Unable to push Docker image for service web: Unable to retrieve .docker/config.json authentication details.

[ruddra]

I got this error while running: kompose up
I have been using the following docker-compose.yml:

version: '3'

services:
db:
image: mysql:5.5
container_name: db-container
ports:
- "3406:3306"
environment:
MYSQL_ROOT_PASSWORD: mypassword
MYSQL_USER: root
MYSQL_DATABASE: mydb
web:
build: .
container_name: web-container
command: python3 manage.py runserver 0.0.0.0:8000
volumes:
- .:/code
image: "ruddra/web-image"
ports:
- "8000:8000"
depends_on:
- db

I ran the following commands:

kompose convert --provider=openshift
kompose up --provider=openshift

I was able to push to my dockerhub repository using:
docker-compose push

[cdrage]

Hey @ruddra I've been trying to diagnose this issue.

I'm assuming you're using OS X?

[ruddra]

I am using macOS high sierra :)

[cdrage]

@ruddra That'd be why :) Docker is running in a VM and I believe they changed the configuration location. I'll have to investigate.

Just wondering, but where is the configuration file specifically on your machine?

[ruddra]

In '~/.docker/config.json'

[coodix]

Same issue for me. Trying use local private repo, but even after docker login keep getting error "FATA Error while deploying application: k.Transform failed: Unable to push Docker image for service proxy: Unable to retrieve .docker/config.json authentication details. Check that 'docker login' works successfully on the command line.: Failed to read authentication from dockercfg".

~/.docker/config.json is in place

[cdrage]

Hey @coodix @ruddra @kbroughton

I got time this week to get around to this issue, unfortunately, I don't have a Mac and I'm unable to run a VM (against licensing :() to diagnose it. So I need your help.

I'd like you all (or at least one of you) to these two things:

From this issue (pachyderm/pachyderm#2446) , let's try this:

1. Can you please output what your DOCKER_CONFIG variable is for me. If it's blank, try the command below the run Kompose again and see if it succeeds.

echo $DOCKER_CONFIG
export DOCKER_CONFIG=~/.docker/ 

From this issue (fsouza/go-dockerclient#677)

2. Can you output your .docker/config.json details for me and see if it contains osxkeychain? If you decide to comment in this issue with the configuration details, make sure you omit the auth variable 👍

I'm going to see if I can borrow a friends Mac or at least find one at the company lab which has one I can remote into!

Seems at the moment this issue is only affected Mac users.

Many thanks 💯

[coodix]

@cdrage , $DOCKER_CONFIG is empty by default. I tried to set it to "~/.docker/" but it didn't help. Same error appeared.
Content of my ~/.docker/config.json:
{ "auths": { "https://index.docker.io/v1/": {}, "localhost:5000": {} }, "credsStore": "osxkeychain" }

But it became so after I execute "docker login localhost:5000" trying to make it work. In all cases same error.

[coodix]

@cdrage , I've found out what's the problem. It's because dockerclient isn't integrated with osxkeychain. See fsouza/go-dockerclient#677

Also it relates to docker/for-mac#1584
Docker for Mac by default uses osxkeychain for storing credentials.

So the current solution is to edit config.json:
{ "auths": { "localhost:5000": { "auth": "...base64encoded credentials..." } }, "credsStore": "osxkeychain" }
And need to ensure that there are no auths without auth string (fsouza/go-dockerclient#677 (comment) ).

[coodix]

@cdrage , do you consider adding empty AuthConfiguration as it stated in comment for PushImage method (github.com/fsouza/go-dockerclient/image.go):
// An empty instance of AuthConfiguration may be used for unauthenticated // pushes. // // See https://goo.gl/zPtZaT for more details. func (c *Client) PushImage(opts PushImageOptions, auth AuthConfiguration) error {

At least in case if no one auth was found by dockerlib.NewAuthConfigurationsFromDockerCfg?

[cdrage]

@coodix Yeah, that's for investigating.. It's difficult with oxskeychain, we'd have to either contribute an upstream change to the go-dockerclient library or implement Docker's client library.

We can try to do empty authentication to fix it.

