Bug 1464188 - docker push on exposed registry url without port results in "unauthorized: authentication required" [NEEDINFO]
docker push on exposed registry url without port results in "unauthorized: au...
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: docker (Show other bugs)
7.2
Unspecified Unspecified
unspecified Severity high
: rc
: 7.2
Assigned To: Antonio Murdaca
atomic-bugs@redhat.com
: Extras, Reopened
: 1439614 1480499 (view as bug list)
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2017-06-22 11:29 EDT by Steven Walter
Modified: 2017-09-05 06:35 EDT (History)
10 users (show)

See Also:
Fixed In Version: docker-2:1.12.6-50.git0fdc778
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2017-09-05 06:35:14 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
amurdaca: needinfo? (mfojtik)


Attachments (Terms of Use)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2017:2599 normal SHIPPED_LIVE docker bug fix and enhancement update 2017-09-05 10:32:57 EDT

  None (edit)
Description Steven Walter 2017-06-22 11:29:52 EDT
Description of problem:
Secure and expose registry, then push causes "unauthorized: authentication required". If port is on 443, for instance, then running "docker push" should default to trying 443 (if in additional registries in /etc/sysconfig/docker or if specifying https://) or 80 (if in insecure registry or if specifying http://). As it stands this message occurs unless manually specifying the actual port.

Version-Release number of selected component (if applicable):
3.5

How reproducible:
Unconfirmed

Steps to Reproduce:
1. Secure and expose registry
2. docker push registry.cloudapps.example.com/openshift/php:latest

Actual results:
Cannot set persistent booleans, please try as root.
The push refers to a repository [registry.cloudapps.example.com/openshift/php]
95c4fd550d8e: Preparing
b41b282bd373: Preparing
3cb03dc081c0: Preparing
f483edd7a42b: Preparing
f7b626558f10: Preparing
unauthorized: authentication required

Expected results:
Push successful

Additional info:

not sure if this appears only in certain conditions. I documented in a KCS solution https://access.redhat.com/solutions/3090231 -- may be related to upstream issue https://github.com/openshift/origin/issues/12260 and PRs https://github.com/openshift/origin/pull/11391 and https://github.com/openshift/origin/pull/14319

This is a slightly odd user experience, as we should expect that if you specify https, or if it's a known secure registry, that you'd automatically try port 443. Or otherwise it would be good to have a slightly more useful error message.

Or if the above is not able to be modified due to upstream conventions, we can change this to a docs bug to add a quick note in the docs, "On a secured, exposed registry it is required to specify the port"
Comment 1 Oleg Bulatov 2017-06-22 15:14:05 EDT

*** This bug has been marked as a duplicate of bug 1439614 ***
Comment 2 Boris Kurktchiev 2017-06-22 15:21:23 EDT
The above bug is not public, is there some way we can change that so those of us affected by this can keep track of the progress?
Comment 3 Michal Fojtik 2017-06-22 15:24:18 EDT
Copying Oleg from the private bug:

I've found that it was fixed in Docker v17.04.0-ce-rc1:
https://github.com/moby/moby/commit/78a429a97ac110e986c150a57507163dfe223f46
https://github.com/docker/distribution/commit/462bb55c3f05def7f4ddee3c3965f08a25777df9

So we need to wait for docker update to pickup this fix.
Comment 4 Boris Kurktchiev 2017-06-22 15:25:49 EDT
and is it going to be backported to 1.12 since that is what OCP is released with?
Comment 5 Michal Fojtik 2017-06-22 15:29:36 EDT
(In reply to Boris Kurktchiev from comment #4)
> and is it going to be backported to 1.12 since that is what OCP is released
> with?

Dan might know if that is doable (or know a person who can triage it).
Comment 6 Daniel Walsh 2017-06-22 15:45:48 EDT
Either rename this bugzilla to Docker or create a new bug to back port those patches.
Comment 7 Steven Walter 2017-06-22 16:22:23 EDT
Daniel I think this is what you mean
Comment 9 Antonio Murdaca 2017-06-22 16:30:55 EDT
I'm going to backport that patch, assuming assumuing the docker/distribution registry used by openshift has the fix already backported.
Comment 10 Antonio Murdaca 2017-06-22 16:32:43 EDT
Michal could you check if openshift registry has this patch https://github.com/docker/distribution/commit/462bb55c3f05def7f4ddee3c3965f08a25777df9 ?
Comment 11 Antonio Murdaca 2017-06-22 16:37:37 EDT
Patch backported here https://github.com/projectatomic/docker/commit/c87521300a1fbe4acc342e26fdf434f8b49a57f8
Comment 12 Jhon Honce 2017-07-10 18:59:33 EDT
*** Bug 1439614 has been marked as a duplicate of this bug. ***
Comment 14 zhou ying 2017-08-13 22:56:17 EDT
*** Bug 1480499 has been marked as a duplicate of this bug. ***
Comment 15 Luwen Su 2017-08-25 04:50:00 EDT
A similar problem is fine for me, Bug 1472974

Move to verified.
Comment 17 errata-xmlrpc 2017-09-05 06:35:14 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2599

Note You need to log in before you can comment on or make changes to this bug.