Bug 1302549 - [platformmanagement_public_435] Unable to find a secret to match the registry server during import the imagestream with private docker image
[platformmanagement_public_435] Unable to find a secret to match the registry...
Status: CLOSED CURRENTRELEASE
Product: OpenShift Origin
Classification: Red Hat
Component: Image Registry (Show other bugs)
3.x
Unspecified Unspecified
medium Severity medium
: ---
: ---
Assigned To: Clayton Coleman
Wei Sun
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2016-01-28 02:01 EST by weiwei jiang
Modified: 2016-10-30 18:54 EDT (History)
4 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-05-12 13:16:15 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description weiwei jiang 2016-01-28 02:01:16 EST
Description of problem:
After create a imagestreamimport with a private docker image, the master log display:
{imagestreamimports /v1, Kind=ImageStreamImport 0x45b0840 0xc2081b0880 0xc20810a650 {}}
I0128 00:41:38.507992   20064 importer.go:684] Falling back to an HTTP check for an insecure registry {https  <nil> test.com:80   }: Get https://test.com:80/v2/: tls: o
versized record received with length 20527
I0128 00:41:38.514300   20064 credentials.go:108] Unable to find a secret to match http://test.com:80/v2/test/busybox/tags/list (test.com:80/v2/test/busybox/tags/list)
I0128 00:41:38.514324   20064 importer.go:348] unable to access tags for repository &importer.importRepository{Ref:api.DockerImageReference{Registry:"test.com:80", Name
space:"test", Name:"busybox", Tag:"", ID:""}, Registry:(*url.URL)(0xc20f0dcb80), Name:"test/busybox", Insecure:true, Tags:[]importer.importTag(nil), Digests:[]importer.
importDigest(nil), MaximumTags:5, AdditionalTags:[]string(nil), Err:error(nil)}: &url.Error{Op:"Get", URL:"http://test.com:80/v2/test/busybox/tags/list", Err:(*errors.e
rrorString)(0xc20dece750)}
I0128 00:41:38.526301   20064 image_change_controller.go:47] Build image change controller detected ImageStream change 

--------------------------

And when check all the imagestream secrets of the imagestream:
# curl -k --cert /openshift.local.config/master/admin.crt  --key /openshift.local.config/master/admin.key https://127.0.0.1:8443/oapi/v1/namespaces/wjiang/imagestreams/bc/secrets
......
    {
      "metadata": {
        "name": "test",
        "namespace": "wjiang",
        "selfLink": "/api/v1/namespaces/wjiang/secrets/test",
        "uid": "5a1cb645-c56a-11e5-8b5f-0ef77b0359c5",
        "resourceVersion": "583",
        "creationTimestamp": "2016-01-28T02:53:47Z"
      },
      "data": {
        ".dockercfg": "eyJ0ZXN0LmNvbTo4MCI6eyJ1c2VybmFtZSI6InRlc3QiLCJwYXNzd29yZCI6InRlc3QiLCJlbWFpbCI6InRlc3RAcmVkaGF0LmNvbSIsImF1dGgiOiJkR1Z6ZERwMFpYTjAifX0="
      },
      "type": "kubernetes.io/dockercfg"
    }
  ]
}


# echo "eyJ0ZXN0LmNvbTo4MCI6eyJ1c2VybmFtZSI6InRlc3QiLCJwYXNzd29yZCI6InRlc3QiLCJlbWFpbCI6InRlc3RAcmVkaGF0LmNvbSIsImF1dGgiOiJkR1Z6ZERwMFpYTjAifX0="|base64 -d
{"test.com:80":{"username":"test","password":"test","email":"test@redhat.com","auth":"dGVzdDp0ZXN0"}}



