Bug 1344448

Summary: rhel-push-plugin blocking push to non-docker.io registry - confusing messages
Product: Red Hat Enterprise Linux 7
Component: docker
Version: 7.2
Hardware: x86_64
OS: Linux
Status: CLOSED ERRATA
Severity: medium
Priority: unspecified
Target Milestone: rc
Target Release: ---
Keywords: Extras, ZStream
Reporter: Mike Fiedler <mifiedle>
Assignee: Lokesh Mandvekar <lsm5>
QA Contact: atomic-bugs <atomic-bugs>
CC: lsm5, mifiedle, vlaad
Fixed In Version: docker-1.10.3-42.el7
Doc Type: If docs needed, set a value
Last Closed: 2016-06-23 16:19:49 UTC
Type: Bug

Description Mike Fiedler 2016-06-09 17:36:42 UTC
Description of problem:

This is on build 1.10.3-34 (June 8)

I have a private registry configured as an additional registry.   If I try to push my image to the registry without the :latest tag, the push is disallowed, like so:

----------
root@ip-172-31-60-112: ~ # time docker push 172.31.19.47:5000/t2/django-example
Error response from daemon: plugin rhel-push-plugin failed with error: AuthZPlugin.AuthZReq: sha256:51d4d650ec3187482144a57854538433d28f28953692ff4e0c114272874ef3ea is RHEL based (refers to: 172.31.19.47:5000/t2/django-example:latest), please push your image using a tag directly to avoid pushing the RHEL based image
----------

If I add the :latest tag, the push works:

-----------
time docker push 172.31.19.47:5000/t2/django-example:latest
The push refers to a repository [172.31.19.47:5000/t2/django-example]
d12fa38e2a57: Pushed 
a0db5afb18a2: Pushed 
db1eb9183f6f: Pushed 
afafa291bfcc: Pushed 
latest: digest: sha256:0c3a0fc5c205386b86f0b6e96377deb514491737c51b47656462ba09aa22988e size: 1142
----------

The full image (all layers) is pushed to the private registry.

- In the error message, it's clear that the plugin understands that :latest is the image version being pushed - could it allow the push implicitly?   

- In any case, this does not seem to be doing anything to keep the image from being pushed to docker.io.   Following the documentation at https://github.com/projectatomic/rhel-push-plugin, it seems only docker.io pushes should be disallowed.


Version-Release number of selected component (if applicable):  1.10.3-34 (June 8)


How reproducible: Always


Steps to Reproduce:
1.  Install 1.10.3-34 from pre-release RPM repos
2.  Configure an additional private registry
3.  Create an image and tag it for the private registry with version latest.   Example:  docker tag 51d4d650ec31 172.31.19.47:5000/t2/django-example:latest
4.  docker push 172.31.19.47:5000/t2/django-example

Actual results:

Error response from daemon: plugin rhel-push-plugin failed with error: AuthZPlugin.AuthZReq: sha256:51d4d650ec3187482144a57854538433d28f28953692ff4e0c114272874ef3ea is RHEL based (refers to: 172.31.19.47:5000/t2/django-example:latest), please push your image using a tag directly to avoid pushing the RHEL based image


Expected results:

Push allowed if target registry is not docker.io


Additional info:

Comment 1 Mike Fiedler 2016-06-09 17:38:25 UTC
Possibly related to https://bugzilla.redhat.com/show_bug.cgi?id=1343226 where the plugin is blocking pushes of OpenShift builds to the internal registry.

Comment 3 Antonio Murdaca 2016-06-09 20:58:52 UTC
(In reply to Mike Fiedler from comment #0)
> Description of problem:
> 
> This is on build 1.10.3-34 (June 8)
> 
> I have a private registry configured as an additional registry.   If I try
> to push my image to the registry without the :latest tag, the push is
> disallowed, like so:
> 
> ----------
> root@ip-172-31-60-112: ~ # time docker push
> 172.31.19.47:5000/t2/django-example
> Error response from daemon: plugin rhel-push-plugin failed with error:
> AuthZPlugin.AuthZReq:
> sha256:51d4d650ec3187482144a57854538433d28f28953692ff4e0c114272874ef3ea is
> RHEL based (refers to: 172.31.19.47:5000/t2/django-example:latest), please
> push your image using a tag directly to avoid pushing the RHEL based image
> ----------
> 
> If I add the :latest tag, the push works:
> 
> -----------
> time docker push 172.31.19.47:5000/t2/django-example:latest
> The push refers to a repository [172.31.19.47:5000/t2/django-example]
> d12fa38e2a57: Pushed 
> a0db5afb18a2: Pushed 
> db1eb9183f6f: Pushed 
> afafa291bfcc: Pushed 
> latest: digest:
> sha256:0c3a0fc5c205386b86f0b6e96377deb514491737c51b47656462ba09aa22988e
> size: 1142
> ----------
> 
> The full image (all layers) is pushed to the private registry.
> 
> - In the error message, it's clear that the plugin understands that :latest
> is the image version being pushed - could it allow the push implicitly?   
> 

The plugin is just understanding that the image you're trying to push w/o a tag has a tag which is RHEL based, so it's telling you that. One improvement on this is that if there's only 1 tag then block it instantly w/o that error (I have to understand if this is doable though).

> - In any case, this does not seem to be doing anything to keep the image
> from being pushed to docker.io.   Following the documentation at
> https://github.com/projectatomic/rhel-push-plugin, it seems only docker.io
> pushes should be disallowed.

Fixing, this is a bug


Comment 4 Antonio Murdaca 2016-06-10 08:57:28 UTC
Fixed https://github.com/projectatomic/rhel-push-plugin/commit/1a0046fc57606e329223748391d90284f2346565

Lokesh can you rebuild the plugin in RHEL extras?
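
The behaviour the report expects (deny only docker.io pushes of RHEL based images, allow any other registry) can be sketched as follows. This is an added example, not the rhel-push-plugin source or the linked commit; `AllowPush`, `registryOf` and the `rhelBased` input are hypothetical names, and the request URIs are constructed from the commands in the report.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// pushURI matches the Engine API push endpoint; the image name may contain slashes.
var pushURI = regexp.MustCompile(`^(?:/v[0-9.]+)?/images/(.+)/push$`)

// registryOf applies Docker's naming rule: the first path component is a registry
// host only if it contains '.' or ':' or is "localhost"; otherwise it is docker.io.
func registryOf(repo string) string {
	parts := strings.SplitN(repo, "/", 2)
	if len(parts) == 2 && (strings.ContainsAny(parts[0], ".:") || parts[0] == "localhost") {
		return parts[0]
	}
	return "docker.io"
}

// AllowPush decides on one authorization request. rhelBased is an assumed input:
// whether any image the push would send (all tags if none is given) is RHEL based.
func AllowPush(requestURI string, rhelBased bool) (bool, string) {
	u, err := url.Parse(requestURI)
	if err != nil {
		return false, "unparseable request URI" // fail closed
	}
	m := pushURI.FindStringSubmatch(u.Path)
	if m == nil {
		return true, "not a push request"
	}
	reg := registryOf(m[1])
	if reg != "docker.io" && reg != "index.docker.io" {
		return true, "registry " + reg + " is outside the policy"
	}
	if rhelBased {
		return false, "RHEL based image may not be pushed to docker.io"
	}
	return true, "image is not RHEL based"
}

func main() {
	// Constructed request URIs: the private registry from the report, then an unqualified name.
	fmt.Println(AllowPush("/v1.22/images/172.31.19.47:5000/t2/django-example/push", true))
	fmt.Println(AllowPush("/v1.22/images/t2/django-example/push?tag=latest", true))
}
```

The registry check runs before the RHEL check, so an untagged push to a private registry is allowed regardless of which tags the repository name resolves to.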

Comment 6 Mike Fiedler 2016-06-15 00:50:03 UTC
Verified the problem is resolved in the following build:

Client:
 Version:         1.10.3
 API version:     1.22
 Package version: docker-common-1.10.3-42.el7.x86_64
 Go version:      go1.4.2
 Git commit:      02f13c2-unsupported
 Built:           Mon Jun 13 15:22:15 2016
 OS/Arch:         linux/amd64

Server:
 Version:         1.10.3
 API version:     1.22
 Package version: docker-common-1.10.3-42.el7.x86_64
 Go version:      go1.4.2
 Git commit:      02f13c2-unsupported
 Built:           Mon Jun 13 15:22:15 2016
 OS/Arch:         linux/amd64


I am able to push to a private registry without specifying an explicit version tag.

Comment 9 errata-xmlrpc 2016-06-23 16:19:49 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2016:1274