search

docker-archive / docker-registry

This is **DEPRECATED**! Please go to https://github.com/docker/distribution
Apache License 2.0
2.88k stars 877 forks source link

Getting 401 when using the mirror feature #1007

Open skuzye opened 9 years ago

skuzye commented 9 years ago

Hello guys, I'm trying to set a v1/v2 registry with nginx as per the documentation says. So far so good, except v1 can't pull from the docker hub and gets a 401. It then returns a 404 to my docker client which itself is able to pull from the registry without any authorization settings.

Logs from the client daemon:

May 28 14:29:05 tpa-eld4001 docker[12788]: time="2015-05-28T14:29:05-03:00" level=debug msg="pulling image from host \"docker.io\" with remote name \"library/centos\""
May 28 14:29:05 tpa-eld4001 docker[12788]: time="2015-05-28T14:29:05-03:00" level=debug msg="pinging registry endpoint https://index.docker.io/v1/"
May 28 14:29:05 tpa-eld4001 docker[12788]: time="2015-05-28T14:29:05-03:00" level=debug msg="attempting v1 ping for registry endpoint https://index.docker.io/v1/"
May 28 14:29:05 tpa-eld4001 docker[12788]: time="2015-05-28T14:29:05-03:00" level=debug msg="pulling v1 repository with local name \"docker.io/centos\""
May 28 14:29:05 tpa-eld4001 docker[12788]: time="2015-05-28T14:29:05-03:00" level=debug msg="[registry] Calling GET https://index.docker.io/v1/repositories/library/centos/images"
May 28 14:29:05 tpa-eld4001 docker[12788]: time="2015-05-28T14:29:05-03:00" level=debug msg="https://index.docker.io/v1/repositories/library/centos/images -- HEADERS: map[User-Agent:[docker/1.6.0 go/go1.4.2 kernel/3.19.7-200.fc21.x86_64 os/linux arch/amd64]]"
May 28 14:29:05 tpa-eld4001 docker[12788]: time="2015-05-28T14:29:05-03:00" level=debug msg="hostDir: /etc/docker/certs.d/index.docker.io"
May 28 14:29:06 tpa-eld4001 docker[12788]: time="2015-05-28T14:29:06-03:00" level=debug msg="Retrieving the tag list"
May 28 14:29:06 tpa-eld4001 docker[12788]: time="2015-05-28T14:29:06-03:00" level=debug msg="https://registry-1.docker.io/v1/repositories/library/centos/tags -- HEADERS: map[User-Agent:[docker/1.6.0 go/go1.4.2 kernel/3.19.7-200.fc21.x86_64 os/linux arch/amd64]]"
May 28 14:29:06 tpa-eld4001 docker[12788]: time="2015-05-28T14:29:06-03:00" level=debug msg="hostDir: /etc/docker/certs.d/registry-1.docker.io"
May 28 14:29:12 tpa-eld4001 docker[12788]: time="2015-05-28T14:29:12-03:00" level=debug msg="Got status code 200 from https://registry-1.docker.io/v1/repositories/library/centos/tags"
May 28 14:29:12 tpa-eld4001 docker[12788]: time="2015-05-28T14:29:12-03:00" level=debug msg="Registering tags"