Version-Release number of selected component (if applicable):
devenv-rhel7_3259

How reproducible:
always

Steps to Reproduce:
1. Setup a private docker registry
1> docker run -d registry:2
2> docker run -d -v /nginx.conf:/etc/nginx/conf.d/registry.conf -v /htpasswd:/etc/nginx/.htpasswd nginx
# cat nginx.conf 
server {
  listen 80;
  server_name test.com;
  add_header 'Docker-Distribution-Api-Version' 'registry/2.0' always;
  location / {
     proxy_pass http://172.17.0.1:5000;
     auth_basic "Restricted";
     auth_basic_user_file /etc/nginx/.htpasswd;
  }
}
3> Add the insecure registry to /etc/sysconfig/docker & restart docker service
OPTIONS='--insecure-registry 172.30.0.0/16 --insecure-registry 172.17.0.0/16 --selinux-enabled'
2.Create a imagestreamimport 
# oc create -f isi
{
  "kind": "ImageStreamImport",
  "apiVersion": "v1",
  "metadata": {
    "name": "bc"
  },
  "spec":{
  "import": true,
  "repository": {
    "from": {"kind": "DockerImage", "name": "test.com:80/test/busybox"},
    "importPolicy": {"insecure": true }
  }}
}
3. Check the imagestream & check the master log (loglevel=5)

Actual results:
3. 
1> # oc describe is bc                                                                                                                            
Name:                   bc
Created:                34 minutes ago
Labels:                 <none>
Annotations:            openshift.io/image.dockerRepositoryCheck=2016-01-28T05:52:13Z
Docker Pull Spec:       <none>
Tags:                   <none>

2> 
{imagestreamimports /v1, Kind=ImageStreamImport 0x45b0840 0xc2081b0880 0xc20810a650 {}}
I0128 00:41:38.507992   20064 importer.go:684] Falling back to an HTTP check for an insecure registry {https  <nil> test.com:80   }: Get https://test.com:80/v2/: tls: o
versized record received with length 20527
I0128 00:41:38.514300   20064 credentials.go:108] Unable to find a secret to match http://test.com:80/v2/test/busybox/tags/list (test.com:80/v2/test/busybox/tags/list)
I0128 00:41:38.514324   20064 importer.go:348] unable to access tags for repository &importer.importRepository{Ref:api.DockerImageReference{Registry:"test.com:80", Name
space:"test", Name:"busybox", Tag:"", ID:""}, Registry:(*url.URL)(0xc20f0dcb80), Name:"test/busybox", Insecure:true, Tags:[]importer.importTag(nil), Digests:[]importer.
importDigest(nil), MaximumTags:5, AdditionalTags:[]string(nil), Err:error(nil)}: &url.Error{Op:"Get", URL:"http://test.com:80/v2/test/busybox/tags/list", Err:(*errors.e
rrorString)(0xc20dece750)}
I0128 00:41:38.526301   20064 image_change_controller.go:47] Build image change controller detected ImageStream change 



Expected results:
Should work well

Additional info:
Comment 1 weiwei jiang 2016-01-28 02:08:59 EST
Here is the result when access the registry api:
# curl http://test:test@test.com/v2/test/busybox/tags/list
{"name":"test/busybox","tags":["latest"]}
Comment 2 weiwei jiang 2016-01-29 03:46:47 EST
When I try to import imagestream which source is a https scheme private registry, also failed even I add insecure=true

{ ImageStreamImport}
&{imagestreamimports /v1, Kind=ImageStreamImport 0x45aa7c0 0xc2081b08e0 0xc20810a650 {}}
I0129 03:35:01.605214    4013 importer.go:684] Falling back to an HTTP check for an insecure registry {https  <nil> test.com:5000   }: Get https://test.com:5000/v2/: x5
09: certificate signed by unknown authority
I0129 03:35:01.608390    4013 importer.go:310] unable to access repository &importer.importRepository{Ref:api.DockerImageReference{Registry:"test.com:5000", Namespace:"
test", Name:"busybox", Tag:"", ID:""}, Registry:(*url.URL)(0xc20a634780), Name:"test/busybox", Insecure:true, Tags:[]importer.importTag(nil), Digests:[]importer.importD
igest(nil), MaximumTags:5, AdditionalTags:[]string(nil), Err:error(nil)}: &url.Error{Op:"Get", URL:"https://test.com:5000/v2/", Err:x509.UnknownAuthorityError{cert:(*x5
09.Certificate)(0xc20b54d680), hintErr:error(nil), hintCert:(*x509.Certificate)(nil)}}
I0129 03:35:01.617447    4013 image_change_controller.go:47] Build image change controller detected ImageStream change


