Docker image pull fails with not found: manifest - docker

I'm using Docker version 20.10.8, build 3967b7d on a CentOS-7.9 host, with Sonatype Nexus Repository Manager version OSS 3.30.1-01 as a private docker registry. When I tried to pull the image using docker-compose, it always fails with the error below.
$ docker-compose up -d
Pulling prometheus (internal-registry.com:8335/prometheus:latest)...
ERROR: manifest for internal-registry.com:8335/prometheus:latest not found: manifest unknown: manifest unknown
The error from the Sonatype Nexus server log is as follows.
2021-10-11 10:35:41,307+0530 WARN [qtp657241891-125] admin org.sonatype.nexus.repository.docker.internal.V2Handlers - Error: HEAD /v2/library/prometheus/manifests/latest: 401 - org.sonatype.nexus.repository.docker.internal.V2Exception: authentication required
2021-10-11 10:35:42,106+0530 WARN [qtp657241891-560] admin org.sonatype.nexus.repository.docker.internal.V2Handlers - Error: GET /v2/library/prometheus/manifests/latest: 401 - org.sonatype.nexus.repository.docker.internal.V2Exception: authentication required.
Docker host docker login to our private registry is successful.
1) Repo - Allow clients to use the V1 API to interact with this repository (Tick mark enabled).
2) DockerHub(Proxy) - Allow clients to use the V1 API to interact with this repository (Tick mark enabled).
3) Group - Allow clients to use the V1 API to interact with this repository (Tick mark enabled).
4) Nexus UI > Security > Anonymous Access > Allow anonymous users to access the server - (Tick mark enabled).
Username: anonymous
Realm: Local Authorizing Realm
5) Nexus UI > Security > Role > Create role > Create Nexus role > Created new role
Privileges: nx-repository-view-*-*-*-browse
nx-repository-view-*-*-*-read
Roles: Contained - nx-anonymous
6) Nexus UI > Security > Users > anonymous(Active)
Roles: Granted: read_and-browse
7) Nexus UI > Security > Realms - Docker Bearer Token Realm (Is in Active List)
I am still getting the "not found: manifest unknown: manifest unknown" error while pulling the docker image. How do I solve this problem? Any pointer would be helpful. Thanks!

This looks like some kind of network/memory/hardware issue, probably on internal-registry.com, assuming that prometheus is an available image on that registry. I would first load test that service, then verify DNS, then the firewall, then the memory, then the power supply, then the hardware of that service to troubleshoot it.
Finally, I would try to recreate this error in another environment, again, against internal-registry.com. If you can't, then the issue is with the docker client, but I suspect that you will be able to replicate this issue on other clients.

Make sure the docker image (Above was wrong).
This Link helped me create a Read & Browse privilege on the repository on the Nexus side. After that, I was able to pull the image successfully.

Related

Nexus - authentication password: must not be blank

Our Nexus (Nexus3 3.38.0) is currently down and just keeps on restarting. We use docker to run Nexus as a container, and when we check the container logs, we get this error:
javax.validation.ConstraintViolationException: attributes[httpclient].authentication.password: must not be blank
We got these error logs after shutting down Nexus and restarting the docker service.
We suspect it might be due to one of the proxy repository password fields that became blank (which we usually update using curl from a Jenkins job).
Can you please suggest if:
There is any workaround for this issue
Since we can't open the Nexus portal, can we fix this using backend / config files?
Is there any way to disable / delete docker proxy repository using nexus data / config files?
Any other suggestion which might help us here

How to deploy To Azure App Service WebSite from Docker Hub using Bicep

Summary:
I have made many attempts to deploy a simple C# Blazor image in a public DockerHub repo to an Azure App Service web site. All attempts using bicep and the Azure portal have failed.
Goal:
Use bicep inside of a Github action (CI/CD pipeline) to deploy from public DockerHub repo to Azure App Service Web Site. (I'm also curious as to how to do it on the portal).
What Works:
This powershell command successfully deploys my DockerHub image to the Azure App Service Web site:
az.cmd webapp create --name DockerhubDeployDemo004 --resource-group rg_ --plan Basic-ASP -s siegfried01 -w topsecretet --deployment-container-image-name siegfried01/demovisualstudiocicdforblazorserver
This bicep for creating an azure container instance also works.
Error Messages from Failed Attempts:
From the log files in the azure portal I get:
2022-05-20T21:50:35.914Z ERROR - DockerApiException: Docker API responded with status code=NotFound, response={"message":"pull access denied for demovisualstudiocicdforblazorserver, repository does not exist or may require 'docker login': denied: requested access to the resource is denied"}
2022-05-20T21:50:35.915Z ERROR - Pulling docker image docker.io/demovisualstudiocicdforblazorserver failed:
2022-05-20T21:50:35.916Z WARN - Image pull failed. Defaulting to local copy if present.
2022-05-20T21:50:35.923Z ERROR - Image pull failed: Verify docker image configuration and credentials (if using private repository)
2022-05-20T21:50:35.928Z INFO - Stopping site dockerdeploydemo003 because it failed during startup.
/home/LogFiles/2022_05_20_lw1sdlwk000FX5_docker.log (https://dockerdeploydemo003.scm.azurewebsites.net/api/vfs/LogFiles/2022_05_20_lw1sdlwk000FX5_docker.log)
2022-05-20T21:35:47.559Z WARN - Image pull failed. Defaulting to local copy if present.
2022-05-20T21:35:47.562Z ERROR - Image pull failed: Verify docker image configuration and credentials (if using private repository)
Failing Bicep Code:
I tried exporting the ARM code from the successful powershell deployment and the failed portal attempts and converting it to bicep. In both cases the code was very similar. In both cases I had to add/edit the app settings containing the dockerhub URL, account and password. I always received the above error messages. After deploying using bicep code, I could go back into the portal and view the appsettings (dockerhub creds & URL). They looked correct.
References:
Nice DockerHub example but no bicep code. It says to use index.docker.io for the server and I tried that (did not work). I also tried using https://index.docker.io/v1/ for the server URL and that did not work either.
Nice Bicep Example but uses ACR instead of DockerHub
Another nice Bicep Example that uses ACR instead of DockerHub.
I was surprised I could not find the documentation on the DockerHub site!
Please help me correct my bicep code. I suspect I'm not specifying the correct URL or server for DockerHub.
Thanks
Siegfried
I could not find the web page on Dockerhub that gave the detailed information I was looking for (like the URL). However, the docker Info command as described here was very helpful.
This bicep code did the trick for me (with some help from the bicep support on github):
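// dockerhubPassword, dockerUsername and the parent resource `web`
// are declared elsewhere in the template (not shown in the post).
var appConfigNew = {
  DOCKER_ENABLE_CI: 'true'
  DOCKER_REGISTRY_SERVER_PASSWORD: dockerhubPassword
  DOCKER_REGISTRY_SERVER_URL: 'https://index.docker.io/v1/'
  DOCKER_REGISTRY_SERVER_USERNAME: dockerUsername
}
// App settings that hand the registry URL and credentials to App Service.
resource appSettings 'Microsoft.Web/sites/config@2021-01-15' = {
  name: 'appsettings'
  parent: web
  properties: appConfigNew
}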
And lastly, I discovered this by trial and error:
linuxFxVersion: 'DOCKER|${dockerUsername}/demovisualstudiocicdforblazorserver:${tag}'
Wow! I really worked hard for this one!

Compute Engine fails to connect to Container Registry

I am trying to pull my Container Registry docker image but it fails with:
Error response from daemon: unauthorized: You don't have the needed permissions to perform this operation, and you may have invalid credentials. To authenticate your request, follow the steps in: https://cloud.google.com/container-registry/docs/advanced-authentication
I am on a compute engine instance so I believe it's already configured to pull? I also checked the service account and roles.
I even added storage viewer role to my compute engine service account
What is wrong here?
In addition to permissions, you need to authenticate your compute engine to connect to container registry. Please see Advanced Authentication for more details.

Unable to anonymously pull images from okd/openshift-origin docker registry using docker pull

Using okd/openshift-origin 3.11 (and previous versions) we've been unable to get anonymous image pulls working.
We've tried adding various groups to the registry-viewer role as indicated by the instructions from the merge request where the feature was added.
We've tried:
oc policy add-role-to-user registry-viewer system:anonymous -n <project>
oc policy add-role-to-user registry-viewer system:unauthenticated -n <project>
When viewing the registry in the GUI the access policy shows Anonymous: Allow all unauthenticated users to pull images
Yet this is the result when trying to pull:
docker pull docker-registry-default.$cluster/$project/$image:latest
Error response from daemon: Get https://docker-registry-default.$cluster/v2/$project/$image/manifests/latest: unauthorized: authentication required
What are we missing?
If there is a $HOME/.docker/config.json credential file on the client machine, could you try whether you can pull the image after removing the credential file (or backing it up)?
Because docker pull uses $HOME/.docker/config.json by default, it can cause unexpected authorization trouble like this by authenticating with the credentials in that file. By removing the docker credential file (config.json), you can verify whether docker pull is performed as an unauthenticated user.
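A less destructive way to run the check suggested above is to read config.json and report whether it holds anything for the registry in question. This is an added example, not code from the post; the sample config, the host names and the simplified lookup order are assumptions.

```python
import json
from urllib.parse import urlparse

# Constructed sample of $HOME/.docker/config.json; hosts and values are placeholders.
SAMPLE_CONFIG = json.dumps({
    "auths": {
        "https://docker-registry-default.example.test": {"auth": "Y29uc3RydWN0ZWQ6c2FtcGxl"},
        "https://index.docker.io/v1/": {},
    },
    "credHelpers": {"gcr.io": "gcloud"},
})


def registry_host(key):
    """Normalise a config key ('https://host/v1/' or 'host:port') to host[:port]."""
    return urlparse(key if "://" in key else "//" + key).netloc.lower()


def credential_source(config_text, registry):
    """Return where the client would find credentials for `registry`, or None
    if nothing is stored and the pull would go out unauthenticated.
    Simplified model (assumption): per-registry helper first, then inline
    auth, then the global credsStore for registries listed under auths."""
    cfg = json.loads(config_text)
    host = registry_host(registry)
    for key, helper in cfg.get("credHelpers", {}).items():
        if registry_host(key) == host:
            return "credHelpers:" + helper
    for key, entry in cfg.get("auths", {}).items():
        if registry_host(key) != host:
            continue
        if entry.get("auth") or entry.get("identitytoken"):
            return "auths"
        if cfg.get("credsStore"):
            return "credsStore:" + cfg["credsStore"]
    return None


if __name__ == "__main__":
    for reg in ("docker-registry-default.example.test", "gcr.io", "index.docker.io"):
        # Only the source is reported; the stored secret is never printed.
        print(reg, "->", credential_source(SAMPLE_CONFIG, reg) or "anonymous")
```
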

Nexus Docker Registry - Failing anonymous pull

I'm using Sonatype Nexus as a Private Docker Registry.
While it works with authenticated users, trying to use anonymous user to pull images doesn't work. This happens only on a docker client.
Using the Nexus UI (not logged in) I'm able to browse images on my repo. But trying to pull the images I get an 'Unauthorized' error.
The following is a capture stream of communication between the Docker Client and the Nexus repository:
Wireshark packet capture
This is strange, as the anonymous access is enabled, and according to the docs, I may have a Docker Hosted Registry (with RW access through HTTPs port) and a Docker Group Registry, pointing to a Docker Hosted Registry, with RO/Anonymous access.
This feature was added in Nexus 3.6. According to the documentation:
Under Security > Realms, enable the “Docker Bearer Token Realm”
Uncheck “Force basic authentication” in the repository configuration
Nexus caused me quite some headache until I found a rather obscure Sonatype post that states not to change the anonymous realm.
So the steps I followed to get this working (tested in Nexus 3.19.1 to 3.38.1):
1. Same as the answer by @andrewdotn (enable the Docker Bearer Token Realm in the Security > Realms section)
2. Enable the anonymous access FOR the Local Authorizing Realm (as stated in the above mentioned link)
3. Create the docker(proxy) repository (in this example to proxy hub.docker.com)
3.1. enable the HTTP / HTTPS endpoint (depending on whether you use SSL to Nexus or a reverse proxy)
3.2. enable "Allow anonymous docker pull (Docker Bearer Token Realm required)"
3.3. enter "https://registry-1.docker.io" as "Location of the remote repository" (for the docker-hub)
3.4. set the "Docker Index" to use the docker hub index (aka.: "Use Docker Hub")
3.5. save
4. Make sure your anonymous user has the right to read the new repository (the default anon-role will allow read access to quite a bit more, but should already allow anon pull)
4.1. (OPTIONAL) If you want to restrict the anonymous user as much as possible (i.e.: to only allow docker pull), create a role "nx-docker_read" (or similar) and give it the "nx-repository-view-docker-*-read" privilege. (This will allow any user in the group to pull images from any docker repository that allows anon pull, but not see anything on the web-ui.)
4.2. (if u did 4.1) now all that's left is to change the group of the anon user to ur new role (in my example "nx-docker_read") and remove it from "nx-anonymous" => anon-users can no longer browse Nexus on the web-ui but can still pull images
The Docker Registry API requires authentication for registry access, even for pull operations, and so does Nexus 3.
Dockerhub always requires an access token, even for pulls.
But the reason why you can pull anonymously from dockerhub is that it uses a token server which automatically gives out access tokens to anonymous users.
This mechanism is not available for the moment with Nexus 3.0.1.
Perhaps it will be implemented (https://issues.sonatype.org/browse/NEXUS-10813).
So for the moment with Nexus 3, you will always need to be logged in before pulling an image (possibly as the anonymous user, if your rights are set this way).
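The token-server behaviour described in this answer is visible in the 401 response a registry sends: a Bearer challenge names a token endpoint the client can ask for a pull token, while a Basic challenge leaves only username/password. The parser below is an added example, not code from the answer or from Nexus; the header values and host names are constructed.

```python
import re
from urllib.parse import urlencode

# Constructed WWW-Authenticate values in the shape used by the registry token flow.
BEARER = ('Bearer realm="https://auth.example.test/token",'
          'service="registry.example.test",'
          'scope="repository:library/prometheus:pull"')
BASIC = 'Basic realm="Example Registry"'

_PARAM = re.compile(r'(\w+)="([^"]*)"')


def parse_challenge(header):
    """Split a WWW-Authenticate value into (scheme, {param: value})."""
    scheme, _, rest = header.strip().partition(" ")
    return scheme.lower(), dict(_PARAM.findall(rest))


def token_url(header, repository=None):
    """Return the URL a client would GET to obtain a pull token, or None when
    the registry offers no token service (for example a Basic-only challenge).
    `repository` is a fallback used only if the challenge carries no scope."""
    scheme, params = parse_challenge(header)
    if scheme != "bearer" or "realm" not in params:
        return None
    query = {}
    if "service" in params:
        query["service"] = params["service"]
    scope = params.get("scope")
    if not scope and repository:
        scope = "repository:%s:pull" % repository
    if scope:
        query["scope"] = scope
    return params["realm"] + ("?" + urlencode(query) if query else "")


if __name__ == "__main__":
    for name, header in (("bearer", BEARER), ("basic", BASIC)):
        print(name, "->", token_url(header) or "no token endpoint: credentials required")
```
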
