Description of problem: prompt about docker login on registry console web UI is not correct. Version-Release number of selected component (if applicable): openshift3/registry-console:3.3 (57a566a04a79) openshift-ansible-3.3.16-1.git.0.9ed3fd2.el7.noarch How reproducible: Always Steps to Reproduce: 1.Run ansible installer to install standalone atomic registry. deployment_type=openshift-enterprise deployment_subtype=registry openshift_cockpit_deployer_prefix=brew-pulp-docker01.web.prod.ext.phx2.redhat.com:8888/openshift3/ 2. After installation, check registry console is created. # oc get po NAME READY STATUS RESTARTS AGE docker-registry-2-djlbn 1/1 Running 4 3h registry-console-1-5esrx 1/1 Running 4 3h router-1-ihf7r 1/1 Running 6 3h # oc get route NAME HOST/PORT PATH SERVICES PORT TERMINATION docker-registry docker-registry-default.0829-90c.qe.rhcloud.com docker-registry 5000-tcp registry-console registry-console-default.0829-90c.qe.rhcloud.com registry-console registry-console passthrough 3. Access https://registry-console-default.0829-90c.qe.rhcloud.com, log int web UI, get the following instruction: Log into the registry: $ sudo docker login -p EIfBxE_Jn0oEoX1FWampQT73UsFizxbnQDB8H1N5fp4 -e unused -u unused docker-registry-default.0829-90c.qe.rhcloud.com 4. On docker client, run the above command to log in. Actual results: Get the following error: Error response from daemon: Unexpected status code [503] : <html> <head> <meta name="viewport" content="width=device-width, initial-scale=1"> <style type="text/css"> /*! * Bootstrap v3.3.5 (http://getbootstrap.com) * Copyright 2011-2015 Twitter, Inc. * Licensed under MIT (https://github.com/twbs/bootstrap/blob/master/LICENSE) */ /*! normalize.css v3.0.3 | MIT License | github.com/necolas/normalize.css */ html { font-family: sans-serif; -ms-text-size-adjust: 100%; -webkit-text-size-adjust: 100%; } body { margin: 0; } h1 { font-size: 1.9em; font-weight: 400; line-height: 1.3; margin: 0.68em 0; } @media (min-width: 768px) { h1 { font-size: 2.15em;} } * { -webkit-box-sizing: border-box; -moz-box-sizing: border-box; box-sizing: border-box; } *:before, *:after { -webkit-box-sizing: border-box; -moz-box-sizing: border-box; box-sizing: border-box; } html { -webkit-tap-highlight-color: rgba(0, 0, 0, 0); } body { font-family: "Helvetica Neue", Helvetica, Arial, sans-serif; line-height: 1.66666667; font-size: 13px; color: #333333; background-color: #ffffff; margin: 4em 3em; } p { margin: 0 0 10px; font-size: 13px; font-weight: 300; line-height: 1.4; } @media (min-width: 768px) { p { font-size: 14px; } } </style> </head> <body> <div> <h1>Application is not available</h1> <p>The application is currently not serving requests at this endpoint. It may not have been started or is still starting.</p> </div> </body> </html> Expected results: Should suggest user to add docker-registry-default.0829-90c.qe.rhcloud.com:80 to insecure-registry option in docker config file, and prompt user to use 80 port to run docker login. Additional info:
Aaron, could you provide your thoughts on this? Do we need to clarify the instructions mentioned in the atomic registry console?
For the insecure install the ":80" string can be appended to to REGISTRY_HOST env var. When registry certs are added with a TLS passthrough route the port (":80") should be dropped at which point docker daemon/client uses :443. So it's a bit of a documentation issue when registry is secured.
Regarding "--insecure-registry" we have relied on docker's error message to instruct the end-user. If port :80 is used the end-user will get the correct message.
Upstream docs issue: https://github.com/openshift/openshift-docs/issues/2748
https://github.com/openshift/openshift-ansible/pull/2409 secures the registry.
Verified this bug with openshift-ansible-playbooks-3.3.22-1.git.0.6c888c2.el7.noarch, PASS. Now when deployment_subtype=registry, a secure registry will be deployed, no need ":80", and docker push successfully. # oc get route NAME HOST/PORT PATH SERVICES PORT TERMINATION docker-registry docker-registry-default.0905-ef2.qe.rhcloud.com docker-registry 5000-tcp passthrough registry-console registry-console-default.0905-ef2.qe.rhcloud.com registry-console registry-console passthrough Following web ui instruction, run # docker login -p M9nJlQFXTIhS94c80evUiLkhHEwnhYwsot1590Yto_c -e unused -u unused docker-registry-default.0905-ef2.qe.rhcloud.com WARNING: login credentials saved in /root/.docker/config.json Login Succeeded Of course, firstly user have to copy remote's ca file to docker client machine. (scp -r root@<atomic-registry-host>:/etc/docker/certs.d/<registry-route>/ /etc/docker/certs.d/
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2016:1933