1381736 – 'atomic pull' must use fully-qualified registry name when pulling images

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1381736 - 'atomic pull' must use fully-qualified registry name when pulling images

Summary: 'atomic pull' must use fully-qualified registry name when pulling images

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	atomic
Sub Component:
Version:	7.3
Hardware:	x86_64
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	rc
Target Release:	---
Assignee:	Brent Baude
QA Contact:	atomic-bugs@redhat.com
Docs Contact:	Yoana Ruseva
URL:
Whiteboard:
Depends On:	1389677 1391788
Blocks:
TreeView+	depends on / blocked

Reported:	2016-10-04 20:55 UTC by Micah Abbott
Modified:	2016-12-06 17:42 UTC (History)
CC List:	4 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2016-12-06 17:42:20 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2016:2857	0	normal	SHIPPED_LIVE	atomic bug fix and enhancement update	2016-12-06 22:40:27 UTC

Description Micah Abbott 2016-10-04 20:55:04 UTC

Using atomic-1.12.5-2.el7.x86_64 in RHELAH 7.3

When using 'atomic pull' to pull down docker images, if a user does not use the fully qualified registry name, the operation will fail:

# atomic --debug pull rhel7/cockpit-ws
Image rhel7/cockpit-ws is being pulled to docker ...
ReturnTuple(return_code=1, stdout='', stderr='time="2016-10-04T19:46:31Z" level=fatal msg="error fetching manifest: status code: 401, body: {\\"errors\\":[{\\"code\\":\\"UNAUTHORIZED\\",\\"message\\":\\"authenti
cation required\\",\\"detail\\":[{\\"Type\\":\\"repository\\",\\"Name\\":\\"rhel7/cockpit-ws\\",\\"Action\\":\\"pull\\"}]}]}\\n" \n')
Traceback (most recent call last):
  File "/bin/atomic", line 186, in <module>
    sys.exit(_func())
  File "/usr/lib/python2.7/site-packages/Atomic/pull.py", line 56, in pull_image
    handler()
  File "/usr/lib/python2.7/site-packages/Atomic/pull.py", line 37, in pull_docker_image
    fq_name = skopeo_inspect("{}{}".format(pull_uri, self.args.image))['Name']
  File "/usr/lib/python2.7/site-packages/Atomic/util.py", line 274, in skopeo_inspect
    raise ValueError(results)
ValueError: ReturnTuple(return_code=1, stdout='', stderr='time="2016-10-04T19:46:31Z" level=fatal msg="error fetching manifest: status code: 401, body: {\\"errors\\":[{\\"code\\":\\"UNAUTHORIZED\\",\\"message\\"
:\\"authentication required\\",\\"detail\\":[{\\"Type\\":\\"repository\\",\\"Name\\":\\"rhel7/cockpit-ws\\",\\"Action\\":\\"pull\\"}]}]}\\n" \n')


The correct way is to use the fully qualified registry name, like this:

atomic pull registry.access.redhat.com/rhel7/cockpit-ws

Comment 2 Daniel Walsh 2016-10-10 15:54:36 UTC

Brent is this fixed in atomic-1.13?

Comment 3 Brent Baude 2016-10-10 17:28:51 UTC

Yes it is.  Might be good to get an ack from micah on it.

Comment 4 Daniel Walsh 2016-10-10 17:47:38 UTC

Fixed in atomic-1.13

Comment 6 Alex Jia 2016-11-01 09:30:47 UTC

It works well on my RHEL7.3-RC-3, but it's failed on 7.3.0-3 atomic cloud images. 


1. failure on 7.3.0-3 atomic cloud images

it may be caused by lost /etc/containers/policy.json and /etc/containers/registries.d/default.yaml in cloud images.

[root@atomic-00 cloud-user]# atomic host status
State: idle
Deployments:
● rhel-atomic-host-ostree:rhel-atomic-host/7/x86_64/standard
       Version: 7.3 (2016-10-26 14:24:09)
        Commit: 90c9735becfff1c55c8586ae0f2c904bc0928f042cd4d016e9e0e2edd16e5e97
        OSName: rhel-atomic-host
  GPGSignature: (unsigned)
      Unlocked: development
[root@atomic-00 cloud-user]# cat /etc/redhat-release 
Red Hat Enterprise Linux Atomic Host release 7.3
[root@atomic-00 cloud-user]# atomic host status
State: idle
Deployments:
● rhel-atomic-host-ostree:rhel-atomic-host/7/x86_64/standard
       Version: 7.3 (2016-10-26 14:24:09)
        Commit: 90c9735becfff1c55c8586ae0f2c904bc0928f042cd4d016e9e0e2edd16e5e97
        OSName: rhel-atomic-host
  GPGSignature: (unsigned)
      Unlocked: development
[root@atomic-00 cloud-user]# rpm -q atomic skopeo
atomic-1.13.5-1.el7.x86_64
skopeo-0.1.17-0.5.git1f655f3.el7.x86_64