[geekflyer]

I'm having the same issue on OSX when trying to push to gcr.io using the gcr credential helper.
I'm trying to update my pipeline with
pc update-pipeline -f pipeline.json --push-images
and I'm getting
error parsing auth: open /Users/geekflyer/.dockercfg: no such file or directory, try running docker login

my ~/.docker/config.json looks like this:

{
	"auths": {
		"gcr.io": {},
		"https://registry.gitlab.com": {},
		"registry.gitlab.com": {}
	},
	"HttpHeaders": {
		"User-Agent": "Docker-Client/17.09.0-ce (darwin)"
	},
	"credsStore": "osxkeychain",
	"credHelpers": {
		"asia.gcr.io": "gcr",
		"eu.gcr.io": "gcr",
		"gcr.io": "gcr",
		"staging-k8s.gcr.io": "gcr",
		"us.gcr.io": "gcr"
	}
}% 

What is the workaround for this? This is really blocking me to iterate on some pipelines.

[geekflyer]

on a related issue: While digging I found that the podspec pachyderm creates for pipeline workers contains imagePullPolicy: IfNotPresent . I'm somewhat new to k8s, but wouldn't it be better to simply specify imagePullPolicy: Always which would make specifying the --push-images flag obsolete?

[Matthieulvt]

I got this issue on my project. This is my ~./docker/config.json :

        "auths": {
                "https://index.docker.io/v1/": {
                        "auth": "<somekey>="
                },
                "registry.gitlab.com": {
                        "auth": "<somekey>="
                }
        },
        "HttpHeaders": {
                "User-Agent": "Docker-Client/18.02.0-ce (linux)"
        }
}

My docker-compose file :

version: '2'

services:

  agon:
    build:
      context: ./agon
      dockerfile: Dockerfile
    image: agonnode:tag  
    container_name: Agon_iri
    hostname: agon
    volumes:
      - ./volumes/iota/iota.ini:/iri/iota.ini:ro
      - ./volumes/iota/ixi:/iri/ixi:rw
      - ./volumes/iota/mainnetdb:/iri/mainnetdb:rw
      - /etc/localtime:/etc/localtime:ro
    expose: 
      - "5556"
    ports:
      - "14600:14600/udp"
      - "15600:15600/tcp"
      - "14265:14265"
    restart: 'on-failure'

Here's my try to push the image :

➜  ultra-devops git:(kuberpod) ✗ docker login
Login with your Docker ID to push and pull images from Docker Hub. If you don't have a DockerID, head over to https://hub.docker.com to create one.
Username (hystenal): hystenal
Password:
Login Succeeded

➜  ultra-devops git:(kuberpod) ✗ docker-compose push
Pushing agon (agonnode:tag)...
The push refers to repository [docker.io/library/agonnode]
070ea77bff68: Preparing
8760e8a8ec65: Preparing
89f1160177db: Preparing
64a60834482b: Preparing
ce26c278ee53: Preparing
b30530a0b009: Waiting
7c4b5f9422c0: Waiting
26fac7fe251e: Waiting
db584c622b50: Waiting
52a7ea2bb533: Waiting
52f389ea437e: Waiting
88888b9b1b5b: Waiting
a94e0d5a7c40: Waiting
ERROR: denied: requested access to the resource is denied

➜  ultra-devops git:(kuberpod) ✗ kompose up
WARN Unsupported hostname key - ignoring
INFO Container name in service "agon" has been changed from "Agon_iri" to "Agon-iri"
INFO Build key detected. Attempting to build and push image 'agonnode:tag'
INFO Building image 'agonnode:tag' from directory 'agon'
INFO Image 'agonnode:tag' from directory 'agon' built successfully
INFO Pushing image 'library/agonnode:tag' to registry 'docker.io'
INFO Multiple authentication credentials detected. Will try each configuration.
INFO Attempting authentication credentials 'registry.gitlab.com
ERRO Unable to push image 'library/agonnode:tag' to registry 'docker.io'. Error: unauthorized: incorrect username or password
INFO Attempting authentication credentials 'https://index.docker.io/v1/
ERRO Unable to push image 'library/agonnode:tag' to registry 'docker.io'. Error: denied: requested access to the resource is denied
FATA Error while deploying application: k.Transform failed: Unable to push Docker image for service agon: unable to push docker image(s). Check that `docker login` works successfully on the command line

[hangyan]

@huntal seems like not a kompose issue, because docker-compose push is not working too. Maybe wrong dockerhub user namespace. The output shows that you are trying to push to library, this is the official image account.. The image format is <you-user-name>/<image-name>:<tag> I think.

[Matthieulvt]

Yup you were right my bad, just had to change the image tag key to your format @hangyan thanks again

[nullifiedaccount3]

I pushed it manually and removed build from compose file. It worked!

