redhat-cop / openshift-toolkit

A collection of code samples to help you get started with OpenShift
Apache License 2.0

docker-registry-sync.py does not support registry.redhat.io #69

Closed trent-melcher closed 5 years ago

trent-melcher commented 5 years ago

We would like the disconnected registry to pull from the new registry.redhat.io site. It appears that line 68 of the Python script has registry.access.redhat.com hardcoded, so we changed it to registry.redhat.io as seen below, but now we get the error below.

Code snippet from docker-registry-sync.py

 67         for image in config_file_dict[dictionary_key][namespace]:
 68             docker_json_link = "https://registry.redhat.io/v2/%s/%s/tags/list" % (namespace, image)
 69             list_to_populate.append(docker_json_link)
 70

We successfully logged into registry.redhat.io using our Service Account

docker login -u='#####|username' -p THATS_A_REALLY_LONG_HASH  registry.redhat.io

And ran the script...

./docker-registry-sync.py --from=registry.redhat.io \
--to=myregistry.myoffice.com:5000 \
--file=./docker_tags.json \
--openshift-version=3.11

Error after shell script ran

Traceback (most recent call last):
  File "./docker-registry-sync.py", line 179, in <module>
    get_latest_tag_from_api(retrieve_v_tags_from_redhat_list, latest_tag_list, failed_images)
  File "./docker-registry-sync.py", line 89, in get_latest_tag_from_api
    image_name = image_tag_dictionary['name']
KeyError: 'name'

etsauer commented 5 years ago

@trent-melcher I did some digging here and added some more debug logging to the script, and it looks like that error is due to an authorization issue:

$ ./docker-registry-sync.py --from=registry.redhat.io --to=localhost:5000 --file=./docker_tags.json --openshift-version=3.11
root        : DEBUG    Trying URL: https://registry.redhat.io/v2/openshift3/apb-base/tags/list
urllib3.connectionpool: DEBUG    Starting new HTTPS connection (1): registry.redhat.io:443
urllib3.connectionpool: DEBUG    https://registry.redhat.io:443 "GET /v2/openshift3/apb-base/tags/list HTTP/1.1" 401 111
root        : DEBUG    Result: <Response [401]>
root        : INFO     {u'errors': [{u'message': u'access to the requested resource is not authorized', u'code': u'UNAUTHORIZED', u'detail': []}]}
Traceback (most recent call last):
  File "./docker-registry-sync.py", line 182, in <module>
    get_latest_tag_from_api(retrieve_v_tags_from_redhat_list, latest_tag_list, failed_images)
  File "./docker-registry-sync.py", line 92, in get_latest_tag_from_api
    image_name = image_tag_dictionary['name']
KeyError: 'name'

Now, I'm not completely sure how registry.redhat.io is different, or if paths have changed from one to the other, but at least that gives us something to go on.

@sabre1041 @oybed do you guys have any idea?

etsauer commented 5 years ago

Oh, on second thought... I see what's going on... The script does some raw HTTP GETs against the registry to try and figure out which tags are available, and tries to match up the version that is passed in with a tag. Since we are running raw requests rather than docker commands, it's not using ~/.docker/config.json to authenticate.

sabre1041 commented 5 years ago

@etsauer @trent-melcher The registry implements the docker authorization flow.

Upon a 401 which is returned, the www-authenticate header is returned which provides the value Bearer realm="https://registry.redhat.io/auth/realms/rhcc/protocol/redhat-docker-v2/auth",service="docker-registry" which tells us how to authenticate through the flow.

Support for this feature needs to be added to the script.
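
The flow described in the comment above, as an added example that is not part of the thread or of docker-registry-sync.py: parse the `www-authenticate` challenge, fetch a token from the realm with the service-account credentials, then retry the tags request with it. Assumptions: `http_get` is a hypothetical injected callable returning `(status, headers, json_body)`, `fake_http_get` is a constructed offline stand-in for the registry, and the `repository:<name>:pull` scope is assumed because the challenge quoted here carries none.

```python
import base64
import re
from urllib.parse import urlencode

# Challenge value quoted in the thread; everything else below is constructed.
CHALLENGE = ('Bearer realm="https://registry.redhat.io/auth/realms/rhcc/protocol/'
             'redhat-docker-v2/auth",service="docker-registry"')

def parse_challenge(header):
    """Split a WWW-Authenticate value into (scheme, {param: value})."""
    scheme, _, rest = header.partition(" ")
    return scheme, dict(re.findall(r'(\w+)="([^"]*)"', rest))

def token_request(header, repository, username, password):
    """Build the (url, headers) of the token request the challenge asks for."""
    scheme, params = parse_challenge(header)
    if scheme.lower() != "bearer" or "realm" not in params:
        raise ValueError("unsupported challenge: %r" % header)
    if not params["realm"].startswith("https://"):
        raise ValueError("refusing to send credentials to a non-HTTPS realm")
    query = {"service": params.get("service", ""),
             "scope": params.get("scope") or "repository:%s:pull" % repository}
    basic = base64.b64encode(("%s:%s" % (username, password)).encode()).decode()
    return params["realm"] + "?" + urlencode(query), {"Authorization": "Basic " + basic}

def get_tags(http_get, registry, repository, username, password):
    """GET /v2/<repo>/tags/list, answering a 401 Bearer challenge once."""
    url = "https://%s/v2/%s/tags/list" % (registry, repository)
    status, headers, body = http_get(url, {})
    if status == 401:
        challenge = {k.lower(): v for k, v in headers.items()}.get("www-authenticate", "")
        token_url, token_headers = token_request(challenge, repository, username, password)
        status, _, token_body = http_get(token_url, token_headers)
        if status != 200:
            raise PermissionError("token endpoint returned %d" % status)
        token = token_body.get("token") or token_body.get("access_token")
        status, headers, body = http_get(url, {"Authorization": "Bearer " + token})
    if status != 200 or "name" not in body:  # fail clearly, not with KeyError: 'name'
        raise PermissionError("tags request failed (%d): %s" % (status, body.get("errors")))
    return body["tags"]

def fake_http_get(url, headers):
    """Constructed stand-in for the registry and its token realm (no network)."""
    if url.startswith("https://registry.redhat.io/auth/"):
        ok = headers.get("Authorization", "").startswith("Basic ")
        return (200, {}, {"token": "constructed-token"}) if ok else (401, {}, {})
    if headers.get("Authorization") == "Bearer constructed-token":
        return 200, {}, {"name": "openshift3/apb-base", "tags": ["v3.11", "latest"]}
    return 401, {"Www-Authenticate": CHALLENGE}, {"errors": [{"code": "UNAUTHORIZED"}]}
```

Because the credentials are sent to whatever realm the server names, a production version should also compare the realm host against an expected value before answering the challenge.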

aizuddin85 commented 5 years ago

@sabre1041 @etsauer add support for www-authenticate. Would appreciate a review.

sabre1041 commented 5 years ago

@aizuddin85 reviewed and provided comments