moby: Unclear error messages creating Swarm service with image from local library

Description

unauthorized: authentication required when creating service with attachable network access.

This is using the ARM 32-bit release from: https://github.com/docker/docker/releases/tag/v1.13.0-rc3

Steps to reproduce the issue:

docker network create --attachable -d overlay funker
mrythowxwse3ocwo92l5k80hl

docker service create --name add --network funker add
unable to pin image add to digest: errors:
denied: requested access to the resource is denied
unauthorized: authentication required

tgpvi3qvcafui6tuh7evrykbr

Describe the results you received:

Describe the results you expected:

Additional information you deem important (e.g. issue happens only occasionally):

Output of docker version:

pi@pi2swarm7:~ $ docker version
Client:
 Version:      1.13.0-rc3
 API version:  1.25
 Go version:   go1.7.3
 Git commit:   4d92237
 Built:        Tue Dec  6 01:48:38 2016
 OS/Arch:      linux/arm

Server:
 Version:      1.13.0-rc3
 API version:  1.25 (minimum version 1.12)
 Go version:   go1.7.3
 Git commit:   4d92237
 Built:        Tue Dec  6 01:48:38 2016
 OS/Arch:      linux/arm
 Experimental: false

Linux pi2swarm7 4.4.19-v7+ #906 SMP Tue Aug 23 15:53:06 BST 2016 armv7l GNU/Linux

Output of docker info:

Slightly redacted:

Containers: 7
 Running: 0
 Paused: 0
 Stopped: 7
Images: 17
Server Version: 1.13.0-rc3
Storage Driver: overlay
 Backing Filesystem: extfs
 Supports d_type: true
Logging Driver: json-file
Cgroup Driver: cgroupfs
Plugins: 
 Volume: local
 Network: bridge host macvlan null overlay
Swarm: active
 Is Manager: true
 Managers: 1
 Nodes: 1
 Orchestration:
  Task History Retention Limit: 5
 Raft:
  Snapshot Interval: 10000
  Number of Old Snapshots to Retain: 0
  Heartbeat Tick: 1
  Election Tick: 3
 Dispatcher:
  Heartbeat Period: 5 seconds
 CA Configuration:
  Expiry Duration: 3 months
 Node Address: 192.168.0.34
 Manager Addresses:
Runtimes: runc
Default Runtime: runc
Init Binary: docker-init
containerd version: 03e5862ec0d8d3b3f750e19fca3ee367e13c090e
runc version: 51371867a01c467f08af739783b8beafc154c4d7
init version: 949e6fa
Kernel Version: 4.4.19-v7+
Operating System: Raspbian GNU/Linux 8 (jessie)
OSType: linux
Architecture: armv7l
CPUs: 4
Total Memory: 925.5 MiB
Name: pi2swarm7
Docker Root Dir: /var/lib/docker
Debug Mode (client): false
Debug Mode (server): false
Username: alexellis2
Registry: https://index.docker.io/v1/
WARNING: No swap limit support
WARNING: No kernel memory limit support
WARNING: No cpu cfs quota support
WARNING: No cpu cfs period support
WARNING: No cpuset support
Experimental: false
Insecure Registries:
 127.0.0.0/8
Live Restore Enabled: false

Additional environment details (AWS, VirtualBox, physical, etc.):

About this issue

  • Original URL
  • State: closed
  • Created 8 years ago
  • Reactions: 6
  • Comments: 30 (21 by maintainers)

Most upvoted comments

Hi @nishanttotla. The explanation behind the warning makes perfect sense, but it is not an ideal solution right now since it causes needless anxiety during a typical development scenario, i.e., working with images that haven’t been assigned digests because they haven’t yet been pushed to any registry. Errors, denied and unauthorized appearing in message sound sinister because they should be taken seriously and not ignored – which is of course what you want in a cluster scenario as you noted (but even then the current phrasing doesn’t quite make it clear what’s going on if you don’t already understand the issue).

I don’t know how to phrase it best, but a naive verbose attempt is something like the following:

Warning: unable to pin image pinger to digest because it wasn't found in the registry.
This can lead to problems in a cluster because the image on each node might not be identical
(even though they might have the same tag).

Warning: unable to pin image pinger to digest because authentication is required to access
the registry. This can lead to problems in a cluster because the image on each node might not
be identical (even though they might have the same tag).

Wording stuff is hard! 😉

+12
subfuzion on Jan 21, 2017

If anyone else lands here and if not sure what this means, I’ll try to paraphrase:

This is just a warning and not an error which translated means “we could not find your image on the internet (Hub) or another registry, so we’ll use your local image instead”.

  • You won’t be able to scale your image over multiple hosts unless they have the exact matching image
+9
alexellis on Mar 6, 2017

Thanks @nishanttotla

Regarding the “warning” message: as many others I was confused with it… As you stated: “This happens by contacting the registry to retrieve the digest (#28173). If the digest pinning fails, a warning is returned

IIUC: Docker image picking process checks locally first (before looking on any registry). According to that, -as I provided image:tag- it should match and use it without any warning or checking any registry. At most, it should check local image digest without problems.

So, I don’t understand what the message means. Could you elaborate a bit to better understand what’s going on and improve/remove/whatever the message behavior? Thanks

+5
mostolog on Jan 12, 2017

I am also getting the same issue

unable to pin image my-prometheus to digest: errors:
denied: requested access to the resource is denied
unauthorized: authentication required```
+3
laxmanlax on Feb 18, 2017

@mostolog @nishanttotla im having this exact same issue with local images.

+2
sandys on Feb 18, 2017

@alexellis @mostolog thanks for your suggestions. This is a little tricky and I see all your points. I’m currently working on a PR to make an attempt to make this warning system better, stay tuned.

+2
nishanttotla on Feb 13, 2017

#31713 fixes the warnings received, by making them more concise and explanatory.

+1
nishanttotla on Mar 13, 2017

From the description above, I see that the service was successfully created, but it does seem like the UX is a little confusing in that case. I’ll think about how we can make this better.

I just checked this issue (was AFK when I commented above), and can confirm that the service is created as usual and a 0 exit code is returned, so there’s no regression since 1.12, purely cosmetic / UX

Maybe the error should include “how” docker proceeded (creating service using local image cache)?

+1
thaJeztah on Dec 8, 2016

did this work on docker 1.12 (which also performed a pull when deploying a service)?

docker 1.13 pins images by digest to ensure all instances of a service run exactly the same version of the image; this resolution is handled through the registry. I suspect the error is due to this.

@nishanttotla could you have a look?

+1
thaJeztah on Dec 7, 2016
Read more comments on GitHub
← moby: Unattended upgrades that reload apparmor profiles break Engine 1.13, requiring a restart
moby: Undefined error for `client.NewClientWithOpts` in Go SDK →