1. setup https docker registry 
1> docker run --entrypoint htpasswd registry:2 -Bbn test test > htpasswd
2> oadm ca create-server-cert --cert=server.crt --key=server.key --hostnames=test.com
3> add --insecure-registry test.com:5000 to /etc/sysconfig/docker
4> docker run -d --restart=always --name registry -v /htpasswd:/htpasswd -e "REGISTRY_AUTH=htpasswd" -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" -e REGISTRY_AUTH_HTPASSWD_PATH=/htpasswd -v /server.crt:/server.crt -v /server.key:/server.key -e REGISTRY_HTTP_TLS_CERTIFICATE=/server.crt -e REGISTRY_HTTP_TLS_KEY=/server.key registry:2

2. prepare testing data 
1> docker pull busybox
2> docker tag busybox:latest test.com:5000/test/busybox:latest
3> docker push test.com:5000/test/busybox (with user credentials)
4> # curl -k https://test:test@test.com:5000/v2/_catalog
{"repositories":["test/busybox"]}
5> # curl -k https://test:test@test.com:5000/v2/test/busybox/tags/list
{"name":"test/busybox","tags":["latest"]}

3. create imagestreamimport 
{
  "kind": "ImageStreamImport",
  "apiVersion": "v1",
  "metadata": {
    "name": "tete"
  },
  "spec":{
  "import": true,
  "repository": {
    "from": {"kind": "DockerImage", "name": "test.com:5000/test/busybox"},
    "importPolicy": {"insecure": true }
  }}
}

4. check the master log (loglevel=5)
{ ImageStreamImport}
&{imagestreamimports /v1, Kind=ImageStreamImport 0x45aa7c0 0xc2081b08e0 0xc20810a650 {}}
I0129 03:35:01.605214    4013 importer.go:684] Falling back to an HTTP check for an insecure registry {https  <nil> test.com:5000   }: Get https://test.com:5000/v2/: x5
09: certificate signed by unknown authority
I0129 03:35:01.608390    4013 importer.go:310] unable to access repository &importer.importRepository{Ref:api.DockerImageReference{Registry:"test.com:5000", Namespace:"
test", Name:"busybox", Tag:"", ID:""}, Registry:(*url.URL)(0xc20a634780), Name:"test/busybox", Insecure:true, Tags:[]importer.importTag(nil), Digests:[]importer.importD
igest(nil), MaximumTags:5, AdditionalTags:[]string(nil), Err:error(nil)}: &url.Error{Op:"Get", URL:"https://test.com:5000/v2/", Err:x509.UnknownAuthorityError{cert:(*x5
09.Certificate)(0xc20b54d680), hintErr:error(nil), hintCert:(*x509.Certificate)(nil)}}
I0129 03:35:01.617447    4013 image_change_controller.go:47] Build image change controller detected ImageStream change
Comment 3 Clayton Coleman 2016-01-30 15:36:41 EST
We weren't allowing insecure TLS connections, only HTTP connections.  Fixed in https://github.com/openshift/origin/pull/6800
Comment 4 Clayton Coleman 2016-01-30 15:37:14 EST
You may want to test this branch against your repo - it's surprisingly difficult to get good testing of insecure registries in a dev environment and it's possible the transport is still missing something.
Comment 5 weiwei jiang 2016-02-02 04:17:19 EST
(In reply to Clayton Coleman from comment #3)
> We weren't allowing insecure TLS connections, only HTTP connections.  Fixed
> in https://github.com/openshift/origin/pull/6800

Checked on devenv-rhel7_3301, dockerhub work well.
Comment 6 Clayton Coleman 2016-02-03 00:39:23 EST
Merged
Comment 7 weiwei jiang 2016-02-03 05:07:00 EST
Since devenv-rhel7_3320 is not QE_READY, and can not start openshift on it, so will delay checking this.


#openshift start
......
E0203 04:20:53.382960    5986 ensure.go:201] error waiting for policy cache to initialize: timed out waiting for the condition
E0203 04:20:53.383870    5986 ensure.go:164] Unable to create default security context constraint privileged.  Got error: User "system:openshift-master" cannot create securitycontextconstraints at the cluster scope
E0203 04:20:53.384535    5986 ensure.go:164] Unable to create default security context constraint nonroot.  Got error: User "system:openshift-master" cannot create securitycontextconstraints at the cluster scope
E0203 04:20:53.385204    5986 ensure.go:164] Unable to create default security context constraint hostmount-anyuid.  Got error: User "system:openshift-master" cannot create securitycontextconstraints at the cluster scope
E0203 04:20:53.385828    5986 ensure.go:164] Unable to create default security context constraint hostaccess.  Got error: User "system:openshift-master" cannot create securitycontextconstraints at the cluster scope
E0203 04:20:53.386443    5986 ensure.go:164] Unable to create default security context constraint restricted.  Got error: User "system:openshift-master" cannot create securitycontextconstraints at the cluster scope
E0203 04:20:53.387062    5986 ensure.go:164] Unable to create default security context constraint anyuid.  Got error: User "system:openshift-master" cannot create securitycontextconstraints at the cluster scope
E0203 04:20:53.387651    5986 ensure.go:105] Error adding service account roles to "default" namespace: User "system:openshift-master" cannot get namespaces in project "default"
E0203 04:20:53.388307    5986 ensure.go:52] Error creating namespace openshift-infra: User "system:openshift-master" cannot create namespaces at the cluster scope
2016-02-03 04:20:53.389162 I | skydns: ready for queries on cluster.local. for tcp4://0.0.0.0:53 [rcache 0]
2016-02-03 04:20:53.389177 I | skydns: ready for queries on cluster.local. for udp4://0.0.0.0:53 [rcache 0]
I0203 04:20:53.489446    5986 run_components.go:176] DNS listening at 0.0.0.0:53
I0203 04:20:53.490365    5986 start_master.go:508] Controllers starting (*)
I0203 04:20:53.633145    5986 start_node.go:180] Starting a node connected to https://172.18.3.132:8443
I0203 04:20:53.647910    5986 plugins.go:71] No cloud provider specified.
I0203 04:20:53.647932    5986 start_node.go:257] Starting node ip-172-18-3-132.ec2.internal (v1.1.1-385-g2fa2261)
F0203 04:20:53.656722    5986 run_components.go:405] Unable to initialize namespaces: unable to refresh the security allocation UID blocks: User "system:openshift-master" cannot list all namespaces in the cluster
Comment 8 weiwei jiang 2016-02-03 22:10:17 EST
(In reply to weiwei jiang from comment #0)
> Description of problem:
> After create a imagestreamimport with a private docker image, the master log
> display:
> {imagestreamimports /v1, Kind=ImageStreamImport 0x45b0840 0xc2081b0880
> 0xc20810a650 {}}
> I0128 00:41:38.507992   20064 importer.go:684] Falling back to an HTTP check
> for an insecure registry {https  <nil> test.com:80   }: Get
> https://test.com:80/v2/: tls: o
> versized record received with length 20527
> I0128 00:41:38.514300   20064 credentials.go:108] Unable to find a secret to
> match http://test.com:80/v2/test/busybox/tags/list
> (test.com:80/v2/test/busybox/tags/list)
> I0128 00:41:38.514324   20064 importer.go:348] unable to access tags for
> repository
> &importer.importRepository{Ref:api.DockerImageReference{Registry:"test.com:
> 80", Name
> space:"test", Name:"busybox", Tag:"", ID:""},
> Registry:(*url.URL)(0xc20f0dcb80), Name:"test/busybox", Insecure:true,
> Tags:[]importer.importTag(nil), Digests:[]importer.
> importDigest(nil), MaximumTags:5, AdditionalTags:[]string(nil),
> Err:error(nil)}: &url.Error{Op:"Get",
> URL:"http://test.com:80/v2/test/busybox/tags/list", Err:(*errors.e
> rrorString)(0xc20dece750)}
> I0128 00:41:38.526301   20064 image_change_controller.go:47] Build image
> change controller detected ImageStream change 
> 
> --------------------------
> 
> And when check all the imagestream secrets of the imagestream:
> # curl -k --cert /openshift.local.config/master/admin.crt  --key
> /openshift.local.config/master/admin.key
> https://127.0.0.1:8443/oapi/v1/namespaces/wjiang/imagestreams/bc/secrets
> ......
>     {
>       "metadata": {
>         "name": "test",
>         "namespace": "wjiang",
>         "selfLink": "/api/v1/namespaces/wjiang/secrets/test",
>         "uid": "5a1cb645-c56a-11e5-8b5f-0ef77b0359c5",
>         "resourceVersion": "583",
>         "creationTimestamp": "2016-01-28T02:53:47Z"
>       },
>       "data": {
>         ".dockercfg":
> "eyJ0ZXN0LmNvbTo4MCI6eyJ1c2VybmFtZSI6InRlc3QiLCJwYXNzd29yZCI6InRlc3QiLCJlbWFp
> bCI6InRlc3RAcmVkaGF0LmNvbSIsImF1dGgiOiJkR1Z6ZERwMFpYTjAifX0="
>       },
>       "type": "kubernetes.io/dockercfg"
>     }
>   ]
> }
> 
> 
> # echo
> "eyJ0ZXN0LmNvbTo4MCI6eyJ1c2VybmFtZSI6InRlc3QiLCJwYXNzd29yZCI6InRlc3QiLCJlbWFp
> bCI6InRlc3RAcmVkaGF0LmNvbSIsImF1dGgiOiJkR1Z6ZERwMFpYTjAifX0="|base64 -d
> {"test.com:80":{"username":"test","password":"test","email":"test@redhat.
> com","auth":"dGVzdDp0ZXN0"}}
> 
> 
> 
> Version-Release number of selected component (if applicable):
> devenv-rhel7_3259
> 
> How reproducible:
> always
> 
> Steps to Reproduce:
> 1. Setup a private docker registry
> 1> docker run -d registry:2
> 2> docker run -d -v /nginx.conf:/etc/nginx/conf.d/registry.conf -v
> /htpasswd:/etc/nginx/.htpasswd nginx
> # cat nginx.conf 
> server {
>   listen 80;
>   server_name test.com;
>   add_header 'Docker-Distribution-Api-Version' 'registry/2.0' always;
>   location / {
>      proxy_pass http://172.17.0.1:5000;
>      auth_basic "Restricted";
>      auth_basic_user_file /etc/nginx/.htpasswd;
>   }
> }
> 3> Add the insecure registry to /etc/sysconfig/docker & restart docker
> service
> OPTIONS='--insecure-registry 172.30.0.0/16 --insecure-registry 172.17.0.0/16
> --selinux-enabled'
> 2.Create a imagestreamimport 
> # oc create -f isi
> {
>   "kind": "ImageStreamImport",
>   "apiVersion": "v1",
>   "metadata": {
>     "name": "bc"
>   },
>   "spec":{
>   "import": true,
>   "repository": {
>     "from": {"kind": "DockerImage", "name": "test.com:80/test/busybox"},
>     "importPolicy": {"insecure": true }
>   }}
> }
> 3. Check the imagestream & check the master log (loglevel=5)
> 
> Actual results:
> 3. 
> 1> # oc describe is bc                                                      
> 
> Name:                   bc
> Created:                34 minutes ago
> Labels:                 <none>
> Annotations:           
> openshift.io/image.dockerRepositoryCheck=2016-01-28T05:52:13Z
> Docker Pull Spec:       <none>
> Tags:                   <none>
> 
> 2> 
> {imagestreamimports /v1, Kind=ImageStreamImport 0x45b0840 0xc2081b0880
> 0xc20810a650 {}}
> I0128 00:41:38.507992   20064 importer.go:684] Falling back to an HTTP check
> for an insecure registry {https  <nil> test.com:80   }: Get
> https://test.com:80/v2/: tls: o
> versized record received with length 20527
> I0128 00:41:38.514300   20064 credentials.go:108] Unable to find a secret to
> match http://test.com:80/v2/test/busybox/tags/list
> (test.com:80/v2/test/busybox/tags/list)
> I0128 00:41:38.514324   20064 importer.go:348] unable to access tags for
> repository
> &importer.importRepository{Ref:api.DockerImageReference{Registry:"test.com:
> 80", Name
> space:"test", Name:"busybox", Tag:"", ID:""},
> Registry:(*url.URL)(0xc20f0dcb80), Name:"test/busybox", Insecure:true,
> Tags:[]importer.importTag(nil), Digests:[]importer.
> importDigest(nil), MaximumTags:5, AdditionalTags:[]string(nil),
> Err:error(nil)}: &url.Error{Op:"Get",
> URL:"http://test.com:80/v2/test/busybox/tags/list", Err:(*errors.e
> rrorString)(0xc20dece750)}
> I0128 00:41:38.526301   20064 image_change_controller.go:47] Build image
> change controller detected ImageStream change 
> 
> 
> 
> Expected results:
> Should work well
> 
> Additional info:


