Description
I'm unable to pull the public image nabo.codimd.dev/hackmdio/hackmd:2.1.0 using containerd on Azure Kubernetes Service and kind. nabo.codimd.dev seems to be an Amazon CloudFront CDN that CodiMD has placed in front of the docker.io registry.
Pulling the same image directly from docker.io (docker.io/hackmdio/hackmd:2.1.0) works without issues.
I've uploaded HAR files of the requests made by the following commands to a gist, https://gist.github.com/tongpu/09afa9d712f19d332455772481ad8753:
- ctr image pull nabo.codimd.dev/hackmdio/hackmd:2.1.0
- ctr image pull docker.io/hackmdio/hackmd:2.1.0
- docker pull hackmdio/hackmd:2.1.0
Steps to reproduce the issue:
ctr image pull nabo.codimd.dev/hackmdio/hackmd:2.1.0
Describe the results you received:
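I'm unable to pull the image. The manifest HEAD request to nabo.codimd.dev is answered with 401 Unauthorized and a Bearer challenge that names https://auth.docker.io/token as the token realm and registry.docker.io as the service, and the debug output shown ends at that point: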
$ ctr --debug image pull nabo.codimd.dev/hackmdio/hackmd:2.1.0
DEBU[0000] fetching image="nabo.codimd.dev/hackmdio/hackmd:2.1.0"
DEBU[0000] resolving host=nabo.codimd.dev
DEBU[0000] do request host=nabo.codimd.dev request.header.accept="application/vnd.docker.distribution.manifest.v2+json, application/vnd.docker.distribution.manifest.list.v2+json, application/vnd.oci.image.manifest.v1+json, application/vnd.oci.image.index.v1+json, */*" request.header.user-agent=containerd/v1.4.0-106-gce4439a8 request.method=HEAD url="https://nabo.codimd.dev/v2/hackmdio/hackmd/manifests/2.1.0"
DEBU[0001] fetch response received host=nabo.codimd.dev response.header.content-length=158 response.header.content-type=application/json response.header.date="Fri, 14 May 2021 10:14:04 GMT" response.header.docker-distribution-api-version=registry/2.0 response.header.strict-transport-security="max-age=31536000" response.header.www-authenticate="Bearer realm=\"https://auth.docker.io/token\",service=\"registry.docker.io\",scope=\"repository:hackmdio/hackmd:pull\"" response.status="401 Unauthorized" url="https://nabo.codimd.dev/v2/hackmdio/hackmd/manifests/2.1.0"
DEBU[0001] Unauthorized header="Bearer realm=\"https://auth.docker.io/token\",service=\"registry.docker.io\",scope=\"repository:hackmdio/hackmd:pull\"" host=nabo.codimd.dev
Describe the results you expected:
Unable to pull the image because of missing authorization.
What version of containerd are you using:
$ containerd --version
containerd github.com/containerd/containerd v1.4.0-106-gce4439a8 ce4439a8151f77dc50adb655ab4852ee9c366589
Any other relevant information (runC version, CRI configuration, OS/Kernel version, etc.):
runc --version
$ runc --version
runc version 1.0.0-rc92
spec: 1.0.2-dev
crictl info
$ crictl info
{
"status": {
"conditions": [
{
"type": "RuntimeReady",
"status": true,
"reason": "",
"message": ""
},
{
"type": "NetworkReady",
"status": true,
"reason": "",
"message": ""
}
]
},
"cniconfig": {
"PluginDirs": [
"/opt/cni/bin"
],
"PluginConfDir": "/etc/cni/net.d",
"PluginMaxConfNum": 1,
"Prefix": "eth",
"Networks": [
{
"Config": {
"Name": "cni-loopback",
"CNIVersion": "0.3.1",
"Plugins": [
{
"Network": {
"type": "loopback",
"ipam": {},
"dns": {}
},
"Source": "{\"type\":\"loopback\"}"
}
],
"Source": "{\n\"cniVersion\": \"0.3.1\",\n\"name\": \"cni-loopback\",\n\"plugins\": [{\n \"type\": \"loopback\"\n}]\n}"
},
"IFName": "lo"
},
{
"Config": {
"Name": "kindnet",
"CNIVersion": "0.3.1",
"Plugins": [
{
"Network": {
"type": "ptp",
"ipam": {
"type": "host-local"
},
"dns": {}
},
"Source": "{\"ipMasq\":false,\"ipam\":{\"dataDir\":\"/run/cni-ipam-state\",\"ranges\":[[{\"subnet\":\"10.244.0.0/24\"}]],\"routes\":[{\"dst\":\"0.0.0.0/0\"}],\"type\":\"host-local\"},\"mtu\":1500,\"type\":\"ptp\"}"
},
{
"Network": {
"type": "portmap",
"capabilities": {
"portMappings": true
},
"ipam": {},
"dns": {}
},
"Source": "{\"capabilities\":{\"portMappings\":true},\"type\":\"portmap\"}"
}
],
"Source": "\n{\n\t\"cniVersion\": \"0.3.1\",\n\t\"name\": \"kindnet\",\n\t\"plugins\": [\n\t{\n\t\t\"type\": \"ptp\",\n\t\t\"ipMasq\": false,\n\t\t\"ipam\": {\n\t\t\t\"type\": \"host-local\",\n\t\t\t\"dataDir\": \"/run/cni-ipam-state\",\n\t\t\t\"routes\": [\n\t\t\t\t{\n\t\t\t\t\t\"dst\": \"0.0.0.0/0\"\n\t\t\t\t}\n\t\t\t],\n\t\t\t\"ranges\": [\n\t\t\t[\n\t\t\t\t{\n\t\t\t\t\t\"subnet\": \"10.244.0.0/24\"\n\t\t\t\t}\n\t\t\t]\n\t\t]\n\t\t}\n\t\t,\n\t\t\"mtu\": 1500\n\t\t\n\t},\n\t{\n\t\t\"type\": \"portmap\",\n\t\t\"capabilities\": {\n\t\t\t\"portMappings\": true\n\t\t}\n\t}\n\t]\n}\n"
},
"IFName": "eth0"
}
]
},
"config": {
"containerd": {
"snapshotter": "overlayfs",
"defaultRuntimeName": "runc",
"defaultRuntime": {
"runtimeType": "",
"runtimeEngine": "",
"PodAnnotations": null,
"ContainerAnnotations": null,
"runtimeRoot": "",
"options": null,
"privileged_without_host_devices": false,
"baseRuntimeSpec": ""
},
"untrustedWorkloadRuntime": {
"runtimeType": "",
"runtimeEngine": "",
"PodAnnotations": null,
"ContainerAnnotations": null,
"runtimeRoot": "",
"options": null,
"privileged_without_host_devices": false,
"baseRuntimeSpec": ""
},
"runtimes": {
"runc": {
"runtimeType": "io.containerd.runc.v2",
"runtimeEngine": "",
"PodAnnotations": null,
"ContainerAnnotations": null,
"runtimeRoot": "",
"options": null,
"privileged_without_host_devices": false,
"baseRuntimeSpec": ""
},
"test-handler": {
"runtimeType": "io.containerd.runc.v2",
"runtimeEngine": "",
"PodAnnotations": null,
"ContainerAnnotations": null,
"runtimeRoot": "",
"options": null,
"privileged_without_host_devices": false,
"baseRuntimeSpec": ""
}
},
"noPivot": false,
"disableSnapshotAnnotations": false,
"discardUnpackedLayers": false
},
"cni": {
"binDir": "/opt/cni/bin",
"confDir": "/etc/cni/net.d",
"maxConfNum": 1,
"confTemplate": ""
},
"registry": {
"mirrors": {
"docker.io": {
"endpoint": [
"https://registry-1.docker.io"
]
}
},
"configs": null,
"auths": null,
"headers": null
},
"imageDecryption": {
"keyModel": ""
},
"disableTCPService": true,
"streamServerAddress": "127.0.0.1",
"streamServerPort": "0",
"streamIdleTimeout": "4h0m0s",
"enableSelinux": false,
"selinuxCategoryRange": 1024,
"sandboxImage": "k8s.gcr.io/pause:3.3",
"statsCollectPeriod": 10,
"systemdCgroup": false,
"enableTLSStreaming": false,
"x509KeyPairStreaming": {
"tlsCertFile": "",
"tlsKeyFile": ""
},
"maxContainerLogSize": 16384,
"disableCgroup": false,
"disableApparmor": false,
"restrictOOMScoreAdj": false,
"maxConcurrentDownloads": 3,
"disableProcMount": false,
"unsetSeccompProfile": "",
"tolerateMissingHugetlbController": true,
"disableHugetlbController": true,
"ignoreImageDefinedVolumes": false,
"containerdRootDir": "/var/lib/containerd",
"containerdEndpoint": "/run/containerd/containerd.sock",
"rootDir": "/var/lib/containerd/io.containerd.grpc.v1.cri",
"stateDir": "/run/containerd/io.containerd.grpc.v1.cri"
},
"golang": "go1.13.15",
"lastCNILoadStatus": "OK"
}
uname -a
$ uname -a
Linux kind-control-plane 5.11.16-arch1-1 #1 SMP PREEMPT Wed, 21 Apr 2021 17:22:13 +0000 x86_64 x86_64 x86_64 GNU/Linux