[root@atomic-00 cloud-user]# atomic --debug pull rhel7/cockpit-ws
Image rhel7/cockpit-ws is being pulled to docker ...
[
    {
        "search": true,
        "hostname": "registry-1.docker.io",
        "name": "docker.io",
        "secure": true
    },
    {
        "search": true,
        "hostname": "registry.access.redhat.com",
        "name": "registry.access.redhat.com",
        "secure": true
    },
    {
        "search": false,
        "hostname": "10.73.73.33:5000",
        "name": "10.73.73.33:5000",
        "secure": false
    }
]
Trying docker.io/rhel7/cockpit-ws:latest
URL: https://registry-1.docker.io/v2/
GET_URL: https://registry-1.docker.io/v2/
GET_HEADER: {'Accept': '[application/vnd.oci.image.manifest.v1+json,application/vnd.docker.distribution.manifest.v2+json,application/vnd.docker.distribution.manifest.v1+prettyjws,application/vnd.docker.distribution.manifest.v1+json]'}
GET_VERIFY: True
Set token_scope to repository:rhel7/cockpit-ws:pull
URL: http://registry-1.docker.io/v2/
GET_URL: https://auth.docker.io/token?service=registry.docker.io&scope=repository:rhel7/cockpit-ws:pull
GET_HEADER: {'Accept': '[application/vnd.oci.image.manifest.v1+json,application/vnd.docker.distribution.manifest.v2+json,application/vnd.docker.distribution.manifest.v1+prettyjws,application/vnd.docker.distribution.manifest.v1+json]'}
GET_VERIFY: True
Set token to eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCIsIng1YyI6WyJNSUlDTHpDQ0FkU2dBd0lCQWdJQkFEQUtCZ2dxaGtqT1BRUURBakJHTVVRd1FnWURWUVFERXp0Uk5Gb3pPa2RYTjBrNldGUlFSRHBJVFRSUk9rOVVWRmc2TmtGRlF6cFNUVE5ET2tGU01rTTZUMFkzTnpwQ1ZrVkJPa2xHUlVrNlExazFTekFlRncweE5qQTFNekV5TXpVNE5UZGFGdzB4TnpBMU16RXlNelU0TlRkYU1FWXhSREJDQmdOVkJBTVRPMUV6UzFRNlFqSkpNenBhUjFoT09qSlhXRTA2UTBWWFF6cFVNMHhPT2tvMlYxWTZNbGsyVHpwWlFWbEpPbGhQVTBRNlZFUlJTVG8wVWtwRE1Ga3dFd1lIS29aSXpqMENBUVlJS29aSXpqMERBUWNEUWdBRVo0NkVLV3VKSXhxOThuUC9GWEU3U3VyOXlkZ3c3K2FkcndxeGlxN004VHFUa0N0dzBQZm1SS2VLdExwaXNTRFU4LzZseWZ3QUFwZWh6SHdtWmxZR2dxT0JzakNCcnpBT0JnTlZIUThCQWY4RUJBTUNCNEF3RHdZRFZSMGxCQWd3QmdZRVZSMGxBREJFQmdOVkhRNEVQUVE3VVROTFZEcENNa2t6T2xwSFdFNDZNbGRZVFRwRFJWZERPbFF6VEU0NlNqWlhWam95V1RaUE9sbEJXVWs2V0U5VFJEcFVSRkZKT2pSU1NrTXdSZ1lEVlIwakJEOHdQWUE3VVRSYU16cEhWemRKT2xoVVVFUTZTRTAwVVRwUFZGUllPalpCUlVNNlVrMHpRenBCVWpKRE9rOUdOemM2UWxaRlFUcEpSa1ZKT2tOWk5Vc3dDZ1lJS29aSXpqMEVBd0lEU1FBd1JnSWhBTzYxSWloN1FUcHNTMFFIYUNwTDFZTWNMMnZXZlNydlhHbHpSRDEwN2NRUEFpRUFtZXduelNYRHplRGxqcDc4T1NsTFFzbnROYWM5eHRyYW0xU0kxY0ZXQ2tJPSJdfQ.eyJhY2Nlc3MiOltdLCJhdWQiOiJyZWdpc3RyeS5kb2NrZXIuaW8iLCJleHAiOjE0Nzc5OTIzNzAsImlhdCI6MTQ3Nzk5MjA3MCwiaXNzIjoiYXV0aC5kb2NrZXIuaW8iLCJqdGkiOiI4aWNmSDM5MHV3YjdMWEMzY3h3ViIsIm5iZiI6MTQ3Nzk5MjA3MCwic3ViIjoiIn0.05B9FKShqd7wcEete2i_s-pw4A6bUYH6pmgiUGCVB5CuEPyRqkcHYo0BOV_E45JtNd3VwD2uqERCGcWVt2qHWg
GET_URL: http://registry-1.docker.io/v2/
GET_HEADER: {'Authorization': 'Bearer eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCIsIng1YyI6WyJNSUlDTHpDQ0FkU2dBd0lCQWdJQkFEQUtCZ2dxaGtqT1BRUURBakJHTVVRd1FnWURWUVFERXp0Uk5Gb3pPa2RYTjBrNldGUlFSRHBJVFRSUk9rOVVWRmc2TmtGRlF6cFNUVE5ET2tGU01rTTZUMFkzTnpwQ1ZrVkJPa2xHUlVrNlExazFTekFlRncweE5qQTFNekV5TXpVNE5UZGFGdzB4TnpBMU16RXlNelU0TlRkYU1FWXhSREJDQmdOVkJBTVRPMUV6UzFRNlFqSkpNenBhUjFoT09qSlhXRTA2UTBWWFF6cFVNMHhPT2tvMlYxWTZNbGsyVHpwWlFWbEpPbGhQVTBRNlZFUlJTVG8wVWtwRE1Ga3dFd1lIS29aSXpqMENBUVlJS29aSXpqMERBUWNEUWdBRVo0NkVLV3VKSXhxOThuUC9GWEU3U3VyOXlkZ3c3K2FkcndxeGlxN004VHFUa0N0dzBQZm1SS2VLdExwaXNTRFU4LzZseWZ3QUFwZWh6SHdtWmxZR2dxT0JzakNCcnpBT0JnTlZIUThCQWY4RUJBTUNCNEF3RHdZRFZSMGxCQWd3QmdZRVZSMGxBREJFQmdOVkhRNEVQUVE3VVROTFZEcENNa2t6T2xwSFdFNDZNbGRZVFRwRFJWZERPbFF6VEU0NlNqWlhWam95V1RaUE9sbEJXVWs2V0U5VFJEcFVSRkZKT2pSU1NrTXdSZ1lEVlIwakJEOHdQWUE3VVRSYU16cEhWemRKT2xoVVVFUTZTRTAwVVRwUFZGUllPalpCUlVNNlVrMHpRenBCVWpKRE9rOUdOemM2UWxaRlFUcEpSa1ZKT2tOWk5Vc3dDZ1lJS29aSXpqMEVBd0lEU1FBd1JnSWhBTzYxSWloN1FUcHNTMFFIYUNwTDFZTWNMMnZXZlNydlhHbHpSRDEwN2NRUEFpRUFtZXduelNYRHplRGxqcDc4T1NsTFFzbnROYWM5eHRyYW0xU0kxY0ZXQ2tJPSJdfQ.eyJhY2Nlc3MiOltdLCJhdWQiOiJyZWdpc3RyeS5kb2NrZXIuaW8iLCJleHAiOjE0Nzc5OTIzNzAsImlhdCI6MTQ3Nzk5MjA3MCwiaXNzIjoiYXV0aC5kb2NrZXIuaW8iLCJqdGkiOiI4aWNmSDM5MHV3YjdMWEMzY3h3ViIsIm5iZiI6MTQ3Nzk5MjA3MCwic3ViIjoiIn0.05B9FKShqd7wcEete2i_s-pw4A6bUYH6pmgiUGCVB5CuEPyRqkcHYo0BOV_E45JtNd3VwD2uqERCGcWVt2qHWg', 'Accept': '[application/vnd.oci.image.manifest.v1+json,application/vnd.docker.distribution.manifest.v2+json,application/vnd.docker.distribution.manifest.v1+prettyjws,application/vnd.docker.distribution.manifest.v1+json]'}
GET_VERIFY: True
URL: http://registry-1.docker.io/v2/
GET_URL: http://registry-1.docker.io/v2/
