Closed johnmcollier closed 4 years ago
Why is that expected to work at all? The official name of the registry is just docker.io
; the underlying hostnames are not a part of the UI contract, to my knowledge.
And even if you did want to use the underlying host names for some reason, index.docker.io
is the V1 (GitHub.com/docker/registry) server hostname; the V2 (GitHub.com/docker/distribution) host is registry-1.docker.io
. containers/image has never supported the V1 protocol.
Given that, while index.docker.io
does reply to the V2 API, it’s not set up consistently to do that
$ curl -iL https://index.docker.io/v2/
…
Www-Authenticate: Bearer realm="https://auth.docker.io/token",service="registry.docker.io"
…
so, the client successfully obtains a token for registry.docker.io
, but the server at index.docker.io
refuses to accept it.
I suppose it would be cleaner if the index.docker.io
server just refused to accept the /v2/
paths; in principle it would be might be nice to implement V1 registry protocol in containers/image, but that’s extremely unlikely to happen.
Ultimately, the end-user recommendation is the same either way: don’t do that.
in principle it would be might be nice to implement V1 registry protocol in containers/image, but that’s extremely unlikely to happen.
(And even if it did happen, c/image would certainly try V2 before V1, run into the inconsistent V2 configuration and not fall back to V1. So the only way it could ultimately work is by editing the index.docker.io
registry name back to docker.io
, the way your workaround does — but I don’t see any reason to expect that index.docker.io
references should work, so far; they just look like mistakes in the caller/input that should be fixed in the caller/input.)
Just a drive by comment as it popped at the top of my mailbox. Docker allows to pull from index.docker.io
and more things. See https://github.com/moby/moby/pull/34319#discussion_r162021213 for an example.
All inputs below will yield the same image (plenty of hard-coded magic):
docker pull busybox
docker pull library/busybox
docker pull docker.io/busybox
docker pull docker.io/library/busybox
docker pull index.docker.io/busybox
docker pull index.docker.io/library/busybox
docker pull registry-1.docker.io/library/busybox
In there, I see https://github.com/moby/moby/pull/34319#discussion_r167745783 :
This is mixing hostnames and image names. Images don't have names like
registry-1.docker.io
orindex.docker.io
and should not be considered "official". The "official" namespace isdocker.io
.
Description
We're running Buildah on Kubernetes and we're finding that
buildah pull index.docker.io/<some-image>
fails, whilebuildah pull docker.io/<some-image>
doesn't fail.In the logs I see:
but it's a public repository and shouldn't need authentication (and if we use
docker.io/...
it's fine).Steps to reproduce the issue:
buildah pull index.docker.io/appsody/nodejs-express:0.2
. It will fail and show the error I posted above.buildah pull docker.io/appsody/nodejs-express:0.2
. It will pull the image fine.Describe the results you received: Buildah fails to pull from `index.docker.io/appsody/nodejs-express:0.2
Describe the results you expected: Buildah fails can pull from `index.docker.io/appsody/nodejs-express:0.2
Output of
rpm -q buildah
orapt list buildah
:Output of
buildah version
:*Output of `cat /etc/release`:**
Output of
uname -a
:Output of
cat /etc/containers/storage.conf
: