notaryproject / notary

Notary is a project that allows anyone to have trust over arbitrary collections of data
Apache License 2.0

server returned 401 #1342

Open vmahuli opened 6 years ago

vmahuli commented 6 years ago

I am getting the problem below. I am trying to sign an xyz image. Can anyone help? "you are not authorized to perform this operation: server returned 401". Do we need any specific version of docker?

$ docker pull nginx:latest
Pull (1 of 1): nginx:latest@sha256:37350fbb4afbb1c01b6e542fe1537dd701e4430983d6d9c673cbb5eccdbec357
sha256:37350fbb4afbb1c01b6e542fe1537dd701e4430983d6d9c673cbb5eccdbec357: Pulling from library/nginx
2a72cbf407d6: Pull complete
04b2d3302d48: Pull complete
e7f619103861: Pull complete
Digest: sha256:37350fbb4afbb1c01b6e542fe1537dd701e4430983d6d9c673cbb5eccdbec357
Status: Downloaded newer image for nginx@sha256:37350fbb4afbb1c01b6e542fe1537dd701e4430983d6d9c673cbb5eccdbec357
Tagging nginx@sha256:37350fbb4afbb1c01b6e542fe1537dd701e4430983d6d9c673cbb5eccdbec357 as nginx:latest
$ docker tag nginx:latest localhost:5000/nginx:latest
$ export DOCKER_CONTENT_TRUST=1
$ docker push localhost:5000/nginx:latest
The push refers to a repository [localhost:5000/nginx]
77e23640b533: Pushed
757d7bb101da: Pushed
3358360aedad: Pushed
latest: digest: sha256:a08ed346dfbb55cf7819dbe60f574f19fe387f2e7486cdc2073f1272d1344ec9 size: 948
Signing and pushing trust metadata
you are not authorized to perform this operation: server returned 401.

$ docker --version
Docker version 17.03.0-ce, build 60ccb22

$ notary version
notary
Version:    0.6.1
Git commit: d6e1431f

cyli commented 6 years ago

Could you specify what is being run on localhost:5000?

Is it just a registry? Is it a registry + notary server served using nginx?

If it's just a registry, you need a notary server to push the metadata to. Otherwise, it will attempt to use the public notary server, https://notary.docker.io, and you don't have permission to write to that namespace on the public server. It does not have to run on the same port or machine as the registry, but you do need one.

vmahuli commented 6 years ago

I am now getting the problem below:

$ docker push userid/build:latest
The push refers to a repository [docker.io/userid/build]
d37b1b1e6c60: Pushed
a8de0e025d94: Layer already exists
a5e66470b281: Layer already exists
ac7299292f8b: Layer already exists
e1a9a6284d0d: Layer already exists
fccbfa2912f0: Layer already exists
latest: digest: sha256:4444a9a66f34b4b9a748733932f97803114917a596daf7b82a66fdd37f4b33b5 size: 1564
Signing and pushing trust metadata
ERRO[0034] couldn't add target to targets/releases: could not find necessary signing keys, at least one of these keys must be available: abae9a9bfa49f3847fc3824f86bb1b00e0801e39165af977da5fb5c33fa27b9f
Failed to sign "docker.io/userid/build":latest - could not find necessary signing keys, at least one of these keys must be available: abae9a9bfa49f3847fc3824f86bb1b00e0801e39165af977da5fb5c33fa27b9f
Error: could not find signing keys for remote repository docker.io/userid/build, or could not decrypt signing key: could not find necessary signing keys, at least one of these keys must be available: abae9a9bfa49f3847fc3824f86bb1b00e0801e39165af977da5fb5c33fa27b9f

I have tried the commands below...

  1. openssl genrsa -out delegation.key 2048

  2. openssl req -new -sha256 -key delegation.key -out delegation.csr

  3. openssl x509 -req -sha256 -days 365 -in delegation.csr -signkey delegation.key -out delegation.crt

  4. alias notary="notary -s https://notary.docker.io -d $HOME/.docker/trust"

  5. cat $HOME/.notary/config.json
     {
       "trust_dir": "~/.docker/trust",
       "remote_server": {
         "url": "https://notary.docker.io"
       }
     }

  6. notary list docker.io/userid/build

  7. notary delete --remote docker.io/userid/build

  8. notary key rotate docker.io/userid/build snapshot -r

  9. notary delegation add docker.io/userid/build targets/releases delegation.crt --all-paths

  10. notary delegation list docker.io/userid/build

  11. notary publish docker.io/userid/build

  12. notary delegation list docker.io/userid/build

  13. notary key import delegation.key --role targets/releases

  14. export DOCKER_CONTENT_TRUST_SERVER=https://notary.docker.io

  15. export DOCKER_CONTENT_TRUST_DELEGATION_PASSPHRASE=contrail123

  16. export DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE=contrail123

  17. export DOCKER_CONTENT_TRUST=1

  18. export DOCKER_CONTENT_TRUST_SERVER=https://notary.docker.io

$ cat $HOME/sshd/Dockerfile
FROM ubuntu
MAINTAINER Vinay
RUN apt-get update && apt-get install -y openssh-server
RUN mkdir -p /var/run/sshd

  1. docker build -t userid/sshd .
  2. docker tag userid/sshd:latest userid/build:latest
  3. docker push userid/build:latest

Am I missing anything here?

vmahuli commented 6 years ago

ubuntu@nodei40:~$ tree .docker
.docker
|-- config.json
|-- trust
    |-- private
    |   |-- 9303573f270ab33abbb6fca4007233cf5670f2801a2c9875c73d84aa9e140207.key
    |   |-- abae9a9bfa49f3847fc3824f86bb1b00e0801e39165af977da5fb5c33fa27b9f.key
    |   |-- cb21ba50a3bb35ff45c8679ef88801e6fabc0aa1a7f79a401d01ad81377dd28c.key
    |-- tuf
        |-- docker.io
            |-- library
            |   |-- ubuntu
            |       |-- metadata
            |           |-- root.json
            |           |-- snapshot.json
            |           |-- targets.json
            |           |-- timestamp.json
            |-- userid
                |-- build
                    |-- changelist
                    |   |-- 01523869554311286448_833c32b4-5dda-4005-ae59-0391d37890ba.change
                    |-- metadata
                        |-- root.json
                        |-- snapshot.json
                        |-- targets.json
                        |-- timestamp.json

vmahuli commented 6 years ago

It is just a registry which is being run on localhost:5000. I am using notary.docker.io as the notary server.

cyli commented 6 years ago

Apologies for the trouble, you may have to use notary 0.4.x with docker 17.03, unfortunately, or upgrade your docker version: https://github.com/theupdateframework/notary/releases/tag/v0.6.0.

Newly generated keys are now stored encrypted and encoded in PKCS#8 format. This is not forwards-compatible against notary<0.6.0 and docker<17.12.x. Also please note that docker>=17.12.x is not forwards compatible with notary<0.6.0

vmahuli commented 6 years ago

Thank you. It worked. Just a thought... Is it possible to make use of https://notary.docker.io, and push the images to my local registry [localhost:5000] ?

leeadh commented 6 years ago

Hi vmahuli, is there a way to use notary.docker.io?

I tried to automate this via Jenkins. Basically, I exported my passphrase and exported the notary settings into /etc/profile and ran it on Jenkins.

export DOCKER_CONTENT_TRUST=1
export DOCKER_CONTENT_TRUST_ROOT_PASSPHRASE="XXX!"
export DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE="XXX!"
export DOCKER_CONTENT_TRUST_SERVER=https://notary.docker.io

Signing and pushing trust metadata
you are not authorized to perform this operation: server returned 401.

Any help please? Do we really need to create a notary service? Looking at the standard documentation of content trust (https://docs.docker.com/engine/security/trust/content_trust/#content-trust-operations-and-keys), you can export DOCKER_CONTENT_TRUST=1 and I will be able to push the signed image to Docker Hub.

cyli commented 6 years ago

@vmahuli @leeadh - the way you would do so is not to use DOCKER_CONTENT_TRUST=1 - you would have to use the notary client itself to sign images, and the notary client to verify images.

Docker uses the full image name, e.g. <registry>/owner/imagename. If you docker push to Docker Hub, that registry is docker.io. If you docker push to your own registry, it'd be localhost:5000. The public notary server will not authenticate any full image name not beginning with docker.io. The public notary service is provided for validating images on Docker Hub specifically.

leeadh commented 6 years ago

Hello @cyli

I am able to push from the command line.

But when I try this in Jenkins, I had this issue.

ananth07reddy commented 3 years ago

@leeadh do you have any update on this issue? I am also facing the same issue with the pipeline

YanezDeGomeyra commented 2 years ago

I have discovered that when the pipeline job creates a fresh folder for the checkout, it also reassigns the DOCKER_CONFIG environment variable to point to the new temp folder, so that when docker looks for the .docker folder where the root/target/delegation keys are stored, it looks for them in the newly created temp directory, and not in the /home/jenkins/.docker folder. Qualifying the docker command with the appropriate --config parameter to point to /home/jenkins seems to have fixed the issue in my case.
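The two failure modes in this thread (cyli's point that notary.docker.io only serves names under docker.io, and the DOCKER_CONFIG pitfall in the last comment) can be caught before a signed push is attempted. The following pre-push check is an added example, not code from the notary project or from anyone in the thread; it assumes a POSIX shell and that a private notary server serves whatever GUNs it is configured for.

```shell
#!/bin/sh
# Added example, not from the issue thread: a pre-push check for the two failure
# modes discussed above: a GUN the chosen notary server will not serve, and docker
# looking for signing keys in the wrong config directory (the Jenkins case).

# gun_for_image IMAGE -> the Globally Unique Name notary derives from the image
# reference: "nginx" -> docker.io/library/nginx, "owner/repo" -> docker.io/owner/repo,
# "host:port/repo" stays as-is. Tags and @sha256 digests are dropped.
gun_for_image() {
    ref=${1%%@*}                                  # drop @sha256:... digest
    last=${ref##*/}                               # last path component
    case $last in *:*) ref=${ref%:*} ;; esac      # strip :tag from it only
    first=${ref%%/*}
    case $ref in
        */*) case $first in
                 *.*|*:*|localhost) printf '%s\n' "$ref" ;;   # explicit registry host
                 *) printf 'docker.io/%s\n' "$ref" ;;
             esac ;;
        *)   printf 'docker.io/library/%s\n' "$ref" ;;
    esac
}

# server_accepts_gun SERVER GUN -> 0 unless SERVER is the public notary server
# and GUN is not under docker.io (the "server returned 401" case in this thread).
server_accepts_gun() {
    case ${1%/} in
        https://notary.docker.io) case $2 in docker.io/*) return 0 ;; *) return 1 ;; esac ;;
        *) return 0 ;;   # assumption: a private server serves the GUNs it hosts
    esac
}

# has_signing_keys DIR -> 0 if DIR holds at least one <keyid>.key file.
has_signing_keys() {
    for f in "$1"/*.key; do [ -f "$f" ] && return 0; done
    return 1
}

# preflight IMAGE [CONFIG_DIR] -> 0 if a signed push can succeed. CONFIG_DIR
# mirrors docker's precedence: --config, then $DOCKER_CONFIG, then $HOME/.docker.
preflight() {
    cfg=${2:-${DOCKER_CONFIG:-$HOME/.docker}}; keys=$cfg/trust/private; rc=0
    gun=$(gun_for_image "$1"); server=${DOCKER_CONTENT_TRUST_SERVER:-https://notary.docker.io}
    server_accepts_gun "$server" "$gun" ||
        { echo "$server will not serve $gun: expect a 401" >&2; rc=1; }
    has_signing_keys "$keys" ||
        { echo "no signing keys under $keys: check DOCKER_CONFIG/--config" >&2; rc=1; }
    return $rc
}

if [ $# -gt 0 ]; then preflight "$@"; fi
```

Run it as `sh preflight.sh userid/build:latest` in the same environment (same DOCKER_CONFIG, same DOCKER_CONTENT_TRUST_SERVER) that the pipeline step will use, so it sees the same key directory docker will.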