Bug 1662088 - Fail to push a new OpenShift release image to docker.io due to authentication error via 'oc adm release new' command
Summary: Fail to push a new OpenShift release image to docker.io due to authentication...
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: oc
Version: 4.1.0
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
: 4.1.0
Assignee: Oleg Bulatov
QA Contact: Xingxing Xia
Depends On:
TreeView+ depends on / blocked
Reported: 2018-12-26 06:02 UTC by Johnny Liu
Modified: 2023-09-14 04:44 UTC (History)
5 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Cause: `oc adm release new` obtains tokens only with the push scope Consequence: for docker.io this token doesn't allow to push blobs Fix: obtain token with the scopes push and pull Result: new tokens are accepted by docker.io
Clone Of:
Last Closed: 2019-06-04 10:41:27 UTC
Target Upstream Version:

Attachments (Terms of Use)

System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2019:0758 0 None None None 2019-06-04 10:41:33 UTC

Description Johnny Liu 2018-12-26 06:02:16 UTC
Description of problem:
See the following details.

Version-Release number of the following components:
# oc version
oc v4.0.0-0.112.0
kubernetes v1.11.0+a81c74aa0a
features: Basic-Auth GSSAPI Kerberos SPNEGO

How reproducible:

Steps to Reproduce:
1. Build a new image and push it to docker.io
# oc adm release new  --from-release=registry.svc.ci.openshift.org/openshift/origin-release:v4.0 --to-image=docker.io/jialiu/newtesting:1 

Actual results:
# oc adm release new  --from-release=registry.svc.ci.openshift.org/openshift/origin-release:v4.0 --to-image=docker.io/jialiu/newtesting:1 
Uploading ... failed
error: errors:
denied: requested access to the resource is denied
unauthorized: authentication required

Expected results:
Failed to push release image to docker.io due to authentication error.

Additional info:
1. I tried `docker tag/push` image to docker.io. it is completed successfully.
2. mirror a release image successfully.
# oc --loglevel=9 adm release mirror --from=registry.svc.ci.openshift.org/openshift/origin-release:v4.0 --to-release-image=docker.io/jialiu/mirrortesting:1 --to=docker.io/jialiu/mirrortesting
3. I run the same commands with --loglevel=9 to capture the log, attach the log later.

Comment 2 Juan Vallejo 2019-01-07 23:12:29 UTC
Can you make sure that you are authenticated to both the docker.io registry as well as the "registry.svc.ci.openshift.org" registry (via the `docker login` command)?
Adding Clayton for further information he may have.

Comment 4 Johnny Liu 2019-01-08 01:57:42 UTC
(In reply to Juan Vallejo from comment #2)
> Can you make sure that you are authenticated to both the docker.io registry
> as well as the "registry.svc.ci.openshift.org" registry (via the `docker
> login` command)?
I am sure I am authenticated to docker.io registry. But I have no auth for "registry.svc.ci.openshift.org". And because mirror command is passed, I do not think I have to authenticate  "registry.svc.ci.openshift.org" registry, according to log, the issue might happen at authentication for "docker.io", but docker client have no any authentication issue.

# docker push docker.io/jialiu/newtesting:2
The push refers to a repository [docker.io/jialiu/newtesting]
8a788232037e: Mounted from jialiu/my 
2: digest: sha256:915f390a8912e16d4beb8689720a17348f3f6d1a7b659697df850ab625ea29d5 size: 527

Comment 5 Juan Vallejo 2019-02-04 22:59:08 UTC
Origin PR: https://github.com/openshift/origin/pull/21965

Comment 7 Oleg Bulatov 2019-02-20 13:57:11 UTC
The fix was merged 3 days ago.

Comment 9 Johnny Liu 2019-02-21 09:16:58 UTC
Verified this bug with oc v4.0.0-0.177.0, and PASS.

# oc adm release new  --from-release=registry.svc.ci.openshift.org/openshift/origin-release:v4.0 --to-image=docker.io/jialiu/newtesting:3
info: Found 70 images in release
info: Manifests will be extracted to /tmp/release-image-0.0.1-2019-02-21-091420559773594
Loading manifests from service-serving-cert-signer: sha256:a792c98d39e33a119c98300e4179891ffa593036213eda7fedb7625557cc0f8a ...
Uploading ... 36.34kB/s
Uploading 975B ...
Uploading 75.83MB ...
Uploading 471B ...
Uploading 7.495MB ...
Uploading 10.64MB ...
Pushed image sha256:aa6e3f171ef96c149a5e128af247af7507bc214c08593735f14820ce93712cc4 to docker.io/jialiu/newtesting:3
Built release image from 26 operators

Comment 12 errata-xmlrpc 2019-06-04 10:41:27 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Comment 13 Red Hat Bugzilla 2023-09-14 04:44:14 UTC
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 1000 days

Note You need to log in before you can comment on or make changes to this bug.