Unauthorized error when pull image in containerd #64

Closed
STARRY-S opened this issue Sep 14, 2024 · 1 comment · Fixed by #63

STARRY-S commented Sep 14, 2024

Description

Unauthorized error when pulling an image using containerd:

$ sudo k3s ctr image pull docker.hxstarrys.me/library/nginx:latest
WARN[0000] DEPRECATION: The `configs` property of `[plugins."io.containerd.grpc.v1.cri".registry]` is deprecated since containerd v1.5 and will be removed in containerd v2.0. Use `config_path` instead. 
docker.hxstarrys.me/library/nginx:latest: resolving      |--------------------------------------| 
elapsed: 30.8s                            total:   0.0 B (0.0 B/s)                                         
INFO[0031] trying next host                              error="failed to authorize: failed to fetch anonymous token: Get \"https://auth.docker.io/token?scope=repository%3Alibrary%2Fnginx%3Apull&service=registry.docker.io\": dial tcp 66.220.147.11:443: i/o timeout" host=docker.hxstarrys.me
ctr: failed to resolve reference "docker.hxstarrys.me/library/nginx:latest": failed to authorize: failed to fetch anonymous token: Get "https://auth.docker.io/token?scope=repository%3Alibrary%2Fnginx%3Apull&service=registry.docker.io": dial tcp 66.220.147.11:443: i/o timeout

Containerd gets the access token from auth.docker.io/token instead of docker.hxstarrys.me/v2/auth, and auth.docker.io is not accessible from regions in China.

Reason

Containerd uses different logic to get the access token from the registry server: it accesses https://<REGISTRY>/v2/<REPO>/<IMAGE>/manifests/<TAG> directly instead of accessing https://<REGISTRY>/v2/ first before pulling images.

Workflow logs

{
  "truncated": false,
  "outcome": "ok",
  "scriptVersion": {
    "id": "a3767ee3-4ecf-4522-9578-c7a3d7f7c7c7"
  },
  "scriptName": "cloudflare-docker-proxy",
  "diagnosticsChannelEvents": [],
  "exceptions": [],
  "logs": [],
  "eventTimestamp": 1726288203286,
  "event": {
    "request": {
      "url": "https://docker.hxstarrys.me/v2/library/nginx/manifests/latest",
      "method": "HEAD",
      "headers": {
        "accept": "application/vnd.docker.distribution.manifest.v2+json, application/vnd.docker.distribution.manifest.list.v2+json, application/vnd.oci.image.manifest.v1+json, application/vnd.oci.image.index.v1+json, */*",
        "accept-encoding": "gzip, br",
        "cf-connecting-ip": "123.244.84.117",
        "cf-ipcountry": "CN",
        "cf-ray": "8c2da3b679bd771d",
        "cf-visitor": "{\"scheme\":\"https\"}",
        "connection": "Keep-Alive",
        "host": "docker.hxstarrys.me",
        "user-agent": "containerd/v1.7.20-k3s1",
        "x-forwarded-proto": "https",
        "x-real-ip": "123.244.84.117"
      },
      "cf": {
        "clientTcpRtt": 184,
        "longitude": "120.46370",
        "latitude": "41.57150",
        "tlsCipher": "AEAD-AES128-GCM-SHA256",
        "continent": "AS",
        "asn": 4134,
        "country": "CN",
        "tlsClientAuth": {
          "certIssuerDNLegacy": "",
          "certIssuerSKI": "",
          "certSubjectDNRFC2253": "",
          "certSubjectDNLegacy": "",
          "certFingerprintSHA256": "",
          "certNotBefore": "",
          "certSKI": "",
          "certSerial": "",
          "certIssuerDN": "",
          "certVerified": "NONE",
          "certNotAfter": "",
          "certSubjectDN": "",
          "certPresented": "0",
          "certRevoked": "0",
          "certIssuerSerial": "",
          "certIssuerDNRFC2253": "",
          "certFingerprintSHA1": ""
        },
        "verifiedBotCategory": "",
        "tlsExportedAuthenticator": {
          "clientFinished": "6536e41bad0ab4625b27ee0c0a312e9cecca3fcba0f51ef58433417bb6ee149d",
          "clientHandshake": "b2dd58d91843041279aaadd240d634a65a6880b29298938cae10325868e269e2",
          "serverHandshake": "47170079a6bc425441acbe4408aed865b20c475f76312efa7490c90b3878f7c1",
          "serverFinished": "1f71387e4db4c13f7a97582326ec51fdcf540b3ff3e8a5de65036139377579ce"
        },
        "tlsVersion": "TLSv1.3",
        "colo": "LHR",
        "timezone": "Asia/Shanghai",
        "tlsClientHelloLength": "252",
        "edgeRequestKeepAliveStatus": 1,
        "requestPriority": "",
        "tlsClientExtensionsSha1": "l3/hnilBcqxaD0e8H0fM4mdcRJw=",
        "region": "Liaoning",
        "city": "Chaoyang",
        "regionCode": "LN",
        "asOrganization": "China Telecom",
        "tlsClientRandom": "Fg+IXt5uDhO5It02QHAMNT7Xk8XhHA+XdvRFIArH7zI=",
        "httpProtocol": "HTTP/1.1",
        "botManagement": {
          "corporateProxy": false,
          "verifiedBot": false,
          "jsDetection": {
            "passed": false
          },
          "staticResource": false,
          "detectionIds": {},
          "score": 99
        }
      }
    },
    "response": {
      "status": 401
    }
  },
  "id": 0
}
@ChaceYang

Thanks

@ciiiii ciiiii closed this as completed in #63 Oct 8, 2024
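
The behaviour reported in this issue, as an added example (not code from the cloudflare-docker-proxy project or from #63): a registry client requests its token from whatever realm the 401 challenge names, so a proxy has to rewrite that challenge on every /v2/ path, including a manifest HEAD. The function names and the sample challenge (constructed from the token URL in the error message above) are assumptions.

```javascript
// Added example; not code from the cloudflare-docker-proxy project.
// Constructed sample: the challenge implied by the token URL in the error above.
const UPSTREAM_CHALLENGE =
  'Bearer realm="https://auth.docker.io/token",' +
  'service="registry.docker.io",scope="repository:library/nginx:pull"';

// Parse the key="value" parameters of a Bearer challenge; null if not Bearer.
function parseBearerChallenge(header) {
  const m = /^\s*Bearer\s+(.*)$/i.exec(header || "");
  if (!m) return null;
  const params = {};
  const re = /([A-Za-z_]+)="([^"]*)"/g;
  let kv;
  while ((kv = re.exec(m[1])) !== null) params[kv[1].toLowerCase()] = kv[2];
  return params;
}

// Host the client will contact for a token when it sees this challenge.
function tokenHost(header) {
  const p = parseBearerChallenge(header);
  return p && p.realm ? new URL(p.realm).host : null;
}

// Point the realm at the proxy's own /v2/auth; service and scope are kept
// so the proxy can forward them to the upstream token service.
function rewriteChallenge(header, proxyOrigin) {
  const p = parseBearerChallenge(header);
  if (!p || !p.realm) return header; // not a Bearer challenge: pass through
  const parts = [`realm="${new URL("/v2/auth", proxyOrigin).href}"`];
  if (p.service) parts.push(`service="${p.service}"`);
  if (p.scope) parts.push(`scope="${p.scope}"`);
  return "Bearer " + parts.join(",");
}

// Header the proxy should return to the client. The rewrite applies to every
// 401 under /v2/, so a client whose first request is a manifest HEAD is covered.
function proxyAuthHeader(requestUrl, upstreamStatus, upstreamHeader) {
  const url = new URL(requestUrl);
  if (upstreamStatus !== 401 || !url.pathname.startsWith("/v2/")) {
    return upstreamHeader;
  }
  return rewriteChallenge(upstreamHeader, url.origin);
}

const rewritten = proxyAuthHeader(
  "https://docker.hxstarrys.me/v2/library/nginx/manifests/latest", 401, UPSTREAM_CHALLENGE);
console.log(tokenHost(UPSTREAM_CHALLENGE), "->", tokenHost(rewritten));
```

Because the client sends its registry credentials to the realm it is given, the rewritten realm should only ever be the proxy's own origin, as it is here.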