Cloudron makes it easy to run web apps like WordPress, Nextcloud, GitLab on your server. Find out more or install now.


Skip to content
  • Categories
  • Recent
  • Tags
  • Popular
  • Bookmarks
  • Search
Skins
  • Light
  • Cerulean
  • Cosmo
  • Flatly
  • Journal
  • Litera
  • Lumen
  • Lux
  • Materia
  • Minty
  • Morph
  • Pulse
  • Sandstone
  • Simplex
  • Sketchy
  • Spacelab
  • United
  • Yeti
  • Zephyr
  • Dark
  • Cyborg
  • Darkly
  • Quartz
  • Slate
  • Solar
  • Superhero
  • Vapor

  • Default (No Skin)
  • No Skin
Collapse
Brand Logo

Cloudron Forum

Apps | Demo | Docs | Install
  1. Cloudron Forum
  2. App Wishlist
  3. Docker registry

Docker registry

Scheduled Pinned Locked Moved Solved App Wishlist
65 Posts 9 Posters 28.3k Views 12 Watching
  • Oldest to Newest
  • Newest to Oldest
  • Most Votes
Reply
  • Reply as topic
Log in to reply
This topic has been deleted. Only users with topic management privileges can see it.
  • jimcavoliJ Offline
    jimcavoliJ Offline
    jimcavoli
    App Dev
    wrote on last edited by
    #43

    Yeah, Quay and Harbor are definitely the big players in this space. Very similar products - harbor is CNCF graduated and Quay is upstream for the corresponding Red Hat product. Either (or both) would be good UI adds.

    marioM 1 Reply Last reply
    1
    • girishG Offline
      girishG Offline
      girish
      Staff
      wrote on last edited by
      #44

      Last I checked harbor was impractical to package (as in way too much effort, it's really geared for the k8s crowd). Quay is a good option, but let me get this basic docker registry out first, I am almost there.

      1 Reply Last reply
      3
      • jimcavoliJ jimcavoli

        Yeah, Quay and Harbor are definitely the big players in this space. Very similar products - harbor is CNCF graduated and Quay is upstream for the corresponding Red Hat product. Either (or both) would be good UI adds.

        marioM Offline
        marioM Offline
        mario
        App Dev
        wrote on last edited by
        #45

        @jimcavoli Quay afaik implements the protocol as well, so no need for registry separately.

        1 Reply Last reply
        0
        • girishG Offline
          girishG Offline
          girish
          Staff
          wrote on last edited by
          #46

          So strange, I am getting a "invalid checksum digest format" whenever I push now to this registry. Has anyone seen such an error before?

          The push refers to repository [xxx.xxx.xxx/cloudron/base]
          fcdfeda3e242: Layer already exists 
          0ea3bde29271: Layer already exists 
          d75ccb14b8b6: Layer already exists 
          74b4389a43ab: Layer already exists 
          5f38ae1e1a63: Layer already exists 
          3479c151673d: Layer already exists 
          7a307b866f25: Layer already exists 
          ce3a66c20e17: Layer already exists 
          7197b970ebb9: Layer already exists 
          16542a8fc3be: Layer already exists 
          6597da2e2e52: Layer already exists 
          977183d4e999: Layer already exists 
          c8be1b8f4d60: Layer already exists 
          invalid checksum digest format
          
          marioM 1 Reply Last reply
          0
          • girishG girish

            So strange, I am getting a "invalid checksum digest format" whenever I push now to this registry. Has anyone seen such an error before?

            The push refers to repository [xxx.xxx.xxx/cloudron/base]
            fcdfeda3e242: Layer already exists 
            0ea3bde29271: Layer already exists 
            d75ccb14b8b6: Layer already exists 
            74b4389a43ab: Layer already exists 
            5f38ae1e1a63: Layer already exists 
            3479c151673d: Layer already exists 
            7a307b866f25: Layer already exists 
            ce3a66c20e17: Layer already exists 
            7197b970ebb9: Layer already exists 
            16542a8fc3be: Layer already exists 
            6597da2e2e52: Layer already exists 
            977183d4e999: Layer already exists 
            c8be1b8f4d60: Layer already exists 
            invalid checksum digest format
            
            marioM Offline
            marioM Offline
            mario
            App Dev
            wrote on last edited by
            #47

            @girish local filesystem?

            girishG 1 Reply Last reply
            0
            • marioM mario

              @girish local filesystem?

              girishG Offline
              girishG Offline
              girish
              Staff
              wrote on last edited by girish
              #48

              @mario Yes, with the local storage. I wonder if it's something to do with the proxy auth. I am trying it without auth now.

              edit: indeed, something to do with the proxy auth. It works fine without proxy auth. Debugging.

              mehdiM 1 Reply Last reply
              0
              • girishG girish

                @mario Yes, with the local storage. I wonder if it's something to do with the proxy auth. I am trying it without auth now.

