daemon/server: remove compatibility with API v1.4 auth-config on push #50371
Merged
AkihiroSuda merged 1 commit into moby:master from Jul 10, 2025
Docker [API v1.4] and lower expected registry authentication to be sent in
the request body when pushing or pulling ("creating") images. [API v1.5]
(Docker v0.6.1) changed this to use an `X-Registry-Auth` header
instead.
This change was implemented in d04beb7,
which kept a fallback for clients using old (< v1.5) API versions which
would send authentication in the request body.
Given that we no longer support API versions older than v1.24, and clients
using API v1.5 would be over 12 years old.
[API v1.4]: https://github.com/moby/moby/blob/v0.6.1/docs/sources/api/docker_remote_api_v1.4.rst#push-an-image-on-the-registry
[API v1.5]: https://github.com/moby/moby/blob/v0.6.2/docs/sources/api/docker_remote_api_v1.5.rst#push-an-image-on-the-registry
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Benehiko
approved these changes
Jul 10, 2025
AkihiroSuda
approved these changes
Jul 10, 2025
This was referenced Jul 22, 2025
openstack-mirroring
pushed a commit
to openstack/kolla
that referenced
this pull request
Aug 6, 2025
Since Docker 28.3.3 the daemon rejects a push that carries no
`X-Registry-Auth` header [1]. The SDK already sets this header when it
finds credentials, so the breakage happens only on anonymous pushes.
During `PushTask.push_image()` we now check whether the SDK can resolve
credentials for the target registry; if it cannot, we inject
`auth_config={}`, causing the SDK to send the minimal "{}" header that
satisfies the daemon while leaving authenticated pushes unchanged.
Drop this addition when [2] is fixed.
[1] moby/moby#50371
[2] docker/docker-py#3348
Closes-Bug: #2119619
Change-Id: I7a2f3fce223afd74741b40bf62836b325fca5b19
Signed-off-by: Bartosz Bezak <bartosz@stackhpc.com>
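The behaviour this commit message describes, as an added Python sketch that is not kolla's, docker-py's or the daemon's own code: the header value is base64url-encoded JSON, and an anonymous push sends the encoding of `{}` so the header is present without carrying a secret. `registry_host`, `push_headers`, `daemon_accepts` and the credential store are hypothetical names with constructed sample values; `daemon_accepts` only models the "header must be present" rule stated above.

```python
import base64
import json

# Constructed sample credential store keyed by registry host (not real secrets).
SAMPLE_CREDS = {
    "registry.example.com": {"username": "ci-bot", "password": "constructed-token"},
}

def registry_host(repository, default="docker.io"):
    """Return the registry part of 'host[:port]/name', or the default index."""
    first, sep, _ = repository.partition("/")
    # The first path component is a registry only if it looks like a host.
    if sep and ("." in first or ":" in first or first == "localhost"):
        return first
    return default

def encode_registry_auth(auth_config):
    """Serialise an auth config as a header value: base64url of its JSON."""
    raw = json.dumps(auth_config, separators=(",", ":")).encode("utf-8")
    return base64.urlsafe_b64encode(raw).decode("ascii")

def decode_registry_auth(value):
    """Inverse of encode_registry_auth, useful when inspecting a captured header."""
    return json.loads(base64.urlsafe_b64decode(value))

def push_headers(repository, creds=SAMPLE_CREDS):
    """Build push headers; fall back to an empty config for anonymous pushes."""
    auth_config = creds.get(registry_host(repository))
    if auth_config is None:
        auth_config = {}  # workaround: header is present but holds no credentials
    return {"X-Registry-Auth": encode_registry_auth(auth_config)}

def daemon_accepts(headers):
    """Model of the rule described above: a push without the header is rejected."""
    return "X-Registry-Auth" in headers
```

The header is an encoding, not encryption: anything that logs or proxies Engine API requests for an authenticated push can recover the credentials with `decode_registry_auth`.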
openstack-mirroring
pushed a commit
to openstack/openstack
that referenced
this pull request
Aug 6, 2025
* Update kolla from branch 'master'
to 5563c32e652153e9e7856b2c01075c3cdf45403d
- Merge "send empty X-Registry-Auth for anonymous pushes"
- send empty X-Registry-Auth for anonymous pushes
Since Docker 28.3.3 the daemon rejects a push that carries no
`X-Registry-Auth` header [1]. The SDK already sets this header when it
finds credentials, so the breakage happens only on anonymous pushes.
During `PushTask.push_image()` we now check whether the SDK can resolve
credentials for the target registry; if it cannot, we inject
`auth_config={}`, causing the SDK to send the minimal "{}" header that
satisfies the daemon while leaving authenticated pushes unchanged.
Drop this addition when [2] is fixed.
[1] moby/moby#50371
[2] docker/docker-py#3348
Closes-Bug: #2119619
Change-Id: I7a2f3fce223afd74741b40bf62836b325fca5b19
Signed-off-by: Bartosz Bezak <bartosz@stackhpc.com>
openstack-mirroring
pushed a commit
to openstack/kolla
that referenced
this pull request
Aug 6, 2025
Since Docker 28.3.3 the daemon rejects a push that carries no
`X-Registry-Auth` header [1]. The SDK already sets this header when it
finds credentials, so the breakage happens only on anonymous pushes.
During `PushTask.push_image()` we now check whether the SDK can resolve
credentials for the target registry; if it cannot, we inject
`auth_config={}`, causing the SDK to send the minimal "{}" header that
satisfies the daemon while leaving authenticated pushes unchanged.
Drop this addition when [2] is fixed.
[1] moby/moby#50371
[2] docker/docker-py#3348
Closes-Bug: #2119619
Change-Id: I7a2f3fce223afd74741b40bf62836b325fca5b19
Signed-off-by: Bartosz Bezak <bartosz@stackhpc.com>
(cherry picked from commit ddac7ca)
Alex-Welsh
pushed a commit
to stackhpc/kolla
that referenced
this pull request
Aug 11, 2025
Since Docker 28.3.3 the daemon rejects a push that carries no
`X-Registry-Auth` header [1]. The SDK already sets this header when it
finds credentials, so the breakage happens only on anonymous pushes.
During `PushTask.push_image()` we now check whether the SDK can resolve
credentials for the target registry; if it cannot, we inject
`auth_config={}`, causing the SDK to send the minimal "{}" header that
satisfies the daemon while leaving authenticated pushes unchanged.
Drop this addition when [2] is fixed.
[1] moby/moby#50371
[2] docker/docker-py#3348
Closes-Bug: #2119619
Change-Id: I7a2f3fce223afd74741b40bf62836b325fca5b19
Signed-off-by: Bartosz Bezak <bartosz@stackhpc.com>
Alex-Welsh
pushed a commit
to stackhpc/kolla
that referenced
this pull request
Aug 11, 2025
Since Docker 28.3.3 the daemon rejects a push that carries no
`X-Registry-Auth` header [1]. The SDK already sets this header when it
finds credentials, so the breakage happens only on anonymous pushes.
During `PushTask.push_image()` we now check whether the SDK can resolve
credentials for the target registry; if it cannot, we inject
`auth_config={}`, causing the SDK to send the minimal "{}" header that
satisfies the daemon while leaving authenticated pushes unchanged.
Drop this addition when [2] is fixed.
[1] moby/moby#50371
[2] docker/docker-py#3348
Closes-Bug: #2119619
Change-Id: I7a2f3fce223afd74741b40bf62836b325fca5b19
Signed-off-by: Bartosz Bezak <bartosz@stackhpc.com>
(cherry picked from commit ddac7ca)
relates to:
Docker API v1.4 and lower expected registry authentication to be sent in the request body when pushing or pulling ("creating") images. API v1.5 (Docker v0.6.1) changed this to use an `X-Registry-Auth` header instead.
This change was implemented in d04beb7, which kept a fallback for clients using old (< v1.5) API versions which would send authentication in the request body.
Given that we no longer support API versions older than v1.24, and clients using API v1.5 would be over 12 years old.