Bug 1469654
| Summary: | image pruning doesn't work from outside the cluster | ||
|---|---|---|---|
| Product: | OpenShift Container Platform | Reporter: | Anton Sherkhonov <asherkho> |
| Component: | Image Registry | Assignee: | Michal Minar <miminar> |
| Status: | CLOSED ERRATA | QA Contact: | Dongbo Yan <dyan> |
| Severity: | low | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 3.5.0 | CC: | aleks, aos-bugs, asherkho, aweiteka, bparees, dyan, eminguez, jokerman, mfojtik, mmccomas, pportant, pweil |
| Target Milestone: | --- | ||
| Target Release: | 3.7.0 | ||
| Hardware: | x86_64 | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: |
Cause: The `oadm prune images` used to print confusing errors (e.g. operation timeout). And several of its options were not documented. Also the help was misleading (e.g. --registry-url flag is necessary only when passed with --confirm).
Consequence: User did not know what to do when timeout occured. User wasn't able to find out the solution even in the documentation.
Fix: Errors are now printed with hint. Documentation has been updated, help has been amended.
Result: N00b should be able to prune images now. Even outside of OpenShift cluster.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2017-11-28 22:00:46 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
|
Description
Anton Sherkhonov
2017-07-11 15:11:53 UTC
Anton, for this purpose we offer `--registry-url` option for the `oadm prune images` command. Could you please try it and report back? `--registry-url` works, I still think this is a bug though: It is very inconsistent with other usages of `oc` command where you don't need anything except for master api endpoint. If you don't have `--registry-url` the commmand without `--confirm` works just fine, that suggests that it should work with `--confirm` as well. The error you get is "operation timed out" which doesn't make it easy to understand that you need `--registry-url`. There is nothing in the documentation to support that. So if "oc adm prune images" works from in the cluster, doesn't that mean it is accessing the registry via the internal service name? If so, why not always use the external service name, if it exists, and only use the internal service name when it doe s not exist? Then you would not need --registry url for internal vs external access, right? The `--registry-url` flag is covered in PR [1]. But I see that the section about `--registry-url` will need to be back-ported to earlier versions. I'll take care of it. [1] https://github.com/openshift/openshift-docs/pull/4471 > The error you get is "operation timed out" which doesn't make it easy to understand that you need `--registry-url`. There is nothing in the documentation to support that. This really isn't a good user experience. It will be fixed by this bz. > If you don't have `--registry-url` the commmand without `--confirm` works just fine, that suggests that it should work with `--confirm` as well. I'm not really sure about this point. The `--registry-url` isn't really needed for the dry-run. Would it be enough to just document this better in command's help? > If so, why not always use the external service name, if it exists, and only use the internal service name when it does not exist? Unfortunately, it's pretty hard to determine the working external url of the registry. We don't have a way to safely determine it. Recently, we started to allow for external registry name to propagate into image streams [2]. However, making use of it is still optional, which still makes the internal IP the safest option from inside of cluster. [2] https://github.com/openshift/origin/pull/14882 For the usage outside of cluster, I don't see a better option to `--registry-url`. Or making the URL discover-able from the master which has been discussed several times already. >> The error you get is "operation timed out" which doesn't make it easy to understand that you need `--registry-url`. There is nothing in the documentation to support that. > This really isn't a good user experience. It will be fixed by this bz. @michal, did this ever get fixed? > The `--registry-url` flag is covered in PR [1]. But I see that the section about `--registry-url` will need to be back-ported to earlier versions. I'll take care of it. did this documentation get backported? > I'm not really sure about this point. The `--registry-url` isn't really needed for the dry-run. Would it be enough to just document this better in command's help? yes, that seems reasonable, let's do that. I am lowering the severity of this bug as all I see are: 1) better error/timeout logic 2) some better docs 3) some better help text Certainly not a blocker. I don't think got fixed, the error is really not good user experience, we should probably improve it to "operation timed out while contacting registry XYZ". oadm prune help and error-reporting fixing PR: https://github.com/openshift/origin/pull/16655 The PR has been fixed. The only missing pieces are documentation back-port PRs [1] and [2] for the --registry-url flag. [1] https://github.com/openshift/openshift-docs/pull/5535 (OCP 3.5) [2] https://github.com/openshift/openshift-docs/pull/5536 (OCP 3.4) The documentation PRs have been merged as well. Verified # oc version oc v3.7.0-0.147.0 kubernetes v1.7.6+a08f5eeb62 features: Basic-Auth GSSAPI Kerberos SPNEGO Server https://:8443 openshift v3.7.0-0.143.2 kubernetes v1.7.0+80709908fd When prune images outside cluster without '--registry-url' flag will prompt error like below: # oadm prune images --keep-younger-than=0 --confirm error: failed to ping registry docker-registry.default.svc:5000: [Get https://docker-registry.default.svc:5000/: dial tcp: lookup docker-registry.default.svc on 10.72.17.5:53: no such host, Get http://docker-registry.default.svc:5000/: dial tcp: lookup docker-registry.default.svc on 10.72.17.5:53: no such host] * Please provide a reachable route to the integrated registry using --registry-url. Docs and help text look good, so move to verified Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2017:3188 |