Bug 1535783 - Cannot login openshift container registry behind proxy
Keywords:
Status: CLOSED DUPLICATE of bug 1527210
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Installer
Version: 3.9.0
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: ---
Target Release: 3.9.0
Assignee: Fabian von Feilitzsch
QA Contact: Johnny Liu
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2018-01-18 05:59 UTC by Dongbo Yan
Modified: 2018-01-25 15:05 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-01-25 15:05:31 UTC
Target Upstream Version:
Embargoed:


Attachments:
log from dc/docker-registry (2.47 KB, text/plain)
2018-01-18 05:59 UTC, Dongbo Yan

Description Dongbo Yan 2018-01-18 05:59:07 UTC
Created attachment 1382748
log from dc/docker-registry

Description of problem:
Launch an OpenShift cluster behind a proxy; cannot log in to the OpenShift container registry.

Version-Release number of selected component (if applicable):
openshift v3.9.0-0.20.0
kubernetes v1.9.1+a0ce1bc657
etcd 3.2.8

How reproducible:
Always

Steps to Reproduce:
1. Launch an OpenShift cluster behind a proxy
2. Wait until the registry pod is ready, then log in to the OpenShift container registry

Actual results:
Cannot log in to the OpenShift container registry
# docker login -u dyan -pGsiRdMqRIqzRNPP1VtA_EJu8ZUusBbLtmIABUFEsQ1Y 172.30.114.12:5000
Error response from daemon: Get https://172.30.114.12:5000/v1/users/: Forbidden

Expected results:
Could log in to the OpenShift container registry

Additional info:
Could log in to the OpenShift container registry successfully without the proxy

Comment 1 Gan Huang 2018-01-18 06:15:43 UTC
Check the proxy variables on the docker-registry.
# oc env dc/docker-registry --list |grep -i proxy
NO_PROXY=.cluster.local,.svc,169.254.169.254,172.16.120.100,172.16.120.162
HTTP_PROXY=http://xxx.redhat.com:3128
HTTPS_PROXY=http://xxx.redhat.com:3128

After appending the cluster CIDR and service CIDR (`172.30.0.0/16,10.128.0.0/14`) to NO_PROXY, the build can succeed.
# oc env  dc/docker-registry NO_PROXY=.cluster.local,.svc,169.254.169.254,172.16.120.100,172.16.120.162,172.30.0.0/16,10.128.0.0/14

Assigning to Installer component.

Comment 2 Scott Dodson 2018-01-18 15:27:17 UTC
The docker registry service ip address is prone to change. To work around that we've configured environments to push to the registry via the service name.

Can you attempt to log in to 'docker-registry.default.svc' rather than the service IP address? '.svc' should already be added to docker's NO_PROXY list in /etc/sysconfig/docker, which will address this issue.

Comment 3 Gan Huang 2018-01-19 04:43:27 UTC
Scott, `.svc` had already been added to docker's NO_PROXY.

From the logs of docker-registry, it seems that docker-registry has to talk to 172.30.0.1, which leads to the failure; I think this is the root cause.

We just need to make sure that the cluster CIDR and service CIDR can be added to NO_PROXY by the installer.
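
An added example, not part of the original bug report or of OpenShift's code: a Python check of which destinations named in comments 1 to 3 bypass the proxy under the NO_PROXY value listed in comment 1 and under the amended value. The matching rules (exact IP, CIDR containment, domain suffix) and the names bypasses_proxy and audit are assumptions for illustration; actual NO_PROXY handling varies by client.

```python
import ipaddress

# NO_PROXY values copied from comment 1 of this bug.
ORIGINAL = ".cluster.local,.svc,169.254.169.254,172.16.120.100,172.16.120.162"
AMENDED = ORIGINAL + ",172.30.0.0/16,10.128.0.0/14"


def bypasses_proxy(host, no_proxy):
    """Return True if `host` matches an entry in `no_proxy` (assumed rules:
    exact IP, CIDR containment, or domain suffix; real clients differ)."""
    host = host.lower().rstrip(".")
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        addr = None  # host is a DNS name, not an IP literal
    for entry in (e.strip().lower() for e in no_proxy.split(",")):
        if not entry:
            continue
        if entry == "*":
            return True
        if addr is not None:
            try:
                # strict=False also accepts a bare IP as a single-host network
                if addr in ipaddress.ip_network(entry, strict=False):
                    return True
            except ValueError:
                pass  # entry is a domain pattern; it cannot match an IP literal
            continue
        suffix = entry.lstrip(".")
        if host == suffix or host.endswith("." + suffix):
            return True
    return False


def audit(destinations, no_proxy):
    """Map each destination to 'direct' or 'proxied' under `no_proxy`."""
    return {d: "direct" if bypasses_proxy(d, no_proxy) else "proxied"
            for d in destinations}


if __name__ == "__main__":
    # Destinations named in the bug: the registry service IP, 172.30.0.1 from
    # comment 3, and the service name suggested in comment 2.
    dests = ["172.30.114.12", "172.30.0.1", "docker-registry.default.svc"]
    for label, value in (("original", ORIGINAL), ("amended", AMENDED)):
        print(label, audit(dests, value))
```

Under these assumed rules the service name already bypasses the proxy with the original list, while both 172.30.x.x addresses are sent to the proxy until the CIDR entries are appended.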

Comment 4 Dongbo Yan 2018-01-23 02:54:14 UTC
During the build process, pushing the image to docker-registry.default.svc:5000 failed with the same error: Error response from daemon: Get /v1/users/: Forbidden.

In comment 3, ghuang has provided useful info.

Comment 5 Scott Dodson 2018-01-23 18:17:46 UTC
I believe this is the same root cause as https://bugzilla.redhat.com/show_bug.cgi?id=1511870 with a proposed fix in https://github.com/openshift/openshift-ansible/pull/6215

Comment 6 Scott Dodson 2018-01-25 15:05:31 UTC

*** This bug has been marked as a duplicate of bug 1527210 ***