GET_HEADER: {'Authorization': 'Bearer eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCIsIng1YyI6WyJNSUlDTHpDQ0FkU2dBd0lCQWdJQkFEQUtCZ2dxaGtqT1BRUURBakJHTVVRd1FnWURWUVFERXp0Uk5Gb3pPa2RYTjBrNldGUlFSRHBJVFRSUk9rOVVWRmc2TmtGRlF6cFNUVE5ET2tGU01rTTZUMFkzTnpwQ1ZrVkJPa2xHUlVrNlExazFTekFlRncweE5qQTFNekV5TXpVNE5UZGFGdzB4TnpBMU16RXlNelU0TlRkYU1FWXhSREJDQmdOVkJBTVRPMUV6UzFRNlFqSkpNenBhUjFoT09qSlhXRTA2UTBWWFF6cFVNMHhPT2tvMlYxWTZNbGsyVHpwWlFWbEpPbGhQVTBRNlZFUlJTVG8wVWtwRE1Ga3dFd1lIS29aSXpqMENBUVlJS29aSXpqMERBUWNEUWdBRVo0NkVLV3VKSXhxOThuUC9GWEU3U3VyOXlkZ3c3K2FkcndxeGlxN004VHFUa0N0dzBQZm1SS2VLdExwaXNTRFU4LzZseWZ3QUFwZWh6SHdtWmxZR2dxT0JzakNCcnpBT0JnTlZIUThCQWY4RUJBTUNCNEF3RHdZRFZSMGxCQWd3QmdZRVZSMGxBREJFQmdOVkhRNEVQUVE3VVROTFZEcENNa2t6T2xwSFdFNDZNbGRZVFRwRFJWZERPbFF6VEU0NlNqWlhWam95V1RaUE9sbEJXVWs2V0U5VFJEcFVSRkZKT2pSU1NrTXdSZ1lEVlIwakJEOHdQWUE3VVRSYU16cEhWemRKT2xoVVVFUTZTRTAwVVRwUFZGUllPalpCUlVNNlVrMHpRenBCVWpKRE9rOUdOemM2UWxaRlFUcEpSa1ZKT2tOWk5Vc3dDZ1lJS29aSXpqMEVBd0lEU1FBd1JnSWhBTzYxSWloN1FUcHNTMFFIYUNwTDFZTWNMMnZXZlNydlhHbHpSRDEwN2NRUEFpRUFtZXduelNYRHplRGxqcDc4T1NsTFFzbnROYWM5eHRyYW0xU0kxY0ZXQ2tJPSJdfQ.eyJhY2Nlc3MiOltdLCJhdWQiOiJyZWdpc3RyeS5kb2NrZXIuaW8iLCJleHAiOjE0Nzc5OTIzNzAsImlhdCI6MTQ3Nzk5MjA3MCwiaXNzIjoiYXV0aC5kb2NrZXIuaW8iLCJqdGkiOiI4aWNmSDM5MHV3YjdMWEMzY3h3ViIsIm5iZiI6MTQ3Nzk5MjA3MCwic3ViIjoiIn0.05B9FKShqd7wcEete2i_s-pw4A6bUYH6pmgiUGCVB5CuEPyRqkcHYo0BOV_E45JtNd3VwD2uqERCGcWVt2qHWg', 'Accept': '[application/vnd.oci.image.manifest.v1+json,application/vnd.docker.distribution.manifest.v2+json,application/vnd.docker.distribution.manifest.v1+prettyjws,application/vnd.docker.distribution.manifest.v1+json]'}
GET_VERIFY: True
GET_URL: http://registry-1.docker.io/v2/rhel7/cockpit-ws/manifests/latest
GET_HEADER: {'Authorization': 'Bearer eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCIsIng1YyI6WyJNSUlDTHpDQ0FkU2dBd0lCQWdJQkFEQUtCZ2dxaGtqT1BRUURBakJHTVVRd1FnWURWUVFERXp0Uk5Gb3pPa2RYTjBrNldGUlFSRHBJVFRSUk9rOVVWRmc2TmtGRlF6cFNUVE5ET2tGU01rTTZUMFkzTnpwQ1ZrVkJPa2xHUlVrNlExazFTekFlRncweE5qQTFNekV5TXpVNE5UZGFGdzB4TnpBMU16RXlNelU0TlRkYU1FWXhSREJDQmdOVkJBTVRPMUV6UzFRNlFqSkpNenBhUjFoT09qSlhXRTA2UTBWWFF6cFVNMHhPT2tvMlYxWTZNbGsyVHpwWlFWbEpPbGhQVTBRNlZFUlJTVG8wVWtwRE1Ga3dFd1lIS29aSXpqMENBUVlJS29aSXpqMERBUWNEUWdBRVo0NkVLV3VKSXhxOThuUC9GWEU3U3VyOXlkZ3c3K2FkcndxeGlxN004VHFUa0N0dzBQZm1SS2VLdExwaXNTRFU4LzZseWZ3QUFwZWh6SHdtWmxZR2dxT0JzakNCcnpBT0JnTlZIUThCQWY4RUJBTUNCNEF3RHdZRFZSMGxCQWd3QmdZRVZSMGxBREJFQmdOVkhRNEVQUVE3VVROTFZEcENNa2t6T2xwSFdFNDZNbGRZVFRwRFJWZERPbFF6VEU0NlNqWlhWam95V1RaUE9sbEJXVWs2V0U5VFJEcFVSRkZKT2pSU1NrTXdSZ1lEVlIwakJEOHdQWUE3VVRSYU16cEhWemRKT2xoVVVFUTZTRTAwVVRwUFZGUllPalpCUlVNNlVrMHpRenBCVWpKRE9rOUdOemM2UWxaRlFUcEpSa1ZKT2tOWk5Vc3dDZ1lJS29aSXpqMEVBd0lEU1FBd1JnSWhBTzYxSWloN1FUcHNTMFFIYUNwTDFZTWNMMnZXZlNydlhHbHpSRDEwN2NRUEFpRUFtZXduelNYRHplRGxqcDc4T1NsTFFzbnROYWM5eHRyYW0xU0kxY0ZXQ2tJPSJdfQ.eyJhY2Nlc3MiOltdLCJhdWQiOiJyZWdpc3RyeS5kb2NrZXIuaW8iLCJleHAiOjE0Nzc5OTIzNzAsImlhdCI6MTQ3Nzk5MjA3MCwiaXNzIjoiYXV0aC5kb2NrZXIuaW8iLCJqdGkiOiI4aWNmSDM5MHV3YjdMWEMzY3h3ViIsIm5iZiI6MTQ3Nzk5MjA3MCwic3ViIjoiIn0.05B9FKShqd7wcEete2i_s-pw4A6bUYH6pmgiUGCVB5CuEPyRqkcHYo0BOV_E45JtNd3VwD2uqERCGcWVt2qHWg', 'Accept': '[application/vnd.oci.image.manifest.v1+json,application/vnd.docker.distribution.manifest.v2+json,application/vnd.docker.distribution.manifest.v1+prettyjws,application/vnd.docker.distribution.manifest.v1+json]'}
GET_VERIFY: True
Trying registry.access.redhat.com/rhel7/cockpit-ws:latest
URL: https://registry.access.redhat.com/v2/
GET_URL: https://registry.access.redhat.com/v2/
GET_HEADER: {'Accept': '[application/vnd.oci.image.manifest.v1+json,application/vnd.docker.distribution.manifest.v2+json,application/vnd.docker.distribution.manifest.v1+prettyjws,application/vnd.docker.distribution.manifest.v1+json]'}
GET_VERIFY: True
GET_URL: https://registry.access.redhat.com/v2/rhel7/cockpit-ws/manifests/latest
GET_HEADER: {'Accept': '[application/vnd.oci.image.manifest.v1+json,application/vnd.docker.distribution.manifest.v2+json,application/vnd.docker.distribution.manifest.v1+prettyjws,application/vnd.docker.distribution.manifest.v1+json]'}
GET_VERIFY: True
argument of type 'NoneType' is not iterable
Traceback (most recent call last):
  File "/bin/atomic", line 186, in <module>
    sys.exit(_func())
  File "/usr/lib/python2.7/site-packages/Atomic/pull.py", line 65, in pull_image
    handler()
  File "/usr/lib/python2.7/site-packages/Atomic/pull.py", line 49, in pull_docker_image
    trust.discover_sigstore(fq_name)
  File "/usr/lib/python2.7/site-packages/Atomic/trust.py", line 282, in discover_sigstore
    if not scope in registry_configs:
TypeError: argument of type 'NoneType' is not iterable



