-
Notifications
You must be signed in to change notification settings - Fork 40
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
HTTP GET a plugin manifest by version fails with 401 #2107
Comments
Hi @rgl I can't comment on how are you getting these results based on your screenshots, but I can see you're getting back Registry should let you grab Get the registry authorization token:
Make sure the token you get back has the right scope -- in this case thats
Grab the tagged manifest (NOTE: I've picked one of the available tags, but the same should work for any of them):
|
@milosgajdos, please, make sure you try that in a docker plugin image like the grafana/loki-docker-driver:2.2.1. |
We are clearing up our old issues and your ticket has been open for 6 months with no activity. Remove stale label or comment or this will be closed in 15 days. |
@milosgajdos, did you get a chance to look into this? |
Unfortunately I have no update on this, I'm afraid. For the time being I'd recommend to continue to use the current flow. |
Looks like hub is returning this when you attempt to fetch a plugin:
Whereas it should be:
(note the |
This has been fixed - the issue was around the scope handling on the authorization server with how plugins required a "class" to be appended ( |
@jcarter3, thx for the follow up! does that mean we no longer need to use the |
That's correct, the plugin part is no longer needed. It can still be sent so that existing tooling continues to work, but is ultimately ignored. |
Problem description
While trying to understand why I could not use regular tools to download a docker plugin manifest, I discovered something that I think is a bug in the current docker hub registry api.
When we try to HTTP GET a plugin manifest by version (e.g.
2.2.1
) that request wrongly fails with 401. It only works by digest (e.g.sha256:c7cf4544f8eee4e9d55e701e01f6ec5a290a807f0e75dfaf14ec463e3d973963
).Here is how I found the differences between what docker daemon does versus what a library like Docker.Registry.DotNet does.
To install a docker plugin with docker daemon, one uses something like:
And this is how the docker daemon contacts the docker hub registry and is able to download the image manifest:
And this is how this library
GetManifestAsync
does it but fails to download the image manifest:The difference is, the docker daemon first manifest request uses a
HEAD
request to translate the manifest reference from the version2.2.1
to the digestsha256:c7cf4544f8eee4e9d55e701e01f6ec5a290a807f0e75dfaf14ec463e3d973963
(which it obtained from theHEAD
responsedocker-content-digest
header), and only then, it uses aGET
request to obtain the actual manifest.For cross-reference, this is also being tracked at ChangemakerStudios/Docker.Registry.DotNet#12.
The text was updated successfully, but these errors were encountered: