-1

I am trying to connect to the internal Docker registry of an OpenShift cluster with:

/bin/docker login -u user -p password `oc get svc -n default | grep docker-registry`:5000

Getting the following message:

Error response from daemon: Get https://VirtualIP:5000: cannotconnect
monty

1 Answer

0

I'm going to assume that you are using OpenShift version 4. Possibly this may even be in the form of CodeReady Containers (a single-node OpenShift 4 developer type of environment).

OpenShift will expose its container registry on the following URL:

https://default-route-openshift-image-registry.apps-crc.testing:5000/

(where apps-crc.testing is the application domain you have in your deployment). Note that this is for EXTERNAL access to the image repository; internally you'll want to refer to an image (in this case, the image 'shiny-proxy:latest' in the project 'shiny') as follows:

image-registry.openshift-image-registry.svc:5000/shiny/shiny-proxy:latest

For CodeReady Containers, you might see: https://code-ready.github.io/crc/#accessing-the-internal-openshift-registry_gsg

Which will also help you with certificate issues (e.g. self-signed certificates).

Pay particular attention to how you log in; you don't use a password, but instead you use a token, which you can get with 'oc whoami -t'.

PS> docker login -u developer -p $(oc whoami -t) `
https://default-route-openshift-image-registry.apps-crc.testing:5000/

Special note for CodeReady Containers and 'vsock' mode

If you are using the 'vsock' mode, you'll need to port-forward to the image-registry service (as kubeadmin; developer user won't have access). Additionally, the Docker daemon will need to be able to connect to that forwarded port, and 127.0.0.1 won't work, so allow the port-forward to be connected to from 0.0.0.0 (note potential access issue) and have Docker connect to 'host.docker.internal'.

PS> oc -n openshift-image-registry port-forward service/image-registry 5000:5000 --address 0.0.0.0

You need to adjust the Docker Daemon's insecure registries to add host.docker.internal:

{
  "registry-mirrors": [],
  "insecure-registries": [
    "host.docker.internal:5000"
  ],
  "debug": false,
  "experimental": false,
  "features": {
    "buildkit": true
  }
}

PS> docker login -u developer -p $(oc whoami -t) host.docker.internal:5000

Granted, the name 'host.docker.internal' is misleading as to this being the OpenShift internal registry. Let's tag and push an image into OpenShift:

PS> docker tag openshift-r-shiny:latest host.docker.internal:5000/cameron-rshiny/openshift-r-shiny:latest
PS> docker push host.docker.internal:5000/cameron-rshiny/openshift-r-shiny:latest

Verify:

PS> oc -n cameron-rshiny get is
NAME                IMAGE REPOSITORY                                                                           TAGS     UPDATED
openshift-r-shiny   default-route-openshift-image-registry.apps-crc.testing/cameron-rshiny/openshift-r-shiny   latest   About a minute ago

See also [Epic] daemon GA

Cameron Kerr
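
The 'vsock' procedure from the answer above as one script, arranged so that the token reaches docker on stdin instead of the command line, and so that the 0.0.0.0 listener and the stored registry credential are removed once the push finishes. This is an added example, not part of the original answer; it assumes Windows PowerShell, an `oc` session that is allowed to port-forward, the `insecure-registries` entry shown in the answer, and the image and project names the answer uses.

```powershell
# Added example, not from the original answer. Names below are the ones used in the answer.
$registry   = 'host.docker.internal:5000'
$localImage = 'openshift-r-shiny:latest'
$remoteRepo = 'cameron-rshiny/openshift-r-shiny:latest'

# Run the port-forward in the background so it can be torn down afterwards.
# While it runs, --address 0.0.0.0 exposes the registry port on every host interface.
$pf = Start-Process oc -PassThru -NoNewWindow -ArgumentList @(
    '-n', 'openshift-image-registry', 'port-forward', 'service/image-registry',
    '5000:5000', '--address', '0.0.0.0')

try {
    # Give the forwarder a moment, then make sure it did not exit (e.g. no permission).
    Start-Sleep -Seconds 3
    if ($pf.HasExited) { throw 'oc port-forward exited; check that this user may port-forward' }

    # Token of the current oc session, passed on stdin so it does not appear in the
    # process command line or in the shell history.
    oc whoami -t | docker login -u developer --password-stdin $registry
    if ($LASTEXITCODE -ne 0) { throw 'docker login failed' }

    docker tag $localImage "$registry/$remoteRepo"
    if ($LASTEXITCODE -ne 0) { throw 'docker tag failed' }

    docker push "$registry/$remoteRepo"
    if ($LASTEXITCODE -ne 0) { throw 'docker push failed' }

    # Same verification step as in the answer.
    oc -n cameron-rshiny get is
}
finally {
    # Drop the stored credential for this registry and close the listener.
    docker logout $registry
    if (-not $pf.HasExited) { Stop-Process -Id $pf.Id -Force }
}
```

The `insecure-registries` entry in the Docker daemon configuration persists after the script ends; remove it from the daemon settings when the forwarded registry is no longer needed.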