Bug 1255502

Summary: Docker build fails when pulling image from repository
Product: OpenShift Container Platform Reporter: Kenny Woodson <kwoodson>
Component: BuildAssignee: Cesar Wong <cewong>
Status: CLOSED ERRATA QA Contact: Wenjing Zheng <wzheng>
Severity: high Docs Contact:
Priority: unspecified    
Version: 3.0.0CC: jialiu, jkaur, libra-bugs, pruan, xtian
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: openshift-3.0.1.900-0.git.251.56c53fd.el7ose.x86_64 Doc Type: Bug Fix
Doc Text:
Cause: Docker client libraries needed to be updated. Consequence: OpenShift was unable to import an image from an authenticated v2 registry. Fix: Docker client libraries were updated. Result: OpenShift can now import an image from an authenticated v2 registry.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2015-09-22 19:52:54 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Kenny Woodson 2015-08-20 18:35:13 UTC 
Description of problem:
When doing a docker build based on an image from the internal docker registry, the registry responds with the following message:

F0818 16:18:36.664505       1 builder.go:64] Build error: pulling with digest 
reference failed from v2 registry


Version-Release number of selected component (if applicable):
openshift-node-3.0.1.0-1.git.525.eddc479.el7ose.x86_64
openshift-master-3.0.1.0-1.git.525.eddc479.el7ose.x86_64
openshift-sdn-ovs-3.0.1.0-1.git.525.eddc479.el7ose.x86_64
openshift-3.0.1.0-1.git.525.eddc479.el7ose.x86_64
tuned-profiles-openshift-node-3.0.1.0-1.git.525.eddc479.el7ose.x86_64

ose-docker-builder:v3.0.1.0
ose-docker-registry:v3.0.1.0

How reproducible:
Very

Steps to Reproduce:
1. Create a Docker file that uses an image.  ex. FROM <anyimage>
2. Use oc new-app to create the previous container from step 1.
3. Create a new docker file that references the FROM line with the container from step 1. ex. FROM <image_from_step_1>
4. Use oc new-app to build the container from step 3.
5. Verify the error message, "pulling with digest 
reference failed from v2 registry"

Actual results:
Builds fail when building containers based on images already in the registry.

Expected results:
Builds should succeed when building containers based on containers that are in the internal v3 docker registry.

Additional info:
We ran into this issue when building a few containers for our monitoring solution.  We debugged this issue and according to Cesar,

"I found the issue is a Docker bug that seems to have been introduced in 1.7.1. The problem seems to be in the parsing of a Dockerfile FROM spec that includes a SHA digest. The lookup into the auth config map fails (most likely because it's not handling the ':' in the spec correctly) and then the right credentials are not passed to the registry. This only happens in 'docker build'. Other operations like 'docker pull' work because the credentials are handled differently."

"I found that the Docker issue we ran into has been fixed in more recent versions of Docker (starting with 1.8). At least part of the fix went into this commit: https://github.com/docker/docker/commit/02c7bbefb8841e5e86a4b9d467defa668e3ea613 which is tagged with 1.8."
Comment 2 Cesar Wong 2015-08-24 13:12:55 UTC 
The issue is with the format of the credential map passed to Docker from the client. It can be reproduced with images that have a sha digest or not. The fix in https://github.com/docker/docker/commit/02c7bbefb8841e5e86a4b9d467defa668e3ea613 should be all that's needed to fix this.
Comment 3 Cesar Wong 2015-09-09 16:10:33 UTC 
Fixed with https://github.com/openshift/origin/pull/4535
Comment 5 Johnny Liu 2015-09-11 10:08:03 UTC 
Verified this bug with openshift-3.0.1.900-0.git.185.2f7757a.el7ose.x86_64, and PASS.


Steps:
1. Create git repo, include a docker file, just like: https://github.com/jianlinliu/docker-build
2. Run "oc new-app https://github.com/jianlinliu/docker-build", this would trigger a docker build, it will push a new docker images into internal docker registry.
$ oc describe po docker-build-1-srs9t|grep "Image"
Image(s):			172.30.241.232:5000/jialiu/docker-build@sha256:0be79715544aebf996f6eae6d719eb1211240d9a82c2cda47abf3ff91f2128f2
3. Create another git repo, include a docker file, that uses docker images generated from step 2 with "FROM 172.30.241.232:5000/jialiu/docker-build@sha256:0be79715544aebf996f6eae6d719eb1211240d9a82c2cda47abf3ff91f2128f", e.g: https://github.com/jianlinliu/docker-build1
4. Run "oc new-app https://github.com/jianlinliu/docker-build1", build and deploy successfully.

$ oc build-logs docker-build1-1
I0911 05:50:27.807942       1 docker.go:202] Cloning source from https://github.com/jianlinliu/docker-build1
Step 0 : FROM 172.30.241.232:5000/jialiu/docker-build@sha256:0be79715544aebf996f6eae6d719eb1211240d9a82c2cda47abf3ff91f2128f2
 ---> 26904fe2c1eb
Step 1 : ADD test /opt/jialiu_test
 ---> 9e06855d6446
<--snip-->
Comment 7 errata-xmlrpc 2015-09-22 19:52:54 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2015:1835