Cause: Docker client libraries needed to be updated.
Consequence: OpenShift was unable to import an image from an authenticated v2 registry.
Fix: Docker client libraries were updated.
Result: OpenShift can now import an image from an authenticated v2 registry.
Description of problem:
When doing a docker build based on an image from the internal docker registry, the registry responds with the following message:
F0818 16:18:36.664505 1 builder.go:64] Build error: pulling with digest
reference failed from v2 registry
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Create a Docker file that uses an image. ex. FROM <anyimage>
2. Use oc new-app to create the previous container from step 1.
3. Create a new docker file that references the FROM line with the container from step 1. ex. FROM <image_from_step_1>
4. Use oc new-app to build the container from step 3.
5. Verify the error message, "pulling with digest
reference failed from v2 registry"
Builds fail when building containers based on images already in the registry.
Builds should succeed when building containers based on containers that are in the internal v3 docker registry.
We ran into this issue when building a few containers for our monitoring solution. We debugged this issue and according to Cesar,
"I found the issue is a Docker bug that seems to have been introduced in 1.7.1. The problem seems to be in the parsing of a Dockerfile FROM spec that includes a SHA digest. The lookup into the auth config map fails (most likely because it's not handling the ':' in the spec correctly) and then the right credentials are not passed to the registry. This only happens in 'docker build'. Other operations like 'docker pull' work because the credentials are handled differently."
"I found that the Docker issue we ran into has been fixed in more recent versions of Docker (starting with 1.8). At least part of the fix went into this commit: https://github.com/docker/docker/commit/02c7bbefb8841e5e86a4b9d467defa668e3ea613 which is tagged with 1.8."
The issue is with the format of the credential map passed to Docker from the client. It can be reproduced with images that have a sha digest or not. The fix in https://github.com/docker/docker/commit/02c7bbefb8841e5e86a4b9d467defa668e3ea613 should be all that's needed to fix this.
Fixed with https://github.com/openshift/origin/pull/4535
Verified this bug with openshift-126.96.36.1990-0.git.185.2f7757a.el7ose.x86_64, and PASS.
1. Create git repo, include a docker file, just like: https://github.com/jianlinliu/docker-build
2. Run "oc new-app https://github.com/jianlinliu/docker-build", this would trigger a docker build, it will push a new docker images into internal docker registry.
$ oc describe po docker-build-1-srs9t|grep "Image"
3. Create another git repo, include a docker file, that uses docker images generated from step 2 with "FROM 172.30.241.232:5000/jialiu/docker-build@sha256:0be79715544aebf996f6eae6d719eb1211240d9a82c2cda47abf3ff91f2128f", e.g: https://github.com/jianlinliu/docker-build1
4. Run "oc new-app https://github.com/jianlinliu/docker-build1", build and deploy successfully.
$ oc build-logs docker-build1-1
I0911 05:50:27.807942 1 docker.go:202] Cloning source from https://github.com/jianlinliu/docker-build1
Step 0 : FROM 172.30.241.232:5000/jialiu/docker-build@sha256:0be79715544aebf996f6eae6d719eb1211240d9a82c2cda47abf3ff91f2128f2
Step 1 : ADD test /opt/jialiu_test
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory, and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.