CONTEXT
We want to create a Docker image containing the oci-cli and fn-cli for CI/CD purposes. The image is based on oraclelinux-slim. To deploy functions from inside the image, a docker login is needed.
DOCKERFILE
FROM oraclelinux:7-slim
#
ENV OCI_CLI_SUPPRESS_FILE_PERMISSIONS_WARNING=True
#
# install needed stuff
RUN yum-config-manager --enable ol7_developer
RUN yum -y install oraclelinux-developer-release-el7
RUN yum -y install java-1.8.0-openjdk-devel jar docker-cli jq git vi
#
# install ocicli
#
RUN yum install -y python36-oci-cli
#
# install fncli
#
RUN curl -LSs https://raw.githubusercontent.com/fnproject/cli/master/install | sh
#
#EOF
BUILD THE IMAGE
docker build -t oci-tools .
RUN THE IMAGE
Run the image from your home directory (assuming you have the OCI CLI configured in <yourhome>/.oci).
docker run --rm -it -v ociconf:/root/.oci -v /var/run/docker.sock:/var/run/docker.sock oci-tools bash
CREATE A FN EXAMPLE
Run the following commands (the text after each bash-4.2# prompt; the other lines are output):
bash-4.2# fn init --runtime go my-func
Creating function at: ./my-func
Function boilerplate generated.
func.yaml created.
bash-4.2# cd my-func
bash-4.2# fn create context xplr --provider oracle
Successfully created context: xplr
bash-4.2# fn use context xplr
Now using context: xplr
bash-4.2# fn update context oracle.compartment-id ocid1.comp1..aaa...ea
Current context updated oracle.compartment-id with ocid1....ea
bash-4.2# fn update context api-url https://functions.eu-frankfurt-1.oraclecloud.com
Current context updated api-url with https://functions.eu-frankfurt-1.oraclecloud.com
bash-4.2# fn update context registry fra.ocir.io/xplr
Current context updated registry with fra.ocir.io/xplr
bash-4.2# docker login -u 'xplr/oracleidentitycloudservice/toribio' fra.ocir.io
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
bash-4.2# fn deploy --app func-oag-es-dev
Deploying my-func to app: func-oag-es-dev
Bumped to version 0.0.3
Using Container engine docker
Building image fra.ocir.io/xplr/my-func:0.0.3 .....
Parts: [fra.ocir.io xplr my-func:0.0.3]
Using Container engine docker to push
faa09373b6c6: Preparing
242bd8444c32: Preparing
0c51690908d3: Preparing
b27eec72a58e: Preparing
denied: Anonymous users are only allowed read access on public repos
Fn: error running docker push, are you logged?: exit status 1
See 'fn <command> --help' for more information. Client version: 0.6.13
THE PROBLEM
When running fn deploy, even though the docker login succeeded, the push to OCIR (the same happens with any Docker-compatible registry) fails with the error "denied: Anonymous users are only allowed read access on public repos".
THE ROOT CAUSE
The problem seems to be related to the docker push operation itself. As shown below, whether or not you log in to the Docker registry first, the push throws the same error as above. Interesting!
bash-4.2# docker images
REPOSITORY TAG IMAGE
fra.ocir.io/xplrwznk/jubuntu latest 54c9d8
bash-4.2# docker push fra.ocir.io/xplrr/jubuntu
The push refers to repository [fra.ocir.io/xplrwznk/jubuntu]
36ffdceb4c77: Preparing
denied: Anonymous users are only allowed read access on public repos
bash-4.2# docker login fra.ocir.io
Username: xplr/oracleidentitycloudservice/xxxxxxxx
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
bash-4.2# docker push fra.ocir.io/xplr/jubuntu
The push refers to repository [fra.ocir.io/xplr/jubuntu]
36ffdceb4c77: Preparing
denied: Anonymous users are only allowed read access on public repos
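One check to run at this point, as an added example that is not part of the original post: confirm that the config.json written by docker login actually holds a credential for the registry host the push targets, or delegates to a credential helper that exists inside the image. The function names and the sample config are constructed for illustration; the script reports only the username, never the password.

```python
import base64
import json
import os
import shutil

def registry_host(image_ref):
    """Registry hostname the docker CLI derives from an image reference."""
    first, sep, _ = image_ref.partition("/")
    if sep and ("." in first or ":" in first or first == "localhost"):
        return first
    return "index.docker.io"  # no registry component: Docker Hub

def _key_host(key):
    """Reduce an auths key such as https://host/v1/ to its hostname."""
    return key.split("://", 1)[-1].split("/", 1)[0]

def credential_source(config, image_ref, which=shutil.which):
    """Report where a push of image_ref would get its credentials from."""
    host = registry_host(image_ref)
    helper = config.get("credHelpers", {}).get(host) or config.get("credsStore")
    if helper:
        binary = "docker-credential-" + helper
        found = which(binary) is not None
        return {"host": host, "source": "helper" if found else "helper-missing",
                "detail": binary}
    token = next((v.get("auth") for k, v in config.get("auths", {}).items()
                  if _key_host(k) == host), None)
    if not token:
        return {"host": host, "source": "anonymous", "detail": None}
    try:
        user = base64.b64decode(token, validate=True).decode("utf-8").split(":", 1)[0]
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return {"host": host, "source": "malformed", "detail": None}
    return {"host": host, "source": "inline", "detail": user}  # password is never returned

# Constructed sample: the shape docker login writes when no helper is configured.
SAMPLE = {"auths": {"fra.ocir.io": {"auth": base64.b64encode(
    b"xplr/oracleidentitycloudservice/toribio:constructed-token").decode()}}}

if __name__ == "__main__":
    cfg_dir = os.environ.get("DOCKER_CONFIG", os.path.expanduser("~/.docker"))
    try:
        with open(os.path.join(cfg_dir, "config.json")) as fh:
            cfg = json.load(fh)
    except FileNotFoundError:
        cfg = {}  # no config file: nothing to authenticate with
    print(credential_source(cfg, "fra.ocir.io/xplr/my-func:0.0.3"))
```

A result of "anonymous" or "helper-missing" for the push target means the login was recorded somewhere the pushing client does not read, or for a different registry host than the one in the image name.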
WHAT HAPPENS IF THE DOCKER IMAGE IS BASED ON UBUNTU?
Let's try it in a temporary image first:
root@ef12015f79d1:~/development/python# docker run -it -v /var/run/docker.sock:/var/run/docker.sock -v /Users/javiermugueta/.oci:/root/.oci ubuntu:latest sh -c "apt-get update ; apt-get install docker.io -y ; bash"
...
root@ef12015f79d1:~/development/python# apt install python3.8-venv
...
root@ef12015f79d1:~/development/python# mkdir -p ~/development/python && cd ~/development/python
...
root@ef12015f79d1:~/development/python# python3 -m venv oracle-cli
...
root@ef12015f79d1:~/development/python# source oracle-cli/bin/activate
...
root@ef12015f79d1:~/development/python# apt-get install curl
...
root@ef12015f79d1:~/development/python# bash -c "$(curl -L https://raw.githubusercontent.com/oracle/oci-cli/master/scripts/install/install.sh)"
...
root@ef12015f79d1:~/development/python# . /root/.bashrc
...
root@ef12015f79d1:~/development/python# oci os ns get
...
{
  "data": "xplr"
}
root@ef12015f79d1:~/development/python# curl -LSs https://raw.githubusercontent.com/fnproject/cli/master/install | sh
...
root@ef12015f79d1:~/development/python# fn -version
fn version 0.6.13
root@ef12015f79d1:~/development/python#
root@ef12015f79d1:~/development/python# fn init --runtime go my-func
Creating function at: ./my-func
Function boilerplate generated.
func.yaml created.
root@ef12015f79d1:~/development/python# cd my-func
root@ef12015f79d1:~/development/python/my-func# fn create context xplr --provider oracle
Successfully created context: xplr
root@ef12015f79d1:~/development/python/my-func# fn use context xplr
Now using context: xplr
root@ef12015f79d1:~/development/python/my-func# fn update context oracle.compartment-i...ea
Current context updated oracle.compartment-id with ocid1.comp...ea
root@ef12015f79d1:~/development/python/my-func# fn update context api-url https://functions.eu-frankfurt-1.oraclecloud.com
Current context updated api-url with https://functions.eu-frankfurt-1.oraclecloud.com
root@ef12015f79d1:~/development/python/my-func# fn update context registry fra.ocir.io/xplr
Current context updated registry with fra.ocir.io/xplr/xplr
root@ef12015f79d1:~/development/python/my-func# docker login -u 'xplr/oracleidentitycloudservice/toribio' fra.ocir.io
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
root@ef12015f79d1:~/development/python/my-func# fn deploy --app func-oag-es-dev
Deploying my-func to app: func-oag-es-dev
Bumped to version 0.0.2
Using Container engine docker
...
faa09373b6c6: Pushed
...
0.0.2: digest: sha256:a0f5e5a0fe063131c4e4d9bdaef30f96a0a7b377a6392e6395310f945b610103 size: 1155
Updating function my-func using image fra.ocir.io/xplr/my-func:0.0.2...
Successfully created function: my-func with fra.ocir.io/xplr/my-func:0.0.2
root@ef12015f79d1:~/development/python/my-func#
It works!!!
THE UBUNTU DOCKERFILE
FROM ubuntu:latest
#
ENV OCI_CLI_SUPPRESS_FILE_PERMISSIONS_WARNING=True
#
# install needed stuff
RUN apt-get update
RUN apt -y install python3.8-venv default-jdk
RUN apt-get -y install jq curl docker.io zip
#
# install ocicli
#
RUN curl -L https://raw.githubusercontent.com/oracle/oci-cli/master/scripts/install/install.sh > x.sh
RUN chmod 700 x.sh
RUN ./x.sh --accept-all-defaults
#
# install fncli
#
RUN curl -LSs https://raw.githubusercontent.com/fnproject/cli/master/install | sh
CONCLUSION
The oraclelinux image must have security restrictions that prevent us from doing what is intended.
Hope it helps! 🙂