Bug 1657187
| Summary: | ose-docker-builder does not login to registry.redhat.io when doing builds | ||||||
|---|---|---|---|---|---|---|---|
| Product: | OpenShift Container Platform | Reporter: | Dmitry Zhukovski <dzhukous> | ||||
| Component: | Build | Assignee: | Ben Parees <bparees> | ||||
| Status: | CLOSED NOTABUG | QA Contact: | wewang <wewang> | ||||
| Severity: | urgent | Docs Contact: | |||||
| Priority: | unspecified | ||||||
| Version: | 3.11.0 | CC: | aabhishe, adeshpan, amurdaca, aos-bugs, bparees, gparente, jfoots, jokerman, kborup, mmccomas, mnoguera, ocasalsa, pamoedom, rbost, sgarciam, wzheng | ||||
| Target Milestone: | --- | Keywords: | Reopened | ||||
| Target Release: | --- | ||||||
| Hardware: | x86_64 | ||||||
| OS: | All | ||||||
| Whiteboard: | |||||||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |||||
| Doc Text: | Story Points: | --- | |||||
| Clone Of: | Environment: | ||||||
| Last Closed: | 2019-08-13 09:37:06 UTC | Type: | Bug | ||||
| Regression: | --- | Mount Type: | --- | ||||
| Documentation: | --- | CRM: | |||||
| Verified Versions: | Category: | --- | |||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||
| Embargoed: | |||||||
| Attachments: |
|
||||||
|
Description
Dmitry Zhukovski
2018-12-07 11:53:40 UTC
Please also provide openshift exact version docker pull works fine and credentials are stored on the right paths as well, more information are coming from customer/consultant but I don't think it's a docker issue, rather an openshift misconfiguration or bug maybe. Please re-assign it to me otherwise. This is working as designed. To access the new registry you either need to setup appropriate credentials like for any other private registry, or you need to use pull through against an imagestream in a namespace that has credentials setup (see the out of box openshift namespace imagestreams). Or continue using registry.access.redhat.com. Node credentials are not used for build pulls. You must supply them in your namespace. > To access the new registry you either need to setup appropriate credentials like for any other private registry
FTR, this would be done like below and will be entered into red hat knowledgebase. Note the `docker login` steps and `oc create secret` can be abbreviate if you want to enter credentials into `oc create secret` directly without logging in via docker (e.g. if you do not have it avialable locally and only use `oc`):
# cat imagestream-and-bc.yaml
kind: "List"
apiVersion: "v1"
items:
- kind: "ImageStream"
apiVersion: "v1"
metadata:
labels:
app: "my-test"
template: "my-test"
name: "my-test"
- kind: "BuildConfig"
apiVersion: "v1"
metadata:
labels:
template: "my-test"
name: "my-test-build"
spec:
source:
binary: {}
type: Binary
strategy:
type: Docker
dockerStrategy:
dockerfilePath: .
triggers: []
output:
to:
kind: "ImageStreamTag"
name: "my-test:latest"
# cat Dockerfile
FROM registry.redhat.io/openshift3/ose
USER 1001
CMD ["/bin/ls"]
# oc new-project my-test
# oc create -f imagestream-and-bc.yaml
imagestream.image.openshift.io/my-test created
buildconfig.build.openshift.io/my-test-build created
# docker login registry.redhat.io
<enter credentials>
# oc create secret generic my-credentials --from-file=.dockerconfigjson=$HOME/.docker/config.json --type=kubernetes.io/dockerconfigjson
# oc start-build my-test-build --from-dir=.
Uploading directory "." as binary input for the build ...
.
Uploading finished
build.build.openshift.io/my-test-build-2 started
# oc logs my-test-build-2-build
Step 1/5 : FROM registry.redhat.io/openshift3/ose
---> 96ee92cf05ea
Step 2/5 : USER 1001
---> Running in 6269bc22ba23
---> ebf4f076260b
...
Success from here on.
Created attachment 1555501 [details]
my-test-build pod objects
As an extra note, if I create an imagestream to point to the image, the build succeeds.
Basic instructions, working in Cluster A (the impossible thing which should be explained):
# cat imagestream-and-bc.yaml
kind: "List"
apiVersion: "v1"
items:
- kind: "ImageStream"
apiVersion: "v1"
metadata:
labels:
app: "my-test"
template: "my-test"
name: "my-test"
- kind: "BuildConfig"
apiVersion: "v1"
metadata:
labels:
template: "my-test"
name: "my-test-build"
spec:
source:
binary: {}
type: Binary
strategy:
type: Docker
dockerStrategy:
dockerfilePath: .
triggers: []
output:
to:
kind: "ImageStreamTag"
name: "my-test:latest"
# cat Dockerfile
FROM registry.redhat.io/openshift3/ose
USER 1001
CMD ["/bin/ls"]
# oc new-project my-test
# oc create -f imagestream-and-bc.yaml
imagestream.image.openshift.io/my-test created
buildconfig.build.openshift.io/my-test-build created
# oc start-build my-test-build --from-dir=.
Uploading directory "." as binary input for the build ...
.
Uploading finished
build.build.openshift.io/my-test-build-2 started
# oc logs my-test-build-1-build
Step 1/5 : FROM registry.redhat.io/openshift3/ose
---> 96ee92cf05ea
Step 2/5 : USER 1001
---> Running in 6269bc22ba23
---> ebf4f076260b
...
Success!
Extra step required in Cluster B. Any of them makes the build work:
- Option 1
# oc import-image rhel7-minimal --from registry.redhat.io/rhel7-minimal --reference-policy local --confirm
- Option 2
# oc create secret generic my-credentials --from-file=.dockerconfigjson=$HOME/.docker/config.json --type=kubernetes.io/dockerconfigjson
# oc set build-secret --pull bc/my-test-build my-credentials
While I don't agree with the explanation of "from now on every single build or project must be tweaked to get images" as in the past it wasn't that way, the point here is to understand why Cluster A is working without such extra configuration.
Thanks in advance.
Correction to the previous update: # cat Dockerfile FROM registry.redhat.io/rhel7-minimal USER 1001 CMD ["/bin/ls"] I regret the noise, but it was working because the image was already pulled in the only single node in the cluster... my bad. Closing it again. |