1255502 – Docker build fails when pulling image from repository

Bug 1255502 - Docker build fails when pulling image from repository

Summary: Docker build fails when pulling image from repository

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	OpenShift Container Platform
Classification:	Red Hat
Component:	Build
Sub Component:
Version:	3.0.0
Hardware:	All
OS:	Linux
Priority:	unspecified
Severity:	high
Target Milestone:	---
Target Release:	---
Assignee:	Cesar Wong
QA Contact:	Wenjing Zheng
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2015-08-20 18:35 UTC by Kenny Woodson
Modified:	2015-09-22 19:52 UTC (History)
CC List:	5 users (show)
Fixed In Version:	openshift-3.0.1.900-0.git.251.56c53fd.el7ose.x86_64
Doc Type:	Bug Fix
Doc Text:	Cause: Docker client libraries needed to be updated. Consequence: OpenShift was unable to import an image from an authenticated v2 registry. Fix: Docker client libraries were updated. Result: OpenShift can now import an image from an authenticated v2 registry.
Clone Of:
Environment:
Last Closed:	2015-09-22 19:52:54 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2015:1835	0	normal	SHIPPED_LIVE	Red Hat OpenShift Enterprise 3.0.2.0 bug fix and enhancement update	2015-09-22 23:52:35 UTC

Description Kenny Woodson 2015-08-20 18:35:13 UTC

Description of problem:
When doing a docker build based on an image from the internal docker registry, the registry responds with the following message:

F0818 16:18:36.664505 1 builder.go:64] Build error: pulling with digest
reference failed from v2 registry

Version-Release number of selected component (if applicable):
openshift-node-3.0.1.0-1.git.525.eddc479.el7ose.x86_64
openshift-master-3.0.1.0-1.git.525.eddc479.el7ose.x86_64
openshift-sdn-ovs-3.0.1.0-1.git.525.eddc479.el7ose.x86_64
openshift-3.0.1.0-1.git.525.eddc479.el7ose.x86_64
tuned-profiles-openshift-node-3.0.1.0-1.git.525.eddc479.el7ose.x86_64

ose-docker-builder:v3.0.1.0
ose-docker-registry:v3.0.1.0

How reproducible:
Very

Steps to Reproduce:
1. Create a Docker file that uses an image. ex. FROM <anyimage>
2. Use oc new-app to create the previous container from step 1.
3. Create a new docker file that references the FROM line with the container from step 1. ex. FROM <image_from_step_1>
4. Use oc new-app to build the container from step 3.
5. Verify the error message, "pulling with digest
reference failed from v2 registry"

Actual results:
Builds fail when building containers based on images already in the registry.

Expected results:
Builds should succeed when building containers based on containers that are in the internal v3 docker registry.

Additional info:
We ran into this issue when building a few containers for our monitoring solution. We debugged this issue and according to Cesar,

"I found the issue is a Docker bug that seems to have been introduced in 1.7.1. The problem seems to be in the parsing of a Dockerfile FROM spec that includes a SHA digest. The lookup into the auth config map fails (most likely because it's not handling the ':' in the spec correctly) and then the right credentials are not passed to the registry. This only happens in 'docker build'. Other operations like 'docker pull' work because the credentials are handled differently."

"I found that the Docker issue we ran into has been fixed in more recent versions of Docker (starting with 1.8). At least part of the fix went into this commit: https://github.com/docker/docker/commit/02c7bbefb8841e5e86a4b9d467defa668e3ea613 which is tagged with 1.8."

Comment 2 Cesar Wong 2015-08-24 13:12:55 UTC

The issue is with the format of the credential map passed to Docker from the client. It can be reproduced with images that have a sha digest or not. The fix in https://github.com/docker/docker/commit/02c7bbefb8841e5e86a4b9d467defa668e3ea613 should be all that's needed to fix this.

Comment 3 Cesar Wong 2015-09-09 16:10:33 UTC

Fixed with https://github.com/openshift/origin/pull/4535

Comment 5 Johnny Liu 2015-09-11 10:08:03 UTC

Verified this bug with openshift-3.0.1.900-0.git.185.2f7757a.el7ose.x86_64, and PASS.


Steps:
1. Create git repo, include a docker file, just like: https://github.com/jianlinliu/docker-build
2. Run "oc new-app https://github.com/jianlinliu/docker-build", this would trigger a docker build, it will push a new docker images into internal docker registry.
$ oc describe po docker-build-1-srs9t|grep "Image"
Image(s):			172.30.241.232:5000/jialiu/docker-build@sha256:0be79715544aebf996f6eae6d719eb1211240d9a82c2cda47abf3ff91f2128f2
3. Create another git repo, include a docker file, that uses docker images generated from step 2 with "FROM 172.30.241.232:5000/jialiu/docker-build@sha256:0be79715544aebf996f6eae6d719eb1211240d9a82c2cda47abf3ff91f2128f", e.g: https://github.com/jianlinliu/docker-build1
4. Run "oc new-app https://github.com/jianlinliu/docker-build1", build and deploy successfully.

$ oc build-logs docker-build1-1
I0911 05:50:27.807942       1 docker.go:202] Cloning source from https://github.com/jianlinliu/docker-build1
Step 0 : FROM 172.30.241.232:5000/jialiu/docker-build@sha256:0be79715544aebf996f6eae6d719eb1211240d9a82c2cda47abf3ff91f2128f2
 ---> 26904fe2c1eb
Step 1 : ADD test /opt/jialiu_test
 ---> 9e06855d6446
<--snip-->

Comment 7 errata-xmlrpc 2015-09-22 19:52:54 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2015:1835

Note You need to log in before you can comment on or make changes to this bug.