2. works well in RHEL7.3-RC-3

[root@bootp-73-3-203 ~]# cat /etc/redhat-release 
Red Hat Enterprise Linux Server release 7.3 (Maipo)

[root@bootp-73-3-203 ~]# rpm -q atomic skopeo
atomic-1.13.5-1.el7.x86_64
skopeo-0.1.17-0.5.git1f655f3.el7.x86_64


[root@bootp-73-3-203 ~]# atomic --debug pull rhel7/cockpit-ws
Image rhel7/cockpit-ws is being pulled to docker ...
[
    {
        "search": true,
        "hostname": "registry-1.docker.io",
        "name": "docker.io",
        "secure": true
    },
    {
        "search": true,
        "hostname": "registry.access.redhat.com",
        "name": "registry.access.redhat.com",
        "secure": true
    },
    {
        "search": false,
        "hostname": "registry.access.stage.redhat.com",
        "name": "registry.access.stage.redhat.com",
        "secure": false
    }
]
Trying docker.io/rhel7/cockpit-ws:latest
URL: https://registry-1.docker.io/v2/
GET_URL: https://registry-1.docker.io/v2/
GET_HEADER: {'Accept': '[application/vnd.oci.image.manifest.v1+json,application/vnd.docker.distribution.manifest.v2+json,application/vnd.docker.distribution.manifest.v1+prettyjws,application/vnd.docker.distribution.manifest.v1+json]'}
GET_VERIFY: True
Set token_scope to repository:rhel7/cockpit-ws:pull
URL: http://registry-1.docker.io/v2/
GET_URL: https://auth.docker.io/token?service=registry.docker.io&scope=repository:rhel7/cockpit-ws:pull
GET_HEADER: {'Accept': '[application/vnd.oci.image.manifest.v1+json,application/vnd.docker.distribution.manifest.v2+json,application/vnd.docker.distribution.manifest.v1+prettyjws,application/vnd.docker.distribution.manifest.v1+json]'}
GET_VERIFY: True
Set token to eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCIsIng1YyI6WyJNSUlDTHpDQ0FkU2dBd0lCQWdJQkFEQUtCZ2dxaGtqT1BRUURBakJHTVVRd1FnWURWUVFERXp0Uk5Gb3pPa2RYTjBrNldGUlFSRHBJVFRSUk9rOVVWRmc2TmtGRlF6cFNUVE5ET2tGU01rTTZUMFkzTnpwQ1ZrVkJPa2xHUlVrNlExazFTekFlRncweE5qQTFNekV5TXpVNE5UZGFGdzB4TnpBMU16RXlNelU0TlRkYU1FWXhSREJDQmdOVkJBTVRPMUV6UzFRNlFqSkpNenBhUjFoT09qSlhXRTA2UTBWWFF6cFVNMHhPT2tvMlYxWTZNbGsyVHpwWlFWbEpPbGhQVTBRNlZFUlJTVG8wVWtwRE1Ga3dFd1lIS29aSXpqMENBUVlJS29aSXpqMERBUWNEUWdBRVo0NkVLV3VKSXhxOThuUC9GWEU3U3VyOXlkZ3c3K2FkcndxeGlxN004VHFUa0N0dzBQZm1SS2VLdExwaXNTRFU4LzZseWZ3QUFwZWh6SHdtWmxZR2dxT0JzakNCcnpBT0JnTlZIUThCQWY4RUJBTUNCNEF3RHdZRFZSMGxCQWd3QmdZRVZSMGxBREJFQmdOVkhRNEVQUVE3VVROTFZEcENNa2t6T2xwSFdFNDZNbGRZVFRwRFJWZERPbFF6VEU0NlNqWlhWam95V1RaUE9sbEJXVWs2V0U5VFJEcFVSRkZKT2pSU1NrTXdSZ1lEVlIwakJEOHdQWUE3VVRSYU16cEhWemRKT2xoVVVFUTZTRTAwVVRwUFZGUllPalpCUlVNNlVrMHpRenBCVWpKRE9rOUdOemM2UWxaRlFUcEpSa1ZKT2tOWk5Vc3dDZ1lJS29aSXpqMEVBd0lEU1FBd1JnSWhBTzYxSWloN1FUcHNTMFFIYUNwTDFZTWNMMnZXZlNydlhHbHpSRDEwN2NRUEFpRUFtZXduelNYRHplRGxqcDc4T1NsTFFzbnROYWM5eHRyYW0xU0kxY0ZXQ2tJPSJdfQ.eyJhY2Nlc3MiOltdLCJhdWQiOiJyZWdpc3RyeS5kb2NrZXIuaW8iLCJleHAiOjE0Nzc5OTE4NDMsImlhdCI6MTQ3Nzk5MTU0MywiaXNzIjoiYXV0aC5kb2NrZXIuaW8iLCJqdGkiOiIzaDdZQzJVbWgzNGRXNWpXUW5QSyIsIm5iZiI6MTQ3Nzk5MTU0Mywic3ViIjoiIn0.qZnjcTTNA0HYvhbMMtqZOL6wgJYTLaiZfb2sT1mHG7VKU8KNcNolVPxczagLFPKwE0wJl8K8nkp5UX6X0ff_zw
GET_URL: http://registry-1.docker.io/v2/
GET_HEADER: {'Authorization': 'Bearer eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCIsIng1YyI6WyJNSUlDTHpDQ0FkU2dBd0lCQWdJQkFEQUtCZ2dxaGtqT1BRUURBakJHTVVRd1FnWURWUVFERXp0Uk5Gb3pPa2RYTjBrNldGUlFSRHBJVFRSUk9rOVVWRmc2TmtGRlF6cFNUVE5ET2tGU01rTTZUMFkzTnpwQ1ZrVkJPa2xHUlVrNlExazFTekFlRncweE5qQTFNekV5TXpVNE5UZGFGdzB4TnpBMU16RXlNelU0TlRkYU1FWXhSREJDQmdOVkJBTVRPMUV6UzFRNlFqSkpNenBhUjFoT09qSlhXRTA2UTBWWFF6cFVNMHhPT2tvMlYxWTZNbGsyVHpwWlFWbEpPbGhQVTBRNlZFUlJTVG8wVWtwRE1Ga3dFd1lIS29aSXpqMENBUVlJS29aSXpqMERBUWNEUWdBRVo0NkVLV3VKSXhxOThuUC9GWEU3U3VyOXlkZ3c3K2FkcndxeGlxN004VHFUa0N0dzBQZm1SS2VLdExwaXNTRFU4LzZseWZ3QUFwZWh6SHdtWmxZR2dxT0JzakNCcnpBT0JnTlZIUThCQWY4RUJBTUNCNEF3RHdZRFZSMGxCQWd3QmdZRVZSMGxBREJFQmdOVkhRNEVQUVE3VVROTFZEcENNa2t6T2xwSFdFNDZNbGRZVFRwRFJWZERPbFF6VEU0NlNqWlhWam95V1RaUE9sbEJXVWs2V0U5VFJEcFVSRkZKT2pSU1NrTXdSZ1lEVlIwakJEOHdQWUE3VVRSYU16cEhWemRKT2xoVVVFUTZTRTAwVVRwUFZGUllPalpCUlVNNlVrMHpRenBCVWpKRE9rOUdOemM2UWxaRlFUcEpSa1ZKT2tOWk5Vc3dDZ1lJS29aSXpqMEVBd0lEU1FBd1JnSWhBTzYxSWloN1FUcHNTMFFIYUNwTDFZTWNMMnZXZlNydlhHbHpSRDEwN2NRUEFpRUFtZXduelNYRHplRGxqcDc4T1NsTFFzbnROYWM5eHRyYW0xU0kxY0ZXQ2tJPSJdfQ.eyJhY2Nlc3MiOltdLCJhdWQiOiJyZWdpc3RyeS5kb2NrZXIuaW8iLCJleHAiOjE0Nzc5OTE4NDMsImlhdCI6MTQ3Nzk5MTU0MywiaXNzIjoiYXV0aC5kb2NrZXIuaW8iLCJqdGkiOiIzaDdZQzJVbWgzNGRXNWpXUW5QSyIsIm5iZiI6MTQ3Nzk5MTU0Mywic3ViIjoiIn0.qZnjcTTNA0HYvhbMMtqZOL6wgJYTLaiZfb2sT1mHG7VKU8KNcNolVPxczagLFPKwE0wJl8K8nkp5UX6X0ff_zw', 'Accept': '[application/vnd.oci.image.manifest.v1+json,application/vnd.docker.distribution.manifest.v2+json,application/vnd.docker.distribution.manifest.v1+prettyjws,application/vnd.docker.distribution.manifest.v1+json]'}
GET_VERIFY: True
URL: http://registry-1.docker.io/v2/
GET_URL: http://registry-1.docker.io/v2/
GET_HEADER: {'Authorization': 'Bearer eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCIsIng1YyI6WyJNSUlDTHpDQ0FkU2dBd0lCQWdJQkFEQUtCZ2dxaGtqT1BRUURBakJHTVVRd1FnWURWUVFERXp0Uk5Gb3pPa2RYTjBrNldGUlFSRHBJVFRSUk9rOVVWRmc2TmtGRlF6cFNUVE5ET2tGU01rTTZUMFkzTnpwQ1ZrVkJPa2xHUlVrNlExazFTekFlRncweE5qQTFNekV5TXpVNE5UZGFGdzB4TnpBMU16RXlNelU0TlRkYU1FWXhSREJDQmdOVkJBTVRPMUV6UzFRNlFqSkpNenBhUjFoT09qSlhXRTA2UTBWWFF6cFVNMHhPT2tvMlYxWTZNbGsyVHpwWlFWbEpPbGhQVTBRNlZFUlJTVG8wVWtwRE1Ga3dFd1lIS29aSXpqMENBUVlJS29aSXpqMERBUWNEUWdBRVo0NkVLV3VKSXhxOThuUC9GWEU3U3VyOXlkZ3c3K2FkcndxeGlxN004VHFUa0N0dzBQZm1SS2VLdExwaXNTRFU4LzZseWZ3QUFwZWh6SHdtWmxZR2dxT0JzakNCcnpBT0JnTlZIUThCQWY4RUJBTUNCNEF3RHdZRFZSMGxCQWd3QmdZRVZSMGxBREJFQmdOVkhRNEVQUVE3VVROTFZEcENNa2t6T2xwSFdFNDZNbGRZVFRwRFJWZERPbFF6VEU0NlNqWlhWam95V1RaUE9sbEJXVWs2V0U5VFJEcFVSRkZKT2pSU1NrTXdSZ1lEVlIwakJEOHdQWUE3VVRSYU16cEhWemRKT2xoVVVFUTZTRTAwVVRwUFZGUllPalpCUlVNNlVrMHpRenBCVWpKRE9rOUdOemM2UWxaRlFUcEpSa1ZKT2tOWk5Vc3dDZ1lJS29aSXpqMEVBd0lEU1FBd1JnSWhBTzYxSWloN1FUcHNTMFFIYUNwTDFZTWNMMnZXZlNydlhHbHpSRDEwN2NRUEFpRUFtZXduelNYRHplRGxqcDc4T1NsTFFzbnROYWM5eHRyYW0xU0kxY0ZXQ2tJPSJdfQ.eyJhY2Nlc3MiOltdLCJhdWQiOiJyZWdpc3RyeS5kb2NrZXIuaW8iLCJleHAiOjE0Nzc5OTE4NDMsImlhdCI6MTQ3Nzk5MTU0MywiaXNzIjoiYXV0aC5kb2NrZXIuaW8iLCJqdGkiOiIzaDdZQzJVbWgzNGRXNWpXUW5QSyIsIm5iZiI6MTQ3Nzk5MTU0Mywic3ViIjoiIn0.qZnjcTTNA0HYvhbMMtqZOL6wgJYTLaiZfb2sT1mHG7VKU8KNcNolVPxczagLFPKwE0wJl8K8nkp5UX6X0ff_zw', 'Accept': '[application/vnd.oci.image.manifest.v1+json,application/vnd.docker.distribution.manifest.v2+json,application/vnd.docker.distribution.manifest.v1+prettyjws,application/vnd.docker.distribution.manifest.v1+json]'}
GET_VERIFY: True
GET_URL: http://registry-1.docker.io/v2/rhel7/cockpit-ws/manifests/latest
GET_HEADER: {'Authorization': 'Bearer eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCIsIng1YyI6WyJNSUlDTHpDQ0FkU2dBd0lCQWdJQkFEQUtCZ2dxaGtqT1BRUURBakJHTVVRd1FnWURWUVFERXp0Uk5Gb3pPa2RYTjBrNldGUlFSRHBJVFRSUk9rOVVWRmc2TmtGRlF6cFNUVE5ET2tGU01rTTZUMFkzTnpwQ1ZrVkJPa2xHUlVrNlExazFTekFlRncweE5qQTFNekV5TXpVNE5UZGFGdzB4TnpBMU16RXlNelU0TlRkYU1FWXhSREJDQmdOVkJBTVRPMUV6UzFRNlFqSkpNenBhUjFoT09qSlhXRTA2UTBWWFF6cFVNMHhPT2tvMlYxWTZNbGsyVHpwWlFWbEpPbGhQVTBRNlZFUlJTVG8wVWtwRE1Ga3dFd1lIS29aSXpqMENBUVlJS29aSXpqMERBUWNEUWdBRVo0NkVLV3VKSXhxOThuUC9GWEU3U3VyOXlkZ3c3K2FkcndxeGlxN004VHFUa0N0dzBQZm1SS2VLdExwaXNTRFU4LzZseWZ3QUFwZWh6SHdtWmxZR2dxT0JzakNCcnpBT0JnTlZIUThCQWY4RUJBTUNCNEF3RHdZRFZSMGxCQWd3QmdZRVZSMGxBREJFQmdOVkhRNEVQUVE3VVROTFZEcENNa2t6T2xwSFdFNDZNbGRZVFRwRFJWZERPbFF6VEU0NlNqWlhWam95V1RaUE9sbEJXVWs2V0U5VFJEcFVSRkZKT2pSU1NrTXdSZ1lEVlIwakJEOHdQWUE3VVRSYU16cEhWemRKT2xoVVVFUTZTRTAwVVRwUFZGUllPalpCUlVNNlVrMHpRenBCVWpKRE9rOUdOemM2UWxaRlFUcEpSa1ZKT2tOWk5Vc3dDZ1lJS29aSXpqMEVBd0lEU1FBd1JnSWhBTzYxSWloN1FUcHNTMFFIYUNwTDFZTWNMMnZXZlNydlhHbHpSRDEwN2NRUEFpRUFtZXduelNYRHplRGxqcDc4T1NsTFFzbnROYWM5eHRyYW0xU0kxY0ZXQ2tJPSJdfQ.eyJhY2Nlc3MiOltdLCJhdWQiOiJyZWdpc3RyeS5kb2NrZXIuaW8iLCJleHAiOjE0Nzc5OTE4NDMsImlhdCI6MTQ3Nzk5MTU0MywiaXNzIjoiYXV0aC5kb2NrZXIuaW8iLCJqdGkiOiIzaDdZQzJVbWgzNGRXNWpXUW5QSyIsIm5iZiI6MTQ3Nzk5MTU0Mywic3ViIjoiIn0.qZnjcTTNA0HYvhbMMtqZOL6wgJYTLaiZfb2sT1mHG7VKU8KNcNolVPxczagLFPKwE0wJl8K8nkp5UX6X0ff_zw', 