openshift / origin

Conformance test suite for OpenShift
http://www.openshift.org
Apache License 2.0

STI push to registry failed #18128

Closed xavierbaude closed 6 years ago

xavierbaude commented 6 years ago

Hello everybody,

I have had a strange issue since migrating from 3.6.1 to 3.7.1 today.

When I use an STI image, the build ends OK but the push step fails because the TLS certificate of the registry does not contain the IP of the registry console.

---> Installing application source ...
--
  | ---> Building your Node application from source
  | npm WARN deprecated to-iso-string@0.0.2: to-iso-string has been deprecated, use @segment/to-iso-string instead.
  | npm WARN deprecated jade@0.26.3: Jade has been renamed to pug, please install the latest version of pug instead of jade
  | npm WARN deprecated minimatch@0.3.0: Please update to minimatch 3.0.2 or higher to avoid a RegExp DoS issue
  | nodejs-ex@0.0.1 /opt/app-root/src
  | +-- chai@3.5.0
 [..]
  | `-- object-assign@4.1.0
  | Running post commit hook ...
  | sh: cannot set terminal process group (-1): Inappropriate ioctl for device
  | sh: no job control in this shell
  | > nodejs-ex@0.0.1 test /opt/app-root/src
  | > IP=0.0.0.0 PORT=3030 mocha --timeout 5000 tests/*_test.js
  | Server running on http://0.0.0.0:3030
  | Basic routes tests
  | ::ffff:127.0.0.1 - - [16/Jan/2018:16:33:34 +0000] "GET / HTTP/1.1" 200 40382 "-" "node-superagent/1.2.0"
  | ✓ GET to / should return 200 (114ms)
  | ::ffff:127.0.0.1 - - [16/Jan/2018:16:33:34 +0000] "GET /pagecount HTTP/1.1" 200 17 "-" "node-superagent/1.2.0"
  | ✓ GET to /pagecount should return 200
  | 2 passing (203ms)
  | Pushing image 172.30.150.10:5000/adeo-xavierbaude-op/nodejs-mongodb-example:latest ...
  | Registry server Address:
  | Registry server User Name: serviceaccount
  | Registry server Email: serviceaccount@example.org
  | Registry server Password: <<non-empty>>
  | error: build error: Failed to push image: Get https://172.30.150.10:5000/v1/_ping:  x509: cannot validate certificate for 172.30.150.10 because it doesn't contain any IP SANs

From a container:

h-4.2$ curl -I https://docker-registry.default.svc:5000 -Ivv
* About to connect() to docker-registry.default.svc port 5000 (#0)
*   Trying 172.30.150.10...
* Connected to docker-registry.default.svc (172.30.150.10) port 5000 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* Server certificate:
*       subject: CN=docker-registry.default.svc
*       start date: Oct 25 14:54:30 2017 GMT
*       expire date: Sep 03 14:54:31 2027 GMT
*       common name: docker-registry.default.svc
*       issuer: CN=openshift-signer@1508940851

Why is the IP used instead of the service name?

xavierbaude commented 6 years ago

Hello again,

Found the issue: the option "OPENSHIFT_DEFAULT_REGISTRY" has been removed from the file /etc/sysconfig/atomic-openshift-master (after upgrade?).

See: https://bugzilla.redhat.com/show_bug.cgi?id=1467786 https://github.com/openshift/origin/issues/6283