Error parsing http 403 response body unexpected end of json input


@sharkguto

Describe the bug
I cannot upload my image from Azure DevOps to AWS ECR.

To reproduce

2019-11-28T18:34:36.0850956Z ##[section]Starting: Push Image: latest
2019-11-28T18:34:36.0854117Z ==============================================================================
2019-11-28T18:34:36.0854220Z Task : Amazon ECR Push
2019-11-28T18:34:36.0854276Z Description : Push a Docker image to an Amazon Elastic Container Registry on AWS
2019-11-28T18:34:36.0854352Z Version : 1.5.0
2019-11-28T18:34:36.0854400Z Author : Amazon Web Services
2019-11-28T18:34:36.0854537Z Help : Please refer to Amazon Elastic Container Registry documentation for working with this service.

More information on this task can be found in the task reference.

####Task Permissions
This task requires permissions to call the following AWS service APIs (depending on selected task options, not all APIs may be used):

  • ecr:DescribeRepositories
  • ecr:CreateRepository
  • ecr:GetAuthorizationToken
    2019-11-28T18:34:36.0854910Z ==============================================================================
    2019-11-28T18:34:36.4034903Z Configuring credentials for task
    2019-11-28T18:34:36.4040620Z 91a5d750-74c1-47c1-9738-38125f5bf13a exists true
    2019-11-28T18:34:36.4042384Z …configuring AWS credentials from service endpoint ’91a5d750-74c1-47c1-9738-38125f5bf13a’
    2019-11-28T18:34:36.4042487Z …endpoint defines standard access/secret key credentials
    2019-11-28T18:34:36.4065167Z Configuring region for task
    2019-11-28T18:34:36.4068292Z …configured to use region us-east-1, defined in task.
    2019-11-28T18:34:36.4159990Z Pushing image ‘brasil317-odin-svc:latest’
    2019-11-28T18:34:36.4164294Z Obtaining authentication token for ECR login
    2019-11-28T18:34:37.2408133Z Testing existence of repository ‘brasil317-odin-svc’
    2019-11-28T18:34:37.7461702Z Adding tag ‘999999999999.dkr.ecr.us-east-1.amazonaws.com/brasil317-odin-svc:latest’ to image ‘brasil317-odin-svc:latest’
    2019-11-28T18:34:37.7463673Z Invoking ‘/opt/hostedtoolcache/docker-stable/17.9.0-ce/x64/docker’ with command ‘tag’
    2019-11-28T18:34:37.7479916Z [command]/opt/hostedtoolcache/docker-stable/17.9.0-ce/x64/docker tag brasil317-odin-svc:latest 999999999999.dkr.ecr.us-east-1.amazonaws.com/brasil317-odin-svc:latest
    2019-11-28T18:34:37.7720571Z Invoking ‘/opt/hostedtoolcache/docker-stable/17.9.0-ce/x64/docker’ with command ‘login’
    2019-11-28T18:34:39.0661318Z Pushing image ‘999999999999.dkr.ecr.us-east-1.amazonaws.com/brasil317-odin-svc:latest’ to Elastic Container Registry
    2019-11-28T18:34:39.0662011Z Invoking ‘/opt/hostedtoolcache/docker-stable/17.9.0-ce/x64/docker’ with command ‘push’
    2019-11-28T18:34:39.0687661Z [command]/opt/hostedtoolcache/docker-stable/17.9.0-ce/x64/docker push 999999999999.dkr.ecr.us-east-1.amazonaws.com/brasil317-odin-svc:latest
    2019-11-28T18:34:39.0952156Z The push refers to repository [999999999999.dkr.ecr.us-east-1.amazonaws.com/brasil317-odin-svc]
    2019-11-28T18:34:39.5776826Z 8fb7077905f4: Preparing
    2019-11-28T18:34:39.5778400Z 5534385be237: Preparing
    2019-11-28T18:34:39.5778547Z 0dadcf4d9cca: Preparing
    2019-11-28T18:34:39.5778664Z 7aec04de5457: Preparing
    2019-11-28T18:34:39.5779016Z a74cc5d23d85: Preparing
    2019-11-28T18:34:39.5779350Z 975d2c9c8b2c: Preparing
    2019-11-28T18:34:39.5779530Z 4cc0dcd1fc04: Preparing
    2019-11-28T18:34:39.5779694Z ff069951ece4: Preparing
    2019-11-28T18:34:39.5779915Z ade02cbbac9a: Preparing
    2019-11-28T18:34:39.5780072Z e36299e0cdf7: Preparing
    2019-11-28T18:34:39.5780361Z 1be02b18dfe7: Preparing
    2019-11-28T18:34:39.5780520Z 831c5620387f: Preparing
    2019-11-28T18:34:39.5780735Z ff069951ece4: Waiting
    2019-11-28T18:34:39.5780897Z ade02cbbac9a: Waiting
    2019-11-28T18:34:39.5781337Z e36299e0cdf7: Waiting
    2019-11-28T18:34:39.5781499Z 1be02b18dfe7: Waiting
    2019-11-28T18:34:39.5781709Z 831c5620387f: Waiting
    2019-11-28T18:34:39.5781866Z 975d2c9c8b2c: Waiting
    2019-11-28T18:34:39.5782021Z 4cc0dcd1fc04: Waiting
    2019-11-28T18:34:42.1361943Z error parsing HTTP 403 response body: unexpected end of JSON input: «»
    2019-11-28T18:34:42.1473731Z ##[error]Error: The process ‘/opt/hostedtoolcache/docker-stable/17.9.0-ce/x64/docker’ failed with exit code 1
    2019-11-28T18:34:42.1485598Z ##[section]Finishing: Push Image: latest

Expected behavior
Uploading the image to ECR should work.

Your Environment
Azure Devops with latest version

Additional context

@hunterwerlla added the bug label ("We can reproduce the issue and confirmed it is a bug.") on Dec 2, 2019

@hunterwerlla

That message is coming from docker, it was unable to connect to the repository and got a 403. This probably indicates an issue with your credentials.


@rainabba

I just spent the evening determining the absolute minimum set of permissions to do a docker push to ECR. I’m here because I was also getting the JSON error, but it turned out to be buggy error reporting hiding missing permissions (source of hint). Below are the needed permissions. Be sure to replace ${REGION}, ${ACCOUNT_ID} and ${REGISTRY_NAME} accordingly (the ARN there is the ECR registry ARN).

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ecr:BatchGetImage",
        "ecr:BatchCheckLayerAvailability",
        "ecr:CompleteLayerUpload",
        "ecr:DescribeImages",
        "ecr:DescribeRepositories",
        "ecr:GetDownloadUrlForLayer",
        "ecr:InitiateLayerUpload",
        "ecr:ListImages",
        "ecr:PutImage",
        "ecr:UploadLayerPart"
      ],
      "Resource": "arn:aws:ecr:${REGION}:${ACCOUNT_ID}:repository/${REGISTRY_NAME}"
    },
    {
      "Effect": "Allow",
      "Action": "ecr:GetAuthorizationToken",
      "Resource": "*"
    }
  ]
}
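A way to catch this kind of gap before the pipeline runs, as an added example (not part of the comment above or of the AWS task): an offline checker that reports which of the actions listed in that policy an identity policy fails to grant. The repository ARN and both sample policies are constructed, and Condition, NotAction and NotResource elements are not evaluated.

```python
import re

# Actions the comment above lists as the minimum for `docker push` to ECR.
REPO_ACTIONS = [
    "ecr:BatchGetImage", "ecr:BatchCheckLayerAvailability",
    "ecr:CompleteLayerUpload", "ecr:DescribeImages",
    "ecr:DescribeRepositories", "ecr:GetDownloadUrlForLayer",
    "ecr:InitiateLayerUpload", "ecr:ListImages",
    "ecr:PutImage", "ecr:UploadLayerPart",
]
AUTH_ACTION = "ecr:GetAuthorizationToken"  # granted on Resource "*" in that policy


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _wild(pattern, value, ignore_case=False):
    # IAM wildcards: "*" is any run of characters, "?" is exactly one.
    rx = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(rx, value, re.I if ignore_case else 0) is not None


def _matches(policy, effect, action, resource):
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") != effect or "Action" not in stmt or "Resource" not in stmt:
            continue  # NotAction/NotResource statements are not evaluated here
        if any(_wild(a, action, True) for a in _as_list(stmt["Action"])) and \
           any(_wild(r, resource) for r in _as_list(stmt["Resource"])):
            return True
    return False


def missing_push_permissions(policy, repo_arn):
    """Return the listed actions the policy does not grant or explicitly denies."""
    missing = []
    for action in REPO_ACTIONS + [AUTH_ACTION]:
        resource = "*" if action == AUTH_ACTION else repo_arn
        allowed = _matches(policy, "Allow", action, resource)
        denied = _matches(policy, "Deny", action, resource)
        if denied or not allowed:
            missing.append(action)
    return missing


# Constructed sample data: the account id and repository name are placeholders.
REPO_ARN = "arn:aws:ecr:us-east-1:111122223333:repository/example-svc"
# Only the three APIs that the task banner in the issue's log says it requires.
TASK_BANNER_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Resource": "*",
    "Action": ["ecr:DescribeRepositories", "ecr:CreateRepository", AUTH_ACTION],
}]}
# The policy from the comment, with its placeholders filled in.
COMMENT_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": REPO_ACTIONS, "Resource": REPO_ARN},
    {"Effect": "Allow", "Action": AUTH_ACTION, "Resource": "*"},
]}

if __name__ == "__main__":
    print("task banner only:", missing_push_permissions(TASK_BANNER_POLICY, REPO_ARN))
    print("comment's policy:", missing_push_permissions(COMMENT_POLICY, REPO_ARN))
```

A policy that grants only what the task banner lists passes the login step and then lacks every layer-upload action, which matches the point in the log where the push failed.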

@SanthoshKJagadish

This worked for me. Thank you.

@hronix

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ecr:BatchGetImage",
        "ecr:BatchCheckLayerAvailability",
        "ecr:CompleteLayerUpload",
        "ecr:DescribeImages",
        "ecr:DescribeRepositories",
        "ecr:GetDownloadUrlForLayer",
        "ecr:InitiateLayerUpload",
        "ecr:ListImages",
        "ecr:PutImage",
        "ecr:UploadLayerPart"
      ],
      "Resource": "arn:aws:ecr:${REGION}:${ACCOUNT_ID}:repository/${REGISTRY_NAME}"
    },
    {
      "Effect": "Allow",
      "Action": "ecr:GetAuthorizationToken",
      "Resource": "*"
    }
  ]
}

Helped me finally get it working, thanks!

Issue created Jun 29, 2016 by Arnold Hendriks (@unilynx)

registry & s3: pushing fails with ‘error parsing HTTP 403 response body: unexpected end of JSON input: «»’

gitlab-ce:8.9.2
docker: 1.11.2 (centos7 build) OR 1.12.0-rc2 (osx beta) — reproduced this issue on both.

We’ve set up gitlab’s registry to use s3 as a storage backend. Whenever we try to push an image, we get an error message that looks like this:

[root@lenny tmp]# docker -D push gitlab-registry.b-lex.com/b-lex/servermanagement:webhare-ci
The push refers to a repository [gitlab-registry.b-lex.com/b-lex/servermanagement]
4fe15f8d0ae6: Pushing [==================================================>] 5.046 MB
error parsing HTTP 403 response body: unexpected end of JSON input: ""

docker login worked fine. The 403 is being sent from S3, after disabling encryption I was able to catch the request:

  0x0020:  5018 00e5 c981 0000 4845 4144 202f 646f  P.......HEAD./do
  0x0030:  636b 6572 2f72 6567 6973 7472 792f 7632  cker/registry/v2
  0x0040:  2f62 6c6f 6273 2f73 6861 3235 362f 6531  /blobs/sha256/e1
.........
  0x0000:  4500 0145 ddc4 4000 3206 a2f8 36e7 82d3  E..E..@.2...6...
  0x0010:  0a08 0334 0050 9d66 5d1e 9d1c 5162 565a  ...4.P.f]...QbVZ
  0x0020:  5018 003e febb 0000 4854 5450 2f31 2e31  P..>....HTTP/1.1
  0x0030:  2034 3033 2046 6f72 6269 6464 656e 0d0a  .403.Forbidden..
  0x0040:  782d 616d 7a2d 7265 7175 6573 742d 6964  x-amz-request-id

The full signed URL was:

http://webhare-docker-registry.s3-eu-west-1.amazonaws.com/docker/registry/v2/blobs/sha256/e1/e110a4a1794126ef308a49f2d65785af2f25538f06700721aad8283b81fdfa58/data?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAJY4NHZNPXN6T3YBA%2F20160629%2Feu-west-1%2Fs3%2Faws4_request&X-Amz-Date=20160629T193758Z&X-Amz-Expires=1200&X-Amz-SignedHeaders=host&X-Amz-Signature=f190333bcbabc644d1d06f4b13113cbf9c5543ec286443037fa79c2ae6da8827

Doing a GET on this URL works fine, so the signature is valid. However, the HTTP verb is part of a signed URL in S3, so the same URL can’t work for both GET & HEAD. Apparently the registry is passing a URL expecting docker to use GET (since that’s what the URL is signed for) but the docker client decides to use a HEAD request?

This might very well be a docker upstream issue, but as I can’t see anyone else reporting similar issues, and this seems pretty bad, it seemed best to check with gitlab first.
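The point made in the report above, that the HTTP verb is part of what an S3 presigned URL signs, shown as an added example (not code from the issue, GitLab or Docker): a minimal SigV4 query-signature computation using only the standard library. The bucket host, object path, keys and timestamp are constructed.

```python
import hashlib
import hmac
from urllib.parse import quote


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def s3_query_signature(method, host, path, access_key, secret_key,
                       region, amz_date, expires=1200):
    """SigV4 signature for an S3 presigned URL that signs only the host header."""
    date = amz_date[:8]
    scope = f"{date}/{region}/s3/aws4_request"
    params = {
        "X-Amz-Algorithm": "AWS4-HMAC-SHA256",
        "X-Amz-Credential": f"{access_key}/{scope}",
        "X-Amz-Date": amz_date,
        "X-Amz-Expires": str(expires),
        "X-Amz-SignedHeaders": "host",
    }
    query = "&".join(f"{quote(k, safe='')}={quote(v, safe='')}"
                     for k, v in sorted(params.items()))
    canonical_request = "\n".join([
        method,                 # the HTTP verb is the first signed field
        quote(path, safe="/"),
        query,
        f"host:{host}\n",       # canonical headers, each terminated by a newline
        "host",                 # signed header names
        "UNSIGNED-PAYLOAD",
    ])
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256", amz_date, scope,
        hashlib.sha256(canonical_request.encode()).hexdigest(),
    ])
    key = f"AWS4{secret_key}".encode()
    for part in (date, region, "s3", "aws4_request"):
        key = _hmac(key, part)
    return _hmac(key, string_to_sign).hex()


def s3_would_accept(method_used, presented_signature, **signing_inputs):
    """Storage side: recompute the signature for the verb actually received."""
    expected = s3_query_signature(method_used, **signing_inputs)
    return hmac.compare_digest(expected, presented_signature)


# Constructed inputs; none of these values come from the issue.
INPUTS = dict(
    host="example-registry-bucket.s3.eu-west-1.amazonaws.com",
    path="/docker/registry/v2/blobs/sha256/ab/abcdef/data",
    access_key="AKIAEXAMPLEEXAMPLE00",
    secret_key="constructed-secret-key-for-illustration",
    region="eu-west-1",
    amz_date="20240101T000000Z",
)

if __name__ == "__main__":
    sig = s3_query_signature("GET", **INPUTS)   # URL was signed for GET
    print("GET accepted: ", s3_would_accept("GET", sig, **INPUTS))
    print("HEAD accepted:", s3_would_accept("HEAD", sig, **INPUTS))
```

A HEAD response carries no body, so the rejection reaches the Docker client as a 403 with nothing to parse.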

Troubleshooting the GitLab Container Registry

Basic Troubleshooting

  1. Check to make sure that the system clocks on your Docker client and GitLab server have
    been synchronized (e.g. via NTP).

  2. If you are using an S3-backed Registry, double check that the IAM
    permissions and the S3 credentials (including region) are correct. See the
    sample IAM policy
    for more details.

  3. Check the Registry logs (e.g. /var/log/gitlab/registry/current) and the GitLab production logs
    for errors (e.g. /var/log/gitlab/gitlab-rails/production.log). You may be able to find clues
    there.

Advanced Troubleshooting

NOTE: The following section is only recommended for experts.

Sometimes it’s not obvious what is wrong, and you may need to dive deeper into
the communication between the Docker client and the Registry to find out
what’s wrong. We will use a concrete example from the past to illustrate how to
diagnose a problem with the S3 setup.

Unexpected 403 error during push

A user attempted to enable an S3-backed Registry. The docker login step went
fine. However, when pushing an image, the output showed:

The push refers to a repository [s3-testing.myregistry.com:4567/root/docker-test]
dc5e59c14160: Pushing [==================================================>] 14.85 kB
03c20c1a019a: Pushing [==================================================>] 2.048 kB
a08f14ef632e: Pushing [==================================================>] 2.048 kB
228950524c88: Pushing 2.048 kB
6a8ecde4cc03: Pushing [==>                                                ] 9.901 MB/205.7 MB
5f70bf18a086: Pushing 1.024 kB
737f40e80b7f: Waiting
82b57dbc5385: Waiting
19429b698a22: Waiting
9436069b92a3: Waiting
error parsing HTTP 403 response body: unexpected end of JSON input: ""

This error is ambiguous, as it’s not clear whether the 403 is coming from the
GitLab Rails application, the Docker Registry, or something else. In this
case, since we know that the login succeeded, we probably need to look
at the communication between the client and the Registry.

The REST API between the Docker client and Registry is described
here. Normally, one would just
use Wireshark or tcpdump to capture the traffic and see where things went
wrong. However, since all communication between Docker clients and servers
is done over HTTPS, it’s a bit difficult to decrypt the traffic quickly even
if you know the private key. What can we do instead?

One way would be to disable HTTPS by setting up an insecure
Registry. This could introduce a
security hole and is only recommended for local testing. If you have a
production system and can’t or don’t want to do this, there is another way:
use mitmproxy, which stands for Man-in-the-Middle Proxy.

mitmproxy

mitmproxy allows you to place a proxy between your
client and server to inspect all traffic. One wrinkle is that your system
needs to trust the mitmproxy SSL certificates for this to work.

The following installation instructions assume you are running Ubuntu:

  1. Install mitmproxy (see http://docs.mitmproxy.org/en/stable/install.html)
  2. Run mitmproxy --port 9000 to generate its certificates.
    Press CTRL-C to quit.
  3. Install the certificate from ~/.mitmproxy to your system:

    sudo cp ~/.mitmproxy/mitmproxy-ca-cert.pem /usr/local/share/ca-certificates/mitmproxy-ca-cert.crt
    sudo update-ca-certificates
    

If successful, the output should indicate that a certificate was added:

Updating certificates in /etc/ssl/certs... 1 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d....done.

To verify that the certificates are properly installed, run:

mitmproxy --port 9000

This will run mitmproxy on port 9000. In another window, run:

curl --proxy http://localhost:9000 https://httpbin.org/status/200

If everything is set up correctly, you will see information in the mitmproxy window and
no errors from the curl command.

Running the Docker daemon with a proxy

For Docker to connect through a proxy, you must start the Docker daemon with the
proper environment variables. The easiest way is to shut down Docker (e.g. sudo initctl stop docker)
and then run Docker by hand. As root, run:

export HTTP_PROXY="http://localhost:9000"
export HTTPS_PROXY="https://localhost:9000"
docker daemon --debug

This will launch the Docker daemon and proxy all connections through mitmproxy.

Running the Docker client

Now that we have mitmproxy and Docker running, we can attempt to login and push
a container image. You may need to run as root to do this. For example:

docker login s3-testing.myregistry.com:4567
docker push s3-testing.myregistry.com:4567/root/docker-test

In the example above, we see the following trace on the mitmproxy window:

mitmproxy output from Docker

The above image shows:

  • The initial PUT requests went through fine with a 201 status code.
  • The 201 redirected the client to the S3 bucket.
  • The HEAD request to the AWS bucket reported a 403 Unauthorized.

What does this mean? This strongly suggests that the S3 user does not have the right
permissions to perform a HEAD request.
The solution: check the IAM permissions again.
Once the right permissions are set, the error will go away.
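The manual reading of the mitmproxy trace described above can be automated. The following is an added example, not part of the GitLab documentation: a small mitmproxy addon that records each hop of a push and says whether a 403 came from the Registry or from another host such as the storage backend. The class name, the file name find403.py and the constructed flows at the bottom are assumptions made for illustration.

```python
from types import SimpleNamespace

REGISTRY_HOST = "s3-testing.myregistry.com"  # registry host used in the push above


class Find403:
    """Record each hop of a push and explain where a 403 came from."""

    def __init__(self, registry_host=REGISTRY_HOST):
        self.registry_host = registry_host
        self.hops = []

    def response(self, flow):
        # mitmproxy calls this hook once per completed HTTP response.
        req, resp = flow.request, flow.response
        hop = {
            "method": req.method,
            "host": req.pretty_host,
            "status": resp.status_code,
            "body_bytes": len(resp.content or b""),
        }
        self.hops.append(hop)
        if hop["status"] == 403:
            print(self.explain(hop))

    def explain(self, hop):
        if hop["host"] == self.registry_host:
            origin = "the Registry itself; check the token and the Registry logs"
        else:
            origin = (f"{hop['host']}, not the Registry; check the storage "
                      f"credentials and IAM permissions for {hop['method']}")
        empty = ""
        if hop["body_bytes"] == 0:
            empty = " (empty body, hence the JSON parse error)"
        return f"403 on {hop['method']} from {origin}{empty}"

    def first_403(self):
        return next((h for h in self.hops if h["status"] == 403), None)


addons = [Find403()]  # loaded by: mitmproxy --port 9000 -s find403.py


def constructed_flow(method, host, status, body=b""):
    """Stand-in for a mitmproxy flow, for trying the addon offline."""
    return SimpleNamespace(
        request=SimpleNamespace(method=method, pretty_host=host),
        response=SimpleNamespace(status_code=status, content=body),
    )


if __name__ == "__main__":
    demo = Find403()
    # Constructed sequence mirroring the trace described above.
    for method, host, status in [("PUT", REGISTRY_HOST, 201),
                                 ("HEAD", "example-bucket.s3.amazonaws.com", 403)]:
        demo.response(constructed_flow(method, host, status))
```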

“Unexpected end of JSON input” (or “Uncaught SyntaxError: Unexpected end of JSON input”) is a common error message in JavaScript. It occurs when code tries to convert an invalid JSON string into a native JS object using the JSON.parse() method. This short article clarifies a few things about the error and the possible steps to fix it.

The full form of the message would look like this in the browser’s Console.

    Uncaught SyntaxError: Unexpected end of JSON input
        at JSON.parse (<anonymous>)
        at <your-script-name.js>

The root cause of “Unexpected end of JSON input” is a malformed string passed into the JSON.parse() method.

In most cases, it is due to a missing character in the last position of a JSON string that wraps its objects (such as a closing square bracket ] or curly bracket }).

Sometimes, you may be trying to read an empty JSON file. A valid empty JSON file would still need to have curly brackets to indicate that it contains an empty object.

    // empty.json file contents
    {}

Let’s look at two examples below to clearly understand what’s missing.

Example 1, code containing errors:

    var my_json_string = '{"prop1": 5, "prop2": "New York"';
    var data = JSON.parse(my_json_string);

Example 1, corrected code:

    var my_json_string = '{"prop1": 5, "prop2": "New York"}';
    var data = JSON.parse(my_json_string);

Example 2, code containing errors:

    var my_json_string = '[1, "yellow", 256, "black"';
    var data = JSON.parse(my_json_string);

Example 2, corrected code:

    var my_json_string = '[1, "yellow", 256, "black"]';
    var data = JSON.parse(my_json_string);

In the first example, there’s a missing closing curly bracket at the end of the string. Meanwhile, the second example demonstrates a malformed JSON string with the closing square bracket truncated.


How to fix “Unexpected end of JSON input”

  1. Locate a statement using the JSON.parse() method. In the browser’s console, click on the last line of the exception message (which is a reference to the code block that raised that exception). The browser will then bring you to the actual source code.
  2. Inspect the input of JSON.parse(). There are many ways to do this. You can take a close look at the data to spot the error. Usually it’s at the beginning or the end of the string.
  3. If you use a popular code editor like VS Code, Sublime Text or Atom, you have another way to check the syntax of JSON data: copy all that JSON data to a completely new file, and the editor’s default formatter will highlight the location of the syntax error.
  4. Alternatively, the browser Console also supports highlighting common JSON syntax errors. You would need to click VMxx:x right next to the exception message.

Conclusion

We hope that the article helps you understand why “Unexpected end of JSON input” happens and how you can correct the input to fix it. If you do a lot of JSON manipulation in JavaScript, you may want to check out our guide on JSON end of file expected, which is another very common one. If you have any suggestions or spot an error in the article, feel free to leave a comment below to let us know.

Bug 1749333
Push to registry failing after OCP upgrade with error parsing HTTP 403 response body: unexpected end of JSON input:

Status: CLOSED NOTABUG
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Image Registry
Version: 3.11.0
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: urgent
Target Release: 3.11.z
Assignee: Ricardo Maraschini
QA Contact: Wenjing Zheng
Reported: 2019-09-05 11:51 UTC by Anand Paladugu
Modified: 2019-09-17 23:13 UTC
CC List: 4 users
Last Closed: 2019-09-17 23:13:11 UTC

Attachments:

  • ROUTER LOG (5.00 MB, text/plain), 2019-09-09 16:57 UTC, Anand Paladugu
  • SCREENSHOT OF ROUTES (133.04 KB, image/png), 2019-09-09 16:57 UTC, Anand Paladugu
  • haproxy-config (89.37 KB, text/plain), 2019-09-12 17:45 UTC, Anand Paladugu
  • master-config (6.64 KB, text/plain), 2019-09-12 17:51 UTC, Anand Paladugu
  • production router logs (2.14 MB, application/x-tar), 2019-09-13 12:11 UTC, Anand Paladugu
  • Test router logs (6.50 MB, application/x-tar), 2019-09-13 12:11 UTC, Anand Paladugu
  • docker registry debug logs (502.74 KB, text/plain), 2019-09-16 16:22 UTC, Anand Paladugu
