Docker 28.3.3: clients apparently can no longer push unauthenticatedly to registry without X-Registry-Auth header present

[felixfontein]

Description

I noticed that once Docker daemon is updated to 28.3.3, that I can no longer push to an unprotected registry without providing X-Registry-Auth. This happens for example when using Docker SDK for Python's APIClient.push(), which only provides X-Registry-Auth when credentials are present.

Setting X-Registry-Auth to {} or e30= (Base64 of {}) seems to fix the issue.

I got the idea to send a non-empty header from #50415. The registry in question is distribution:2.8.3 (https://github.com/distribution/distribution/releases/tag/v2.8.3), if that's relevant.

(I reproduced this with Ansible's community.docker's docker_image module, both on RHEL 9.6 and on Arch Linux, with Docker 28.3.3.)

Reproduce

Start a distribution:2.8.3 registry.
Use Docker SDK for Python to push an image to it.

Expected behavior

It works.

docker version

28.3.3

docker info

(should not be relevant)

Additional Info

No response

[felixfontein]

Reproducer:

Run on shell:

docker run --name registry --publish 5000:5000 --detach registry:2.8.3
docker pull hello-world:latest
docker tag hello-world:latest localhost:5000/hello-world:latest

Run in Python, with Docker SDK for Python available:

import docker
list(docker.APIClient().push("localhost:5000/hello-world:latest", stream=True, decode=True))

Result:

Traceback (most recent call last):
  File "/usr/lib/python3.13/http/client.py", line 579, in _get_chunk_left
    chunk_left = self._read_next_chunk_size()
  File "/usr/lib/python3.13/http/client.py", line 546, in _read_next_chunk_size
    return int(line, 16)
ValueError: invalid literal for int() with base 16: b''

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/lib/python3.13/http/client.py", line 597, in _read_chunked
    while (chunk_left := self._get_chunk_left()) is not None:
                         ~~~~~~~~~~~~~~~~~~~~^^
  File "/usr/lib/python3.13/http/client.py", line 581, in _get_chunk_left
    raise IncompleteRead(b'')
http.client.IncompleteRead: IncompleteRead(0 bytes read)

The above exception was the direct cause of the following exception:

Traceback (most recent call last):
  File "/usr/lib/python3.13/site-packages/urllib3/response.py", line 779, in _error_catcher
    yield
  File "/usr/lib/python3.13/site-packages/urllib3/response.py", line 904, in _raw_read
    data = self._fp_read(amt, read1=read1) if not fp_closed else b""
           ~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.13/site-packages/urllib3/response.py", line 887, in _fp_read
    return self._fp.read(amt) if amt is not None else self._fp.read()
           ~~~~~~~~~~~~~^^^^^
  File "/usr/lib/python3.13/http/client.py", line 473, in read
    return self._read_chunked(amt)
           ~~~~~~~~~~~~~~~~~~^^^^^
  File "/usr/lib/python3.13/http/client.py", line 609, in _read_chunked
    raise IncompleteRead(b''.join(value)) from exc
http.client.IncompleteRead: IncompleteRead(0 bytes read)

The above exception was the direct cause of the following exception:

Traceback (most recent call last):
  File "<python-input-1>", line 1, in <module>
    list(docker.APIClient().push("localhost:5000/hello-world:latest", stream=True, decode=True))
    ~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/path/to/docker-py/docker/api/client.py", line 360, in _stream_helper
    yield from json_stream(self._stream_helper(response, False))
  File "/path/to/docker-py/docker/utils/json_stream.py", line 60, in split_buffer
    for data in stream_as_text(stream):
                ~~~~~~~~~~~~~~^^^^^^^^
  File "/path/to/docker-py/docker/utils/json_stream.py", line 16, in stream_as_text
    for data in stream:
                ^^^^^^
  File "/path/to/docker-py/docker/api/client.py", line 365, in _stream_helper
    data = reader.read(1)
  File "/usr/lib/python3.13/site-packages/urllib3/response.py", line 980, in read
    data = self._raw_read(amt)
  File "/usr/lib/python3.13/site-packages/urllib3/response.py", line 903, in _raw_read
    with self._error_catcher():
         ~~~~~~~~~~~~~~~~~~~^^
  File "/usr/lib/python3.13/contextlib.py", line 162, in __exit__
    self.gen.throw(value)
    ~~~~~~~~~~~~~~^^^^^^^
  File "/usr/lib/python3.13/site-packages/urllib3/response.py", line 806, in _error_catcher
    raise ProtocolError(f"Connection broken: {e!r}", e) from e
urllib3.exceptions.ProtocolError: ('Connection broken: IncompleteRead(0 bytes read)', IncompleteRead(0 bytes read))

[felixfontein]

When using list(docker.APIClient().push("localhost:5000/hello-world:latest", stream=True, decode=True, auth_config={})), which sends X-Registry-Auth as e30=, it works fine.

[felixfontein]

(Might be caused by #50371.)

[mdaffad]

Hi, I'm willing to investigate this further!

[thaJeztah]

This should be fixed by #50730, which was backported #50738 to be included in the 28.4 release