I'm new to openshift and I have a showstopper:
On my Computer I created a Dockerimage called restservice and I successfully tested it:
docker run -d -p 8080:8080 restservice
Then I created an app in Openshift-Online with the image:
oc new-app restservice
I can see the deployment-pod is starting and after the creating of the running pod is failing.
with
oc describe pod restservice-2-50n0h
I get the following Error:
...
Events:
FirstSeen LastSeen Count From SubObjectPath Type Reason Message
--------- -------- ----- ---- ------------- -------- ------ -------
1m 1m 1 {default-scheduler } Normal Scheduled Successfully assigned restservice-2-50n0h to ip-172-31-54-238.us-west-2.compute.internal
41s 41s 1 {kubelet ip-172-31-54-238.us-west-2.compute.internal} spec.containers{restservice} Normal Pulling pulling image "restservice:latest"
39s 39s 1 {kubelet ip-172-31-54-238.us-west-2.compute.internal} spec.containers{restservice} Warning Failed Failed to pull image "restservice:latest": unauthorized: authentication required
39s 39s 1 {kubelet ip-172-31-54-238.us-west-2.compute.internal} Warning FailedSync Error syncing pod, skipping: failed to "StartContainer" for "restservice" with ErrImagePull: "unauthorized: authentication required"
55s 9s 2 {kubelet ip-172-31-54-238.us-west-2.compute.internal} Warning FailedSync Error syncing pod, skipping: failed to "SetupNetwork" for "restservice-2-50n0h_wgbeckmann" with SetupNetworkError: "Failed to setup network for pod \"restservice-2-50n0h_wgbeckmann(06f892b4-7568-11e7-914e-0a69cdf75e6f)\" using network plugins \"cni\": CNI request failed with status 400: 'Failed to execute iptables-restore: exit status 1 (iptables-restore: line 3 failed\n)\n'; Skipping pod"
I have no Idea what Authentication is needet.
The missing step is to pusch the Image to openshift online.
So these are the Steps:
Build a Image on the local Computer
docker build -t restservice .
Tag it with registry/username/image-name
docker tag restservice registry.starter-us-west2.openshift.com/myusername/myrestservice
Get your Secret for the Login into the Openshift Registry
oc whoami -t
sr3grwkegr3kjrk42k2jrg34kb5k43g5k4jg53 (sr3... is the output)
Log into Openshift Registry
docker login -u name#mail.com -p sr3grwkegr3kjrk42k2jrg34kb5k43g5k4jg53 https://registry.starter-us-west-2.openshift.com
Push the Image to the Registry
docker push registry.starter-us-west-2.openshift.com/myusername/myrestservice
Create the new App with the Image
oc new-app myrestservice
Thats all ....
Related
I'm new to Kubernetes and learning it these days. I'm trying to create a deployment with the help of kubectl and every time I create a deployment, the container is not running and I get ErrImagePull or ImagePullBackOff.
I have tried on two machines, both have the same problem.
kubectl create deployment nginx-depl --image=nginx
Following is the description of one of the deployments I was creating
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal Scheduled 23s default-scheduler Successfully assigned default/nginx-85b98978db-z6b2n to minikube
Normal Pulling 22s kubelet Pulling image "nginx"
Warning Failed 7s kubelet Failed to pull image "nginx": rpc error: code = Unknown desc = Error response from daemon: Get "https://registry-1.docker.io/v2/": net/http: request canceled while waiting for connection (Client.Timeout exceeded while awaiting headers)
Warning Failed 7s kubelet Error: ErrImagePull
Normal BackOff 7s kubelet Back-off pulling image "nginx"
Warning Failed 7s kubelet Error: ImagePullBackOff
Looks like you dont have internet connectivity from the cluster nodes. kubelet on the node is trying to pull the docker image from https://registry-1.docker.io/v2/ but connectivity is not established and was timed out. hence you are getting ImagePullBackOff Error
Docker Image: -
docker images | grep -i "gcc"
gcc-docker latest 84c4359e6fc9 21 mites ago 1.37GB
docker run -it gcc-docker:latest
hello,world
Kubernetes pod deployed:-
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal Scheduled <unknown> default-scheduler Successfully assigned default/hello-world to master-node
Normal Pulling 4s kubelet, master-node Pulling image "gcc-docker:latest"
Warning Failed 0s kubelet, master-node Failed to pull image "gcc-docker:latest": rpc error: code = Unknown desc = Erroresponse from daemon: pull access denied for gcc-docker, repository does not exist or may require 'docker login': denied: requested acce to the resource is denied
Warning Failed 0s kubelet, master-node Error: ErrImagePull
Normal BackOff 0s kubelet, master-node Back-off pulling image "gcc-docker:latest"
Warning Failed 0s kubelet, master-node Error: ImagePullBackOff
-->yaml files used to deploy pod
apiVersion: v1
kind: Pod
metadata:
name: hello-world
labels:
type: hello-world
spec:
containers:
- name: hello-world
image: gcc-docker:latest
command: ['sh', '-c', 'echo Hello Kubernetes! && sleep 60']
ports:
- containerPort: 80
I tried pulling gcc-docker and got the same error.You may have this image present on your system already and now its not on dockerhub.
if you know the repository for this image, try to use the same and for authentication create secrets of docker type and use them as image pull secrets.
