distribution / distribution-library-image


Docker registry with native basic auth not working #106

Open maxsuelmarinho opened 4 years ago

maxsuelmarinho commented 4 years ago

Hi guys

I have been trying to get docker registry with native basic authentication working with the new image tag (2.7.1) without success. Doc -> https://docs.docker.com/registry/deploying/#native-basic-auth

Specifically when I execute this command:

$ docker run --entrypoint htpasswd registry:2 -Bbn testuser testpassword > auth/htpasswd

This is the error I get:

docker: Error response from daemon: OCI runtime create failed: container_linux.go:349: starting container process caused "exec: \"htpasswd\": executable file not found in $PATH": unknown.
ERRO[0001] error waiting for container: context canceled

Investigating a little further, it seems that "htpasswd" was removed in the image tag 2.7.1.

$ docker run -it --rm registry:2.7.1 find / -name "htpasswd"

Although, looking in the previous version (tag 2.6.2) the file is there:

$ docker run -it --rm registry:2.6.2 find / -name "htpasswd"
/usr/bin/htpasswd

And the initial command works as expected as well:

$ docker run --entrypoint htpasswd registry:2.6.2 -Bbn testuser testpassword
testuser:$2y$05$KiRgtd4w8zO7ucC7LX8zguW58DBlm8E0yZ5gI64NXypIVtsosNvMu

avelytchko commented 4 years ago

As I can see, it has been removed from the container in this commit due to CVE-2020-1927 and CVE-2020-1934.

edsantiago commented 4 years ago

This is a regression, and is inconsistent with published documentation. It breaks CI processes which rely on the --entrypoint htpasswd behavior (still) documented in docs.docker.com. If that is to be deprecated, it would be courteous to (1) indicate so in the documentation, and (2) offer a grace period. Please consider both.

chanseokoh commented 4 years ago

We are affected. We'd like to see a resolution (whatever it is) and correct docs. Also a migration path if htpasswd is going to be permanently removed.

anonymouse64 commented 4 years ago

If the decision is to not support htpasswd in the container, then there needs to be a docs change on the website: https://docs.docker.com/registry/deploying/#native-basic-auth

dejo1307 commented 4 years ago

This broke a lot of everyone's automation, and it is a problem fixing it without at least the docs being updated, since no one is 100% sure what the fix is going to be.

warrenc5 commented 3 years ago

Can someone say why I can't use Apache htpasswd or htdigest from apache-utils?

Is it bcrypt? Is something different? I did a small test but apache2-utils@2.4.25-3+deb9u9 didn't work.

skandyla commented 3 years ago

> Can someone say why I can't use Apache htpasswd or htdigest from apache-utils? Is it bcrypt? Is something different? I did a small test but apache2-utils@2.4.25-3+deb9u9 didn't work.

You can use any external htpasswd util or install it inside the registry container. But registry:2 requires the use of htpasswd bcrypt, so you should create htpasswd like this:

htpasswd -B [FILE] [USER]
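
The bcrypt requirement from the last reply can be checked before an htpasswd file is mounted into the registry. This is an added example, not part of the thread or the project's code: the function name `check_htpasswd` and the `legacy` sample entry are constructed for illustration, and accepting `$2a$`/`$2b$` alongside the `$2y$` prefix shown in the issue is an assumption.

```bash
#!/usr/bin/env bash
# Added example: audit an htpasswd file generated outside the registry image.
# Prints "user<TAB>scheme" per entry; returns 1 if any entry is not bcrypt.
check_htpasswd() {
    local file="$1" rc=0 user hash scheme
    while IFS=: read -r user hash || [ -n "$user" ]; do
        # Skip blank lines and comments.
        case $user in ''|'#'*) continue ;; esac
        case $hash in
            # Assumption: $2a$/$2b$ are treated like the $2y$ that htpasswd -B emits.
            '$2y$'*|'$2a$'*|'$2b$'*)
                # Full bcrypt shape: 2-digit cost, then 53 chars of salt+digest.
                if printf '%s' "$hash" |
                    grep -Eq '^\$2[aby]\$[0-9]{2}\$[./A-Za-z0-9]{53}$'; then
                    scheme=bcrypt
                else
                    scheme=malformed-bcrypt; rc=1
                fi ;;
            '$apr1$'*) scheme=apr1-md5; rc=1 ;;   # htpasswd default (-m)
            '{SHA}'*)  scheme=sha1;     rc=1 ;;   # htpasswd -s
            *)         scheme=unknown;  rc=1 ;;
        esac
        printf '%s\t%s\n' "$user" "$scheme"
    done < "$file"
    return $rc
}

# Constructed sample: the testuser line is the output shown in the issue,
# the "legacy" line is a made-up non-bcrypt entry.
sample=$(mktemp)
cat > "$sample" <<'EOF'
testuser:$2y$05$KiRgtd4w8zO7ucC7LX8zguW58DBlm8E0yZ5gI64NXypIVtsosNvMu
legacy:$apr1$constructed$notarealdigest
EOF
check_htpasswd "$sample" ||
    echo "non-bcrypt entries present; regenerate them with htpasswd -B" >&2
rm -f "$sample"
```

Running the function in CI before the registry container starts turns a wrongly generated credentials file into a failed build rather than failed logins.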