Bug 1890995 - wew-app should provide more insight into why image deployment failed [NEEDINFO]
Summary: wew-app should provide more insight into why image deployment failed
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: oc
Version: 4.6
Hardware: Unspecified
OS: Unspecified
low
medium
Target Milestone: ---
: 4.7.0
Assignee: Sally
QA Contact: zhou ying
URL:
Whiteboard: LifecycleReset
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2020-10-23 13:44 UTC by Maciej Szulik
Modified: 2021-02-24 15:28 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-02-24 15:27:53 UTC
Target Upstream Version:
Embargoed:
mfojtik: needinfo?


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Github openshift oc pull 691 0 None closed Bug 1890995: oc new-app: provide message for unauthorized error with image lookup 2021-01-13 05:49:03 UTC
Red Hat Product Errata RHSA-2020:5633 0 None None None 2021-02-24 15:28:20 UTC

Description Maciej Szulik 2020-10-23 13:44:50 UTC
I accidentally tried to deploy a private image from Quay and new-app didn't really tell me anything meaningful:

oc new-app --docker-image=quay.io/roddiekieley/podescape-io --loglevel=8
I1023 09:34:07.182112 2838550 loader.go:375] Config loaded from file: /home/thoraxe/.kube/config
I1023 09:34:07.184872 2838550 newapp.go:659] Docker client did not respond to a ping: Get http://unix.sock/_ping: dial unix /var/run/docker.sock: connect: permission denied
I1023 09:34:07.185047 2838550 dockerimagelookup.go:87] checking remote registry for "quay.io/roddiekieley/podescape-io"
{{I1023 09:34:07.185696 2838550 request.go:1017] Request Body: {"kind":"ImageStreamImport","apiVersion":"image.openshift.io/v1","metadata":
{"name":"newapp","creationTimestamp":null}

,"spec":{"import":false,"images":[{"from":
{"kind":"DockerImage","name":"quay.io/roddiekieley/podescape-io"}

,"importPolicy":{},"referencePolicy":{"type":""}}]},"status":{}}}}
I1023 09:34:07.185764 2838550 round_trippers.go:420] POST https://api.cluster-380f.380f.example.opentlc.com:6443/apis/image.openshift.io/v1/namespaces/arcade/imagestreamimports
I1023 09:34:07.185775 2838550 round_trippers.go:427] Request Headers:
I1023 09:34:07.185783 2838550 round_trippers.go:431] Accept: application/json, /
I1023 09:34:07.185790 2838550 round_trippers.go:431] Content-Type: application/json
I1023 09:34:07.185803 2838550 round_trippers.go:431] User-Agent: oc/openshift (linux/amd64) kubernetes/bc08a48
I1023 09:34:07.185813 2838550 round_trippers.go:431] Authorization: Bearer <masked>
I1023 09:34:08.585892 2838550 round_trippers.go:446] Response Status: 201 Created in 1400 milliseconds
I1023 09:34:08.585935 2838550 round_trippers.go:449] Response Headers:
I1023 09:34:08.585948 2838550 round_trippers.go:452] Audit-Id: 54ddbce7-4575-4d02-b523-155e11735fea
I1023 09:34:08.585958 2838550 round_trippers.go:452] Cache-Control: no-cache, private
I1023 09:34:08.585967 2838550 round_trippers.go:452] Cache-Control: no-store
I1023 09:34:08.585981 2838550 round_trippers.go:452] Content-Type: application/json
I1023 09:34:08.585991 2838550 round_trippers.go:452] Date: Fri, 23 Oct 2020 13:34:08 GMT
I1023 09:34:08.586003 2838550 round_trippers.go:452] Content-Length: 860
{{I1023 09:34:08.586057 2838550 request.go:1017] Response Body: {"kind":"ImageStreamImport","apiVersion":"image.openshift.io/v1","metadata":{"name":"newapp","namespace":"arcade","selfLink":"/apis/image.openshift.io/v1/namespaces/arcade/imagestreamimports/newapp","uid":"8883f588-3ee4-4e16-9715-80fac9a79c48","creationTimestamp":"2020-10-23T13:34:07Z","managedFields":[{"manager":"oc","operation":"Update","apiVersion":"image.openshift.io/v1","time":"2020-10-23T13:34:07Z","fieldsType":"FieldsV1","fieldsV1":{"f:spec":{"f:images":{}}}}]},"spec":{"import":false,"images":[{"from":
{"kind":"DockerImage","name":"quay.io/roddiekieley/podescape-io"}

,"importPolicy":{},"referencePolicy":{"type":"Source"}}]},"status":{"images":[{"status":{"metadata":{},"status":"Failure","message":"you may not have access to the container image \"quay.io/roddiekieley/podescape-io:latest\"","reason":"Unauthorized","code":401},"tag":"latest"}]}}}}
{{I1023 09:34:08.592186 2838550 dockerimagelookup.go:230] image import failed: v1.ImageImportStatus{Status:v1.Status{TypeMeta:v1.TypeMeta
{Kind:"", APIVersion:""}