It feels like kompose is having issues accessing the credentials to push the images.

[beltran]

Could kubernetes/kubernetes#63874 be related to this?

[fejta-bot]

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle stale

[fejta-bot]

Stale issues rot after 30d of inactivity.
Mark the issue as fresh with /remove-lifecycle rotten.
Rotten issues close after an additional 30d of inactivity.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle rotten

[PeterBocan]

This is still not working properly. I have no idea what's the problem (permissions? corrupted cache?)

INFO Build key detected. Attempting to build and push image 'x/fetcher'
INFO Building image 'x/fetcher' from directory 'x-fetcher'
INFO Image 'x/fetcher' from directory 'x-fetcher' built successfully
INFO Pushing image 'x/fetcher:latest' to registry 'docker.io'
WARN Unable to retrieve .docker/config.json authentication details. Check that 'docker login' works successfully on the command line.: Failed to read authentication from dockercfg
INFO Authentication credentials are not detected. Will try push without authentication.
INFO Attempting authentication credentials 'docker.io
ERRO Unable to push image 'x/fetcher:latest' to registry 'docker.io'. Error: denied: requested access to the resource is denied
FATA Error while deploying application: k.Transform failed: Unable to push Docker image for service fetcher: unable to push docker image(s). Check that `docker login` works successfully on the command line

note that both docker and docker-compose are pushing properly and I am running macOS 10.14 Mojave.

It seems like a file permission issue with kubernetes, which I've installed via homebrew. Also my kubectl is not reading anything from my desktop folder.

[ruddra]

/remove-lifecycle rotten

[eic-aibee]

@cdrage , I've found out what's the problem. It's because dockerclient isn't integrated with osxkeychain. See fsouza/go-dockerclient#677

Also it relates to docker/for-mac#1584
Docker for Mac by default uses osxkeychain for storing credentials.

So the current solution is to edit config.json:
{ "auths": { "localhost:5000": { "auth": "...base64encoded credentials..." } }, "credsStore": "osxkeychain" }
And need to ensure that there are no auths without auth string (fsouza/go-dockerclient#677 (comment) ).

First thank you very much, solve my problems, here I have some supplements.
"base64encoded credentials" can be generated by
echo -n "username:password" | base64
-n used to omit '\n' which added by echo

[alanbly]

So I'd like to add a bit to what everyone else has said. The message WARN Unable to retrieve .docker/config.json authentication details seems to be caused by there being ANY empty auth objects in the ~/.docker/config.json file. docker login in many cases seems to create empty auth blocks so doing as the warning tells you can actually make this problem happen. Now if you, like me, do not want to put your personal google credentials into a text file, there is a way to make this work for a JSON key file (as described here https://cloud.google.com/container-registry/docs/advanced-authentication#json_key_file).

Once you have the key file, you can generate a base-64-encoded auth block using the same method they use for the docker login command. Combining that with the answer above from @eic-aibee , what you want to do is run this command: echo -n "_json_key:$(cat key.json)" | base64 which will spit out the auth block to the console.

[wuestkamp]

So I solved this on OSX by disabling the keychain password storage:

1. rm ~/.docker/config.json (maybe skip this part actually)
2. in Docker for Mac preferences, untick "Securely store Docker logins in macOS keychain"
3. restart Docker for Mac
4. docker login

Or for glcoud and pushing to gcr:
gcloud auth print-access-token | docker login -u oauth2accesstoken --password-stdin https://eu.gcr.io

now your ~/.docker/config.json should contain base64 encoded passwords. Working, not safe though!

If someone gets the keychain storage to work that would be nice...

[fejta-bot]

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle stale

[ruddra]

/remove-lifecycle stale

[fejta-bot]

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle stale

[fejta-bot]

Stale issues rot after 30d of inactivity.
Mark the issue as fresh with /remove-lifecycle rotten.
Rotten issues close after an additional 30d of inactivity.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle rotten

[fejta-bot]

Rotten issues close after 30d of inactivity.
Reopen the issue with /reopen.
Mark the issue as fresh with /remove-lifecycle rotten.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/close

[k8s-ci-robot]

@fejta-bot: Closing this issue.

In response to this:

Rotten issues close after 30d of inactivity.
Reopen the issue with /reopen.
Mark the issue as fresh with /remove-lifecycle rotten.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.