containerd: Auth flow should not require scope in auth header

Description

containerd currently requires that a scope be returned in the WWW-Authenticate header. It is unclear to me why this is required, especially as docker authenticates correctly without it.

This is returned by the registry in the Unauthorized response:

Bearer realm="http://rt.local:80/artifactory/api/docker/dummy-docker-local/v2/token",service="rt.local:80"

When the check for zero length scope https://github.com/containerd/containerd/blob/c6da899e2fd5ec5f0863d4be5ff683ee785d155c/remotes/docker/authorizer.go#L199 is disabled we see a properly generated request URI including the added pull scope:

/artifactory/api/docker/dummy-docker-local/v2/token?scope=&scope=repository%3Adummy-docker-local%2Fbusybox%3Apull&service=rt.local%3A80
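A simplified model of the two behaviours in this report, as an added example that is not containerd's code and not part of the original issue: in strict mode a Bearer challenge without `scope` is rejected with the error text seen in the logs on this page, otherwise the client falls back to the scope it derives from its own request. The name `tokenURL`, its `requestScopes` and `strict` parameters, and the skipping of empty or repeated scope values are assumptions of this sketch.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// paramRE matches key="value" pairs of a challenge (quoted values, no escapes).
var paramRE = regexp.MustCompile(`(\w+)="([^"]*)"`)

// tokenURL builds the token request for a Bearer challenge. requestScopes are
// scopes the client derives from its own request; strict models the rejection.
func tokenURL(challenge string, requestScopes []string, strict bool) (string, error) {
	if len(challenge) < 7 || !strings.EqualFold(challenge[:7], "Bearer ") {
		return "", fmt.Errorf("not a Bearer challenge")
	}
	p := map[string]string{}
	for _, m := range paramRE.FindAllStringSubmatch(challenge[7:], -1) {
		p[strings.ToLower(m[1])] = m[2]
	}
	if strict && p["scope"] == "" {
		return "", fmt.Errorf("no scope specified for token auth challenge")
	}
	u, err := url.Parse(p["realm"])
	if err != nil || u.Host == "" {
		return "", fmt.Errorf("challenge has no usable realm")
	}
	q := url.Values{"service": {p["service"]}}
	seen := map[string]bool{}
	for _, s := range append(strings.Fields(p["scope"]), requestScopes...) {
		if s != "" && !seen[s] { // never emit an empty or repeated scope parameter
			seen[s] = true
			q.Add("scope", s)
		}
	}
	if len(q["scope"]) == 0 {
		return "", fmt.Errorf("no scope available for token request")
	}
	u.RawQuery = q.Encode()
	return u.String(), nil
}

func main() {
	// Challenge and pull scope are the values quoted in the report above.
	c := `Bearer realm="http://rt.local:80/artifactory/api/docker/dummy-docker-local/v2/token",service="rt.local:80"`
	fmt.Println(tokenURL(c, []string{"repository:dummy-docker-local/busybox:pull"}, false))
}
```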

About this issue

  • State: closed
  • Created 5 years ago
  • Reactions: 5
  • Comments: 19 (6 by maintainers)

Most upvoted comments

k3s is also affected, since it’s using containerd

@btashton is my problem with Artifactory the same as yours?

Today I’ve tried Containerd 1.3.0-rc2 and I’m getting this message:

no scope specified for token auth challenge

Artifactory works together with earlier Containerd 1.2.8.

New debug log:

# ctr --debug images pull k8s.artifactory.example.com/metrics-server:v0.3.4
time="2019-09-21T21:01:20+02:00" level=debug msg=fetching image="k8s.artifactory.example.com/metrics-server:v0.3.4"
time="2019-09-21T21:01:20+02:00" level=debug msg=resolving host=k8s.artifactory.example.com
time="2019-09-21T21:01:20+02:00" level=debug msg="do request" host=k8s.artifactory.example.com request.header.accept="application/vnd.docker.distribution.manifest.v2+json, application/vnd.docker.distribution.manifest.list.v2+json, application/vnd.oci.image.manifest.v1+json, application/vnd.oci.image.index.v1+json, *" request.header.user-agent=containerd/v1.3.0-rc.2 request.method=HEAD url="https://k8s.artifactory.example.com/v2/metrics-server/manifests/v0.3.4"
time="2019-09-21T21:01:20+02:00" level=debug msg="fetch response received" host=k8s.artifactory.example.com response.header.connection=keep-alive response.header.content-type="application/json;charset=ISO-8859-1" response.header.date="Sat, 21 Sep 2019 19:01:20 GMT" response.header.docker-distribution-api-version=registry/2.0 response.header.server=Artifactory/6.12.2 response.header.www-authenticate="Bearer realm=\"https://k8s.artifactory.example.com:443/api/docker/k8s/v2/token\",service=\"k8s.artifactory.example.com:443\"" response.header.x-artifactory-id="40971a43072de368:-78d5be6:16d55267bcc:-8000" response.status="401 Unauthorized" url="https://k8s.artifactory.example.com/v2/metrics-server/manifests/v0.3.4"
time="2019-09-21T21:01:20+02:00" level=debug msg=Unauthorized header="Bearer realm=\"https://k8s.artifactory.example.com:443/api/docker/k8s/v2/token\",service=\"k8s.artifactory.example.com:443\"" host=k8s.artifactory.example.com
ctr: failed to resolve reference "k8s.artifactory.example.com/metrics-server:v0.3.4": no scope specified for token auth challenge

Old debug log:

time="2019-09-21T21:07:32+02:00" level=debug msg=fetching image="k8s.artifactory.example.com/metrics-server:v0.3.4" 
time="2019-09-21T21:07:32+02:00" level=debug msg=resolving 
time="2019-09-21T21:07:32+02:00" level=debug msg="do request" request.headers=map[Accept:[application/vnd.docker.distribution.manifest.v2+json, application/vnd.docker.distribution.manifest.list.v2+json, application/vnd.oci.image.manifest.v1+json, application/vnd.oci.image.index.v1+json, *]] request.method=HEAD url="https://k8s.artifactory.example.com/v2/metrics-server/manifests/v0.3.4" 
time="2019-09-21T21:07:32+02:00" level=debug msg="fetch response received" response.headers=map[Content-Type:[application/json;charset=ISO-8859-1] Connection:[keep-alive] Server:[Artifactory/6.12.2] X-Artifactory-Id:[40971a43072de368:-78d5be6:16d55267bcc:-8000] Docker-Distribution-Api-Version:[registry/2.0] Www-Authenticate:[Bearer realm="https://k8s.artifactory.example.com:443/api/docker/k8s/v2/token",service="k8s.artifactory.example.com:443"] Date:[Sat, 21 Sep 2019 19:07:32 GMT]] status="401 Unauthorized" url="https://k8s.artifactory.example.com/v2/metrics-server/manifests/v0.3.4" 
time="2019-09-21T21:07:32+02:00" level=debug msg=Unauthorized header="Bearer realm="https://k8s.artifactory.example.com:443/api/docker/k8s/v2/token",service="k8s.artifactory.example.com:443"" 
time="2019-09-21T21:07:33+02:00" level=debug msg="do request" request.headers=map[Accept:[application/vnd.docker.distribution.manifest.v2+json, application/vnd.docker.distribution.manifest.list.v2+json, application/vnd.oci.image.manifest.v1+json, application/vnd.oci.image.index.v1+json, *] User-Agent:[containerd/v1.2.7]] request.method=HEAD url="https://k8s.artifactory.example.com/v2/metrics-server/manifests/v0.3.4" 
time="2019-09-21T21:07:33+02:00" level=debug msg="fetch response received" response.headers=map[X-Checksum-Md5:[986d8ec1454fb0c18e833f3a201a834d] X-Checksum-Sha1:[ba29ae3bb81253b82534a83be17050b002baf6b5] Cache-Control:[no-store] Server:[Artifactory/6.12.2] Last-Modified:[Sat, 21 Sep 2019 19:07:33 GMT] Etag:[ba29ae3bb81253b82534a83be17050b002baf6b5] Docker-Content-Digest:[sha256:e51071a0670e003e3936190cfda74cfd6edaa39e0d16fc0b5a5f09dbf09dd1ff] Connection:[keep-alive] X-Artifactory-Id:[40971a43072de368:-78d5be6:16d55267bcc:-8000] Content-Length:[738] X-Checksum-Sha256:[e51071a0670e003e3936190cfda74cfd6edaa39e0d16fc0b5a5f09dbf09dd1ff] Accept-Ranges:[bytes] X-Artifactory-Filename:[manifest.json] Content-Disposition:[attachment; filename="manifest.json"] Docker-Distribution-Api-Version:[registry/2.0] Date:[Sat, 21 Sep 2019 19:07:33 GMT] Content-Type:[application/vnd.docker.distribution.manifest.v2+json]] status="200 OK" url="https://k8s.artifactory.example.com/v2/metrics-server/manifests/v0.3.4" 
time="2019-09-21T21:07:33+02:00" level=debug msg=resolved desc.digest=sha256:e51071a0670e003e3936190cfda74cfd6edaa39e0d16fc0b5a5f09dbf09dd1ff 
time="2019-09-21T21:07:33+02:00" level=debug msg=fetch digest=sha256:e51071a0670e003e3936190cfda74cfd6edaa39e0d16fc0b5a5f09dbf09dd1ff mediatype="application/vnd.docker.distribution.manifest.v2+json" size=738 
time="2019-09-21T21:07:33+02:00" level=debug msg=fetch digest=sha256:5d092e4b984acc2661bb4d2752ddd98ac87004d58c56ff41f768b1136a63a1f2 mediatype="application/vnd.docker.container.image.v1+json" size=1784 
time="2019-09-21T21:07:33+02:00" level=debug msg=fetch digest=sha256:733d58551ccda5e1dcbaf56131aee83dacbf26815b70cf4ea9e6c478df4f47c0 mediatype="application/vnd.docker.image.rootfs.diff.tar.gzip" size=9885614 
time="2019-09-21T21:07:33+02:00" level=debug msg=fetch digest=sha256:e8d8785a314f385d3675a017f4e2df1707c528c06e7a7989663fdab4900bd8ff mediatype="application/vnd.docker.image.rootfs.diff.tar.gzip" size=654467 
time="2019-09-21T21:07:33+02:00" level=debug msg=unpacking image="k8s.artifactory.example.com/metrics-server:v0.3.4" 
unpacking linux/amd64 sha256:e51071a0670e003e3936190cfda74cfd6edaa39e0d16fc0b5a5f09dbf09dd1ff...

Got in touch with JFrog; they say they will look into it.