Bug 1385855
| Summary: | Cannot pull-through insecure imagestream | ||||||
|---|---|---|---|---|---|---|---|
| Product: | OpenShift Container Platform | Reporter: | Aaron Weitekamp <aweiteka> | ||||
| Component: | Image Registry | Assignee: | Alexey Gladkov <agladkov> | ||||
| Status: | CLOSED ERRATA | QA Contact: | ge liu <geliu> | ||||
| Severity: | medium | Docs Contact: | |||||
| Priority: | medium | ||||||
| Version: | 3.3.0 | CC: | agladkov, aos-bugs, mfojtik, tdawson, tomckay | ||||
| Target Milestone: | --- | ||||||
| Target Release: | --- | ||||||
| Hardware: | Unspecified | ||||||
| OS: | Unspecified | ||||||
| Whiteboard: | |||||||
| Fixed In Version: | Doc Type: | Bug Fix | |||||
| Doc Text: |
Importing an Docker image from a remote registry that is insecure, the "pull-through" capability is now working properly.
|
Story Points: | --- | ||||
| Clone Of: | Environment: | ||||||
| Last Closed: | 2017-01-18 12:43:10 UTC | Type: | Bug | ||||
| Regression: | --- | Mount Type: | --- | ||||
| Documentation: | --- | CRM: | |||||
| Verified Versions: | Category: | --- | |||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||
| Embargoed: | |||||||
| Attachments: |
|
||||||
Accessing insecure registries is very common and the default for atomic registry is pull-through; this impacts Satellite-6 integration. If this bz could be raised in priority, that would be appreciated. Right now allowed to deal only with secure servers (HTTPS only). I think we can make it configurable. https://github.com/openshift/origin/pull/11690 PR landed. Now "docker pull" will work if you use --insecure flag. Verified on ose 3.4 env: [root@openshift-127 master]# openshift version openshift v3.4.0.23+24b1a58 kubernetes v1.4.0+776c994 etcd 3.1.0-rc.0 [root@openshift-127 master]# [root@dhcp-137-141 /]# oc import-image myis --from=docker.io/openshift/mysql-55-centos7 --insecure=true --confirm The import completed successfully. Name: myis Created: 1 seconds ago Labels: <none> Annotations: openshift.io/image.dockerRepositoryCheck=2016-11-10T06:45:32Z Docker Pull Spec: 172.30.151.249:5000/lgproj/myis Tag Spec Created PullSpec Image latest docker.io/openshift/mysql-55-centos7 ! 1 seconds ago docker.io/openshift/mysql-55-centos7@sha256:2db2122537676f... <same> ! tag is insecure and can be imported over HTTP or self-signed HTTPS [root@dhcp-137-141 /]# docker pull docker.io/openshift/mysql-55-centos7 Using default tag: latest Trying to pull repository docker.io/openshift/mysql-55-centos7 ... latest: Pulling from docker.io/openshift/mysql-55-centos7 8d30e94188e7: Already exists 7d8ba3c583ed: Pull complete 74b7e339f70d: Pull complete d3c3f6da0310: Pull complete 7c51c206a5fd: Pull complete Digest: sha256:2db2122537676f12d2d6d7d4a0659a6ed8bd2c91019fbf9e3adcae918186c421 Status: Downloaded newer image for docker.io/openshift/mysql-55-centos7:latest [root@dhcp-137-141 /]# Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2017:0066 |
Created attachment 1211521 [details] cmds and logs Description of problem: Importing an image from a remote registry that is insecure, the "pull-through" capability does not work. With an argument "--insecure=true", the import command is misleading. Version-Release number of selected component (if applicable): v3.3.0 How reproducible: always Steps to Reproduce: 1. oc import-image MYIMG --from REMOTE_IMAGE --insecure 2. docker pull MYIMG Actual results: Docker reports "Retrying..." layer download Expected results: Download image from REMOTE_IMAGE registry. Additional info: See commands and log output attached