search

docker / hub-feedback

Feedback and bug reports for the Docker Hub
https://hub.docker.com
233 stars 48 forks source link

`docker login` success false positive for Docker Hub registry #2337

Closed cavcrosby closed 10 months ago

cavcrosby commented 10 months ago

Problem description

docker login registry-1.docker.io returns success when using a username and personal access token for the Docker Hub registry (or registry-1.docker.io). However, I am unable to pull any of my private images once successfully authenticated. For example, when I run docker pull cavcrosby/k8s101-hello-go I receive the following error: Error response from daemon: pull access denied for cavcrosby/k8s101-hello-go, repository does not exist or may require 'docker login': denied: requested access to the resource is denied.

I don't appear to be the only one either who has run into this issue either, see https://github.com/docker/hub-feedback/issues/2285#issuecomment-1308979392. However, said individual from the linked issue reported getting things to work with a user(name) and password but in 2023 MFA/2FA is a no-brainer and I can't see myself turning it off.

That said, I managed to work around this issue by modifying the registry portion of my image to explicitly mention the Docker Hub registry. So the command now was docker pull registry-1.docker.io/cavcrosby/k8s101-hello-go. This worked, but it isn't something I would have expected to append considering I believe the Docker Hub registry is the default registry used for Docker images.

Perhaps I'm just missing something here.

docker info output

Docker Info:

Client: Docker Engine - Community
 Version:    24.0.5
 Context:    default
 Debug Mode: false
 Plugins:
  buildx: Docker Buildx (Docker Inc.)
    Version:  v0.11.2
    Path:     /usr/libexec/docker/cli-plugins/docker-buildx
  compose: Docker Compose (Docker Inc.)
    Version:  v2.20.2
    Path:     /usr/libexec/docker/cli-plugins/docker-compose

Server:
 Containers: 0
  Running: 0
  Paused: 0
  Stopped: 0
 Images: 41
 Server Version: 24.0.5
 Storage Driver: overlay2
  Backing Filesystem: extfs
  Supports d_type: true
  Using metacopy: false
  Native Overlay Diff: true
  userxattr: false
 Logging Driver: json-file
 Cgroup Driver: cgroupfs
 Cgroup Version: 1
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
 Swarm: inactive
 Runtimes: io.containerd.runc.v2 runc
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: 8165feabfdfe38c65b599c4993d227328c231fca
 runc version: v1.1.8-0-g82f18fe
 init version: de40ad0
 Security Options:
  apparmor
  seccomp
   Profile: builtin
 Kernel Version: 6.4.6-76060406-generic
 Operating System: Pop!_OS 22.04 LTS
 OSType: linux
 Architecture: x86_64
 CPUs: 16
 Total Memory: 62.71GiB
 Name: Ron
 ID: YNLD:RFIN:MX4C:4EK2:ZBZB:4MDY:7J77:RJUE:5HYE:2ALU:TTIM:6XQ4
 Docker Root Dir: /var/lib/docker
 Debug Mode: true
  File Descriptors: 22
  Goroutines: 34
  System Time: 2023-08-14T23:08:47.699611061-04:00
  EventsListeners: 0
 Experimental: false
 Insecure Registries:
  127.0.0.0/8
 Live Restore Enabled: false

Task List

ingshtrom commented 10 months ago

When you run docker login registry-1.docker.io the authentication details are put in your local credential store based on the key of the registry you are authenticating against. In this case, that is registry-1.docker.io. Then, when you run docker pull cavcrosby/k8s101-hello-go Docker engine looks up authentication details in the credential store based on the key http://index.docker.io and there is nothing there, so it thinks you are not authenticated against Docker Hub.

I recommend that whatever registry you use in one docker command should be used in all others.

e.g. docker login registry-1.docker.io and docker pull registry-1.docker.io/cavcrosby/k8s101-hello-go e.g. docker login and docker pull cavcrosby/k8s101-hello-go

Either of these examples should work. As humans, we know those point to the same registry, Docker Hub Registry, but Docker engine doesn't understand that.

cavcrosby commented 10 months ago

I appreciate the clarifications, this gives me a better idea of what's going then. I will now close this issue out because it seems this behavior is intended.