Bug 1489042 - [3.6][Backport] exposing docker-registry with a non tls-passthrough route does not work
Status: CLOSED ERRATA
Product: OpenShift Container Platform
Classification: Red Hat
Component: Image Registry
Version: 3.6.1
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: medium
Target Milestone: ---
Target Release: 3.6.z
Assigned To: Michal Minar
QA Contact: Dongbo Yan
Depends On: 1471707
Blocks: 1489039
Reported: 2017-09-06 11:48 EDT by Michal Minar
Modified: 2017-10-25 09:06 EDT

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Cause: The registry used to append the forwarded target port to redirected location URLs. The registry client gets confused by the received location containing a superfluous port and cannot match it against the original host. This happened when the registry was exposed with a TLS termination other than passthrough.
Consequence: The client's new request to the target location lacks credentials. As a consequence, image push fails due to an authorization error.
Fix: The registry was rebased to a newer version which fixes the forwarding processing logic.
Result: The registry no longer confuses its clients. Clients can push images successfully to the exposed registry using arbitrary TLS termination.
Story Points: ---
Clone Of: 1471707
Environment:
Last Closed: 2017-10-25 09:06:40 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
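
The Doc Text above describes a redirect Location whose authority carries a port the client did not write. As an added example (not code from the registry, the docker/distribution fix or this bug report), the Go helper below classifies a Location against the registry name the client pushed to. The host names are constructed, and the client is assumed to compare authorities literally.

```go
package main

import (
	"fmt"
	"net"
	"net/url"
	"strings"
)

var defaultPort = map[string]string{"http": "80", "https": "443"} // port implied by scheme

// split returns the lower-cased host, the port as written ("" if none) and the effective port.
func split(authority, scheme string) (host, written, effective string) {
	host = strings.ToLower(authority)
	if h, p, err := net.SplitHostPort(authority); err == nil {
		host, written = strings.ToLower(h), p
	}
	if effective = written; effective == "" {
		effective = defaultPort[scheme]
	}
	return
}

// CheckLocation compares a redirect Location with the registry name the client used.
// scheme is lower-case ("https"). Assumption: the client matches authorities literally.
func CheckLocation(scheme, pushHost, location string) (string, error) {
	u, err := url.Parse(location)
	if err != nil {
		return "", err
	}
	wantHost, wantPort, wantEff := split(pushHost, scheme)
	gotHost, gotPort, gotEff := split(u.Host, scheme)
	switch {
	case u.Host == "": // relative Location inherits the request's authority
		return "match", nil
	case u.Scheme != scheme || gotHost != wantHost:
		return "mismatch", nil
	case gotPort == wantPort: // identical as written
		return "match", nil
	case gotEff == wantEff: // same endpoint, but a literal comparison fails
		return "port-spelling-differs", nil
	}
	return "mismatch", nil
}

func main() {
	// Constructed sample, not taken from the bug report.
	fmt.Println(CheckLocation("https", "registry.example.com", "https://registry.example.com:443/v2/"))
}
```

A "port-spelling-differs" result is the case where the redirect points at the same endpoint but no longer matches the name the client holds credentials for.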


External Trackers
Tracker: Red Hat Product Errata
ID: RHBA-2017:3049
Priority: normal
Status: SHIPPED_LIVE
Summary: OpenShift Container Platform 3.6, 3.5, and 3.4 bug fix and enhancement update
Last Updated: 2017-10-25 11:57:15 EDT

Comment 1 Michal Minar 2017-09-06 11:50:11 EDT
PR https://github.com/docker/distribution/pull/2219 will be back-ported to fix the issue.
Comment 2 Michal Minar 2017-09-08 10:24:23 EDT
Thomas found out that with the fix in question, :443 suffix added to registry names causes timeouts.

We need to make sure that our registry can be addressed both with and without the :443 suffix because many customers added it to their external registries as a work-around for the broken port forwarding.

This needs to be further investigated.
Comment 3 Michal Minar 2017-09-27 12:31:16 EDT
I could not confirm the registry has issues with push-specs with or without the :443 on the latest master. Therefore, I'll continue with the back-port.
Comment 4 Ben Parees 2017-10-02 15:46:37 EDT
Was this backport requested by a customer?  If not, why are we doing it?
Comment 6 Michal Minar 2017-10-03 06:00:48 EDT
Back-port PR: https://github.com/openshift/ose/pull/883
Comment 8 Dongbo Yan 2017-10-13 04:02:53 EDT
wait for available puddle
Comment 11 Dongbo Yan 2017-10-17 01:59:40 EDT
Verified
$ ./oc version
oc v3.6.173.0.49
kubernetes v1.6.1+5115d708d7
features: Basic-Auth GSSAPI Kerberos SPNEGO

Server https://:8443
openshift v3.6.173.0.49
kubernetes v1.6.1+5115d708d7
Comment 13 errata-xmlrpc 2017-10-25 09:06:40 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:3049
