Bug 1209439
Summary: docker fails to authenticate against additional registries
Product: Red Hat Enterprise Linux 7
Component: docker
Version: 7.1
Hardware: x86_64
OS: Linux
Status: CLOSED ERRATA
Severity: high
Priority: unspecified
Target Milestone: rc
Keywords: Extras
Reporter: Michal Minar <miminar>
Assignee: Michal Minar <miminar>
QA Contact: Luwen Su <lsu>
CC: apenney, kasured, lsm5, miabbott, pasteur, sghosh
Fixed In Version: docker-1.5.0-30.el7
Doc Type: Bug Fix
Type: Bug
Last Closed: 2015-05-12 20:14:35 UTC
Doc Text:
Cause:
The code that prevents forwarding credentials belonging to a registry other than the one being contacted did not cope with URLs lacking a scheme. Docker clients have recently started sending these.
Consequence:
All the credentials were thrown away, so users could not authenticate to any registry except docker.io.
Fix:
The Docker daemon's credential checking is now more robust.
Result:
Users can now authenticate against any registry.
Description
Michal Minar
2015-04-07 11:10:06 UTC
Created attachment 1011745: fix authentication issue
Note that this does not fix authentication against additional registries when dealing with unqualified repositories:
docker -d --add-registry $repo
docker login $repo
docker pull user/app
will still fail if $repo requires authentication.
Has there been any movement on this? It blows my mind that with RHEL 7.1 (in EC2) I am unable to pull any of my private containers from quay.io without failures. This seems like a crippling, huge bug, and it's just sitting here for days.

Fixed in docker-1.5.0-30.el7.

Ashley, does the current build address your issue?

How would I get access to -30? In EC2 when I add server-extras it only has -28 currently. Is there another location for docker I should be pulling from?

One can find the latest docker version in the virt7-testing repository. It is version 1.6.0-1.el7 though. If you do not already have the repo file for this repository, you can create it with the contents

[virt7-testing]
name=virt7-testing
baseurl=http://cbs.centos.org/repos/virt7-testing/x86_64/os/
enabled=0
gpgcheck=0

Later on, go ahead and install the latest docker with

yum --enablerepo=virt7-testing install docker

Meanwhile, as the initial reporter of the issue, I can verify that I can no longer reproduce the issue against the latest build version. Login/Logout/Pull/Push are working as expected against the private repo as described in the aforementioned scenario.
Thanks,
Evgeny

Reproduced in docker-1.5.0-28 and verified in docker-1.6.0-11.el7.x86_64.
Anyone can refer to http://www.dropbit.ch/private-docker-registry-with-nginx-on-centos-7/ to build a private docker-registry that uses an https connection.
The key trigger step here is to use
#docker login timesu.com (my repo address)
instead of
#docker login --username=timesu.com --password=$pwd https://timesu.com.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.
For information on the advisory, and where to find the updated files, follow the link below.
If the solution does not work for you, open a new bug report.
https://rhn.redhat.com/errata/RHBA-2015-0993.html
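
The failure mode named in the Doc Text at the top of this report, as an added Go example that is not Docker's code and not the attached patch: a same-registry check that compares parsed hosts drops every credential whose server address has no scheme, while normalizing the address before parsing keeps the check strict without losing valid credentials. The function names and the registry.example.com address are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// naiveHost trusts url.Parse on the raw address. For a scheme-less value such
// as "quay.io" the name lands in Path and Host stays empty.
func naiveHost(addr string) string {
	u, err := url.Parse(addr)
	if err != nil {
		return ""
	}
	return strings.ToLower(u.Host)
}

// registryHost (hypothetical helper) adds a scheme for parsing only when the
// address has none, so "quay.io" and "https://quay.io/v1/" yield the same host.
func registryHost(addr string) string {
	if !strings.Contains(addr, "://") {
		addr = "https://" + addr
	}
	u, err := url.Parse(addr)
	if err != nil {
		return ""
	}
	return strings.ToLower(u.Host) // includes the port, if one was given
}

// mayForward fails closed: credentials go out only when both hosts parse to
// the same non-empty value.
func mayForward(hostOf func(string) string, credAddr, endpoint string) bool {
	c, e := hostOf(credAddr), hostOf(endpoint)
	return c != "" && c == e
}

func main() {
	endpoint := "https://quay.io/v1/" // constructed sample values
	for _, cred := range []string{"https://quay.io", "quay.io", "registry.example.com"} {
		fmt.Printf("%-22s naive=%-5v normalized=%v\n", cred,
			mayForward(naiveHost, cred, endpoint),
			mayForward(registryHost, cred, endpoint))
	}
}
```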