Closed raz3k closed 5 years ago
@raz3k thanks for the issue report, and this may be due to a lack of tea this morning, but I'm a little unclear on when you're hitting the issue. If I follow your three reproducers, will I hit the issue? I'm having a hard time parsing "GET requests are let through and POST and others are behind username/password".
If by chance you have time, could you install podman, try `podman login`, enter in your creds and then retry your commands but dropping the --creds option. If you don't have time for that, no worries.
Hello,
I am using this nginx location /v2/ configuration for proxying, sorry about not giving full details:
```nginx
limit_except GET {
    auth_basic $auth_type;
    auth_basic_user_file /etc/nginx/.htpasswd;
}
```

```
podman login http://registry.local
Username: user
Password:
Login Succeeded!
buildah push test docker://registry.local/test:0.1
Getting image source signatures
Copying blob sha256:5f70bf18a086007016e948b04aed3b82103a36bea41755b6cddfaf10ace3c6ef
8 B / 1.00 KiB [>----------------------------------------------------------] 0s
unauthorized: authentication required
```
Here is my full nginx config.
I wanted to be able to pull without a password and push with a password.
```nginx
events {
    worker_connections 1024;
}
http {
    map $upstream_http_docker_distribution_api_version $docker_distribution_api_version {
        '' 'registry/2.0';
    }
    upstream registry.local-docker {
        server 127.0.0.1:5001;
    }
    server {
        listen 80;
        server_name registry.local;
        client_max_body_size 0;
        chunked_transfer_encoding on;
        location = /v2/ {
            if ($http_user_agent ~ "^(docker\/1\.(3|4|5(?!\.[0-9]-dev))|Go ).*$" ) {
                return 404;
            }
            limit_except GET HEAD {
                auth_basic "some_org Restricted Area";
                auth_basic_user_file /etc/nginx/.htpasswd;
            }
            add_header 'Docker-Distribution-Api-Version' $docker_distribution_api_version always;
            proxy_pass http://registry.local-docker;
            proxy_set_header Host $http_host;
            proxy_read_timeout 900;
        }
        location ~ "/v2/.+?" {
            if ($http_user_agent ~ "^(docker\/1\.(3|4|5(?!\.[0-9]-dev))|Go ).*$" ) {
                return 404;
            }
            limit_except GET HEAD {
                auth_basic "some_org Restricted Area";
                auth_basic_user_file /etc/nginx/.htpasswd;
            }
            add_header 'Docker-Distribution-Api-Version' $docker_distribution_api_version always;
            proxy_pass http://registry.local-docker;
            proxy_set_header Host $http_host;
            proxy_read_timeout 900;
        }
    }
}
```
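An added example, not part of the thread or of either project's code: a probe that records, for each HTTP method on `/v2/`, the status and any `WWW-Authenticate` challenge, with and without credentials. The in-process server is a constructed stand-in for the `limit_except GET HEAD` policy in the config above; `probe`, `start_stand_in` and the credentials are hypothetical, and `probe` can be pointed at the real proxy's base URL instead.

```python
import base64, hmac, threading, urllib.error, urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

USER, PASSWORD = "user", "example-password"  # constructed credentials
CHALLENGE = 'Basic realm="some_org Restricted Area"'
METHODS = ("GET", "HEAD", "POST", "PUT", "PATCH", "DELETE")

def basic(user, password):
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

class LimitExceptStandIn(BaseHTTPRequestHandler):
    """Constructed stand-in for `limit_except GET HEAD { auth_basic ... }`."""
    def _handle(self):
        sent = self.headers.get("Authorization", "").encode()
        ok = hmac.compare_digest(sent, basic(USER, PASSWORD).encode())
        if self.command in ("GET", "HEAD") or ok:
            self.send_response(200)
        else:  # every other method gets the Basic challenge
            self.send_response(401)
            self.send_header("WWW-Authenticate", CHALLENGE)
        self.send_header("Content-Length", "0")
        self.end_headers()
    do_GET = do_HEAD = do_POST = do_PUT = do_PATCH = do_DELETE = _handle
    def log_message(self, *args): pass  # silence per-request logging

def start_stand_in():
    server = HTTPServer(("127.0.0.1", 0), LimitExceptStandIn)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_port}"

def probe(base_url, creds=None, methods=METHODS):
    """Return {method: (status, WWW-Authenticate or None)} for base_url/v2/."""
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    headers = {"Authorization": basic(*creds)} if creds else {}
    results = {}
    for method in methods:
        req = urllib.request.Request(base_url + "/v2/", headers=headers, method=method)
        try:
            with opener.open(req, timeout=5) as resp:
                results[method] = (resp.status, resp.headers.get("WWW-Authenticate"))
        except urllib.error.HTTPError as err:
            results[method] = (err.code, err.headers.get("WWW-Authenticate"))
    return results

if __name__ == "__main__":
    server, url = start_stand_in()
    for creds in (None, (USER, PASSWORD)):
        print("anonymous" if creds is None else "with creds", probe(url, creds))
    server.shutdown()
```

Against this policy an anonymous `GET /v2/` returns 200 with no challenge header, so the Basic challenge is only visible on the non-GET/HEAD methods.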
@raz3k Thanks for sending along that information. I've been trying to replicate your setup but without luck so far. More questions for you:
1) Can you try running this test with the absolute latest/greatest Buildah? I know there's been some tweaks in the auth code recently there that might have helped this, but I'm doubtful to be honest. But if you've the time to upgrade to 1.6-dev, that would be a good data point.
2) I suspect the issue is the registry doesn't know about your nginx proxy setup and/or `podman login` and the underlying Buildah authentication code doesn't know about it. Can you tell me the commands you've used to set up and run your registry? FWIW, I've been using https://github.com/containers/buildah/blob/master/tests/test_buildah_authentication.sh to set up a registry server but without nginx layered in.
3) Part of the reason I'm asking about how the registry was set up is seeing `podman login` working with http:// in the address. Regardless you can just stick with the --creds command going forward until we can figure out what's what.
Thanks!
Closing because of lack of response. Please open if you want us to continue to work on this issue.
Description
Steps to reproduce the issue:
This is happening when only GET requests are let through and POST and others are behind user/password.
Describe the results you received:

```
Getting image source signatures
Copying blob sha256:5f70bf18a086007016e948b04aed3b82103a36bea41755b6cddfaf10ace3c6ef
8 B / 1.00 KiB [>----------------------------------------------------------] 0s
unauthorized: authentication required
```

Describe the results you expected:

```
Getting image source signatures
Copying blob sha256:5f70bf18a086007016e948b04aed3b82103a36bea41755b6cddfaf10ace3c6ef
1.00 KiB / 1.00 KiB [======================================================] 0s
Copying config sha256:5eb895f64387e15e25dd7f199dd7782747ceba3f26fcb72bcff817d9603313a4
263 B / 263 B [============================================================] 0s
Writing manifest to image destination
Copying config sha256:5eb895f64387e15e25dd7f199dd7782747ceba3f26fcb72bcff817d9603313a4
0 B / 263 B [--------------------------------------------------------------] 0s
Writing manifest to image destination
Storing signatures
Successfully pushed //registry.local/test:0.1@sha256:b0d5c067f7b5ee463c3687ee6d5d47a28b6c227402cd067e8a57f01675d241e2
```
Output of `rpm -q buildah` or `apt list buildah`:

Output of `buildah version`:

Output of `cat /etc/release`:

Output of `uname -a`:

Output of `cat /etc/containers/storage.conf`: