Bug 1309195 - Cannot import image tag to imagestream
Summary: Cannot import image tag to imagestream
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Image Registry
Version: 3.2.0
Hardware: Unspecified
OS: Unspecified
medium
low
Target Milestone: ---
Assignee: Maciej Szulik
QA Contact: Wang Haoran
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2016-02-17 07:34 UTC by Wenjing Zheng
Modified: 2017-03-08 18:26 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Cause: When pinging the remote registry through https first, we returned the wrong error message to the caller.
Consequence: When importing images from certain registries, the import would fail because it did not fall back properly to http.
Fix: The image importer code now returns the appropriate code when it fails to ping the remote registry.
Result: When importing images, the fallback path to http works as expected.
Clone Of:
Environment:
Last Closed: 2016-11-22 22:37:34 UTC
Target Upstream Version:
Embargoed:



Comment 7 Maciej Szulik 2016-02-19 17:45:36 UTC
I've created https://github.com/openshift/origin/pull/7469 to address the problem with insecure v1 registries.

Comment 9 openshift-github-bot 2016-02-20 05:39:43 UTC
Commit pushed to master at https://github.com/openshift/origin

https://github.com/openshift/origin/commit/18f055cbd4771cdbfa332bb13a8803c01d36d5c7
Bug 1309195 - Return ErrNotV2Registry when falling back to http backend

Comment 17 Maciej Szulik 2016-02-23 15:02:52 UTC
Here are the steps needed to work with the repository Brenton mentioned. Since this is a secured repository with authentication, we need to mark the registry as insecure (this will bypass checking the certificate) and provide secrets to satisfy the authentication. Here are the steps to do so:

1. create the secret:
   a) oc login following instructions at https://api.qe.openshift.com/oauth/token/request
   b) get token with oc whoami -t
   c) docker login -u username -e email -p token registry.qe.openshift.com
     (in my case both username and email were my rh email, if in doubt check 
      oc whoami)
   d) oc secrets new mysecret .dockerconfigjson=$HOME/.docker/config.json

2. create the image stream:

apiVersion: v1
kind: ImageStream
metadata:
  name: myis 
  annotations:
    openshift.io/image.insecureRepository: "true"
spec:
  dockerImageRepository: registry.qe.openshift.com/openshift3/php-55-rhel7

This should do the trick of importing images.

Comment 18 Brenton Leanhardt 2016-02-23 15:25:25 UTC
Maciej,

Is there no way to specify a CA file today?  It seems like we should create a card for that if that's the case.

Comment 19 Maciej Szulik 2016-02-23 16:05:44 UTC
Brenton, 

I'm not sure this is the right way to go. I'd rather admins deal with repos with self-signed certs at the operating system level by importing the appropriate company-wide CA used for issuing those certs. Importing metadata will only allow seeing the image; for docker push/pull operations the CA still needs to be on a node.
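
Added example (not part of the original thread and not OpenShift code): the annotation from comment 17 disables certificate checking for imports, so an audit can list which image streams carry it, grouped by registry host, to show which CAs would need to be trusted as comment 19 suggests. It goes beyond the thread by also checking the per-tag importPolicy.insecure field; the sample input is constructed, shaped like the output of `oc get imagestreams --all-namespaces -o json`, and the `demo`/`prod` namespaces and `registry.example.test` are assumptions.

```python
import json
from collections import defaultdict

INSECURE_ANNOTATION = "openshift.io/image.insecureRepository"

# Constructed sample shaped like `oc get imagestreams --all-namespaces -o json`.
SAMPLE = json.loads("""
{"kind": "List", "items": [
  {"metadata": {"namespace": "demo", "name": "myis",
                "annotations": {"openshift.io/image.insecureRepository": "true"}},
   "spec": {"dockerImageRepository": "registry.qe.openshift.com/openshift3/php-55-rhel7"}},
  {"metadata": {"namespace": "demo", "name": "pinned"},
   "spec": {"tags": [{"name": "latest",
                      "from": {"kind": "DockerImage",
                               "name": "registry.example.test:5000/team/app:latest"},
                      "importPolicy": {"insecure": true}}]}},
  {"metadata": {"namespace": "prod", "name": "verified", "annotations": {}},
   "spec": {"dockerImageRepository": "registry.example.test/team/web"}}
]}
""")

def registry_host(image_ref):
    """Return the registry host of an image reference, or '' if it has none.

    A first path component containing '.' or ':' (or 'localhost') is a host."""
    first = image_ref.split("/", 1)[0]
    if "/" in image_ref and ("." in first or ":" in first or first == "localhost"):
        return first
    return ""

def find_insecure_imports(doc):
    """Map registry host -> sorted findings for streams that skip TLS verification."""
    findings = defaultdict(list)
    for item in doc.get("items", []):
        meta, spec = item.get("metadata", {}), item.get("spec", {})
        ident = "%s/%s" % (meta.get("namespace", ""), meta.get("name", ""))
        if (meta.get("annotations") or {}).get(INSECURE_ANNOTATION) == "true":
            host = registry_host(spec.get("dockerImageRepository", ""))
            findings[host].append(ident + " (annotation)")
        # Per-tag setting; not mentioned in the thread, checked here as an extension.
        for tag in spec.get("tags") or []:
            if (tag.get("importPolicy") or {}).get("insecure") is True:
                host = registry_host((tag.get("from") or {}).get("name", ""))
                findings[host].append("%s:%s (importPolicy)" % (ident, tag.get("name")))
    return {host: sorted(found) for host, found in findings.items()}

if __name__ == "__main__":
    for host, streams in sorted(find_insecure_imports(SAMPLE).items()):
        print(host or "<no registry>", "->", ", ".join(streams))
```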

Comment 22 Maciej Szulik 2016-09-08 07:30:26 UTC
Based on the previous comment and the fact that I was able to access all the repos mentioned in this issue, I'm moving this to QA.
