lifecycle icon indicating copy to clipboard operation
lifecycle copied to clipboard

Published 20 hours ago verified publisher icon buildpacks

Registry authentication fail using config.json file

Open cxrus opened this issue 2 years ago • 3 comments

Summary

When running lifecycle/creator inside the builder image container, if I create and configure authentication information inside the config.json file and use it as an authentication token, I will get an unauthorized error when exporting to the remote registry. But if I set the CNB_REGISTRY_AUTH directly, it success. I think this should be a bug. Error message:

*** Images (sha256:61df3085fd834eacf97d756aefbfd09e7987c197d1545b029423dd634c0a99f1):
      [docker.io/USERNAME/creator-test:0.1](http://docker.io/USERNAME/creator-test:0.1) - HEAD https://index.docker.io/v2/USERNAME/creator-test/blobs/sha256:3e75ef87b0aa607c36a6052ef22e1f9f90caddaf52da18a03dec6de1681b5779: unexpected status code 401 Unauthorized (HEAD responses have no body, use GET for details)
ERROR: failed to export: failed to write image to the following tags: [[docker.io/USERNAME/creator-test:0.1](http://docker.io/USERNAME/creator-test:0.1): HEAD https://index.docker.io/v2/USERNAME/creator-test/blobs/sha256:3e75ef87b0aa607c36a6052ef22e1f9f90caddaf52da18a03dec6de1681b5779: unexpected status code 401 Unauthorized (HEAD responses have no body, use GET for details)]

Reproduction

Steps
  1. Run docker.io/cnbs/sample-builder:bionic container
  2. mkdir ~/.docker
  3. create a config.json file, and configure authentication info using the following format:
{
    "auths": {
        "https://index.docker.io/v1": {
            "auth": "username:password | base64"
        }
    }
}
  1. run
/cnb/lifecycle/creator -app=. docker.io/USERNAME/creator-test:0.1
Current behavior

Get 401 unauthorized error when export to remote registry

Expected

Export successfully to remote registry

Context

lifecycle version
platform version(s)
anything else?

cxrus avatar Sep 02 '22 22:09 cxrus

@cxrus this is odd - this should work; config.json is how we provide auth in platforms such as Tekton. Did you confirm that the file is readable by the creator user?

natalieparellano avatar Sep 03 '22 14:09 natalieparellano

I would say yes. Since it also gave me the same 401 error when I created the config.json file inside the /workspace and set DOCKER_CONFIG point to the absolute path of the config.json file. The /workspace should be able to r/w by all users even the cnb user. That's why I think it is not the file's permission that causes this problem.

cxrus avatar Sep 03 '22 16:09 cxrus

@cxrus just had a closer look at your config.json file - can you try it with a trailing slash i.e., https://index.docker.io/v1/?

natalieparellano avatar Sep 13 '22 14:09 natalieparellano

I'm going to close this issue as it's been hanging out for a while, but please feel free to reopen if further help is needed.

natalieparellano avatar Aug 08 '23 16:08 natalieparellano