containerd / nerdctl

contaiNERD CTL - Docker-compatible CLI for containerd, with support for Compose, Rootless, eStargz, OCIcrypt, IPFS, ...
Apache License 2.0

Login to docker.io failed. (`expected acArg to be "docker.io", got "registry-1.docker.io"`) #3245

Closed lingdie closed 1 week ago

lingdie commented 1 month ago

Description

I tried to use nerdctl to login to docker.io, but got:

nerdctl login docker.io --debug
Enter Username: lingdie
Enter Password:
DEBU[0005] Found hosts dir "/etc/containerd/certs.d"
DEBU[0005] Ignoring hosts dir "/etc/docker/certs.d"      error="stat /etc/docker/certs.d: no such file or directory"
DEBU[0005] len(regHosts)=1
ERRO[0007] failed to call tryLoginWithRegHost            error="failed to call rh.Authorizer.AddResponses: expected acArg to be \"docker.io\", got \"registry-1.docker.io\"" i=0
FATA[0007] failed to call rh.Authorizer.AddResponses: expected acArg to be "docker.io", got "registry-1.docker.io"

however, this works:

nerdctl login --debug
DEBU[0000] Found hosts dir "/etc/containerd/certs.d"
DEBU[0000] Ignoring hosts dir "/etc/docker/certs.d"      error="stat /etc/docker/certs.d: no such file or directory"
DEBU[0000] len(regHosts)=1
DEBU[0001] no scope specified for token auth challenge   host=index.docker.io
WARNING: Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded
---
nerdctl login https://index.docker.io/v1 --debug
DEBU[0000] Found hosts dir "/etc/containerd/certs.d"
DEBU[0000] Ignoring hosts dir "/etc/docker/certs.d"      error="stat /etc/docker/certs.d: no such file or directory"
DEBU[0000] len(regHosts)=1
DEBU[0001] no scope specified for token auth challenge   host=index.docker.io
WARNING: Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded

What's the difference between these commands? Is this a bug?

I need to use the nerdctl SDK to log in and push images to registries. What should I do if I don't want to hard-code anything for docker.io?

Steps to reproduce the issue

  1. nerdctl login docker.io
  2. nerdctl login
  3. nerdctl login https://index.docker.io/v1

Describe the results you received and expected

nerdctl login docker.io should work as well.

What version of nerdctl are you using?

nerdctl version
Client:
 Version: v1.5.0
 OS/Arch: linux/amd64
 Git commit: b33a58f288bc42351404a016e694190b897cd252
 buildctl:
  Version:

Server:
 containerd:
  Version: v1.7.15
  GitCommit: 926c9586fe4a6236699318391cd44976a98e31f1
 runc:
  Version: 1.1.12
  GitCommit: v1.1.12-0-g51d5e946

Are you using a variant of nerdctl? (e.g., Rancher Desktop)

None

Host information

No response

AkihiroSuda commented 1 month ago

@fahedouch PTAL

apostasie commented 1 month ago

What's the difference between these commands? Is this a bug?

I would say yes (because docker works fine in that case).

I do not know why we do this check - maybe there was a security reason to make sure we do not return credentials for a different host.

I would like to rewrite most of our login code (as there are a lot of issues - #3072) but that will take some time.

If @fahedouch knows and can comment on the reason for the acArg / host check, and if we can soften it to maybe the main domain + tld, that could be a fix.

Alternatively, we could match the registry param if *.docker.io -> replace with index.docker.io.

apostasie commented 1 month ago

acArg vs. host

This is in place to prevent sending credentials to hosts.toml mirrors. Although in that case, it does not make sense (and is also possibly problematic with redirects).

Some discussion on the overall question here: #3265
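
The host check discussed in this thread, as an added Go example that is not part of the thread and is not nerdctl's code: credentials are released only when the requesting host matches the registry named at login, with the Docker Hub names from the logs above folded to one canonical name so that a mirror is still refused. The identifiers `hubAliases`, `canonicalHost`, `credentialsFor` and `errHostMismatch`, the host `mirror.example.internal`, and the decision to treat the three Hub names as one registry are assumptions of this example.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// hubAliases lists the Docker Hub names seen in the logs above. Treating them
// as one registry is an assumption of this example.
var hubAliases = map[string]bool{
	"docker.io":            true,
	"index.docker.io":      true,
	"registry-1.docker.io": true,
}

// canonicalHost (hypothetical helper) strips scheme and path, lowercases the
// host, and folds every Docker Hub alias to "docker.io".
func canonicalHost(ref string) string {
	h := strings.ToLower(strings.TrimSpace(ref))
	if i := strings.Index(h, "://"); i >= 0 {
		h = h[i+3:]
	}
	if i := strings.IndexByte(h, '/'); i >= 0 {
		h = h[:i]
	}
	if hubAliases[h] {
		return "docker.io"
	}
	return h
}

var errHostMismatch = errors.New("refusing to send credentials to a different host")

// credentialsFor (hypothetical) returns the login only when the host asking
// for credentials is the registry the user named, after alias folding.
func credentialsFor(loginArg, requestHost, user, secret string) (string, string, error) {
	if canonicalHost(loginArg) != canonicalHost(requestHost) {
		return "", "", fmt.Errorf("%w: login=%q request=%q", errHostMismatch, loginArg, requestHost)
	}
	return user, secret, nil
}

func main() {
	// Constructed inputs: the failing case from the report, then a mirror host.
	_, _, err := credentialsFor("docker.io", "registry-1.docker.io", "user", "token")
	fmt.Println("hub alias:", err)
	_, _, err = credentialsFor("docker.io", "mirror.example.internal", "user", "token")
	fmt.Println("mirror:", err)
}
```

A host that carries an explicit port is not folded by this helper and is compared as written.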