oc-mirror command fails with 401 Unauthorized error
Environment
- Red Hat OpenShift Container Platform (RHOCP)
- 4 oc-mirrorCLI- Disconnected Environment
Issue
-
Even though the registry credentials are correct as per
oc-mirrorin a disconnected environment fails with a "HTTP 401 Unauthorized" error, mirroring is getting failed. -
Mirroring is failing after
oc-mirrorhangs for a while with the below error:error: error rendering new refs: render reference "registry.redhat.io/redhat/redhat-operator-index:v4.14": error resolving name for image ref registry.redhat.io/redhat/redhat-operator-index:v4.14: pulling from host registry.redhat.io failed with status code [manifests v4.14]: 401 Unauthorized
Resolution
Red Hat is aware of the issue and has been tracked in This content is not included.OCPBUGS-31561. The recommendation is to use the latest oc-mirror binary from latest OpenShift version (which is 4.21 at the time of writing), and use the oc-mirror plugin v2.
Workaround for older versions
Note: do not apply the workaround in Production environments.
-
In the
ImageSetConfigurationfile, remove thestorageConfigfield.$ oc edit ImageSetConfiguration -oyaml kind: ImageSetConfiguration apiVersion: mirror.openshift.io/v1alpha2 storageConfig: <--- Remove this entire field registry: imageURL: <registry_URL> skipTLS: true -
Delete the
registrydirectory which is mentioned in imageURL and thenexecuteoc-mirror command again.$ oc mirror --config= <imageset-config.yaml> file:<dir> --source-skip-tls --source-use-http
Root Cause
The recommendation is to use the latest version of oc-mirror and the v2 for mirroring any RHOCP version. Starting with oc-mirror 4.18, the oc-mirror plugin v2 is GA, and it is the recommended option to use.
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.