#7188 OpenShift rollout fails with unauthorized error
Closed: Invalid a year ago Opened a year ago by mizdebsk.

Staging OpenShift fails to rollout koschei-web deployment with the following error:

Failed to pull image "koschei-web:latest": rpc error: code = Unknown desc = errors:
denied: requested access to the resource is denied
unauthorized: authentication required

Possibly this is upstream bug https://github.com/openshiftio/openshift.io/issues/2980

Steps to reproduce the issue:

  1. Optionally recreate koschei project on staging OpenShift from scratch:

    [root@os-master01 ~][STG]# oc delete project koschei && rm -rf /etc/openshift_apps/koschei/
    [root@batcave01 ~][PROD]# ansible-playbook /srv/web/infra/ansible/playbooks/openshift-apps/koschei.yml

  2. Start koschei-web build and wait for it to complete:

    oc start-build koschei-web
    oc logs -f build/koschei-web-1

  3. Optionally verify that koschei-web:latest image is available in imagestream: https://os.stg.fedoraproject.org/console/project/koschei/browse/images/koschei-web/latest

  4. Rollout deployment:

    oc rollout latest dc/koschei-web

  5. Examine rollout log:

    oc logs rc/koschei-web-1

It shows:

Error from server (BadRequest): container "koschei-web" in pod "koschei-web-1-kzbvv" is waiting to start: trying and failing to pull image
  1. Examine detailed status of failed pod:

    oc describe pod koschei-web-1-kzbvv

Among other things it shows:

Failed to pull image "koschei-web:latest": rpc error: code = Unknown desc = errors:
denied: requested access to the resource is denied
unauthorized: authentication required

Metadata Update from @mizdebsk:
- Issue tagged with: staging

a year ago

I also explained this on IRC, but I'll add it here for the record as well.
To deploy from the built-in registry, you need to use "image: docker-registry.default.svc:5000/koschei/koschei-web:latest", so the full pull name including registry, since otherwise it will try to pull from registry.redhat.com and docker.com and then fail.

The reason why the bodhi deployconfig.yml doesen't have that and still work is https://infrastructure.fedoraproject.org/cgit/ansible.git/tree/roles/openshift-apps/bodhi/templates/deploymentconfig.yml#n92.
Because we always do a build between the DC creating and the DC deploying (or at least, we start a build at the same time because when the playbook runs it has a "role: openshift/start-build" in it), the actual container in the DC is automatically filled in: " - image: docker-registry.default.svc:5000/bodhi/bodhi-web@sha256:f35d85f9145646974a18a2a5338bb9ed77e0071d702544515d13bd9232077a87"

So if you either use the full url or the imagestream trigger, it should work.

Metadata Update from @puiterwijk:
- Issue close_status updated to: Invalid
- Issue status updated to: Closed (was: Open)

a year ago

Login to comment on this ticket.

Metadata