Unable to use new-app to create from a --docker-image docker (authentication error?) #18860

benwaine · 2018-03-06T16:23:40Z

I am attempting to use the new app command to create an application, specifying an image from an external repository using the --docker-image argument. The created pod gets stuck on an image pull error.

Based on the error received in the pod event log I'm assuming I have made some invalid assumptions regards how to authenticate against a private repository. I'm reading from this guide.

Error:

Failed to pull image "registry.hub.docker.com/akbenaw/demo-app:latest": rpc error: code = 2 desc = Error response from daemon: {"message":"pull access denied for registry.hub.docker.com/akbenaw/demo-app, repository does not exist or may require 'docker login'"}

Any help would be much appreciated!

Version

oc v3.7.1+ab0f056
kubernetes v1.7.6+a08f5eeb62
features: Basic-Auth

Server https://192.168.99.100:8443
openshift v3.7.1+a8deba5-34
kubernetes v1.7.6+a08f5eeb62

Using docker toolbox for mac.

Steps To Reproduce

Create A Cluster

oc cluster up --create-machine

Update config to allow pulling from private docker repository

docker cp origin:/var/lib/origin/openshift.local.config .
Update the master-config.yaml file to add registry.hub.docker.com

# ....
imagePolicyConfig:
  allowedRegistriesForImport:
  - domainName: registry.hub.docker.com
  - domainName: docker.io
  - domainName: '*.docker.io'
# ....

docker cp master-config.yaml origin:/var/lib/origin/openshift.local.config/master/

Restart Cluster

oc cluster down
oc cluster up --use-existing-config

Build And Push Docker Image

docker login registry.hub.docker.com
docker build . -t registry.hub.docker.com/akbenaw/demo-app:latest
docker push registry.hub.docker.com/akbenaw/demo-app:latest

Create Pull Secret & Add To Default SA

oc login https://192.168.99.100:8443 --token=xxxxxxxxxx
oc secret new-dockercfg docker-config-akbenaw-rep --docker-email="ben.andersen-waine@xxxxxx.com" --docker-username="akbenaw" --docker-password="xxxxxxxxxxxxx" --docker-server="registry.hub.docker.com"
oc secrets link default docker-config-akbenaw-rep --for=pull

Create a new-app

oc new-app --docker-image=registry.hub.docker.com/akbenaw/demo-app --name=demo-app

W0306 16:13:59.343503   56337 newapp.go:440] Could not find an image stream match for "registry.hub.docker.com/akbenaw/demo-app:latest". Make sure that a Docker image with that tag is available on the node for the deployment to succeed.
--> Found Docker image f480e20 (6 hours old) from registry.hub.docker.com for "registry.hub.docker.com/akbenaw/demo-app:latest"

    * This image will be deployed in deployment config "demo-app"
    * Port 8080/tcp will be load balanced by service "demo-app"
      * Other containers can access this service through the hostname "demo-app"

--> Creating resources ...
    deploymentconfig "demo-app" created
    service "demo-app" created
--> Success
    Application is not exposed. You can expose services to the outside world by executing one or more of the commands below:
     'oc expose svc/demo-app'
    Run 'oc status' to view your app.

Current Result

oc describe pos xxxxx

Name:		demo-app-1-dtv9r
Namespace:	myproject
Node:		localhost/10.0.2.15
Start Time:	Tue, 06 Mar 2018 16:14:00 +0000
Labels:		app=demo-app
		deployment=demo-app-1
		deploymentconfig=demo-app
Annotations:	kubernetes.io/created-by={"kind":"SerializedReference","apiVersion":"v1","reference":{"kind":"ReplicationController","namespace":"myproject","name":"demo-app-1","uid":"60b28c13-2159-11e8-b798-6a87990b...
		openshift.io/deployment-config.latest-version=1
		openshift.io/deployment-config.name=demo-app
		openshift.io/deployment.name=demo-app-1
		openshift.io/generated-by=OpenShiftNewApp
		openshift.io/scc=restricted
Status:		Pending
IP:		172.17.0.3
Created By:	ReplicationController/demo-app-1
Controlled By:	ReplicationController/demo-app-1
Containers:
  demo-app:
    Container ID:
    Image:		registry.hub.docker.com/akbenaw/demo-app:latest
    Image ID:
    Port:		8080/TCP
    State:		Waiting
      Reason:		ErrImagePull
    Ready:		False
    Restart Count:	0
    Environment:	<none>
    Mounts:
      /var/run/secrets/kubernetes.io/serviceaccount from default-token-66nwk (ro)
Conditions:
  Type		Status
  Initialized 	True
  Ready 	False
  PodScheduled 	True
Volumes:
  default-token-66nwk:
    Type:	Secret (a volume populated by a Secret)
    SecretName:	default-token-66nwk
    Optional:	false
QoS Class:	BestEffort
Node-Selectors:	<none>
Tolerations:	<none>
Events:
  FirstSeen	LastSeen	Count	From			SubObjectPath			Type		Reason			Message
  ---------	--------	-----	----			-------------			--------	------			-------
  1m		1m		1	default-scheduler					Normal		Scheduled		Successfully assigned demo-app-1-dtv9r to localhost
  1m		1m		1	kubelet, localhost					Normal		SuccessfulMountVolume	MountVolume.SetUp succeeded for volume "default-token-66nwk"
  1m		20s		3	kubelet, localhost	spec.containers{demo-app}	Normal		Pulling			pulling image "registry.hub.docker.com/akbenaw/demo-app:latest"
  1m		19s		3	kubelet, localhost	spec.containers{demo-app}	Warning		Failed			Failed to pull image "registry.hub.docker.com/akbenaw/demo-app:latest": rpc error: code = 2 desc = Error response from daemon: {"message":"pull access denied for registry.hub.docker.com/akbenaw/demo-app, repository does not exist or may require 'docker login'"}
  1m		19s		3	kubelet, localhost	spec.containers{demo-app}	Warning		Failed			Error: ErrImagePull
  1m		4s		3	kubelet, localhost	spec.containers{demo-app}	Normal		BackOff			Back-off pulling image "registry.hub.docker.com/akbenaw/demo-app:latest"
  1m		4s		3	kubelet, localhost	spec.containers{demo-app}	Warning		Failed			Error: ImagePullBackOff

Expected Result

A functioning application running my demo-app

The text was updated successfully, but these errors were encountered:

jwforres · 2018-03-08T15:58:15Z

@openshift/sig-developer-experience

bparees · 2018-03-08T16:10:44Z

I think this is a known issue w/ how secrets are created by that command.

Can you try creating a raw secret instead by:

do a docker login so your .dockerconfigjson file contains proper creds
create a secret via: oc secrets new dockeridsecret .dockerconfigjson=yourconfig.json

?

/cc @juanvallejo

juanvallejo · 2018-03-08T16:38:40Z

I believe there was a fix for this backported to 3.7, however that commit does not appear to have made it into @benwaine 's specific version of the client

benwaine · 2018-05-24T11:55:45Z

Apologies for the late response.

Thanks for supplying a resolution!

openshift-ci-robot added the sig/developer-experience label Mar 8, 2018

jwforres assigned bparees Mar 8, 2018

jwforres added the kind/question label Mar 8, 2018

bparees closed this as completed Mar 21, 2018

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Unable to use new-app to create from a --docker-image docker (authentication error?) #18860

Unable to use new-app to create from a --docker-image docker (authentication error?) #18860

benwaine commented Mar 6, 2018

jwforres commented Mar 8, 2018

bparees commented Mar 8, 2018

juanvallejo commented Mar 8, 2018

benwaine commented May 24, 2018

Unable to use new-app to create from a --docker-image docker (authentication error?) #18860

Unable to use new-app to create from a --docker-image docker (authentication error?) #18860

Comments

benwaine commented Mar 6, 2018

Version

Steps To Reproduce

Create A Cluster

Update config to allow pulling from private docker repository

Restart Cluster

Build And Push Docker Image

Create Pull Secret & Add To Default SA

Create a new-app

Current Result

Expected Result

jwforres commented Mar 8, 2018

bparees commented Mar 8, 2018

juanvallejo commented Mar 8, 2018

benwaine commented May 24, 2018