Mapping of credentials for docker.io and index.docker.io is not working properly for head requests.

[simskij]

Yeah, it's looking for credentials for the repository docker.io but the key in the config.json is index.docker.io

2021-11-12T10:43:55Z [D] No credentials for docker.io found
                        config_file: /config.json
2021-11-12T10:43:55Z [D] Got image name: docker.io/eeeeb/satisfactory-dserver:latest

I execute docker login -u eeeeb and use a generated access token (from my dockerhub account) as the password.

You need to supply the registry name, like this:

docker login docker.io -u eeeeb 

Edit: Actually, never mind. I just tried it, and it adds the entry as https://index.docker.io/v1/ anyway. Perhaps @simskij knows how this is supposed to work?

There is probably some magic going on in the docker client that automagically maps docker.io to https://index.docker.io/v1/, hence why docker pull works. Since we are directly communicating with the docker daemon, and not using the docker CLI no such conversion is being done.

Originally posted by @piksel in #1129 (reply in thread)

Yeah, this is likely a bug we need to solve.

[Katawann]

Hello !

Is there a workaround for that yet ? I tried the solution to change the url to docker.io in the config.json but it did not change anything on my side...

I tried with the command of linked issue:

docker run --name watchtower-test -v /var/run/docker.sock:/var/run/docker.sock -v /home/user/.docker/config.json:/config.json   index.docker.io/containrrr/watchtower:latest -i 5 --debug

and with the command docker login which generated the config.json file:

{
        "auths": {
                "https://index.docker.io/v1/": {
                        "auth": "XXXXXXXXXXXXXXXXXXXXXXXXXX"
                }
        }
}

but at the end I get the issue below:

time="2022-02-02T21:21:17Z" level=debug
time="2022-02-02T21:21:17Z" level=debug msg="Sleeping for a second to ensure the docker api client has been properly initialized."
time="2022-02-02T21:21:18Z" level=debug msg="Making sure everything is sane before starting"
time="2022-02-02T21:21:18Z" level=debug msg="Retrieving running containers"
time="2022-02-02T21:21:18Z" level=debug msg="There are no additional watchtower containers"
time="2022-02-02T21:21:18Z" level=debug msg="Watchtower HTTP API skipped."
time="2022-02-02T21:21:18Z" level=info msg="Watchtower 1.4.0"
time="2022-02-02T21:21:18Z" level=info msg="Using no notifications"
time="2022-02-02T21:21:18Z" level=info msg="Checking all containers (except explicitly disabled with label)"
time="2022-02-02T21:21:18Z" level=info msg="Scheduling first run: 2022-02-02 21:21:33 +0000 UTC"
time="2022-02-02T21:21:18Z" level=info msg="Note that the first check will be performed in 14 seconds"
time="2022-02-02T21:21:33Z" level=debug msg="Checking containers for updated images"
time="2022-02-02T21:21:33Z" level=debug msg="Retrieving running containers"
time="2022-02-02T21:21:33Z" level=debug msg="Trying to load authentication credentials." container=/watchtower-test image="index.docker.io/containrrr/watchtower:latest"
time="2022-02-02T21:21:33Z" level=debug msg="Loaded auth credentials for user aero41, on registry index.docker.io/containrrr/watchtower:latest, from file /config.json"
time="2022-02-02T21:21:33Z" level=debug msg="Got image name: index.docker.io/containrrr/watchtower:latest"
time="2022-02-02T21:21:33Z" level=debug msg="Credentials loaded"
time="2022-02-02T21:21:33Z" level=debug msg="Checking if pull is needed" container=/watchtower-test image="index.docker.io/containrrr/watchtower:latest"
time="2022-02-02T21:21:33Z" level=debug msg="Building challenge URL" URL="https://index.docker.io/v2/"
time="2022-02-02T21:21:33Z" level=debug msg="Got response to challenge request" header="Bearer realm=\"https://auth.docker.io/token\",service=\"registry.docker.io\"" status="401 Unauthorized"
time="2022-02-02T21:21:33Z" level=debug msg="Checking challenge header content" realm="https://auth.docker.io/token" service=registry.docker.io
time="2022-02-02T21:21:33Z" level=debug msg="Setting scope for auth token" image=index.docker.io/containrrr/watchtower scope="repository:containrrr/watchtower:pull"
time="2022-02-02T21:21:33Z" level=debug msg="Credentials found."
time="2022-02-02T21:21:33Z" level=debug msg="Parsing image ref" host=index.docker.io image=containrrr/watchtower normalized="docker.io/containrrr/watchtower:latest" tag=latest
time="2022-02-02T21:21:33Z" level=debug msg="Doing a HEAD request to fetch a digest" url="https://index.docker.io/v2/containrrr/watchtower/manifests/latest"
time="2022-02-02T21:21:34Z" level=warning msg="Could not do a head request for \"index.docker.io/containrrr/watchtower:latest\", falling back to regular pull." container=/watchtower-test image="index.docker.io/containrrr/watchtower:latest"
time="2022-02-02T21:21:34Z" level=warning msg="Reason: registry responded to head request with \"401 Unauthorized\", auth: \"Bearer realm=\\\"https://auth.docker.io/token\\\",service=\\\"registry.docker.io\\\",scope=\\\"repository:containrrr/watchtower:pull\\\"\"" container=/watchtower-test image="index.docker.io/containrrr/watchtower:latest"
time="2022-02-02T21:21:34Z" level=debug msg="Pulling image" container=/watchtower-test image="index.docker.io/containrrr/watchtower:latest"
time="2022-02-02T21:21:35Z" level=debug msg="No new images found for /watchtower-test"
time="2022-02-02T21:21:35Z" level=debug msg="This is the watchtower container /watchtower-test"
time="2022-02-02T21:21:35Z" level=info msg="Session done" Failed=0 Scanned=1 Updated=0 notify=no
time="2022-02-02T21:21:35Z" level=debug msg="Scheduled next run: 2022-02-02 21:21:48 +0000 UTC"

