Failed to pull image docker.io/openshift/origin-deployer:v3.11.0 - too many requests

Question

Failed to pull image docker.io/openshift/origin-deployer:v3.11.0 - too many requests

cassanellicarlo opened this issue 4 years ago · comments

Carlo Cassanelli commented 4 years ago

Failing to pull Openshift origin-deployer image from Docker Hub because of the pull rate limit.

Version

Kubernetes v1.11.0+d4cacc0
OKD v3.11.0+1b5fc2d-513

Current Result

Failed to pull image docker.io/openshift/origin-deployer:v3.11.0: rpc error: code = Unknown desc = too many requests: You have reached your pull rate limit. You may increase the limit by authenticating and upgrading: https://www.docker.com/increase-rate-limit

Expected Result

Not having this error for the origin deployer.
Is there a way to solve this problem? We would like to not configure secrets for the docker hub on every deployment. Maybe the solution is to switch to another registry?

Clayton Coleman · Answer 1 · Thu Dec 03 2020 23:30:01 GMT+0800 (China Standard Time)

OKD is published to quay.io and mirrored to dockerhub. Using quay.io/openshift/origin-...:v3.11 as your oreg_url should be more successful for you. We are discussing changing the defaults.

Carlo Cassanelli · Answer 2 · Thu Dec 03 2020 23:45:43 GMT+0800 (China Standard Time)

What url do i need to specify exactly?

The documentation here specifies oreg_url=registry.redhat.io/openshift3/ose-${component}:${version}

Is this the correct url i have to put?
oreg_url=quay.io/openshift/origin-${component}:${version}

Thanks

Nate Childers · Answer 3 · Fri Dec 04 2020 20:50:29 GMT+0800 (China Standard Time)

@smarterclayton I'm sure you've considered it but it's worth mentioning if not. Could you also document what it would take to retrofit an existing cluster with updated "oreg_url" so that those of us with existing production clusters can affect this change?

We've looked into playbooks/openshift-node/imageconfig.yml but it doesn't seem to make the appropriate changes.

Russell Teague · Answer 4 · Fri Dec 04 2020 22:34:34 GMT+0800 (China Standard Time)

I was looking into this yesterday and will be posting something shortly that should help.

Russell Teague · Answer 5 · Fri Dec 04 2020 23:24:29 GMT+0800 (China Standard Time)

I've opened #12278 to help with moving away from docker.io for OKD 3.11. For new installs this will mostly use quay.io with a few images still being pulled from docker.io.

I found that using oreg_url had some nuances that made it more difficult to get a successful install.

Running an upgrade with these changes will switch many images over to quay.io however some deployments may still use docker.io images until they are restarted.

Non quay.io images after a fresh install:

$ oc get pods --all-namespaces -o json | grep -e '\"image\":' | grep -v "quay.io" | sort | uniq         
                        "image": "docker.io/ansibleplaybookbundle/origin-ansible-service-broker:v3.11",
                        "image": "docker.io/grafana/grafana:5.2.1",
                        "image": "docker.io/openshift/oauth-proxy:v1.1.0",
                        "image": "docker.io/openshift/prometheus-alertmanager:v0.15.2",
                        "image": "docker.io/openshift/prometheus-node-exporter:v0.16.0",
                        "image": "docker.io/openshift/prometheus:v2.3.2",
                        "image": "grafana/grafana:5.2.1",
                        "image": "openshift/oauth-proxy:v1.1.0",
                        "image": "openshift/prometheus-alertmanager:v0.15.2",
                        "image": "openshift/prometheus-node-exporter:v0.16.0",
                        "image": "openshift/prometheus:v2.3.2",
                        "image": "registry.access.redhat.com/openshift3/registry-console:v3.11",

Some of these could be addressed at a later date, but only if the image is already available in quay.io.

Russell Teague · Answer 6 · Sat Dec 05 2020 03:51:41 GMT+0800 (China Standard Time)

Fixed in #12278