Docker registry
-
@girish depends on what the community needs. I'm more than happy to have a separate registry + other things as separate apps for those who need it.
If I needed to pick the best registry solution with UI and everything else that's well maintained and suitable for Cloudron, I'd probably look at Quay which supports LDAP auth.
-
Last I checked harbor was impractical to package (as in way too much effort, it's really geared for the k8s crowd). Quay is a good option, but let me get this basic docker registry out first, I am almost there.
-
So strange, I am getting a "invalid checksum digest format" whenever I push now to this registry. Has anyone seen such an error before?
The push refers to repository [xxx.xxx.xxx/cloudron/base] fcdfeda3e242: Layer already exists 0ea3bde29271: Layer already exists d75ccb14b8b6: Layer already exists 74b4389a43ab: Layer already exists 5f38ae1e1a63: Layer already exists 3479c151673d: Layer already exists 7a307b866f25: Layer already exists ce3a66c20e17: Layer already exists 7197b970ebb9: Layer already exists 16542a8fc3be: Layer already exists 6597da2e2e52: Layer already exists 977183d4e999: Layer already exists c8be1b8f4d60: Layer already exists invalid checksum digest format
-
-
-
What I am seeing is that docker doesn't send any authorization header at all. The issue is very similar to https://stackoverflow.com/questions/55516317/docker-login-not-passing-basic-authentication-headers-to-nginx . I can curl just fine.
-
It seems that v2 registry auth does not use the basic bearer based authentication at all. https://docs.docker.com/registry/recipes/nginx/ is possibly obsolete, but I am trying to setup a registry from scratch now to double check.
-
@mario thanks! i needed such a confident statement to help me keep looking further
I managed to get it to work. The issue is that proxyAuth on an auth fail redirects to the login page. But the docker registry wants it to return a 401 with a www-authenticate header. The header also causes issues with browsers since it starts popping up the login dialog.
In essence, even though the basic auth works, proxyAuth is not compatible. I thought about adding an flag to the manifest to have a different behavior but then again I don't like the current approach where we just install this registry and land on an empty page (any page even some static html with instructions would be better).
I ended up packaging it together the docker registry UI and a small LDAP server (from https://git.cloudron.io/cloudron/cloudron-serve). I haven't pushed the changes since they are not working entirely. But it's what I am working on in parallel with getting 6.1 out.
-
@fbartels said in Docker registry:
That sounds intriguing. What role does the ldap server serve? Just for auth against the registry ui?
Yes, pretty much. It's just a proxy that redirects to login page and auths against LDAP. The code itself is very small, just ~100 lines or so.