docker-archive / docker-registry

This is **DEPRECATED**! Please go to https://github.com/docker/distribution
Apache License 2.0

Pass through authentication not working (/v1/users = 404?) #624

Closed danzy closed 9 years ago

danzy commented 9 years ago

Hi,

I've set up a docker registry (in AWS). The intention was to have authentication be verified by index.docker.io (my interpretation of the documentation means that I should set STANDALONE = False and INDEX_ENDPOINT = https://index.docker.io to achieve this).

However, when trying to login to my docker registry with my index.docker.io credentials, I receive an error response from daemon, but the actual error is blank:

```
$ docker login <url>
Username: danzy
Password: 
Email: <email address>
2014/10/10 13:28:28 Error response from daemon: 
```

Looking at the logs on the instance, the only error I can find is the fact that /v1/users doesn't exist (as it returns a 404).

```
10.0.47.86 - - [09/Oct/2014:02:28:28 +0000] "GET /v1/_ping HTTP/1.1" 200 4 "-" "Go 1.1 package http"
10.0.47.86 - - [09/Oct/2014:02:28:28 +0000] "POST /v1/users/ HTTP/1.1" 404 233 "-" "Go 1.1 package http"
```

I've looked at other issues, and it appears that /v1/users doesn't get mounted unless STANDALONE = true. But, setting that to true means it's acting as a standalone registry, and login details aren't verified against index.docker.io, as you can see here (after I changed STANDALONE to true and restarted):

```
$ docker login <url>
Username: danzy
Password: <intentionally incorrect password>
Email: <email address>
Account created. Please see the documentation of the registry http://docker.blinkm.co/v1/ for instructions how to activate it.
```

I'm using Elastic Beanstalk, which is designed to grab the latest registry image and run it, using a combination of environment variables and values in config.yml to set it all up correctly.

If it helps, here's the common snippet from my config.yml:

```yaml
common: &common
    issue: '"docker-registry server"'
    # Default log level is info
    loglevel: _env:LOGLEVEL:debug
    # Enable debugging (additional informations in the output of the _ping endpoint)
    debug: _env:DEBUG:true
    # By default, the registry acts standalone (eg: doesn't query the index)
    standalone: _env:STANDALONE:false
    # The default endpoint to use (if NOT standalone) is index.docker.io
    index_endpoint: _env:INDEX_ENDPOINT:https://index.docker.io
    # Storage redirect is disabled
    storage_redirect: _env:STORAGE_REDIRECT
    # Token auth is enabled (if NOT standalone)
    disable_token_auth: _env:DISABLE_TOKEN_AUTH:false
    # No priv key
    privileged_key: _env:PRIVILEGED_KEY
    # No search backend
    search_backend: _env:SEARCH_BACKEND
    # SQLite search backend
    sqlalchemy_index_database: _env:SQLALCHEMY_INDEX_DATABASE:sqlite:////tmp/docker-registry.db

    # Mirroring is enabled
    mirroring:
        source: https://registry-1.docker.io
        source_index: https://index.docker.io
        tags_cache_ttl: 172800  # seconds
```

So, am I doing something wrong, or have I misinterpreted the documentation (and it's not possible to have logins verified by index.docker.io)? Any help would be greatly appreciated!

Thanks!
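An added example, not part of the original issue and not docker-registry's own code: because the deployment above mixes environment variables with `config.yml` defaults, this sketch resolves the `_env:NAME:default` placeholders from the posted snippet and maps the resulting `standalone` value to the login behaviour reported in the issue. The resolution rule (a set environment variable wins, otherwise the text after the second colon is the default) is an assumption drawn from the snippet's convention, and `resolve`, `as_bool` and `effective` are hypothetical names.

```python
# Added example: resolves the `_env:NAME:default` placeholders seen in the
# posted config.yml. The resolution rule is an assumption modelled on that
# snippet, not docker-registry's own code.

# Constructed copy of the relevant settings from the posted config.yml.
COMMON = {
    "standalone": "_env:STANDALONE:false",
    "index_endpoint": "_env:INDEX_ENDPOINT:https://index.docker.io",
    "disable_token_auth": "_env:DISABLE_TOKEN_AUTH:false",
    "privileged_key": "_env:PRIVILEGED_KEY",
    "sqlalchemy_index_database":
        "_env:SQLALCHEMY_INDEX_DATABASE:sqlite:////tmp/docker-registry.db",
}


def resolve(value, environ):
    """Return the env value if set, else the inline default (None if absent)."""
    if not (isinstance(value, str) and value.startswith("_env:")):
        return value
    # maxsplit=2 keeps colons inside the default (URLs, sqlite:////...) intact.
    parts = value.split(":", 2)
    default = parts[2] if len(parts) == 3 else None
    return environ.get(parts[1], default)


def as_bool(value):
    """Interpret 'False', 'false', 'true', ... as a boolean; None is False."""
    return str(value).strip().lower() in ("true", "yes", "on", "1")


def effective(config, environ):
    """Resolve every setting, then describe login as reported in the issue."""
    resolved = {k: resolve(v, environ) for k, v in config.items()}
    standalone = as_bool(resolved["standalone"])
    return {
        "resolved": resolved,
        "standalone": standalone,
        # Per the issue: /v1/users only appears to be mounted when standalone.
        "users_endpoint_mounted": standalone,
        # Per the issue: a wrong password still produced "Account created".
        "login_outcome": ("accepted without checking index.docker.io"
                          if standalone else "POST /v1/users/ returns 404"),
    }


if __name__ == "__main__":
    import os
    for key, val in effective(COMMON, os.environ)["resolved"].items():
        print(f"{key} = {val!r}")
```

Running it inside the container's environment shows which values the process would actually see, which is the first thing to check when an Elastic Beanstalk variable may be overriding the file.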

danzy commented 9 years ago

@jokeyrhyme @coaic @benbarclay @ashishtilara

ncdc commented 9 years ago

AFAIK this isn't possible the way things are currently coded in Docker and the Registry.

danzy commented 9 years ago

Thanks for the response!

I just had a clarifying question though, what's the purpose of that index_endpoint setting?

ncdc commented 9 years ago

That's so you can have the registry communicate with a custom index, if you have one. When you issue push/pull commands, they would be against your index, and your index would be responsible for informing the Docker CLI/daemon about your registry, but that is all behind the scenes.

jokeyrhyme commented 9 years ago

Thanks, @ncdc. In addition to needing to store private images on machines under our control (data sovereignty), it is also our desire to limit Docker transactions to a local mirror for performance reasons. We're experiencing poor docker pull performance from Sydney, Australia, poor enough that the 3rd party build / host service we are using is timing out.

How should we go about configuring our local Docker clients to use the public registry for authentication, but download images only from our mirror (running docker-registry)? Is there a way to host private images on our own mirror only (protected by authentication), without paying for an otherwise unused subscription on the public registry?

dmp42 commented 9 years ago

@jokeyrhyme @danzy That kind of scenario is not supported (at all, or correctly, or in a simple way) by the current protocol.

This is one of the reasons we are going with a V2.

Your voice and use cases are welcome since we are in the design phase.

All currently open discussions are there: https://github.com/docker/docker-registry/issues?q=is%3Aopen+is%3Aissue+label%3ANext-generation

bfleming-ciena commented 9 years ago

If I run it as: `docker run -p 5000:5000 -e GUNICORN_OPTS=[--preload] registry`

How do I log in? I'm being prompted for a password. I'm obviously not understanding something. I was not expecting to be asked for a password. I thought I needed to do my own authentication if I wanted to.

Thanks for your help.