Docker registry
-
So strange, I am getting a "invalid checksum digest format" whenever I push now to this registry. Has anyone seen such an error before?
The push refers to repository [xxx.xxx.xxx/cloudron/base] fcdfeda3e242: Layer already exists 0ea3bde29271: Layer already exists d75ccb14b8b6: Layer already exists 74b4389a43ab: Layer already exists 5f38ae1e1a63: Layer already exists 3479c151673d: Layer already exists 7a307b866f25: Layer already exists ce3a66c20e17: Layer already exists 7197b970ebb9: Layer already exists 16542a8fc3be: Layer already exists 6597da2e2e52: Layer already exists 977183d4e999: Layer already exists c8be1b8f4d60: Layer already exists invalid checksum digest format -
@mario Yes, with the local storage. I wonder if it's something to do with the proxy auth. I am trying it without auth now.
edit: indeed, something to do with the proxy auth. It works fine without proxy auth. Debugging.
-
@girish Are you on 6.1 ? Maybe your 2FA implementation broke something with the basic auth ?
-
@mehdi yeah, i had that in mind and tried with 6.0 as well. fails the same. I am pretty sure this worked when I tested it back then, so I must have broke something !
-
It seems that v2 registry auth does not use the basic bearer based authentication at all. https://docs.docker.com/registry/recipes/nginx/ is possibly obsolete, but I am trying to setup a registry from scratch now to double check.
-
It seems that v2 registry auth does not use the basic bearer based authentication at all. https://docs.docker.com/registry/recipes/nginx/ is possibly obsolete, but I am trying to setup a registry from scratch now to double check.
-
It seems that v2 registry auth does not use the basic bearer based authentication at all. https://docs.docker.com/registry/recipes/nginx/ is possibly obsolete, but I am trying to setup a registry from scratch now to double check.
-
@mario thanks! i needed such a confident statement to help me keep looking further
I managed to get it to work. The issue is that proxyAuth on an auth fail redirects to the login page. But the docker registry wants it to return a 401 with a www-authenticate header. The header also causes issues with browsers since it starts popping up the login dialog.
In essence, even though the basic auth works, proxyAuth is not compatible. I thought about adding an flag to the manifest to have a different behavior but then again I don't like the current approach where we just install this registry and land on an empty page (any page even some static html with instructions would be better).
I ended up packaging it together the docker registry UI and a small LDAP server (from https://git.cloudron.io/cloudron/cloudron-serve). I haven't pushed the changes since they are not working entirely. But it's what I am working on in parallel with getting 6.1 out.
-
@mario thanks! i needed such a confident statement to help me keep looking further
I managed to get it to work. The issue is that proxyAuth on an auth fail redirects to the login page. But the docker registry wants it to return a 401 with a www-authenticate header. The header also causes issues with browsers since it starts popping up the login dialog.
In essence, even though the basic auth works, proxyAuth is not compatible. I thought about adding an flag to the manifest to have a different behavior but then again I don't like the current approach where we just install this registry and land on an empty page (any page even some static html with instructions would be better).
I ended up packaging it together the docker registry UI and a small LDAP server (from https://git.cloudron.io/cloudron/cloudron-serve). I haven't pushed the changes since they are not working entirely. But it's what I am working on in parallel with getting 6.1 out.
-
@mario thanks! i needed such a confident statement to help me keep looking further
I managed to get it to work. The issue is that proxyAuth on an auth fail redirects to the login page. But the docker registry wants it to return a 401 with a www-authenticate header. The header also causes issues with browsers since it starts popping up the login dialog.
In essence, even though the basic auth works, proxyAuth is not compatible. I thought about adding an flag to the manifest to have a different behavior but then again I don't like the current approach where we just install this registry and land on an empty page (any page even some static html with instructions would be better).
I ended up packaging it together the docker registry UI and a small LDAP server (from https://git.cloudron.io/cloudron/cloudron-serve). I haven't pushed the changes since they are not working entirely. But it's what I am working on in parallel with getting 6.1 out.
-
@girish said in Docker registry:
I ended up packaging it together the docker registry UI and a small LDAP server
That sounds intriguing. What role does the ldap server serve? Just for auth against the registry ui?
@fbartels said in Docker registry:
That sounds intriguing. What role does the ldap server serve? Just for auth against the registry ui?
Yes, pretty much. It's just a proxy that redirects to login page and auths against LDAP. The code itself is very small, just ~100 lines or so.
-
@girish I think the best approach would be to do a bit of user-agent parsing magic... Yeah, it would be quite specific for this use-case, but
@mehdi Right, I considered UA string hack but I think dropping users in a blank page is a bit rough. So, my first step was to do the UA testing with nginx in the app itself. But, that brought the dreaded browser auth modal dialog which I really dislike. It's the main reason I ended up making proxyAuth in the first place
So.. I ended up making a node server. -
@mehdi Right, I considered UA string hack but I think dropping users in a blank page is a bit rough. So, my first step was to do the UA testing with nginx in the app itself. But, that brought the dreaded browser auth modal dialog which I really dislike. It's the main reason I ended up making proxyAuth in the first place
So.. I ended up making a node server.@girish No, I mean, after testing you could keep the proxyAuth, but do a test on the proxyAuth that could show the page for browsers, and send the expected 401 for docker client. Then we could have the best of both worlds : integration with platform LDAP, a simple registry UI, and working CLI.
-
@girish No, I mean, after testing you could keep the proxyAuth, but do a test on the proxyAuth that could show the page for browsers, and send the expected 401 for docker client. Then we could have the best of both worlds : integration with platform LDAP, a simple registry UI, and working CLI.
@mehdi Ah, understood you better now. I am actually ok to add this hack in proxy auth code. We will still need some nginx/apache in the app code though to serve the registry UI (which is just static html).
Suddenly, I am tempted to abandon my node server because I am struggling to make this proxy middleware work. It seems to have some bug with PATCH requests which docker registry uses.
-
Adding Quay
https://github.com/quay/quay
Project Quay builds, stores, and distributes your container images.High-level features include:
- Docker Registry Protocol v2
- Docker Manifest Schema v2.1, v2.2
- AppC Image Discovery via on-demand transcoding
- Image Squashing via on-demand transcoding
- Authentication provided by LDAP, Keystone, OIDC, Google, and GitHub
- ACLs, team management, and auditability logs
- Geo-replicated storage provided by local filesystems, S3, GCS, Swift, and Ceph
- Continuous Integration integrated with GitHub, Bitbucket, GitLab, and git
- Security Vulnerability Analysis via Clair
- Swagger-compliant HTTP API
-
@robi Thanks,
Quay is a Free alternative to DockerHub. Hopefully, Cloudron makes good use of it... ?
@LoudLemur You can already use it by pointing your Cloudron to it.
-
G girish marked this topic as a question on
-
G girish has marked this topic as solved on
