https://bugzilla.redhat.com/show_bug.cgi?id=1037830 --- Comment #1 from John Eckersberg <jeckersb(a)redhat.com&gt; --- Ok, some more detail at least on the "Authentication is required" bit. GetRemoteHistory contains the following line: req.Header.Set("Authorization", "Token "+strings.Join(token, ", ")) However, token is a slice with only a single element, and this single string appears to be a previously joined list of tokens. Most importantly is that it appears to have been joined with "," instead of ", " and that makes a difference. Here's two curl calls to illustrate the difference. The first doesn't contain the extra space after the comma, and this is the way the code as written is sending the request. You can see it returns a 401 status code (Unauthorized). $ curl -i https://cdn-registry-1.docker.io/v1/images/a567e6f3d26a5736d00a5e9be9a609... --header 'Authorization: Token signature=545980deb5d0238c5c1fdbe4bc20867932fa8aee,repository="mattdm/fedora",access=read' HTTP/1.1 401 Unauthorized Server: cloudflare-nginx Date: Wed, 04 Dec 2013 00:28:12 GMT Content-Type: application/json Content-Length: 41 Connection: keep-alive Set-Cookie: __cfduid=de296b6a53b52e2ff5883a0e6b303fc811386116891989; expires=Mon, 23-Dec-2019 23:50:00 GMT; path=/; domain=.docker.io; HttpOnly expires: -1 www-authenticate: Token pragma: no-cache cache-control: no-cache x-docker-registry-version: 0.6.2 x-docker-registry-config: prod CF-RAY: d74600eeb9c03f4 { "error": "Requires authorization" } The second call adds that extra space, and completes successfully. $ curl -i https://cdn-registry-1.docker.io/v1/images/a567e6f3d26a5736d00a5e9be9a609... --header 'Authorization: Token ignature=545980deb5d0238c5c1fdbe4bc20867932fa8aee, repository="mattdm/fedora", access=read' HTTP/1.1 200 OK Server: cloudflare-nginx Date: Wed, 04 Dec 2013 00:28:26 GMT Content-Type: application/json Content-Length: 74 Connection: keep-alive Set-Cookie: __cfduid=d493453bb50165de54a9a9cc1021b890d1386116906549; expires=Mon, 23-Dec-2019 23:50:00 GMT; path=/; domain=.docker.io; HttpOnly last-modified: Thu, 01 Jan 1970 00:00:00 GMT pragma: no-cache cache-control: public, max-age=31536000 expires: Thu, 04 Dec 2014 00:28:26 GMT x-docker-registry-version: 0.6.2 x-docker-registry-config: prod CF-RAY: d746069e53c03fa [ "a567e6f3d26a5736d00a5e9be9a609b44ab13f0e43fc466f45beaa7ea9054766" ] I'm assuming that part of the bug is that the token string slice shouldn't ever be passed in like this. I still need to trace it back and figure out where it's getting joined ahead of time. That's probably the right place to fix it. I see nine places in registry.go where it sets the Authorization header in this manner. -- You are receiving this mail because: You are on the CC list for the bug.

https://bugzilla.redhat.com/show_bug.cgi?id=1037830 --- Comment #3 from John Eckersberg <jeckersb(a)redhat.com&gt; --- I've provisioned a clean RHEL 6.5 VM and cannot reproduce this issue there, so whatever the issue is seems to be isolated to this one system. Also of note is that I get the exact same error if I use the docker binary as provided upstream here - https://docs.docker.io/en/latest/installation/binaries/ - so whatever is going on isn't a packaging issue. -- You are receiving this mail because: You are on the CC list for the bug.

https://bugzilla.redhat.com/show_bug.cgi?id=1037830 --- Comment #5 from John Eckersberg <jeckersb(a)redhat.com&gt; --- I think you'll get the 404 at the end if any of the downloads fail. I think this patch upstream fixes that part: https://github.com/dotcloud/docker/commit/d47507791e14908e78cf38d415a9863... -- You are receiving this mail because: You are on the CC list for the bug.

https://bugzilla.redhat.com/show_bug.cgi?id=1037830 Daniel Walsh <dwalsh(a)redhat.com&gt; changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |CLOSED Resolution|--- |CURRENTRELEASE Last Closed| |2014-05-28 14:19:03 -- You are receiving this mail because: You are on the CC list for the bug.