Bug 1662088

Summary: Fail to push a new OpenShift release image to docker.io due to authentication error via 'oc adm release new' command
Product: OpenShift Container Platform Reporter: Johnny Liu <jialiu>
Component: ocAssignee: Oleg Bulatov <obulatov>
Status: CLOSED ERRATA QA Contact: Xingxing Xia <xxia>
Severity: medium Docs Contact:
Priority: medium    
Version: 4.1.0CC: aos-bugs, ccoleman, jokerman, mfojtik, mmccomas
Target Milestone: ---Flags: jvallejo: needinfo? (ccoleman)
Target Release: 4.1.0   
Hardware: Unspecified   
OS: Unspecified   
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Cause: `oc adm release new` obtains tokens only with the push scope Consequence: for docker.io this token doesn't allow to push blobs Fix: obtain token with the scopes push and pull Result: new tokens are accepted by docker.io
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-06-04 10:41:27 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description Johnny Liu 2018-12-26 06:02:16 UTC
Description of problem:
See the following details.

Version-Release number of the following components:
# oc version
oc v4.0.0-0.112.0
kubernetes v1.11.0+a81c74aa0a
features: Basic-Auth GSSAPI Kerberos SPNEGO

How reproducible:

Steps to Reproduce:
1. Build a new image and push it to docker.io
# oc adm release new  --from-release=registry.svc.ci.openshift.org/openshift/origin-release:v4.0 --to-image=docker.io/jialiu/newtesting:1 

Actual results:
# oc adm release new  --from-release=registry.svc.ci.openshift.org/openshift/origin-release:v4.0 --to-image=docker.io/jialiu/newtesting:1 
Uploading ... failed
error: errors:
denied: requested access to the resource is denied
unauthorized: authentication required

Expected results:
Failed to push release image to docker.io due to authentication error.

Additional info:
1. I tried `docker tag/push` image to docker.io. it is completed successfully.
2. mirror a release image successfully.
# oc --loglevel=9 adm release mirror --from=registry.svc.ci.openshift.org/openshift/origin-release:v4.0 --to-release-image=docker.io/jialiu/mirrortesting:1 --to=docker.io/jialiu/mirrortesting
3. I run the same commands with --loglevel=9 to capture the log, attach the log later.

Comment 2 Juan Vallejo 2019-01-07 23:12:29 UTC
Can you make sure that you are authenticated to both the docker.io registry as well as the "registry.svc.ci.openshift.org" registry (via the `docker login` command)?
Adding Clayton for further information he may have.

Comment 4 Johnny Liu 2019-01-08 01:57:42 UTC
(In reply to Juan Vallejo from comment #2)
> Can you make sure that you are authenticated to both the docker.io registry
> as well as the "registry.svc.ci.openshift.org" registry (via the `docker
> login` command)?
I am sure I am authenticated to docker.io registry. But I have no auth for "registry.svc.ci.openshift.org". And because mirror command is passed, I do not think I have to authenticate  "registry.svc.ci.openshift.org" registry, according to log, the issue might happen at authentication for "docker.io", but docker client have no any authentication issue.

# docker push docker.io/jialiu/newtesting:2
The push refers to a repository [docker.io/jialiu/newtesting]
8a788232037e: Mounted from jialiu/my 
2: digest: sha256:915f390a8912e16d4beb8689720a17348f3f6d1a7b659697df850ab625ea29d5 size: 527

Comment 5 Juan Vallejo 2019-02-04 22:59:08 UTC
Origin PR: https://github.com/openshift/origin/pull/21965

Comment 7 Oleg Bulatov 2019-02-20 13:57:11 UTC
The fix was merged 3 days ago.

Comment 9 Johnny Liu 2019-02-21 09:16:58 UTC
Verified this bug with oc v4.0.0-0.177.0, and PASS.

# oc adm release new  --from-release=registry.svc.ci.openshift.org/openshift/origin-release:v4.0 --to-image=docker.io/jialiu/newtesting:3
info: Found 70 images in release
info: Manifests will be extracted to /tmp/release-image-0.0.1-2019-02-21-091420559773594
Loading manifests from service-serving-cert-signer: sha256:a792c98d39e33a119c98300e4179891ffa593036213eda7fedb7625557cc0f8a ...
Uploading ... 36.34kB/s
Uploading 975B ...
Uploading 75.83MB ...
Uploading 471B ...
Uploading 7.495MB ...
Uploading 10.64MB ...
Pushed image sha256:aa6e3f171ef96c149a5e128af247af7507bc214c08593735f14820ce93712cc4 to docker.io/jialiu/newtesting:3
Built release image from 26 operators

Comment 12 errata-xmlrpc 2019-06-04 10:41:27 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.