acr icon indicating copy to clipboard operation
acr copied to clipboard

Published 20 hours ago verified publisher icon Azure

Unable to Import public Docker image

Open karatedog opened this issue 4 years ago • 9 comments

Describe the bug I'm unable to import certain images from Docker Hub to Azure Container Registry using 'az acr import'

Deployment failed. Correlation ID: 039d8a3f-5938-467f-b97d-5b5f403d6439. Operation registries-feeccf4f-0f04-11eb-aecd-0b70a1ccdcda failed. Resource /subscriptions/5170570b-48b6-414d-86b4-xxxxxxxxxx/resourceGroups/prod-rg-devtools/providers/Microsoft.ContainerRegistry/registries/prodacrelectool Invalid message Unauthorized Unauthorized {"errors":[{"code":"UNAUTHORIZED","message":"authentication required","detail":[{"Type":"repository","Class":"","Name":"library/axoniq/axonserver","Action":"pull"}]}]}

To Reproduce

  1. az acr import --name prodacrelectool --source "docker.io/library/axoniq/axonserver:latest" --image "axoniq/axonserver:latest" --subscription "5170570b-48b6-414d-86b4-xxxxxxxxxx"

However, for certain images, the import is successful, ie. 'python', 'hello-world' images: az acr import --name prodacrelectool --source "docker.io/library/python" --subscription "5170570b-48b6-414d-86b4-xxxxxxxxxx" works fine.

The only difference I found so far that all the successful imports were 1.) using official images, 2.) from verified vendor 3.) the image names were not using slash.

Expected behavior Successfully import any public images from Docker Hub

Environment information

  • OS: Xubuntu 20.04 in VirtualBox
  • Azure CLI version: 2.13.0
  • Docker version: 19.03.13

karatedog avatar Oct 15 '20 17:10 karatedog

This looks like a bug to me CC @nathana1

yugangw-msft avatar Oct 15 '20 19:10 yugangw-msft

@karatedog - Looks like this image requires authentication- I was not able to view this image.

docker manifest inspect docker.io/library/axoniq/axonserver:latest
errors:
denied: requested access to the resource is denied
unauthorized: authentication required

I think the image you might be wanting to import is

docker.io/~library~/axoniq/axonserver:latest

Verified that I was able to import that image

az acr import docker.io/axoniq/axonserver:latest --image axoniq/axonserver:latest

sajayantony avatar Oct 15 '20 19:10 sajayantony

This issue states the opposite: https://github.com/Azure/acr/issues/196 , that the 'library/' is a must.

To summarize:

  1. --source docker.io/library/python creates a "library/python" repository at the ACR end.
  2. --source docker.io/python fails with same error as "docker.io/library/axoniq/axonserver:latest" -> authentication required
  3. --source docker.io/library/hello-world:latest creates a "hello-world" repository at the ACR end (leaving out "library/").
  4. --source docker.io/library/axoniq/axonserver:latest fails
  5. --source docker.io/axoniq/axonserver:latest works

I can't see the logic when "library/" is needed or not.

karatedog avatar Oct 16 '20 08:10 karatedog

If the image is in the library repository (https://hub.docker.com/u/library) then library is needed. axoniq is it's own repostiory (https://hub.docker.com/u/axoniq). In general it doesn't appear that there are 'multi-level' repositories in docker hub.

nathana1 avatar Oct 19 '20 16:10 nathana1

Docker has a special casing for official images that live under library. This is part of the special casing of a default registry. Which, we're hoping to change in the future: Is It Time to Change How We Reference Container Images?

So, unfortunately, while we could special-case this behavior in ACR Import, it would be just that, special casing we'd like to avoid.

SteveLasker avatar Oct 27 '20 15:10 SteveLasker

If the image is in the library repository (https://hub.docker.com/u/library) then library is needed. axoniq is it's own repostiory (https://hub.docker.com/u/axoniq). In general it doesn't appear that there are 'multi-level' repositories in docker hub.

But as a newbie, I don't have a clue if an image is in the "library" as the Docker site of a certain image does not contain this information directly. The 'docker pull' format are the same for axonserver and hello-world as well which means the differences of library and non-library are handled behind the scenes (or irrelevant). The 'Hello world' Docker site is: https://hub.docker.com/_/hello-world, the URL does not show the '/u/library' which could be identified that this images is in the 'library'.

I tried to naively check https://docker.io/library/ in a browser if it would return a list of images, but it redirected me to https://www.docker.com/

karatedog avatar Oct 27 '20 18:10 karatedog

All great points. There's some auth work (#281) and performance work we need to improve with import, so we'll queue this up for our next semester planning (2021-h1) as who doesn't want to get past 2020 ASAP. Thanks for the post and reminder to keep the internal complexities from the users.

SteveLasker avatar Oct 27 '20 19:10 SteveLasker

I have the same issue importing az acr import -n xxx --source docker.io/library/rabittmq:3.9.13-management-alpine -t xxx/xxx:3.9.13-management-alpine I am getting the exact same pull error.. tried with docker.io/rabittmq but that does not work either. Any suggestions @karatedog

thoefkens avatar Mar 16 '22 16:03 thoefkens

Hi @thoefkens, have you tried assigning contributor rights to the identity used for the import?

SteveLasker avatar Mar 17 '22 00:03 SteveLasker