kaniko: HTTP 401 returned when trying to push to Dockerhub with correct credentials
Actual behavior
While running a build with correct and valid docker credentials mounted under /kaniko/.docker/config.json and the environment variable DOCKER_CONFIG=/kaniko/.docker, Kaniko fails to pass the “push” permission test to Dockerhub, throwing the error:
error checking push permissions -- make sure you entered the correct tag name, and that you are authenticated correctly, and try again: checking push permission for "index.docker.io/myname/kaniko-test:latest": UNAUTHORIZED: authentication required; [map[Type:repository Class: Name:myname/kaniko-test Action:pull] map[Type:repository Class: Name:myname/kaniko-test Action:push]]
NOTE: The “config.json” has been confirmed to be valid by running docker --config docker/ build -t myname/testing-push . (with the config pointed to the same file) and confirming that this authenticated successfully against Dockerhub.
Expected behavior
That the Build successfully authenticates against Dockerhub
NOTE: This might be related to an issue in an upstream dependency as per: https://github.com/GoogleContainerTools/kaniko/issues/614
To Reproduce
Run the following command to build an image and push to a Dockerhub repository you have permissions to, with the Dockerhub “config.json” file under the “docker” directory:
docker run \
-v /path/to/code/kaniko-test:/workspace \
-v docker:/kaniko/.docker \
--env DOCKER_CONFIG=/kaniko/.docker \
gcr.io/kaniko-project/executor:debug \
--dockerfile /workspace/Dockerfile \
--destination yourname/kaniko-test:latest \
--context dir:///workspace/ \
--cache=false
Additional Information
- Dockerfile
FROM nginx
RUN ls -al
RUN ls -al /root/
#RUN ls -al /root/.docker/
#RUN cat /root/.docker/config.json
RUN ls -al /kaniko
RUN ls -al /kaniko/.docker/
RUN cat /kaniko/.docker/config.json
- Build Context sample config.json (secret removed):
{
"auths": {
"https://index.docker.io/v1/": {
"email": "foo@bar.com",
"auth": "ABCDEFGHIJKLMNOP"
}
}
}
- Kaniko Image (fully qualified with digest): Not sure. Latest debug one?
About this issue
- State: closed
- Created 5 years ago
- Reactions: 1
- Comments: 16 (4 by maintainers)
Commits related to this issue
- feat(jenkins): add kaniko image to shared pod Use the 0.7.0 image because of https://github.com/GoogleContainerTools/kaniko/issues/641 Use debug image because we need to run sh and the default image ... — committed to fdlk/molgenis-ops-helm by fdlk 5 years ago
We’ve just experienced this many times (on a different GCR repo each time, so seems random) inside Cloud Build, using the latest v0.21.0. It got resolved after I downgraded to v0.20.0.
I’m looking into this today; sorry for the delay, I don’t normally subscribe to Kaniko issues.
I believe this issue needs to stay open or a new issue needs to be logged. This clearly stopped working with knative build after 0.7.0.
Thanks for filing! I thought I must be doing something wrong. Can confirm that docker config authentication works fine in 0.7.0 and is broken in 0.8.0 and 0.9.0.
If it helps, when I build the above Dockerfile and get it to print out the contents of /kaniko/.docker/config.json it looks like the contents of the file don’t match what’s being mounted:
It’s my first time using Kaniko and I’m not a Docker “layer” expert, but I would expect that the volume mount would replace this file, regardless of the contents of any of the layers.
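Added example, not part of the original issue or the kaniko project: a Python check of a Docker config.json in the format shown in the report, confirming that an auths entry exists for the push registry and that its auth field decodes to username:password, without printing the password. The hostname-matching rule, the function names and the sample inputs are assumptions of this example.

```python
import base64
import binascii
import json
from urllib.parse import urlparse


def registry_host(key):
    """Reduce an auths key such as 'https://index.docker.io/v1/' to its hostname."""
    parsed = urlparse(key if "://" in key else "//" + key)
    return (parsed.hostname or "").lower()


def check_auth(config_text, registry):
    """Return (ok, detail) for `registry`; the detail never contains the password."""
    try:
        auths = json.loads(config_text).get("auths", {})
    except json.JSONDecodeError as exc:
        return False, f"config.json is not valid JSON: {exc.msg}"
    # Assumption of this example: an entry applies when the hostnames match.
    entry = next((v for k, v in auths.items() if registry_host(k) == registry), None)
    if entry is None:
        return False, f"no auths entry for {registry}"
    try:
        decoded = base64.b64decode(entry.get("auth", ""), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return False, "auth is not base64 of UTF-8 text"
    user, sep, password = decoded.partition(":")
    if not (user and sep and password):
        return False, "auth does not decode to username:password"
    return True, f"credentials present for user {user!r}"


# Constructed sample input; the username and token are made up.
GOOD = json.dumps({"auths": {"https://index.docker.io/v1/": {
    "auth": base64.b64encode(b"myname:constructed-token").decode()}}})
# The redacted placeholder value from the issue's sample config.json.
REDACTED = '{"auths": {"https://index.docker.io/v1/": {"auth": "ABCDEFGHIJKLMNOP"}}}'

if __name__ == "__main__":
    for name, text in (("good", GOOD), ("redacted", REDACTED)):
        print(name, check_auth(text, "index.docker.io"))
```

Run against the file that is actually visible inside the container, this separates a missing or malformed entry from a registry-side rejection of well-formed credentials.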