Bug 1371031

Summary:	[atomic registry] instruction about docker login on web ui is not correct.
Product:	OpenShift Container Platform	Reporter:	Johnny Liu <jialiu>
Component:	Installer	Assignee:	Samuel Munilla <smunilla>
Status:	CLOSED ERRATA	QA Contact:	Johnny Liu <jialiu>
Severity:	medium	Docs Contact:
Priority:	medium
Version:	3.3.0	CC:	abutcher, aos-bugs, aweiteka, bleanhar, jliggitt, jokerman, mmccomas, yapei
Target Milestone:	---
Target Release:	---
Hardware:	Unspecified
OS:	Unspecified
Whiteboard:
Fixed In Version:		Doc Type:	If docs needed, set a value
Doc Text:		Story Points:	---
Clone Of:		Environment:
Last Closed:	2016-09-27 09:46:43 UTC	Type:	Bug
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:

Description Johnny Liu 2016-08-29 08:24:18 UTC

Description of problem:
prompt about docker login on registry console web UI is not correct.

Version-Release number of selected component (if applicable):
openshift3/registry-console:3.3 (57a566a04a79)
openshift-ansible-3.3.16-1.git.0.9ed3fd2.el7.noarch

How reproducible:
Always

Steps to Reproduce:
1.Run ansible installer to install standalone atomic registry.
  deployment_type=openshift-enterprise
  deployment_subtype=registry
  openshift_cockpit_deployer_prefix=brew-pulp-docker01.web.prod.ext.phx2.redhat.com:8888/openshift3/

2. After installation, check registry console is created.
# oc get po
NAME                       READY     STATUS    RESTARTS   AGE
docker-registry-2-djlbn    1/1       Running   4          3h
registry-console-1-5esrx   1/1       Running   4          3h
router-1-ihf7r             1/1       Running   6          3h
# oc get route
NAME               HOST/PORT                                          PATH      SERVICES           PORT               TERMINATION
docker-registry    docker-registry-default.0829-90c.qe.rhcloud.com              docker-registry    5000-tcp           
registry-console   registry-console-default.0829-90c.qe.rhcloud.com             registry-console   registry-console   passthrough

3. Access https://registry-console-default.0829-90c.qe.rhcloud.com, log int web UI, get the following instruction:
Log into the registry:
$ sudo docker login -p EIfBxE_Jn0oEoX1FWampQT73UsFizxbnQDB8H1N5fp4 -e unused -u unused docker-registry-default.0829-90c.qe.rhcloud.com

4. On docker client, run the above command to log in.

Actual results:
Get the following error:
Error response from daemon: Unexpected status code [503] : <html>
  <head>
    <meta name="viewport" content="width=device-width, initial-scale=1">
  <style type="text/css">
  /*!
   * Bootstrap v3.3.5 (http://getbootstrap.com)
   * Copyright 2011-2015 Twitter, Inc.
   * Licensed under MIT (https://github.com/twbs/bootstrap/blob/master/LICENSE)
   */
  /*! normalize.css v3.0.3 | MIT License | github.com/necolas/normalize.css */
  html {
    font-family: sans-serif;
    -ms-text-size-adjust: 100%;
    -webkit-text-size-adjust: 100%;
  }
  body {
    margin: 0;
  }
  h1 {
    font-size: 1.9em;
    font-weight: 400;
    line-height: 1.3;
    margin: 0.68em 0;
  }
  @media (min-width: 768px) { 
    h1 {
      font-size: 2.15em;}
  }
  * {
    -webkit-box-sizing: border-box;
    -moz-box-sizing: border-box;
    box-sizing: border-box;
  }
  *:before,
  *:after {
    -webkit-box-sizing: border-box;
    -moz-box-sizing: border-box;
    box-sizing: border-box;
  }
  html {
    -webkit-tap-highlight-color: rgba(0, 0, 0, 0);
  }
  body {
    font-family: "Helvetica Neue", Helvetica, Arial, sans-serif;
    line-height: 1.66666667;
    font-size: 13px;
    color: #333333;
    background-color: #ffffff;
    margin: 4em 3em;
  }
  p {
    margin: 0 0 10px;
    font-size: 13px;
    font-weight: 300;
    line-height: 1.4;
  }
  @media (min-width: 768px) {
    p {
      font-size: 14px;
    }
  }
  </style>
  </head>
  <body>
    <div>
      <h1>Application is not available</h1>
      <p>The application is currently not serving requests at this endpoint. It may not have been started or is still starting.</p>
    </div>
  </body>
</html>

Expected results:
Should suggest user to add docker-registry-default.0829-90c.qe.rhcloud.com:80 to insecure-registry option in docker config file, and prompt user to use 80 port to run docker login.

Additional info:

Comment 1 Brenton Leanhardt 2016-08-29 12:24:23 UTC

Aaron, could you provide your thoughts on this?  Do we need to clarify the instructions mentioned in the atomic registry console?

Comment 2 Aaron Weitekamp 2016-08-29 14:09:09 UTC

For the insecure install the ":80" string can be appended to to REGISTRY_HOST env var. When registry certs are added with a TLS passthrough route the port (":80") should be dropped at which point docker daemon/client uses :443. So it's a bit of a documentation issue when registry is secured.

Comment 3 Aaron Weitekamp 2016-08-29 14:10:54 UTC

Regarding "--insecure-registry" we have relied on docker's error message to instruct the end-user. If port :80 is used the end-user will get the correct message.

Comment 4 Aaron Weitekamp 2016-08-29 14:41:05 UTC

Upstream docs issue: https://github.com/openshift/openshift-docs/issues/2748

Comment 12 Scott Dodson 2016-09-05 03:03:56 UTC

https://github.com/openshift/openshift-ansible/pull/2409 secures the registry.

Comment 14 Johnny Liu 2016-09-05 08:46:36 UTC

Verified this bug with openshift-ansible-playbooks-3.3.22-1.git.0.6c888c2.el7.noarch, PASS.

Now when deployment_subtype=registry, a secure registry will be deployed, no need ":80", and docker push successfully.
# oc get route
NAME               HOST/PORT                                          PATH      SERVICES           PORT               TERMINATION
docker-registry    docker-registry-default.0905-ef2.qe.rhcloud.com              docker-registry    5000-tcp           passthrough
registry-console   registry-console-default.0905-ef2.qe.rhcloud.com             registry-console   registry-console   passthrough

Following web ui instruction, run
# docker login -p M9nJlQFXTIhS94c80evUiLkhHEwnhYwsot1590Yto_c -e unused -u unused docker-registry-default.0905-ef2.qe.rhcloud.com
WARNING: login credentials saved in /root/.docker/config.json
Login Succeeded

Of course, firstly user have to copy remote's ca file to docker client machine.
(scp -r root@<atomic-registry-host>:/etc/docker/certs.d/<registry-route>/ /etc/docker/certs.d/

Comment 16 errata-xmlrpc 2016-09-27 09:46:43 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2016:1933