Cannot pull image from GitLab private registry (OpenShift)

I cannot pull an image from the GitLab private registry.

How to use the Container Registry

First log in to GitLab’s Container Registry using your GitLab username and password. If you have 2FA enabled you need to use a personal access token:

docker login registry.gitlab.com

OpenShift version

oc version
oc v3.6.1+008f2d5
kubernetes v1.6.1+5115d708d7
features: Basic-Auth GSSAPI Kerberos SPNEGO

openshift v3.6.1+008f2d5
kubernetes v1.6.1+5115d708d7

Steps To Reproduce

oc new-project test2
oc project test2

oc secrets new-dockercfg secret \
    --docker-server=https://registry.gitlab.com \
    --docker-username=user \
    --docker-password="pass" \
    [email protected]
secret/secret

oc secrets link builder secret --for=pull
oc secrets link default secret --for=pull
oc secrets link deployer secret --for=pull

oc new-app --docker-image='registry.gitlab.com/user/imagename:latest' --loglevel=5
I1227 12:37:21.263940   77342 newapp.go:486] Docker client did not respond to a ping: Get http://unix.sock/_ping: dial unix /var/run/docker.sock: connect: permission denied
I1227 12:37:21.264210   77342 dockerimagelookup.go:79] checking remote registry for "registry.gitlab.com/user/imagename:latest"
I1227 12:37:22.356499   77342 dockerimagelookup.go:214] image import failed: image.ImageImportStatus{Tag:"latest", Status:v1.Status{TypeMeta:v1.TypeMeta{Kind:"", APIVersion:""}, ListMeta:v1.ListMeta{SelfLink:"", ResourceVersion:""}, Status:"Failure", Message:"Internal error occurred: Get https://registry.gitlab.com/v2/user/imagename/manifests/latest: denied: access forbidden", Reason:"InternalError", Details:(*v1.StatusDetails)(0xc42072aff0), Code:500}, Image:(*image.Image)(nil)}
W1227 12:37:22.356612   77342 dockerimagelookup.go:220] Docker registry lookup failed: Get https://registry.gitlab.com/v2/user/imagename/manifests/latest: denied: access forbidden
F1227 12:37:22.356776   77342 helpers.go:119] error: no match for "registry.gitlab.com/user/imagename:latest"

Current Result

The image did not pull from the registry: denied: access forbidden

Expected Result

Images must pull from the registry.

Additional Information

oc get all -o json -n test2
{
    "apiVersion": "v1",
    "items": [],
    "kind": "List",
    "metadata": {},
    "resourceVersion": "",
    "selfLink": ""
}

oc describe secret/secret
Name:       secret
Namespace:  test2
Labels:     <none>
Annotations:    <none>

Type:   kubernetes.io/dockercfg

Data
====
.dockercfg: {"https://registry.gitlab.com":{"username":"user","password":"pass","email":"[email protected]","auth":"someauth"}}

oc describe serviceaccount/default
Name:       default
Namespace:  test2
Labels:     <none>
Annotations:    <none>

Image pull secrets: default-dockercfg-8h0hq
                    secret

Mountable secrets:  default-dockercfg-8h0hq
                    default-token-8dc0x

Tokens:             default-token-6s4bl
                    default-token-8dc0x

oc describe serviceaccount/builder
Name:       builder
Namespace:  test2
Labels:     <none>
Annotations:    <none>

Image pull secrets: builder-dockercfg-w3lfm
                    secret

Mountable secrets:  builder-token-t7kzh
                    builder-dockercfg-w3lfm

Tokens:             builder-token-c1nt6
                    builder-token-t7kzh

oc describe serviceaccount/deployer
Name:       deployer
Namespace:  test2
Labels:     <none>
Annotations:    <none>

Image pull secrets: deployer-dockercfg-zqnxx
                    secret

Mountable secrets:  deployer-token-sbl9c
                    deployer-dockercfg-zqnxx

Tokens:             deployer-token-sbl9c
                    deployer-token-z61sv

oc adm diagnostics
[Note] Determining if client configuration exists for client/cluster diagnostics
Info:  Successfully read a client config file at '/home/centos/.kube/config'
Info:  Using context for cluster-admin access: 'default/oshift.com/system:admin'
[Note] Performing systemd discovery

[Note] Running diagnostic: ConfigContexts[api-gateway/oshift.com/admin]
       Description: Validate client config context is complete and has connectivity

Info:  For client config context 'api-gateway/oshift.com/admin':
       The server URL is 'https://oshift.com'
       The user authentication is 'admin/oshift.com'
       The current project is 'api-gateway'
       Successfully requested project list; has access to project(s):
         [datasources datasources-china-copy hello-openshift hola superpython test test2 testproject]

[Note] Running diagnostic: ConfigContexts[default/oshift.com/system:admin]
       Description: Validate client config context is complete and has connectivity

Info:  For client config context 'default/oshift.com/system:admin':
       The server URL is 'https://oshift.com'
       The user authentication is 'system:admin/oshift.com'
       The current project is 'default'
       Successfully requested project list; has access to project(s):
         [datasources datasources-china-copy default hello-openshift hola kube-public kube-system logging management-infra openshift ...]

[Note] Running diagnostic: DiagnosticPod
       Description: Create a pod to run diagnostics from the application standpoint

ERROR: [DCli2012 from diagnostic DiagnosticPod@openshift/origin/pkg/diagnostics/client/run_diagnostics_pod.go:156]
       See the errors below in the output from the diagnostic pod:
       [Note] Running diagnostic: PodCheckAuth
              Description: Check that service account credentials authenticate as expected

       Info:  Service account token successfully authenticated to master
       ERROR: [DP1014 from diagnostic PodCheckAuth@openshift/origin/pkg/diagnostics/pod/auth.go:174]
              Request to integrated registry timed out; this typically indicates network or SDN problems.

       [Note] Running diagnostic: PodCheckDns
              Description: Check that DNS within a pod works as expected

       [Note] Summary of diagnostics execution (version v3.6.1+008f2d5):
       [Note] Errors seen: 1

[Note] Running diagnostic: NetworkCheck
       Description: Create a pod on all schedulable nodes and run network diagnostics from the application standpoint

ERROR: [DNet2001 from diagnostic NetworkCheck@openshift/origin/pkg/diagnostics/network/run_pod.go:83]
       Checking network plugin failed. Error: User "admin" cannot get clusternetworks at the cluster scope

[Note] Skipping diagnostic: AggregatedLogging
       Description: Check aggregated logging integration for proper configuration
       Because: Master configuration is unreadable

[Note] Running diagnostic: ClusterRegistry
       Description: Check that there is a working Docker registry

ERROR: [DClu1006 from diagnostic ClusterRegistry@openshift/origin/pkg/diagnostics/cluster/registry.go:206]
       The "docker-registry" service exists but has no associated pods, so it
       is not available. Builds and deployments that use the registry will fail.

[Note] Running diagnostic: ClusterRoleBindings
       Description: Check that the default ClusterRoleBindings are present and contain the expected subjects

Info:  clusterrolebinding/cluster-readers has more subjects than expected.

       Use the `oadm policy reconcile-cluster-role-bindings` command to update the role binding to remove extra subjects.

Info:  clusterrolebinding/cluster-readers has extra subject {ServiceAccount management-infra management-admin    }.
Info:  clusterrolebinding/cluster-readers has extra subject {ServiceAccount default router    }.

Info:  clusterrolebinding/self-provisioners has more subjects than expected.

       Use the `oadm policy reconcile-cluster-role-bindings` command to update the role binding to remove extra subjects.

Info:  clusterrolebinding/self-provisioners has extra subject {ServiceAccount management-infra management-admin    }.

[Note] Running diagnostic: ClusterRoles
       Description: Check that the default ClusterRoles are present and contain the expected permissions

[Note] Running diagnostic: ClusterRouterName
       Description: Check there is a working router

ERROR: [DClu2007 from diagnostic ClusterRouter@openshift/origin/pkg/diagnostics/cluster/router.go:157]
       The "router" DeploymentConfig exists but has no running pods, so it
       is not available. Apps will not be externally accessible via the router.

[Note] Skipping diagnostic: MasterNode
       Description: Check if master is also running node (for Open vSwitch)
       Because: (DClu3008) Master config provided but unable to parse: open /etc/origin/master/master-config.yaml: permission denied

[Note] Skipping diagnostic: MetricsApiProxy
       Description: Check the integrated heapster metrics can be reached via the API proxy
       Because: The heapster service does not exist in the openshift-infra project at this time,
       so it is not available for the Horizontal Pod Autoscaler to use as a source of metrics.

[Note] Running diagnostic: NodeDefinitions
       Description: Check node records on master

WARN:  [DClu0003 from diagnostic NodeDefinition@openshift/origin/pkg/diagnostics/cluster/node_definitions.go:113]
       Node is-oshift-master-01.novalocal is ready but is marked Unschedulable.
       This is usually set manually for administrative reasons.
       An administrator can mark the node schedulable with:
           oadm manage-node is-oshift-master-01.novalocal --schedulable=true

       While in this state, pods should not be scheduled to deploy on the node.
       Existing pods will continue to run until completed or evacuated (see
       other options for 'oadm manage-node').

[Note] Running diagnostic: RouteCertificateValidation
       Description: Check all route certificates for certificates that might be rejected by extended validation.

[Note] Running diagnostic: ServiceExternalIPs
       Description: Check for existing services with ExternalIPs that are disallowed by master config

ERROR: [DH0002 from diagnostic ServiceExternalIPs@openshift/origin/pkg/diagnostics/host/util.go:38]
       Could not read master config file '/etc/origin/master/master-config.yaml':
       (*os.PathError) open /etc/origin/master/master-config.yaml: permission denied

Info:  Unreadable master config; skipping this diagnostic.

[Note] Running diagnostic: AnalyzeLogs
       Description: Check for recent problems in systemd service logs

Info:  Checking journalctl logs for 'origin-master' service
Info:  Checking journalctl logs for 'origin-node' service
Info:  Checking journalctl logs for 'docker' service

[Note] Running diagnostic: MasterConfigCheck
       Description: Check the master config file

ERROR: [DH0002 from diagnostic MasterConfigCheck@openshift/origin/pkg/diagnostics/host/util.go:38]
       Could not read master config file '/etc/origin/master/master-config.yaml':
       (*os.PathError) open /etc/origin/master/master-config.yaml: permission denied

[Note] Running diagnostic: NodeConfigCheck
       Description: Check the node config file

ERROR: [DH1002 from diagnostic NodeConfigCheck@openshift/origin/pkg/diagnostics/host/check_node_config.go:38]
       Could not read node config file '/etc/origin/node/node-config.yaml':
       (*os.PathError) open /etc/origin/node/node-config.yaml: permission denied

[Note] Running diagnostic: UnitStatus
       Description: Check status for related systemd units

[Note] Summary of diagnostics execution (version v3.6.1+008f2d5):
[Note] Warnings seen: 1
[Note] Errors seen: 7

Solution

  • Found a solution.

    So GitLab does the authentication in two steps: first gitlab.com, then registry.gitlab.com. Actually, the error we got was the first one, which was being dropped.

    Just duplicate what you've done for registry.gitlab.com, but for gitlab.com.
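As an added illustration of the fix above (not code from the original post), this Python builds a `kubernetes.io/dockercfg` pull secret that carries credentials for both hosts the answer names, and checks an existing secret for the missing gitlab.com entry. The credentials are constructed placeholders; one two-entry `.dockercfg` is assumed here instead of the answer's two separate secrets, since a `.dockercfg` is simply a map keyed by registry server, as the `oc describe secret/secret` output in the question shows.

```python
import base64
import json

# Constructed placeholder credentials for the example (not real accounts).
USERNAME = "user"
PASSWORD = "pass"
EMAIL = "user@example.com"

# The point of the accepted solution: GitLab authenticates against gitlab.com
# first and registry.gitlab.com second, so pull credentials must exist for both.
REQUIRED_SERVERS = ("https://gitlab.com", "https://registry.gitlab.com")


def dockercfg_entry(username, password, email):
    """One .dockercfg entry; 'auth' is base64("user:pass"), as docker login writes it."""
    auth = base64.b64encode(f"{username}:{password}".encode()).decode()
    return {"username": username, "password": password, "email": email, "auth": auth}


def build_dockercfg(servers, username, password, email):
    """The .dockercfg map, keyed by registry server URL (same shape as the
    secret in the question, which had only the registry.gitlab.com key)."""
    return {s: dockercfg_entry(username, password, email) for s in servers}


def build_pull_secret(name, namespace, dockercfg):
    """Secret manifest of type kubernetes.io/dockercfg, the type that
    'oc secrets new-dockercfg' creates. Apply with 'oc create -f -' and then
    'oc secrets link <serviceaccount> <name> --for=pull', as in the question."""
    raw = json.dumps(dockercfg, separators=(",", ":")).encode()
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "type": "kubernetes.io/dockercfg",
        "metadata": {"name": name, "namespace": namespace},
        "data": {".dockercfg": base64.b64encode(raw).decode()},
    }


def missing_servers(secret, required=REQUIRED_SERVERS):
    """Decode a dockercfg Secret and list the required servers it lacks.
    For the question's secret (registry.gitlab.com only) this returns
    ['https://gitlab.com'], which is exactly the gap the solution fills."""
    cfg = json.loads(base64.b64decode(secret["data"][".dockercfg"]))
    return [s for s in required if s not in cfg]


if __name__ == "__main__":
    cfg = build_dockercfg(REQUIRED_SERVERS, USERNAME, PASSWORD, EMAIL)
    print(json.dumps(build_pull_secret("secret", "test2", cfg), indent=2))
```

Running `missing_servers` over a secret decoded from `oc get secret secret -o json` is a quick check that both hosts are covered before linking the secret to the builder, default and deployer service accounts.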