Bug 1816534 - Importing images from artifactory registry failed with "! error: Import failed (Unauthorized): you may not have access to the Docker image "<registry-URL>/<image-name>:tag" [NEEDINFO]
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Image Registry
Version: 3.11.0
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: medium
Target Milestone: ---
Target Release: 4.5.0
Assignee: Ricardo Maraschini
QA Contact: XiuJuan Wang
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2020-03-24 08:58 UTC by Ashwini M. Khaire
Modified: 2020-08-04 18:06 UTC (History)

Fixed In Version:
Doc Type: Enhancement
Doc Text:
Feature: Allow imports to happen from a registry whose credentials were provided during the cluster installation (https://issues.redhat.com/browse/DEVEXP-424).
Reason: To make users' lives easier, we need to leverage all pull secrets provided during the cluster installation so they don't need to recreate them in a namespace in order to have access to the registry.
Result: Users can now import images from any registry using credentials provided during the cluster initialization.
Clone Of:
Environment:
Last Closed: 2020-08-04 18:06:46 UTC
Target Upstream Version:
obulatov: needinfo? (akhaire)




Links
System ID Priority Status Summary Last Updated
Github openshift openshift-apiserver pull 83 None closed Bug 1816534: DEVEXP-424: Leveraging node credentials during image stream import 2020-09-11 08:25:06 UTC
Red Hat Product Errata RHBA-2020:2409 None None None 2020-08-04 18:06:48 UTC

Description Ashwini M. Khaire 2020-03-24 08:58:52 UTC
Description of problem:

Importing images from the artifactory registry is failing with the below error :

$ oc import-image <registry-URL>/<image-name>:tag

~~~~~~~~
! error: Import failed (Unauthorized): you may not have access to the Docker image "<registry-URL>/<image-name>:tag"
      
         About an hour ago
~~~~~~~~

Version-Release number of selected component (if applicable):

$ oc version

oc v3.11.51
kubernetes v1.11.0+d4cacc0
features: Basic-Auth SSPI Kerberos SPNEGO

Server https://<server-URL>:443
openshift v3.11.141
kubernetes v1.11.0+d4cacc0

How reproducible:

Always

Steps to Reproduce:
1. Log in to the authenticated docker registry hosted by the artifactory :

   # docker login -u <username> -p <password> https://<docker-registry-URL>

2. Create a secret using .dockercfg file (or $HOME/.docker/config.json file) :

   $ oc create secret generic <pull_secret_name> --from-file=.dockerconfigjson=<path/to/.docker/config.json> --type=kubernetes.io/dockerconfigjson

OR create a secret as below :

   $ oc create secret docker-registry <pull-secret-name> --docker-server=<registry_server> --docker-username=<user_name> --docker-password=<password>

3. Link the created secret with the "default" serviceaccount :

   $ oc secrets link default <pull_secret_name> --for=pull

4. Try to import the image :

   $ oc import-image <registry-URL>/<image-name>:tag --confirm


Actual results:

$ oc import-image failed with below error :

~~~~~~~
! error: Import failed (Unauthorized): you may not have access to the Docker image "<registry-URL>/<image-name>:tag"
      
         About an hour ago
~~~~~~~

Expected results:

The image must be imported without error.

Additional info:

1. Referring to the external image registry hosted by artifactory.

2. Also tried to import the image with the latest "oc" binary version, which leads to the same results.

~~~~~~~
$ oc version

Client Version: openshift-clients-4.2.1-201910220950
Kubernetes Version: v1.11.0+d4cacc0
~~~~~~~

3. All build and deployments pointing to this artifactory registry are able to pull the images. Only failing to import images from the artifactory.

Comment 1 Oleg Bulatov 2020-03-24 11:53:05 UTC
We are going to fix it in 4.5.

You need to create another secret for the token server.

For example, let's say the registry is registry-1.docker.io:

$ curl -sSI https://registry-1.docker.io/v2/ | grep -i www-authenticate
Www-Authenticate: Bearer realm="https://auth.docker.io/token",service="registry.docker.io"

We already know how to handle docker.io, but if we didn't, you would have to create a secret for auth.docker.io.

Ashwini, can you try this workaround?
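
The check described in the comment above, as an added example that is not part of the original comment or of OpenShift's code: it parses the `Www-Authenticate` challenge, derives the token server host from `realm`, and reports which hosts have no entry in a `.dockerconfigjson` document. The function names, the sample secret and the exact-host matching rule are assumptions made for this example.

```python
import json
import re
from urllib.parse import urlsplit

# Constructed sample inputs: the header is the one quoted in the comment above;
# the pull-secret content is made up and holds a placeholder credential.
HEADER = 'Www-Authenticate: Bearer realm="https://auth.docker.io/token",service="registry.docker.io"'
PULL_SECRET = json.dumps({"auths": {"registry-1.docker.io": {"auth": "PLACEHOLDER"}}})

_PARAM = re.compile(r'(\w+)=(?:"([^"]*)"|([^\s,]+))')


def parse_bearer_challenge(line):
    """Return the parameters of a Bearer challenge as a dict ({} for other schemes)."""
    value = re.sub(r"(?i)^\s*www-authenticate:\s*", "", line).strip()
    scheme, _, rest = value.partition(" ")
    if scheme.lower() != "bearer":
        return {}
    return {k.lower(): quoted or bare for k, quoted, bare in _PARAM.findall(rest)}


def host_of(entry):
    """Normalise 'host', 'host:port' or a full URL to a lowercase host[:port]."""
    entry = entry.strip().lower()
    return urlsplit(entry if "://" in entry else "//" + entry).netloc


def hosts_needing_credentials(registry, header_line):
    """The registry host plus, if the challenge names one, the token server host."""
    hosts = [host_of(registry)]
    realm = parse_bearer_challenge(header_line).get("realm")
    if realm and host_of(realm) not in hosts:
        hosts.append(host_of(realm))
    return hosts


def missing_credentials(registry, header_line, dockerconfigjson):
    """Hosts from the challenge that have no entry under "auths" in the secret."""
    covered = {host_of(k) for k in json.loads(dockerconfigjson).get("auths", {})}
    return [h for h in hosts_needing_credentials(registry, header_line) if h not in covered]


if __name__ == "__main__":
    print(missing_credentials("registry-1.docker.io", HEADER, PULL_SECRET))
```

A non-empty result names the host for which a second secret would be needed under the workaround described in the comment.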

Comment 2 Ashwini M. Khaire 2020-03-25 04:54:43 UTC
Hello Team,

After creating a secret for the token server, the CU was able to import the image from the artifactory. Can you please provide some information on the concern below:

~~~~~~~
How this works for image pulls otherwise, do the build/pod/deployment configs just use the same token regardless of where they are sent for the token? 
~~~~~~~


Thanks,
Ashwini Khaire.

Comment 3 Oleg Bulatov 2020-03-25 09:38:34 UTC
Yes, that's a limitation of current image imports. In 4.x we are going to change it and use the same logic for imports as for pods/builds.

Comment 6 XiuJuan Wang 2020-04-20 10:14:58 UTC
If the credentials for the registry are included in the pull-secret secret (under the openshift-config project), it can import images successfully from this registry under a common project, with no need to create an additional secret.

$oc new-project test
Now using project "test" on server "https://api.qe-groupd-0420.qe.devcluster.openshift.com:6443".

You can add applications to this project with the 'new-app' command. For example, try:

    oc new-app ruby~https://github.com/sclorg/ruby-ex.git

to build a new example application in Python. Or use kubectl to deploy a simple Kubernetes application:

    kubectl create deployment hello-node --image=gcr.io/hello-minikube-zero-install/hello-node

$ oc import-image ruby:test --from=registry.redhat.io/rhscl/ruby-25-rhel7:latest  --confirm 

imagestream.image.openshift.io/ruby imported

Name:			ruby
Namespace:		test
Created:		Less than a second ago
Labels:			<none>
Annotations:		openshift.io/image.dockerRepositoryCheck=2020-04-20T10:10:18Z
Image Repository:	image-registry.openshift-image-registry.svc:5000/test/ruby
Image Lookup:		local=false
Unique Images:		1
Tags:			1

test
  tagged from registry.redhat.io/rhscl/ruby-25-rhel7:latest

  * registry.redhat.io/rhscl/ruby-25-rhel7@sha256:a153706de58e820a42df863ade626238c46ab8733a40efd60dedbc7457b7fcb5
      Less than a second ago

Image Name:	ruby:latest
Docker Image:	registry.redhat.io/rhscl/ruby-25-rhel7@sha256:a153706de58e820a42df863ade626238c46ab8733a40efd60dedbc7457b7fcb5
Name:		sha256:a153706de58e820a42df863ade626238c46ab8733a40efd60dedbc7457b7fcb5
Created:	Less than a second ago
Annotations:	image.openshift.io/dockerLayersOrder=ascending
Image Size:	185.4MB in 5 layers
Layers:		76.26MB	sha256:23302e52b49d49a0a25da8ea870bc1973e7d51c9b306f3539cd397318bd8b0a5
		1.62kB	sha256:cf5693de4d3cdd6f352978b87c8f89ead294eff44938598f57a91cf7a02417d2
		7.21MB	sha256:fd542ee251592bb3ed566aa42ccf98987a5607b64823720d19d68ae382e48bb0
		87.83MB	sha256:fc0a1c1e5719bb16c76e32ae3ddd97b827a51cd2f68ed0608ccebea0391c3549
		14.14MB	sha256:5d1682512f566ecfee97d01b662f4ff15b04d27424657760ac851359a36ce7b0
Image Created:	3 weeks ago
Author:		<none>
Arch:		amd64
Entrypoint:	container-entrypoint
Command:	/bin/sh -c $STI_SCRIPTS_PATH/usage
Working Dir:	/opt/app-root/src
User:		1001
Exposes Ports:	8080/tcp
Docker Labels:	architecture=x86_64
		authoritative-source-url=registry.access.redhat.com
		build-date=2020-03-27T11:24:44.523404
		com.redhat.build-host=cpt-1008.osbs.prod.upshift.rdu2.redhat.com
		com.redhat.component=rh-ruby25-container
		com.redhat.license_terms=https://www.redhat.com/en/about/red-hat-end-user-license-agreements#UBI
		description=Ruby 2.5 available as container is a base platform for building and running various Ruby 2.5 applications and frameworks. Ruby is the interpreted scripting language for quick and easy object-oriented programming. It has many features to process text files and to do system management tasks (as in Perl). It is simple, straight-forward, and extensible.
		distribution-scope=public
		io.k8s.description=Ruby 2.5 available as container is a base platform for building and running various Ruby 2.5 applications and frameworks. Ruby is the interpreted scripting language for quick and easy object-oriented programming. It has many features to process text files and to do system management tasks (as in Perl). It is simple, straight-forward, and extensible.
		io.k8s.display-name=Ruby 2.5
		io.openshift.expose-services=8080:http
		io.openshift.s2i.scripts-url=image:///usr/libexec/s2i
		io.openshift.tags=builder,ruby,ruby25,rh-ruby25
		io.s2i.scripts-url=image:///usr/libexec/s2i
		maintainer=SoftwareCollections.org <sclorg@redhat.com>
		name=rhscl/ruby-25-rhel7
		release=58
		summary=Platform for building and running Ruby 2.5 applications
		url=https://access.redhat.com/containers/#/registry.access.redhat.com/rhscl/ruby-25-rhel7/images/2.5-58
		usage=s2i build https://github.com/sclorg/s2i-ruby-container.git --context-dir=2.5/test/puma-test-app/ rhscl/ruby-25-rhel7 ruby-sample-app
		vcs-ref=a9b57bd34183848e5ed6502201843827840c3e1f
		vcs-type=git
		vendor=Red Hat, Inc.
		version=2.5
Environment:	PATH=/opt/app-root/src/bin:/opt/app-root/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
		container=oci
		SUMMARY=Platform for building and running Ruby 2.5 applications
		DESCRIPTION=Ruby 2.5 available as container is a base platform for building and running various Ruby 2.5 applications and frameworks. Ruby is the interpreted scripting language for quick and easy object-oriented programming. It has many features to process text files and to do system management tasks (as in Perl). It is simple, straight-forward, and extensible.
		STI_SCRIPTS_URL=image:///usr/libexec/s2i
		STI_SCRIPTS_PATH=/usr/libexec/s2i
		APP_ROOT=/opt/app-root
		HOME=/opt/app-root/src
		PLATFORM=el7
		BASH_ENV=/opt/app-root/etc/scl_enable
		ENV=/opt/app-root/etc/scl_enable
		PROMPT_COMMAND=. /opt/app-root/etc/scl_enable
		NODEJS_SCL=rh-nodejs10
		RUBY_MAJOR_VERSION=2
		RUBY_MINOR_VERSION=5
		RUBY_VERSION=2.5
		RUBY_SCL_NAME_VERSION=25
		RUBY_SCL=rh-ruby25
		IMAGE_NAME=rhscl/ruby-25-rhel7


$oc version 
Client Version: 4.5.0-202004180718-6b061e3
Server Version: 4.5.0-0.nightly-2020-04-18-184707
Kubernetes Version: v1.18.0-rc.1

Comment 8 errata-xmlrpc 2020-08-04 18:06:46 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (OpenShift Container Platform 4.5 image release advisory), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:2409

