Description of problem:
Pullthrough failed with error "manifest unknown" when running docker pull on images under the openshift project.
Version-Release number of selected component (if applicable):
openshift v3.5.0.19+199197c
kubernetes v1.5.2+43a9be4
etcd 3.1.0
How reproducible:
always
Steps to Reproduce:
1. Log in as a normal user.
2. docker login on the node with user/token:
    $ docker login <registry_service_ip>:5000
3. Pull the image under the openshift project using the service IP:
    $ docker pull 172.30.91.135:5000/openshift/python:latest
Actual results:
    Trying to pull repository 172.30.91.135:5000/openshift/python ...
    manifest unknown: manifest unknown
Expected results:
should succeed
Additional info:
oc get is python -o json :
{ "apiVersion": "v1", "kind": "ImageStream", "metadata": { "annotations": { "openshift.io/display-name": "Python", "openshift.io/image.dockerRepositoryCheck": "2017-02-13T05:55:03Z" }, "creationTimestamp": "2017-02-13T05:54:38Z", "generation": 2, "name": "python", "namespace": "openshift", "resourceVersion": "1570", "selfLink": "/oapi/v1/namespaces/openshift/imagestreams/python", "uid": "e776e8f7-f1b0-11e6-8745-fa163ef6a267" }, "spec": { "tags": [ { "annotations": { "description": "Build and run Python 2.7 applications on RHEL 7. For more information about using this builder image, including OpenShift considerations, see https://github.com/sclorg/s2i-python-container/blob/master/2.7/README.md.", "iconClass": "icon-python", "openshift.io/display-name": "Python 2.7", "sampleRepo": "https://github.com/openshift/django-ex.git", "supports": "python:2.7,python", "tags": "builder,python", "version": "2.7" }, "from": { "kind": "DockerImage", "name": "brew-pulp-docker01.web.prod.ext.phx2.redhat.com:8888/rhscl/python-27-rhel7:latest" }, "generation": 2, "importPolicy": { "insecure": true }, "name": "2.7", "referencePolicy": { "type": "Source" } }, { "annotations": { "description": "Build and run Python 3.3 applications on RHEL 7. 
For more information about using this builder image, including OpenShift considerations, see https://github.com/sclorg/s2i-python-container/blob/master/3.3/README.md.", "iconClass": "icon-python", "openshift.io/display-name": "Python 3.3", "sampleRepo": "https://github.com/openshift/django-ex.git", "supports": "python:3.3,python", "tags": "hidden,builder,python", "version": "3.3" }, "from": { "kind": "DockerImage", "name": "brew-pulp-docker01.web.prod.ext.phx2.redhat.com:8888/openshift3/python-33-rhel7:latest" }, "generation": 2, "importPolicy": { "insecure": true }, "name": "3.3", "referencePolicy": { "type": "Source" } }, { "annotations": { "description": "Build and run Python 3.4 applications on RHEL 7. For more information about using this builder image, including OpenShift considerations, see https://github.com/sclorg/s2i-python-container/blob/master/3.4/README.md.", "iconClass": "icon-python", "openshift.io/display-name": "Python 3.4", "sampleRepo": "https://github.com/openshift/django-ex.git", "supports": "python:3.4,python", "tags": "builder,python", "version": "3.4" }, "from": { "kind": "DockerImage", "name": "brew-pulp-docker01.web.prod.ext.phx2.redhat.com:8888/rhscl/python-34-rhel7:latest" }, "generation": 2, "importPolicy": { "insecure": true }, "name": "3.4", "referencePolicy": { "type": "Source" } }, { "annotations": { "description": "Build and run Python 3.5 applications on RHEL 7. 
For more information about using this builder image, including OpenShift considerations, see https://github.com/sclorg/s2i-python-container/blob/master/3.5/README.md.", "iconClass": "icon-python", "openshift.io/display-name": "Python 3.5", "sampleRepo": "https://github.com/openshift/django-ex.git", "supports": "python:3.5,python", "tags": "builder,python", "version": "3.5" }, "from": { "kind": "DockerImage", "name": "brew-pulp-docker01.web.prod.ext.phx2.redhat.com:8888/rhscl/python-35-rhel7:latest" }, "generation": 2, "importPolicy": { "insecure": true }, "name": "3.5", "referencePolicy": { "type": "Source" } }, { "annotations": { "description": "Build and run Python applications on RHEL 7. For more information about using this builder image, including OpenShift considerations, see https://github.com/sclorg/s2i-python-container/blob/master/3.5/README.md.\n\nWARNING: By selecting this tag, your application will automatically update to use the latest version of Python available on OpenShift, including major versions updates.", "iconClass": "icon-python", "openshift.io/display-name": "Python (Latest)", "sampleRepo": "https://github.com/openshift/django-ex.git", "supports": "python", "tags": "builder,python" }, "from": { "kind": "ImageStreamTag", "name": "3.5" }, "generation": 1, "importPolicy": { "insecure": true }, "name": "latest", "referencePolicy": { "type": "Source" } } ] }, "status": { "dockerImageRepository": "172.30.91.135:5000/openshift/python", "tags": [ { "items": [ { "created": "2017-02-13T05:55:03Z", "dockerImageReference": "brew-pulp-docker01.web.prod.ext.phx2.redhat.com:8888/rhscl/python-35-rhel7@sha256:d29515ca391536dc6cb2cb1712fcb71c9b45a6858d8bc4aaf1b1d812353c02b6", "generation": 2, "image": "sha256:d29515ca391536dc6cb2cb1712fcb71c9b45a6858d8bc4aaf1b1d812353c02b6" } ], "tag": "latest" }, { "items": [ { "created": "2017-02-13T05:55:03Z", "dockerImageReference": 
"brew-pulp-docker01.web.prod.ext.phx2.redhat.com:8888/rhscl/python-35-rhel7@sha256:d29515ca391536dc6cb2cb1712fcb71c9b45a6858d8bc4aaf1b1d812353c02b6", "generation": 2, "image": "sha256:d29515ca391536dc6cb2cb1712fcb71c9b45a6858d8bc4aaf1b1d812353c02b6" } ], "tag": "3.5" }, { "items": [ { "created": "2017-02-13T05:55:03Z", "dockerImageReference": "brew-pulp-docker01.web.prod.ext.phx2.redhat.com:8888/rhscl/python-34-rhel7@sha256:cef0f388871c6fe3c3ef564ee0c3933e1390539cd70a82972845a004f900503c", "generation": 2, "image": "sha256:cef0f388871c6fe3c3ef564ee0c3933e1390539cd70a82972845a004f900503c" } ], "tag": "3.4" }, { "items": [ { "created": "2017-02-13T05:55:03Z", "dockerImageReference": "brew-pulp-docker01.web.prod.ext.phx2.redhat.com:8888/openshift3/python-33-rhel7@sha256:097b44cdc0a79970a78b236fd60a8f5d39e0ea44a72fbd40632e718a4b71078e", "generation": 2, "image": "sha256:097b44cdc0a79970a78b236fd60a8f5d39e0ea44a72fbd40632e718a4b71078e" } ], "tag": "3.3" }, { "items": [ { "created": "2017-02-13T05:55:03Z", "dockerImageReference": "brew-pulp-docker01.web.prod.ext.phx2.redhat.com:8888/rhscl/python-27-rhel7@sha256:e5c775d1ae2195f220ddd0f1d530438f912533183807faa749d9d8f61d49bbd8", "generation": 2, "image": "sha256:e5c775d1ae2195f220ddd0f1d530438f912533183807faa749d9d8f61d49bbd8" } ], "tag": "2.7" } ] } }
The registry in question [1] is insecure. To pull-through from it, it must have an insecure annotation. You can set it like this:
    oc annotate -n openshift is/python --overwrite 'openshift.io/image.insecureRepository=true'
Once set, the pull should succeed for you.
If I remember correctly, this annotation is also used to import the tag from insecure registry previously and we changed to use importPolicy now in the spec, should we also do pull-through using this "importPolicy"?
After setting the annotation, the pull succeeded:
    [root@host-8-175-193 ~]# oc annotate -n openshift is/python --overwrite 'openshift.io/image.insecureRepository=true'
    imagestream "python" annotated
    [root@host-8-175-193 ~]# docker pull 172.30.135.93:5000/openshift/python:latest
    Trying to pull repository 172.30.135.93:5000/openshift/python ...
    sha256:d29515ca391536dc6cb2cb1712fcb71c9b45a6858d8bc4aaf1b1d812353c02b6: Pulling from 172.30.135.93:5000/openshift/python
    7bd78273b666: Pull complete
    c196631bd9ac: Pull complete
    83230913bf56: Pull complete
    7096b2633b7a: Pull complete
    Digest: sha256:d29515ca391536dc6cb2cb1712fcb71c9b45a6858d8bc4aaf1b1d812353c02b6
    Status: Downloaded newer image for 172.30.135.93:5000/openshift/python:latest
How about haowang's question in the last comment?
> If I remember correctly, this annotation is also used to import the tag from insecure registry previously and we changed to use importPolicy now in the spec, should we also do pull-through using this "importPolicy"?
You're right, it's the same annotation documented at [1]. The documentation is out of date because it doesn't mention pull-through. I'll update it.
[1] https://docs.openshift.org/latest/dev_guide/managing_images.html#insecure-registries
I also believe there's a bug in the import-image command. The `--insecure` flag should be propagated to the image stream being created. I'll fix that.
Thanks for the bug report and verification.
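
Added example, not part of the original comments or of OpenShift's own code: a Python audit of `oc get is -o json` output that lists, per image stream, the tags with `importPolicy.insecure` set and whether the stream carries the `openshift.io/image.insecureRepository` annotation, flagging the mismatch seen in this report. The sample data, the `registry.example.internal` host and the function names are constructed for illustration.

```python
import json

# Annotation named in the thread; "true" is the value the oc annotate command sets.
INSECURE_ANNOTATION = "openshift.io/image.insecureRepository"

# Constructed sample shaped like `oc get is -o json` (a List), trimmed to the
# fields discussed here; registry.example.internal is a placeholder host.
SAMPLE = json.loads("""
{"kind": "List", "items": [
 {"kind": "ImageStream",
  "metadata": {"name": "python", "namespace": "openshift", "annotations": {}},
  "spec": {"tags": [
   {"name": "3.5", "importPolicy": {"insecure": true},
    "from": {"kind": "DockerImage", "name": "registry.example.internal:8888/rhscl/python-35-rhel7:latest"}},
   {"name": "latest", "importPolicy": {"insecure": true},
    "from": {"kind": "ImageStreamTag", "name": "3.5"}}]}},
 {"kind": "ImageStream",
  "metadata": {"name": "ruby", "namespace": "openshift",
               "annotations": {"openshift.io/image.insecureRepository": "true"}},
  "spec": {"tags": [
   {"name": "2.0", "importPolicy": {"insecure": true},
    "from": {"kind": "DockerImage", "name": "registry.example.internal:8888/rhscl/ruby-200-rhel7:latest"}}]}}
]}
""")

def audit_stream(stream):
    """Summarise where one ImageStream allows insecure registry access."""
    meta = stream.get("metadata") or {}
    annotated = (meta.get("annotations") or {}).get(INSECURE_ANNOTATION) == "true"
    insecure_tags, registries = [], set()
    for tag in (stream.get("spec") or {}).get("tags") or []:
        if (tag.get("importPolicy") or {}).get("insecure") is not True:
            continue
        insecure_tags.append(tag.get("name"))
        src = tag.get("from") or {}
        if src.get("kind") == "DockerImage" and "/" in src.get("name", ""):
            # Assumes the reference starts with host[:port], as in this report.
            registries.add(src["name"].split("/", 1)[0])
    return {
        "stream": "%s/%s" % (meta.get("namespace"), meta.get("name")),
        "annotated": annotated,
        "insecure_tags": insecure_tags,
        "registries": sorted(registries),
        # State in this report: insecure import allowed, annotation absent.
        "mismatch": bool(insecure_tags) and not annotated,
    }

def audit(doc):
    """Accept a single ImageStream or a List; return one summary per stream."""
    streams = doc.get("items", []) if doc.get("kind") == "List" else [doc]
    return [audit_stream(s) for s in streams]
```

The same summary doubles as an inventory of which external registries a cluster is configured to reach without verified TLS.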
Opened a PR: https://github.com/openshift/origin/pull/13114
The PR is merged. I'm working on the docs PR.
Confirmed with the latest origin AMI; the issue has been fixed. Will verify it when the PR is merged to OCP:
    openshift version
    openshift v1.5.0-alpha.3+2261a32-234
    kubernetes v1.5.2+43a9be4
    etcd 3.1.0
    [root@ip-172-18-12-48 ~]# docker login -u zhouy -p Cl1h7y3uSaQChe0mN4MA2c1FHjog4WklHH4Pn5fKTlY -e dalda 172.30.103.111:5000
    Flag --email has been deprecated, will be removed in 1.13.
    Login Succeeded
    [root@ip-172-18-12-48 ~]# docker pull 172.30.103.111:5000/openshift/rhel:latest
    Trying to pull repository 172.30.103.111:5000/openshift/rhel ...
    latest: Pulling from 172.30.103.111:5000/openshift/rhel
    fba561a35c19: Already exists
    Digest: sha256:1bc5a4c43bbb29a5a96a61896ff696933be3502e2f5fdc4cde02d9e101731fdd
Is this for 3.5 or 3.6? The pull request was for origin/master, which is now 3.6. But the ticket says 3.5 for everything.
PR: https://github.com/openshift/origin/pull/13274 This is for 3.5, should be merged today.
Merged in 3.5.
Confirmed with OCP 3.5; the issue has been fixed:
    openshift version
    openshift v3.5.0.50
    kubernetes v1.5.2+43a9be4
    etcd 3.1.0
    [root@ip-172-18-7-163 ~]# docker login -u zhouy -p B57RpPY-vl5xl_ju7Oq1O3xmYT_o6HcKKGxadQgd_Uc -e dalda 172.31.224.223:5000
    Flag --email has been deprecated, will be removed in 1.13.
    Login Succeeded
    [root@ip-172-18-7-163 ~]# docker pull 172.31.224.223:5000/openshift/ruby:2.0
    Trying to pull repository 172.31.224.223:5000/openshift/ruby ...
    sha256:9cfdf4b811ace13d4c555335b249ab831832a384113035512abc9d4d5cc59716: Pulling from 172.31.224.223:5000/openshift/ruby
    7bd78273b666: Already exists
    c196631bd9ac: Already exists
    f6ae074f3e7f: Pull complete
    27fca64257bd: Pull complete
    Digest: sha256:9cfdf4b811ace13d4c555335b249ab831832a384113035512abc9d4d5cc59716
    Status: Downloaded newer image for 172.31.224.223:5000/openshift/ruby:2.0
Added doc text. Docs PR: https://github.com/openshift/openshift-docs/pull/3890
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2017:0884