Red Hat Container Registry Authentication


Red Hat distributes container images from two locations: registry.access.redhat.com (no authentication needed) and registry.redhat.io (authentication required). Container images from third party vendors are available from registry.connect.redhat.com. This article describes how you can:

  • Use registry.access.redhat.com, with no authentication required.
  • Learn about how authentication works with registry.redhat.io.
  • Create a registry Service Account for use on shared systems.

Red Hat Registries

Red Hat distributes container images through three different container registries:

Registry                     Content               Supports unauthenticated access  Supports Red Hat login  Supports registry tokens
registry.access.redhat.com   Red Hat products      Yes                              No                      No
registry.redhat.io           Red Hat products      No                               Yes                     Yes
registry.connect.redhat.com  Third-party products  No                               Yes                     Yes

Although both registry.access.redhat.com and registry.redhat.io hold essentially the same container images, some images that require a subscription are only available from registry.redhat.io.

Getting a Red Hat Login

To use the registry.redhat.io registry, you have to have a Red Hat login. If you are a customer with entitlements to Red Hat products, you already have an account. This is the same type of account that you use to log into the Red Hat Customer Portal (access.redhat.com) and manage your Red Hat subscriptions.

If you do not have a Red Hat account, you can get a free Red Hat account by signing up for one of the following:

Once you agree to the terms and get a Red Hat account, you can use that account to log into the new Red Hat registry and get images. Keep in mind that you would still need entitlements from Red Hat to add or update RPM packages while building or updating an image using yum.

Using Authentication

To retrieve content from an authenticated registry, you need to log into the registry using your Customer Portal, Red Hat Developer, or Registry Service Account credentials.

To log in to the registry.redhat.io registry, you can use the podman login, skopeo login, or buildah login commands. You can replace any docker command examples used throughout this article with the podman command. From OpenShift, Satellite, or other shared environments, you must use Service Accounts for authentication.

To use Podman to authenticate to registry.redhat.io:

# podman login registry.redhat.io
Username: myrhusername
Password: ***********

To use Skopeo to authenticate to registry.redhat.io:

# skopeo login registry.redhat.io
Username: myrhusername
Password:  ***********

To use the docker login command to authenticate to registry.redhat.io:

# docker login https://registry.redhat.io
Username: myrhusername
Password:  ***********

You can pull the image from the registry.redhat.io registry as follows:

Using the Skopeo command:

skopeo copy docker://registry.redhat.io/rhel8/pcp containers-storage:registry.redhat.io/rhel8/pcp 

Using the Podman command:

# podman pull registry.redhat.io/rhel8/rsyslog
Username: myrhusername
Password:  xxxxxxxxxxx

When you log into the registry, your credentials are stored in your ${XDG_RUNTIME_DIR}/containers/auth.json file. Those credentials are used automatically the next time you pull from that registry. Here is an example of that file:

   {
           "auths": {
                   "https://registry.redhat.io": {
                           "auth": "c2xmams6c2RmbGtq"
                   }
           }
   }

For other ways to save these credentials, see the config.json description on the docker login page.

For OpenShift nodes you will have an additional step. After you log in, you will need to copy ~/.docker/config.json to /var/lib/origin/.docker/config.json and restart the node.

# cp ~/.docker/config.json /var/lib/origin/.docker/config.json; systemctl restart atomic-openshift-node

Registry Service Accounts for Shared Environments

To consume container images from registry.redhat.io in shared environments such as OpenShift, it is recommended that an administrator use a Registry Service Account, also referred to as an authentication token, in place of an individual's Customer Portal credentials.

Service Accounts are a mechanism provided to a Customer Portal organization, used exclusively for authenticating to and retrieving content from registry.redhat.io. The use of Service Accounts is encouraged to prevent the need to use Customer Portal credentials on shared systems. In contrast to Customer Portal accounts, Registry Service Accounts are resilient to some security controls applied to Customer Portal accounts, such as mandated password resets.

The management of Service Accounts is available via the Registry Service Account management application. You have the freedom to decide how many Service Accounts are created and how they are used on your systems. As a guideline, you may opt to use one Service Account per shared system (such as an OpenShift Container Platform cluster).

Managing Registry Service Accounts

Within the application for Service Account Management, there is a simple approach to split authorization for management of tokens. The ability to create, modify, or remove Service Accounts is defined by whether a Customer Portal login has the Organization Administrator role assigned.

Customer Portal Organization Administrators can:

  • View all Registry Service Accounts created for an organization.
  • Create Registry Service Accounts.
  • Modify or remove any Registry Service Accounts.

Customer Portal Users (non-organization Admins) can:

  • View all Registry Service Accounts for an organization.
  • Create Registry Service Accounts.
  • Only modify or remove Registry Service Accounts they have created.

Regardless of which user creates a Service Account, the account can be viewed by other Customer Portal users within the same organization. There is no functionality to conceal a Service Account and its associated credentials from being viewed by others within the organization.

Creating Registry Service Accounts

Navigate to the Registry Service Account Management Application, and log in if necessary.

  1. From the Registry Service Accounts page, click the New Service Account button.
  2. Provide a name for the Service Account. It will be prepended with a fixed, random string.
    • Enter a description.
    • Click create.
  3. Navigate back to your Service Accounts.
  4. Click the Service Account you created.
    • Note the username, including the prepended string (i.e. XXXXXXX|username). This is the username which should be used to login to registry.redhat.io.
    • Note the password. This is the password which should be used to login to registry.redhat.io.

There are tabs available within the Token Information page which offer guidance on how to use the authentication token for various scenarios. For example, the Docker Login tab demonstrates how the token can be used with the docker CLI.
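Added example (not part of the original article or of any Red Hat tooling): a Python audit of the auth.json file described earlier. It shows that each "auth" value is only base64-encoded "username:password", reports whether the file is readable by other users, and separates Registry Service Account logins from personal Customer Portal logins. It assumes service account usernames contain the "|" separator shown above; the function names, file names and the 1234567|ci-cluster token are constructed for illustration.

```python
import base64
import binascii
import json
import os
import stat
import tempfile

# "auth" value copied from the auth.json sample shown in this article.
ARTICLE_SAMPLE_AUTH = "c2xmams6c2RmbGtq"


def decode_auth(auth_b64):
    """Decode an 'auth' value into (username, password); None if it is not base64 'user:pass'."""
    try:
        raw = base64.b64decode(auth_b64, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    username, sep, password = raw.partition(":")
    return (username, password) if sep else None


def classify_username(username):
    """Assumption: service account usernames use the 'XXXXXXX|name' form from this article."""
    return "service-account" if "|" in username else "personal-login"


def audit_auth_file(path):
    """Report file exposure and the kind of login stored for each registry.

    Passwords are decoded only to split the pair and are never returned.
    """
    mode = stat.S_IMODE(os.stat(path).st_mode)
    with open(path, encoding="utf-8") as fh:
        auths = json.load(fh).get("auths", {})
    entries = []
    for registry, entry in sorted(auths.items()):
        creds = decode_auth(entry.get("auth", ""))
        if creds is None:
            # No inline credential, e.g. the entry is empty or not base64.
            entries.append({"registry": registry, "username": None, "kind": "undecodable"})
        else:
            entries.append({"registry": registry, "username": creds[0],
                            "kind": classify_username(creds[0])})
    return {
        "mode": "%04o" % mode,
        "readable_by_others": bool(mode & 0o077),
        "entries": entries,
        "personal_logins": [e["registry"] for e in entries if e["kind"] == "personal-login"],
    }


def write_sample(directory, name, auths, mode):
    """Write a constructed auth file with the given permissions and return its path."""
    path = os.path.join(directory, name)
    with open(path, "w", encoding="utf-8") as fh:
        json.dump({"auths": auths}, fh)
    os.chmod(path, mode)
    return path


def demo():
    """Audit two constructed files: a personal login left world-readable, and a token at 0600."""
    token_auth = base64.b64encode(b"1234567|ci-cluster:constructed-token").decode("ascii")
    with tempfile.TemporaryDirectory() as tmp:
        shared = write_sample(tmp, "shared-host.json",
                              {"https://registry.redhat.io": {"auth": ARTICLE_SAMPLE_AUTH}}, 0o644)
        hardened = write_sample(tmp, "hardened-host.json",
                                {"registry.redhat.io": {"auth": token_auth}}, 0o600)
        return audit_auth_file(shared), audit_auth_file(hardened)


if __name__ == "__main__":
    for report in demo():
        print(json.dumps(report, indent=2))
```

On a shared system, any entry listed under personal_logins is a Customer Portal password that every reader of the file can recover, which is the case Registry Service Accounts are meant to avoid.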

Modifying Authentication Tokens

As with Service Account creation, accounts can be modified or deleted through the management application. Each function can be invoked from the Registry Service Accounts page using the pop-up menu to the right of each authentication token. The functions are as follows:

  • Regenerate token: Allows an authorized user to reset the password associated with the Service Account. The username for the Service Account does not change.
  • Update Description: Allows an authorized user to update the description for the Service Account.
  • Delete Account: Allows an authorized user to remove the Service Account.

Warning: The regeneration or removal of Service Accounts will impact any systems which may be using the token to authenticate and retrieve content from registry.redhat.io.

Allowing Pods to Reference Images from Other Secured Registries

The .dockercfg file (or $HOME/.docker/config.json for newer Docker clients) is a Docker credentials file that stores your information if you have previously logged into a secured or insecure registry.

To pull a secured container image that is not from OpenShift Container Platform’s internal registry, you must create a pull secret from your Docker credentials and add it to your service account.

If you already have a .dockercfg file for the secured registry, you can create a secret from that file by running:

$ oc create secret generic <pull_secret_name> \
    --from-file=.dockercfg=<path/to/.dockercfg> \
    --type=kubernetes.io/dockercfg

Or if you have a $HOME/.docker/config.json file:

$ oc create secret generic <pull_secret_name> \
    --from-file=.dockerconfigjson=<path/to/.docker/config.json> \
    --type=kubernetes.io/dockerconfigjson

If you do not already have a Docker credentials file for the secured registry, you can create a secret by running:

$ oc create secret docker-registry <pull_secret_name> \
    --docker-server=<registry_server> \
    --docker-username=<user_name> \
    --docker-password=<password> \
    --docker-email=<email>

To use a secret for pulling images for pods, you must add the secret to your service account. The name of the service account in this example should match the name of the service account the pod uses; default is the default service account:

$ oc secrets link default <pull_secret_name> --for=pull

To use a secret for pushing and pulling build images, the secret must be mountable inside of a pod. You can do this by running:

$ oc secrets link builder <pull_secret_name>

For builds, you must also reference the secret as the pull secret from within your build configuration.
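Added example (not from the original article or the oc client): creating a secret with --from-file=.dockerconfigjson=<path> stores the whole credentials file, including logins for every other registry in it. The Python sketch below builds a kubernetes.io/dockerconfigjson Secret manifest that carries only the entry for one registry and rejects names that are not valid DNS-1123 subdomains. The sample config, secret name, namespace and helper names are constructed for illustration.

```python
import base64
import json
import re

# Kubernetes requires Secret names to be DNS-1123 subdomains (lowercase, at most 253 chars).
DNS1123_SUBDOMAIN = re.compile(
    r"^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$"
)


def _auth(pair):
    """Encode a constructed 'user:password' pair the way docker/podman login stores it."""
    return {"auth": base64.b64encode(pair.encode("utf-8")).decode("ascii")}


# Constructed config.json: one service account token plus two unrelated logins.
SAMPLE_CONFIG = {
    "auths": {
        "https://registry.redhat.io": _auth("1234567|ocp-prod:constructed-token"),
        "quay.io": _auth("alice:constructed-personal-password"),
        "registry.internal.example:5000": _auth("deploy:constructed-password"),
    }
}


def registry_host(key):
    """Normalise an 'auths' key such as 'https://registry.redhat.io/v2/' to its host[:port]."""
    return key.split("://", 1)[-1].split("/", 1)[0].lower()


def all_registries(config):
    """Hosts that would end up in the cluster if the whole file were uploaded."""
    return sorted(registry_host(k) for k in config.get("auths", {}))


def build_pull_secret(config, registry, name, namespace):
    """Return a Secret manifest (as a dict) holding only the credentials for `registry`."""
    if len(name) > 253 or not DNS1123_SUBDOMAIN.match(name):
        raise ValueError("secret name %r is not a DNS-1123 subdomain" % name)
    wanted = {k: v for k, v in config.get("auths", {}).items()
              if registry_host(k) == registry}
    if not wanted:
        raise LookupError("no credentials for %s in the supplied config" % registry)
    payload = json.dumps({"auths": wanted}, sort_keys=True).encode("utf-8")
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name, "namespace": namespace},
        "type": "kubernetes.io/dockerconfigjson",
        "data": {".dockerconfigjson": base64.b64encode(payload).decode("ascii")},
    }


def registries_in_secret(secret):
    """Decode a manifest built above and list the registry hosts it exposes."""
    payload = base64.b64decode(secret["data"][".dockerconfigjson"])
    return sorted(registry_host(k) for k in json.loads(payload)["auths"])


if __name__ == "__main__":
    print("whole file would upload:", all_registries(SAMPLE_CONFIG))
    secret = build_pull_secret(SAMPLE_CONFIG, "registry.redhat.io", "redhat-pull", "myproject")
    print("filtered secret uploads:", registries_in_secret(secret))
    # The JSON manifest can be reviewed and then applied with: oc apply -f <file>
    print(json.dumps(secret, indent=2))
```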

Learning More About Red Hat Registry

Here are a few other resources to help you get started with registry.redhat.io:

  • Troubleshooting: If you are in a security-hardened environment, you may need to make internal changes to whitelist registry.redhat.io on proxies. You can follow the Troubleshooting Authentication Issues with registry.redhat.io article to verify connectivity with registry.redhat.io.
  • Where to get further help: If you need further help, open a support ticket for your product through the Red Hat Customer Portal.

33 Comments

broken link Red Hat Developer Program: Signing up for a free developer account gives you access to developer tools and programs. points to https://access.redhat.com/developers.redhat.com which is giving a 404

Thanks for pointing that out, Aurélien. I fixed the link. It should have been https://developers.redhat.com.

Hello! Great note. I came here because my CDK 3.7.01 did not download the images. I've created the account on config.json by authenticating with docker login, then I created the secret on the openshift project, and then I imported the images. Here are some notes:

0) make sure you have proper credentials. 
1) docker login (so that the .docker/config.json gets created)
2) oc create secret generic "redhat.io" --from-file=.dockerconfigjson=config.json --type=kubernetes.io/dockerconfigjson
3) oc import-image --all=true redhat-sso72-openshift

this allowed me to import the images just for the selected imagestream for rh-sso 7.2

Is there a way to get registry.redhat.io catalog as you could do with a private docker registry by command to API?

Example:

curl -X GET https://myprivateregistry.fqdn/v2/_catalog
{"repositories":["flk_cfrequeststchk","portainer/agent","portainer/portainer","rh7-php56-fpm-rhel7","rhel7-minimal","rhel7minimalrphy27"]}

#Like....
curl -X GET https://registry.redhat.io/v2/_catalog

Regards

For the step to apply config.json to OpenShift nodes, the command syntax was incorrect.

# cp ~/.docker /var/lib/origin/ systemctl restart atomic-openshift-node

should be this instead:

# cp ~/.docker/config.json /var/lib/origin/.docker/config.json; systemctl restart atomic-openshift-node

Thanks for making that change, Kevin. I published it.

When creating shared registry tokens,

1) The web site says you can use underscores in the name, but it will not validate.
2) Using uppercase letters in the name will cause the returned secret to be invalid, since the secret name is required to be DNS compliant. You need to edit the yaml in order to set the name lowercase.

Hi, I am using minishift on my Windows laptop. I tried to import images from Red Hat registry with following command,

$ minishift addons apply xpaas

However I get following error while browsing through the image list,

Internal error occurred: Get https://registry.redhat.io/v2/fuse7/fuse-console/manifests/1.0: unauthorized: Please login to the Red Hat Registry using your Customer Portal credentials. Further instructions can be found here: https://access.redhat.com/articles/3399531. Timestamp: 2019-07-24T15:13:41Z Error count: 2

Appreciate if you could help me resolve this.

Thanks, Pravin

I created a draft for this: https://access.redhat.com/node/3399531/draft Tried to make the procedure look more explicit

Those changes look good Michal, so I published them. In the old days, we used to mark commands in bold, to make it clearer when a # was a prompt and not indicating a comment. It's good to remind people every once in a while that # means a command run by the superuser and # in a file is a comment.

I'm not able to log in using my username and password. From docker:

"Get https://registry.redhat.io/v2/: unauthorized"

Trying with curl -Lv -u : "https://sso.redhat.com/auth/realms/rhcc/protocol/redhat-docker-v2/auth?service=docker-registry&client_id=curl&scope=repository:rhel:pull" :

{"errors":[{"code":"UNAUTHORIZED","message":"Please login to the Red Hat Registry using your Customer Portal credentials. Further instructions can be found here: https://access.redhat.com/articles/3399531","detail":[{"type":"repository","name":"rhel","actions":["pull"]}]}]}.

But when I've created Registry Service Account I'm able to login using the token. Is this normal behavior?

Hi Artur, AFAIK, this is not normal behavior; you should also be able to log in using your Customer Portal credentials if you have any subscription. Can you please try the following command instead of docker login?

$ podman login registry.redhat.io --log-level debug

Best Regards.

Don't know why after I've changed password everything works fine.

Difficult to know, maybe some sync issue. Anyway, I'm glad you could solve it.

Regards.

Hello All,

I cannot see anything when I look at https://access.redhat.com/terms-based-registry/. I am logged in with my partner account. I will also raise a support call. I just see the rotating circle any ideas before I raise a support call? I have accepted the terms of the developer network.

Any help much appreciated,

Kevin.

Hi, I am working on a mirror registry as part of an air-gap installation of our product, following this link: "https://docs.openshift.com/container-platform/4.2/installing/install_config/installing-restricted-networks-preparations.html#installation-restricted-network-samples_installing-restricted-networks-preparations". As part of it, I am facing an issue while executing the second command, i.e. "oc image mirror registry.redhat.io/rhscl/ruby-25-rhel7:latest ip-10-0-3-204.us-east-2.compute.internal:5000/rhscl/ruby-25-rhel7:latest"

And the error is : "error: unable to retrieve source image registry.redhat.io/rhscl/ruby-25-rhel7 by tag latest: Head https://registry.redhat.io/v2/rhscl/ruby-25-rhel7/manifests/latest: unauthorized: Please login to the Red Hat Registry using your Customer Portal credentials. Further instructions can be found here: https://access.redhat.com/RegistryAuthentication error: an error occurred during planning"

Can any one please help me out of this issue. Thanks.

Hi Vamshidhar,

Please note that Using Samples Operator imagestreams with alternate or mirrored registries step is what we call a second-day operation that has to be performed once the cluster has been installed and you are logged in as cluster-admin.

If needed, you can also locally test that image with your registry.redhat.io credentials as follows:

$ podman login registry.redhat.io
$ skopeo inspect docker://registry.redhat.io/rhscl/ruby-25-rhel7:latest

NOTE: If more help is needed, please create a support case and we'll properly guide you with the troubleshooting over there.

Best Regards.

Thanks for your response @Pedro Jose Amoedo Martinez. But have some doubts regarding your response. Please let me know the answers of these following questions: I am executing these steps in mirror registry where the Openshift is yet to install and only oc cli is installed in it. Am I executing in correct place or not Cluster means Openshift 4.3 cluster or the linux machine with mirror registry and oc cli installed in it?

Thanks.

where exactly I need to install these commands?

Hi Vamshidhar, that's exactly what I thought, you are trying to execute a post-installation step within your mirror registry host, but that optional step for samples operator imagestreams is to be run after the cluster is properly installed, in your case it should be sufficient with the previous step Mirroring the OpenShift Container Platform image repository to proceed with the installation.

Best Regards.

got it. Thanks Pedro Jose Amoedo Martinez.

Hi Pedro, How are you? Expecting a small favour from you in the form of your response. Here is the issue description: While I am trying to execute this command "oc adm -a ${LOCAL_SECRET_JSON} release mirror \ --from=quay.io/${PRODUCT_REPO}/${RELEASE_NAME}:${OCP_RELEASE} \ --to=${LOCAL_REGISTRY}/${LOCAL_REPOSITORY} \ --to-release-image=${LOCAL_REGISTRY}/${LOCAL_REPOSITORY}:${OCP_RELEASE}" to mirror the repository, following this link "https://docs.openshift.com/container-platform/4.3/installing/install_config/installing-restricted-networks-preparations.html#installation-mirror-repository_installing-restricted-networks-preparations"

But am facing this issue. "

phase 0: ip-172-31-44-157.us-east-2.compute.internal:5000 ocp4/openshift4 blobs=215 mounts=0 manifests=103 shared=5

"

Can anyone help me out of this issue?

Hi Vamshidhar, I must insist that you raise a support case for this. This is not the proper place for this type of troubleshooting, nor for posting such long command output. Thanks for your understanding.

Best Regards.

AWS restricted network cluster setup - CSR issue ( oc get csr not displaying anything after adding worker machines ). Do I need to open any ports for outbound access?

I'm using OpenShift 4.3.12.

I'm trying to set up an OpenShift cluster in AWS with a restricted network. I'm using user-provisioned infrastructure and following this link: https://docs.openshift.com/container-platform/4.3/installing/installing_aws/installing-restricted-networks-aws.html

I'm setting up an AWS restricted network cluster. I have a VPC with a public and a private subnet. In the public subnet I configured the mirror registry and in private registry I configured my OpenShift cluster. The VPC has an "internet gateway attached". As this is a restricted AWS cluster install, in the private subnet where my OpenShift cluster is configured I removed outbound access and added rules to limit all traffic to the public and private subnet CIDR ranges using the private subnet Network ACL.

After adding worker machines, I executed the command "oc get csr" and I couldn't see any pending CSR requests; it's empty. Then I added a rule in my private subnet Network ACL to allow all traffic to 0.0.0.0/0, and then I was able to see all pending CSR requests.

kube-controller-manager only approves the kubelet client CSRs, so why does it require opening all traffic to everyone?

As I don't want to open all traffic, are there any specific ports I need to open to a specific IP range for pending CSR requests?

If this is not the proper place to post this question, can you please let me know where to post it?

Hi Shashidhar, please raise a support case and we'll be glad to help you with the troubleshooting over there. This is not the proper place for that. Thanks for your understanding.

Best Regards.

Hi, while I am trying to execute this command

  oc adm -a ${LOCAL_SECRET_JSON} release mirror \
    --from=quay.io/${PRODUCT_REPO}/${RELEASE_NAME}:${OCP_RELEASE} \
    --to=${LOCAL_REGISTRY}/${LOCAL_REPOSITORY} \
    --to-release-image=${LOCAL_REGISTRY}/${LOCAL_REPOSITORY}:${OCP_RELEASE}

to mirror the repository, following this link: https://docs.openshift.com/container-platform/4.3/installing/install_config/installing-restricted-networks-preparations.html#installation-mirror-repository_installing-restricted-networks-preparations

But I am facing this issue. "

phase 0: ip-172-31-44-157.us-east-2.compute.internal:5000 ocp4/openshift4 blobs=215 mounts=0 manifests=103 shared=5

info: Planning completed in 19.54s "

Can anyone help me out of this issue?
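The file passed with `-a` in the command above has to carry a credential for every registry the command touches, the source as well as the destination mirror. The following script is an added example, not part of the original comment or of Red Hat's tooling: it audits such a file against a list of image references without printing any secret. The sample file, the host `mirror.example.internal` and the simplified exact host[:port] matching are assumptions.

```python
import base64
import binascii
import json

# Constructed sample in the "auths" layout of a registry auth file.
# Hosts and credentials are made up for this example.
SAMPLE_AUTHFILE = json.dumps({
    "auths": {
        "quay.io": {
            "auth": base64.b64encode(b"example-user:example-token").decode()},
        # Entry written without the port the mirror actually listens on.
        "mirror.example.internal": {
            "auth": base64.b64encode(b"admin:example-password").decode()},
        # Entry whose auth value was damaged while editing the file.
        "broken.example.internal:5000": {"auth": "not-base64!!"},
    }
})


def registry_of(image_ref):
    """Return the host[:port] part of an image reference or auths key."""
    ref = image_ref.split("://", 1)[-1]  # drop an optional scheme
    return ref.split("/", 1)[0].lower()


def check_entry(entry):
    """Classify one auths entry; the secret itself is never returned."""
    raw = entry.get("auth")
    if not raw:
        return "no-auth-field"
    try:
        decoded = base64.b64decode(raw, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return "not-base64"
    user, sep, password = decoded.partition(":")
    if not sep or not user or not password:
        return "not-user-colon-password"
    return "ok"


def audit_authfile(authfile_text, image_refs):
    """Map each registry used by image_refs to 'ok' or a failure reason.

    Assumption: a key matches only on an exact host[:port] comparison,
    so "host" and "host:5000" count as different registries.
    """
    auths = json.loads(authfile_text).get("auths", {})
    by_host = {registry_of(key): value for key, value in auths.items()}
    report = {}
    for ref in image_refs:
        host = registry_of(ref)
        if host not in by_host:
            report[host] = "missing"
        else:
            report[host] = check_entry(by_host[host])
    return report


if __name__ == "__main__":
    refs = [
        "quay.io/openshift-release-dev/ocp-release",
        "mirror.example.internal:5000/ocp4/openshift4",
        "broken.example.internal:5000/ocp4/openshift4",
    ]
    for host, status in audit_authfile(SAMPLE_AUTHFILE, refs).items():
        print(f"{host}: {status}")
```
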

In section "Registry Service Accounts for Shared Environments" there's a paragraph starting with:

"The management of Service Accounts is available via the Registry Service Account management application, also accessible by the Service Accounts link on the main page of the Red Hat Container Catalog."

Statement seems wrong, there is no such link "Service Accounts" on the Red Hat Container Catalog main page. (The page I'm redirected to is https://catalog.redhat.com/software/containers/explore .)

Hi Tomas, you are right, that link is no longer working as expected. However, the same paragraph also mentions the following:

"The management of Service Accounts is available via the Registry Service Account management application"

That management application link should properly redirect you to https://access.redhat.com/terms-based-registry/ where you can properly manage the "Service Accounts". Can you please confirm?

Best Regards.

Yes, I can confirm. For some reason I got fixated on going to the Container Catalog first :). Looks OK.

Perfect, thanks for the confirmation.

If you are using dockerStrategy and need to use registry.redhat.io you can add the pull secret in the build.

  source:
    dockerfile: |-
      FROM registry.redhat.io/rhel8/python-38
    type: Dockerfile
  strategy:
    dockerStrategy:
      forcePull: true
      pullSecret:
        name: you-pull-secret

Hi, please take a look:

Case 1: OpenShift 4.3

This command works only if I put the secret in the namespace:

  ./oc import-image test01:latest --from=registry.redhat.io/rhscl/redis-5-rhel7:latest --confirm -n maraco

If there is no secret, this message will be output:

  ! error: Import failed (InternalError): Internal error occurred: registry.redhat.io/rhscl/redis-5-rhel7:latest: Get https://registry.redhat.io/v2/rhscl/redis-5-rhel7/manifests/latest: unauthorized: Please login to the Red Hat Registry using your Customer Portal credentials. Further instructions can be found here: https://access.redhat.com/RegistryAuthentication

If I understood correctly, the other option to be able to put images from registry.redhat.io was to copy the credentials in "/var/lib/origin/.docker/config.json" on all worker nodes. The thing is, I can't find this file on masters or workers. Should I create this file manually?

Case 2: OpenShift 4.5

The same command works all the time on any namespace, with no secret or anything required:

  ./oc import-image test01:latest --from=registry.redhat.io/rhscl/redis-5-rhel7:latest --confirm -n maraco

Why is this working?

Thanks a lot.

Hi Miguel, it is a new feature included in 4.5; here you have the release note about it.

Best Regards.

Thanks a lot.