'Accept': '[application/vnd.oci.image.manifest.v1+json,application/vnd.docker.distribution.manifest.v2+json,application/vnd.docker.distribution.manifest.v1+prettyjws,application/vnd.docker.distribution.manifest.v1+json]'}
GET_VERIFY: True
Trying registry.access.redhat.com/rhel7/cockpit-ws:latest
URL: https://registry.access.redhat.com/v2/
GET_URL: https://registry.access.redhat.com/v2/
GET_HEADER: {'Accept': '[application/vnd.oci.image.manifest.v1+json,application/vnd.docker.distribution.manifest.v2+json,application/vnd.docker.distribution.manifest.v1+prettyjws,application/vnd.docker.distribution.manifest.v1+json]'}
GET_VERIFY: True
GET_URL: https://registry.access.redhat.com/v2/rhel7/cockpit-ws/manifests/latest
GET_HEADER: {'Accept': '[application/vnd.oci.image.manifest.v1+json,application/vnd.docker.distribution.manifest.v2+json,application/vnd.docker.distribution.manifest.v1+prettyjws,application/vnd.docker.distribution.manifest.v1+json]'}
GET_VERIFY: True
Pulling registry.access.redhat.com/rhel7/cockpit-ws:latest ...
Executing: /usr/bin/skopeo --debug copy --remove-signatures docker://registry.access.redhat.com/rhel7/cockpit-ws:latest docker-daemon:rhel7/cockpit-ws:latest
DEBU[0000] Using registries.d directory /etc/containers/registries.d for sigstore configuration 
DEBU[0000]  Using "default-docker" configuration        
DEBU[0000]  No signature storage configuration found for registry.access.redhat.com/rhel7/cockpit-ws:latest 
DEBU[0000] IsRunningImageAllowed for image docker:registry.access.redhat.com/rhel7/cockpit-ws:latest 
DEBU[0000]  Using default policy section                
DEBU[0000]  Requirement 0: allowed                      
DEBU[0000] Overall: allowed                             
DEBU[0000] GET https://registry.access.redhat.com/v2/   
DEBU[0001] Ping https://registry.access.redhat.com/v2/ err <nil> 
DEBU[0001] Ping https://registry.access.redhat.com/v2/ status 200 
DEBU[0001] GET https://registry.access.redhat.com/v2/rhel7/cockpit-ws/manifests/latest 
DEBU[0002] Will convert manifest from MIME type application/vnd.docker.distribution.manifest.v1+prettyjws to application/vnd.docker.distribution.manifest.v2+json 
Copying blob sha256:30cf2e26a24f2a8426cbe8444f8af2ecb7023bd468b05c1b6fd0b2797b0f9ff9
DEBU[0002] Downloading rhel7/cockpit-ws/blobs/sha256:30cf2e26a24f2a8426cbe8444f8af2ecb7023bd468b05c1b6fd0b2797b0f9ff9 
DEBU[0002] GET https://registry.access.redhat.com/v2/rhel7/cockpit-ws/blobs/sha256:30cf2e26a24f2a8426cbe8444f8af2ecb7023bd468b05c1b6fd0b2797b0f9ff9 
DEBU[0004] Detected compression format gzip             
 0 B / ? [--------------------------------------------------------------------=]DEBU[0004] Using original blob without modification     
DEBU[0004] docker-daemon: input with unknown size, streaming to disk first… 
 67.72 MB / ? [---------------------------------------------------------------=]DEBU[0038] … streaming done                             
DEBU[0038] Sending as tar file sha256:30cf2e26a24f2a8426cbe8444f8af2ecb7023bd468b05c1b6fd0b2797b0f9ff9 
 67.95 MB / ? [------------------------------------------=--------------------] DEBU[0038] Consuming rest of the original blob to satisfy getOriginalLayerCopyWriter 

