Bug 1421954
Summary: | Pullthrough failed with error manifest unknown when docker pull the images under openshift project | ||
---|---|---|---|
Product: | OpenShift Container Platform | Reporter: | Wang Haoran <haowang> |
Component: | Image Registry | Assignee: | Michal Minar <miminar> |
Status: | CLOSED ERRATA | QA Contact: | Wang Haoran <haowang> |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | 3.5.0 | CC: | aos-bugs, dyan, haowang, mfojtik, miminar, tdawson, yinzhou |
Fixed In Version: | Doc Type: | Bug Fix | |
Doc Text: |
Cause: The registry didn't consider the insecure import policy of the image stream tag when deciding whether to fall back to insecure transport when serving blobs from external registries.
Consequence: Images imported from external insecure registries (no HTTPS or bad certificate) with the --insecure flag applied could not be pulled through the integrated registry.
Fix: The registry now pays attention to the insecure import policy of the istags where the requested image is tagged.
Result: The registry can serve images from insecure external registries if they are tagged with an insecure import policy.
|
Last Closed: | 2017-04-12 19:12:49 UTC | Type: | Bug |
Description
Wang Haoran
2017-02-14 08:12:16 UTC
The registry in question [1] is insecure. To pull-through from it, it must have an insecure annotation. You can set it like this:

```
oc annotate -n openshift is/python --overwrite 'openshift.io/image.insecureRepository=true'
```

Once set, the pull should succeed for you.

If I remember correctly, this annotation was also used to import the tag from an insecure registry previously, and we changed to use importPolicy now in the spec. Should we also do pull-through using this "importPolicy"?

After setting the annotation, the pull succeeded:

```
[root@host-8-175-193 ~]# oc annotate -n openshift is/python --overwrite 'openshift.io/image.insecureRepository=true'
imagestream "python" annotated
[root@host-8-175-193 ~]# docker pull 172.30.135.93:5000/openshift/python:latest
Trying to pull repository 172.30.135.93:5000/openshift/python ...
sha256:d29515ca391536dc6cb2cb1712fcb71c9b45a6858d8bc4aaf1b1d812353c02b6: Pulling from 172.30.135.93:5000/openshift/python
7bd78273b666: Pull complete
c196631bd9ac: Pull complete
83230913bf56: Pull complete
7096b2633b7a: Pull complete
Digest: sha256:d29515ca391536dc6cb2cb1712fcb71c9b45a6858d8bc4aaf1b1d812353c02b6
Status: Downloaded newer image for 172.30.135.93:5000/openshift/python:latest
```

How about haowang's question in the last comment?

> If I remember correctly, this annotation was also used to import the tag from an insecure registry previously, and we changed to use importPolicy now in the spec. Should we also do pull-through using this "importPolicy"?

You're right, it's the same annotation documented at [1]. The documentation is out of date because it doesn't mention pull-through. I'll update it.

[1] https://docs.openshift.org/latest/dev_guide/managing_images.html#insecure-registries

I also believe there's a bug in the import-image command. The `--insecure` flag should be propagated to the image stream being created. I'll fix that.

Thanks for the bug report and verification.

Opened a PR: https://github.com/openshift/origin/pull/13114

The PR is merged. I'm working on the docs PR.

Confirmed with the latest origin AMI, the issue has been fixed; will verify it when the PR is merged to OCP:

```
openshift version
openshift v1.5.0-alpha.3+2261a32-234
kubernetes v1.5.2+43a9be4
etcd 3.1.0
[root@ip-172-18-12-48 ~]# docker login -u zhouy -p Cl1h7y3uSaQChe0mN4MA2c1FHjog4WklHH4Pn5fKTlY -e dalda 172.30.103.111:5000
Flag --email has been deprecated, will be removed in 1.13.
Login Succeeded
[root@ip-172-18-12-48 ~]# docker pull 172.30.103.111:5000/openshift/rhel:latest
Trying to pull repository 172.30.103.111:5000/openshift/rhel ...
latest: Pulling from 172.30.103.111:5000/openshift/rhel
fba561a35c19: Already exists
Digest: sha256:1bc5a4c43bbb29a5a96a61896ff696933be3502e2f5fdc4cde02d9e101731fdd
```

Is this for 3.5 or 3.6? The pull request was for origin/master, which is now 3.6. But the ticket says 3.5 for everything.

PR: https://github.com/openshift/origin/pull/13274

This is for 3.5, should be merged today.

Merged in 3.5.

Confirmed with OCP 3.5, the issue has been fixed:

```
openshift version
openshift v3.5.0.50
kubernetes v1.5.2+43a9be4
etcd 3.1.0
[root@ip-172-18-7-163 ~]# docker login -u zhouy -p B57RpPY-vl5xl_ju7Oq1O3xmYT_o6HcKKGxadQgd_Uc -e dalda 172.31.224.223:5000
Flag --email has been deprecated, will be removed in 1.13.
Login Succeeded
[root@ip-172-18-7-163 ~]# docker pull 172.31.224.223:5000/openshift/ruby:2.0
Trying to pull repository 172.31.224.223:5000/openshift/ruby ...
sha256:9cfdf4b811ace13d4c555335b249ab831832a384113035512abc9d4d5cc59716: Pulling from 172.31.224.223:5000/openshift/ruby
7bd78273b666: Already exists
c196631bd9ac: Already exists
f6ae074f3e7f: Pull complete
27fca64257bd: Pull complete
Digest: sha256:9cfdf4b811ace13d4c555335b249ab831832a384113035512abc9d4d5cc59716
Status: Downloaded newer image for 172.31.224.223:5000/openshift/ruby:2.0
```

Added doc text.

Docs PR: https://github.com/openshift/openshift-docs/pull/3890

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:0884
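An added example, not code from this bug or from OpenShift: a small audit that lists which image streams permit insecure pull-through, either through the `openshift.io/image.insecureRepository` annotation discussed in the comments or through the per-tag insecure import policy named in the Doc Text. The sample JSON is constructed, and the `spec.tags[].importPolicy.insecure` layout is assumed to match what `oc get is --all-namespaces -o json` returns.

```python
import json

INSECURE_ANNOTATION = "openshift.io/image.insecureRepository"

# Constructed sample, shaped like `oc get is --all-namespaces -o json` output.
SAMPLE = json.loads("""
{"items": [
  {"metadata": {"namespace": "openshift", "name": "python",
                "annotations": {"openshift.io/image.insecureRepository": "true"}},
   "spec": {"tags": [{"name": "latest"}]}},
  {"metadata": {"namespace": "openshift", "name": "ruby"},
   "spec": {"tags": [{"name": "2.0", "importPolicy": {"insecure": true}},
                     {"name": "latest", "importPolicy": {}}]}},
  {"metadata": {"namespace": "openshift", "name": "rhel"},
   "spec": {"tags": [{"name": "latest"}]}}
]}
""")


def insecure_sources(image_streams):
    """Return sorted (namespace, stream, tag, reason) tuples for every place
    where insecure transport to an external registry is allowed.

    A tag of "*" means the stream-wide annotation applies to all tags.
    """
    findings = []
    for item in image_streams.get("items", []):
        meta = item.get("metadata", {})
        ns, name = meta.get("namespace", ""), meta.get("name", "")
        annotations = meta.get("annotations") or {}
        # Stream-level annotation: the workaround shown in the comments.
        if annotations.get(INSECURE_ANNOTATION) == "true":
            findings.append((ns, name, "*", "annotation"))
        # Tag-level import policy: what the fixed registry also honours.
        for tag in item.get("spec", {}).get("tags") or []:
            if (tag.get("importPolicy") or {}).get("insecure") is True:
                findings.append((ns, name, tag.get("name", ""), "importPolicy"))
    return sorted(findings)


if __name__ == "__main__":
    for ns, name, tag, reason in insecure_sources(SAMPLE):
        print(f"{ns}/{name}:{tag} allows insecure pull-through ({reason})")
```

Each reported entry is a source the integrated registry may fetch over plain HTTP or without certificate verification, so the list is worth reviewing against the registries you intend to trust.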