* env

$ oc version
oc v3.0.2.0-17-g701346b
kubernetes v1.1.0-alpha.0-1605-g44c91b1

* Issue
----
- We are using a private docker registry.
- "--insecure-registry" flag for "oc new-app" doesn't work without running docker daemon on the client system.
- Users need/want to use "--insecure-registry" flag without docker daemon on their client system.
- Please see below:

* Running on client host (without running docker daemon)
~~~
$ oc new-app --docker-image=foo.bar.dockerregistry.com/foobar/hello-world --loglevel=4 --insecure-registry
I1022 10:03:18.172672 6613 newapp.go:245] No local Docker daemon detected: dial unix /var/run/docker.sock: no such file or directory
I1022 10:03:18.226302 6613 dockerimagelookup.go:138] checking Docker registry for "foo.bar.dockerregistry.com/foobar/hello-world"
F1022 10:03:18.284600 6613 helpers.go:71] error: can't connect to "foo.bar.dockerregistry.com": error checking for V2 registry at https://foo.bar.dockerregistry.com/v2/: Get https://foo.bar.dockerregistry.com/v2/: x509: certificate signed by unknown authority
~~~

* Running on master host (with running docker daemon)
~~~
$ oc new-app --docker-image=foo.bar.dockerregistry.com/foobar/hello-world --loglevel=4 --insecure-registry
I1021 19:03:24.459017 71557 dockerimagelookup.go:47] checking local Docker daemon for "foo.bar.dockerregistry.com/foobar/hello-world"
I1021 19:03:24.462624 71557 dockerimagelookup.go:138] checking Docker registry for "foo.bar.dockerregistry.com/foobar/hello-world"
I1021 19:03:24.513746 71557 client.go:408] Getting repository foobar/hello-world from {https <nil> foo.bar.dockerregistry.com }
I1021 19:03:24.674610 71557 dockerimagelookup.go:161] found image: &dockerregistry.Image{Image:docker.Image{ID:"aa1a4579b39d8ada4141801bec3f49f7636b339c7b372a6eb03e243139a00450", Parent:"0f73ae75014f435e279d85ad31edc67e46c4a5d692b61840ff51e9d05f3b01ec", Comment:"", Created:time.Time{sec:63579787414, nsec:941021958, loc:(*time.Location)(0x393fdc0)}, Container:"70e55b11a4a466b2c7c94aa65fb26f018e00c233bd4e650e8122a47ab255af6f", ContainerConfig:docker.Config{Hostname:"aa61f9423ec3", Domainname:"", User:"", Memory:0, MemorySwap:0, CPUShares:0, CPUSet:"", AttachStdin:false, AttachStdout:false, AttachStderr:false, PortSpecs:[]string(nil), ExposedPorts:map[docker.Port]struct {}(nil), Tty:false, OpenStdin:false, StdinOnce:false, Env:[]string{"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"}, Cmd:[]string{"/bin/sh", "-c", "#(nop) CMD [\"echo\" \"Hello\"]"}, DNS:[]string(nil), Image:"0f73ae75014f435e279d85ad31edc67e46c4a5d692b61840ff51e9d05f3b01ec", Volumes:map[string]struct {}(nil), VolumesFrom:"", WorkingDir:"", MacAddress:"", Entrypoint:[]string(nil), NetworkDisabled:false, SecurityOpts:[]string(nil), OnBuild:[]string{}, Mounts:[]docker.Mount(nil), Labels:map[string]string{"License":"GPLv2", "Vendor":"CentOS"}}, DockerVersion:"1.8.1", Author:"", Config:(*docker.Config)(0xc2080c2ea0), Architecture:"amd64", Size:0, VirtualSize:0}, PullByID:false}
I1021 19:03:24.674898 71557 newapp.go:776] Code
I1021 19:03:24.674913 71557 newapp.go:777] Components foo.bar.dockerregistry.com/foobar/hello-world
I1021 19:03:24.674933 71557 newapp.go:468] found group: app.ComponentReferences{(*app.ComponentInput)(0xc20855fcb0)}
I1021 19:03:24.674947 71557 newapp.go:520] will include "foo.bar.dockerregistry.com/foobar/hello-world"
W1021 19:03:24.675039 71557 pipeline.go:246] A service will not be generated for DeploymentConfig "hello-world" because no exposed ports were detected. Use 'oc expose dc "hello-world" --port=[port]' to create a service.
imagestreams/hello-world
deploymentconfigs/hello-world
Run 'oc status' to view your app.
~~~

* Root cause is here: the InsecureRegistry option will not be set if the docker daemon is not running.

- ./pkg/cmd/cli/cmd/newapp.go
~~~
	dockerClient, _, err := dockerutil.NewHelper().GetClient()
	if err == nil {
		if err = dockerClient.Ping(); err == nil {
			config.SetDockerClient(dockerClient)
		}
	}
	if err != nil {
		glog.V(2).Infof("No local Docker daemon detected: %v", err)
	}
~~~

- ./pkg/generate/app/cmd/newapp.go
~~~
// SetDockerClient sets the passed Docker client in the application configuration
func (c *AppConfig) SetDockerClient(dockerclient *docker.Client) {
	c.dockerSearcher = app.DockerClientSearcher{
		Client:           dockerclient,
		RegistrySearcher: c.dockerRegistrySearcher(),
		Insecure:         c.InsecureRegistry,
	}
}
~~~

Kenjiro, the insecure registry option should be used in the registry client, even if the docker daemon is not set:

- ./pkg/generate/app/cmd/newapp.go
~~~
func (c *AppConfig) dockerRegistrySearcher() app.Searcher {
	return app.DockerRegistrySearcher{
		Client:        dockerregistry.NewClient(),
		AllowInsecure: c.InsecureRegistry,
	}
}

func (c *AppConfig) ensureDockerSearcher() {
	if c.dockerSearcher == nil {
		c.dockerSearcher = c.dockerRegistrySearcher()
	}
}
~~~

Would it be possible to try with the latest version of the origin oc binary as the client and --loglevel=8? We should have more information now, including whether the connection to the registry is made securely or insecurely.
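
What an insecure-registry option changes in a registry client's `/v2/` check, shown against a constructed local TLS server whose certificate is not in the system trust store. This is an added example, not part of the bug report and not OpenShift code; `pingV2` and `demo` are hypothetical names. It goes one step beyond the thread by also showing the verifying alternative of trusting the registry's own certificate.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// pingV2 does the check seen in the log: GET <registry>/v2/ over TLS.
// insecure disables certificate verification; roots, if set, replaces system roots.
func pingV2(baseURL string, insecure bool, roots *x509.CertPool) error {
	tr := &http.Transport{TLSClientConfig: &tls.Config{
		InsecureSkipVerify: insecure,
		RootCAs:            roots,
	}}
	defer tr.CloseIdleConnections()
	resp, err := (&http.Client{Transport: tr}).Get(baseURL + "/v2/")
	if err != nil {
		return err
	}
	resp.Body.Close()
	return nil
}

// demo runs the three client configurations against a constructed stand-in
// registry (httptest server with a certificate unknown to the system roots).
func demo() (strictErr, insecureErr, pinnedErr error) {
	srv := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.WriteHeader(http.StatusOK)
	}))
	defer srv.Close()

	pool := x509.NewCertPool()
	pool.AddCert(srv.Certificate()) // trust only this registry's certificate

	strictErr = pingV2(srv.URL, false, nil)  // default: verification fails
	insecureErr = pingV2(srv.URL, true, nil) // flag honoured: no verification at all
	pinnedErr = pingV2(srv.URL, false, pool) // verification kept, registry cert trusted
	return
}

func main() {
	s, i, p := demo()
	fmt.Println("verify, system roots  :", s)
	fmt.Println("insecure (no verify)  :", i)
	fmt.Println("verify, registry cert :", p)
}
```

The first call fails with an x509 verification error like the one in the client-host log; the third succeeds without turning verification off.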

Cesar,

> Would it be possible to try with the latest version of the origin oc binary as the client and --loglevel=8? We should have more information now, including whether the connection to the registry is made securely or insecurely.

I have already told the customer the workaround (running docker daemon). So I will set it up myself and inform you. Please allow me some time.

https://github.com/openshift/origin/pull/5369

Thank you. It looks like I don't need to provide the information.

nope, should be fixed now.
This fix is available in OpenShift Enterprise 3.1.