh docker-registry-1-9z8p2 env | grep PROXY > NO_PROXY=.xxxxx,.cluster.local,.svc,172.19.10.100,172. > 19.10.202,172.19.10.203 > HTTP_PROXY=http://xxxxx > HTTPS_PROXY=http://xxxxxxx > > Instead of adding the api server address to NO_PROXY I might as well > remove all the proxy vars ? Why would the registry need a proxy anyway? > > On 26 October 2017 at 22:55, Ben Parees <bpar...@redhat.com> wrote: > >> >> >> On Thu, Oct 26, 2017 at 12:43 PM, Lionel Orellana <lione...@gmail.com> >> wrote: >> >>> This works.Would have thought the api server address was added >>> automatically to NO_PROXY? >>> >> >> it's supposed to be, but i do think there is a bug open where people have >> seen it not be added: >> https://bugzilla.redhat.com/show_bug.cgi?id=1504464 >> >> >> >>> >>> -bash-4.2$ oc rsh docker-registry-1-9z8p2 >>> sh-4.2$ export NO_PROXY=$NO_PROXY,172.23.192.1 >>> sh-4.2$ oc whoami >>> system:serviceaccount:default:registry >>> sh-4.2$ >>> >>> On 26 October 2017 at 20:54, Ben Parees <bpar...@redhat.com> wrote: >>> >>>> >>>> >>>> On Thu, Oct 26, 2017 at 11:50 AM, Lionel Orellana <lione...@gmail.com> >>>> wrote: >>>> >>>>> I didn't put it there. >>>>> >>>>> I another cluster this works. >>>>> >>>>> -bash-4.2$ oc rsh docker-registry-9-c9mgd oc whoami >>>>> system:serviceaccount:default:registry >>>>> >>>>> -bash-4.2$ oc rsh docker-registry-9-c9mgd which oc >>>>> /usr/bin/oc >>>>> >>>>> >>>> ok, it looks like it was removed on 3.7. >>>> >>>> Anyway you've certainly established there is a networking issue between >>>> your registry pod and the api server in your cluster >>>> (but oddly not between other pods an the api server) Adding the >>>> networking team to the thread. >>>> >>>> >>>> >>>> >>>>> >>>>> On 26 October 2017 at 20:37, Ben Parees <bpar...@redhat.com> wrote: >>>>> >>>>>> >>>>>> >>>>>> On Thu, Oct 26, 2017 at 10:53 AM, Lionel Orellana <lione...@gmail.com >>>>>> > wrote: >>>>>> >>>>>>> Interestingly >>>>>>> >>>>>>> -bash-4.2$ oc rsh router-1-bf95x oc whoami >>>>>>> system:serviceaccount:default:router >>>>>>> -bash-4.2$ oc rsh docker-registry-1-9z8p2 oc whoami >>>>>>> Unable to connect to the server: Service Unavailable >>>>>>> command terminated with exit code 1 >>>>>>> >>>>>> >>>>>> the registry image doesn't even contain an oc client binary (unless >>>>>> you put one there?) so i'm not sure what that is doing. >>>>>> >>>>>> >>>>>> >>>>>>> >>>>>>> On 26 October 2017 at 19:50, Lionel Orellana <lione...@gmail.com> >>>>>>> wrote: >>>>>>> >>>>>>>> Well this works from one of the hosts (using a token from oc whoami) >>>>>>>> >>>>>>>> curl -X GET -H "Authorization: Bearer $TOKEN" >>>>>>>> https://172.23.192.1/oapi/v1/users/~ >>>>>>>> >>>>>>>> In the error msg >>>>>>>> >>>>>>>> msg="*invalid token*: Get https://172.23.192.1:443/oapi/v1/users/~ >>>>>>>> <https://172.23.192.1/oapi/v1/users/~>: Service Unavailable" >>>>>>>> >>>>>>>> I wonder if the invalid toke part is the issue. >>>>>>>> >>>>>>>> On 26 October 2017 at 19:16, Ben Parees <bpar...@redhat.com> wrote: >>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> On Thu, Oct 26, 2017 at 8:11 AM, Lionel Orellana < >>>>>>>>> lione...