Happy to provide more information if necessary. Unfortunately it means for me that I can't use Watchtower to handle my updates unless there is another solution I missed

[AdamKearn]

+1 I am also having this issue.

Even copying the generated token from my system /home/username/.docker/config.json
I am having the same issue?

[piksel]

@Katawann, your log seems even weirder... It correctly finds the correct credentials, but still get a 401:

Loaded auth credentials for user aero41, on registry index.docker.io/containrrr/watchtower:latest, from file /config.json
Got image name: index.docker.io/containrrr/watchtower:latest
Credentials loaded

...

Reason: registry responded to head request with "401 Unauthorized, 
auth: "Bearer 
  realm="https://auth.docker.io/token",
  service="registry.docker.io",
  scope="repository:containrrr/watchtower:pull"
container=/watchtower-test 
image="index.docker.io/containrrr/watchtower:latest"

(the issue is about when it can't find the credentials, due to them being put in the config.json as index.docker.io/v1/, but the "actual" repository URL for dockerhub is docker.io, which the docker daemon automagically maps but we don't)

[romprod]

I have pretty much this issue but I always get the following

time="2022-05-23T18:41:52Z" level=debug msg="No credentials for docker_nextcloud:latest found" config_file=/config.json

Super frustrating as watchtower is currently unable to update any containers

[piksel]

@romprod, what image are you using? There is no docker_nextcloud on dockerhub. But create a separate discussion for this, since this issue is about a very specific (well known) problem. Yours might be related to it, and we can add more to this issue if that is the case.

[myusuf3]

is this still broken?

[akib1689]

This is still broken. Or do anyone has a workaround to this problem? I'm facing the same issue

[fong123]

Any solution for this?

[hack2012]

+1 I am also having this issue.