| Summary: | Error pulling image, Authentication is required / Server error: 404 | ||
|---|---|---|---|
| Product: | [Fedora] Fedora EPEL | Reporter: | John Eckersberg <jeckersb> |
| Component: | docker-io | Assignee: | Lokesh Mandvekar <lsm5> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | el6 | CC: | dwalsh, golang-updates, jkeck, lsm5, mattdm, mgoldman, vbatts |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2014-05-28 18:19:03 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
|
Description
John Eckersberg
2013-12-03 21:22:45 UTC
Ok, some more detail at least on the "Authentication is required" bit.
GetRemoteHistory contains the following line:
req.Header.Set("Authorization", "Token "+strings.Join(token, ", "))
However, token is a slice with only a single element, and this single string appears to be a previously joined list of tokens. Most importantly is that it appears to have been joined with "," instead of ", " and that makes a difference.
Here's two curl calls to illustrate the difference.
The first doesn't contain the extra space after the comma, and this is the way the code as written is sending the request. You can see it returns a 401 status code (Unauthorized).
$ curl -i https://cdn-registry-1.docker.io/v1/images/a567e6f3d26a5736d00a5e9be9a609b44ab13f0e43fc466f45beaa7ea9054766/ancestry --header 'Authorization: Token signature=545980deb5d0238c5c1fdbe4bc20867932fa8aee,repository="mattdm/fedora",access=read'
HTTP/1.1 401 Unauthorized
Server: cloudflare-nginx
Date: Wed, 04 Dec 2013 00:28:12 GMT
Content-Type: application/json
Content-Length: 41
Connection: keep-alive
Set-Cookie: __cfduid=de296b6a53b52e2ff5883a0e6b303fc811386116891989; expires=Mon, 23-Dec-2019 23:50:00 GMT; path=/; domain=.docker.io; HttpOnly
expires: -1
www-authenticate: Token
pragma: no-cache
cache-control: no-cache
x-docker-registry-version: 0.6.2
x-docker-registry-config: prod
CF-RAY: d74600eeb9c03f4
{
"error": "Requires authorization"
}
The second call adds that extra space, and completes successfully.
$ curl -i https://cdn-registry-1.docker.io/v1/images/a567e6f3d26a5736d00a5e9be9a609b44ab13f0e43fc466f45beaa7ea9054766/ancestry --header 'Authorization: Token ignature=545980deb5d0238c5c1fdbe4bc20867932fa8aee, repository="mattdm/fedora", access=read'
HTTP/1.1 200 OK
Server: cloudflare-nginx
Date: Wed, 04 Dec 2013 00:28:26 GMT
Content-Type: application/json
Content-Length: 74
Connection: keep-alive
Set-Cookie: __cfduid=d493453bb50165de54a9a9cc1021b890d1386116906549; expires=Mon, 23-Dec-2019 23:50:00 GMT; path=/; domain=.docker.io; HttpOnly
last-modified: Thu, 01 Jan 1970 00:00:00 GMT
pragma: no-cache
cache-control: public, max-age=31536000
expires: Thu, 04 Dec 2014 00:28:26 GMT
x-docker-registry-version: 0.6.2
x-docker-registry-config: prod
CF-RAY: d746069e53c03fa
[
"a567e6f3d26a5736d00a5e9be9a609b44ab13f0e43fc466f45beaa7ea9054766"
]
I'm assuming that part of the bug is that the token string slice shouldn't ever be passed in like this. I still need to trace it back and figure out where it's getting joined ahead of time. That's probably the right place to fix it. I see nine places in registry.go where it sets the Authorization header in this manner.
I see at least a few patches on master upstream that are related to this: https://github.com/dotcloud/docker/commit/045989e3d824f577cd90a6386b66a5814e703766 https://github.com/dotcloud/docker/commit/ec4863ae5582d8e7a9dccb57d7f5f3e21c2481ef https://github.com/dotcloud/docker/commit/3b5010e90bd51ba3630f48091ed70111d26dd31a https://github.com/dotcloud/docker/commit/3f921639894d3eca72c9ae105d3ad4f386651caa I've provisioned a clean RHEL 6.5 VM and cannot reproduce this issue there, so whatever the issue is seems to be isolated to this one system. Also of note is that I get the exact same error if I use the docker binary as provided upstream here - https://docs.docker.io/en/latest/installation/binaries/ - so whatever is going on isn't a packaging issue. I see, this didn't occur on my rhel instance either, but I saw a 404 on my rawhide machine for docker-io built using go1.2, need to check I think you'll get the 404 at the end if any of the downloads fail. I think this patch upstream fixes that part: https://github.com/dotcloud/docker/commit/d47507791e14908e78cf38d415a9863c9ef75c5e (In reply to John Eckersberg from comment #5) > I think you'll get the 404 at the end if any of the downloads fail. I think > this patch upstream fixes that part: > > https://github.com/dotcloud/docker/commit/ > d47507791e14908e78cf38d415a9863c9ef75c5e This commit seems to have been included since 0.7.1. I built 0.7.2-2 few mins back, and I guess it should go into testing sometime tomorrow. Could you test it out please. Get it here: http://kojipkgs.fedoraproject.org//packages/docker-io/0.7.2/2.fc20/x86_64/docker-io-0.7.2-2.fc20.x86_64.rpm |