Also, one more thing you are running the container on the master node, and I assume it's minikube or some local setup.
Minikube uses a dedicated VM to run Kubernetes which is not the same as the machine on which you have installed minikube.
So images available on your laptop will not be available to minikube.
I tried to deploy 'deployments' in kubernetes which is pull docker image from private registry (I don't know who did this setup) but during "docker pull images" through kubernetes i'm getting following error
node.kubernetes.io/unreachable:NoExecute for 300s
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal Scheduled 85s default-scheduler Successfully assigned default/trusted-enc-assettag1-deployment-8467b74958-6fbp7 to k8s-node
Normal BackOff 24s (x2 over 61s) kubelet, k8s-node Back-off pulling image "10.105.168.81:5000/simplehttpserverenc:enc_v1"
Warning Failed 24s (x2 over 61s) kubelet, k8s-node Error: ImagePullBackOff
Normal Pulling 12s (x3 over 82s) kubelet, k8s-node Pulling image "10.105.168.81:5000/simplehttpserverenc:enc_v1"
Warning Failed 0s (x3 over 62s) kubelet, k8s-node Failed to pull image "10.105.168.81:5000/simplehttpserverenc:enc_v1": rpc error: code = Unknown desc = Error response from daemon: Get https://10.105.168.81:5000/v2/: net/http: TLS handshake timeout
Warning Failed 0s (x3 over 62s) kubelet, k8s-node Error: ErrImagePull
[root#k8s-master ~]# docker pull 10.105.168.81:5000/simplehttpserverenc:enc_v1
ImagePullBackOff and net/http: TLS handshake timeout error.
Initially this "net/http: TLS handshake timeout" error is observed in docker pull as well. I referred some answers and
configured certificate(/etc/docker/certs.d//ca.crt ) and
proxy (/etc/systemd/system/docker.service.d/proxy.conf)
after that able to perform docker pull from private image.
[root#k8s-master ~]# docker pull 10.105.168.81:5000/simplehttpserverenc:enc_v1
enc_v1: Pulling from simplehttpserverenc
54fec2fa59d0: Pull complete
cd3f35d84cab: Pull complete
a0afc8e92ef0: Pull complete
9691f23efdb7: Pull complete
6512e60b314b: Pull complete
a8ac6632d329: Pull complete
68f4c4e0aa8c: Pull complete
Digest: sha256:0358708cd11e96f6cf6f22b29d46a8eec50d7107597b866e1616a73a198fe797
Status: Downloaded newer image for 10.105.168.81:5000/simplehttpserverenc:enc_v1
10.105.168.81:5000/simplehttpserverenc:enc_v1
[root#k8s-master ~]#
But still unable to perform this docker pull through kubernetes. How to solve this ?
If you use docker as container engine in your k8s, AFAIK it's the same with Understand the configuration. Because the image pulling is conducted by the container engine and it depends the proprietary configuration of each one on the certificates. How about pulling the same image on the worker node in your k8s ? Is it possible to pull the one without errors ?
As your dockerconfigjson is not working properly. Try this method :
kubectl create secret docker-registry regcred --docker-server=10.105.168.81:5000 --docker-username=<your-name> --docker-password=<your-pword>
And in Kubernetes manifest :
apiVersion: v1
kind: Pod
metadata:
name: private-reg
spec:
containers:
- name: private-reg-container
image: 10.105.168.81:5000/simplehttpserverenc:enc_v1
imagePullSecrets:
- name: regcred
I had encounted this many times, when I forgot to configure these secrets. Also if you have any othernamespace, you will have to generate secrets for each of these namespaces separately passing -n <your-ns> to above kubectl create secret
Edit : As you can not pull the image from worker node.
Make sure you copied docker-registry ca.crt to /etc/docker/certs.d/ca.crt
and then try docker pull .
I have setup a new Kubernetes v1.5 cluster.
I locally created a new docker image using :
# MAIN IMAGE
FROM gcr.io/google_containers/nginx-slim
I created it using the command :
docker build -t myapp:1 .