                edit: indeed, something to do with the proxy auth. It works fine without proxy auth. Debugging.

                mehdiM Offline
                mehdiM Offline
                mehdi
                App Dev
                wrote on last edited by
                #49

                @girish Are you on 6.1 ? Maybe your 2FA implementation broke something with the basic auth ?

                girishG 1 Reply Last reply
                0
                • mehdiM mehdi

                  @girish Are you on 6.1 ? Maybe your 2FA implementation broke something with the basic auth ?

                  girishG Offline
                  girishG Offline
                  girish
                  Staff
                  wrote on last edited by
                  #50

                  @mehdi yeah, i had that in mind and tried with 6.0 as well. fails the same. I am pretty sure this worked when I tested it back then, so I must have broke something !

                  mehdiM 1 Reply Last reply
                  0
                  • girishG girish

                    @mehdi yeah, i had that in mind and tried with 6.0 as well. fails the same. I am pretty sure this worked when I tested it back then, so I must have broke something !

                    mehdiM Offline
                    mehdiM Offline
                    mehdi
                    App Dev
                    wrote on last edited by
                    #51

                    @girish You can try with an app-password, or try another Basic Auth ProxyAuth app, like Transmission (with an android app or a browser extension)

                    1 Reply Last reply
                    0
                    • girishG Offline
                      girishG Offline
                      girish
                      Staff
                      wrote on last edited by
                      #52

                      What I am seeing is that docker doesn't send any authorization header at all. The issue is very similar to https://stackoverflow.com/questions/55516317/docker-login-not-passing-basic-authentication-headers-to-nginx . I can curl just fine.

                      1 Reply Last reply
                      0
                      • girishG Offline
                        girishG Offline
                        girish
                        Staff
                        wrote on last edited by
                        #53

                        It seems that v2 registry auth does not use the basic bearer based authentication at all. https://docs.docker.com/registry/recipes/nginx/ is possibly obsolete, but I am trying to setup a registry from scratch now to double check.

                        marioM mehdiM 2 Replies Last reply
                        2
                        • girishG girish

                          It seems that v2 registry auth does not use the basic bearer based authentication at all. https://docs.docker.com/registry/recipes/nginx/ is possibly obsolete, but I am trying to setup a registry from scratch now to double check.

                          marioM Offline
                          marioM Offline
                          mario
                          App Dev
                          wrote on last edited by
                          #54

                          @girish it definitely can, that's how GitLab etc integration works.

                          girishG 1 Reply Last reply
                          0
                          • girishG girish

                            It seems that v2 registry auth does not use the basic bearer based authentication at all. https://docs.docker.com/registry/recipes/nginx/ is possibly obsolete, but I am trying to setup a registry from scratch now to double check.

                            mehdiM Offline
                            mehdiM Offline
                            mehdi
                            App Dev
                            wrote on last edited by
                            #55

                            @girish Their doc indeed appears to be outdated. Different pages seem to indicate different things ...

                            1 Reply Last reply
                            0
                            • marioM mario

                              @girish it definitely can, that's how GitLab etc integration works.

                              girishG Offline
                              girishG Offline
                              girish
                              Staff
                              wrote on last edited by girish
                              #56

                              @mario thanks! i needed such a confident statement to help me keep looking further 🙂

                              I managed to get it to work. The issue is that proxyAuth on an auth fail redirects to the login page. But the docker registry wants it to return a 401 with a www-authenticate header. The header also causes issues with browsers since it starts popping up the login dialog.

                              In essence, even though the basic auth works, proxyAuth is not compatible. I thought about adding an flag to the manifest to have a different behavior but then again I don't like the current approach where we just install this registry and land on an empty page (any page even some static html with instructions would be better).

                              I ended up packaging it together the docker registry UI and a small LDAP server (from https://git.cloudron.io/cloudron/cloudron-serve). I haven't pushed the changes since they are not working entirely. But it's what I am working on in parallel with getting 6.1 out.

                              fbartelsF mehdiM 2 Replies Last reply
                              4
                              • girishG girish

                                @mario thanks! i needed such a confident statement to help me keep looking further 🙂

                                I managed to get it to work. The issue is that proxyAuth on an auth fail redirects to the login page. But the docker registry wants it to return a 401 with a www-authenticate header. The header also causes issues with browsers since it starts popping up the login dialog.

                                In essence, even though the basic auth works, proxyAuth is not compatible. I thought about adding an flag to the manifest to have a different behavior but then again I don't like the current approach where we just install this registry and land on an empty page (any page even some static html with instructions would be better).

                                I ended up packaging it together the docker registry UI and a small LDAP server (from https://git.cloudron.io/cloudron/cloudron-serve). I haven't pushed the changes since they are not working entirely. But it's what I am working on in parallel with getting 6.1 out.