DEBU[0038] Computed DiffID sha256:94b2db70f7476c98f4c4a1b7a922136e0c5600d2d74905407ad364dcca2bf852 for layer sha256:30cf2e26a24f2a8426cbe8444f8af2ecb7023bd468b05c1b6fd0b2797b0f9ff9 
Copying blob sha256:99dd41655d8a45c2fb74f9eeb73e327b3ad4796f0ff0d602c575e32e9804baed
DEBU[0038] Downloading rhel7/cockpit-ws/blobs/sha256:99dd41655d8a45c2fb74f9eeb73e327b3ad4796f0ff0d602c575e32e9804baed 
DEBU[0038] GET https://registry.access.redhat.com/v2/rhel7/cockpit-ws/blobs/sha256:99dd41655d8a45c2fb74f9eeb73e327b3ad4796f0ff0d602c575e32e9804baed 
DEBU[0040] Detected compression format gzip             
 0 B / 700 B [-----------------------------------------------------------------]DEBU[0040] Using original blob without modification     
DEBU[0040] Sending as tar file sha256:99dd41655d8a45c2fb74f9eeb73e327b3ad4796f0ff0d602c575e32e9804baed 
DEBU[0040] Consuming rest of the original blob to satisfy getOriginalLayerCopyWriter 

DEBU[0040] Computed DiffID sha256:22426f366c51f26105aa9a6c6c9aea9fff0f21b7aabfc97870727577edaa3260 for layer sha256:99dd41655d8a45c2fb74f9eeb73e327b3ad4796f0ff0d602c575e32e9804baed 
Copying blob sha256:4ecb11c223ec8ccf0afba1eda003b64726db42b9c8ce52a78794c0988448efc8
DEBU[0040] Downloading rhel7/cockpit-ws/blobs/sha256:4ecb11c223ec8ccf0afba1eda003b64726db42b9c8ce52a78794c0988448efc8 
DEBU[0040] GET https://registry.access.redhat.com/v2/rhel7/cockpit-ws/blobs/sha256:4ecb11c223ec8ccf0afba1eda003b64726db42b9c8ce52a78794c0988448efc8 
 700 B / 700 B [===============================================================]DEBU[0042] Detected compression format gzip             
 0 B / ? [--------------------------------------------------------------------=]DEBU[0042] Using original blob without modification     
DEBU[0042] docker-daemon: input with unknown size, streaming to disk first… 
 4.12 MB / ? [------------------------------------------------=---------------] DEBU[0042] … streaming done                             
DEBU[0042] Sending as tar file sha256:4ecb11c223ec8ccf0afba1eda003b64726db42b9c8ce52a78794c0988448efc8 
DEBU[0042] Consuming rest of the original blob to satisfy getOriginalLayerCopyWriter 

