Bug 1274134 - "--insecure-registry" flag for "oc new-app" doesn't work without running docker daemon
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Build
Version: 3.0.0
Hardware: Unspecified
OS: All
Target Milestone: ---
Assignee: Ben Parees
QA Contact: Wenjing Zheng
Reported: 2015-10-22 03:34 UTC by Kenjiro Nakayama
Modified: 2019-08-15 05:43 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2015-11-23 14:25:44 UTC
Target Upstream Version:


Description Kenjiro Nakayama 2015-10-22 03:34:52 UTC
* env

$ oc version
oc v3.0.2.0-17-g701346b
kubernetes v1.1.0-alpha.0-1605-g44c91b1

* Issue
- We are using a private docker registry.
- "--insecure-registry" flag for "oc new-app" doesn't work without running docker daemon on the client system.
- Users need/want to use "--insecure-registry" flag without docker daemon in their client system.
- Please see below:

* Running on client host (without running docker daemon)
$ oc new-app --docker-image=foo.bar.dockerregistry.com/foobar/hello-world --loglevel=4 --insecure-registry
I1022 10:03:18.172672    6613 newapp.go:245] No local Docker daemon detected: dial unix /var/run/docker.sock: no such file or directory
I1022 10:03:18.226302    6613 dockerimagelookup.go:138] checking Docker registry for "foo.bar.dockerregistry.com/foobar/hello-world"
F1022 10:03:18.284600    6613 helpers.go:71] error: can't connect to "foo.bar.dockerregistry.com": error checking for V2 registry at https://foo.bar.dockerregistry.com/v2/: Get https://foo.bar.dockerregistry.com/v2/: x509: certificate signed by unknown authority

* Running on master host (with running docker daemon)
$ oc new-app --docker-image=foo.bar.dockerregistry.com/foobar/hello-world --loglevel=4 --insecure-registry
I1021 19:03:24.459017   71557 dockerimagelookup.go:47] checking local Docker daemon for "foo.bar.dockerregistry.com/foobar/hello-world"
I1021 19:03:24.462624   71557 dockerimagelookup.go:138] checking Docker registry for "foo.bar.dockerregistry.com/foobar/hello-world"
I1021 19:03:24.513746   71557 client.go:408] Getting repository foobar/hello-world from {https  <nil> foo.bar.dockerregistry.com   }
I1021 19:03:24.674610   71557 dockerimagelookup.go:161] found image: &dockerregistry.Image{Image:docker.Image{ID:"aa1a4579b39d8ada4141801bec3f49f7636b339c7b372a6eb03e243139a00450", Parent:"0f73ae75014f435e279d85ad31edc67e46c4a5d692b61840ff51e9d05f3b01ec", Comment:"", Created:time.Time{sec:63579787414, nsec:941021958, loc:(*time.Location)(0x393fdc0)}, Container:"70e55b11a4a466b2c7c94aa65fb26f018e00c233bd4e650e8122a47ab255af6f", ContainerConfig:docker.Config{Hostname:"aa61f9423ec3", Domainname:"", User:"", Memory:0, MemorySwap:0, CPUShares:0, CPUSet:"", AttachStdin:false, AttachStdout:false, AttachStderr:false, PortSpecs:[]string(nil), ExposedPorts:map[docker.Port]struct {}(nil), Tty:false, OpenStdin:false, StdinOnce:false, Env:[]string{"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"}, Cmd:[]string{"/bin/sh", "-c", "#(nop) CMD [\"echo\" \"Hello\"]"}, DNS:[]string(nil), Image:"0f73ae75014f435e279d85ad31edc67e46c4a5d692b61840ff51e9d05f3b01ec", Volumes:map[string]struct {}(nil), VolumesFrom:"", WorkingDir:"", MacAddress:"", Entrypoint:[]string(nil), NetworkDisabled:false, SecurityOpts:[]string(nil), OnBuild:[]string{}, Mounts:[]docker.Mount(nil), Labels:map[string]string{"License":"GPLv2", "Vendor":"CentOS"}}, DockerVersion:"1.8.1", Author:"", Config:(*docker.Config)(0xc2080c2ea0), Architecture:"amd64", Size:0, VirtualSize:0}, PullByID:false}
I1021 19:03:24.674898   71557 newapp.go:776] Code
I1021 19:03:24.674913   71557 newapp.go:777] Components foo.bar.dockerregistry.com/foobar/hello-world
I1021 19:03:24.674933   71557 newapp.go:468] found group: app.ComponentReferences{(*app.ComponentInput)(0xc20855fcb0)}
I1021 19:03:24.674947   71557 newapp.go:520] will include "foo.bar.dockerregistry.com/foobar/hello-world"
W1021 19:03:24.675039   71557 pipeline.go:246] A service will not be generated for DeploymentConfig "hello-world" because no exposed ports were detected. Use 'oc expose dc "hello-world" --port=[port]' to create a service.
Run 'oc status' to view your app.

Comment 2 Kenjiro Nakayama 2015-10-22 03:37:09 UTC
* Root cause is here: the InsecureRegistry option will not be set if the docker daemon is not running.

- ./pkg/cmd/cli/cmd/newapp.go
        dockerClient, _, err := dockerutil.NewHelper().GetClient()
        if err == nil {
                if err = dockerClient.Ping(); err == nil {
                        // ... (body not included in this excerpt)
                }
        }
        if err != nil {
                glog.V(2).Infof("No local Docker daemon detected: %v", err)
        }

- ./pkg/generate/app/cmd/newapp.go
// SetDockerClient sets the passed Docker client in the application configuration
func (c *AppConfig) SetDockerClient(dockerclient *docker.Client) {
        c.dockerSearcher = app.DockerClientSearcher{
                Client:           dockerclient,
                RegistrySearcher: c.dockerRegistrySearcher(),
                Insecure:         c.InsecureRegistry,
        }
}

Comment 3 Cesar Wong 2015-10-23 02:26:38 UTC
Kenjiro, the insecure registry option should be used in the registry client, even if the docker daemon is not set:

- ./pkg/generate/app/cmd/newapp.go
func (c *AppConfig) dockerRegistrySearcher() app.Searcher {
	return app.DockerRegistrySearcher{
		Client:        dockerregistry.NewClient(),
		AllowInsecure: c.InsecureRegistry,
	}
}

func (c *AppConfig) ensureDockerSearcher() {
	if c.dockerSearcher == nil {
		c.dockerSearcher = c.dockerRegistrySearcher()
	}
}

Would it be possible to try with the latest version of the origin oc binary as the client and --loglevel=8? We should have more information now, including whether the connection to the registry is made securely or insecurely.
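
What the flag controls at the TLS layer, as an added example (not code from the origin repository or from anyone on this bug): a Go program that runs the same GET /v2/ probe seen in the log against a constructed local TLS server standing in for the private registry. The names registryClient, pingV2 and probe are hypothetical; the third case, trusting the registry's own CA certificate so that verification stays on, goes beyond what the bug discusses.

```go
// Added example; registryClient, pingV2 and probe are hypothetical names.
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// registryClient builds the HTTP client for the /v2/ probe. insecure plays the
// role of --insecure-registry; roots, when non-nil, is an explicit trust pool.
func registryClient(insecure bool, roots *x509.CertPool) *http.Client {
	return &http.Client{Transport: &http.Transport{
		TLSClientConfig: &tls.Config{InsecureSkipVerify: insecure, RootCAs: roots},
	}}
}

// pingV2 performs the check shown in the log: GET <registry>/v2/.
func pingV2(c *http.Client, base string) error {
	resp, err := c.Get(base + "/v2/")
	if err != nil {
		return err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return fmt.Errorf("unexpected status %d", resp.StatusCode)
	}
	return nil
}

// probe starts a constructed stand-in registry whose certificate is not in the
// system trust store and tries three client configurations against it.
func probe() (strict, insecure, pinned error) {
	srv := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.WriteHeader(http.StatusOK)
	}))
	defer srv.Close()
	roots := x509.NewCertPool()
	roots.AddCert(srv.Certificate()) // trust only this registry's certificate
	return pingV2(registryClient(false, nil), srv.URL), // default: verification fails
		pingV2(registryClient(true, nil), srv.URL), // flag honored: no verification
		pingV2(registryClient(false, roots), srv.URL) // verified against pinned CA
}

func main() {
	strict, insecure, pinned := probe()
	fmt.Println("default:", strict, "| insecure:", insecure, "| pinned CA:", pinned)
}
```

The default client fails certificate verification the same way the client-host log does; the insecure client connects without authenticating the registry at all, while the pinned client connects and still rejects any other certificate.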

Comment 4 Kenjiro Nakayama 2015-10-23 02:34:44 UTC

> Would it be possible to try with the latest version of the origin oc binary as the client and --loglevel=8? We should have more information now, including whether the connection to the registry is made securely or insecurely.

I have already told the customer the workaround (running docker daemon). So I will set it up myself and inform you.
Please allow me some time.

Comment 5 Ben Parees 2015-10-23 18:56:35 UTC

Comment 6 Kenjiro Nakayama 2015-10-24 09:28:35 UTC
Thank you. It looks like I don't need to provide the information.

Comment 7 Ben Parees 2015-10-24 20:23:25 UTC
nope, should be fixed now.

Comment 13 Brenton Leanhardt 2015-11-23 14:25:44 UTC
This fix is available in OpenShift Enterprise 3.1.
