Bug 1245472
Summary: | Met "API error (403)" when pushing image with Docker credentials | ||
---|---|---|---|
Product: | OpenShift Container Platform | Reporter: | chunchen <chunchen> |
Component: | Build | Assignee: | Cesar Wong <cewong> |
Status: | CLOSED CURRENTRELEASE | QA Contact: | chunchen <chunchen> |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | 3.1.0 | CC: | agoldste, bparees, chunchen, dma, dmcphers, libra-bugs, mfojtik, wsun, wzheng, xiuwang |
Target Milestone: | --- | ||
Target Release: | --- | ||
Hardware: | Unspecified | ||
OS: | Unspecified | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | Bug Fix | |
Doc Text: | Story Points: | --- | |
Clone Of: | 1224210 | Environment: | |
Last Closed: | 2015-11-23 14:24:24 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: |
Description
chunchen
2015-07-22 07:18:34 UTC
I0722 02:13:57.969232 1 cfg.go:50] Problem accessing /var/run/secrets/openshift.io/push/.dockercfg: stat /var/run/secrets/openshift.io/push/.dockercfg: no such file or directory Looks like the issue with secrets and older versions of Docker. Please ensure that you have a recent 1.6.2 version Does pushing to the local registry work? It can be pushed to the local registry, the logs like below: I0722 03:24:56.089769 1 sti.go:269] Successfully built 172.30.234.245:5000/chunp/origin-ruby-sample:latest I0722 03:24:57.433893 1 cleanup.go:23] Removing temporary directory /tmp/sti374841799 I0722 03:24:57.433920 1 fs.go:99] Removing directory '/tmp/sti374841799' I0722 03:24:57.434480 1 cfg.go:78] Found Docker authentication configuration in '/root/.dockercfg' I0722 03:24:57.434495 1 cfg.go:46] PUSH_DOCKERCFG_PATH=/var/run/secrets/openshift.io/push/.dockercfg I0722 03:24:57.434501 1 cfg.go:78] Found Docker authentication configuration in '/var/run/secrets/openshift.io/push/.dockercfg' I0722 03:24:57.434799 1 cfg.go:64] Using serviceaccount user for Docker authentication I0722 03:24:57.434841 1 sti.go:145] Using provided push secret for pushing 172.30.234.245:5000/chunp/origin-ruby-sample:latest image I0722 03:24:57.434850 1 sti.go:148] Pushing 172.30.234.245:5000/chunp/origin-ruby-sample:latest image ... Image successfully pushed Digest: sha256:f8699168b06d66cc6b9bb03cfccdbdfdba2ef93cbc8e7f49dd554c85034fdd0a I0722 03:26:56.495641 1 sti.go:152] Successfully pushed 172.30.234.245:5000/chunp/origin-ruby-sample:latest This is working for me on Fedora but not on RHEL. RHEL is ignoring the --confirm-def-push=false flag. And there's a bug open for that: https://bugzilla.redhat.com/show_bug.cgi?id=1241952 The workaround for this is to edit /var/lib/docker/repositories-devicemapper: Change the value of "ConfirmDefPush" from true to false. Restart the Docker daemon. It is fixed in docker 1.7 for RHEL which will be released shortly. Given the workaround and that it will be fixed shortly, I'm lowering the severity. The issue is still reproduced when docker is 1.7.1 and the value of "ConfirmDefPush" is true [root@openshift-138 ~]# docker version Client version: 1.7.1 Client API version: 1.19 Package Version (client): docker-1.7.1-108.el7.x86_64 Go version (client): go1.4.2 Git commit (client): 3043001/1.7.1 OS/Arch (client): linux/amd64 Server version: 1.7.1 Server API version: 1.19 Package Version (server): docker-1.7.1-108.el7.x86_64 Go version (server): go1.4.2 Git commit (server): 3043001/1.7.1 OS/Arch (server): linux/amd64 --confirm-def-push is a custom addition to the RHEL Docker RPM. There is no ability currently for us to confirm that it's ok to push to the Hub in the Docker client API that we use when pushing after a completed build. I'm not sure there's anything we can do here. Andy, do we document somewhere that the --confirm-def-push needs to be turned off in order for push to docker hub to work? Cesar - I don't know offhand. chunchen looking at the history of this bug, not sure if there is really a bug anymore. The version of docker we have in RHEL requires you to have the --confirm-def-push=false flag set on the daemon so that we can push to the DockerHub. At some point that flag was broken and you had to manually edit the repositories-devicemapper file to get the same effect. That part of it should be fixed, but you still need to specify the flag. chunchen can you please try again with the --confirm-def-push=false flag set on your host's docker daemon? thanks. It works well with the --confirm-def-push=false flag set on docker daemon. I1027 06:55:55.713080 1 sti.go:296] Successfully built docker.io/chunyunchen/origin-ruby-sample-sti2:latest I1027 06:56:04.547556 1 cleanup.go:23] Removing temporary directory /tmp/s2i-build531069471 I1027 06:56:04.555606 1 fs.go:99] Removing directory '/tmp/s2i-build531069471' I1027 06:56:04.566829 1 sti.go:210] Using provided push secret for pushing docker.io/chunyunchen/origin-ruby-sample-sti2:latest image I1027 06:56:04.566852 1 sti.go:214] Pushing docker.io/chunyunchen/origin-ruby-sample-sti2:latest image ... I1027 07:00:27.301472 1 sti.go:230] Successfully pushed docker.io/chunyunchen/origin-ruby-sample-sti2:latest This fix is available in OpenShift Enterprise 3.1. |