Build succeeded.

• containerd-build-arm64 : SUCCESS in 5m 53s (non-voting)

@AkihiroSuda I will submit the cherry-pick PR once this PR has been merged.

I do agree we should not retry on 500. However MSR is a product that people can install and update on their own cadence. Even Mirantis fixes the issue, it may take weeks/months to actually have the fix in all MSR installations.

One thing we could do is checking MSR based on a heuristic logic regarding the JSON response like below and only have a fallback when it is like MSR. It wouldn't address the risk of misbehaving though.

DEBU[0000] token request failed                          body="{\"details\":\"internal error\",\"message\":\"please contact an administrator to resolve this issue\",\"request_id\":\"6b05d3a1-73a5-4397-8e97-47b5caada2f6\"}\n" host=example.com status="500 Internal Server Error" url="https://example.com/v2/admin/busybox/manifests/latest"

Another path we could take is having a configuration option to use GET instead.

@dmcgowan This is the DTR codebase, from what I understand, but maybe it is being fronted by something else as I don't think we had any issues reported with original DTR/Docker EE and containerd?

Sorry, seems "MSR doesn't support POST" is oversimplification of the situation. Here is what Docker does. POST to /auth/token actually works here.

72.21.198.64 - - [31/Mar/2021:16:17:41 +0000] "GET /v2/ HTTP/1.1" 401 87 "-" "docker/20.10.5 go/go1.13.15 git-commit/363e9a8 kernel/4.19.121-linuxkit os/linux arch/amd64 UpstreamClient(Docker-Client/20.10.5 \x5C(darwin\x5C))"
72.21.198.64 - - [31/Mar/2021:16:17:41 +0000] "POST /auth/token HTTP/1.1" 200 713 "-" "docker/20.10.5 go/go1.13.15 git-commit/363e9a8 kernel/4.19.121-linuxkit os/linux arch/amd64 UpstreamClient(Docker-Client/20.10.5 \x5C(darwin\x5C))"
72.21.198.64 - - [31/Mar/2021:16:17:42 +0000] "HEAD /v2/admin/busybox/manifests/latest HTTP/1.1" 401 0 "-" "docker/20.10.5 go/go1.13.15 git-commit/363e9a8 kernel/4.19.121-linuxkit os/linux arch/amd64 UpstreamClient(Docker-Client/20.10.5 \x5C(darwin\x5C))"
72.21.198.64 - - [31/Mar/2021:16:17:42 +0000] "GET /v2/admin/busybox/manifests/latest HTTP/1.1" 401 156 "-" "docker/20.10.5 go/go1.13.15 git-commit/363e9a8 kernel/4.19.121-linuxkit os/linux arch/amd64 UpstreamClient(Docker-Client/20.10.5 \x5C(darwin\x5C))"

And here is what containerd does.

54.148.61.113 - - [31/Mar/2021:16:19:43 +0000] "HEAD /v2/admin/busybox/manifests/latest HTTP/1.1" 401 0 "-" "containerd/v1.5.0-beta.4-92-gceb67edfd.m"
54.148.61.113 - admin [31/Mar/2021:16:19:43 +0000] "POST /auth/token HTTP/1.1" 500 147 "-" "Go-http-client/1.1"

Docker's POST above was actually getting an refresh token, whereas containerd was getting an access token. So the correct summary of the issue is "Mirantis Secure Registry doesn't support POST for getting an access token".

@dmcgowan How about adding another AuthorizerOpt that let authHandler uses FetchToken() before FetchTokenWithOAuth() instead of the current order of the operations (FetchTokenWithOAuth() -> FetchToken())?

I tried to reach out to the Mirantis team through our joined slack channel to have a look at this

Oh, actually; I have some GitHub handles; @corhere @squizzi could one of you have a look? (I think you are working on Mirantis Secure Registry ?)

How about adding another AuthorizerOpt that let authHandler uses FetchToken() before FetchTokenWithOAuth() instead of the current order of the operations (FetchTokenWithOAuth() -> FetchToken())?

The Authorizer is already interfaced to allow for using a custom authorizer. If there needs to be more options to override the authorizer, we should make that change. This implementation of the authorizer shouldn't have any changes which alter the protocol though.

I'm going to close this one, but this can be tracked further in an issue until we find an acceptable solution or the bug is fixed by the registry operators.

@thaJeztah the bug has been fixed in MSR 2.9.0.

Thanks @corhere 👍