Bug 1678158
| Summary: | Failed to use stage registry | | |
|---|---|---|---|
| Product: | OpenShift Container Platform | Reporter: | Zihan Tang <zitang> |
| Component: | Service Broker | Assignee: | Jesus M. Rodriguez <jesusr> |
| Status: | CLOSED ERRATA | QA Contact: | Zihan Tang <zitang> |
| Severity: | high | Docs Contact: | |
| Priority: | high | | |
| Version: | 3.9.0 | CC: | aos-bugs, chezhang, chuo, dyan, jesusr, jfan, jiazha, zitang |
| Target Milestone: | --- | Keywords: | TestBlocker |
| Target Release: | 3.9.z | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | No Doc Update |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | | |
| : | 1696113 | Environment: | |
| Last Closed: | 2019-07-24 08:00:13 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | | | |
| Bug Blocks: | 1696113 | | |
| Attachments: | | | |

Comment 2
Jesus M. Rodriguez
2019-02-19 19:23:25 UTC
Using 3.9 I was able to recreate the original error.

```
2019-02-20T16:39:50.88Z] [DEBUG] - Dao::BatchGetRaw
[2019-02-20T16:39:50.881Z] [DEBUG] - Successfully loaded [ 0 ] objects from etcd dir [ /spec ]
[2019-02-20T16:39:51.028Z] [WARNING] - registry: 0x1584a70 was unable to complete bootstrap - Get https://registry.access.stage.redhat.com/v1/search?q="*-apb": x509: certificate signed by unknown authority
[2019-02-20T16:39:51.028Z] [ERROR] - Failed to bootstrap on startup!
[2019-02-20T16:39:51.028Z] [ERROR] - all registries failed on bootstrap
time="2019-02-20T16:39:51Z" level=error msg="unable to retrieve image names for registry rh - Get https://registry.access.stage.redhat.com/v1/search?q=\"*-apb\": x509: certificate signed by unknown authority"
```

I will investigate.

We are back porting the ability to skip TLS verification which is how we deal with internal registries like this without having the certificate. It is a configuration item.

Jesus, is it ready for now? If yes, could you tell me how to config it? Thanks!

Patch posted to 3.9 branch: https://github.com/openshift/ansible-service-broker/pull/1194
We backported the SkipVerifyTLS option from 3.11 back to 3.9.

It will be ready in a couple of days. Once it gets reviewed, merged. We can rebuild the packages. Then rebuild the images for QE.

Jesus, do we need to doc these changes (backported the SkipVerifyTLS option from 3.11 back to 3.9) in related release doc?

Probably not. I just removed it. Makes things simpler too.

Could you please take high priority to fix this? In v3.9, only stage registry can be used as downstream registry. This blocks errata testing. Thanks.

I've retested and it works for me using `http://registry.access.stage.redhat.com` and `skip_verify_tls: true`. Broker version 1.1.20 being used.

```
============================================================
== Starting Ansible Service Broker... ==
============================================================
[2019-07-02T19:31:16.971Z] [INFO] - Ansible Service Broker Version: 1.1.20
[2019-07-02T19:31:16.971Z] [NOTICE] - Initializing clients...
[2019-07-02T19:31:16.972Z] [DEBUG] - Trying to connect to etcd
[2019-07-02T19:31:16.972Z] [INFO] - == ETCD CX ==
[2019-07-02T19:31:16.972Z] [INFO] - EtcdHost: asb-etcd.ansible-service-broker.svc
[2019-07-02T19:31:16.972Z] [INFO] - EtcdPort: 2379
[2019-07-02T19:31:16.972Z] [INFO] - Endpoints: [https://asb-etcd.ansible-service-broker.svc:2379]
[2019-07-02T19:31:16.991Z] [INFO] - Etcd Version [Server: 3.3.8, Cluster: 3.3.0]
[2019-07-02T19:31:16.996Z] [DEBUG] - Connecting to Cluster
[2019-07-02T19:31:17.006Z] [INFO] - OpenShift version: v3.9.0+71543b2-33
[2019-07-02T19:31:17.009Z] [DEBUG] - plugin for the network -
[2019-07-02T19:31:17.009Z] [NOTICE] - unable to retrieve the network plugin, defaulting to not joining networks - clusternetworks.network.openshift.io "default" not found
[2019-07-02T19:31:17.009Z] [INFO] - Kubernetes version: v1.9.1+a0ce1bc657
[2019-07-02T19:31:17.009Z] [DEBUG] - Connecting Dao
[2019-07-02T19:31:17.009Z] [DEBUG] - Connecting Registry
[2019-07-02T19:31:17.01Z] [DEBUG] - Unable to get user from config
[2019-07-02T19:31:17.01Z] [DEBUG] - Unable to get pass from config
[2019-07-02T19:31:17.01Z] [DEBUG] - Unable to get org from config
[2019-07-02T19:31:17.01Z] [DEBUG] - Unable to get images from config
[2019-07-02T19:31:17.01Z] [DEBUG] - Unable to get namespaces from config
[2019-07-02T19:31:17.01Z] [DEBUG] - Unable to get fail_on_error from config
[2019-07-02T19:31:17.01Z] [DEBUG] - Unable to get black_list from config
[2019-07-02T19:31:17.01Z] [DEBUG] - Unable to get auth_type from config
[2019-07-02T19:31:17.01Z] [DEBUG] - Unable to get auth_name from config
[2019-07-02T19:31:17.01Z] [INFO] - == REGISTRY CX ==
[2019-07-02T19:31:17.01Z] [INFO] - Name: rh
[2019-07-02T19:31:17.01Z] [INFO] - Type: rhcc
[2019-07-02T19:31:17.01Z] [INFO] - Url: http://registry.access.stage.redhat.com
[2019-07-02T19:31:17.01Z] [WARNING] - skipping verification of registry TLS certificate per adapter configuration
[2019-07-02T19:31:17.01Z] [DEBUG] - Creating filter for registry: rh
[2019-07-02T19:31:17.01Z] [DEBUG] - whitelist: [.*-apb$]
[2019-07-02T19:31:17.01Z] [DEBUG] - blacklist: []
[2019-07-02T19:31:17.01Z] [DEBUG] - Initializing WorkEngine
```

The broker sees the following APBs in the list

```
[2019-07-02T19:31:17.931Z] [DEBUG] - Filter applied against registry: rh
[2019-07-02T19:31:17.931Z] [DEBUG] - APBs passing white/blacklist filter:
[2019-07-02T19:31:17.932Z] [DEBUG] - -> rhv4-tech-preview/ovirt-flexvolume-driver-apb
[2019-07-02T19:31:17.932Z] [DEBUG] - -> mobile-1-tech-preview/mobile-app-metrics-apb
[2019-07-02T19:31:17.932Z] [DEBUG] - -> openshift3/mariadb-apb
[2019-07-02T19:31:17.932Z] [DEBUG] - -> openshift4/mariadb-apb
[2019-07-02T19:31:17.932Z] [DEBUG] - -> mobile-1-tech-preview/mobile-sync-app-apb
[2019-07-02T19:31:17.932Z] [DEBUG] - -> mobile-1-tech-preview/mobile-unifiedpush-server-apb
[2019-07-02T19:31:17.932Z] [DEBUG] - -> openshift4/mediawiki-apb
[2019-07-02T19:31:17.932Z] [DEBUG] - -> mobile-1-tech-preview/mobile-developer-console-apb
[2019-07-02T19:31:17.933Z] [DEBUG] - -> mobile-1-tech-preview/mobile-identity-management-apb
[2019-07-02T19:31:17.933Z] [DEBUG] - -> openshift4/postgres-apb
[2019-07-02T19:31:17.933Z] [DEBUG] - -> codeready-workspaces-beta/server-apb
[2019-07-02T19:31:17.933Z] [DEBUG] - -> openshift4/mysql-apb
[2019-07-02T19:31:17.933Z] [DEBUG] - -> rhpam-7/rhpam-apb
[2019-07-02T19:31:17.933Z] [DEBUG] - -> openshift3/automation-broker-apb
[2019-07-02T19:31:17.933Z] [DEBUG] - -> openshift3/mediawiki-apb
[2019-07-02T19:31:17.933Z] [DEBUG] - -> cnv-tech-preview/kubevirt-apb
[2019-07-02T19:31:17.933Z] [DEBUG] - -> cnv-tech-preview/import-vm-apb
[2019-07-02T19:31:17.933Z] [DEBUG] - -> openshift3/mysql-apb
[2019-07-02T19:31:17.933Z] [DEBUG] - -> openshift3/postgresql-apb
[2019-07-02T19:31:17.933Z] [DEBUG] - -> openshift4/postgresql-apb
```

Only a few are available, many of the image URLs return 404 Not Found. But that is a function of how the registry is filled, not a broker issue. I have attached my broker-config and my broker log.

Created attachment 1586856 [details]
broker config

Here is my broker configmap; you can see the registry entry defined within.

```yaml
registry:
  - type: "rhcc"
    name: "rh"
    url: "http://registry.access.stage.redhat.com"
    org:
    tag: "v3.9"
    skip_verify_tls: true
    white_list:
      - ".*-apb$"
```

Created attachment 1586857 [details]
my broker logs
This log shows the broker comes up and connects to the stage registry with the skip_verify_tls set to true.
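
As an added illustration (not code from the broker or from this bug), the Go sketch below shows what a `skip_verify_tls`-style switch does in a TLS client, next to the alternative of trusting the registry's CA certificate so that verification stays on. `registryClient`, `probe`, the `caPEM` parameter (a PEM bundle holding the registry CA) and the local test server standing in for the stage registry are assumptions made for the example.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// registryClient is hypothetical (not broker code); skipVerify mirrors skip_verify_tls.
func registryClient(skipVerify bool, caPEM []byte) (*http.Client, error) {
	cfg := &tls.Config{}
	if len(caPEM) > 0 {
		pool := x509.NewCertPool()
		if !pool.AppendCertsFromPEM(caPEM) {
			return nil, errors.New("no certificate found in CA bundle")
		}
		cfg.RootCAs = pool // verification stays on, anchored to this CA only
	} else if skipVerify {
		cfg.InsecureSkipVerify = true // any certificate from any peer is accepted
	}
	return &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}, nil
}

// probe sends one GET to a constructed local TLS server that no system root vouches for.
func probe(skipVerify, trustCA bool) error {
	srv := httptest.NewTLSServer(http.NotFoundHandler()) // only the handshake matters
	defer srv.Close()
	var caPEM []byte
	if trustCA {
		caPEM = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: srv.Certificate().Raw})
	}
	client, err := registryClient(skipVerify, caPEM)
	if err != nil {
		return err
	}
	resp, err := client.Get(srv.URL)
	if err != nil {
		return err
	}
	return resp.Body.Close()
}

func main() {
	fmt.Println(probe(false, false), probe(true, false), probe(false, true))
}
```

With the CA bundle the client still rejects certificates that do not chain to that CA, while the skip-verification path accepts all of them, which matches the WARNING the broker logs when the option is set.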
@Jesus, your openshift version is v3.9.0+71543b2-33, it is too old. My cluster is: OpenShift version: v3.9.85

I tried this again, the error is different again. My registry:

```yaml
registry:
  - type: rhcc
    name: rh
    url: https://registry.access.stage.redhat.com
    org:
    tag: v3.9
    white_list: [.*-apb$]
    skip_verify_tls: true
    auth_type: ""
    auth_name: ""
```

The asb log:

```
[2019-07-03T03:34:02.658Z] [ERROR] - Image 'registry.access.stage.redhat.com/openshift4/mysql-apb:v3.9' may not exist in registry.
[2019-07-03T03:34:02.658Z] [ERROR] - {"errors":[{"code":"UNSUPPORTED","message":"This repo requires terms acceptance and is only available on registry.redhat.io"}]}
[2019-07-03T03:34:02.823Z] [ERROR] - Image 'registry.access.stage.redhat.com/openshift4/mediawiki-apb:v3.9' may not exist in registry.
```

It should check image in .../openshift3/... not /openshift4/... and I config `org` to `openshift3` in registry:

```yaml
registry:
  - type: rhcc
    name: rh
    url: https://registry.access.stage.redhat.com
    org: openshift3
    tag: v3.9
    white_list: [.*-apb$]
    skip_verify_tls: true
    auth_type: ""
    auth_name: ""
```

but the org parameter does not work for rhcc registry, still got the following error:

```
[2019-07-03T03:52:32.813Z] [ERROR] - Image 'registry.access.stage.redhat.com/openshift4/mariadb-apb:v3.9' may not exist in registry.
```

Created attachment 1586912 [details]
asb-log in v3.9.85
Add whitelist to registry config, it succeeds to use stage registry.

```yaml
registry:
  - type: rhcc
    name: rh
    url: https://registry.access.stage.redhat.com
    org:
    tag: v3.9.85
    white_list:
      - openshift3/mediawiki-apb
      - openshift3/postgresql-apb
      - openshift3/mariadb-apb
      - openshift3/mysql-apb
    skip_verify_tls: true
    auth_type: ""
    auth_name: ""
```

asb log:

```
oc logs -f asb-1-pnzr8 | grep 'into Spec'
[2019-07-03T06:06:57.207Z] [DEBUG] - Successfully converted Image registry.access.stage.redhat.com/openshift3/mariadb-apb:v3.9.85 into Spec
[2019-07-03T06:06:57.332Z] [DEBUG] - Successfully converted Image registry.access.stage.redhat.com/openshift3/mysql-apb:v3.9.85 into Spec
[2019-07-03T06:06:57.454Z] [DEBUG] - Successfully converted Image registry.access.stage.redhat.com/openshift3/mediawiki-apb:v3.9.85 into Spec
[2019-07-03T06:06:57.578Z] [DEBUG] - Successfully converted Image registry.access.stage.redhat.com/openshift3/postgresql-apb:v3.9.85 into Spec
```

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:1757