1419487 – Sanitize Docker v1 Registry Logging

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1419487 - Sanitize Docker v1 Registry Logging

Summary: Sanitize Docker v1 Registry Logging

Keywords:
Status:	CLOSED EOL
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	docker-registry
Sub Component:
Version:	7.3
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	rc
Target Release:	---
Assignee:	Lokesh Mandvekar
QA Contact:	atomic-bugs@redhat.com
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2017-02-06 10:32 UTC by Marko Myllynen
Modified:	2019-04-10 12:49 UTC (History)
CC List:	2 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2019-04-10 12:49:49 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Description Marko Myllynen 2017-02-06 10:32:45 UTC

Description of problem:
After configuring a secure v1 Docker Registry with docker and docker-registry on "warn" level logging and pushing few images, I see system log being flooded with these kinds of messages:

Feb  6 09:59:03 rhev-i24c-01 dockerd-current: time="2017-02-06T09:59:03.698273419+02:00" level=error msg="Attempting next endpoint for push after error: Get https://registry.example.com:5000/v2/: EOF"
Feb  6 09:59:03 rhev-i24c-01 gunicorn: 192.168.122.1 - - [06/Feb/2017:09:59:03] "GET /v2/ HTTP/1.1" 404 233 "-" "docker/1.12.5 go/go1.7.4 kernel/3.10.0-514.6.1.el7.x86_64 os/linux arch/amd64 UpstreamClient(Docker-Client/1.12.5 \(linux\))"
Feb  6 09:59:03 rhev-i24c-01 gunicorn: 06/Feb/2017:09:59:03 +0000 INFO: 192.168.122.1 - - [06/Feb/2017:09:59:03] "GET /v2/ HTTP/1.1" 404 233 "-" "docker/1.12.5 go/go1.7.4 kernel/3.10.0-514.6.1.el7.x86_64 os/linux arch/amd64 UpstreamClient(Docker-Client/1.12.5 \(linux\))"
Feb  6 09:59:03 rhev-i24c-01 dockerd-current: time="2017-02-06T09:59:03.708042748+02:00" level=error msg="Upload failed: error parsing HTTP 404 response body: invalid character '<' looking for beginning of value: \"<!DOCTYPE HTML PUBLIC \\\"-//W3C//DTD HTML 3.2 Final//EN\\\">\\n<title>404 Not Found</title>\\n<h1>Not Found</h1>\\n<p>The requested URL was not found on the server.  If you entered the URL manually please check your spelling and try again.</p>\\n\""
Feb  6 09:59:03 rhev-i24c-01 gunicorn: 192.168.122.1 - - [06/Feb/2017:09:59:03] "POST /v2/openshift3/ose-docker-registry/blobs/uploads/ HTTP/1.1" 404 233 "-" "docker/1.12.5 go/go1.7.4 kernel/3.10.0-514.6.1.el7.x86_64 os/linux arch/amd64 UpstreamClient(Docker-Client/1.12.5 \(linux\))"
Feb  6 09:59:03 rhev-i24c-01 gunicorn: 06/Feb/2017:09:59:03 +0000 INFO: 192.168.122.1 - - [06/Feb/2017:09:59:03] "POST /v2/openshift3/ose-docker-registry/blobs/uploads/ HTTP/1.1" 404 233 "-" "docker/1.12.5 go/go1.7.4 kernel/3.10.0-514.6.1.el7.x86_64 os/linux arch/amd64 UpstreamClient(Docker-Client/1.12.5 \(linux\))"

These should not be logged on warn level (debug would look more appropriate) and it might be also considered to use a dedicated log file for these.

Please also note the wrong timezone by gunicorn.

There might be other cases as well which I didn't come across now, would be great to have docker-registry logging reviewed and sanitized in general. If done in upstream/Fedora already, then please consider backporting to RHEL 7.

Thanks.

Version-Release number of selected component (if applicable):
docker-registry-0.9.1-7.el7.x86_64

Comment 1 Marko Myllynen 2017-02-06 10:33:59 UTC

See also:

https://bugzilla.redhat.com/show_bug.cgi?id=1419485
https://bugzilla.redhat.com/show_bug.cgi?id=1419486

Comment 3 Lokesh Mandvekar 2019-04-10 12:49:49 UTC

docker-registry has been obsoleted by docker-distribution. Please file a bug against docker-distribution if this issue exists with it as well..

Note You need to log in before you can comment on or make changes to this bug.