docker: fix unauthenticated pulls from gcr.io #195
Conversation
|
@mtrmac PTAL, this is breaking F25 atomic users https://bugzilla.redhat.com/show_bug.cgi?id=1409873 I'll update skopeo and docker once this is in. |
|
Apart from tests failing, could you document what exactly is the behavior (e.g. HTTP request/response sequences) we are trying to support here? It is really not obvious from the code. My best guess is that the server is returning a different |
|
hey all - would be great if we can streamline this so that we can possibly get this in for an F25 two week atomic release this week. |
|
Tests failure seems unrelated @mtrmac, should be related to containers/storage#11
I thought this would be the only case, hence I did this way. GCR registry is really weird though and does some really weird stuff (like you need the gcloud CLI to docker login with just a token and other stuff...). It's not fully similar to the upstream Docker registry and I thought special casing it would be far better now than hunting down every corner case we have with GCR. I couldn't find any reliable documentation on GCR API either so far. |
I don’t really have an opinion on that, my point is that it’s impossible to tell from the code what the special case is. (I do admit I haven’t tried to set this up myself so far; I’m thinking that at least one of the code structure, comments, or test cases, should be clear enough so that this is not necessary. Otherwise, when it is undocumented and unknown what is the special case and the needed behavior, there is very high likelihood that anyone editing the code in the future will break the workaround because they will have no idea what it is or perhaps even that there is a workaround in there at all.) |
|
Alright, I'll try to restructure that if statement and document what it does (I'm not fully sure what else I could do honestly) |
|
Yeah, we don’t really have a testing infrastructure for |
|
OK, adding debugging prints (headers abbreviated): → BUT subsequently → … I guess it makes sense (all of the server may require authentication, but an individual repository does not need it), though it does seem to be in violation of https://github.com/docker/distribution/blob/master/docs/spec/api.md#api-version-check . Anyway, ultimately it means that this PR is necessary; most of the objections, if any, should be directed at #191, or perhaps |
| @@ -265,7 +265,12 @@ func (c *dockerClient) setupRequestAuth(req *http.Request) error { | |||
| } | |||
| chs := parseAuthHeader(res.Header) | |||
| if res.StatusCode != http.StatusUnauthorized || chs == nil || len(chs) == 0 { | |||
| // try again one last time with Basic Auth (gcr.io for instance) | |||
| if res.StatusCode == http.StatusOK { | |||
There was a problem hiding this comment.
Is it really just StatusOK? What about StatusNotFound, StatusAccepted (both used in deleteImage and PutBlob), StatusCreated (PutBlob, Putmanifest)?
Or perhaps this should really be if res.StatusCode != http.StatusUnauthorized? I don’t readily have a reproducer for #191 so I don’t know which of the conditions should get us into the testReq2 path.
There was a problem hiding this comment.
I believe status != 401 would be more appropriate (meaning, I don't have a clear vision on other API endpoints)
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
runcom
force-pushed
the
fix-gcr.io-unauthenticated
branch
from
c5f869f
to
15f6d41
Compare
|
@mtrmac push forced with (I hope) better documentation on the code path (please feel free to reword it if it's not clear to you) |
|
👍 Thanks! That is perfect. (I will eventually get to #191 in my mail backlog and perhaps look into cleaning up the other path more, but this particular PR is great now.) |
|
Nah, things were urgent and I wasn’t really reading mail. Don’t worry about it :) In the worst case, the #191 case will be broken sometime in the future and we will have an opportunity to revisit and clean up. |
|
lgtm tests failure shouldn't impact anyone except this repo's CI since skopeo and docker vendors containers/storage (that's failing) |
|
@runcom do you have an ETA on this + a new F25 docker build? |
|
I built this by hand and can confirm at least that gcr.io pulls work again |
|
@ncdc I'm running Docker integration tests with this patch before committing this to Docker and rebuild in F25, shouldn't take that long (just some hours at this point, tomorrow morning at last if something goes wrong) |
vendor containers/image, OCI/image-spec
./skopeo inspect gcr.io/google_containers/pause-amd64:3.0currently fails while pulling from agcr.iorepository which requires auth is ok. This was my bad before the shutdown. This patch fixes both unauthenticated and authenticated pulls.Signed-off-by: Antonio Murdaca runcom@redhat.com