Sorry, I didn't hit reply all, so my email only went to Ben. This is to get my response onto the mailing list since I have a workaround that may be useful to others:

On 1 December 2017 at 13:26, Jim Barber <[email protected]> wrote:
> On 1 December 2017 at 12:29, Ben Parees <[email protected]> wrote:
>>
>>
>> On Thu, Nov 30, 2017 at 8:45 PM, Jim Barber <[email protected]>
>> wrote:
>>>
>>> Hi all.
>>>
>>> I have only very recently started investigating the use of OpenShift.
>>> One of my builds pulls a base Docker Image from our private Docker Hub
>>> repository.
>>> This was working fine in OpenShift v3.6.1, but when I tried OpenShift
>>> v3.7.0 I couldn't get it to work.
>>> The build fails early with the following error:
>>>
>>>     error: build error: failed to pull image: API error (404): {"message":"pull access denied for *REDACTED*, repository does not exist or may require 'docker login'"}
>>>
>>> I am running this on my Windows 10 based desktop.
>>> Some details of the install:
>>>
>>>     PS ~> oc version
>>>     oc v3.7.0+7ed6862
>>>     kubernetes v1.7.6+a08f5eeb62
>>>     features: Basic-Auth
>>>
>>>     Server https://10.0.75.2:8443
>>>     openshift v3.7.0+7ed6862
>>>     kubernetes v1.7.6+a08f5eeb62
>>>
>>> And I am running Docker Community Edition Version 17.09.9-ce-win33
>>> (13620) from the stable channel.
>>>
>>> Steps I performed for both v3.6.1 and v3.7.0 were as follows...
>>>
>>> - Bring up the cluster by running:
>>>
>>>     oc cluster up
>>>
>>> - Provide access to our private source code repository (this part
>>> works) like so:
>>>
>>>     oc secrets new-basicauth bitbucket --username=*REDACTED* --prompt
>>>     oc secrets link builder bitbucket
>>>
>>> - Allow my containers to use the root user by using the anyuid
>>> security context for a 'useroot' service account:
>>>
>>>     oc login -u system:admin
>>>     oc create serviceaccount useroot
>>>     oc adm policy add-scc-to-user anyuid -z useroot
>>>     oc login -u developer
>>>
>>> - Provide access to our private Docker Hub registry:
>>>
>>>     oc secrets new-dockercfg private-dockerhub --docker-server=https://index.docker.io/v1/ --docker-username=*REDACTED* --docker-password=*REDACTED* --docker-email=*REDACTED*
>>>     oc secrets link builder private-dockerhub
>>>
>>> Note: The 'oc secrets new private-dockerhub
>>> .dockerconfigjson=config.json' command does not work on Windows, so I
>>> have to use the 'oc secrets new-dockercfg' command shown above
>>> instead.
>>> That's because the authentication details after performing a
>>> 'docker login' end up in the Windows Credential Store, so the file's
>>> contents look like:
>>>
>>>     PS ~\.docker> cat config.json
>>>     {
>>>       "auths": {
>>>         "https://index.docker.io/v1/": {}
>>>       },
>>>       "HttpHeaders": {
>>>         "User-Agent": "Docker-Client/17.09.0-ce (windows)"
>>>       },
>>>       "credsStore": "wincred"
>>>     }
>>>
>>> - Create the application:
>>>
>>>     oc new-app -f test-app.yaml
>>>
>>> I went back to version 3.6.1 and repeated the above steps again and it
>>> all worked as expected.
>>
>>
>> can you compare the secret yaml from 3.6.1 and 3.7.0 to see if they are the
>> same? (they should be).
>>
>
> Hi Ben.
>
> I used 'oc export secret private-dockerhub' and base64 decoded the
> data and was the same in both versions.
>
> However, I got it working just now.
> I spun up a Linux VM and performed a 'docker login' from there and
> copied the ~/.docker/config.json file back to my PC where I then
> imported it using:
>
>     oc secrets new private-dockerhub .dockerconfigjson=config.json
>
> Now when I export the secret, it is under:
>
>     data:
>       .dockerconfigjson:
>
> Instead of:
>
>     data:
>       .dockercfg:
>
> Did OpenShift 3.7 perhaps remove support for the old dockercfg format?
>
>
> For a Windows host such as mine, I didn't see an obvious way to sort
> this out with a single command; if you know of one I'm all ears :)
> A way I can achieve it without having to spin up a Linux VM is to
> generate the base64 string in PowerShell like so:
>
>
>     [Convert]::ToBase64String([System.Text.Encoding]::ASCII.GetBytes('$DOCKERHUB_USER:$DOCKERHUB_PASSWORD'))
>
> Then take the base64 string result from the above command and create a
> config.json file manually with the following contents (replacing
> $BASE64_STRING):
>
>     {
>       "auths": {
>         "https://index.docker.io/v1/": {
>           "auth": "$BASE64_STRING"
>         }
>       }
>     }
>
> Then import that.
>
> I believe this is an issue on MacOS too because it also puts the
> details into its credential store and so the necessary details aren't
> in the ~/.docker/config.json file.
> For MacOS (and Windows with something like Cygwin installed) you can
> get the base64 string by running:
>
>     echo -n '$DOCKERHUB_USER:$DOCKERHUB_PASSWD' | base64
>
>>
>> Also if you can run the build with loglevel 5 (oc start-build
>> --build-loglevel=5) and pastebin the full log that would be helpful.
>>
>
> Well I have it all working now, but if you really need this, I could
> break things again and do this if necessary.
>
>>
>> It might also help to see your test-app.yaml so we can see your
>> buildconfiguration.
>>
>
> Just for completeness I've run 'oc export bc --as-template test-app'
> so you can see the build configuration:
>
>     apiVersion: v1
>     kind: Template
>     metadata:
>       creationTimestamp: null
>       name: *REDACTED*
>     objects:
>     - apiVersion: v1
>       kind: BuildConfig
>       metadata:
>         annotations:
>           openshift.io/generated-by: OpenShiftNewApp
>         creationTimestamp: null
>         labels:
>           app: *REDACTED*
>         name: *REDACTED*
>       spec:
>         failedBuildsHistoryLimit: 5
>         nodeSelector: null
>         output:
>           to:
>             kind: ImageStreamTag
>             name: *REDACTED*:latest
>         postCommit: {}
>         resources: {}
>         runPolicy: Serial
>         source:
>           git:
>             ref: *REDACTED*
>             uri: https://bitbucket.org/*REDACTED*
>           sourceSecret:
>             name: bitbucket
>           type: Git
>         strategy:
>           dockerStrategy:
>             pullSecret:
>               name: private-dockerhub
>           type: Docker
>         successfulBuildsHistoryLimit: 5
>         triggers:
>         - type: ConfigChange
>       status:
>         lastVersion: 0
>
>>
>>>
>>> I've gone to 3.7.0 and repeated the above steps and it doesn't work.
>>>
>>> Note that each time I changed environments I started with a clean
>>> slate by running 'oc cluster down' and then doing a factory reset of
>>> my Docker installation.
>>> Then I configured Docker with the insecure-registry and changed its
>>> storage-driver to aufs to work around an issue I get when code is
>>> checked out of our repository.
>>>
>>> Regards,
>>>
>>> Jim Barber | Site Reliability Engineer
>>>
>>> _______________________________________________
>>> users mailing list
>>> [email protected]
>>> http://lists.openshift.redhat.com/openshiftmm/listinfo/users
>>
>>
>>
>>
>> --
>> Ben Parees | OpenShift
>>
>
> Jim Barber | Site Reliability Engineer
_______________________________________________
users mailing list
[email protected]
http://lists.openshift.redhat.com/openshiftmm/listinfo/users
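
The workaround in the message above, as an added PowerShell example that is not part of the original thread: it builds a config.json with an inline "auth" entry from a prompted credential, checks that the file really carries credentials (rather than only a credsStore reference), and imports it with the oc commands quoted in the message. The function names New-DockerConfigJson and Test-DockerConfigHasInlineAuth are hypothetical helpers, not part of oc or Docker.

```powershell
# Added example; both functions are hypothetical helpers, not oc or Docker commands.

function Test-DockerConfigHasInlineAuth {
    # True only when config.json holds an inline "auth" value for the registry.
    # A file that merely names a credsStore (wincred, osxkeychain) contains no
    # credentials, so a secret created from it cannot authenticate a pull.
    param(
        [Parameter(Mandatory)][string]$Path,
        [string]$Registry = 'https://index.docker.io/v1/'
    )
    $cfg = Get-Content -Raw -Path $Path | ConvertFrom-Json
    if (-not $cfg.auths) { return $false }
    $entry = $cfg.auths.PSObject.Properties[$Registry]
    return [bool]($entry -and $entry.Value.auth)
}

function New-DockerConfigJson {
    # Writes a minimal config.json with base64("user:password") under "auth".
    param(
        [Parameter(Mandatory)][pscredential]$Credential,
        [string]$Registry = 'https://index.docker.io/v1/',
        [string]$Path = 'config.json'
    )
    $pair = '{0}:{1}' -f $Credential.UserName, $Credential.GetNetworkCredential().Password
    # UTF-8 instead of ASCII so non-ASCII password characters are not replaced by '?'.
    $auth = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($pair))
    $json = @{ auths = @{ $Registry = @{ auth = $auth } } } | ConvertTo-Json -Depth 4
    # Resolve against the PowerShell location and write without a byte-order mark.
    $full = $ExecutionContext.SessionState.Path.GetUnresolvedProviderPathFromPSPath($Path)
    [IO.File]::WriteAllText($full, $json, (New-Object Text.UTF8Encoding $false))
}

# Prompting keeps the password out of the command line and shell history.
$cred = Get-Credential -Message 'Docker Hub login'
New-DockerConfigJson -Credential $cred -Path .\config.json

if (Test-DockerConfigHasInlineAuth -Path .\config.json) {
    oc secrets new private-dockerhub .dockerconfigjson=config.json
    oc secrets link builder private-dockerhub
}

# Base64 is an encoding, not encryption: the file is equivalent to the plaintext password.
Remove-Item .\config.json
```

Test-DockerConfigHasInlineAuth can also be pointed at an existing ~\.docker\config.json to confirm, before importing it, whether it is the credsStore-only form shown earlier in the thread.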
