Why am I getting this "unauthorized" error when trying to mirror OKD installation images from Quay.io?

11/3/2020

I have been working on an installation of OKD on an air-gapped environment. The first major step has been mirroring the OKD images so that they can be moved over to the new environment and pulled locally. I've been following a combination of the OpenShift documentation and this article, as well as this resource for getting my certificates set up. I have been making slow but consistent progress.

However, I am now having trouble when attempting to actually mirror the files using

oc adm -a ${LOCAL_SECRET_JSON} release mirror \ 
--from=quay.io/${PRODUCT_REPO}/${RELEASE_NAME}:${OCP_RELEASE}-${ARCHITECTURE} \ 
--to=${LOCAL_REGISTRY}/${LOCAL_REPOSITORY} \ 
--to-release-image=${LOCAL_REGISTRY}/${LOCAL_REPOSITORY}:${OCP_RELEASE}-${ARCHITECTURE}

I get the following, encouraging response:

info: Mirroring 120 images to host.okd-registry.dns:5000/ocp4/openshift4 ...

followed by blobs: and manifests: lines, and finally the line

stats: shared=0 unique=7 size=105.3MiB ratio=1.00

I then get about 50 lines stating

error: unable to retrieve source image quay.io/openshift-release-dev/ocp-v4.0-art-dev manifest
sha256:{some value}: unauthorized: access to the requested resource is not authorized

I have a quay account but I am not sure if that is required even after my research, and if it is, where or how I would log into it. I have attempted doing so using oc login followed by various addresses within the release structure, but if this is the solution, I may be using the wrong arguments as I have not been able to find any instructions on doing this.

I have also tried the command with sudo. I doubt that is an issue but I tried it anyway.

I suppose the issue could be with my certificates, but I am not sure how to determine if this is the case.

Any guidance or suggestions would be much appreciated.

-- Blake Simmons
containers
kubernetes
okd
openshift
quay.io

1 Answer

11/10/2020

It has been determined that the OKD documentation is inaccurate at the time that I am posting this answer, and was instructing readers to pull from the OCP image repository rather than the OKD repository, which apparently requires additional credentials. A bug has been logged and the documentation will hopefully be updated soon.

The correct environment variables and full command to mirror the images are as follows:

LOCAL_REGISTRY=localhost:5000 (or your local domain name and port for the registry)
LOCAL_REPOSITORY=okd
LOCAL_SECRET_JSON=<full path to your pull secret>
OCP_RELEASE=4.5.0-0.okd-2020-10-15-235428
PRODUCT_REPO=openshift
RELEASE_NAME=okd
ARCHITECTURE=not-used-in-okd


oc adm -a ${LOCAL_SECRET_JSON} release mirror \
--from=quay.io/${PRODUCT_REPO}/${RELEASE_NAME}:${OCP_RELEASE} \
--to=${LOCAL_REGISTRY}/${LOCAL_REPOSITORY} \
--to-release-image=${LOCAL_REGISTRY}/${LOCAL_REPOSITORY}:${OCP_RELEASE} --dry-run
-- Blake Simmons
Source: StackOverflow