rancher: Private registries not working on rancher/rancher:v2.0.1

Tested with master. Created a private registry in docker with credentials. Pushed an image. The image was pulled correctly from the private registry in rancher and the pods started successfully. The workload YAML had the registry name in imagePullSecrets

    spec:
      affinity: {}
      containers:
      - image: soumyanewtest.rancher.space:5000/testuser/mynginx
        imagePullPolicy: Always
        name: myregtest
        resources: {}
        securityContext:
          allowPrivilegeEscalation: false
          capabilities: {}
          privileged: false
          readOnlyRootFilesystem: false
          runAsNonRoot: false
        stdin: true
        terminationMessagePath: /dev/termination-log
        terminationMessagePolicy: File
        tty: true
      dnsPolicy: ClusterFirst
      imagePullSecrets:
      - name: myregistry
      restartPolicy: Always
      schedulerName: default-scheduler
      securityContext: {}
      terminationGracePeriodSeconds: 30

@soumyalj @deniseschannon In which version is/was this fixed? Mean was the fix already released? I’m currently on v2.0.6 and there this problem still persist. There is actually no imagePullSecrets in my workload YAML.

UPDATE: The problem was that I added the private registry to Rancher after creating the Deploy Workload. I deleted the Workload again and ad recreated it and it was working then.

Hi

The Rancher 2.0 system doesn’t appear to sync secrets so well. You can try to create one in the UI, you do so by;

• picking the namespace (left most menu, usually Default)
• now the top most menu changes and you have the choice to enter Resources, specify a “registry” resource and fill in the username/password

Now you’ll need to use that secret in the YML file you are deploying with. Here’s a sample:

spec: imagePullSecrets: - name: test-sec

  containers:
  - name: "whatever-name"
    image: "privaterepo/image-name:version"

Some info on secrets : https://kubernetes-v1-4.github.io/docs/user-guide/kubectl/kubectl_create_secret_docker-registry/

A tip from me: I also had the same problem and decided to learn kubernetes and kubectl - which helped immensely (I used the Pluralsight beginners Kubernetes course).

Hope this helps.

John Clayton CTO E: johnc@filewave.com A: St. Gallerstr 1, 9500 Wil, St Gallen https://maps.google.com/?q=St. Gallestr 1%2C 9500 Wil%2C St Gallen W: https://www.filewave.com

On 4 June 2018 at 19:28, Sean Reifschneider notifications@github.com wrote:

I’m in the same boat, I want to test deploying a small sample container that I’m able to run locally on my workstation, but I can’t seem to get it to login to the private registry. I set up the registry using the docker documentation for basic auth, I have a LetsEncrypt SSL cert on it via my haproxy load balancer.

I entered the credentials in the Resources->Registries page, and on my workstation I can do “docker login” to it and push the image. When I connect via a broswer and request /v1/_catalog, I can see the repository. But in the haproxy logs I see that it is trying to request “GET /v2/” and getting a 401 (authorization failed) status code. Looks like it is then trying to get “/v1/_ping” and getting a 404, then finally trying to get “/v1/repositories/COMPANY/PROJECT/images” and also getting a 404.

Is configuring Rancher to use a private repo documented anywhere? Am I supposed to be using some other mechanism to deploy my own test app to Rancher?

I’m really lost here, and I’m rather inexperienced with Docker/Kubernetes, and the logging is telling me very little.

— You are receiving this because you commented. Reply to this email directly, view it on GitHub https://github.com/rancher/rancher/issues/13676#issuecomment-394434515, or mute the thread https://github.com/notifications/unsubscribe-auth/ABVx0vUHZyr-0YRnC9dm7HNpfdks1nx4ks5t5W5UgaJpZM4ULKpG .

For me the update from @phlegx worked. I deleted the workload and recreated it after adding my docker repository and it worked.

I retested this morning with v2.0.2 version. This is my current conclusion :

• The workaround creating docker-registry secret and using imagePullSecrets in the pod definition works. But nothing is integrated in Rancher : secret and registry are not visible in the UI
• If I add a registry in the Rancher UI, I can use it ONLY if a deploy a Workload with the UI. If I specify my private registry “myregsitry.com:5000/myimage:tag” in the field “Docker Image”, it works. The workload is created and the image correctly pulled. However, I can’t find the registry created in the Rancher UI through the Kubernetes API. Does it mean that this component is only created in the Rancher config ?

To conlude, for the moment, I prefer the first solution because the integration with Kubernetes is better. The best solution will be as with Rancher 1.6 : defining repository in the Rancher UI for all namespace and using it with specify imagePullSecrets.

I was in the same boat, but I’ve finally figured it out with the help of #13339 and some experimenting. Here is what I did:

I had gone into Resources->Registries and done “Add Registry”. I selected “Available to all namespaces”, “Custom”, entered “dockerregistry.example.com:443” and then put in the username and password. This creted the registry with a name of “dc-zgjgt” in my example because I didn’t put anything in the name.

Then I created the workload and in the “Docker Image” field I put “dockerregistry.example.com:443/example/springtest:latest”.

After creating that workload I went into the Workloads page and clicked on that workload name, which brought up the “Workload: springtest” page. Then I clicked the 3 dots on the right and did “View/Edit YAML”. After the spec->template->spec->containers section I added the lines: “imagePullSecrets:” and “- name: dc-zgjgt” and saved. The end result was something like:

[...]
spec:
  containers:
  - image: dockerregistry.example.com:443/company/springtest:latest
    imagePullPolicy: Always
    [...]
  imagePullSecrets:
  - name: dc-zgjgt

Once I did that, the pod deployed and my service is running.

@jotolo Have a look at this example: https://github.com/kubernetes/website/blob/master/content/en/docs/tasks/configure-pod-container/private-reg-pod.yaml