Bug 1371031 - [atomic registry] instruction about docker login on web ui is not correct.
Summary: [atomic registry] instruction about docker login on web ui is not correct.
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Installer
Version: 3.3.0
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
: ---
Assignee: Samuel Munilla
QA Contact: Johnny Liu
Depends On:
TreeView+ depends on / blocked
Reported: 2016-08-29 08:24 UTC by Johnny Liu
Modified: 2016-09-27 09:46 UTC (History)
8 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2016-09-27 09:46:43 UTC
Target Upstream Version:

Attachments (Terms of Use)

System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2016:1933 normal SHIPPED_LIVE Red Hat OpenShift Container Platform 3.3 Release Advisory 2016-09-27 13:24:36 UTC

Description Johnny Liu 2016-08-29 08:24:18 UTC
Description of problem:
prompt about docker login on registry console web UI is not correct.

Version-Release number of selected component (if applicable):
openshift3/registry-console:3.3 (57a566a04a79)

How reproducible:

Steps to Reproduce:
1.Run ansible installer to install standalone atomic registry.

2. After installation, check registry console is created.
# oc get po
NAME                       READY     STATUS    RESTARTS   AGE
docker-registry-2-djlbn    1/1       Running   4          3h
registry-console-1-5esrx   1/1       Running   4          3h
router-1-ihf7r             1/1       Running   6          3h
# oc get route
NAME               HOST/PORT                                          PATH      SERVICES           PORT               TERMINATION
docker-registry    docker-registry-default.0829-90c.qe.rhcloud.com              docker-registry    5000-tcp           
registry-console   registry-console-default.0829-90c.qe.rhcloud.com             registry-console   registry-console   passthrough

3. Access https://registry-console-default.0829-90c.qe.rhcloud.com, log int web UI, get the following instruction:
Log into the registry:
$ sudo docker login -p EIfBxE_Jn0oEoX1FWampQT73UsFizxbnQDB8H1N5fp4 -e unused -u unused docker-registry-default.0829-90c.qe.rhcloud.com

4. On docker client, run the above command to log in.

Actual results:
Get the following error:
Error response from daemon: Unexpected status code [503] : <html>
    <meta name="viewport" content="width=device-width, initial-scale=1">
  <style type="text/css">
   * Bootstrap v3.3.5 (http://getbootstrap.com)
   * Copyright 2011-2015 Twitter, Inc.
   * Licensed under MIT (https://github.com/twbs/bootstrap/blob/master/LICENSE)
  /*! normalize.css v3.0.3 | MIT License | github.com/necolas/normalize.css */
  html {
    font-family: sans-serif;
    -ms-text-size-adjust: 100%;
    -webkit-text-size-adjust: 100%;
  body {
    margin: 0;
  h1 {
    font-size: 1.9em;
    font-weight: 400;
    line-height: 1.3;
    margin: 0.68em 0;
  @media (min-width: 768px) { 
    h1 {
      font-size: 2.15em;}
  * {
    -webkit-box-sizing: border-box;
    -moz-box-sizing: border-box;
    box-sizing: border-box;
  *:after {
    -webkit-box-sizing: border-box;
    -moz-box-sizing: border-box;
    box-sizing: border-box;
  html {
    -webkit-tap-highlight-color: rgba(0, 0, 0, 0);
  body {
    font-family: "Helvetica Neue", Helvetica, Arial, sans-serif;
    line-height: 1.66666667;
    font-size: 13px;
    color: #333333;
    background-color: #ffffff;
    margin: 4em 3em;
  p {
    margin: 0 0 10px;
    font-size: 13px;
    font-weight: 300;
    line-height: 1.4;
  @media (min-width: 768px) {
    p {
      font-size: 14px;
      <h1>Application is not available</h1>
      <p>The application is currently not serving requests at this endpoint. It may not have been started or is still starting.</p>

Expected results:
Should suggest user to add docker-registry-default.0829-90c.qe.rhcloud.com:80 to insecure-registry option in docker config file, and prompt user to use 80 port to run docker login.

Additional info:

Comment 1 Brenton Leanhardt 2016-08-29 12:24:23 UTC
Aaron, could you provide your thoughts on this?  Do we need to clarify the instructions mentioned in the atomic registry console?

Comment 2 Aaron Weitekamp 2016-08-29 14:09:09 UTC
For the insecure install the ":80" string can be appended to to REGISTRY_HOST env var. When registry certs are added with a TLS passthrough route the port (":80") should be dropped at which point docker daemon/client uses :443. So it's a bit of a documentation issue when registry is secured.

Comment 3 Aaron Weitekamp 2016-08-29 14:10:54 UTC
Regarding "--insecure-registry" we have relied on docker's error message to instruct the end-user. If port :80 is used the end-user will get the correct message.

Comment 4 Aaron Weitekamp 2016-08-29 14:41:05 UTC
Upstream docs issue: https://github.com/openshift/openshift-docs/issues/2748

Comment 12 Scott Dodson 2016-09-05 03:03:56 UTC
https://github.com/openshift/openshift-ansible/pull/2409 secures the registry.

Comment 14 Johnny Liu 2016-09-05 08:46:36 UTC
Verified this bug with openshift-ansible-playbooks-3.3.22-1.git.0.6c888c2.el7.noarch, PASS.

Now when deployment_subtype=registry, a secure registry will be deployed, no need ":80", and docker push successfully.
# oc get route
NAME               HOST/PORT                                          PATH      SERVICES           PORT               TERMINATION
docker-registry    docker-registry-default.0905-ef2.qe.rhcloud.com              docker-registry    5000-tcp           passthrough
registry-console   registry-console-default.0905-ef2.qe.rhcloud.com             registry-console   registry-console   passthrough

Following web ui instruction, run
# docker login -p M9nJlQFXTIhS94c80evUiLkhHEwnhYwsot1590Yto_c -e unused -u unused docker-registry-default.0905-ef2.qe.rhcloud.com
WARNING: login credentials saved in /root/.docker/config.json
Login Succeeded

Of course, firstly user have to copy remote's ca file to docker client machine.
(scp -r root@<atomic-registry-host>:/etc/docker/certs.d/<registry-route>/ /etc/docker/certs.d/

Comment 16 errata-xmlrpc 2016-09-27 09:46:43 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Note You need to log in before you can comment on or make changes to this bug.