Bug 1662088 - Fail to push a new OpenShift release image to docker.io due to authentication error via 'oc adm release new' command [NEEDINFO]
Summary: Fail to push a new OpenShift release image to docker.io due to authentication...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: oc
Version: 4.1.0
Hardware: Unspecified
OS: Unspecified
medium
medium
Target Milestone: ---
: 4.1.0
Assignee: Oleg Bulatov
QA Contact: Xingxing Xia
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2018-12-26 06:02 UTC by Johnny Liu
Modified: 2019-06-04 10:41 UTC (History)
5 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Cause: `oc adm release new` obtains tokens only with the push scope Consequence: for docker.io this token doesn't allow to push blobs Fix: obtain token with the scopes push and pull Result: new tokens are accepted by docker.io
Clone Of:
Environment:
Last Closed: 2019-06-04 10:41:27 UTC
Target Upstream Version:
jvallejo: needinfo? (ccoleman)


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2019:0758 None None None 2019-06-04 10:41:33 UTC

Description Johnny Liu 2018-12-26 06:02:16 UTC
Description of problem:
See the following details.

Version-Release number of the following components:
# oc version
oc v4.0.0-0.112.0
kubernetes v1.11.0+a81c74aa0a
features: Basic-Auth GSSAPI Kerberos SPNEGO

How reproducible:
Always

Steps to Reproduce:
1. Build a new image and push it to docker.io
# oc adm release new  --from-release=registry.svc.ci.openshift.org/openshift/origin-release:v4.0 --to-image=docker.io/jialiu/newtesting:1 
2.
3.

Actual results:
# oc adm release new  --from-release=registry.svc.ci.openshift.org/openshift/origin-release:v4.0 --to-image=docker.io/jialiu/newtesting:1 
Uploading ... failed
error: errors:
denied: requested access to the resource is denied
unauthorized: authentication required

Expected results:
Failed to push release image to docker.io due to authentication error.

Additional info:
1. I tried `docker tag/push` image to docker.io. it is completed successfully.
2. mirror a release image successfully.
# oc --loglevel=9 adm release mirror --from=registry.svc.ci.openshift.org/openshift/origin-release:v4.0 --to-release-image=docker.io/jialiu/mirrortesting:1 --to=docker.io/jialiu/mirrortesting
3. I run the same commands with --loglevel=9 to capture the log, attach the log later.

Comment 2 Juan Vallejo 2019-01-07 23:12:29 UTC
Can you make sure that you are authenticated to both the docker.io registry as well as the "registry.svc.ci.openshift.org" registry (via the `docker login` command)?
Adding Clayton for further information he may have.

Comment 4 Johnny Liu 2019-01-08 01:57:42 UTC
(In reply to Juan Vallejo from comment #2)
> Can you make sure that you are authenticated to both the docker.io registry
> as well as the "registry.svc.ci.openshift.org" registry (via the `docker
> login` command)?
I am sure I am authenticated to docker.io registry. But I have no auth for "registry.svc.ci.openshift.org". And because mirror command is passed, I do not think I have to authenticate  "registry.svc.ci.openshift.org" registry, according to log, the issue might happen at authentication for "docker.io", but docker client have no any authentication issue.

# docker push docker.io/jialiu/newtesting:2
The push refers to a repository [docker.io/jialiu/newtesting]
8a788232037e: Mounted from jialiu/my 
2: digest: sha256:915f390a8912e16d4beb8689720a17348f3f6d1a7b659697df850ab625ea29d5 size: 527

Comment 5 Juan Vallejo 2019-02-04 22:59:08 UTC
Origin PR: https://github.com/openshift/origin/pull/21965

Comment 7 Oleg Bulatov 2019-02-20 13:57:11 UTC
The fix was merged 3 days ago.

Comment 9 Johnny Liu 2019-02-21 09:16:58 UTC
Verified this bug with oc v4.0.0-0.177.0, and PASS.


# oc adm release new  --from-release=registry.svc.ci.openshift.org/openshift/origin-release:v4.0 --to-image=docker.io/jialiu/newtesting:3
info: Found 70 images in release
info: Manifests will be extracted to /tmp/release-image-0.0.1-2019-02-21-091420559773594
<--SNIP-->
Loading manifests from service-serving-cert-signer: sha256:a792c98d39e33a119c98300e4179891ffa593036213eda7fedb7625557cc0f8a ...
Uploading ... 36.34kB/s
Uploading 975B ...
Uploading 75.83MB ...
Uploading 471B ...
Uploading 7.495MB ...
Uploading 10.64MB ...
Pushed image sha256:aa6e3f171ef96c149a5e128af247af7507bc214c08593735f14820ce93712cc4 to docker.io/jialiu/newtesting:3
Built release image from 26 operators

Comment 12 errata-xmlrpc 2019-06-04 10:41:27 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:0758


Note You need to log in before you can comment on or make changes to this bug.