Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

ACR doesn't support password grant in oauth workflow #104

Closed
northtyphoon opened this issue Jun 4, 2018 · 8 comments
Closed

ACR doesn't support password grant in oauth workflow #104

northtyphoon opened this issue Jun 4, 2018 · 8 comments
Assignees
@yuwaMSFT2 @shizhMSFT
Labels
feature-request registry

Comments

@northtyphoon
Copy link
Member

A couple of new container clients (eg, buildkit, img) based on containterd are sending password grand oauth request (username/pasword) to the registry auth server to the get access token.

Here is the containerd code that sends the oauth request.

https://github.com/containerd/containerd/blob/b28aa0e071df7b2ec6665a8d8926c9ffe20fa480/remotes/docker/resolver.go#L510

Currently, ACR doesn't support password grant in its oauth workflow and will fail the requests.

BTW: Docker CLI handles the basic auth slightly different so it can work with ACR. I opened an issue to confirm the behavior in containerd containerd/containerd#2381

/cc @yuwaMSFT2 @ehotinger
@northtyphoon northtyphoon mentioned this issue Jun 4, 2018
Closed
@yuwaMSFT2
Copy link
Contributor

We should be able to support this additional mode in ACR's token server.

@cpressland
Copy link

We ran into this today while testing our migration from Docker to Containerd. Sorry for the stupid question, but, given that this seems to be a relatively simple fix what are the timeframes associated with a change like this hitting production?

@northtyphoon
Copy link
Member Author

@cpressland , you can take a look at northtyphoon/img@2da858c which has a workaround for the auth issue in containerd (resolver.go). The commit also has another fix (pusher.go) and it has been merged to the containerd.

@cpressland
Copy link

Thanks @northtyphoon - I've just rebuilt containerd from source in a local docker container and still see the same result: ctr: failed to resolve reference "<image>": failed to fetch oauth token: unexpected status: 400 Bad Request while running: ./ctr image pull <image> -u <user>:<pass>. Any further advice for now?

@northtyphoon
Copy link
Member Author

@cpressland I'm not sure. Can you double check if you indeed rebuilt with the change https://github.com/northtyphoon/img/blob/2da858cb88696e7a28384e3cbb9cc1d10d997bc8/vendor/github.com/containerd/containerd/remotes/docker/resolver.go#L524.
If it still doesn't work, can you send us (acrsup at microsoft dot com) your registry/image name?

@cpressland
Copy link

@northtyphoon it looks like resolver.go in the master branch doesn't have that change yet, however the version I built had the changes for pusher.go.

Once I patched in your change to my local resolver.go and recompiled I was able to pull just fine. Are you going to put in a pull request for https://github.com/containerd/containerd with the resolver.go change?

@northtyphoon
Copy link
Member Author

@cpressland It's a hack and I don't plan to merge to contained. TBH I don't like the existing fallback code in resolver.go which is only targetting a few vendors.
We have started the work to fix it on ACR. May take a few weeks to roll out worldwide.

@northtyphoon
Copy link
Member Author

We have rolled out the fix worldwide. Thanks @shizhMSFT @yuwaMSFT2

@cpressland if you build the latest img code, you should be able to pull/push to ACR.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@yuwaMSFT2 yuwaMSFT2

@shizhMSFT shizhMSFT

Labels
feature-request registry
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@sajayantony @northtyphoon @cpressland @yuwaMSFT2 @shizhMSFT