Closed jonjohnsonjr closed 2 years ago
regclient is also affected by this.
This is a pretty big deal for the buildpacks project and platforms built on top of it, all of which are suddenly broken for dockerhub users.
Thanks for reporting; I see the team is working on this; looks like a fix was merged (not sure if it's deployed already)
This is affecting users of Earthly too
WARN: (Load metadata linux/amd64) pull access denied, repository does not exist or may require authorization: authorization status: 401: authorization failed
Error: build target: build main: bkClient.Build: failed to solve: pull access denied, repository does not exist or may require authorization: authorization status: 401: authorization failed
Also believe this is affecting us at Servd too. https://status.servd.host
The fix for this should be deployed, please let us know if the issue persists.
@jcarter3 the issue still persists
@jcarter3 Yep still seeing the error persisting our end too.
Seems to be affecting Kubernetes image pulls from a private repo too, cannot pull images atm
Failed to pull image "privateregistry/redacted>": rpc error: code = Unknown desc = failed to pull and unpack image "docker.io/privateregistry/redacted": failed to resolve reference "docker.io/privateregistry/redacted": pull access denied, repository does not exist or may require authorization: server message: insufficient_scope: authorization failed
I see some evidence that this is at least partially fixed.
Earlier:
```
$ curl -s "https://auth.docker.io/token?scope=repository:library/nginx:pull&scope=repository:library/mysql:pull%20repository:library/ubuntu:pull&service=registry.docker.io" | jq -r .access_token | cut -d . -f2 | base64 -d | jq .access
[
  {
    "type": "repository",
    "name": "library/nginx",
    "actions": [
      "pull"
    ],
    "parameters": {
      "pull_limit": "100",
      "pull_limit_interval": "21600"
    }
  }
]
```
Now:
```
$ curl -s "https://auth.docker.io/token?scope=repository:library/nginx:pull&scope=repository:library/mysql:pull%20repository:library/ubuntu:pull&service=registry.docker.io" | jq -r .access_token | cut -d . -f2 | base64 -d | jq .access
base64: invalid input
[
  {
    "type": "repository",
    "name": "library/mysql",
    "actions": [
      "pull"
    ],
    "parameters": {
      "pull_limit": "100",
      "pull_limit_interval": "21600"
    }
  },
  {
    "type": "repository",
    "name": "library/nginx",
    "actions": [
      "pull"
    ],
    "parameters": {
      "pull_limit": "100",
      "pull_limit_interval": "21600"
    }
  },
  {
    "type": "repository",
    "name": "library/ubuntu",
    "actions": [
      "pull"
    ],
    "parameters": {
      "pull_limit": "100",
      "pull_limit_interval": "21600"
    }
  }
]
```
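The check in the comment above (compare the scopes requested with the `access` claim the token actually carries) can be done in Go as follows. This is an added example, not code from the thread or from any of the affected projects; `missingScopes` and `constructedToken` are hypothetical names and the token is constructed sample data. JWT segments are base64url without padding, which is why a plain `base64 -d` can print `invalid input`; the decoder below accounts for that.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// missingScopes decodes a JWT payload (base64url, no padding; signature NOT
// verified, diagnostic only) and returns requested scopes absent from "access".
func missingScopes(token string, requested []string) ([]string, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("not a JWT: %d segments", len(parts))
	}
	raw, err := base64.RawURLEncoding.DecodeString(strings.TrimRight(parts[1], "="))
	if err != nil {
		return nil, err
	}
	var claims struct {
		Access []struct{ Type, Name string; Actions []string }
	}
	if err := json.Unmarshal(raw, &claims); err != nil {
		return nil, err
	}
	granted := map[string]bool{}
	for _, a := range claims.Access {
		for _, act := range a.Actions {
			granted[a.Type+":"+a.Name+":"+act] = true
		}
	}
	var missing []string
	for _, s := range requested { // assumes one action per requested scope
		if !granted[s] {
			missing = append(missing, s)
		}
	}
	return missing, nil
}

// constructedToken wraps a payload in an unsigned sample JWT (constructed data).
func constructedToken(payload string) string {
	return "e30." + base64.RawURLEncoding.EncodeToString([]byte(payload)) + ".sig"
}

func main() {
	tok := constructedToken(`{"access":[{"type":"repository","name":"library/nginx","actions":["pull"]}]}`)
	fmt.Println(missingScopes(tok, []string{"repository:library/nginx:pull", "repository:library/mysql:pull"}))
}
```

A non-empty result means the token endpoint dropped part of the request, which a client can log before the registry answers with `insufficient_scope`.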
We're failing to pull all images in k8s too which I assume is related to this:
"docker.io/library/busybox:latest": pull access denied, repository does not exist or may require authorization: server message: insufficient_scope: authorization failed
Seeing the same here on Buildkite:
[2022-03-02T20:28:47Z] > [1/9] FROM docker.io/library/ubuntu:18.04:
[2022-03-02T20:28:47Z] ------
[2022-03-02T20:28:47Z] pull access denied, repository does not exist or may require authorization: server message: insufficient_scope: authorization failed
Same here with docker login on mac, and API key:
Error saving credentials: error storing credentials - err: exit status 1, out: Post "http://ipc/registry/credstore-updated": dial unix Library/Containers/com.docker.docker/Data/backend.sock: connect: connection refused
Several K8s clusters failing to pull images (private & public): Users of Digital Ocean managed K8s might be affected
Failed to pull image "redis:latest": rpc error: code = Unknown desc = failed to pull and unpack image "docker.io/library/redis:latest": failed to resolve reference "docker.io/library/redis:latest": pull access denied, repository does not exist or may require authorization: server message: insufficient_scope: authorization failed
And bitbucket pipelines using docker.
Hope it can help 🙏
If somebody from docker is working on it and knows this is an issue, could you please update the https://status.docker.com/ page.
We're starting to see pulls succeed again 🙌
Previous changes have all been reverted at this point as we continue to investigate this issue.
Thanks for resolving the issue ❤️
To add to what jgreat said, the communication from Docker really needs to improve in case of outages.
These things happen, we get that, but I shouldn't need to search for an obscure GitHub issue 3 hours into the outage to get updates on something that has that big of an impact.
I trust that you'll bring this up internally to improve on this matter.
Sorry for the issues this caused. We've identified the root cause - the exact nature of this bug made it difficult to pinpoint and we are experimenting with ways that we can monitor this going forward.
@jcarter3 We're currently seeing this issue reappear. This is an error from one of our Kubernetes pods that's failing to pull a private image (image name partially changed):
Failed to pull image "docker.io/servdhosting/xxx": rpc error: code = Unknown desc = failed to pull and unpack image "docker.io/servdhosting/xxx": failed to resolve reference "docker.io/servdhosting/xxx": pull access denied, repository does not exist or may require authorization: server message: insufficient_scope: authorization failed
It was working earlier today, seems to have started in the past hour or two.
@joeforshaw This is likely a different issue as there haven't been any changes made to the services in some time. Can you replicate this with a different user? Is it a new/different tag that is not working?
Sorry @jcarter3, looks like a false alarm. User error! 🤦‍♂️
We made some security upgrades a few weeks ago which prevented our docker hub auth requests from being sent in certain circumstances. Apologies!
Phew! We were just looking into that 😅. Thanks for the update @joeforshaw
Sorry about that! Customers are the worst. 🤪
It seems like Docker Hub recently updated their behavior in the token endpoint causing a regression in scope handling. There are a handful of affected clients, including containerd and go-containerregistry.
From https://docs.docker.com/registry/spec/auth/token/#requesting-a-token:
(Emphasis mine.)
@ekcasey encountered this issue:
Thanks @dmikusa-pivotal for discovering that using space-separated scopes in the token exchange does work, but using multiple scope parameters ~(as described in the documentation)~ does not work.
Edit: Re-reading this I see that the Www-Authenticate header returned actually has a single `scope` parameter, so perhaps we should be handling this differently, but the initial request asks for equivalent scopes:

But Docker Hub seems to ignore them?