Description of problem:

As per the official documentation, "Builds and imagestream imports will automatically use the pull secret used to install the cluster if a pull secret is not explicitly set. Developers do not need to copy this pull secret into their namespace." [1]

[1] https://docs.openshift.com/container-platform/4.5/release_notes/ocp-4-5-release-notes.html#ocp-4-5-node-pull-secrets

We've configured a node pull credential and for 'oc import-image' it works as expected, but if we use images from registry.redhat.io we get an "unauthorized" message. Below are the test results:

~~~~~~~~~~~~~~~~~~~~~~~~~~~
[quicklab@upi-0 ~]$ oc version
Client Version: 4.5.7
Server Version: 4.5.7
~~~~~~~~~~~~~~~~~~~~~~~~~~~

~~~~~~~~~~~~~~~~~~~~~~~~~
[quicklab@upi-0 ~]$ oc new-project test
~~~~~~~~~~~~~~~~~~~~~~~~~

~~~~~~~~~~~~~~~~~~~~~~~~~~
[quicklab@upi-0 ~]$ oc get all
NAME                  READY   STATUS    RESTARTS   AGE
pod/testing-1-build   1/1     Running   0          33s

NAME                                     TYPE     FROM         LATEST
buildconfig.build.openshift.io/testing   Docker   Dockerfile   1

NAME                                 TYPE     FROM         STATUS    STARTED          DURATION
build.build.openshift.io/testing-1   Docker   Dockerfile   Running   33 seconds ago

NAME                                     IMAGE REPOSITORY                                                TAGS   UPDATED
imagestream.image.openshift.io/testing   image-registry.openshift-image-registry.svc:5000/test/testing
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
[quicklab@upi-0 ~]$ oc get events
LAST SEEN   TYPE     REASON           OBJECT                MESSAGE
<unknown>   Normal   Scheduled        pod/testing-1-build   Successfully assigned test/testing-1-build to worker-0.sthakarenewocp4.lab.upshift.rdu2.redhat.com
18s         Normal   AddedInterface   pod/testing-1-build   Add eth0 [10.X.X.X]
17s         Normal   Pulling          pod/testing-1-build   Pulling image "quay.io/openshift-release-dev/ocp-v4.0-art-
---------------snip-----------------------------
13m         Normal   Created          pod/testing-1-build   Created container docker-build
13m         Normal   Started          pod/testing-1-build   Started container docker-build
13m         Normal   BuildStarted     build/testing-1       Build test/testing-1 is now running
10m         Normal   BuildFailed      build/testing-1       Build test/testing-1 failed
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
[quicklab@upi-0 ~]$ oc get all
NAME                  READY   STATUS   RESTARTS   AGE
pod/testing-1-build   0/1     Error    0          13m

NAME                                     TYPE     FROM         LATEST
buildconfig.build.openshift.io/testing   Docker   Dockerfile   1

NAME                                 TYPE     FROM         STATUS                       STARTED          DURATION
build.build.openshift.io/testing-1   Docker   Dockerfile   Failed (DockerBuildFailed)   13 minutes ago   3m9s
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

~~~~~~~~~~~~~~~~~~~~~~~~
[quicklab@upi-0 ~]$ oc logs pod/testing-1-build
Caching blobs under "/var/cache/blobs".
Pulling image registry.redhat.io/ubi8/nodejs-12:latest ...
Getting image source signatures
---------snip------------------------------
Storing signatures
STEP 1: FROM registry.redhat.io/ubi8/nodejs-12:latest
error: build error: error creating build container: Error initializing source docker://registry.redhat.io/ubi8/nodejs-12:latest: unable to retrieve auth token: invalid username/password: unauthorized: Please login to the Red Hat Registry using your Customer Portal credentials. Further instructions can be found here: https://access.redhat.com/RegistryAuthentication
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Version-Release number of selected component (if applicable):
4.5.x

How reproducible:
1. Try creating a new application without using pull secrets in the new project.

Steps to Reproduce:
1. Create a new project.
2. Try to deploy a new application.
3. The application fails due to an authentication issue with registry.redhat.io.

Actual results:
The application fails due to an authentication issue with registry.redhat.io if a manual pull secret is not created.

Expected results:
The application should use the node pull secret as per the new feature mentioned in the documentation.

Additional info:
https://access.redhat.com/solutions/5231531
The build pod cannot access registry.redhat.io. Moving to Build.
Root cause: the Docker strategy options in the test build have the `forcePull: true` option. When `forcePull: true` is set, two pull actions happen:

1. An initial pull when builds detect that the base image is not present in buildah's image cache. This is always the case because at present builds do not have a caching mechanism. The initial pull has the node credentials merged in.
2. A secondary pull initiated by buildah. We are not including the node credentials here.

Removing `forcePull: true` can work around the issue.
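One way to find the BuildConfigs on a cluster that match the root cause above (Docker strategy, `forcePull: true`, and no strategy-level `pullSecret`, so the build depends on the node credentials that buildah's secondary pull lacks) and print the `oc patch` workaround for each. This is an added example, not code from the bug report or from OpenShift; the JSON input is constructed here to mimic `oc get bc -A -o json` output, and the field paths follow the BuildConfig API.

```python
"""Flag BuildConfigs exposed to the forcePull / node-pull-secret problem."""
import json

# Constructed sample of `oc get bc -A -o json` output (not taken from the bug report).
SAMPLE_BC_LIST = json.dumps({
    "apiVersion": "v1",
    "kind": "List",
    "items": [
        # affected: Docker strategy, forcePull true, relies on node credentials
        {"metadata": {"name": "testing", "namespace": "test"},
         "spec": {"strategy": {"type": "Docker",
                               "dockerStrategy": {"forcePull": True}}}},
        # not affected: explicit pullSecret is used for every pull
        {"metadata": {"name": "with-secret", "namespace": "test"},
         "spec": {"strategy": {"type": "Docker",
                               "dockerStrategy": {"forcePull": True,
                                                  "pullSecret": {"name": "rh-registry"}}}}},
        # not affected: forcePull not set, only the initial pull happens
        {"metadata": {"name": "no-force", "namespace": "test"},
         "spec": {"strategy": {"type": "Docker", "dockerStrategy": {}}}},
        # outside the scope of this bug: Source strategy, not Docker
        {"metadata": {"name": "s2i-app", "namespace": "other"},
         "spec": {"strategy": {"type": "Source",
                               "sourceStrategy": {"forcePull": True}}}},
    ],
})


def affected_buildconfigs(bc_list_json):
    """Return (namespace, name) for each Docker-strategy BuildConfig with
    forcePull: true and no strategy-level pullSecret."""
    hits = []
    for item in json.loads(bc_list_json).get("items", []):
        docker = item.get("spec", {}).get("strategy", {}).get("dockerStrategy")
        if not isinstance(docker, dict):
            continue  # Source / Custom / Pipeline strategies are not covered here
        if docker.get("forcePull") is True and "pullSecret" not in docker:
            meta = item["metadata"]
            hits.append((meta["namespace"], meta["name"]))
    return hits


def workaround_patch(namespace, name):
    """Build the `oc patch` command that drops forcePull, i.e. the workaround above."""
    ops = json.dumps([{"op": "remove", "path": "/spec/strategy/dockerStrategy/forcePull"}])
    return f"oc -n {namespace} patch bc {name} --type=json -p '{ops}'"


if __name__ == "__main__":
    for ns, bc in affected_buildconfigs(SAMPLE_BC_LIST):
        print(workaround_patch(ns, bc))
```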
THX! I can confirm, removing forcePull works as a workaround.
Verified in version: 4.7.0-0.nightly-2020-10-24-155529

Steps:
[wewang@wangwen work]$ oc logs -f build/test-1
Receiving source from STDIN as file Dockerfile
Caching blobs under "/var/cache/blobs".
Pulling image registry.redhat.io/ubi8/nodejs-12:latest ...
Getting image source signatures
Copying blob sha256:35ad9b4fba1fa6b00a6f266303348dc0cf9a7c341616e800c2738030c0f64167
Copying blob sha256:da1cc572023a942fff15d59aefa5abbb59d2c24a03966db8074ef8f9bab277d4
Copying blob sha256:ec1681b6a383e4ecedbeddd5abc596f3de835aed6db39a735f62395c8edbff30
Copying blob sha256:5e2ae0c76e83847010202c40d0c7ebac953a6c7871efdea7602b41507b3d11f5
Copying blob sha256:c4d668e229cd131e0a8e4f8218dca628d9cf9697572875e355fe4b247b6aa9f0
Copying config sha256:8a961c0b3cbcc653bf39713aaf79a36d9921618e2a39fd7e5057cf70c203cf87
Writing manifest to image destination
Storing signatures
STEP 1: FROM registry.redhat.io/ubi8/nodejs-12:latest
STEP 2: RUN echo "hello world"
hello world
*** Bug 1897577 has been marked as a duplicate of this bug. ***
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.7.0 security, bug fix, and enhancement update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2020:5633