OpenShift - Resolve "Failed to pull image proxyconnect timeout"


Let's say the oc get events command returns something like this. Notice that this output includes "proxyconnect" and "i/o timeout". This suggests a proxy server is being used when attempting to pull an image from registry.redhat.io.

3m11s       Warning   Failed    pod/mypod   Failed to pull image "registry.redhat.io/openshift4/ose-hello-openshift-rhel8": rpc error: code = Unknown desc = error pinging docker registry registry.redhat.io: Get "https://registry.redhat.io/v2/": proxyconnect tcp: dial tcp <IP address>:<port>: i/o timeout

 

The oc get proxy command can be used to list the proxy servers. In this example, there is a proxy server named "cluster".

~]$ oc get proxy
NAME      AGE
cluster   622d

 

The oc describe proxy cluster command can be used to display more information on the cluster proxy server (http://proxy.example.com in this example).

~]$ oc describe proxy cluster
Name:         cluster
Namespace:    
Labels:       <none>
Annotations:  <none>
API Version:  config.openshift.io/v1
Kind:         Proxy
Metadata:
  Creation Timestamp:  2020-09-30T15:40:25Z
  Generation:          1
  Managed Fields:
    API Version:  config.openshift.io/v1
    Fields Type:  FieldsV1
    fieldsV1:
      f:spec:
        .:
        f:httpProxy:
        f:httpsProxy:
        f:noProxy:
        f:trustedCA:
          .:
          f:name:
      f:status:
        .:
        f:httpProxy:
        f:httpsProxy:
    Manager:      cluster-bootstrap
    Operation:    Update
    Time:         2020-09-30T15:40:25Z
    API Version:  config.openshift.io/v1
    Fields Type:  FieldsV1
    fieldsV1:
      f:status:
        f:noProxy:
    Manager:         cluster-network-operator
    Operation:       Update
    Time:            2022-02-02T14:20:38Z
  Resource Version:  747167713
  Self Link:         /apis/config.openshift.io/v1/proxies/cluster
  UID:               69f64d95-6665-4233-8ce5-813b2cf84e06
Spec:
  Http Proxy:   http://proxy.example.com
  Https Proxy:  http://proxy.example.com
  No Proxy:     .example.com
  Trusted CA:
    Name:  user-ca-bundle
Status:
  Http Proxy:   http://proxy.example.com
  Https Proxy:  http://proxy.example.com
  No Proxy:     .cluster.local,.svc,.example.com,10.9.0.0/14,localhost
Events:         <none>

 

If you have access to the proxy server, you might need to focus on why the proxy server is timing out when attempting to ping registry.redhat.io.

curl can be used to test if you are able to authenticate against sso.redhat.com using your proxy server.

curl \
--location \
--proxy <hostname or ip address of your proxy server>:<port> \
--proxy-user <proxy server username>:<proxy server password> \
--user <Red Hat username>:<Red Hat password> \
"https://sso.redhat.com/auth/realms/rhcc/protocol/redhat-docker-v2/auth?service=docker-registry&client_id=curl&scope=repository:rhel:pull" \
-v

 


Egress

Egress provides a way for an application deployed on OpenShift to access an external URL, such as http://www.example.com.

 

The oc get netnamespaces command can be used to list the netid and egress IP addresses associated with a project / namespace. In this example, no Egress IP addresses are listed, which will most likely deny any request going outside the network.

~]# oc get netnamespace foo
NAME          NETID      EGRESS IPS
foo           10932896

 

The oc patch netnamespace command can be used to assign an egress IP address to a project / namespace.

~]# oc patch netnamespace foo --type merge --patch '{ "egressIPs": [ "10.7.11.10" ] }'
netnamespace.network.openshift.io/foo patched

 

And now the oc get netnamespaces command shows the project / namespace is allowed to make connections out on a specific IP address.

~]# oc get netnamespace foo
NAME          NETID      EGRESS IPS
foo           10932896   ["10.7.11.10"]

 

The oc get egressnetworkpolicy command can be used to list the egress rules in your current project/namespace. In this example, there is an egress network policy named egress-traffic.

~]$ oc get egressnetworkpolicy --namespace foo
NAME             AGE
egress-traffic   630d

 

The oc describe egressnetworkpolicy command can be used to display egress related configuration. In this example, the egress settings for the project/namespace named foo are displayed. The rules are read in order, which means the deny rule should always be the very last rule.

~]$ oc describe egressnetworkpolicy egress-traffic --namespace foo
Name:        egress-traffic
Namespace:   foo
Created:     10 months ago
Labels:      <none>
Annotations: <none>
Rule:        Allow to 10.7.19.24
Rule:        Allow to proxy.example.com
Rule:        Deny to 0.0.0.0/0

 

If there isn't a rule to allow the proxy server, the oc edit egressnetworkpolicy command can be used to add an Allow rule for the proxy server.

oc edit egressnetworkpolicy egress-traffic --namespace foo
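
As an added example (not part of the original article), the following sh script models the in-order, first-match evaluation described above, using the Rule: lines in the format that oc describe egressnetworkpolicy prints. The function names and the misordered rule set are constructed for illustration, and hostnames are compared by name only, with no DNS lookup.

```sh
#!/bin/sh
# Constructed input: "Rule:" lines as printed by oc describe egressnetworkpolicy.
GOOD_RULES='Rule:        Allow to 10.7.19.24
Rule:        Allow to proxy.example.com
Rule:        Deny to 0.0.0.0/0'
# Constructed misordering: the catch-all Deny now shadows the proxy Allow rule.
BAD_RULES='Rule:        Allow to 10.7.19.24
Rule:        Deny to 0.0.0.0/0
Rule:        Allow to proxy.example.com'

# ip_to_int A.B.C.D: print the IPv4 address as an integer.
ip_to_int() {
  old_ifs=$IFS; IFS=.
  set -- $1
  IFS=$old_ifs
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# target_matches DEST TARGET: succeed if DEST falls under a rule's target.
# Assumption: no DNS lookups, so a hostname matches only a rule naming the
# same hostname or the catch-all 0.0.0.0/0.
target_matches() {
  dest=$1; target=$2
  [ "$dest" = "$target" ] && return 0
  [ "$target" = 0.0.0.0/0 ] && return 0
  case $target in */*) ;; *) return 1 ;; esac      # target is not a CIDR
  case $dest in *[!0-9.]*) return 1 ;; esac        # hostname vs. CIDR
  bits=${target#*/}
  mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))   # 4294967295 = 2^32 - 1
  [ $(( $(ip_to_int "$dest") & mask )) -eq $(( $(ip_to_int "${target%/*}") & mask )) ]
}

# egress_verdict DEST RULES: print the action of the first rule that matches
# DEST, or NoMatch when none does.
egress_verdict() {
  while read -r label action to tgt; do
    [ "$label" = Rule: ] || continue
    if target_matches "$1" "$tgt"; then echo "$action"; return 0; fi
  done <<EOF
$2
EOF
  echo NoMatch
}

echo "proxy, deny last:   $(egress_verdict proxy.example.com "$GOOD_RULES")"
echo "proxy, deny early:  $(egress_verdict proxy.example.com "$BAD_RULES")"
echo "registry directly:  $(egress_verdict registry.redhat.io "$GOOD_RULES")"
```

Pasting the Rule: lines from your own describe output into GOOD_RULES shows whether the Allow rule for the proxy server sits above any Deny rule that covers it.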