@gmail.com> wrote: >>>>>>>>> >>>>>>>>>> Hi, >>>>>>>>>> >>>>>>>>>> In a new OCP 3.6 installation I'm trying to deploy JBoss EAP 7.0 >>>>>>>>>> from the catalog. >>>>>>>>>> >>>>>>>>>> This is in a project for which I am the admin. >>>>>>>>>> >>>>>>>>>> It's failing to push the image to the registry >>>>>>>>>> >>>>>>>>>> Pushing image >>>>>>>>>> docker-registry.default.svc:5000/bimorl/jboss-eap70:latest >>>>>>>>>> ... >>>>>>>>>> Registry server Address: >>>>>>>>>> Registry server User Name: serviceaccount >>>>>>>>>> Registry server Email: serviceacco...@example.org >>>>>>>>>> Registry server Password: <<non-empty>> >>>>>>>>>> error: build error: Failed to push image: unauthorized: >>>>>>>>>> authentication required >>>>>>>>>> >>>>>>>>> >>>>>>>>>> In the registry logs I see >>>>>>>>>> >>>>>>>>>> 172.23.140.1 - - [26/Oct/2017:05:08:19 +0000] "GET >>>>>>>>>> /openshift/token?account=serviceaccount&scope=repository%3Ab >>>>>>>>>> imorl%2Fjboss-eap70%3Apush%2Cpull HTTP/1.1" 401 0 "" >>>>>>>>>> "docker/1.12.6 go/go1.8.3 kernel/3.10.0-693.2.2.el7.x86_64 >>>>>>>>>> os/linux arch/amd64 UpstreamClient(go-dockerclient)" >>>>>>>>>> time="2017-10-26T05:08:19.116844289Z" level=debug msg="invalid >>>>>>>>>> token: Get https://172.23.192.1:443/oapi/v1/users/~: *Service >>>>>>>>>> Unavailable*" go.version=go1.7.6 >>>>>>>>>> http.request.host="docker-registry.default.svc:5000" >>>>>>>>>> http.request.id=467674a1-8618-4986-9e7f-b92a06afa43d >>>>>>>>>> http.request.method=GET http.request.remoteaddr="172.2 >>>>>>>>>> 3.140.1:38284" http.request.uri="/openshift/t >>>>>>>>>> oken?account=serviceaccount&scope=repository%3Abimorl%2Fjboss-eap70%3Apush%2Cpull" >>>>>>>>>> http.request.useragent="docker/1.12.6 go/go1.8.3 >>>>>>>>>> kernel/3.10.0-693.2.2.el7.x86_64 os/linux arch/amd64 >>>>>>>>>> UpstreamClient(go-dockerclient)" >>>>>>>>>> instance.id=e5e8a55e-c3bc-4dfa-a706-e844ddbbdf44 >>>>>>>>>> openshift.logger=registry >>>>>>>>>> >>>>>>>>> >>>>>>>>> sounds like your registry is unable to reach your api server. I >>>>>>>>> would check if other pods running within your cluster are able to >>>>>>>>> access >>>>>>>>> the api server (ie run oc client commands from within a pod, against >>>>>>>>> the >>>>>>>>> kubernetes service ip) >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>>> >>>>>>>>>> Any ideas? >>>>>>>>>> >>>>>>>>>> Thanks >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> _______________________________________________ >>>>>>>>>> users mailing list >>>>>>>>>> users@lists.openshift.redhat.com >>>>>>>>>> http://lists.openshift.redhat.com/openshiftmm/listinfo/users >>>>>>>>>> >>>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> -- >>>>>>>>> Ben Parees | OpenShift >>>>>>>>> >>>>>>>>> >>>>>>>> >>>>>>> >>>>>> >>>>>> >>>>>> -- >>>>>> Ben Parees | OpenShift >>>>>> >>>>>> >>>>> >>>> >>>> >>>> -- >>>> Ben Parees | OpenShift >>>> >>>> >>> >> >> >> -- >> Ben Parees | OpenShift >> >> >
_______________________________________________ users mailing list users@lists.openshift.redhat.com http://lists.openshift.redhat.com/openshiftmm/listinfo/users
