1209439 – docker fails to authenticate against additional registries

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1209439 - docker fails to authenticate against additional registries

Summary: docker fails to authenticate against additional registries

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	docker
Sub Component:
Version:	7.1
Hardware:	x86_64
OS:	Linux
Priority:	unspecified
Severity:	high
Target Milestone:	rc
Target Release:	---
Assignee:	Michal Minar
QA Contact:	Luwen Su
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2015-04-07 11:10 UTC by Michal Minar
Modified:	2019-03-06 01:17 UTC (History)
CC List:	6 users (show)
Fixed In Version:	docker-1.5.0-30.el7
Doc Type:	Bug Fix
Doc Text:	Cause: Prevention code against forwarding credentials belonging to other registry than the one being contacted did not cope with urls lacking schema. These are recently being sent by Docker clients. Consequence: All the credentials were thrown away - therefore user couldn't authenticate to any registry except for docker.io. Fix: Docker daemon's credential checking is now more robust. Result: Users can now authenticate against any registry.
Clone Of:
Environment:
Last Closed:	2015-05-12 20:14:35 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)
fix authentication issue (1.54 KB, patch) 2015-04-07 12:39 UTC, Michal Minar	no flags	Details \| Diff
View All

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2015:0993	0	normal	SHIPPED_LIVE	docker bug fix update	2015-05-13 00:14:16 UTC

Description Michal Minar 2015-04-07 11:10:06 UTC

Description of problem:
  Docker cannot authenticate against additional registries.

Version-Release number of selected component (if applicable):
  docker-1.5.0-28.el7

How reproducible:
  ALWAYS

Steps to Reproduce:
1. run daemon with --add-registry=<private>
2. docker login <private>
3. docker pull <private>/<user>/redis

Actual results:
    [root@centos7 ~]# docker login $PRIVATE_REGISTRY
    Login Succeeded

    [root@centos7 ~]# docker pull <private>/<user>/redis
    Trying to pull repository <private>/<user>/redis ... failed
    FATA[0000] Authentication is required.

    [root@centos7 ~]# systemctl status docker.service -l
    docker.service - Docker Application Container Engine
       Loaded: loaded (/usr/lib/systemd/system/docker.service; enabled)
       Active: active (running) since Mon 2015-04-06 20:49:51 MSK; 11min ago
         Docs: http://docs.docker.com
     Main PID: 10923 (docker)
       CGroup: /system.slice/docker.service
               └─10923 /usr/bin/docker -d --selinux-enabled
    Apr 06 21:00:14 centos7.kasured.com docker[10923]: time="2015-04-06T21:00:14+03:00" level="info" msg="-job resolve_repository(<private>/<user>/redis) = OK (0)"
    Apr 06 21:00:14 centos7.kasured.com docker[10923]: time="2015-04-06T21:00:14+03:00" level="info" msg="authConfig does not conform to given endpoint ( != <private>)"
    Apr 06 21:00:14 centos7.kasured.com docker[10923]: Authentication is required.
    Apr 06 21:00:14 centos7.kasured.com docker[10923]: time="2015-04-06T21:00:14+03:00" level="info" msg="-job pull(<private>/<user>/redis, latest) = ERR (1)"

Expected results:
    Repository is pulled.

Comment 2 Michal Minar 2015-04-07 12:39:46 UTC

Created attachment 1011745 [details]
fix authentication issue

Note that this does not fix authentication against additional registries when dealing with unqualified repositories:

  docker -d --add-registry $repo
  docker login $repo
  docker pull user/app

will still fails if $repo requires authentication.

Comment 3 Ashley Penney 2015-04-10 13:47:54 UTC

Has there been any movement on this?  It blows my mind that with RHEL 7.1 (in EC2) I am unable to pull any of my private containers from quay.io without failures.  This seems like a crippling, huge, bug, and it's just sitting here for days.

Comment 4 Michal Minar 2015-04-13 06:48:59 UTC

Fixed in docker-1.5.0-30.el7.
Ashley, does the current build address your issue?

Comment 5 Ashley Penney 2015-04-15 15:55:41 UTC

How would I get access to -30?  In EC2 when I add server-extras it only has -28 currently.  Is there another location for docker I should be pulling from?

Comment 6 Evgeny Rusak 2015-04-22 19:01:34 UTC

One can find the latest docker version in virt7-testing repository. It is version  1.6.0-1.el7 though.

If you do not already have the repo file for this repository you can create it with the contents
[virt7-testing]
name=virt7-testing  
baseurl=http://cbs.centos.org/repos/virt7-testing/x86_64/os/  
enabled=0  
gpgcheck=0 

Later on go ahead and install the latest docker with 
yum --enablerepo=virt7-testing install docker

Meanwhile as the initial reporter of the issue I can verify that I can no longer reproduce the issue against the latest build version.

Login/Logout/Pull/Push are working as expected against the private repo as described in the aforementioned scenario.

Thanks, Evgeny

Comment 8 Luwen Su 2015-05-04 16:09:22 UTC

Reproduced in docker-1.5.0-28 and verified in docker-1.6.0-11.el7.x86_64.
Anyone can refer http://www.dropbit.ch/private-docker-registry-with-nginx-on-centos-7/ to build a private docker-registry that uses https connection.

The key trigger step here is that use #docker login timesu.com(my repo address) instead of #docker login --username=timesu.com --password=$pwd https://timesu.com.

Comment 10 errata-xmlrpc 2015-05-12 20:14:35 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-0993.html

Note You need to log in before you can comment on or make changes to this bug.