Bug 1309195 - Cannot import image tag to imagestream
Cannot import image tag to imagestream
Status: CLOSED CURRENTRELEASE
Product: OpenShift Container Platform
Classification: Red Hat
Component: Image Registry (Show other bugs)
3.2.0
Unspecified Unspecified
medium Severity low
: ---
: ---
Assigned To: Maciej Szulik
Wang Haoran
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2016-02-17 02:34 EST by Wenjing Zheng
Modified: 2017-03-08 13 EST (History)
10 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Cause: When pinging the remote registry through https first we returned wrong error message to the caller. Consequence: When importing images from certain registries the import would fail due to not falling back properly to http. Fix: The image importer code currently returns appropriate code when it fails pinging remote registry. Result: When importing images the fallback path to http works as expected.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-11-22 17:37:34 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Comment 7 Maciej Szulik 2016-02-19 12:45:36 EST
I've created https://github.com/openshift/origin/pull/7469 to address problem with insecure v1 registries.
Comment 9 openshift-github-bot 2016-02-20 00:39:43 EST
Commit pushed to master at https://github.com/openshift/origin

https://github.com/openshift/origin/commit/18f055cbd4771cdbfa332bb13a8803c01d36d5c7
Bug 1309195 - Return ErrNotV2Registry when falling back to http backend
Comment 17 Maciej Szulik 2016-02-23 10:02:52 EST
Here are the steps needed to work with the repository Brenton mentioned. Since this is secured repository with authentication we need to mark the registry as insecure (this will bypass checking certificate) and provide secrets to satisfy the authentication. Here are the steps to do so:

1. create the secret:
   a) oc login following instructions at https://api.qe.openshift.com/oauth/token/request
   b) get token with oc whoami -t
   c) docker login -u username -e email -p token registry.qe.openshift.com
     (in my case both username and email where my rh email, if in doubt check 
      oc whoam i)
   d) oc secrets new mysecret .dockerconfigjson=$HOME/.docker/config.json

2. create the image stream:

apiVersion: v1
kind: ImageStream
metadata:
  name: myis 
  annotations:
    openshift.io/image.insecureRepository: "true"
spec:
  dockerImageRepository: registry.qe.openshift.com/openshift3/php-55-rhel7

This should do the trick of importing images.
Comment 18 Brenton Leanhardt 2016-02-23 10:25:25 EST
Maciej,

Is there no way to specify a CA file today?  It seems like we should create a card for that if that's the case.
Comment 19 Maciej Szulik 2016-02-23 11:05:44 EST
Brenton, 

I'm not sure this is the right way to go. I'd rather admins deal with repos with self-signed certs at the operating system level by importing appropriate company-wide CA used for issuing those certs. Importing metadata will only allow seeing the image, for docker push/pull operation the CA needs to be on a node still.
Comment 22 Maciej Szulik 2016-09-08 03:30:26 EDT
Based on previous comment and the fact that I was able to access all the repos mentioned in this issue I'm moving this to QA.

Note You need to log in before you can comment on or make changes to this bug.