Open AndreSteenveld opened 3 years ago
Several days; I figured a part of this out. Because the registry is running in separate container with its own IP number we need to white-list it in the configuration of the daemon. Just adding the name or 0.0.0.0:5000
isn't enough but fortunately it is possible to specify ranges (link to the relevant docs). I've added "172.0.0.0/8"
and the response from the registry changed (I later changed "172.0.0.0/8"
to "0.0.0.0/0"
, for the sake of this ticket please don't make me point out the fact that this allows insecure registries from ANY ip)
The DNS issue persisted so I just used nslookup
to figure out the IP of my registry (described above); The output was now:
root@d420f8b401f1:/tmp/context# docker login http://172.17.0.2:5000
Username: docker
Password:
Error response from daemon: Get http://172.17.0.2:5000/v2/: Get silly-realm?account=docker&client_id=docker&offline_token=true&service=silly-service: unsupported protocol scheme ""
root@d420f8b401f1:/tmp/context#
Continuing to dig on this issue, after taking a good long hard look at the registry documentation it seems possible to leave out the entire auth
section. Doing this, in combination with a whitelisting every IP as an insecure registry allows you to login using the IP number:
root@d7a4b1675c3f:/tmp/context# docker login http://172.17.0.2:5000
Username: docker
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
root@d7a4b1675c3f:/tmp/context#
The registry config now looks like this:
version: 0.1
log:
fields:
service: registry
storage:
cache:
blobdescriptor: inmemory
filesystem:
rootdirectory: /var/lib/registry
http:
addr: 0.0.0.0:5000
headers:
X-Content-Type-Options: [nosniff]
# auth:
# htpasswd:
# realm: basic-realm
# path: /etc/registry
# silly:
# realm: registry
# service: registry
health:
storagedriver:
enabled: true
interval: 10s
threshold: 3
Now, about a week later I've resolved all issues I initially set out in the first post. In doing so I've figured out that the issues were not so much bugs but more "unexpected" although mostly implied in the documentation. A documented and working implementation can be found here. I've summarized the things I ran into below;
The URL for the repository is relative to the docker daemon, not the environment where you're working with the client - It took me a while to realize this but obviously it makes sense. I think this wouldn't be much of an issue if you're not trying to do an air-gapped deployment where all you have is just the machine with the docker daemon running.
Registry security - Although not recommended it is perfectly fine to run a unsecured registry, the weird thing here was that even for unsecured a username/password combination has to be provided to docker login
. I think a --no-credentials
flag would be appropriate here and signal intent to login to a unsecured registry more than just providing bogus credentials. I never got the silly
mechanism to work which would've been my first goto for a quick and simple registry. Also for, "just an experiment" I couldn't be bothered generating some certificates and configuring htpasswd
as a mechanism.
A default registry - There is no way around the fact that docker.io
is the default registry. Although I understand the lock-in it is just annoying when doing an air-gapped deployment. It is also something I didn't expect initially, my thinking here was "logging in to a registry makes it the first one you'd look for an image" which is not true by any measure. Using docker-compose
it was pretty straight forward to work around by introducing a environment variable prefixing the image; "image": "${REGISTRY:-docker.io/}dockprom/alertmanager:0.21.0"
If anything I hope this will help someone else in the future when experimenting with rolling their own registries.
-- Andre
Description
Logging in to a local running registry fails in some cases.
Steps to reproduce
To create the minimal reproduction case that looks like what I am trying to achieve I've created a small repository which can be found here: https://github.com/AndreSteenveld/docker-login-bugreport. I am running this on Hyper-V machine using Debian 10, more details on that in the "Additional environment details" section.
docker-compose run --rm registry-builder bash --login
docker login
to login to the registry which was also started to do this I rundocker login --username docker --password docker http://bootstrap-registry:5000
silly
authentication but it fails with the message:Given that this looks like the name
bootstrap-registry
can't be found I wanted to validate that withnslookup
. Which gave me the following output:docker login --username docker --password docker http://172.19.0.2:5000
. This gives me a TLS errorTo validate that the DNS lookup in
docker login
is the failing I usedcurl
to get a list of images from the registry:Also just pushing an image to the registry by tagging it with the host name or IP fails for the same reasons (failing the DNS lookup and expecting a https connection) tagging it with the IP of the registry, seems to work fine. Using the name also results in a lookup error:
What were my expectations
Logging in using
docker login
should work this as the following sequence does work (in a terminal on the host):docker version
anddocker info
The output of
docker version
anddocker info
were taken from inside the container, I did start another instance as I initially forgot to do this:The output of running
uname -a
on the host machine, which is a Hyper-V virtual machine with a samba client to access the C drive:I've tried adding the names of the containers as "Insecure registries" so my
/etc/docker/daemon.json
looks like this:Summarized
docker login
doesn't correctly lookup urlsdocker login
uses HTTPS even if the URL explicitly specifies HTTP