-
Notifications
You must be signed in to change notification settings - Fork 108
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
ACR doesn't support password grant in oauth workflow #104
Comments
We should be able to support this additional mode in ACR's token server. |
We ran into this today while testing our migration from Docker to Containerd. Sorry for the stupid question, but, given that this seems to be a relatively simple fix what are the timeframes associated with a change like this hitting production? |
@cpressland , you can take a look at northtyphoon/img@2da858c which has a workaround for the auth issue in containerd (resolver.go). The commit also has another fix (pusher.go) and it has been merged to the containerd. |
Thanks @northtyphoon - I've just rebuilt containerd from source in a local docker container and still see the same result: |
@cpressland I'm not sure. Can you double check if you indeed rebuilt with the change https://github.com/northtyphoon/img/blob/2da858cb88696e7a28384e3cbb9cc1d10d997bc8/vendor/github.com/containerd/containerd/remotes/docker/resolver.go#L524. |
@northtyphoon it looks like resolver.go in the master branch doesn't have that change yet, however the version I built had the changes for Once I patched in your change to my local |
@cpressland It's a hack and I don't plan to merge to contained. TBH I don't like the existing fallback code in |
We have rolled out the fix worldwide. Thanks @shizhMSFT @yuwaMSFT2 @cpressland if you build the latest img code, you should be able to pull/push to ACR. |
A couple of new container clients (eg, buildkit, img) based on containterd are sending password grand oauth request (username/pasword) to the registry auth server to the get access token.
Here is the containerd code that sends the oauth request.
https://github.com/containerd/containerd/blob/b28aa0e071df7b2ec6665a8d8926c9ffe20fa480/remotes/docker/resolver.go#L510
Currently, ACR doesn't support password grant in its oauth workflow and will fail the requests.
BTW: Docker CLI handles the basic auth slightly different so it can work with ACR. I opened an issue to confirm the behavior in containerd containerd/containerd#2381
/cc @yuwaMSFT2 @ehotinger
The text was updated successfully, but these errors were encountered: