Description
I'm unable to pull the public image nabo.codimd.dev/hackmdio/hackmd:2.1.0 using containerd on Azure Kubernetes Service and kind. nabo.codimd.dev seems to be an Amazon CloudFront CDN that has been placed in front of the docker.io registry by CodiMD.
Pulling the same image directly from docker.io (docker.io/hackmdio/hackmd:2.1.0) works without issues.
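I've uploaded HAR files for the requests made by the following commands in a gist https://gist.github.com/tongpu/09afa9d712f19d332455772481ad8753:
ctr image pull nabo.codimd.dev/hackmdio/hackmd:2.1.0
ctr image pull docker.io/hackmdio/hackmd:2.1.0
docker pull hackmdio/hackmd:2.1.0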
Steps to reproduce the issue:
ctr image pull nabo.codimd.dev/hackmdio/hackmd:2.1.0
Describe the results you received:
I'm unable to pull the image:
$ ctr --debug image pull nabo.codimd.dev/hackmdio/hackmd:2.1.0
DEBU[0000] fetching image="nabo.codimd.dev/hackmdio/hackmd:2.1.0"
DEBU[0000] resolving host=nabo.codimd.dev
DEBU[0000] do request host=nabo.codimd.dev request.header.accept="application/vnd.docker.distribution.manifest.v2+json, application/vnd.docker.distribution.manifest.list.v2+json, application/vnd.oci.image.manifest.v1+json, application/vnd.oci.image.index.v1+json, */*" request.header.user-agent=containerd/v1.4.0-106-gce4439a8 request.method=HEAD url="https://nabo.codimd.dev/v2/hackmdio/hackmd/manifests/2.1.0"
DEBU[0001] fetch response received host=nabo.codimd.dev response.header.content-length=158 response.header.content-type=application/json response.header.date="Fri, 14 May 2021 10:14:04 GMT" response.header.docker-distribution-api-version=registry/2.0 response.header.strict-transport-security="max-age=31536000" response.header.www-authenticate="Bearer realm=\"https://auth.docker.io/token\",service=\"registry.docker.io\",scope=\"repository:hackmdio/hackmd:pull\"" response.status="401 Unauthorized" url="https://nabo.codimd.dev/v2/hackmdio/hackmd/manifests/2.1.0"
DEBU[0001] Unauthorized header="Bearer realm=\"https://auth.docker.io/token\",service=\"registry.docker.io\",scope=\"repository:hackmdio/hackmd:pull\"" host=nabo.codimd.dev
Describe the results you expected:
Unable to pull the image because of missing authorization.
What version of containerd are you using:
$ containerd --version
containerd github.com/containerd/containerd v1.4.0-106-gce4439a8 ce4439a8151f77dc50adb655ab4852ee9c366589
Any other relevant information (runC version, CRI configuration, OS/Kernel version, etc.):
runc --version
$ runc --version
runc version 1.0.0-rc92
spec: 1.0.2-dev
crictl info
$ crictl info
{
"status": {
"conditions": [
{
"type": "RuntimeReady",
"status": true,
"reason": "",
"message": ""
},
{
"type": "NetworkReady",
"status": true,
"reason": "",
"message": ""
}
]
},
"cniconfig": {
"PluginDirs": [
"/opt/cni/bin"
],
"PluginConfDir": "/etc/cni/net.d",
"PluginMaxConfNum": 1,
"Prefix": "eth",
"Networks": [
{
"Config": {
"Name": "cni-loopback",
"CNIVersion": "0.3.1",
"Plugins": [
{
"Network": {
"type": "loopback",
"ipam": {},
"dns": {}
},
"Source": "{\"type\":\"loopback\"}"
}
],
"Source": "{\n\"cniVersion\": \"0.3.1\",\n\"name\": \"cni-loopback\",\n\"plugins\": [{\n \"type\": \"loopback\"\n}]\n}"
},
"IFName": "lo"
},
{
"Config": {
"Name": "kindnet",
"CNIVersion": "0.3.1",
"Plugins": [
{
"Network": {
"type": "ptp",
"ipam": {
"type": "host-local"
},
"dns": {}
},
"Source": "{\"ipMasq\":false,\"ipam\":{\"dataDir\":\"/run/cni-ipam-state\",\"ranges\":[[{\"subnet\":\"10.244.0.0/24\"}]],\"routes\":[{\"dst\":\"0.0.0.0/0\"}],\"type\":\"host-local\"},\"mtu\":1500,\"type\":\"ptp\"}"
},
{
"Network": {
"type": "portmap",
"capabilities": {
"portMappings": true
},
"ipam": {},
"dns": {}
},
"Source": "{\"capabilities\":{\"portMappings\":true},\"type\":\"portmap\"}"
}
],
"Source": "\n{\n\t\"cniVersion\": \"0.3.1\",\n\t\"name\": \"kindnet\",\n\t\"plugins\": [\n\t{\n\t\t\"type\": \"ptp\",\n\t\t\"ipMasq\": false,\n\t\t\"ipam\": {\n\t\t\t\"type\": \"host-local\",\n\t\t\t\"dataDir\": \"/run/cni-ipam-state\",\n\t\t\t\"routes\": [\n\t\t\t\t{\n\t\t\t\t\t\"dst\": \"0.0.0.0/0\"\n\t\t\t\t}\n\t\t\t],\n\t\t\t\"ranges\": [\n\t\t\t[\n\t\t\t\t{\n\t\t\t\t\t\"subnet\": \"10.244.0.0/24\"\n\t\t\t\t}\n\t\t\t]\n\t\t]\n\t\t}\n\t\t,\n\t\t\"mtu\": 1500\n\t\t\n\t},\n\t{\n\t\t\"type\": \"portmap\",\n\t\t\"capabilities\": {\n\t\t\t\"portMappings\": true\n\t\t}\n\t}\n\t]\n}\n"
},
"IFName": "eth0"
}
]
},
"config": {
"containerd": {
"snapshotter": "overlayfs",
"defaultRuntimeName": "runc",
"defaultRuntime": {
"runtimeType": "",
"runtimeEngine": "",
"PodAnnotations": null,
"ContainerAnnotations": null,
"runtimeRoot": "",
"options": null,
"privileged_without_host_devices": false,
"baseRuntimeSpec": ""
},
"untrustedWorkloadRuntime": {
"runtimeType": "",
"runtimeEngine": "",
"PodAnnotations": null,
"ContainerAnnotations": null,
"runtimeRoot": "",
"options": null,
"privileged_without_host_devices": false,
"baseRuntimeSpec": ""
},
"runtimes": {
"runc": {
"runtimeType": "io.containerd.runc.v2",
"runtimeEngine": "",
"PodAnnotations": null,
"ContainerAnnotations": null,
"runtimeRoot": "",
"options": null,
"privileged_without_host_devices": false,
"baseRuntimeSpec": ""
},
"test-handler": {
"runtimeType": "io.containerd.runc.v2",
"runtimeEngine": "",
"PodAnnotations": null,
"ContainerAnnotations": null,
"runtimeRoot": "",
"options": null,
"privileged_without_host_devices": false,
"baseRuntimeSpec": ""
}
},
"noPivot": false,
"disableSnapshotAnnotations": false,
"discardUnpackedLayers": false
},
"cni": {
"binDir": "/opt/cni/bin",
"confDir": "/etc/cni/net.d",
"maxConfNum": 1,
"confTemplate": ""
},
"registry": {
"mirrors": {
"docker.io": {
"endpoint": [
"https://registry-1.docker.io"
]
}
},
"configs": null,
"auths": null,
"headers": null
},
"imageDecryption": {
"keyModel": ""
},
"disableTCPService": true,
"streamServerAddress": "127.0.0.1",
"streamServerPort": "0",
"streamIdleTimeout": "4h0m0s",
"enableSelinux": false,
"selinuxCategoryRange": 1024,
"sandboxImage": "k8s.gcr.io/pause:3.3",
"statsCollectPeriod": 10,
"systemdCgroup": false,
"enableTLSStreaming": false,
"x509KeyPairStreaming": {
"tlsCertFile": "",
"tlsKeyFile": ""
},
"maxContainerLogSize": 16384,
"disableCgroup": false,
"disableApparmor": false,
"restrictOOMScoreAdj": false,
"maxConcurrentDownloads": 3,
"disableProcMount": false,
"unsetSeccompProfile": "",
"tolerateMissingHugetlbController": true,
"disableHugetlbController": true,
"ignoreImageDefinedVolumes": false,
"containerdRootDir": "/var/lib/containerd",
"containerdEndpoint": "/run/containerd/containerd.sock",
"rootDir": "/var/lib/containerd/io.containerd.grpc.v1.cri",
"stateDir": "/run/containerd/io.containerd.grpc.v1.cri"
},
"golang": "go1.13.15",
"lastCNILoadStatus": "OK"
}
uname -a
$ uname -a
Linux kind-control-plane 5.11.16-arch1-1 #1 SMP PREEMPT Wed, 21 Apr 2021 17:22:13 +0000 x86_64 x86_64 x86_64 GNU/Linux
Description
I'm unable to pull the public image nabo.codimd.dev/hackmdio/hackmd:2.1.0 using containerd on Azure Kubernetes Service and kind. nabo.codimd.dev seems to be an Amazon CloudFront CDN that has been placed in front of the docker.io registry by CodiMD.
Pulling the same image directly from docker.io (docker.io/hackmdio/hackmd:2.1.0) works without issues.
I've uploaded HAR files for the requests made by the following commands in a gist https://gist.github.com/tongpu/09afa9d712f19d332455772481ad8753:
ctr image pull nabo.codimd.dev/hackmdio/hackmd:2.1.0
ctr image pull docker.io/hackmdio/hackmd:2.1.0
docker pull hackmdio/hackmd:2.1.0
Steps to reproduce the issue:
ctr image pull nabo.codimd.dev/hackmdio/hackmd:2.1.0
Describe the results you received:
I'm unable to pull the image:
Describe the results you expected:
Unable to pull the image because of missing authorization.
What version of containerd are you using:
Any other relevant information (runC version, CRI configuration, OS/Kernel version, etc.):
runc --versioncrictl info$ crictl info { "status": { "conditions": [ { "type": "RuntimeReady", "status": true, "reason": "", "message": "" }, { "type": "NetworkReady", "status": true, "reason": "", "message": "" } ] }, "cniconfig": { "PluginDirs": [ "/opt/cni/bin" ], "PluginConfDir": "/etc/cni/net.d", "PluginMaxConfNum": 1, "Prefix": "eth", "Networks": [ { "Config": { "Name": "cni-loopback", "CNIVersion": "0.3.1", "Plugins": [ { "Network": { "type": "loopback", "ipam": {}, "dns": {} }, "Source": "{\"type\":\"loopback\"}" } ], "Source": "{\n\"cniVersion\": \"0.3.1\",\n\"name\": \"cni-loopback\",\n\"plugins\": [{\n \"type\": \"loopback\"\n}]\n}" }, "IFName": "lo" }, { "Config": { "Name": "kindnet", "CNIVersion": "0.3.1", "Plugins": [ { "Network": { "type": "ptp", "ipam": { "type": "host-local" }, "dns": {} }, "Source": "{\"ipMasq\":false,\"ipam\":{\"dataDir\":\"/run/cni-ipam-state\",\"ranges\":[[{\"subnet\":\"10.244.0.0/24\"}]],\"routes\":[{\"dst\":\"0.0.0.0/0\"}],\"type\":\"host-local\"},\"mtu\":1500,\"type\":\"ptp\"}" }, { "Network": { "type": "portmap", "capabilities": { "portMappings": true }, "ipam": {}, "dns": {} }, "Source": "{\"capabilities\":{\"portMappings\":true},\"type\":\"portmap\"}" } ], "Source": "\n{\n\t\"cniVersion\": \"0.3.1\",\n\t\"name\": \"kindnet\",\n\t\"plugins\": [\n\t{\n\t\t\"type\": \"ptp\",\n\t\t\"ipMasq\": false,\n\t\t\"ipam\": {\n\t\t\t\"type\": \"host-local\",\n\t\t\t\"dataDir\": \"/run/cni-ipam-state\",\n\t\t\t\"routes\": [\n\t\t\t\t{\n\t\t\t\t\t\"dst\": \"0.0.0.0/0\"\n\t\t\t\t}\n\t\t\t],\n\t\t\t\"ranges\": [\n\t\t\t[\n\t\t\t\t{\n\t\t\t\t\t\"subnet\": \"10.244.0.0/24\"\n\t\t\t\t}\n\t\t\t]\n\t\t]\n\t\t}\n\t\t,\n\t\t\"mtu\": 1500\n\t\t\n\t},\n\t{\n\t\t\"type\": \"portmap\",\n\t\t\"capabilities\": {\n\t\t\t\"portMappings\": true\n\t\t}\n\t}\n\t]\n}\n" }, "IFName": "eth0" } ] }, "config": { "containerd": { "snapshotter": "overlayfs", "defaultRuntimeName": "runc", "defaultRuntime": { "runtimeType": "", "runtimeEngine": "", "PodAnnotations": 
null, "ContainerAnnotations": null, "runtimeRoot": "", "options": null, "privileged_without_host_devices": false, "baseRuntimeSpec": "" }, "untrustedWorkloadRuntime": { "runtimeType": "", "runtimeEngine": "", "PodAnnotations": null, "ContainerAnnotations": null, "runtimeRoot": "", "options": null, "privileged_without_host_devices": false, "baseRuntimeSpec": "" }, "runtimes": { "runc": { "runtimeType": "io.containerd.runc.v2", "runtimeEngine": "", "PodAnnotations": null, "ContainerAnnotations": null, "runtimeRoot": "", "options": null, "privileged_without_host_devices": false, "baseRuntimeSpec": "" }, "test-handler": { "runtimeType": "io.containerd.runc.v2", "runtimeEngine": "", "PodAnnotations": null, "ContainerAnnotations": null, "runtimeRoot": "", "options": null, "privileged_without_host_devices": false, "baseRuntimeSpec": "" } }, "noPivot": false, "disableSnapshotAnnotations": false, "discardUnpackedLayers": false }, "cni": { "binDir": "/opt/cni/bin", "confDir": "/etc/cni/net.d", "maxConfNum": 1, "confTemplate": "" }, "registry": { "mirrors": { "docker.io": { "endpoint": [ "https://registry-1.docker.io" ] } }, "configs": null, "auths": null, "headers": null }, "imageDecryption": { "keyModel": "" }, "disableTCPService": true, "streamServerAddress": "127.0.0.1", "streamServerPort": "0", "streamIdleTimeout": "4h0m0s", "enableSelinux": false, "selinuxCategoryRange": 1024, "sandboxImage": "k8s.gcr.io/pause:3.3", "statsCollectPeriod": 10, "systemdCgroup": false, "enableTLSStreaming": false, "x509KeyPairStreaming": { "tlsCertFile": "", "tlsKeyFile": "" }, "maxContainerLogSize": 16384, "disableCgroup": false, "disableApparmor": false, "restrictOOMScoreAdj": false, "maxConcurrentDownloads": 3, "disableProcMount": false, "unsetSeccompProfile": "", "tolerateMissingHugetlbController": true, "disableHugetlbController": true, "ignoreImageDefinedVolumes": false, "containerdRootDir": "/var/lib/containerd", "containerdEndpoint": "/run/containerd/containerd.sock", "rootDir": 
"/var/lib/containerd/io.containerd.grpc.v1.cri", "stateDir": "/run/containerd/io.containerd.grpc.v1.cri" }, "golang": "go1.13.15", "lastCNILoadStatus": "OK" }uname -a