Description of problem:
Importing images from the artifactory registry is failing with the below error:

$ oc import-image <registry-URL>/<image-name>:tag
~~~~~~~~
! error: Import failed (Unauthorized): you may not have access to the Docker image "<registry-URL>/<image-name>:tag"
      About an hour ago
~~~~~~~~

Version-Release number of selected component (if applicable):
$ oc version
oc v3.11.51
kubernetes v1.11.0+d4cacc0
features: Basic-Auth SSPI Kerberos SPNEGO

Server https://<server-URL>:443
openshift v3.11.141
kubernetes v1.11.0+d4cacc0

How reproducible:
Always

Steps to Reproduce:
1. Log in to the authenticated docker registry hosted by the artifactory:
   # docker login -u <username> -p <password> https://<docker-registry-URL>

2. Create a secret using the .dockercfg file (or the $HOME/.docker/config.json file):
   $ oc create secret generic <pull_secret_name> --from-file=.dockerconfigjson=<path/to/.docker/config.json> --type=kubernetes.io/dockerconfigjson

   OR create a secret as below:
   $ oc create secret docker-registry <pull-secret-name> --docker-server=<registry_server> --docker-username=<user_name> --docker-password=<password>

3. Link the created secret with the "default" serviceaccount:
   $ oc secrets link default <pull_secret_name> --for=pull

4. Try to import the image:
   $ oc import-image <registry-URL>/<image-name>:tag --confirm

Actual results:
$ oc import-image failed with the below error:
~~~~~~~
! error: Import failed (Unauthorized): you may not have access to the Docker image "<registry-URL>/<image-name>:tag"
      About an hour ago
~~~~~~~

Expected results:
The image must be imported without error.

Additional info:
1. Referring to the external image registry hosted by artifactory.
2. Also, tried to import the image with the latest "oc" binary version, which leads to the same results.
~~~~~~~
$ oc version
Client Version: openshift-clients-4.2.1-201910220950
Kubernetes Version: v1.11.0+d4cacc0
~~~~~~~
3. All builds and deployments pointing to this artifactory registry are able to pull the images. Only importing images from the artifactory fails.
We are going to fix it in 4.5.

You need to create another secret for the token server. For example, let's say the registry is registry-1.docker.io:

$ curl -sSI https://registry-1.docker.io/v2/ | grep -i www-authenticate
Www-Authenticate: Bearer realm="https://auth.docker.io/token",service="registry.docker.io"

We already know how to handle docker.io, but if we didn't, you would have to create a secret for auth.docker.io.

Ashwini, can you try this workaround?
Hello Team,

After creating a secret for the token server, the CU was able to import the image from the artifactory.

Can you please provide some information on the below concern:
~~~~~~~
How this works for image pulls otherwise, do the build/pod/deployment configs just use the same token regardless of where they are sent for the token?
~~~~~~~

Thanks,
Ashwini Khaire.
Yes, that's a limitation of current image imports. In 4.x we are going to change it and use the same logic for imports as for pods/builds.
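
The token-server workaround discussed above can be checked before running an import. The following is an added example, not code from the bug report or from OpenShift: it reads the realm out of a Www-Authenticate challenge and reports which hosts a .dockerconfigjson pull secret does not cover. The function names are hypothetical and the pull secret is constructed sample data; the header is the one quoted in the comment above.

```python
import base64
import json
import re
from urllib.parse import urlsplit

# Header taken from the comment above (output of curl -sSI .../v2/).
HEADER = 'Www-Authenticate: Bearer realm="https://auth.docker.io/token",service="registry.docker.io"'

# Constructed pull secret: credentials for the registry host only.
_AUTH = base64.b64encode(b"user:constructed-password").decode()
REGISTRY_ONLY = json.dumps({"auths": {"registry-1.docker.io": {"auth": _AUTH}}})


def token_realm_host(header):
    """Host of the Bearer token realm, or None if the challenge is not Bearer."""
    value = header.strip()
    if value.lower().startswith("www-authenticate:"):
        value = value.split(":", 1)[1].strip()
    scheme, _, params = value.partition(" ")
    if scheme.lower() != "bearer":
        return None
    fields = dict(re.findall(r'(\w+)="([^"]*)"', params))
    realm = fields.get("realm")
    return urlsplit(realm).netloc if realm else None


def hosts_in_pull_secret(dockerconfigjson):
    """Hosts that have an entry under "auths" in a .dockerconfigjson document."""
    hosts = set()
    for key in json.loads(dockerconfigjson).get("auths", {}):
        # Keys are either bare hosts or URLs such as https://host/v1/.
        hosts.add(urlsplit(key).netloc if "://" in key else key.split("/")[0])
    return hosts


def missing_hosts(registry_host, header, dockerconfigjson):
    """Hosts the import needs credentials for but the secret does not cover."""
    needed = {registry_host}
    realm_host = token_realm_host(header)
    if realm_host:
        needed.add(realm_host)
    return sorted(needed - hosts_in_pull_secret(dockerconfigjson))


if __name__ == "__main__":
    print(missing_hosts("registry-1.docker.io", HEADER, REGISTRY_ONLY))
```

A non-empty result names the hosts that still need a secret; a Basic challenge has no separate token server, so only the registry host is required.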
If the credentials for the registry are included in the pull-secret secret (under the openshift-config project), it could import images successfully from this registry under a common project, with no need to create an additional secret.

$ oc new-project test
Now using project "test" on server "https://api.qe-groupd-0420.qe.devcluster.openshift.com:6443".

You can add applications to this project with the 'new-app' command. For example, try:

    oc new-app ruby~https://github.com/sclorg/ruby-ex.git

to build a new example application in Python. Or use kubectl to deploy a simple Kubernetes application:

    kubectl create deployment hello-node --image=gcr.io/hello-minikube-zero-install/hello-node

$ oc import-image ruby:test --from=registry.redhat.io/rhscl/ruby-25-rhel7:latest --confirm
imagestream.image.openshift.io/ruby imported

Name:              ruby
Namespace:         test
Created:           Less than a second ago
Labels:            <none>
Annotations:       openshift.io/image.dockerRepositoryCheck=2020-04-20T10:10:18Z
Image Repository:  image-registry.openshift-image-registry.svc:5000/test/ruby
Image Lookup:      local=false
Unique Images:     1
Tags:              1

test
  tagged from registry.redhat.io/rhscl/ruby-25-rhel7:latest

  * registry.redhat.io/rhscl/ruby-25-rhel7@sha256:a153706de58e820a42df863ade626238c46ab8733a40efd60dedbc7457b7fcb5
      Less than a second ago

Image Name:     ruby:latest
Docker Image:   registry.redhat.io/rhscl/ruby-25-rhel7@sha256:a153706de58e820a42df863ade626238c46ab8733a40efd60dedbc7457b7fcb5
Name:           sha256:a153706de58e820a42df863ade626238c46ab8733a40efd60dedbc7457b7fcb5
Created:        Less than a second ago
Annotations:    image.openshift.io/dockerLayersOrder=ascending
Image Size:     185.4MB in 5 layers
Layers:         76.26MB  sha256:23302e52b49d49a0a25da8ea870bc1973e7d51c9b306f3539cd397318bd8b0a5
                1.62kB   sha256:cf5693de4d3cdd6f352978b87c8f89ead294eff44938598f57a91cf7a02417d2
                7.21MB   sha256:fd542ee251592bb3ed566aa42ccf98987a5607b64823720d19d68ae382e48bb0
                87.83MB  sha256:fc0a1c1e5719bb16c76e32ae3ddd97b827a51cd2f68ed0608ccebea0391c3549
                14.14MB  sha256:5d1682512f566ecfee97d01b662f4ff15b04d27424657760ac851359a36ce7b0
Image Created:  3 weeks ago
Author:         <none>
Arch:           amd64
Entrypoint:     container-entrypoint
Command:        /bin/sh -c $STI_SCRIPTS_PATH/usage
Working Dir:    /opt/app-root/src
User:           1001
Exposes Ports:  8080/tcp
Docker Labels:  architecture=x86_64
                authoritative-source-url=registry.access.redhat.com
                build-date=2020-03-27T11:24:44.523404
                com.redhat.build-host=cpt-1008.osbs.prod.upshift.rdu2.redhat.com
                com.redhat.component=rh-ruby25-container
                com.redhat.license_terms=https://www.redhat.com/en/about/red-hat-end-user-license-agreements#UBI
                description=Ruby 2.5 available as container is a base platform for building and running various Ruby 2.5 applications and frameworks. Ruby is the interpreted scripting language for quick and easy object-oriented programming. It has many features to process text files and to do system management tasks (as in Perl). It is simple, straight-forward, and extensible.
                distribution-scope=public
                io.k8s.description=Ruby 2.5 available as container is a base platform for building and running various Ruby 2.5 applications and frameworks. Ruby is the interpreted scripting language for quick and easy object-oriented programming. It has many features to process text files and to do system management tasks (as in Perl). It is simple, straight-forward, and extensible.
                io.k8s.display-name=Ruby 2.5
                io.openshift.expose-services=8080:http
                io.openshift.s2i.scripts-url=image:///usr/libexec/s2i
                io.openshift.tags=builder,ruby,ruby25,rh-ruby25
                io.s2i.scripts-url=image:///usr/libexec/s2i
                maintainer=SoftwareCollections.org <sclorg>
                name=rhscl/ruby-25-rhel7
                release=58
                summary=Platform for building and running Ruby 2.5 applications
                url=https://access.redhat.com/containers/#/registry.access.redhat.com/rhscl/ruby-25-rhel7/images/2.5-58
                usage=s2i build https://github.com/sclorg/s2i-ruby-container.git --context-dir=2.5/test/puma-test-app/ rhscl/ruby-25-rhel7 ruby-sample-app
                vcs-ref=a9b57bd34183848e5ed6502201843827840c3e1f
                vcs-type=git
                vendor=Red Hat, Inc.
                version=2.5
Environment:    PATH=/opt/app-root/src/bin:/opt/app-root/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
                container=oci
                SUMMARY=Platform for building and running Ruby 2.5 applications
                DESCRIPTION=Ruby 2.5 available as container is a base platform for building and running various Ruby 2.5 applications and frameworks. Ruby is the interpreted scripting language for quick and easy object-oriented programming. It has many features to process text files and to do system management tasks (as in Perl). It is simple, straight-forward, and extensible.
                STI_SCRIPTS_URL=image:///usr/libexec/s2i
                STI_SCRIPTS_PATH=/usr/libexec/s2i
                APP_ROOT=/opt/app-root
                HOME=/opt/app-root/src
                PLATFORM=el7
                BASH_ENV=/opt/app-root/etc/scl_enable
                ENV=/opt/app-root/etc/scl_enable
                PROMPT_COMMAND=. /opt/app-root/etc/scl_enable
                NODEJS_SCL=rh-nodejs10
                RUBY_MAJOR_VERSION=2
                RUBY_MINOR_VERSION=5
                RUBY_VERSION=2.5
                RUBY_SCL_NAME_VERSION=25
                RUBY_SCL=rh-ruby25
                IMAGE_NAME=rhscl/ruby-25-rhel7

$ oc version
Client Version: 4.5.0-202004180718-6b061e3
Server Version: 4.5.0-0.nightly-2020-04-18-184707
Kubernetes Version: v1.18.0-rc.1
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (OpenShift Container Platform 4.5 image release advisory), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2020:2409
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 120 days