Checked with devenv-rhel7_3325, still can reproduce this.
Comment 9 Clayton Coleman 2016-02-04 17:07:39 EST
I added a test but can't recreate this locally - can you provide the updated errors so I can see the output?
Comment 10 weiwei jiang 2016-02-15 00:39:41 EST
Checked with devenv-rhel7-3422, still can reproduce this issue.


The master log: (loglevel=5)

I0215 00:32:14.569221   22382 importer.go:308] importing remote Docker repository registry=https://test.com:80 repository=wjiang/busybox insecure=true
I0215 00:32:14.569790   22382 importer.go:695] Falling back to an HTTP check for an insecure registry {https  <nil> test.com:80   }: Get https://test.com:80/v2/: tls: oversized record received with length 20527
I0215 00:32:14.581835   22382 credentials.go:131] Unable to find a secret to match http://test.com:80/v2/wjiang/busybox/tags/list (test.com:80/v2/wjiang/busybox/tags/list)
I0215 00:32:14.581857   22382 importer.go:352] unable to access tags for repository &importer.importRepository{Ref:api.DockerImageReference{Registry:"test.com:80", Namespace:"wjiang", Name:"busybox", Tag:"", ID:
""}, Registry:(*url.URL)(0xc209374700), Name:"wjiang/busybox", Insecure:true, Tags:[]importer.importTag(nil), Digests:[]importer.importDigest(nil), MaximumTags:5, AdditionalTags:[]string(nil), Err:error(nil)}: &
url.Error{Op:"Get", URL:"http://test.com:80/v2/wjiang/busybox/tags/list", Err:(*errors.errorString)(0xc20de0d150)}
I0215 00:32:14.582228   22382 rest.go:241] create new stream: &api.ImageStream{TypeMeta:unversioned.TypeMeta{Kind:"", APIVersion:""}, ObjectMeta:api.ObjectMeta{Name:"tete", GenerateName:"", Namespace:"wjiang", S
elfLink:"", UID:"", ResourceVersion:"", Generation:0, CreationTimestamp:unversioned.Time{Time:time.Time{sec:0, nsec:0, loc:(*time.Location)(nil)}}, DeletionTimestamp:(*unversioned.Time)(nil), DeletionGracePeriod
Seconds:(*int64)(nil), Labels:map[string]string(nil), Annotations:map[string]string{"openshift.io/image.dockerRepositoryCheck":"2016-02-15T05:32:14Z"}}, Spec:api.ImageStreamSpec{DockerImageRepository:"", Tags:ma
p[string]api.TagReference(nil)}, Status:api.ImageStreamStatus{DockerImageRepository:"", Tags:map[string]api.TagEventList(nil)}}
I0215 00:32:14.591703   22382 image_change_controller.go:47] Build image change controller detected ImageStream change 
I0215 00:32:14.593420   22382 controller.go:89] Updated all DeploymentConfigs for trigger on ImageStream wjiang/tete



