Docker registry
-
@girish Are you on 6.1 ? Maybe your 2FA implementation broke something with the basic auth ?
-
@mehdi yeah, I had that in mind and tried with 6.0 as well. It fails the same. I am pretty sure this worked when I tested it back then, so I must have broken something!
-
It seems that v2 registry auth does not use the basic bearer based authentication at all. https://docs.docker.com/registry/recipes/nginx/ is possibly obsolete, but I am trying to setup a registry from scratch now to double check.
-
@mario thanks! I needed such a confident statement to help me keep looking further.

I managed to get it to work. The issue is that proxyAuth on an auth fail redirects to the login page. But the docker registry wants it to return a 401 with a WWW-Authenticate header. The header also causes issues with browsers since it starts popping up the login dialog.
In essence, even though the basic auth works, proxyAuth is not compatible. I thought about adding a flag to the manifest to have a different behavior, but then again I don't like the current approach where we just install this registry and land on an empty page (any page, even some static html with instructions, would be better).
I ended up packaging it together with the docker registry UI and a small LDAP server (from https://git.cloudron.io/cloudron/cloudron-serve). I haven't pushed the changes since they are not working entirely. But it's what I am working on in parallel with getting 6.1 out.
-
@girish said in Docker registry:
I ended up packaging it together with the docker registry UI and a small LDAP server
That sounds intriguing. What role does the LDAP server serve? Just for auth against the registry UI?
@fbartels said in Docker registry:
That sounds intriguing. What role does the LDAP server serve? Just for auth against the registry UI?
Yes, pretty much. It's just a proxy that redirects to the login page and auths against LDAP. The code itself is very small, just ~100 lines or so.
-
@girish I think the best approach would be to do a bit of user-agent parsing magic... Yeah, it would be quite specific for this use-case, but

@mehdi Right, I considered the UA string hack, but I think dropping users on a blank page is a bit rough. So, my first step was to do the UA testing with nginx in the app itself. But that brought the dreaded browser auth modal dialog, which I really dislike. It's the main reason I ended up making proxyAuth in the first place.
So.. I ended up making a node server.
-
@girish No, I mean, after testing you could keep the proxyAuth, but do a test on the proxyAuth that could show the page for browsers and send the expected 401 for the docker client. Then we could have the best of both worlds: integration with platform LDAP, a simple registry UI, and a working CLI.
-
@girish No, I mean, after testing you could keep the proxyAuth, but do a test on the proxyAuth that could show the page for browsers and send the expected 401 for the docker client. Then we could have the best of both worlds: integration with platform LDAP, a simple registry UI, and a working CLI.
@mehdi Ah, I understand you better now. I am actually ok to add this hack in the proxy auth code. We will still need some nginx/apache in the app code though to serve the registry UI (which is just static html).
Suddenly, I am tempted to abandon my node server because I am struggling to make this proxy middleware work. It seems to have some bug with PATCH requests, which the docker registry uses.
-
Adding Quay
https://github.com/quay/quay
Project Quay builds, stores, and distributes your container images. High-level features include:
- Docker Registry Protocol v2
- Docker Manifest Schema v2.1, v2.2
- AppC Image Discovery via on-demand transcoding
- Image Squashing via on-demand transcoding
- Authentication provided by LDAP, Keystone, OIDC, Google, and GitHub
- ACLs, team management, and auditability logs
- Geo-replicated storage provided by local filesystems, S3, GCS, Swift, and Ceph
- Continuous Integration integrated with GitHub, Bitbucket, GitLab, and git
- Security Vulnerability Analysis via Clair
- Swagger-compliant HTTP API
-
@robi Thanks,
Quay is a free alternative to Docker Hub. Hopefully, Cloudron makes good use of it... ?
@LoudLemur You can already use it by pointing your Cloudron to it.