                                fbartelsF Offline
                                fbartelsF Offline
                                fbartels
                                App Dev
                                wrote on last edited by
                                #57

                                @girish said in Docker registry:

                                I ended up packaging it together the docker registry UI and a small LDAP server

                                That sounds intriguing. What role does the ldap server serve? Just for auth against the registry ui?

                                girishG 1 Reply Last reply
                                0
                                • girishG girish

                                  @mario thanks! i needed such a confident statement to help me keep looking further 🙂

                                  I managed to get it to work. The issue is that proxyAuth on an auth fail redirects to the login page. But the docker registry wants it to return a 401 with a www-authenticate header. The header also causes issues with browsers since it starts popping up the login dialog.

                                  In essence, even though the basic auth works, proxyAuth is not compatible. I thought about adding an flag to the manifest to have a different behavior but then again I don't like the current approach where we just install this registry and land on an empty page (any page even some static html with instructions would be better).

                                  I ended up packaging it together the docker registry UI and a small LDAP server (from https://git.cloudron.io/cloudron/cloudron-serve). I haven't pushed the changes since they are not working entirely. But it's what I am working on in parallel with getting 6.1 out.

                                  mehdiM Offline
                                  mehdiM Offline
                                  mehdi
                                  App Dev
                                  wrote on last edited by
                                  #58

                                  @girish I think the best approach would be to do a bit of user-agent parsing magic... Yeah, it would be quite specific for this use-case, but 🤷

                                  girishG 1 Reply Last reply
                                  0
                                  • fbartelsF fbartels

                                    @girish said in Docker registry:

                                    I ended up packaging it together the docker registry UI and a small LDAP server

                                    That sounds intriguing. What role does the ldap server serve? Just for auth against the registry ui?

                                    girishG Offline
                                    girishG Offline
                                    girish
                                    Staff
                                    wrote on last edited by
                                    #59

                                    @fbartels said in Docker registry:

                                    That sounds intriguing. What role does the ldap server serve? Just for auth against the registry ui?

                                    Yes, pretty much. It's just a proxy that redirects to login page and auths against LDAP. The code itself is very small, just ~100 lines or so.

                                    1 Reply Last reply
                                    0
                                    • mehdiM mehdi

                                      @girish I think the best approach would be to do a bit of user-agent parsing magic... Yeah, it would be quite specific for this use-case, but 🤷

                                      girishG Offline
                                      girishG Offline
                                      girish
                                      Staff
                                      wrote on last edited by
                                      #60

                                      @mehdi Right, I considered UA string hack but I think dropping users in a blank page is a bit rough. So, my first step was to do the UA testing with nginx in the app itself. But, that brought the dreaded browser auth modal dialog which I really dislike. It's the main reason I ended up making proxyAuth in the first place 😉 So.. I ended up making a node server.

                                      mehdiM 1 Reply Last reply
                                      0
                                      • girishG girish

                                        @mehdi Right, I considered UA string hack but I think dropping users in a blank page is a bit rough. So, my first step was to do the UA testing with nginx in the app itself. But, that brought the dreaded browser auth modal dialog which I really dislike. It's the main reason I ended up making proxyAuth in the first place 😉 So.. I ended up making a node server.

                                        mehdiM Offline
                                        mehdiM Offline
                                        mehdi
                                        App Dev
                                        wrote on last edited by
                                        #61

                                        @girish No, I mean, after testing you could keep the proxyAuth, but do a test on the proxyAuth that could show the page for browsers, and send the expected 401 for docker client. Then we could have the best of both worlds : integration with platform LDAP, a simple registry UI, and working CLI.

                                        girishG 1 Reply Last reply
                                        2
                                        • mehdiM mehdi

                                          @girish No, I mean, after testing you could keep the proxyAuth, but do a test on the proxyAuth that could show the page for browsers, and send the expected 401 for docker client. Then we could have the best of both worlds : integration with platform LDAP, a simple registry UI, and working CLI.

                                          girishG Offline
                                          girishG Offline
                                          girish
                                          Staff
                                          wrote on last edited by
                                          #62

                                          @mehdi Ah, understood you better now. I am actually ok to add this hack in proxy auth code. We will still need some nginx/apache in the app code though to serve the registry UI (which is just static html).

                                          Suddenly, I am tempted to abandon my node server because I am struggling to make this proxy middleware work. It seems to have some bug with PATCH requests which docker registry uses.

                                          1 Reply Last reply
                                          0
                                          Reply
                                          • Reply as topic
                                          Log in to reply
                                          • Oldest to Newest
                                          • Newest to Oldest
                                          • Most Votes


                                          • Login

                                          • Don't have an account? Register

                                          • Login or register to search.
                                          • First post
                                            Last post
                                          0
                                          • Categories
                                          • Recent
                                          • Tags
                                          • Popular
                                          • Bookmarks
                                          • Search