The reproduced steps is:

1. Setup a private docker registry
1> docker run -d registry:2
2> docker run -d -v /nginx.conf:/etc/nginx/conf.d/registry.conf -v /htpasswd:/etc/nginx/.htpasswd nginx
# cat nginx.conf 
server {
  listen 80;
  server_name test.com;
  add_header 'Docker-Distribution-Api-Version' 'registry/2.0' always;
  location / {
     proxy_pass http://172.17.0.1:5000;
     auth_basic "Restricted";
     auth_basic_user_file /etc/nginx/.htpasswd;
  }
}
3> Add the insecure registry to /etc/sysconfig/docker & restart docker service
OPTIONS='--insecure-registry 172.30.0.0/16 --insecure-registry 172.17.0.0/16 --selinux-enabled'
2.Create a imagestreamimport 
# oc create -f isi
{
  "kind": "ImageStreamImport",
  "apiVersion": "v1",
  "metadata": {
    "name": "bc"
  },
  "spec":{
  "import": true,
  "repository": {
    "from": {"kind": "DockerImage", "name": "test.com:80/test/busybox"},
    "importPolicy": {"insecure": true }
  }}
}
3. Check the imagestream & check the master log (loglevel=5)
Comment 11 Clayton Coleman 2016-02-15 11:18:43 EST
Ah, this is a known bug (you used "test.com:80" in your dockercfg).  Try updating your secret to use either "test.com" or "http://test.com:80".  The issue is https://github.com/kubernetes/kubernetes/issues/20667
Comment 12 weiwei jiang 2016-02-15 22:25:09 EST
Checked with devenv-rhel7_3433, and only work when using "http://test.com:80".

# oc secrets new-dockercfg test3  --docker-server=http://test.com:80 --docker-username=test --docker-password=test --docker-email=test@redhat.com
Comment 13 Paul Weil 2016-02-24 12:47:52 EST
(In reply to weiwei jiang from comment #12)
> Checked with devenv-rhel7_3433, and only work when using
> "http://test.com:80".
> 
> # oc secrets new-dockercfg test3  --docker-server=http://test.com:80
> --docker-username=test --docker-password=test --docker-email=test@redhat.com

Are you saying that this worked after changing the configuration as suggested or are you waiting for the next rebase/cherry-pick in order to test the referenced issue which looks like it has been merged?
Comment 14 weiwei jiang 2016-03-01 04:58:26 EST
(In reply to Paul Weil from comment #13)
> (In reply to weiwei jiang from comment #12)
> > Checked with devenv-rhel7_3433, and only work when using
> > "http://test.com:80".
> > 
> > # oc secrets new-dockercfg test3  --docker-server=http://test.com:80
> > --docker-username=test --docker-password=test --docker-email=test@redhat.com
> 
> Are you saying that this worked after changing the configuration as
> suggested or are you waiting for the next rebase/cherry-pick in order to
> test the referenced issue which looks like it has been merged?

This worked after changing the configuration as suggested.
and still wait for next rebase to have a try on this
Comment 15 Clayton Coleman 2016-03-17 11:18:46 EDT
Landed in the rebase.
Comment 16 weiwei jiang 2016-03-18 05:10:25 EDT
Checked with devenv-rhel7_3734, https://github.com/kubernetes/kubernetes/pull/21286 still not in the code.
Comment 17 Clayton Coleman 2016-03-24 15:51:44 EDT
This has been merged to master as of the rebase from 20160316.  So if it is not working, then it is broken.
Comment 18 weiwei jiang 2016-03-25 07:04:23 EDT
Checked with devenv-rhel7_3839, and found it work now.
I0325 06:58:27.963400   11696 credentials.go:150] Found secret to match http://test.com:80/v2/test/busybox/tags/list (test.com:80/test/busybox/tags/list):

Note You need to log in before you can comment on or make changes to this bug.