May 28 14:29:12 tpa-eld4001 docker[12788]: time="2015-05-28T14:29:12-03:00" level=debug msg="https://tpa-eld4003:5000/v1/images/fd44297e2ddb050ec4fa9752b7a4e3a8439061991886e2091e7c1f007c906d75/ancestry -- HEADERS: map[User-Agent:[docker/1.6.0 go/go1.4.2 kernel/3.19.7-200.fc21.x86_64 os/linux arch/amd64]]"
May 28 14:29:12 tpa-eld4001 docker[12788]: time="2015-05-28T14:29:12-03:00" level=debug msg="hostDir: /etc/docker/certs.d/tpa-eld4003:5000"
May 28 14:29:12 tpa-eld4001 docker[12788]: time="2015-05-28T14:29:12-03:00" level=debug msg="crt: /etc/docker/certs.d/tpa-eld4003:5000/ca.crt"
May 28 14:29:13 tpa-eld4001 docker[12788]: time="2015-05-28T14:29:13-03:00" level=debug msg="Error pulling image (latest) from docker.io/centos, mirror: https://tpa-eld4003:5000/v1/, Server error: 404 trying to fetch remote history for fd44297e2ddb050ec4fa9752b7a4e3a8439061991886e2091e7c1f007c906d75"
May 28 14:29:13 tpa-eld4001 docker[12788]: time="2015-05-28T14:29:13-03:00" level=debug msg="https://registry-1.docker.io/v1/images/fd44297e2ddb050ec4fa9752b7a4e3a8439061991886e2091e7c1f007c906d75/ancestry -- HEADERS: map[User-Agent:[docker/1.6.0 go/go1.4.2 kernel/3.19.7-200.fc21.x86_64 os/linux arch/amd64]]"
May 28 14:29:13 tpa-eld4001 docker[12788]: time="2015-05-28T14:29:13-03:00" level=debug msg="hostDir: /etc/docker/certs.d/registry-1.docker.io"
May 28 14:29:14 tpa-eld4001 docker[12788]: time="2015-05-28T14:29:14-03:00" level=debug msg="Ancestry: [\"fd44297e2ddb050ec4fa9752b7a4e3a8439061991886e2091e7c1f007c906d75\", \"41459f052977938b824dd011e1f2bec2cb4d133dfc7e1aa0e90f7c5d337ca9c4\", \"6941bfcbbfca7f4f48becd38f2639157042b5cf9ab8c080f1d8b6d047380ecfc\"]"
May 28 14:29:14 tpa-eld4001 docker[12788]: time="2015-05-28T14:29:14-03:00" level=debug msg="https://registry-1.docker.io/v1/images/41459f052977938b824dd011e1f2bec2cb4d133dfc7e1aa0e90f7c5d337ca9c4/json -- HEADERS: map[User-Agent:[docker/1.6.0 go/go1.4.2 kernel/3.19.7-200.fc21.x86_64 os/linux arch/amd64]]"
May 28 14:29:14 tpa-eld4001 docker[12788]: time="2015-05-28T14:29:14-03:00" level=debug msg="hostDir: /etc/docker/certs.d/registry-1.docker.io"
May 28 14:29:15 tpa-eld4001 docker[12788]: time="2015-05-28T14:29:15-03:00" level=debug msg="https://registry-1.docker.io/v1/images/41459f052977938b824dd011e1f2bec2cb4d133dfc7e1aa0e90f7c5d337ca9c4/layer -- HEADERS: map[User-Agent:[docker/1.6.0 go/go1.4.2 kernel/3.19.7-200.fc21.x86_64 os/linux arch/amd64]]"
May 28 14:29:15 tpa-eld4001 docker[12788]: time="2015-05-28T14:29:15-03:00" level=debug msg="hostDir: /etc/docker/certs.d/registry-1.docker.io"
May 28 14:29:21 tpa-eld4001 docker[12788]: time="2015-05-28T14:29:21-03:00" level=debug msg="server doesn't support resume"
[...]

