1489039 – [3.5][Backport] exposing docker-registry with a non tls-passthrough route does not work

Bug 1489039 - [3.5][Backport] exposing docker-registry with a non tls-passthrough route does not work

Summary: [3.5][Backport] exposing docker-registry with a non tls-passthrough route doe...

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	OpenShift Container Platform
Classification:	Red Hat
Component:	Image Registry
Sub Component:
Version:	3.5.1
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	medium
Target Milestone:	---
Target Release:	3.5.z
Assignee:	Michal Minar
QA Contact:	Dongbo Yan
Docs Contact:
URL:
Whiteboard:
Depends On:	1471707 1489042
Blocks:
TreeView+	depends on / blocked

Reported:	2017-09-06 15:46 UTC by Michal Minar
Modified:	2020-12-14 09:54 UTC (History)
CC List:	11 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:	Cause: The registry used to append forwarded target port to redirected location urls. Registry client gets confused by the received location containing superfluous port and cannot match it against the original host. This happened when exposed with tls-termination other than passthrough. Consequence: Client's new request to the target location lacks credentials. As a consequence, image push fails due to authorization error. Fix: Registry was rebased to newer version which fixes forwarding processing logic. Result: Registry now doesn't confuse its clients. Clients can push images successfully to the exposed registry using arbitrary tls-termination.
Clone Of:	1471707
Environment:
Last Closed:	2017-10-25 13:06:40 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2017:3049	0	normal	SHIPPED_LIVE	OpenShift Container Platform 3.6, 3.5, and 3.4 bug fix and enhancement update	2017-10-25 15:57:15 UTC

Comment 1 Michal Minar 2017-09-06 15:47:54 UTC

This PR https://github.com/docker/distribution/pull/2219 will be back-ported to fix the issue.

Comment 2 Ben Parees 2017-10-02 19:46:44 UTC

Was this backport requested by a customer?  If not, why are we doing it?

Comment 4 Michal Minar 2017-10-03 09:55:05 UTC

Back-port PR: https://github.com/openshift/ose/pull/882

Comment 6 Dongbo Yan 2017-10-12 12:04:05 UTC

Verified
$ ./oc version
oc v3.5.5.31.34
kubernetes v1.5.2+43a9be4
features: Basic-Auth GSSAPI Kerberos SPNEGO

Server https://:8443
openshift v3.5.5.31.34
kubernetes v1.5.2+43a9be4

Comment 8 errata-xmlrpc 2017-10-25 13:06:40 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:3049

Note You need to log in before you can comment on or make changes to this bug.