Bug 1535783

Summary: Cannot login openshift container registry behind proxy
Product: OpenShift Container Platform Reporter: Dongbo Yan <dyan>
Component: InstallerAssignee: Fabian von Feilitzsch <fabian>
Status: CLOSED DUPLICATE QA Contact: Johnny Liu <jialiu>
Severity: high Docs Contact:
Priority: high    
Version: 3.9.0CC: aos-bugs, dyan, ghuang, jokerman, mmccomas
Target Milestone: ---Keywords: Regression, TestBlocker
Target Release: 3.9.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2018-01-25 15:05:31 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
log from dc/docker-registry none

Description Dongbo Yan 2018-01-18 05:59:07 UTC 
Created attachment 1382748 [details]
log from dc/docker-registry

Description of problem:
Launch an openshift cluster behind proxy, cannot login openshift container registry

Version-Release number of selected component (if applicable):
openshift v3.9.0-0.20.0
kubernetes v1.9.1+a0ce1bc657
etcd 3.2.8

How reproducible:
ALways

Steps to Reproduce:
1.Launch an openshift cluster behind proxy
2.Wait registry pod is ready, login openshift container registry

Actual results:
cannot login openshift container registry
# docker login -u dyan -pGsiRdMqRIqzRNPP1VtA_EJu8ZUusBbLtmIABUFEsQ1Y 172.30.114.12:5000
Error response from daemon: Get https://172.30.114.12:5000/v1/users/: Forbidden

Expected results:
could login openshift container registry

Additional info:
could login openshift container registry successfully without proxy
Comment 1 Gan Huang 2018-01-18 06:15:43 UTC 
Check the proxy variables on the docker-registry.
# oc env dc/docker-registry --list |grep -i proxy
NO_PROXY=.cluster.local,.svc,169.254.169.254,172.16.120.100,172.16.120.162
HTTP_PROXY=http://xxx.redhat.com:3128
HTTPS_PROXY=http://xxx.redhat.com:3128

Once appending the cluster CIDR and service CIDR (`172.30.0.0/16,10.128.0.0/14`) to NO_PROXY, build can succeed.
# oc env  dc/docker-registry NO_PROXY=.cluster.local,.svc,169.254.169.254,172.16.120.100,172.16.120.162,172.30.0.0/16,10.128.0.0/14

Assigning to Installer component.
Comment 2 Scott Dodson 2018-01-18 15:27:17 UTC 
The docker registry service ip address is prone to change. To work around that we've configured environments to push to the registry via the service name.

Can you attempt to login to 'docker-registry.default.svc' rather than the service ip address? '.svc' should already be added to docker's NO_PROXY list in /etc/sysconfig/docker which will address this issue.
Comment 3 Gan Huang 2018-01-19 04:43:27 UTC 
Scott, `.svc` had been already added to docker's NO_PROXY. 

From the logs of docker-registry, it seems that docker-registry has to talk to 172.30.0.1 that lead the failure, I think this is the root cause.

We just need to make sure that cluster CIDR and service CIDR could be added to NO_PROXY by installer.
Comment 4 Dongbo Yan 2018-01-23 02:54:14 UTC 
During build process, failed to push image to docker-registry.default.svc:5000, throw the same error: Error response from daemon: Get /v1/users/: Forbidden.

In comment3 , ghuang has provided useful info
Comment 5 Scott Dodson 2018-01-23 18:17:46 UTC 
I believe this is same root cause as https://bugzilla.redhat.com/show_bug.cgi?id=1511870 with a proposed fix in https://github.com/openshift/openshift-ansible/pull/6215
Comment 6 Scott Dodson 2018-01-25 15:05:31 UTC 

*** This bug has been marked as a duplicate of bug 1527210 ***