Bugzilla will be upgraded to version 5.0. The upgrade date is tentatively scheduled for 2 December 2018, pending final testing and feedback.
First Last Prev Next    This bug is not in your last search results.
Bug 1493213 - Builds fail with "authentication required" after upgrade
Builds fail with "authentication required" after upgrade
Status: CLOSED ERRATA
Product: OpenShift Container Platform
Classification: Red Hat
Component: Auth (Show other bugs)
3.6.0
Unspecified Unspecified
unspecified Severity high
: ---
: 3.6.z
Assigned To: Simo Sorce
Chuan Yu
:
: 1538261 1550162 (view as bug list)
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2017-09-19 11:27 EDT by Steven Walter
Modified: 2018-07-18 21:58 EDT (History)
12 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
During upgrades reconciliation happens only for cluster roles automatically. But this role needs to be adjusted in 3.6 due to enablement of API groups in this realease. The ansible upgrade code has been changed to take care of this role upgrade.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2017-12-07 02:11:23 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Knowledge Base (Solution) 3190832 None None None 2017-09-20 11:28 EDT
Red Hat Knowledge Base (Solution) 3331671 None None None 2018-01-26 09:25 EST
Red Hat Product Errata RHSA-2017:3389 normal SHIPPED_LIVE Moderate: Red Hat OpenShift Enterprise security, bug fix, and enhancement update 2017-12-07 07:09:10 EST

  None (edit)
Description Steven Walter 2017-09-19 11:27:45 EDT 
Description of problem:
After upgrade from 3.5 to 3.6, builds fail with unauthorized: authentication required, when trying to pull from registry. When manually pulling with a user account (admin) to the node that should run the build, re-starting the build works. Service accounts do not appear to be able to pull the images from the registry.

Version-Release number of selected component (if applicable):
3.6

How reproducible:
Unconfirmed


Actual results:
pulling image error : unauthorized: authentication required
error: build error: unable to get 172.30.109.30:5000/openshift/a24-tc8-jdk8@sha256:269d6a4e72

[root]# docker login -u serviceaccount -p $(oc sa get-token deployer) 172.30.109.30:5000
Login Succeeded
[root]# docker pull  172.30.109.30:5000/openshift/a24-tc8-jdk8@sha256:acc6fc10a8ea90b49e56f3259162cf4a8e57cfa98ead03a81ace9b90a5e4b947
Trying to pull repository 172.30.109.30:5000/openshift/a24-tc8-jdk8 ...
unauthorized: authentication required
[root]# docker login -u serviceaccount -p $(oc sa get-token builder) 172.30.109.30:5000
Login Succeeded
[root]# docker pull  172.30.109.30:5000/openshift/a24-tc8-jdk8@sha256:acc6fc10a8ea90b49e56f3259162cf4a8e57cfa98ead03a81ace9b90a5e4b947
Trying to pull repository 172.30.109.30:5000/openshift/a24-tc8-jdk8 ...
unauthorized: authentication required


Expected results:
[root@master-1 cloud-user]# docker login -u serviceaccount -p $( oc sa get-token default ) 172.30.155.150:5000
Login Succeeded
[root@master-1 cloud-user]# docker pull 172.30.155.150:5000/openshift/python 
Using default tag: latest
Trying to pull repository 172.30.155.150:5000/openshift/python ... 
sha256:3c9b3aa7da699a02a9a3285b2c4f816fd4405f580f0120e2fbddb976c9299d22: Pulling from 172.30.155.150:5000/openshift/python
d55ab3b04d8b: Downloading [==============================================>    ] 67.04 MB/72.16 MB
b94f985aad49: Download complete 
6d71013e372d: Downloading [==================================================>] 68.66 MB/68.66 MB
3398045bac98: Download complete
Comment 6 Steven Walter 2017-09-20 11:32:09 EDT 
Customer was able to get builds working using workaround from github issue:

oc adm policy add-role-to-group system:image-puller system:serviceaccounts -n openshift
Comment 9 Simo Sorce 2017-10-03 08:43:00 EDT 
Upstream issue here :https://github.com/openshift/origin/pull/16465
Initial PR to deal with the issue here: https://github.com/openshift/openshift-ansible/pull/5617
Comment 10 Mo 2017-10-10 16:20:08 EDT 
*** Bug 1500225 has been marked as a duplicate of this bug. ***
Comment 11 Simo Sorce 2017-10-11 09:50:10 EDT 
A fix has been commit to openshift ansible for release 3.6:
https://github.com/openshift/openshift-ansible/pull/5649
Comment 13 Chuan Yu 2017-10-25 01:57:05 EDT 
Verified.

# openshift version
openshift v3.6.173.0.59
kubernetes v1.6.1+5115d708d7
etcd 3.2.1

openshift-ansible-3.6.173.0.59-1
Comment 18 errata-xmlrpc 2017-12-07 02:11:23 EST 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2017:3389
Comment 19 Simo Sorce 2018-01-26 09:25:40 EST 
*** Bug 1538261 has been marked as a duplicate of this bug. ***
Comment 20 Ryan Howe 2018-02-28 11:50:32 EST 
*** Bug 1550162 has been marked as a duplicate of this bug. ***
Note You need to log in before you can comment on or make changes to this bug.
First Last Prev Next    This bug is not in your last search results.