docker / cli

The Docker CLI
Apache License 2.0

`docker manifest inspect` requires `push` permission #4345

Closed dtretyakov closed 1 year ago

dtretyakov commented 1 year ago

Description

Steps:

  1. Login to the private registry with read-only credentials
  2. Try to docker manifest inspect some image in this registry

AR:

~ docker manifest inspect --verbose registry/docker/image:tag
Get "https://registry/v2/docker/image/manifests/tag": denied: Write permission required to access 'docker' repository

Underneath it sends the following request to the registry:

GET https://registry/oauth/token?account=xxx&scope=repository:docker/image:push,pull&service=registry

ER: It requires the same permissions as docker login xxx

Reproduce

  1. docker login xxx
  2. docker manifest inspect xxx

Expected behavior

No response

docker version

Client:
 Cloud integration: v1.0.31
 Version:           23.0.5
 API version:       1.42
 Go version:        go1.19.8
 Git commit:        bc4487a
 Built:             Wed Apr 26 16:12:52 2023
 OS/Arch:           darwin/arm64
 Context:           desktop-linux

Server: Docker Desktop 4.19.0 (106363)
 Engine:
  Version:          23.0.5
  API version:      1.42 (minimum version 1.12)
  Go version:       go1.19.8
  Git commit:       94d3ad6
  Built:            Wed Apr 26 16:17:14 2023
  OS/Arch:          linux/arm64
  Experimental:     false
 containerd:
  Version:          1.6.20
  GitCommit:        2806fc1057397dbaeefbea0e4e17bddfbd388f38
 runc:
  Version:          1.1.5
  GitCommit:        v1.1.5-0-gf19387a
 docker-init:
  Version:          0.19.0
  GitCommit:        de40ad0

docker info

Client:
 Context:    desktop-linux
 Debug Mode: false
 Plugins:
  buildx: Docker Buildx (Docker Inc.)
    Version:  v0.10.4
    Path:     /Users/user/.docker/cli-plugins/docker-buildx
  compose: Docker Compose (Docker Inc.)
    Version:  v2.17.3
    Path:     /Users/user/.docker/cli-plugins/docker-compose
  dev: Docker Dev Environments (Docker Inc.)
    Version:  v0.1.0
    Path:     /Users/user/.docker/cli-plugins/docker-dev
  extension: Manages Docker extensions (Docker Inc.)
    Version:  v0.2.19
    Path:     /Users/user/.docker/cli-plugins/docker-extension
  init: Creates Docker-related starter files for your project (Docker Inc.)
    Version:  v0.1.0-beta.4
    Path:     /Users/user/.docker/cli-plugins/docker-init
  sbom: View the packaged-based Software Bill Of Materials (SBOM) for an image (Anchore Inc.)
    Version:  0.6.0
    Path:     /Users/user/.docker/cli-plugins/docker-sbom
  scan: Docker Scan (Docker Inc.)
    Version:  v0.26.0
    Path:     /Users/user/.docker/cli-plugins/docker-scan
  scout: Command line tool for Docker Scout (Docker Inc.)
    Version:  v0.10.0
    Path:     /Users/user/.docker/cli-plugins/docker-scout

Server:
 Containers: 14
  Running: 10
  Paused: 0
  Stopped: 4
 Images: 14
 Server Version: 23.0.5
 Storage Driver: overlay2
  Backing Filesystem: extfs
  Supports d_type: true
  Using metacopy: false
  Native Overlay Diff: true
  userxattr: false
 Logging Driver: json-file
 Cgroup Driver: cgroupfs
 Cgroup Version: 2
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
 Swarm: inactive
 Runtimes: io.containerd.runc.v2 runc
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: 2806fc1057397dbaeefbea0e4e17bddfbd388f38
 runc version: v1.1.5-0-gf19387a
 init version: de40ad0
 Security Options:
  seccomp
   Profile: builtin
  cgroupns
 Kernel Version: 5.15.49-linuxkit
 Operating System: Docker Desktop
 OSType: linux
 Architecture: aarch64
 CPUs: 5
 Total Memory: 7.667GiB
 Name: docker-desktop
 ID: 6f34d44c-03b5-41b6-a146-70092a903f5b
 Docker Root Dir: /var/lib/docker
 Debug Mode: false
 HTTP Proxy: http.docker.internal:3128
 HTTPS Proxy: http.docker.internal:3128
 No Proxy: hubproxy.docker.internal
 Registry: https://index.docker.io/v1/
 Experimental: false
 Insecure Registries:
  127.0.0.0/8
 Live Restore Enabled: false

Additional Info

No response

thaJeztah commented 1 year ago

What kind of private registry is this? Is that a self-hosted registry? If so, what kind of registry?

This error looks to be coming from the registry

rkrmr33 commented 1 year ago

Hey @thaJeztah, I can reproduce this issue with the following public gcr.io image: gcr.io/spotinst-artifacts/kubernetes-cluster-controller:1.0.94.

When I try to run docker manifest inspect gcr.io/spotinst-artifacts/kubernetes-cluster-controller:1.0.94 I get the following error:

Get "https://gcr.io/v2/spotinst-artifacts/kubernetes-cluster-controller/manifests/1.0.94": unauthorized: You don't have the needed permissions to perform this operation, and you may have invalid credentials. To authenticate your request, follow the steps in: https://cloud.google.com/container-registry/docs/advanced-authentication

Actually, I tried to debug the docker CLI and saw that we try to create a registry token before making the GET https://gcr.io/v2/spotinst-artifacts/kubernetes-cluster-controller/manifests/1.0.94 request, and that we try to create a token with both the pull and push scopes, when in fact only the pull scope is required for getting the manifest. Adding the push scope is what's causing the token creation request to fail.

The problematic code is located here: https://github.com/docker/cli/blob/7d723e2ba7b8607cf9ca5b3ea541f1ce60c700ec/cli/registry/client/endpoint.go#L102

I used version: Docker version 20.10.24, build 297e128, but this is still the case with the code on the master branch.

Please let me know if you need additional information.
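
To make the over-scoping concrete, here is an added example (not code from docker/cli or from anyone in this thread) that parses a captured token request like the one quoted in the issue description and reports which actions exceed what a manifest read needs. The function names ParseScope, RequiredActions and ExcessActions are my own, not names from the CLI code base.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// ParseScope splits a token-request scope such as
// "repository:docker/image:push,pull" into repository name and actions.
func ParseScope(s string) (name string, actions []string, err error) {
	parts := strings.SplitN(s, ":", 3)
	if len(parts) != 3 || parts[0] != "repository" || parts[2] == "" {
		return "", nil, fmt.Errorf("malformed repository scope %q", s)
	}
	return parts[1], strings.Split(parts[2], ","), nil
}

// RequiredActions is the least-privilege action set for a request against
// /v2/<name>/manifests/<ref>: GET/HEAD need only pull, writes need push too.
func RequiredActions(method string) []string {
	if m := strings.ToUpper(method); m == "GET" || m == "HEAD" {
		return []string{"pull"}
	}
	return []string{"pull", "push"}
}

// ExcessActions returns the actions a captured token request asks for beyond
// what the HTTP method needs; "push" for a manifest GET is this issue's bug.
func ExcessActions(tokenURL, method string) ([]string, error) {
	u, err := url.Parse(tokenURL)
	if err != nil {
		return nil, err
	}
	_, actions, err := ParseScope(u.Query().Get("scope"))
	if err != nil {
		return nil, err
	}
	need := map[string]bool{}
	for _, a := range RequiredActions(method) {
		need[a] = true
	}
	var extra []string
	for _, a := range actions {
		if !need[a] {
			extra = append(extra, a)
		}
	}
	return extra, nil
}
```

Run it against the URL from the description (constructed input, method GET) and it reports push as excess, while a PUT to the same manifest path would report nothing.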

HarishKVarada commented 1 year ago

What could be the possible resolution for this? Please advise. I was able to fix this by creating a user in Docker Hub and generating an access token for that user with full permissions (Read, Write and Delete) and embedding docker login in the script. Then I was able to get the result for docker manifest inspect, but the token has to have full permissions. For a public repository or images that are publicly available I was able to pull them without any issues (using docker pull). The issue is only with the docker manifest inspect command alone.