Failed to push images to private registry on OCP 3.11

Question

Failed to push images to private registry on OCP 3.11

shlao opened this issue 5 years ago · comments

HI, I try to setup the environment for ci-operator to watch Installer
Then I get the following errors when pushing images to the OCP 3.11 private registry:
*** Image of the release container is : registry.svc.ci.openshift.org/openshift/origin-v4.0@sha256:08a5da4ce4fa7b95393c15ff7ab0ea1a97edf5aa2f9bef6150e60370fd641555

a) ci-operator has not been tested with self-signed docker registry, and I get the errors:
error: unable to check your credentials - pass --skip-check to bypass this error: Get https://docker-registry.default.svc:5000/v2/: x509: certificate signed by unknown authority

b) errors from command: oc adm release, in container 'registry.svc.ci.openshift.org/openshift/origin-v4.0'
I) error: only image streams with public image repositories can be the source for releases when using the default --reference-mode
II) error: --to-image was not valid: invalid reference format

c) Registry access problem:
denied: requested access to the resource is denied

For Problem A), I update the ca with commands:
$ docker cp /etc/origin/master/ca-bundle.crt f4916a7c15f5:/etc/pki/ca-trust/source/anchors/openshift-ca.crt
[root@f4916a7c15f5 ~]# update-ca-trust enable

But I don't know how to fix the problems of b, c.

Petr Muller · Answer 1 · Mon Feb 11 2019 21:40:25 GMT+0800 (China Standard Time)

Hi, thanks for the report! To be able to help you out, we'll need more information from you:

What cluster are you trying to run ci-operator against? I understand it's some custom OCP 3.11 cluster?
Please provide exact inputs/outputs you are using. Ideally, give us the full ci-operator command you are trying to run (with all parameters), the ci-operator config file content you use and any relevant environmental variable content (like JOB_SPEC).

More information about what you are trying to achieve would be helpful as well. Could you elaborate more on "setup the environment for ci-operator to watch installer"?

Sheng Lao · Answer 2 · Tue Feb 12 2019 17:05:21 GMT+0800 (China Standard Time)

@petr-muller Thanks

OCP 3.11 is installed on two nodes: one master, one infra. I use the ansible playbooks to setup the cluster and follow the guide to configure the private registry (with ssl).
I don't set any environment variables, like JOB_SPEC. I start ci-operator (on the master node), as follows:
ci-operator --v --git-ref=shlao/installer@master
--config /root/go/src/github.com/openshift/release/ci-operator/config/openshift/installer/openshift-installer-master.yaml
--template /root/go/src/github.com/openshift/release/ci-operator/templates/openshift/installer/cluster-launch-installer-e2e.yaml
Here is the excerpt.

$ oc get pod release-latest -o yaml
apiVersion: v1
kind: Pod
metadata:
  annotations:
    ci-operator.openshift.io/container-sub-tests: release
    ci.openshift.io/job-spec: ""
    openshift.io/scc: anyuid
  creationTimestamp: 2019-02-02T02:41:09Z
  labels:
    build-id: ""
    created-by-ci: "true"
    job: dev
    persists-between-builds: "false"
    prow.k8s.io/id: ""
  name: release-latest
  namespace: ci-op-7ki07xfl
  ownerReferences:
  - apiVersion: image.openshift.io/v1
    controller: true
    kind: ImageStream
    name: pipeline
    uid: 70973860-2693-11e9-895c-fa163e380b62
  resourceVersion: "6231"
  selfLink: /api/v1/namespaces/ci-op-7ki07xfl/pods/release-latest
  uid: ff695cbf-2693-11e9-895c-fa163e380b62
spec:
  containers:
  - command:
    - /bin/sh
    - -c
    - |
      #!/bin/sh
      set -eu

