
Can't add image from my private repo

Open antigenius0910 opened this issue 2 years ago • 1 comments

Help

BUG REPORT

Version of Anchore Engine and Anchore CLI if applicable:

% anchore-cli --version
anchore-cli, version 0.9.3

What happened: I can only add an image from my own Docker Hub public repo but not a private repo; pulling is OK as long as it is public. But when I make the repo private, adding the image doesn't work anymore.

What did you expect to happen: I should be able to add an image from my own Docker Hub private repo just as I did when it was a public repo.

% anchore-cli --url http://192.168.144.28:8228/v1/ --u admin --p foobar --debug image add docker.io/yentest/my-alpine:latest 
DEBUG:anchorecli.clients.apiexternal:As Account = None
DEBUG:urllib3.connectionpool:Starting new HTTP connection (1): 192.168.144.28:8228
DEBUG:urllib3.connectionpool:http://192.168.144.28:8228 "GET /v1/ HTTP/1.1" 200 5
DEBUG:anchorecli.clients.apiexternal:As Account = None
DEBUG:anchorecli.clients.apiexternal:POST url=http://192.168.144.28:8228/v1/images?autosubscribe=True
DEBUG:urllib3.connectionpool:Starting new HTTP connection (1): 192.168.144.28:8228
DEBUG:urllib3.connectionpool:http://192.168.144.28:8228 "POST /v1/images?autosubscribe=True HTTP/1.1" 200 2416
DEBUG:anchorecli.cli.utils:fetched httpcode from response: 200
Image Digest: sha256:69704ef328d05a9f806b6b8502915e6a0a4faa4d72018dc42343f511490daf8a
Parent Digest: sha256:e1c082e3d3c45cccac829840a25941e679c25d438cc8412c2fa221cf1a824e6a
Analysis Status: analyzed
Image Type: docker
Analyzed At: 2021-10-03T11:06:37Z
Image ID: 14119a10abf4669e8cdbdff324a9f9605d99697215a0d21c360fe8dfa8471bab
Dockerfile Mode: Guessed
Distro: alpine
Distro Version: 3.14.2
Size: 6379520
Architecture: amd64
Layer Count: 1

Full Tag: docker.io/library/alpine:latest
Tag Detected At: 2021-10-03T11:06:25Z

Full Tag: docker.io/yentest/my-alpine:latest
Tag Detected At: 2021-10-03T18:27:25Z

Any relevant log output from /var/log/anchore:

my docker hub user

% docker-credential-$(                                                                                                                              
  jq -r .credsStore ~/.docker/config.json
) list | jq -r '
  . |
    to_entries[] |
    select(
      .key |
      contains("docker.io")
    ) |
    last(.value)
'

yenenvoy

added registry

% anchore-cli --url http://192.168.144.28:8228/v1/ --u admin --p foobar --debug registry list
DEBUG:anchorecli.clients.apiexternal:As Account = None
DEBUG:urllib3.connectionpool:Starting new HTTP connection (1): 192.168.144.28:8228
DEBUG:urllib3.connectionpool:http://192.168.144.28:8228 "GET /v1/ HTTP/1.1" 200 5
DEBUG:anchorecli.clients.apiexternal:As Account = None
DEBUG:anchorecli.clients.apiexternal:GET url=http://192.168.144.28:8228/v1/registries
DEBUG:urllib3.connectionpool:Starting new HTTP connection (1): 192.168.144.28:8228
DEBUG:urllib3.connectionpool:http://192.168.144.28:8228 "GET /v1/registries HTTP/1.1" 200 291
DEBUG:anchorecli.cli.utils:fetched httpcode from response: 200
Registry               Name                   Type             User            
index.docker.io        index.docker.io        docker_v2        yenenvoy    

try to add private repo

% anchore-cli --url http://192.168.144.28:8228/v1/ --u admin --p foobar --debug image add docker.io/yentest/my-alpine:latest                          
DEBUG:anchorecli.clients.apiexternal:As Account = None
DEBUG:urllib3.connectionpool:Starting new HTTP connection (1): 192.168.144.28:8228
DEBUG:urllib3.connectionpool:http://192.168.144.28:8228 "GET /v1/ HTTP/1.1" 200 5
DEBUG:anchorecli.clients.apiexternal:As Account = None
DEBUG:anchorecli.clients.apiexternal:POST url=http://192.168.144.28:8228/v1/images?autosubscribe=True
DEBUG:urllib3.connectionpool:Starting new HTTP connection (1): 192.168.144.28:8228
DEBUG:urllib3.connectionpool:http://192.168.144.28:8228 "POST /v1/images?autosubscribe=True HTTP/1.1" 400 717
DEBUG:anchorecli.cli.utils:fetched httpcode from response: 400
Error: cannot fetch image digest/manifest from registry
HTTP Code: 400
Detail: {'error_codes': ['REGISTRY_PERMISSION_DENIED'], 'raw_exception_message': 'Error encountered in skopeo operation. cmd=/bin/sh -c skopeo   inspect --raw --tls-verify=false  docker://docker.io/yentest/my-alpine:latest, rc=1, stdout=None, stderr=b\'time="2021-10-04T02:33:28Z" level=fatal msg="Error parsing image name \\\\"docker://docker.io/yentest/my-alpine:latest\\\\": Error reading manifest latest in docker.io/yentest/my-alpine: errors:\\\\ndenied: requested access to the resource is denied\\\\nunauthorized: authentication required\\\\n"\\n\', error_code=REGISTRY_PERMISSION_DENIED'}

What docker images are you using:

% docker pull docker.io/yentest/my-alpine:latest 
latest: Pulling from yentest/my-alpine
Digest: sha256:69704ef328d05a9f806b6b8502915e6a0a4faa4d72018dc42343f511490daf8a
Status: Image is up to date for yentest/my-alpine:latest

How to reproduce the issue: push an image to Docker Hub as a public repo and switch it to a private repo

Anything else we need to know: I have granted permission to my Docker Hub username for the repo


antigenius0910 avatar Oct 04 '21 02:10 antigenius0910

Hi @antigenius0910, for docker hub, use 'docker.io' as the registry host instead of index.docker.io. The system will handle that correctly the way docker does. We don't use Docker internally, but maintain the registry host semantics so they align with how you do 'docker pull'. If you set that up and it still doesn't work then let us know.

zhill avatar Oct 22 '21 19:10 zhill
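
The host mismatch described in the reply above, as an added example that is not part of the original thread and not Anchore's code. It assumes credentials are looked up by exact match on the registry host parsed from the image reference using `docker pull` naming rules; the function names are hypothetical and the inputs are constructed from the values shown in the issue.

```python
# Added example (not Anchore's code). Assumption: registry credentials are
# selected by exact match on the host parsed from the image reference.
DEFAULT_REGISTRY = "docker.io"


def split_reference(ref):
    """Split an image reference into (host, repository, tag), docker-pull style."""
    name = ref.partition("@")[0]              # ignore any @sha256:... digest
    first, slash, rest = name.partition("/")
    # The first component is a registry host only if it looks like one.
    if slash and ("." in first or ":" in first or first == "localhost"):
        host, path = first, rest
    else:
        host, path = DEFAULT_REGISTRY, name
    repo, tag = path, "latest"
    if ":" in path.rsplit("/", 1)[-1]:        # a tag follows the last path component
        repo, tag = path.rsplit(":", 1)
    if host == DEFAULT_REGISTRY and "/" not in repo:
        repo = "library/" + repo              # official images live under library/
    return host, repo, tag


def credential_for(ref, registries):
    """Return (host, user) for the entry that would be used, user=None if none."""
    host = split_reference(ref)[0]
    return host, registries.get(host)


def explain(ref, registries):
    """Describe how a pull of ref would authenticate under this model."""
    host, user = credential_for(ref, registries)
    if user is not None:
        return f"{ref}: authenticated pull from {host} as {user}"
    msg = f"{ref}: no credentials stored for {host}, pull is anonymous"
    if host == DEFAULT_REGISTRY and "index.docker.io" in registries:
        msg += "; entry exists under index.docker.io, re-add it as docker.io"
    return msg


if __name__ == "__main__":
    image = "docker.io/yentest/my-alpine:latest"
    # Constructed inputs mirroring the thread: the reporter's registry entry, then the advised one.
    print(explain(image, {"index.docker.io": "yenenvoy"}))
    print(explain(image, {"docker.io": "yenenvoy"}))
```

Under this model the anonymous pull is what produces `REGISTRY_PERMISSION_DENIED` for a private repository while the same image analyzes fine when public.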