Bug 1274134 - "--insecure-registry" flag for "oc new-app" doesn't work without running docker daemon
Status: CLOSED CURRENTRELEASE
Product: OpenShift Container Platform
Classification: Red Hat
Component: Build
Version: 3.0.0
Hardware: Unspecified
OS: All
Priority: unspecified
Severity: medium
Assigned To: Ben Parees
QA Contact: Wenjing Zheng
Reported: 2015-10-21 23:34 EDT by Kenjiro Nakayama
Modified: 2015-11-23 09:25 EST
Doc Type: Bug Fix
Last Closed: 2015-11-23 09:25:44 EST
Type: Bug

Description Kenjiro Nakayama 2015-10-21 23:34:52 EDT
* env

$ oc version
oc v3.0.2.0-17-g701346b
kubernetes v1.1.0-alpha.0-1605-g44c91b1

* Issue
----
- We are using a private docker registry.
- The "--insecure-registry" flag for "oc new-app" doesn't work without a running docker daemon on the client system.
- Users need/want to use the "--insecure-registry" flag without a docker daemon on their client system.
- Please see below:

* Running on client host (without running docker daemon)
~~~
$ oc new-app --docker-image=foo.bar.dockerregistry.com/foobar/hello-world --loglevel=4 --insecure-registry
I1022 10:03:18.172672    6613 newapp.go:245] No local Docker daemon detected: dial unix /var/run/docker.sock: no such file or directory
I1022 10:03:18.226302    6613 dockerimagelookup.go:138] checking Docker registry for "foo.bar.dockerregistry.com/foobar/hello-world"
F1022 10:03:18.284600    6613 helpers.go:71] error: can't connect to "foo.bar.dockerregistry.com": error checking for V2 registry at https://foo.bar.dockerregistry.com/v2/: Get https://foo.bar.dockerregistry.com/v2/: x509: certificate signed by unknown authority
~~~

* Running on master host (with running docker daemon)
~~~
$ oc new-app --docker-image=foo.bar.dockerregistry.com/foobar/hello-world --loglevel=4 --insecure-registry
I1021 19:03:24.459017   71557 dockerimagelookup.go:47] checking local Docker daemon for "foo.bar.dockerregistry.com/foobar/hello-world"
I1021 19:03:24.462624   71557 dockerimagelookup.go:138] checking Docker registry for "foo.bar.dockerregistry.com/foobar/hello-world"
I1021 19:03:24.513746   71557 client.go:408] Getting repository foobar/hello-world from {https  <nil> foo.bar.dockerregistry.com   }
I1021 19:03:24.674610   71557 dockerimagelookup.go:161] found image: &dockerregistry.Image{Image:docker.Image{ID:"aa1a4579b39d8ada4141801bec3f49f7636b339c7b372a6eb03e243139a00450", Parent:"0f73ae75014f435e279d85ad31edc67e46c4a5d692b61840ff51e9d05f3b01ec", Comment:"", Created:time.Time{sec:63579787414, nsec:941021958, loc:(*time.Location)(0x393fdc0)}, Container:"70e55b11a4a466b2c7c94aa65fb26f018e00c233bd4e650e8122a47ab255af6f", ContainerConfig:docker.Config{Hostname:"aa61f9423ec3", Domainname:"", User:"", Memory:0, MemorySwap:0, CPUShares:0, CPUSet:"", AttachStdin:false, AttachStdout:false, AttachStderr:false, PortSpecs:[]string(nil), ExposedPorts:map[docker.Port]struct {}(nil), Tty:false, OpenStdin:false, StdinOnce:false, Env:[]string{"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"}, Cmd:[]string{"/bin/sh", "-c", "#(nop) CMD [\"echo\" \"Hello\"]"}, DNS:[]string(nil), Image:"0f73ae75014f435e279d85ad31edc67e46c4a5d692b61840ff51e9d05f3b01ec", Volumes:map[string]struct {}(nil), VolumesFrom:"", WorkingDir:"", MacAddress:"", Entrypoint:[]string(nil), NetworkDisabled:false, SecurityOpts:[]string(nil), OnBuild:[]string{}, Mounts:[]docker.Mount(nil), Labels:map[string]string{"License":"GPLv2", "Vendor":"CentOS"}}, DockerVersion:"1.8.1", Author:"", Config:(*docker.Config)(0xc2080c2ea0), Architecture:"amd64", Size:0, VirtualSize:0}, PullByID:false}
I1021 19:03:24.674898   71557 newapp.go:776] Code
I1021 19:03:24.674913   71557 newapp.go:777] Components foo.bar.dockerregistry.com/foobar/hello-world
I1021 19:03:24.674933   71557 newapp.go:468] found group: app.ComponentReferences{(*app.ComponentInput)(0xc20855fcb0)}
I1021 19:03:24.674947   71557 newapp.go:520] will include "foo.bar.dockerregistry.com/foobar/hello-world"
W1021 19:03:24.675039   71557 pipeline.go:246] A service will not be generated for DeploymentConfig "hello-world" because no exposed ports were detected. Use 'oc expose dc "hello-world" --port=[port]' to create a service.
imagestreams/hello-world
deploymentconfigs/hello-world
Run 'oc status' to view your app.
~~~
Comment 2 Kenjiro Nakayama 2015-10-21 23:37:09 EDT
* The root cause is here: the InsecureRegistry option will not be set if the docker daemon is not running.

- ./pkg/cmd/cli/cmd/newapp.go
~~~
        dockerClient, _, err := dockerutil.NewHelper().GetClient()
        if err == nil {
                if err = dockerClient.Ping(); err == nil {
                        config.SetDockerClient(dockerClient)
                }
        }
        if err != nil {
                glog.V(2).Infof("No local Docker daemon detected: %v", err)
        }
~~~

- ./pkg/generate/app/cmd/newapp.go
~~~
// SetDockerClient sets the passed Docker client in the application configuration
func (c *AppConfig) SetDockerClient(dockerclient *docker.Client) {
        c.dockerSearcher = app.DockerClientSearcher{
                Client:           dockerclient,
                RegistrySearcher: c.dockerRegistrySearcher(),
                Insecure:         c.InsecureRegistry,
        }
}
~~~
Comment 3 Cesar Wong 2015-10-22 22:26:38 EDT
Kenjiro, the insecure registry option should be used in the registry client, even if the docker daemon is not set:

- ./pkg/generate/app/cmd/newapp.go
~~~
func (c *AppConfig) dockerRegistrySearcher() app.Searcher {
	return app.DockerRegistrySearcher{
		Client:        dockerregistry.NewClient(),
		AllowInsecure: c.InsecureRegistry,
	}
}

func (c *AppConfig) ensureDockerSearcher() {
	if c.dockerSearcher == nil {
		c.dockerSearcher = c.dockerRegistrySearcher()
	}
}
~~~

Would it be possible to try with the latest version of the origin oc binary as the client and --loglevel=8? We should have more information now, including whether the connection to the registry is made securely or insecurely.
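
The following is an added example, not part of the bug thread or of the OpenShift code base. It reproduces the `x509: certificate signed by unknown authority` failure on a `/v2/` check against a constructed local test server and compares three client modes: default verification, verification disabled, and verification kept on with the registry's CA added to the trust pool. The names `probeV2`, `isUnknownAuthority` and `runProbes` are hypothetical, and treating an insecure-registry switch as "skip TLS verification" is an assumption made for the example.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// probeV2 (hypothetical helper) issues GET <registry>/v2/, the check that fails
// in the log above. A nil tlsCfg means normal verification against system roots.
func probeV2(baseURL string, tlsCfg *tls.Config) error {
	tr := &http.Transport{TLSClientConfig: tlsCfg, DisableKeepAlives: true}
	resp, err := (&http.Client{Transport: tr}).Get(baseURL + "/v2/")
	if err != nil {
		return err
	}
	return resp.Body.Close()
}

// isUnknownAuthority reports whether err is the x509 "unknown authority" failure.
func isUnknownAuthority(err error) bool {
	var ua x509.UnknownAuthorityError
	return errors.As(err, &ua)
}

// runProbes starts a constructed stand-in registry whose certificate is not in
// the system trust store and probes it in three client modes.
func runProbes() (strict, insecure, trusted error) {
	srv := httptest.NewTLSServer(http.HandlerFunc(
		func(w http.ResponseWriter, r *http.Request) { w.WriteHeader(http.StatusOK) }))
	defer srv.Close()
	strict = probeV2(srv.URL, nil) // default client: verification fails
	// Assumption: an insecure-registry switch amounts to skipping verification.
	insecure = probeV2(srv.URL, &tls.Config{InsecureSkipVerify: true})
	// Alternative: keep verification on and trust only the registry's CA.
	pool := x509.NewCertPool()
	pool.AddCert(srv.Certificate())
	trusted = probeV2(srv.URL, &tls.Config{RootCAs: pool})
	return strict, insecure, trusted
}

func main() {
	strict, insecure, trusted := runProbes()
	fmt.Println("strict unknown authority:", isUnknownAuthority(strict))
	fmt.Println("insecure:", insecure, "trusted CA:", trusted)
}
```

The third mode succeeds with certificate verification still enforced, which is the reason to prefer distributing the private registry's CA to clients over disabling verification.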
Comment 4 Kenjiro Nakayama 2015-10-22 22:34:44 EDT
Cesar,

> Would it be possible to try with the latest version of the origin oc binary as the client and --loglevel=8? We should have more information now, including whether the connection to the registry is made securely or insecurely.

I have already told the customer the workaround (running docker daemon). So I will set it up myself and inform you.
Please allow me some time.
Comment 5 Ben Parees 2015-10-23 14:56:35 EDT
https://github.com/openshift/origin/pull/5369
Comment 6 Kenjiro Nakayama 2015-10-24 05:28:35 EDT
Thank you. It looks like I don't need to provide the information.
Comment 7 Ben Parees 2015-10-24 16:23:25 EDT
nope, should be fixed now.
Comment 13 Brenton Leanhardt 2015-11-23 09:25:44 EST
This fix is available in OpenShift Enterprise 3.1.
