Bug 1344448 - rhel-push-plugin blocking push to non-docker.io registry - confusing messages
Summary: rhel-push-plugin blocking push to non-docker.io registry - confusing messages
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: docker
Version: 7.2
Hardware: x86_64
OS: Linux
unspecified
medium
Target Milestone: rc
Assignee: Lokesh Mandvekar
QA Contact: atomic-bugs@redhat.com
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2016-06-09 17:36 UTC by Mike Fiedler
Modified: 2019-03-06 01:23 UTC (History)

Fixed In Version: docker-1.10.3-42.el7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-06-23 16:19:49 UTC
Target Upstream Version:
Embargoed:


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2016:1274 0 normal SHIPPED_LIVE docker bug fix and enhancement update 2016-06-23 20:12:28 UTC

Description Mike Fiedler 2016-06-09 17:36:42 UTC
Description of problem:

This is on build 1.10.3-34 (June 8)

I have a private registry configured as an additional registry.   If I try to push my image to the registry without the :latest tag, the push is disallowed, like so:

----------
root@ip-172-31-60-112: ~ # time docker push 172.31.19.47:5000/t2/django-example
Error response from daemon: plugin rhel-push-plugin failed with error: AuthZPlugin.AuthZReq: sha256:51d4d650ec3187482144a57854538433d28f28953692ff4e0c114272874ef3ea is RHEL based (refers to: 172.31.19.47:5000/t2/django-example:latest), please push your image using a tag directly to avoid pushing the RHEL based image
----------

If I add the :latest tag, the push works:

-----------
time docker push 172.31.19.47:5000/t2/django-example:latest
The push refers to a repository [172.31.19.47:5000/t2/django-example]
d12fa38e2a57: Pushed 
a0db5afb18a2: Pushed 
db1eb9183f6f: Pushed 
afafa291bfcc: Pushed 
latest: digest: sha256:0c3a0fc5c205386b86f0b6e96377deb514491737c51b47656462ba09aa22988e size: 1142
----------

The full image (all layers) is pushed to the private registry.

- In the error message, it's clear that the plugin understands that :latest is the image version being pushed - could it allow the push implicitly?   

- In any case, this does not seem to be doing anything to keep the image from being pushed to docker.io.   Following the documentation at https://github.com/projectatomic/rhel-push-plugin, it seems only docker.io pushes should be disallowed.


Version-Release number of selected component (if applicable):  1.10.3-34 (June 8)


How reproducible: Always


Steps to Reproduce:
1.  Install 1.10.3-34 from pre-release RPM repos
2.  Configure an additional private registry
3.  Create an image and tag it for the private registry with version latest.   Example:  docker tag 51d4d650ec31 172.31.19.47:5000/t2/django-example:latest
4.  docker push 172.31.19.47:5000/t2/django-example

Actual results:

Error response from daemon: plugin rhel-push-plugin failed with error: AuthZPlugin.AuthZReq: sha256:51d4d650ec3187482144a57854538433d28f28953692ff4e0c114272874ef3ea is RHEL based (refers to: 172.31.19.47:5000/t2/django-example:latest), please push your image using a tag directly to avoid pushing the RHEL based image


Expected results:

Push allowed if target registry is not docker.io


Additional info:

Comment 1 Mike Fiedler 2016-06-09 17:38:25 UTC
Possibly related to https://bugzilla.redhat.com/show_bug.cgi?id=1343226 where the plugin is blocking pushes of OpenShift builds to the internal registry.

Comment 3 Antonio Murdaca 2016-06-09 20:58:52 UTC
(In reply to Mike Fiedler from comment #0)
> Description of problem:
> 
> This is on build 1.10.3-34 (June 8)
> 
> I have a private registry configured as an additional registry.   If I try
> to push my image to the registry without the :latest tag, the push is
> disallowed, like so:
> 
> ----------
> root@ip-172-31-60-112: ~ # time docker push
> 172.31.19.47:5000/t2/django-example
> Error response from daemon: plugin rhel-push-plugin failed with error:
> AuthZPlugin.AuthZReq:
> sha256:51d4d650ec3187482144a57854538433d28f28953692ff4e0c114272874ef3ea is
> RHEL based (refers to: 172.31.19.47:5000/t2/django-example:latest), please
> push your image using a tag directly to avoid pushing the RHEL based image
> ----------
> 
> If I add the :latest tag, the push works:
> 
> -----------
> time docker push 172.31.19.47:5000/t2/django-example:latest
> The push refers to a repository [172.31.19.47:5000/t2/django-example]
> d12fa38e2a57: Pushed 
> a0db5afb18a2: Pushed 
> db1eb9183f6f: Pushed 
> afafa291bfcc: Pushed 
> latest: digest:
> sha256:0c3a0fc5c205386b86f0b6e96377deb514491737c51b47656462ba09aa22988e
> size: 1142
> ----------
> 
> The full image (all layers) is pushed to the private registry.
> 
> - In the error message, it's clear that the plugin understands that :latest
> is the image version being pushed - could it allow the push implicitly?   
> 

The plugin is just understanding that the image you're trying to push w/o a tag has a tag which is RHEL based so it's telling you that. One improvement on this is that if there's only 1 tag then block it instantly w/o that error (I have to understand if this is doable though).

> - In any case, this does not seem to be doing anything to keep the image
> from being pushed to docker.io.   Following the documentation at
> https://github.com/projectatomic/rhel-push-plugin, it seems only docker.io
> pushes should be disallowed.

Fixing, this is a bug

> 
> 
> Version-Release number of selected component (if applicable):  1.10.3-34
> (June 8)
> 
> 
> How reproducible: Always
> 
> 
> Steps to Reproduce:
> 1.  Install 1.10.3-34 from pre-release RPM repos
> 2.  Configure an additional private registry
> 3.  Create an image and tag it for the private registry with version latest.
> Example:  docker tag 51d4d650ec31 172.31.19.47:5000/t2/django-example:latest
> 4.  docker push 172.31.19.47:5000/t2/django-example
> 
> Actual results:
> 
> Error response from daemon: plugin rhel-push-plugin failed with error:
> AuthZPlugin.AuthZReq:
> sha256:51d4d650ec3187482144a57854538433d28f28953692ff4e0c114272874ef3ea is
> RHEL based (refers to: 172.31.19.47:5000/t2/django-example:latest), please
> push your image using a tag directly to avoid pushing the RHEL based image
> 
> 
> Expected results:
> 
> Push allowed if target registry is not docker.io
> 
> 
> Additional info:

Comment 4 Antonio Murdaca 2016-06-10 08:57:28 UTC
Fixed https://github.com/projectatomic/rhel-push-plugin/commit/1a0046fc57606e329223748391d90284f2346565

Lokesh can you rebuild the plugin in RHEL extras?
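
The expected behaviour discussed in this report (deny a push of a RHEL based image only when the target registry is docker.io, and treat a reference without a tag as :latest) can be sketched as follows. This is an added example, not the rhel-push-plugin code or the linked commit; `parseRef`, `allowPush` and the `rhelBased` input are hypothetical names, and digest (`@sha256:`) references are out of scope.

```go
package main

import (
	"fmt"
	"strings"
)

// Added example with hypothetical names; not rhel-push-plugin's own code.
// Ref is an image reference split into the parts the policy needs.
type Ref struct{ Registry, Repo, Tag string }

// parseRef applies Docker's reference defaults: the first path component is a
// registry only if it contains '.' or ':' or equals "localhost"; otherwise the
// registry is docker.io. A missing tag means "latest".
func parseRef(s string) Ref {
	r := Ref{Registry: "docker.io", Repo: s, Tag: "latest"}
	if i := strings.Index(s, "/"); i >= 0 {
		first := s[:i]
		if strings.ContainsAny(first, ".:") || first == "localhost" {
			r.Registry, r.Repo = first, s[i+1:]
		}
	}
	// Look for a tag only after the last '/', so a ':' earlier in the
	// path is never mistaken for the tag separator.
	slash := strings.LastIndex(r.Repo, "/")
	if c := strings.LastIndex(r.Repo, ":"); c > slash {
		r.Repo, r.Tag = r.Repo[:c], r.Repo[c+1:]
	}
	return r
}

// allowPush denies only when the image is RHEL based AND the target is docker.io.
func allowPush(ref string, rhelBased bool) (bool, string) {
	r := parseRef(ref)
	if rhelBased && (r.Registry == "docker.io" || r.Registry == "index.docker.io") {
		return false, fmt.Sprintf("%s:%s is RHEL based; push to %s denied", r.Repo, r.Tag, r.Registry)
	}
	return true, ""
}

func main() {
	for _, ref := range []string{
		"172.31.19.47:5000/t2/django-example",        // reference from this report, no tag
		"172.31.19.47:5000/t2/django-example:latest", // same, explicit tag
		"t2/django-example",                          // constructed: no registry, so docker.io
	} {
		ok, why := allowPush(ref, true)
		fmt.Println(ref, ok, why)
	}
}
```

With this policy the tagged and untagged pushes to the private registry get the same answer, because the decision keys on the resolved registry rather than on whether a tag was typed.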

Comment 6 Mike Fiedler 2016-06-15 00:50:03 UTC
Verified the problem is resolved in the following build:

Client:
 Version:         1.10.3
 API version:     1.22
 Package version: docker-common-1.10.3-42.el7.x86_64
 Go version:      go1.4.2
 Git commit:      02f13c2-unsupported
 Built:           Mon Jun 13 15:22:15 2016
 OS/Arch:         linux/amd64

Server:
 Version:         1.10.3
 API version:     1.22
 Package version: docker-common-1.10.3-42.el7.x86_64
 Go version:      go1.4.2
 Git commit:      02f13c2-unsupported
 Built:           Mon Jun 13 15:22:15 2016
 OS/Arch:         linux/amd64


I am able to push to a private registry without specifying an explicit version tag.

Comment 9 errata-xmlrpc 2016-06-23 16:19:49 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2016:1274

