I cannot pull an image from the GitLab private registry
How to use the Container Registry
First log in to GitLab’s Container Registry using your GitLab username and password. If you have 2FA enabled you need to use a personal access token:
docker login registry.gitlab.com
OpenShift version
oc version
oc v3.6.1+008f2d5
kubernetes v1.6.1+5115d708d7
features: Basic-Auth GSSAPI Kerberos SPNEGO
openshift v3.6.1+008f2d5
kubernetes v1.6.1+5115d708d7
Steps To Reproduce
oc new-project test2
oc project test2
oc secrets new-dockercfg secret --docker-server=https://registry.gitlab.com --docker-username=user --docker-password="pass" [email protected]
secret/secret
oc secrets link builder secret --for=pull
oc secrets link default secret --for=pull
oc secrets link deployer secret --for=pull
oc new-app --docker-image='registry.gitlab.com/user/imagename:latest' --loglevel=5
I1227 12:37:21.263940 77342 newapp.go:486] Docker client did not respond to a ping: Get http://unix.sock/_ping: dial unix /var/run/docker.sock: connect: permission denied
I1227 12:37:21.264210 77342 dockerimagelookup.go:79] checking remote registry for "registry.gitlab.com/user/imagename:latest"
I1227 12:37:22.356499 77342 dockerimagelookup.go:214] image import failed: image.ImageImportStatus{Tag:"latest", Status:v1.Status{TypeMeta:v1.TypeMeta{Kind:"", APIVersion:""}, ListMeta:v1.ListMeta{SelfLink:"", ResourceVersion:""}, Status:"Failure", Message:"Internal error occurred: Get https://registry.gitlab.com/v2/user/imagename/manifests/latest: denied: access forbidden", Reason:"InternalError", Details:(*v1.StatusDetails)(0xc42072aff0), Code:500}, Image:(*image.Image)(nil)}
W1227 12:37:22.356612 77342 dockerimagelookup.go:220] Docker registry lookup failed: Get https://registry.gitlab.com/v2/user/imagename/manifests/latest: denied: access forbidden
F1227 12:37:22.356776 77342 helpers.go:119] error: no match for "registry.gitlab.com/user/imagename:latest"
Current Result
The image did not pull from the registry: denied: access forbidden
Expected Result
Images must pull from the registry.
Additional Information
oc get all -o json -n test2
{
"apiVersion": "v1",
"items": [],
"kind": "List",
"metadata": {},
"resourceVersion": "",
"selfLink": ""
}
oc describe secret/secret
Name: secret
Namespace: test2
Labels: <none>
Annotations: <none>
Type: kubernetes.io/dockercfg
Data
====
.dockercfg: {"https://registry.gitlab.com":{"username":"user","password":"pass","email":"[email protected]","auth":"someauth"}}
oc describe serviceaccount/default
Name: default
Namespace: test2
Labels: <none>
Annotations: <none>
Image pull secrets: default-dockercfg-8h0hq
secret
Mountable secrets: default-dockercfg-8h0hq
default-token-8dc0x
Tokens: default-token-6s4bl
default-token-8dc0x
oc describe serviceaccount/builder
Name: builder
Namespace: test2
Labels: <none>
Annotations: <none>
Image pull secrets: builder-dockercfg-w3lfm
secret
Mountable secrets: builder-token-t7kzh
builder-dockercfg-w3lfm
Tokens: builder-token-c1nt6
builder-token-t7kzh
oc describe serviceaccount/deployer
Name: deployer
Namespace: test2
Labels: <none>
Annotations: <none>
Image pull secrets: deployer-dockercfg-zqnxx
secret
Mountable secrets: deployer-token-sbl9c
deployer-dockercfg-zqnxx
Tokens: deployer-token-sbl9c
deployer-token-z61sv
oc adm diagnostics
[Note] Determining if client configuration exists for client/cluster diagnostics
Info: Successfully read a client config file at '/home/centos/.kube/config'
Info: Using context for cluster-admin access: 'default/oshift.com/system:admin'
[Note] Performing systemd discovery
[Note] Running diagnostic: ConfigContexts[api-gateway/oshift.com/admin]
Description: Validate client config context is complete and has connectivity
Info: For client config context 'api-gateway/oshift.com/admin':
The server URL is 'https://oshift.com'
The user authentication is 'admin/oshift.com'
The current project is 'api-gateway'
Successfully requested project list; has access to project(s):
[datasources datasources-china-copy hello-openshift hola superpython test test2 testproject]
[Note] Running diagnostic: ConfigContexts[default/oshift.com/system:admin]
Description: Validate client config context is complete and has connectivity
Info: For client config context 'default/oshift.com/system:admin':
The server URL is 'https://oshift.com'
The user authentication is 'system:admin/oshift.com'
The current project is 'default'
Successfully requested project list; has access to project(s):
[datasources datasources-china-copy default hello-openshift hola kube-public kube-system logging management-infra openshift ...]
[Note] Running diagnostic: DiagnosticPod
Description: Create a pod to run diagnostics from the application standpoint
ERROR: [DCli2012 from diagnostic DiagnosticPod@openshift/origin/pkg/diagnostics/client/run_diagnostics_pod.go:156]
See the errors below in the output from the diagnostic pod:
[Note] Running diagnostic: PodCheckAuth
Description: Check that service account credentials authenticate as expected
Info: Service account token successfully authenticated to master
ERROR: [DP1014 from diagnostic PodCheckAuth@openshift/origin/pkg/diagnostics/pod/auth.go:174]
Request to integrated registry timed out; this typically indicates network or SDN problems.
[Note] Running diagnostic: PodCheckDns
Description: Check that DNS within a pod works as expected
[Note] Summary of diagnostics execution (version v3.6.1+008f2d5):
[Note] Errors seen: 1
[Note] Running diagnostic: NetworkCheck
Description: Create a pod on all schedulable nodes and run network diagnostics from the application standpoint
ERROR: [DNet2001 from diagnostic NetworkCheck@openshift/origin/pkg/diagnostics/network/run_pod.go:83]
Checking network plugin failed. Error: User "admin" cannot get clusternetworks at the cluster scope
[Note] Skipping diagnostic: AggregatedLogging
Description: Check aggregated logging integration for proper configuration
Because: Master configuration is unreadable
[Note] Running diagnostic: ClusterRegistry
Description: Check that there is a working Docker registry
ERROR: [DClu1006 from diagnostic ClusterRegistry@openshift/origin/pkg/diagnostics/cluster/registry.go:206]
The "docker-registry" service exists but has no associated pods, so it
is not available. Builds and deployments that use the registry will fail.
[Note] Running diagnostic: ClusterRoleBindings
Description: Check that the default ClusterRoleBindings are present and contain the expected subjects
Info: clusterrolebinding/cluster-readers has more subjects than expected.
Use the `oadm policy reconcile-cluster-role-bindings` command to update the role binding to remove extra subjects.
Info: clusterrolebinding/cluster-readers has extra subject {ServiceAccount management-infra management-admin }.
Info: clusterrolebinding/cluster-readers has extra subject {ServiceAccount default router }.
Info: clusterrolebinding/self-provisioners has more subjects than expected.
Use the `oadm policy reconcile-cluster-role-bindings` command to update the role binding to remove extra subjects.
Info: clusterrolebinding/self-provisioners has extra subject {ServiceAccount management-infra management-admin }.
[Note] Running diagnostic: ClusterRoles
Description: Check that the default ClusterRoles are present and contain the expected permissions
[Note] Running diagnostic: ClusterRouterName
Description: Check there is a working router
ERROR: [DClu2007 from diagnostic ClusterRouter@openshift/origin/pkg/diagnostics/cluster/router.go:157]
The "router" DeploymentConfig exists but has no running pods, so it
is not available. Apps will not be externally accessible via the router.
[Note] Skipping diagnostic: MasterNode
Description: Check if master is also running node (for Open vSwitch)
Because: (DClu3008) Master config provided but unable to parse: open /etc/origin/master/master-config.yaml: permission denied
[Note] Skipping diagnostic: MetricsApiProxy
Description: Check the integrated heapster metrics can be reached via the API proxy
Because: The heapster service does not exist in the openshift-infra project at this time,
so it is not available for the Horizontal Pod Autoscaler to use as a source of metrics.
[Note] Running diagnostic: NodeDefinitions
Description: Check node records on master
WARN: [DClu0003 from diagnostic NodeDefinition@openshift/origin/pkg/diagnostics/cluster/node_definitions.go:113]
Node is-oshift-master-01.novalocal is ready but is marked Unschedulable.
This is usually set manually for administrative reasons.
An administrator can mark the node schedulable with:
oadm manage-node is-oshift-master-01.novalocal --schedulable=true
While in this state, pods should not be scheduled to deploy on the node.
Existing pods will continue to run until completed or evacuated (see
other options for 'oadm manage-node').
[Note] Running diagnostic: RouteCertificateValidation
Description: Check all route certificates for certificates that might be rejected by extended validation.
[Note] Running diagnostic: ServiceExternalIPs
Description: Check for existing services with ExternalIPs that are disallowed by master config
ERROR: [DH0002 from diagnostic ServiceExternalIPs@openshift/origin/pkg/diagnostics/host/util.go:38]
Could not read master config file '/etc/origin/master/master-config.yaml':
(*os.PathError) open /etc/origin/master/master-config.yaml: permission denied
Info: Unreadable master config; skipping this diagnostic.
[Note] Running diagnostic: AnalyzeLogs
Description: Check for recent problems in systemd service logs
Info: Checking journalctl logs for 'origin-master' service
Info: Checking journalctl logs for 'origin-node' service
Info: Checking journalctl logs for 'docker' service
[Note] Running diagnostic: MasterConfigCheck
Description: Check the master config file
ERROR: [DH0002 from diagnostic MasterConfigCheck@openshift/origin/pkg/diagnostics/host/util.go:38]
Could not read master config file '/etc/origin/master/master-config.yaml':
(*os.PathError) open /etc/origin/master/master-config.yaml: permission denied
[Note] Running diagnostic: NodeConfigCheck
Description: Check the node config file
ERROR: [DH1002 from diagnostic NodeConfigCheck@openshift/origin/pkg/diagnostics/host/check_node_config.go:38]
Could not read node config file '/etc/origin/node/node-config.yaml':
(*os.PathError) open /etc/origin/node/node-config.yaml: permission denied
[Note] Running diagnostic: UnitStatus
Description: Check status for related systemd units
[Note] Summary of diagnostics execution (version v3.6.1+008f2d5):
[Note] Warnings seen: 1
[Note] Errors seen: 7
Found a solution.
So GitLab does the authentication in two steps, first gitlab.com, then registry.gitlab.com. Actually, the error we got was from the first one, which was being dropped.
Just duplicate what you've done for registry.gitlab.com, but for gitlab.com.
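The reproduction steps above (create the dockercfg secret, link it to the default, builder and deployer service accounts, then `oc new-app` the image) and the fix in the last comment, as one added shell example that is not part of the issue or of OpenShift's own tooling: it builds a single `.dockercfg` that carries the same credential under both gitlab.com and registry.gitlab.com, checks that the registry host of the image reference is actually covered before anything is applied, and only then creates and links the secret. The environment variables, the secret name gitlab-pull, and the use of `oc create secret generic --type=kubernetes.io/dockercfg` (rather than `oc secrets new-dockercfg`, which takes a single server) are assumptions; `oc` is only invoked when the script is run with the argument `apply`.

```shell
#!/bin/sh
# Added example, not from the issue or from OpenShift. Builds one kubernetes.io/dockercfg
# secret with the GitLab credential under both gitlab.com and registry.gitlab.com,
# links it for pulls, and refuses to apply if the image's registry host is not covered.
# All values below are assumed placeholders; override them in the environment.
set -eu

GITLAB_USER="${GITLAB_USER:-user}"
GITLAB_TOKEN="${GITLAB_TOKEN:-pass}"        # personal access token (required with 2FA), not the account password
GITLAB_EMAIL="${GITLAB_EMAIL:-user@example.com}"
SECRET_NAME="${SECRET_NAME:-gitlab-pull}"
IMAGE="${IMAGE:-registry.gitlab.com/user/imagename:latest}"
HOSTS="gitlab.com registry.gitlab.com"      # both hosts GitLab authenticates against

# base64("user:token"), the value Docker expects in the "auth" field; drop the trailing newline
b64auth() {
    printf '%s:%s' "$1" "$2" | base64 | tr -d '\n'
}

# Emit a .dockercfg JSON object with one entry per host, all sharing one credential.
# Usage: build_dockercfg USER TOKEN EMAIL HOST [HOST...]
build_dockercfg() {
    user=$1; token=$2; email=$3; shift 3
    auth=$(b64auth "$user" "$token")
    out='{'
    sep=''
    for host in "$@"; do
        out="$out$sep\"$host\":{\"username\":\"$user\",\"password\":\"$token\",\"email\":\"$email\",\"auth\":\"$auth\"}"
        sep=','
    done
    printf '%s}' "$out"
}

# Registry host of an image reference: a reference without '/' is on Docker Hub; otherwise
# the first path component is a host if it contains '.' or ':' or is 'localhost'.
image_registry() {
    case "$1" in
        */*) ;;
        *) printf 'docker.io'; return ;;
    esac
    first=${1%%/*}
    case "$first" in
        *.*|*:*|localhost) printf '%s' "$first" ;;
        *) printf 'docker.io' ;;
    esac
}

# Succeeds if the dockercfg JSON has a key for HOST, with or without an https:// prefix
# (the issue's secret uses the prefixed form "https://registry.gitlab.com").
dockercfg_has_host() {
    printf '%s' "$1" | grep -Eq "\"(https://)?$2\""
}

# Create the secret from the generated file and link it to the pulling service accounts.
# The --type flag keeps the legacy .dockercfg layout that OpenShift 3.x image import reads.
create_and_link_pull_secret() {
    cfg=$(build_dockercfg "$GITLAB_USER" "$GITLAB_TOKEN" "$GITLAB_EMAIL" $HOSTS)  # $HOSTS splits on purpose
    tmp=$(mktemp)                                # mktemp creates the file mode 0600
    printf '%s' "$cfg" > "$tmp"
    oc create secret generic "$SECRET_NAME" --from-file=.dockercfg="$tmp" --type=kubernetes.io/dockercfg
    rm -f "$tmp"
    for sa in default builder deployer; do
        oc secrets link "$sa" "$SECRET_NAME" --for=pull
    done
}

# Pre-flight: the image import in the issue failed because the registry host had no usable
# entry; check that before touching the cluster.
registry=$(image_registry "$IMAGE")
cfg=$(build_dockercfg "$GITLAB_USER" "$GITLAB_TOKEN" "$GITLAB_EMAIL" $HOSTS)
if ! dockercfg_has_host "$cfg" "$registry"; then
    echo "no credential for $registry in the secret; image import would be denied" >&2
    exit 1
fi
if [ "${1:-}" = apply ]; then
    create_and_link_pull_secret
fi
```

Run it without arguments for the pre-flight check only, and with `apply` to create and link the secret. The token ends up in the secret in plaintext, exactly as the `password` field is visible in the `oc describe secret/secret` output above, so issue it with the narrowest scope that allows pulls (read_registry) and treat the secret as sensitive.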