Pods fail to start when pulling an image from a private container registry

Solution In Progress - Updated -

Environment

  • Red Hat OpenShift Enterprise 3.1

Issue

  • In OpenShift 3.1, pods fail to start because they are not able to pull the new image from the private container registry
  • The error message reads:
Failed to pull image <private-container-registry>/<project>/<image>:<tag>: image pull failed for <private-container-registry>/<project>/<image>:<tag>, this may be because there are no credentials on this request. details: (Error: image <project>/<image>:<tag> not found)

Resolution

Private container registries typically secured and require authentication. The pods are failing to start because the secrets for the private container registry have not been configured.

To pull a secured Docker-formatted container image that is not from OpenShift’s integrated registry, create a configuration secret and add it to the service account.

If a .dockercfg file exists for the secured registry, a secret from that file can be created by running:

$ oc secrets new <pull_secret_name> .dockercfg=<path/to/.dockercfg>

If a $HOME/.docker/config.json (for newer docker clients) file exists for the secured registry, a secret from that file can be created by running:

$ oc secrets new <pull_secret_name> .dockerconfigjson=<path/to/.docker/config.json>

If a .dockercfg file does not already exist, create a secret by running:

$ oc secrets new-dockercfg <pull_secret_name> \
    --docker-server=<registry_server> --docker-username=<user_name> \
    --docker-password=<password> --docker-email=<email>

To use a secret for pulling images for pods, add the secret to the service account. The name of the service account in this example should match the name of the service account the pod will use; default is the default service account:

$ oc secrets add serviceaccount/default secrets/<pull_secret_name> --for=pull

To use a secret for pushing and pulling build images, the secret must be mountable inside of a pod. Accomplished by running:

$ oc secrets add serviceaccount/builder secrets/<pull_secret_name>

Reference: Allowing Pods to Reference Images from Other Secured Registries

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.