Logs from my v1 registry:

172.17.0.42 - - [28/May/2015:17:25:09 +0000] "GET /v1/images/fd44297e2ddb050ec4fa9752b7a4e3a8439061991886e2091e7c1f007c906d75/ancestry HTTP/1.0" 404 28 "-" "docker/1.6.0 go/go1.4.2 kernel/3.19.7-200.fc21.x86_64 os/linux arch/amd64"
28/May/2015:17:29:12 +0000 DEBUG: args = {'image_id': u'fd44297e2ddb050ec4fa9752b7a4e3a8439061991886e2091e7c1f007c906d75'}
28/May/2015:17:29:12 +0000 DEBUG: api_error: Image not found
28/May/2015:17:29:12 +0000 DEBUG: Source provided, registry acts as mirror
28/May/2015:17:29:12 +0000 DEBUG: Request: GET https://registry-1.docker.io/v1/images/fd44297e2ddb050ec4fa9752b7a4e3a8439061991886e2091e7c1f007c906d75/ancestry
Headers: {'Accept-Encoding': u'gzip', 'X-Forwarded-For': u'10.26.103.222', 'User-Agent': u'docker/1.6.0 go/go1.4.2 kernel/3.19.7-200.fc21.x86_64 os/linux arch/amd64', 'Connection': u'close', 'X-Forwarded-Proto': u'https', 'X-Real-Ip': u'10.26.103.222'}
Args: ImmutableMultiDict([])
28/May/2015:17:29:12 +0000 INFO: Starting new HTTPS connection (1): registry-1.docker.io
28/May/2015:17:29:13 +0000 DEBUG: "GET /v1/images/fd44297e2ddb050ec4fa9752b7a4e3a8439061991886e2091e7c1f007c906d75/ancestry HTTP/1.1" 401 35
28/May/2015:17:29:13 +0000 DEBUG: Source responded to request with non-200 status
28/May/2015:17:29:13 +0000 DEBUG: Response: 401
{"error": "Requires authorization"}

172.17.0.42 - - [28/May/2015:17:29:13 +0000] "GET /v1/images/fd44297e2ddb050ec4fa9752b7a4e3a8439061991886e2091e7c1f007c906d75/ancestry HTTP/1.0" 404 28 "-" "docker/1.6.0 go/go1.4.2 kernel/3.19.7-200.fc21.x86_64 os/linux arch/amd64"

Using curl also gives me a 401:

curl -v -X GET https://registry-1.docker.io/v1/images/fd44297e2ddb050ec4fa9752b7a4e3a8439061991886e2091e7c1f007c906d75/ancestry
* Hostname was NOT found in DNS cache
*   Trying 162.242.195.84...
* Connected to registry-1.docker.io (162.242.195.84) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* SSL connection using TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
* Server certificate:
*   subject: CN=*.docker.io,OU=Domain Control Validated - RapidSSL(R),OU=See www.rapidssl.com/resources/cps (c)15,OU=GT98568428
*   start date: Mar 19 17:34:32 2015 GMT
*   expire date: Apr 21 01:51:52 2018 GMT
*   common name: *.docker.io
*   issuer: CN=RapidSSL SHA256 CA - G3,O=GeoTrust Inc.,C=US
> GET /v1/images/fd44297e2ddb050ec4fa9752b7a4e3a8439061991886e2091e7c1f007c906d75/ancestry HTTP/1.1
> User-Agent: curl/7.37.0
> Host: registry-1.docker.io
> Accept: */*
> 
< HTTP/1.1 401 UNAUTHORIZED
* Server gunicorn/18.0 is not blacklisted
< Server: gunicorn/18.0
< Date: Thu, 28 May 2015 17:38:54 GMT
< Connection: close
< Expires: -1
< Content-Type: application/json
< WWW-Authenticate: Token
< Pragma: no-cache
< Cache-Control: no-cache
< Content-Length: 35
< X-Docker-Registry-Version: 0.8.3
< X-Docker-Registry-Config: prod
< Strict-Transport-Security: max-age=3153600
< 
* Closing connection 0
{"error": "Requires authorization"}

My compose settings:

datanginx:
  build: "datanginx"

nginx:
  build: "nginx"
  ports:
    - "5000:5000"
  links:
    - registryv1:registryv1
    - registryv2:registryv2
  volumes_from:
    - datanginx

registryv1:
  image: registry
  ports:
    - "5000"
  environment:
    - SEARCH_BACKEND=sqlalchemy
    - STANDALONE=false
    - MIRROR_SOURCE=https://registry-1.docker.io
    - MIRROR_SOURCE_INDEX=https://index.docker.io
    - DISABLE_TOKEN_AUTH=true
registryv2:
  build: "../../"
  ports:
    - "5000"

Edit: forgot compose settings

Note: The timestamps are wrong. Probably a timezone issue.

I honestly don't know what I'm missing. I couldn't find why in the code either.

dmp42 commented 9 years ago

ping @shin-

skuzye commented 9 years ago

Did I stumble on a bug or something? Does anyone using the feature have any tip?