docker credential helpers don't work with containerd image store #4653

@StealthyCoder

Description

I was experimenting with the WASM runtime setup documented here. I enabled the containerd image store feature and got the simple docker image I had pushed to Docker Hub working. I have to say, that felt really cool and awesome.

Then all of a sudden I could not get any of the images I had for the product I work for. After digging quite a bit, I found the issue. A one-liner in the NativeStore Get method for the docker credential helpers does not set the ServerAddress property on the AuthConfig object, which gets propagated all the way down to a line of code in dockerd of the moby/moby project.

Reproduce

  1. Enable containerd image store as documented here.
  2. Restart docker daemon
  3. Set up credential helper as documented here
  4. docker pull image that will use that credential helper

Expected behavior

The authorization should just keep on working like normal and as is the case with credential stores.

docker version

Client: Docker Engine - Community
 Version:           24.0.7
 API version:       1.43
 Go version:        go1.20.10
 Git commit:        afdd53b
 Built:             Thu Oct 26 09:07:41 2023
 OS/Arch:           linux/amd64
 Context:           default

Server: Docker Engine - Community
 Engine:
  Version:          24.0.7
  API version:      1.43 (minimum version 1.12)
  Go version:       go1.20.10
  Git commit:       311b9ff
  Built:            Thu Oct 26 09:07:41 2023
  OS/Arch:          linux/amd64
  Experimental:     false
 containerd:
  Version:          1.6.24
  GitCommit:        61f9fd88f79f081d64d6fa3bb1a0dc71ec870523
 runc:
  Version:          1.1.9
  GitCommit:        v1.1.9-0-gccaecfc
 docker-init:
  Version:          0.19.0
  GitCommit:        de40ad0

docker info

Client: Docker Engine - Community
 Version:    24.0.7
 Context:    default
 Debug Mode: false
 Plugins:
  buildx: Docker Buildx (Docker Inc.)
    Version:  v0.11.2
    Path:     /usr/libexec/docker/cli-plugins/docker-buildx
  compose: Docker Compose (Docker Inc.)
    Version:  v2.21.0
    Path:     /usr/libexec/docker/cli-plugins/docker-compose

Server:
 Containers: 0
  Running: 0
  Paused: 0
  Stopped: 0
 Images: 8
 Server Version: 24.0.7
 Storage Driver: overlayfs
  driver-type: io.containerd.snapshotter.v1
 Logging Driver: json-file
 Cgroup Driver: systemd
 Cgroup Version: 2
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
 Swarm: inactive
 Runtimes: io.containerd.runc.v2 runc
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: 61f9fd88f79f081d64d6fa3bb1a0dc71ec870523
 runc version: v1.1.9-0-gccaecfc
 init version: de40ad0
 Security Options:
  apparmor
  seccomp
   Profile: builtin
  cgroupns
 Kernel Version: 6.5.6-76060506-generic
 Operating System: Pop!_OS 22.04 LTS
 OSType: linux
 Architecture: x86_64
 CPUs: 16
 Total Memory: 31.07GiB
 Name: pop-os
 ID: XZSV:MMHH:Z4R5:AILG:YYNZ:7YBN:YITO:UCQH:KFKN:EPAA:VWX2:F4HF
 Docker Root Dir: /var/lib/docker
 Debug Mode: false
 Username: greagnath
 Experimental: false
 Insecure Registries:
  127.0.0.0/8
 Live Restore Enabled: false

Additional Info

In the logs of dockerd you will find the following line:

WARN[2023-11-10T16:29:20.476763317+01:00] Host doesn't match                            cfgHost=registry-1.docker.io host=hub.foundries.io

That is what narrowed it down for me. I already have a PR planned for this issue. I will link them together.
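
The failure mode reported above, as an added Go sketch that is not code from docker/cli or moby/moby: the type, function names and sample credentials are hypothetical, and the empty-address fallback to registry-1.docker.io is an assumption inferred from the cfgHost value in the warning.

```go
package main

import (
	"fmt"
	"strings"
)

// AuthConfig is a trimmed, hypothetical stand-in for the struct named in the issue.
type AuthConfig struct {
	Username, Password, ServerAddress string
}

// Assumed default host, taken from the cfgHost value in the dockerd warning.
const defaultRegistryHost = "registry-1.docker.io"

// helperGet models a credential-helper lookup with constructed credentials.
// setServerAddress=false reproduces the omission reported in the issue.
func helperGet(serverAddress string, setServerAddress bool) AuthConfig {
	ac := AuthConfig{Username: "ci-bot", Password: "constructed-secret"}
	if setServerAddress {
		ac.ServerAddress = serverAddress
	}
	return ac
}

// credsForHost models a fail-closed daemon-side check: credentials are only
// released when the contacted host matches the host recorded in the AuthConfig.
func credsForHost(ac AuthConfig, host string) (user, pass, warning string) {
	cfgHost := strings.TrimPrefix(ac.ServerAddress, "https://")
	cfgHost = strings.SplitN(cfgHost, "/", 2)[0]
	if cfgHost == "" {
		cfgHost = defaultRegistryHost // empty address is treated as the default registry
	}
	if cfgHost != host {
		// No credentials are handed out, so the pull proceeds unauthenticated.
		return "", "", fmt.Sprintf("Host doesn't match cfgHost=%s host=%s", cfgHost, host)
	}
	return ac.Username, ac.Password, ""
}

func main() {
	for _, fixed := range []bool{false, true} {
		ac := helperGet("hub.foundries.io", fixed)
		user, _, warn := credsForHost(ac, "hub.foundries.io")
		fmt.Printf("ServerAddress set=%v user=%q warning=%q\n", fixed, user, warn)
	}
}
```

The host comparison is what keeps credentials from being sent to a registry they were not issued for, so the sketch populates ServerAddress at the source rather than relaxing the check.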
