
Comments (13)

cgonyeo commented on September 26, 2024

I've spent a lot of time trying to work on this, but I've ended up getting stuck on auth in the new API. I'm going to write down my current state and issue, and hopefully someone else can tell me where things are going wrong.

Any requests I make against the v2 registry at registry-1.docker.io return a 401 Unauthorized, which is expected. It sets the www-authenticate header to something like:

Www-Authenticate: Bearer realm="https://auth.docker.io/token",service="registry.docker.io",scope="repository:centos:pull"

According to the docs that describe the auth process, after getting this 401 error the client should go get an auth token based on that header. This just requires making a GET request against the realm specified, with the get parameters service and scope set to the values from the header.

curl -v "https://auth.docker.io/token?service=registry.docker.io&scope=repository:coreos:pull"

That results in a token being returned (what the token contains is documented here). There are 3 sections, separated by a ., and the second one is a base64 encoded json blob, in which it'll describe what things the token is good for accessing.

Every token I've gotten has had the access array in that 2nd section empty, which means it doesn't have permission to access anything, and using it just results in more 401 Unauthorized responses with identical www-authenticate headers set.

from docker2aci.
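The challenge-to-token flow described in the comment above, as an added example that is not part of the original thread or of docker2aci's code. The names `TokenURL` and `GrantedAccess`, the https-only realm check and the sample token are assumptions made for illustration.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// Access is one entry of the token's "access" claim.
type Access struct {
	Type, Name string
	Actions    []string
}
var paramRE = regexp.MustCompile(`(\w+)="([^"]*)"`) // key="value" pairs

// TokenURL builds the token request URL from a Bearer challenge header value.
func TokenURL(challenge string) (string, error) {
	p := map[string]string{}
	for _, m := range paramRE.FindAllStringSubmatch(challenge, -1) {
		p[m[1]] = m[2]
	}
	u, err := url.Parse(p["realm"]) // assumption: only follow https realms
	if err != nil || u.Scheme != "https" || !strings.HasPrefix(challenge, "Bearer ") {
		return "", fmt.Errorf("unusable challenge %q", challenge)
	}
	u.RawQuery = url.Values{"service": {p["service"]}, "scope": {p["scope"]}}.Encode()
	return u.String(), nil
}

// GrantedAccess decodes section 2 WITHOUT verifying the signature (debug aid only).
func GrantedAccess(token string) ([]Access, error) {
	var claims struct{ Access []Access }
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("want 3 sections, got %d", len(parts))
	}
	raw, err := base64.RawURLEncoding.DecodeString(strings.TrimRight(parts[1], "="))
	if err == nil {
		err = json.Unmarshal(raw, &claims)
	}
	return claims.Access, err
}

func main() {
	fmt.Println(TokenURL(`Bearer realm="https://auth.docker.io/token",service="registry.docker.io",scope="repository:centos:pull"`))
	fmt.Println(GrantedAccess("e30." + base64.RawURLEncoding.EncodeToString([]byte(`{"access":[]}`)) + ".sig")) // constructed token
}
```

An empty slice from `GrantedAccess` corresponds to the empty access array described in the comment: the token was issued but grants nothing for the requested scope.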

stevenschlansker commented on September 26, 2024

Two things to consider -- one big use case is unauthenticated private registries, for which the authentication is not relevant. So maybe that part can be finished first, independent of public registry support.
Second, maybe this is a good question to post to either the docker/distribution repo or the mailing lists?

from docker2aci.

cgonyeo commented on September 26, 2024

Are you aware of an unauthenticated registry I could test this against? I'm pretty sure I could get this working without too much trouble if the auth was irrelevant.

I guess I'll send something to one of the mailing lists, hopefully someone will know what's up.

from docker2aci.

stevenschlansker commented on September 26, 2024

I'm not aware of any publicly accessible ones, but running a test instance locally is nearly trivial

from docker2aci.

jonboulle commented on September 26, 2024

@dgonyeo have you tried actually passing basic auth credentials..?

On Wed, Nov 4, 2015 at 9:21 PM Derek Gonyeo wrote:

I've spent a lot of time trying to work on this, but I've ended up getting
stuck on auth in the new API. I'm going to write down my current state and
issue, and hopefully someone else can tell me where things are going wrong.

Any requests I make against the v2 registry at registry-1.docker.io
return a 401 Unauthorized, which is expected. It sets the www-authenticate
header to something like:

Www-Authenticate: Bearer realm="https://auth.docker.io/token",service="registry.docker.io",scope="repository:centos:pull"

According to the docs https://docs.docker.com/registry/spec/auth/token/
that describe the auth process, after getting this 401 error the client
should go get an auth token based on that header. This just requires making
a GET request against the realm specified, with the get parameters service
and scope set to the values from the header.

curl -v "https://auth.docker.io/token?service=registry.docker.io&scope=repository:coreos:pull"

That results in a token being returned (what the token contains is
documented here https://docs.docker.com/registry/spec/auth/jwt/). There
are 3 sections, separated by a ., and the second one is a base64 encoded
json blob, in which it'll describe what things the token is good for
accessing.

Every token I've gotten has had the access array in that 2nd section
empty, which means it doesn't have permission to access anything, and using
it just results in more 401 Unauthorized responses with identical
www-authenticate headers set.



from docker2aci.

cgonyeo commented on September 26, 2024

Pretty sure I did, but I'll double check that again when I get to the office. I don't believe we should need creds though for the public docker hub.


from docker2aci.

cgonyeo commented on September 26, 2024

Well I now have docker2aci supporting the v2 api, and even better it's able to gracefully drop back to the v1 api if the v2 api isn't supported. Still doesn't support auth though, so after I spend some time making the v2 code less messy I'll take another shot at figuring that out.

from docker2aci.

jonboulle commented on September 26, 2024

nice! Do you want to put up a preliminary PR for v2-sans-auth?

from docker2aci.

runcom commented on September 26, 2024

I'm working on adding authentication support for v2 registries (if anybody is doing it right now)

from docker2aci.

cgonyeo commented on September 26, 2024

Oh hey, this issue probably should've been closed when #99 was merged. I would've expected that PR to support authentication, but I can't remember if I tested it or not.

If you're interested in adding authentication support, please check that it's not already supported, and if it's not then thanks for the help!

from docker2aci.

runcom commented on September 26, 2024

from my tests:

auth against private registries with basic authentication isn't supported
auth against Public docker registry with private repository isn't supported
insecure registries wrongly try endpoints w/o disabling tls in the client
layers aren't fixed before download

I'm making a PR to address the points above

from docker2aci.

runcom commented on September 26, 2024

opened #121 for authentication - I'm about to make other PRs to fix up Registry v2 support

from docker2aci.

iaguis commented on September 26, 2024

After #99 and #121 this can be closed.

from docker2aci.
