Comments (13)
I've spent a lot of time trying to work on this, but I've ended up getting stuck on auth in the new API. I'm going to write down my current state and issue, and hopefully someone else can tell me where things are going wrong.
Any requests I make against the v2 registry at registry-1.docker.io return a 401 Unauthorized, which is expected. It sets the www-authenticate header to something like:
Www-Authenticate: Bearer realm="https://auth.docker.io/token",service="registry.docker.io",scope="repository:centos:pull"
According to the docs that describe the auth process (https://docs.docker.com/registry/spec/auth/token/), after getting this 401 error the client should go get an auth token based on that header. This just requires making a GET request against the realm specified, with the GET parameters service and scope set to the values from the header.
curl -v "https://auth.docker.io/token?service=registry.docker.io&scope=repository:coreos:pull"
That results in a token being returned (what the token contains is documented at https://docs.docker.com/registry/spec/auth/jwt/). There are 3 sections, separated by a ".", and the second one is a base64 encoded JSON blob, in which it'll describe what things the token is good for accessing.
Every token I've gotten has had the access array in that 2nd section empty, which means it doesn't have permission to access anything, and using it just results in more 401 Unauthorized responses with identical www-authenticate headers set.
from docker2aci.
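The flow the comment above walks through, as an added example in Go (docker2aci's language) that is not code from the thread or from the docker2aci project: parse the Bearer challenge out of WWW-Authenticate, build the token-endpoint URL from realm/service/scope, then split the returned JWT, decode its second segment and check the access array before spending a request on the token. The two tokens are constructed samples whose signature segments are placeholders; the grant check targets library/centos, the namespace Docker Hub uses for official images, which is an assumption about the target and not something the thread states; and Challenge, ParseBearerChallenge, TokenURL, DecodeAccess and Grants are this example's own names.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// Challenge holds the realm/service/scope parameters of the Bearer challenge a v2 registry sends in WWW-Authenticate with its 401.
type Challenge map[string]string
var paramRE = regexp.MustCompile(`(\w+)="([^"]*)"`) // one key="value" pair of the challenge

// ParseBearerChallenge parses the WWW-Authenticate value; anything other than a Bearer challenge naming a realm is rejected, not guessed at.
func ParseBearerChallenge(header string) (Challenge, error) {
	scheme, rest, _ := strings.Cut(strings.TrimSpace(header), " ")
	if !strings.EqualFold(scheme, "Bearer") {
		return nil, fmt.Errorf("unsupported auth scheme %q", scheme)
	}
	ch := Challenge{}
	for _, m := range paramRE.FindAllStringSubmatch(rest, -1) {
		ch[strings.ToLower(m[1])] = m[2]
	}
	if ch["realm"] == "" {
		return nil, fmt.Errorf("challenge has no realm: %q", header)
	}
	return ch, nil
}

// TokenURL is the GET target for the token endpoint: the realm with service and scope copied into the query string.
// Non-https realms are refused so that Basic credentials sent with that request can never travel in the clear.
func TokenURL(ch Challenge) (string, error) {
	u, err := url.Parse(ch["realm"])
	if err != nil || u.Scheme != "https" {
		return "", fmt.Errorf("refusing realm %q (parse error: %v)", ch["realm"], err)
	}
	q := u.Query()
	for _, k := range []string{"service", "scope"} {
		if ch[k] != "" {
			q.Set(k, ch[k])
		}
	}
	u.RawQuery = q.Encode()
	return u.String(), nil
}

// AccessEntry is one element of the token's "access" claim, the only part of the JWT payload a client needs to look at.
type AccessEntry struct {
	Type    string   `json:"type"`
	Name    string   `json:"name"`
	Actions []string `json:"actions"`
}

// DecodeAccess splits the compact JWT (header.payload.signature) and decodes the access claim. The signature is NOT
// verified here: only the registry, holding the token server's key, can do that; the client merely reads its grants.
func DecodeAccess(token string) ([]AccessEntry, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("want 3 dot-separated JWT segments, got %d", len(parts))
	}
	// Segments are unpadded base64url; the TrimRight tolerates an issuer that pads anyway.
	raw, err := base64.RawURLEncoding.DecodeString(strings.TrimRight(parts[1], "="))
	if err != nil {
		return nil, fmt.Errorf("payload is not base64url: %w", err)
	}
	var claims struct{ Access []AccessEntry `json:"access"` }
	if err := json.Unmarshal(raw, &claims); err != nil {
		return nil, fmt.Errorf("payload is not JSON: %w", err)
	}
	return claims.Access, nil
}

// Grants reports whether the access claim allows action on the named resource; an empty access array, as seen in the thread, makes it false for everything.
func Grants(access []AccessEntry, typ, name, action string) bool {
	for _, a := range access {
		for _, act := range a.Actions {
			if a.Type == typ && a.Name == name && act == action {
				return true
			}
		}
	}
	return false
}

// Constructed sample tokens (signature segment is a placeholder, not a real signature): an anonymous token with no grants, and one that grants pull.
var (
	enc        = base64.RawURLEncoding.EncodeToString
	jwtHeader  = enc([]byte(`{"alg":"RS256","typ":"JWT"}`)) + "."
	EmptyToken = jwtHeader + enc([]byte(`{"iss":"auth.docker.io","access":[]}`)) + ".sig"
	PullToken  = jwtHeader + enc([]byte(`{"iss":"auth.docker.io","access":[{"type":"repository","name":"library/centos","actions":["pull"]}]}`)) + ".sig"
)

func main() {
	ch, _ := ParseBearerChallenge(`Bearer realm="https://auth.docker.io/token",service="registry.docker.io",scope="repository:library/centos:pull"`)
	fmt.Println(TokenURL(ch))
	for _, tok := range []string{EmptyToken, PullToken} {
		access, _ := DecodeAccess(tok)
		fmt.Println(len(access), "access entries; pull library/centos:", Grants(access, "repository", "library/centos", "pull"))
	}
}
```

Run it with go run. For a private repository the GET built from TokenURL would carry HTTP Basic credentials, set with (*http.Request).SetBasicAuth before the request is sent; anonymously it yields whatever the token server grants the public. The decode step deliberately skips signature verification, since the client has no key to check it with; what the client can check, before sending a request the registry will answer with another 401, is whether the access array actually covers the repository and action it is about to use.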
Two things to consider -- one big use case is unauthenticated private registries, for which the authentication is not relevant. So maybe that part can be finished first, independent of public registry support.
Second, maybe this is a good question to post to either the docker/distribution repo or the mailing lists?
from docker2aci.
Are you aware of an unauthenticated registry I could test this against? I'm pretty sure I could get this working without too much trouble if the auth was irrelevant.
I guess I'll send something to one of the mailing lists, hopefully someone will know what's up.
from docker2aci.
I'm not aware of any publicly accessible ones, but running a test instance locally is nearly trivial
from docker2aci.
@dgonyeo have you tried actually passing basic auth credentials..?
from docker2aci.
Pretty sure I did, but I'll double check that again when I get to the office. I don't believe we should need creds though for the public docker hub.
from docker2aci.
Well I now have docker2aci supporting the v2 api, and even better it's able to gracefully drop back to the v1 api if the v2 api isn't supported. Still doesn't support auth though, so after I spend some time making the v2 code less messy I'll take another shot at figuring that out.
from docker2aci.
nice! Do you want to put up a preliminary PR for v2-sans-auth?
from docker2aci.
I'm working on adding authentication support for v2 registries (if anybody is doing it right now)
from docker2aci.
Oh hey, this issue probably should've been closed when #99 was merged. I would've expected that PR to support authentication, but I can't remember if I tested it or not.
If you're interested in adding authentication support, please check that it's not already supported, and if it's not then thanks for the help!
from docker2aci.
from my tests:
- auth against private registries with basic authentication isn't supported
- auth against the public Docker registry with a private repository isn't supported
- insecure registries wrongly try endpoints w/o disabling TLS in the client
- layers aren't fixed before download
I'm making a PR to address the points above
from docker2aci.
opened #121 for authentication - I'm about to make other PRs to fix up Registry v2 support
from docker2aci.
After #99 and #121 this can be closed.
from docker2aci.