I can see that the image is avaiable and running :
docker ps | grep app
d6fc0508e56b myapp:1 "nginx -g 'daemon ..." 31 seconds ago Up 30 seconds 0.0.0.0:32354->80/tcp
Now I am trying to use the same image in a kubernetes deployment.
kubectl run app-deployment --image myapp:1 --replicas=1 --port=80
But doing so does not start the pod and I get the ERROR :
19s 3s 2 {kubelet 10.0.0.17} spec.containers{app-deployment} Normal Pulling pulling image "myapp:1"
18s 2s 2 {kubelet 10.0.0.17} spec.containers{app-deployment} Warning Failed Failed to pull image "myapp:1": unauthorized: authentication required
18s 2s 2 {kubelet 10.0.0.17} Warning FailedSync Error syncing pod, skipping: failed to "StartContainer" for "app-deployment" with ErrImagePull: "unauthorized: authentication required"
The files /root/.docker/config.json & /var/lib/kubelet/.dockercfg are currently empty. Is there something Ive missed in setting up Kubernetes ?
Since you are building a custom docker image, you have to build it in every node of your cluster that the scheduler could put the pod into.
Furthermore, you need yo specify in your PodSpec an imagePullPolicy of ifNotPresent to indicate the kubelet not to try to download your image if it is already present.
This should make your image work, but I strongly suggest you to push your image in a docker registry and let the nodes pull it from there.
I configured docker on the same host as my kubernetes-master for the private docker registry.Docker pushing to the private docker registry without https was successful. I also can pull the image just using docker.
When I run kubernetes for this image, I get with 'kubectl describe pods' following log :
kubectl describe pods
Name: fgpra-250514157-yh6vb
Namespace: default
Node: 5.179.232.64/5.179.232.64
Start Time: Tue, 11 Oct 2016 18:06:59 +0200
Labels: pod-template-hash=250514157,run=fgpra
Status: Pending
IP: <removed myself>
Controllers: ReplicaSet/fgpra-250514157
Containers:
fgpra:
Container ID:
Image: 5.179.232.65:5000/some_api_image
Image ID:
Port: 3000/TCP
QoS Tier:
cpu: BestEffort
memory: BestEffort
State: Waiting
Reason: ErrImagePull
Ready: False
Restart Count: 0
Environment Variables:
Conditions:
Type Status
Ready False
Volumes:
default-token-q7u3x:
Type: Secret (a volume populated by a Secret)
SecretName: default-token-q7u3x
Events:
FirstSeen LastSeen Count From SubobjectPath Type Reason Message
--------- -------- ----- ---- ------------- -------- ------ -------
4s 4s 1 {default-scheduler } Normal Scheduled Successfully assigned fgpra-250514157-yh6vb to 5.179.232.64
4s 4s 1 {kubelet 5.179.232.64} Warning MissingClusterDNS kubelet does not have ClusterDNS IP configured and cannot create Pod using "ClusterFirst" policy. Falling back to DNSDefault policy.
4s 4s 1 {kubelet 5.179.232.64} spec.containers{fgpra} Normal Pulling pulling image "5.179.232.65:5000/some_api_image"
4s 4s 1 {kubelet 5.179.232.64} spec.containers{fgpra} Warning Failed Failed to pull image "5.179.232.65:5000/some_api_image": unable to ping registry endpoint https://5.179.232.65:5000/v0/
v2 ping attempt failed with error: Get https://5.179.232.65:5000/v2/: http: server gave HTTP response to HTTPS client
v1 ping attempt failed with error: Get https://5.179.232.65:5000/v1/_ping: http: server gave HTTP response to HTTPS client
4s 4s 1 {kubelet 5.179.232.64} Warning FailedSync Error syncing pod, skipping: failed to "StartContainer" for "fgpra" with ErrImagePull: "unable to ping registry endpoint https://5.179.232.65:5000/v0/\nv2 ping attempt failed with error: Get https://5.179.232.65:5000/v2/: http: server gave HTTP response to HTTPS client\n v1 ping attempt failed with error: Get https://5.179.232.65:5000/v1/_ping: http: server gave HTTP response to HTTPS client"
3s 3s 1 {kubelet 5.179.232.64} spec.containers{fgpra} Normal BackOff Back-off pulling image "5.179.232.65:5000/some_api_image"
3s 3s 1 {kubelet 5.179.232.64} Warning FailedSync Error syncing pod, skipping: failed to "StartContainer" for "fgpra" with ImagePullBackOff: "Back-off pulling image \"5.179.232.65:5000/some_api_image\""
I already configured my /etc/init.d/sysconfig/docker to use my insecure private registry.
This is the command to start the kubernetes deployment :
kubectl run fgpra --image=5.179.232.65:5000/some_api_image --port=3000
How can I set kubernetes to pull from my private docker registry without using ssl?
This rather a docker issue than a kubernetes one. You need to add your http registry as a insecure-registry to your docker daemon on each kubernetes node.
docker daemon --insecure-registry=5.179.232.65:5000
In most environment there is a file like /etc/default/docker where you can add this parameter.