      set -euo pipefail
      export HOME=/tmp
      oc registry login
      oc adm release new --max-per-registry=32 -n "ci-op-7ki07xfl" --from-image-stream "stable" --to-image-base "docker-registry.default.svc:5000/ci-op-7ki07xfl/stable@sha256:34abb8345b741ad2da356f7bf380cefe511f1d1380df9bc7d77a8e01b51fadd7" --to-image ":latest"
      oc adm release extract --from=":latest" --to=/tmp/artifacts/release-payload
    image: registry.svc.ci.openshift.org/openshift/origin-v4.0@sha256:08a5da4ce4fa7b95393c15ff7ab0ea1a97edf5aa2f9bef6150e60370fd641555
    imagePullPolicy: IfNotPresent
    name: release
    securityContext:
      capabilities:
        drop:
    volumeMounts:
    - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
      name: builder-token-85z26
      readOnly: true
  imagePullSecrets:
  - name: builder-dockercfg-np72j
  nodeName: qe-shlao-cimerrn-1
  nodeSelector:
    node-role.kubernetes.io/compute: "true"
  securityContext:
    seLinuxOptions:
      level: s0:c17,c9
  serviceAccount: builder
  serviceAccountName: builder
  terminationGracePeriodSeconds: 30
  tolerations:
  - name: builder-token-85z26
    secret:
      defaultMode: 420
      secretName: builder-token-85z26
status:
  containerStatuses:
  - containerID: docker://6309ccf407f1076abf78a59eb1e3ee4bf496e0fb514375634d6948f99e2f0d09
    image: registry.svc.ci.openshift.org/openshift/origin-v4.0@sha256:08a5da4ce4fa7b95393c15ff7ab0ea1a97edf5aa2f9bef6150e60370fd641555
    imageID: docker-pullable://registry.svc.ci.openshift.org/openshift/origin-v4.0@sha256:08a5da4ce4fa7b95393c15ff7ab0ea1a97edf5aa2f9bef6150e60370fd641555
    lastState: {}
    name: release
    ready: false
    restartCount: 0
    state:
      terminated:
        containerID: docker://6309ccf407f1076abf78a59eb1e3ee4bf496e0fb514375634d6948f99e2f0d09
        exitCode: 1
        finishedAt: 2019-02-02T02:41:16Z
        message: |
          info: Using internal registry hostname docker-registry.default.svc:5000
          error: unable to check your credentials - pass --skip-check to bypass this error: Get https://docker-registry.default.svc:5000/v2/: x509: certificate signed by unknown authority
        reason: Error

Here is the command that raises the errors:
oc adm release new --max-per-registry=32 -n "ci-op-7ki07xfl" --from-image-stream "stable" --to-image-base "docker-registry.default.svc:5000/ci-op-7ki07xfl

It seems that the release pod doesn't has the ca-bundle of the private registry and the secret doesn't has the privilege to push images : builder-token-85z26

Where can I set the secret and how?

Thanks

Sheng Lao · Answer 3 · Tue Feb 12 2019 17:14:48 GMT+0800 (China Standard Time)

The output log is similar to logs

But failed at the release step.

Petr Muller · Answer 4 · Tue Feb 12 2019 22:14:58 GMT+0800 (China Standard Time)

You can use triple backticks to pass log or code blocks properly formatted. Please provide the output of ci-operator command (the one you give in bullet 2), ideally after you fix the SSL setup (I don't think we'll want to deal with running ci-operator against misconfigured registries, like ones with self-signed certificate).

Anyway, executing ci-operator against a custom cluster is quite uncommon. What are you trying to achieve? If you want to experiment with executing it or maybe with developing test template we provide a staging namespace on api.ci for that.

Sheng Lao · Answer 5 · Tue Feb 12 2019 23:36:29 GMT+0800 (China Standard Time)

@petr-muller The log is too long. I attach it (use cluster-launch-installer-libvirt-e2e.yaml).
ci-operator-installer.log.txt

For now, There are only a few e2e test cases for installer. We ,OCP QE, need to add more test-cases about that.
For example, when Upstream releasing a new version of Installer, we want to use it to deploy OCP on Openstack 12, 13, 14...

Petr Muller · Answer 6 · Wed Feb 13 2019 01:35:52 GMT+0800 (China Standard Time)

That's still the failure caused by self-signed certificate, no?

Sheng Lao · Answer 7 · Wed Feb 13 2019 14:12:45 GMT+0800 (China Standard Time)

Yes, you are right. I can handle the ca failed. then ci-operator will raise problems of b and c , in release-latest pod:
oc adm release new --max-per-registry=32 -n "ci-op-7ki07xfl" --from-image-stream "stable" --to-image-base "docker-registry.default.svc:5000/ci-op-7ki07xfl

Sheng Lao · Answer 8 · Tue Feb 26 2019 16:16:29 GMT+0800 (China Standard Time)

Use --to-file instead of --to-image-b
or
Using OCP ci cluster