New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Nginx Router doesn't work correctly with default docker registry #21067

Open
avenging opened this Issue Sep 21, 2018 · 2 comments

Comments

Projects
None yet
5 participants
@avenging

avenging commented Sep 21, 2018

Describe the bug
The default Nginx router configuration template doesn't work correctly with the default container registry installed in Openshift/Minishift.

The Nginx router configuration generated is causing the registry to send a re-direct to a port that is not open.

To reproduce
This example uses Minishift, but is guaranteed not to work in an oc cluster up set-up as well.
Follow the docs to:
Start up a Minishift instance
Build the nginx-router and deploy it replacing the default HAProxy router.

Then:
Install docker and the oc binary on a centos7 server separate to Minishift then try and login to the docker registry in the Minishift instance.
For instance a Minishift instance running in Virtualbox with IP 172.16.1.103:

  1. yum -y install docker wget
  2. systemctl start docker
  3. wget https://github.com/openshift/origin/releases/download/v3.10.0/openshift-origin-server-v3.10.0-dd10d17-linux-64bit.tar.gz
  4. tar zxf openshift-origin-server-v3.10.0-dd10d17-linux-64bit.tar.gz
  5. cp openshift-origin-server-v3.10.0-dd10d17-linux-64bit/oc /usr/bin
  6. oc login -u developer https://172.16.1.103:8443
    The server uses a certificate signed by an unknown authority.
    You can bypass the certificate check, but any data you send to the server could be intercepted by others.
    Use insecure connections? (y/n): y
  7. Enter user password (typically anything in Minishift)
  8. Add the Minishift docker registry as an insecure registry
    [root@centos-server ~]# cat < /etc/docker/daemon.json
    {
    "insecure-registries" : ["docker-registry-default.172.16.1.103.nip.io"]
    }
    END
  9. Attempt to login to the docker registry:
    [root@centos-server ~]# docker login -u developer -p $(oc whoami -t) docker-registry-default.172.16.1.103.nip.io
    Error response from daemon: Get https://docker-registry-default.172.16.1.103.nip.io/v2/: Get https://docker-registry-default.172.16.1.103.nip.io:10444/openshift/token?account=developer&client_id=docker&offline_token=true: dial tcp 172.16.1.103:10444: getsockopt: connection refused

Expected behavior
Registry login should succeed as it does with the HAProxy router:
[root@centos-server ~]# docker login -u developer -p $(oc whoami -t) docker-registry-default.172.16.1.103.nip.io
Login Succeeded

Your environment

  • Minishift version
    $ ./minishift version
    minishift v1.22.0+7163416
    Running Openshift 3.9
    OC Version
    oc v3.10.0+dd10d17
    kubernetes v1.10.0+b81c8f8
    features: Basic-Auth GSSAPI Kerberos SPNEGO

Server https://172.16.1.103:8443
openshift v3.9.0+71543b2-33
kubernetes v1.9.1+a0ce1bc657

  • NGINX router version
    Latest from master branch of origin repo.

Additional context
Removing:
proxy_set_header X-Forwarded-Port $server_port;
From the Nginx configuration fixes the problem.

@jwforres

This comment has been minimized.

Show comment
Hide comment
@bparees

This comment has been minimized.

Show comment
Hide comment
@bparees

bparees Oct 17, 2018

Contributor

this seems to be wholly a nginx router configuration issue, removing devex.

Contributor

bparees commented Oct 17, 2018

this seems to be wholly a nginx router configuration issue, removing devex.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment