docker2aci fix: appc/docker2aci#113

Thx!

I'm running rkt 1.0.0 and I'm still having this exact problem.

I'm running rkt 1.0.0 and I'm still having this exact problem.

I just tested with a local docker registry and this file:

# /etc/rkt/auth.d/docker.json
{
    "rktKind": "dockerAuth",
    "rktVersion": "v1",
    "registries": ["localhost:5000"],
    "credentials": {
        "user": "iago",
        "password": "password"
    }
}

It seems to work for me:

$ rkt --insecure-options=image,http fetch docker://localhost:5000/busybox
image: remote fetching from URL "docker://localhost:5000/busybox"
Downloading sha256:eeee0535bf3: [==============================] 676 KB/676 KB 
Downloading sha256:a3ed95caeb0: [==============================] 32 B/32 B
sha512-2463c14e8f6f49cb03c3416d7bb15c48

Can you give more information about your scenario and paste your auth config? (with passwords redacted, of course :)).

@iaguis Sure. I guess I should have from the start. This is my auth config:

{
    "rktKind": "dockerAuth",
    "rktVersion": "v1",
    "registries": ["index.docker.io"],
    "credentials": {
        "user": "shortusername",
        "password": "password"
    }
}

The user is my short username on docker hub, the password is the password. Dockers own config likes it to be the email and base64 of "shortusername:password" in the auth field it seems. I've tried several combinations in the auth config but none of them seem to work. I get 401:s every time. It's a private repo on docker hub I'm trying to fetch.

Also the error from rkt is this:

image: remote fetching from URL "docker://usernamehere/repohere"
fetch: unexpected http code: 401, URL: https://registry-1.docker.io/v2/usernamehere/repohere/manifests/latest

Can you try changing the registry url in the auth config to registry-1.docker.io?

Yeah I tried that just now with the same result. Is this implemented in rkt:

https://docs.docker.com/registry/spec/auth/token/ - that seems to be what the v2 docker hub requires. To me it seems as if that 401 might be expected and the client should handle it by talking to the authentication service.

After a quick look, It seems it is implemented.

I could reproduce it with one of my private repos , I'll have a look.

The problem was that we weren't passing the username and password for the default docker registry.

When we implemented the v2 API in docker2aci, we modified the Docker URL parsing function to not infer the default registry URL because it could be index.docker.io (API v1) or registry-1.docker.io (API v2). The function was returning an empty registry, which means we weren't getting the password from the auth config file.

We can now infer the default registry URL because the API v1 is deprecated in the default registry. With that change, this issue is fixed.

Fix in docker2aci: appc/docker2aci#120

Not fixed yet, godep not updated.