DEBU[0042] Computed DiffID sha256:326d0a1c81f59c2b0b5a3e075169287a31be68dc726a1f06cb00bc8050f99bf0 for layer sha256:4ecb11c223ec8ccf0afba1eda003b64726db42b9c8ce52a78794c0988448efc8 
Copying config sha256:b43b419e2783b348b771fc92872654b9b9ae27aac112f034ef8f313fc26ead24
DEBU[0042] No compression detected                      
 0 B / 2.19 KB [---------------------------------------------------------------]DEBU[0042] Using original blob without modification     
DEBU[0042] Sending as tar file sha256:b43b419e2783b348b771fc92872654b9b9ae27aac112f034ef8f313fc26ead24 

Writing manifest to image destination
DEBU[0042] Sending as tar file manifest.json            
Storing signatures
DEBU[0042] docker-daemon: Closing tar stream            
DEBU[0042] docker-daemon: Waiting for status            
 2.19 KB / 2.19 KB [===========================================================]DEBU[0044] docker-daemon: sending done, status <nil>

[root@bootp-73-3-203 ~]# atomic images list
   REPOSITORY                               TAG      IMAGE ID       CREATED            VIRTUAL SIZE   TYPE      
   registry.access.stage.redhat.com/rhel7   latest   f98706e16e41   2016-10-26 20:02   192.51 MB      Docker    
>  busybox                                  latest   e02e811dd08f   2016-10-08 05:03   1.09 MB        Docker    
   rhel7/cockpit-ws                         latest   b43b419e2783   2016-09-08 05:03   218.81 MB      Docker

Comment 8 Alex Jia 2016-11-04 03:31:48 UTC

Please also see bug 1391788

Comment 9 Alex Jia 2016-11-04 05:13:32 UTC

(In reply to Alex Jia from comment #8)
> Please also see bug 1391788

Manually copy existing policy.json into /etc/containers/ of RHELAH, it works well and not found the issue in Comment 0.

Comment 10 Alex Jia 2016-11-08 10:42:33 UTC

It works well both rhel-atomic-host-7.3.1-1 image and RHEL7.3-RC-3 w/ latest docker and selinux-policy installation.

1. in rhel-atomic-host-7.3.1-1 imag

[root@atomic-00 cloud-user]# cat /etc/redhat-release 
Red Hat Enterprise Linux Atomic Host release 7.3

[root@atomic-00 cloud-user]# atomic host status
State: idle
Deployments:
● rhel-atomic-host:rhel-atomic-host/7/x86_64/standard
       Version: 7.3.1 (2016-11-04 00:49:18)
        Commit: ad61697d3d0df9859551104d57c6187925f05e7daeffb41d4a276a9fed7e089d
        OSName: rhel-atomic-host

[root@atomic-00 cloud-user]# rpm -q atomic skopeo docker selinux-policy
atomic-1.13.6-1.el7.x86_64
skopeo-0.1.17-0.5.git1f655f3.el7.x86_64
docker-1.12.3-2.el7.x86_64
selinux-policy-3.13.1-102.el7_3.4.noarch

2. in RHEL7.3-RC-3

[root@dell-per630-02 RPMs]# cat /etc/redhat-release 
Red Hat Enterprise Linux Server release 7.3 (Maipo)

[root@dell-per630-02 RPMs]# rpm -q atomic skopeo docker selinux-policy
atomic-1.13.8-1.el7.x86_64
skopeo-0.1.17-0.5.git1f655f3.el7.x86_64
docker-1.12.3-4.el7.x86_64
selinux-policy-3.13.1-102.el7_3.4.noarch

Comment 12 errata-xmlrpc 2016-12-06 17:42:20 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2857.html

Note You need to log in before you can comment on or make changes to this bug.