Bug 1274134

Summary: "--insecure-registry" flag for "oc new-app" doesn't work without running docker daemon
Product: OpenShift Container Platform
Reporter: Kenjiro Nakayama <knakayam>
Component: Build
Assignee: Ben Parees <bparees>
Status: CLOSED CURRENTRELEASE
QA Contact: Wenjing Zheng <wzheng>
Severity: medium
Docs Contact:
Priority: unspecified
Version: 3.0.0
CC: aos-bugs, bparees, dmcphers, knakayam, wewang
Target Milestone: ---
Target Release: ---
Hardware: Unspecified
OS: All
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-11-23 14:25:44 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:

Description Kenjiro Nakayama 2015-10-22 03:34:52 UTC
* env

$ oc version
oc v3.0.2.0-17-g701346b
kubernetes v1.1.0-alpha.0-1605-g44c91b1

* Issue
- We are using private docker registry.
- "--insecure-registry" flag for "oc new-app" doesn't work without running docker daemon on the client system.
- Users need/want to use "--insecure-registry" flag without docker daemon in their client system.
- Please see below:

* Running on client host (without running docker daemon)
$ oc new-app --docker-image=foo.bar.dockerregistry.com/foobar/hello-world --loglevel=4 --insecure-registry
I1022 10:03:18.172672    6613 newapp.go:245] No local Docker daemon detected: dial unix /var/run/docker.sock: no such file or directory
I1022 10:03:18.226302    6613 dockerimagelookup.go:138] checking Docker registry for "foo.bar.dockerregistry.com/foobar/hello-world"
F1022 10:03:18.284600    6613 helpers.go:71] error: can't connect to "foo.bar.dockerregistry.com": error checking for V2 registry at https://foo.bar.dockerregistry.com/v2/: Get https://foo.bar.dockerregistry.com/v2/: x509: certificate signed by unknown authority

* Running on master host (with running docker daemon)
$ oc new-app --docker-image=foo.bar.dockerregistry.com/foobar/hello-world --loglevel=4 --insecure-registry
I1021 19:03:24.459017   71557 dockerimagelookup.go:47] checking local Docker daemon for "foo.bar.dockerregistry.com/foobar/hello-world"
I1021 19:03:24.462624   71557 dockerimagelookup.go:138] checking Docker registry for "foo.bar.dockerregistry.com/foobar/hello-world"
I1021 19:03:24.513746   71557 client.go:408] Getting repository foobar/hello-world from {https  <nil> foo.bar.dockerregistry.com   }
I1021 19:03:24.674610   71557 dockerimagelookup.go:161] found image: &dockerregistry.Image{Image:docker.Image{ID:"aa1a4579b39d8ada4141801bec3f49f7636b339c7b372a6eb03e243139a00450", Parent:"0f73ae75014f435e279d85ad31edc67e46c4a5d692b61840ff51e9d05f3b01ec", Comment:"", Created:time.Time{sec:63579787414, nsec:941021958, loc:(*time.Location)(0x393fdc0)}, Container:"70e55b11a4a466b2c7c94aa65fb26f018e00c233bd4e650e8122a47ab255af6f", ContainerConfig:docker.Config{Hostname:"aa61f9423ec3", Domainname:"", User:"", Memory:0, MemorySwap:0, CPUShares:0, CPUSet:"", AttachStdin:false, AttachStdout:false, AttachStderr:false, PortSpecs:[]string(nil), ExposedPorts:map[docker.Port]struct {}(nil), Tty:false, OpenStdin:false, StdinOnce:false, Env:[]string{"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"}, Cmd:[]string{"/bin/sh", "-c", "#(nop) CMD [\"echo\" \"Hello\"]"}, DNS:[]string(nil), Image:"0f73ae75014f435e279d85ad31edc67e46c4a5d692b61840ff51e9d05f3b01ec", Volumes:map[string]struct {}(nil), VolumesFrom:"", WorkingDir:"", MacAddress:"", Entrypoint:[]string(nil), NetworkDisabled:false, SecurityOpts:[]string(nil), OnBuild:[]string{}, Mounts:[]docker.Mount(nil), Labels:map[string]string{"License":"GPLv2", "Vendor":"CentOS"}}, DockerVersion:"1.8.1", Author:"", Config:(*docker.Config)(0xc2080c2ea0), Architecture:"amd64", Size:0, VirtualSize:0}, PullByID:false}
I1021 19:03:24.674898   71557 newapp.go:776] Code
I1021 19:03:24.674913   71557 newapp.go:777] Components foo.bar.dockerregistry.com/foobar/hello-world
I1021 19:03:24.674933   71557 newapp.go:468] found group: app.ComponentReferences{(*app.ComponentInput)(0xc20855fcb0)}
I1021 19:03:24.674947   71557 newapp.go:520] will include "foo.bar.dockerregistry.com/foobar/hello-world"
W1021 19:03:24.675039   71557 pipeline.go:246] A service will not be generated for DeploymentConfig "hello-world" because no exposed ports were detected. Use 'oc expose dc "hello-world" --port=[port]' to create a service.
Run 'oc status' to view your app.

Comment 2 Kenjiro Nakayama 2015-10-22 03:37:09 UTC
* Root cause is here, InsecureRegistry option will not be set if docker daemon is not running.

- ./pkg/cmd/cli/cmd/newapp.go
        dockerClient, _, err := dockerutil.NewHelper().GetClient()
        if err == nil {
                if err = dockerClient.Ping(); err == nil {
                        // ... (body omitted in this excerpt)
                }
        }
        if err != nil {
                glog.V(2).Infof("No local Docker daemon detected: %v", err)
        }

- ./pkg/generate/app/cmd/newapp.go
// SetDockerClient sets the passed Docker client in the application configuration
func (c *AppConfig) SetDockerClient(dockerclient *docker.Client) {
        c.dockerSearcher = app.DockerClientSearcher{
                Client:           dockerclient,
                RegistrySearcher: c.dockerRegistrySearcher(),
                Insecure:         c.InsecureRegistry,
        }
}

Comment 3 Cesar Wong 2015-10-23 02:26:38 UTC
Kenjiro, the insecure registry option should be used in the registry client, even if the docker daemon is not set:

- ./pkg/generate/app/cmd/newapp.go
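// dockerRegistrySearcher builds the registry searcher; AllowInsecure carries the --insecure-registry setting
func (c *AppConfig) dockerRegistrySearcher() app.Searcher {
	return app.DockerRegistrySearcher{
		Client:        dockerregistry.NewClient(),
		AllowInsecure: c.InsecureRegistry,
	}
}

// ensureDockerSearcher falls back to the registry searcher when no Docker client searcher was set
func (c *AppConfig) ensureDockerSearcher() {
	if c.dockerSearcher == nil {
		c.dockerSearcher = c.dockerRegistrySearcher()
	}
}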

Would it be possible to try with the latest version of the origin oc binary as the client and --loglevel=8? We should have more information now, including whether the connection to the registry is made securely or insecurely.
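
[Added example, not part of the bug thread and not code from the origin repository.] A self-contained Go sketch of the behaviour discussed above: a registry client that talks to the registry directly, with no Docker daemon, fails the `/v2/` check with a certificate error unless the insecure setting reaches its TLS configuration. The names `registryClient`, `pingV2` and `newTestRegistry` are hypothetical, the registry is a constructed local test server, and the third case (trusting the registry's CA instead of disabling verification) goes beyond what the thread covers.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// registryClient is a hypothetical stand-in for the registry client in the bug:
// it contacts the registry directly, with no Docker daemon involved.
type registryClient struct {
	allowInsecure bool           // the setting --insecure-registry should control
	roots         *x509.CertPool // optional private CA bundle (nil = system roots)
}

// pingV2 performs the "checking for V2 registry" request against baseURL + "/v2/".
func (c registryClient) pingV2(baseURL string) error {
	tr := &http.Transport{TLSClientConfig: &tls.Config{
		InsecureSkipVerify: c.allowInsecure, // disables certificate verification when true
		RootCAs:            c.roots,
	}}
	defer tr.CloseIdleConnections()
	resp, err := (&http.Client{Transport: tr}).Get(baseURL + "/v2/")
	if err != nil {
		return err
	}
	return resp.Body.Close()
}

// newTestRegistry starts a constructed local HTTPS server whose certificate is
// not in the system trust store, like the private registry in the report.
func newTestRegistry() *httptest.Server {
	return httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.WriteHeader(http.StatusOK)
	}))
}

func main() {
	srv := newTestRegistry()
	defer srv.Close()
	pool := x509.NewCertPool()
	pool.AddCert(srv.Certificate())

	fmt.Println("strict:    ", registryClient{}.pingV2(srv.URL))
	fmt.Println("insecure:  ", registryClient{allowInsecure: true}.pingV2(srv.URL))
	fmt.Println("private CA:", registryClient{roots: pool}.pingV2(srv.URL))
}
```

Only the private-CA case keeps certificate verification on; the insecure case accepts any certificate the endpoint presents.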

Comment 4 Kenjiro Nakayama 2015-10-23 02:34:44 UTC

> Would it be possible to try with the latest version of the origin oc binary as the client and --loglevel=8? We should have more information now, including whether the connection to the registry is made securely or insecurely.

I have already told the customer the workaround (running docker daemon). So I will set it up myself and inform you.
Please allow me some time.

Comment 5 Ben Parees 2015-10-23 18:56:35 UTC

Comment 6 Kenjiro Nakayama 2015-10-24 09:28:35 UTC
Thank you. It looks like I don't need to provide the information.

Comment 7 Ben Parees 2015-10-24 20:23:25 UTC
nope, should be fixed now.

Comment 13 Brenton Leanhardt 2015-11-23 14:25:44 UTC
This fix is available in OpenShift Enterprise 3.1.