, ListMeta:v1.ListMeta{SelfLink:"", ResourceVersion:"", Continue:"", RemainingItemCount*int64)(nil)}, Status:"Failure", Message:"you may not have access to the container image \"quay.io/roddiekieley/podescape-io:latest\"", Reason:"Unauthorized", Details*v1.StatusDetails)(nil), Code:401}, Image*v1.Image)(nil), Tag:"latest"}}}
F1023 09:34:08.592386 2838550 helpers.go:114] error: unable to locate any local docker images with name "quay.io/roddiekieley/podescape-io"

The 'oc new-app' command will match arguments to the following types:

1. Images tagged into image streams in the current project or the 'openshift' project
{{ - if you don't specify a tag, we'll add ':latest'}}
{{ 2. Images in the Docker Hub, on remote registries, or on the local Docker engine}}
{{ 3. Templates in the current project or the 'openshift' project}}
{{ 4. Git repository URLs or local paths that point to Git repositories}}

--allow-missing-images can be used to point to an image that does not exist yet.

See 'oc new-app -h' for examples.

 

At the time this image was private / required auth. You can see the HTTP status code was 401 unauthorized, but new-app didn't tell me that.

 

It would be nice if, in the case of a failure to interrogate the remote registry, new-app reported what happened. The status message is already there.


This was originally filled in here (https://issues.redhat.com/browse/RFE-1328).

Comment 1 Sally 2020-11-12 17:55:29 UTC
Looking into this in the upcoming sprint.

Comment 2 Sally 2020-12-05 00:07:12 UTC
Other bugs/PRs took priority this sprint, adding upcoming sprint, will submit a PR for this in the coming days

Comment 3 Michal Fojtik 2021-01-04 00:58:27 UTC
This bug hasn't had any activity in the last 30 days. Maybe the problem got resolved, was a duplicate of something else, or became less pressing for some reason - or maybe it's still relevant but just hasn't been looked at yet. As such, we're marking this bug as "LifecycleStale" and decreasing the severity/priority. If you have further information on the current state of the bug, please update it, otherwise this bug can be closed in about 7 days. The information can be, for example, that the problem still occurs, that you still want the feature, that more information is needed, or that the bug is (for whatever reason) no longer relevant. Additionally, you can add LifecycleFrozen into Keywords if you think this bug should never be marked as stale. Please consult with bug assignee before you do that.

Comment 4 Michal Fojtik 2021-01-11 16:38:51 UTC
The LifecycleStale keyword was removed because the bug moved to QE.
The bug assignee was notified.

Comment 6 zhou ying 2021-01-15 02:56:24 UTC
With latest oc client, could see the wrong now:
[root@dhcp-140-138 ~]# oc version 
Client Version: 4.7.0-202101122125.p0-9eb2f8f


[root@dhcp-140-138 ~]# oc new-app --docker-image=quay.io/sallyom/podescape-io:test
W0115 10:54:26.961736   22550 dockerimagelookup.go:240] container image remote registry lookup failed: you may not have access to the container image "quay.io/sallyom/podescape-io:test"
error: unable to locate any local docker images with name "quay.io/sallyom/podescape-io:test"

The 'oc new-app' command will match arguments to the following types:

  1. Images tagged into image streams in the current project or the 'openshift' project
     - if you don't specify a tag, we'll add ':latest'
  2. Images in the Docker Hub, on remote registries, or on the local Docker engine
  3. Templates in the current project or the 'openshift' project
  4. Git repository URLs or local paths that point to Git repositories

--allow-missing-images can be used to point to an image that does not exist yet.

See 'oc new-app -h' for examples.


Compared with older version : 
[root@localhost ~]# oc version 
Client Version: 4.7.0-202101060325.p0-d69d7c4

[root@localhost ~]# oc new-app --docker-image=quay.io/sallyom/podescape-io:test
error: unable to locate any local docker images with name "quay.io/sallyom/podescape-io:test"

The 'oc new-app' command will match arguments to the following types:

  1. Images tagged into image streams in the current project or the 'openshift' project
     - if you don't specify a tag, we'll add ':latest'
  2. Images in the Docker Hub, on remote registries, or on the local Docker engine
  3. Templates in the current project or the 'openshift' project
  4. Git repository URLs or local paths that point to Git repositories

--allow-missing-images can be used to point to an image that does not exist yet.

See 'oc new-app -h' for examples.

Comment 9 errata-xmlrpc 2021-02-24 15:27:53 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.7.0 security, bug fix, and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2020:5633


Note You need to log in before you can comment on or make changes to this bug.