Bug 1464188

Summary:	docker push on exposed registry url without port results in "unauthorized: authentication required"
Product:	Red Hat Enterprise Linux 7	Reporter:	Steven Walter <stwalter>
Component:	docker	Assignee:	Antonio Murdaca <amurdaca>
Status:	CLOSED ERRATA	QA Contact:	atomic-bugs <atomic-bugs>
Severity:	high	Docs Contact:
Priority:	unspecified
Version:	7.2	CC:	amurdaca, aos-bugs, bingli, dwalsh, kurktchiev, lsm5, lsu, mfojtik, peasters, yinzhou
Target Milestone:	rc	Keywords:	Extras, Reopened
Target Release:	7.2
Hardware:	Unspecified
OS:	Unspecified
Whiteboard:
Fixed In Version:	docker-2:1.12.6-50.git0fdc778	Doc Type:	If docs needed, set a value
Doc Text:		Story Points:	---
Clone Of:		Environment:
Last Closed:	2017-09-05 10:35:14 UTC	Type:	Bug
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:

Description Steven Walter 2017-06-22 15:29:52 UTC

Description of problem:
Secure and expose registry, then push causes "unauthorized: authentication required". If port is on 443, for instance, then running "docker push" should default to trying 443 (if in additional registries in /etc/sysconfig/docker or if specifying https://) or 80 (if in insecure registry or if specifying http://). As it stands this message occurs unless manually specifying the actual port.

Version-Release number of selected component (if applicable):
3.5

How reproducible:
Unconfirmed

Steps to Reproduce:
1. Secure and expose registry
2. docker push registry.cloudapps.example.com/openshift/php:latest

Actual results:
Cannot set persistent booleans, please try as root.
The push refers to a repository [registry.cloudapps.example.com/openshift/php]
95c4fd550d8e: Preparing
b41b282bd373: Preparing
3cb03dc081c0: Preparing
f483edd7a42b: Preparing
f7b626558f10: Preparing
unauthorized: authentication required

Expected results:
Push successful

Additional info:

not sure if this appears only in certain conditions. I documented in a KCS solution https://access.redhat.com/solutions/3090231 -- may be related to upstream issue https://github.com/openshift/origin/issues/12260 and PRs https://github.com/openshift/origin/pull/11391 and https://github.com/openshift/origin/pull/14319

This is a slightly odd user experience, as we should expect that if you specify https, or if it's a known secure registry, that you'd automatically try port 443. Or otherwise it would be good to have a slightly more useful error message.

Or if the above is not able to be modified due to upstream conventions, we can change this to a docs bug to add a quick note in the docs, "On a secured, exposed registry it is required to specify the port"

Comment 1 Oleg Bulatov 2017-06-22 19:14:05 UTC


*** This bug has been marked as a duplicate of bug 1439614 ***

Comment 2 Boris Kurktchiev 2017-06-22 19:21:23 UTC

The above bug is not public, is there some way we can change that so those of us affected by this can keep track of the progress?

Comment 3 Michal Fojtik 2017-06-22 19:24:18 UTC

Copying Oleg from the private bug:

I've found that it was fixed in Docker v17.04.0-ce-rc1:
https://github.com/moby/moby/commit/78a429a97ac110e986c150a57507163dfe223f46
https://github.com/docker/distribution/commit/462bb55c3f05def7f4ddee3c3965f08a25777df9

So we need to wait for docker update to pickup this fix.

Comment 4 Boris Kurktchiev 2017-06-22 19:25:49 UTC

and is it going to be backported to 1.12 since that is what OCP is released with?

Comment 5 Michal Fojtik 2017-06-22 19:29:36 UTC

(In reply to Boris Kurktchiev from comment #4)
> and is it going to be backported to 1.12 since that is what OCP is released
> with?

Dan might know if that is doable (or know a person who can triage it).

Comment 6 Daniel Walsh 2017-06-22 19:45:48 UTC

Either rename this bugzilla to Docker or create a new bug to back port those patches.

Comment 7 Steven Walter 2017-06-22 20:22:23 UTC

Daniel I think this is what you mean

Comment 9 Antonio Murdaca 2017-06-22 20:30:55 UTC

I'm going to backport that patch, assuming assumuing the docker/distribution registry used by openshift has the fix already backported.

Comment 10 Antonio Murdaca 2017-06-22 20:32:43 UTC

Michal could you check if openshift registry has this patch https://github.com/docker/distribution/commit/462bb55c3f05def7f4ddee3c3965f08a25777df9 ?

Comment 11 Antonio Murdaca 2017-06-22 20:37:37 UTC

Patch backported here https://github.com/projectatomic/docker/commit/c87521300a1fbe4acc342e26fdf434f8b49a57f8

Comment 12 Jhon Honce 2017-07-10 22:59:33 UTC

*** Bug 1439614 has been marked as a duplicate of this bug. ***

Comment 14 zhou ying 2017-08-14 02:56:17 UTC

*** Bug 1480499 has been marked as a duplicate of this bug. ***

Comment 15 Luwen Su 2017-08-25 08:50:00 UTC

A similar problem is fine for me, Bug 1472974

Move to verified.

Comment 17 errata-xmlrpc 2017-09-05 10:35:14 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2599

Comment 18 Red Hat Bugzilla 2023-09-14 03:59:41 UTC

The needinfo request[s] on this closed bug have been removed as they have been unresolved for 1000 days