Description of problem: When "oadm diagnostics" is executed the images for the internal network diagnosis are being pulled from docker.io. For enterprise environments where public registries are blocked it is not possible to conduct the diagnostics without any other workaround. The images should be placed in the official RedHat registry and "oadm" in the OpenShift Container Platfrom should be adjusted accordingly. ,"containerStatuses":[{"name":"network-diag-test-pod-s5adu","state":{"waiting":{"reason":"ContainerCreating"}},"lastState":{},"ready":false,"restartCount":0,"image":"docker.io/openshift/hello-openshift","imageID":""}]}}]} Version-Release number of selected component (if applicable): How reproducible: Steps to Reproduce: 1. 2. 3. Actual results: Expected results: Additional info:
Ravi, this diagnostic seems to be using busybox and hello-openshift images. Do we have RH-registry-supplied images that could be substituted on OCP? maybe rhel7 and ose-deployer?
*** Bug 1429244 has been marked as a duplicate of this bug. ***
busybox image is no longer used in the latest code and hello-openshift image is not present in redhat registry yet. We use hello-openshift image as test pod for network diagnostics (this was picked due to its small size) and this will be pulled on all nodes. 4 instances of hello-openshift image are run on each node to perform various networking checks. I will check if there is any existing small image in redhat registry that we can use as test pod or I will ask Justin's team if they can include this image as part of redhat registry.
Closing this as a duplicate of bug 1418857 as it was older - happy to do it the other way around if you prefer. I believe that the overhead of shipping an additional supported image for this purpose is a bit too much. The {ose,origin}-deployer image is not exactly small, but I think it's fair to assume it should be readily available on any node; that image has 'socat' on it, so I believe we could use it here for the simple use case at hand. Also we should make the image choice configurable via an option to address bug 1417641. *** This bug has been marked as a duplicate of bug 1418857 ***
Commenting here instead at https://bugzilla.redhat.com/show_bug.cgi?id=1418857 to keep the context. {ose,origin}-deployer image may not fit the bill. Probably I wasn't clear on my previous comment, small image is not the only criteria for the test pod. It has to listen on a port to service something so that we can expose a test service (used to run service connectivity checks). I had a chat with Samuel last friday and I'm hoping he is going to do the needful to get the image in redhat registry. For https://bugzilla.redhat.com/show_bug.cgi?id=1417641, test pod image is internal to diagnostics and making this as config will not give any additional value to the user and also this could lead to false diagnostics results when the custom test pod behaves incorrectly.
*** Bug 1418857 has been marked as a duplicate of this bug. ***
> It has to listen on a port to service something so that we can expose a test > service (used to run service connectivity checks). Sure, that's why I mentioned the presence of socat in these images. I think that running something like this should be enough for this use case: socat -T 1 -d tcp-l:8080,reuseaddr,fork,crlf \ system:"echo 'HTTP/1.0 200 OK'; echo 'Content-Type: text/plain'; echo; echo 'Hello OpenShift'" Another alternative could be to use the oc client in one of the images (e.g. the deployer) and run "oc observe" as entrypoint; this would serve HTTP on port 11251. > I had a chat with Samuel last friday and I'm hoping he is going to do the > needful to get the image in redhat registry. Considering the above: can't we just reuse one of the images we already provide and is likely to be already on the nodes? To ship an image in the redhat registry involves a bit more than just pushing it there... Note also that the diagnostics pod check already uses this approach and relies on the deployer image. In this case though it has its own command in there. The socat/oc options are admittedly a bit "obscure", so maybe we could add an option to the infra diagnostic-pod command to just start in hello-openshift listen and serve mode? > For https://bugzilla.redhat.com/show_bug.cgi?id=1417641, test pod image is > internal to diagnostics and making this as config will not give any > additional value to the user Well, it gives a bit of choice and it's useful for disconnected environments... > and also this could lead to false diagnostics results when the custom test pod > behaves incorrectly. So, the requirements of the image should be documented. The diagnostics command already has an --image option to select the DiagnosticPod image. This might be something to discuss in that other RFE, I just mentioned it here because we're changing the same code and it might be an opportunity to address both at the same time.
Yes, agreed. We can use origin-deployer image. Created https://github.com/openshift/origin/pull/14364 to fix these issues.
Commit pushed to master at https://github.com/openshift/origin https://github.com/openshift/origin/commit/dfe3be110e0a90849d2bd979dfbf8cef27b39326 Bug 1439142 - Use openshift/origin-deployer image instead of openshift/hello-openshift as network diagnostic test pod. openshift/hello-openshift is not available in redhat registry. Now we use openshift/origin-deployer which already exists in redhat registry and should be present on all nodes.
this bug should be duplicated this https://bugzilla.redhat.com/show_bug.cgi?id=1421643 *** This bug has been marked as a duplicate of bug 1421643 ***