How do you push images to the local docker image repository?


mccorm...@gmail.com

Apr 30, 2019, 1:22:09 PM
to OpenShift 4 Developer Preview
I understand there is no docker anymore. The install comes with the default system:admin user. I need to create a new openshift user with a valid token and then somehow use that token to login to some image repo.

bpa...@redhat.com

May 1, 2019, 9:18:00 AM
to OpenShift 4 Developer Preview


On Tuesday, April 30, 2019 at 1:22:09 PM UTC-4, mccorm...@gmail.com wrote:
I understand there is no docker anymore. The install comes with the default system:admin user. I need to create a new openshift user with a valid token and then somehow use that token to login to some image repo.

These docs cover how to add a new user:

login username: stage-user
password: zc9$!9S%&0N9hsBVSN42

As for logging into the registry itself, you will first need to create a route for the registry, you can do that by modifying the registry config:


and changing the "defaultRoute: false" to true in the spec section.

That will give you an https route like "default-route-openshift-image-registry.apps.yourcluster.com" that represents the cluster registry.


Then, assuming you are logged into the cluster on the command line as your new user, you can either:

docker login -u openshift -p `oc whoami -t` yourregistryroute.yourcluster.com

or

oc registry login (that should work as is, but if not you can pass --registry=yourregistryroute.yourcluster.com to control which registry it is attempting to log in to).

Both of those commands will update your local user's .docker/config.json w/ credentials for the registry.



Tom McCormick

May 1, 2019, 3:23:41 PM
to bpa...@redhat.com, OpenShift 4 Developer Preview
1. There is no docker present, so that does not seem to be an option.
2. Actually the generation of the cluster gives you a user to 'oc login' with so that part is fine as well. 
3. I am doing this from inside the cluster, so I'm assuming I don't need to expose the registry as a route, I am simply using the cluster ip.
4. My issue is with certificates (as seen below)
[core@ip-10-0-130-133 ~]$ oc registry login --registry=172.30.144.144:5000
error: unable to check your credentials - pass --skip-check to bypass this error: Get https://172.30.144.144:5000/v2/: x509: cannot validate certificate for 172.30.144.144 because it doesn't contain any IP SANs

I tried doing this login with --skip-check, but it's hard to tell if it actually works. Then I try the following in case the login did work.

[core@ip-10-0-130-133 ~]$ sudo podman push 172.30.144.144:5000/test/nginx
Getting image source signatures
Copying blob 5dacd731af1b: 0 B / 55.75 MiB [--------------------------------] 0s
Copying blob 912ed487215b: 0 B / 52.06 MiB [--------------------------------] 0s
Copying blob fc4c9f8e7dac: 0 B / 3.50 KiB [---------------------------------] 0s
Error copying image to the remote destination: Error trying to reuse blob sha256:5dacd731af1b0386ead06c8b1feff9f65d9e0bdfec032d2cd0bc03690698feda at destination: pinging docker registry returned: Get https://172.30.144.144:5000/v2/: x509: cannot validate certificate for 172.30.144.144 because it doesn't contain any IP SANs

and for completeness, this is how I usually login to my docker registry (when it's insecure) and changing docker to podman
[core@ip-10-0-130-133 ~]$ sudo podman login -u kubeadmin -p xxxxxxx 172.30.144.144:5000
error authenticating creds for "172.30.144.144:5000": pinging docker registry returned: Get https://172.30.144.144:5000/v2/: x509: cannot validate certificate for 172.30.144.144 because it doesn't contain any IP SANs


Goal: The most ideal thing for me to do to unblock is to make the registry insecure. Most of my dev registries in openshift 3.x were insecure and made things easier. I am not sure how to make the registry

--
You received this message because you are subscribed to a topic in the Google Groups "OpenShift 4 Developer Preview" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/openshift-4-dev-preview/bzGMBRWUZUc/unsubscribe.
To unsubscribe from this group and all its topics, send an email to openshift-4-dev-p...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/openshift-4-dev-preview/d712126b-2a9f-4c1b-81aa-0a7f534a6556%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Ben Parees

May 1, 2019, 4:06:54 PM
to Tom McCormick, OpenShift 4 Developer Preview
On Wed, May 1, 2019 at 3:23 PM Tom McCormick <mccorm...@gmail.com> wrote:
1. There is no docker present, so that does not seem to be an option.

You can install docker on any client machine you choose, the same place you can install oc. Once you have a route for the registry you can interact with it from your external client machine with docker (or podman) installed.

2. Actually the generation of the cluster gives you a user to 'oc login' with so that part is fine as well. 
3. I am doing this from inside the cluster, so I'm assuming I don't need to expose the registry as a route, I am simply using the cluster ip.

In that case at least use the registry service name, which will help w/ your certificate issues.  The registry service uses a cert that's signed by the cluster service serving CA.

 
4. My issue is with certificates (as seen below)
[core@ip-10-0-130-133 ~]$ oc registry login --registry=172.30.144.144:5000
error: unable to check your credentials - pass --skip-check to bypass this error: Get https://172.30.144.144:5000/v2/: x509: cannot validate certificate for 172.30.144.144 because it doesn't contain any IP SANs

I tried doing this login with --skip-check, but it's hard to tell if it actually works. Then I try the following in case the login did work.

If it worked you should see an entry in your .docker/config.json for the registry ip/service hostname.
 

[core@ip-10-0-130-133 ~]$ sudo podman push 172.30.144.144:5000/test/nginx
Getting image source signatures
Copying blob 5dacd731af1b: 0 B / 55.75 MiB [--------------------------------] 0s
Copying blob 912ed487215b: 0 B / 52.06 MiB [--------------------------------] 0s
Copying blob fc4c9f8e7dac: 0 B / 3.50 KiB [---------------------------------] 0s
Error copying image to the remote destination: Error trying to reuse blob sha256:5dacd731af1b0386ead06c8b1feff9f65d9e0bdfec032d2cd0bc03690698feda at destination: pinging docker registry returned: Get https://172.30.144.144:5000/v2/: x509: cannot validate certificate for 172.30.144.144 because it doesn't contain any IP SANs

Presumably you need to configure podman to treat the registry as insecure (or get the service signing CA from your cluster and provide it to the machine running podman).



and for completeness, this is how I usually login to my docker registry (when it's insecure) and changing docker to podman
[core@ip-10-0-130-133 ~]$ sudo podman login -u kubeadmin -p xxxxxxx 172.30.144.144:5000
error authenticating creds for "172.30.144.144:5000": pinging docker registry returned: Get https://172.30.144.144:5000/v2/: x509: cannot validate certificate for 172.30.144.144 because it doesn't contain any IP SANs

Same as above.



Goal: The most ideal thing for me to do to unblock is to make the registry insecure. Most of my dev registries in openshift 3.x were insecure and made things easier. I am not sure how to make the registry

Not an option in openshift4. The registry service is always secured by TLS. You can create an insecure route pointing to the registry service, if you really want to, and use that route to talk to your registry, but that's not an approach I'd recommend.
 


--
Ben Parees | OpenShift
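
Added example (not part of the thread): a small Go program reproducing the x509 error quoted above and showing why addressing the registry by its service name resolves it, as the reply suggests. The certificate is constructed locally for the demonstration, and the service DNS name is an assumption; use the name your cluster's registry service actually has.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"fmt"
	"math/big"
	"net"
	"time"
)

// Assumed registry service DNS name, for illustration only.
const serviceName = "image-registry.openshift-image-registry.svc"

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// newServingCert returns a constructed self-signed certificate carrying only the given SANs.
func newServingCert(dnsNames []string, ips []net.IP) *x509.Certificate {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		DNSNames:     dnsNames,
		IPAddresses:  ips,
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return must(x509.ParseCertificate(der))
}

// checkHost returns "" when host matches a SAN, otherwise the verifier's error text.
func checkHost(cert *x509.Certificate, host string) string {
	if err := cert.VerifyHostname(host); err != nil {
		return err.Error()
	}
	return ""
}

func main() {
	cert := newServingCert([]string{serviceName}, nil)
	fmt.Printf("by IP:   %q\n", checkHost(cert, "172.30.144.144"))
	fmt.Printf("by name: %q\n", checkHost(cert, serviceName))
}
```

A certificate with only DNS SANs can never validate a connection made by cluster IP, regardless of which CA the client trusts; trusting the service signing CA is a separate step that is still required once the name matches.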
