mkuchin / docker-registry-web

Web UI for private docker registry v2
https://hub.docker.com/r/hyper/docker-registry-web/
GNU General Public License v2.0

Cannot connect to repository #61

Closed Kemyke closed 8 years ago

Kemyke commented 8 years ago

I use docker_auth and token based authentication. I configure the registry-web to use the same key file and name and issuer as the registry. But it keeps getting 401 from the registry.

In the registry log I found this:

```
time="2016-09-09T14:58:29Z" level=error msg="token intended for another audience: \"myrepo.example.com:5000\""
time="2016-09-09T14:58:29Z" level=warning msg="error authorizing context: invalid token" go.version=go1.6.3 http.request.host="myrepo.example.com:5000" http.request.id=0eef0fea-0c43-4975-b9a5-3f8a020c857c http.request.method=GET http.request.remoteaddr="52.169.93.153:43014" http.request.uri="/v2/_catalog?n=100" http.request.useragent="Java/1.7.0_101" instance.id=b96e1fa4-9d50-49d3-ba1a-dda5b4a4d235 version=v2.5.0
52.169.93.153 - - [09/Sep/2016:14:58:29 +0000] "GET /v2/_catalog?n=100 HTTP/1.1" 401 134 "" "Java/1.7.0_101"
```

Do you have any idea which config I should check? My repo is up and running, I can log in and pull packages from it. I checked the repo name, key file and the issuer. Everything seems OK to me.

My registry-web.yml:

```yaml
registry:
  # Docker registry url
  url: https://myrepo.example.com:5000/v2
  # Docker registry fqdn
  name: myrepo.example.com:5000
  # To allow image delete, should be false
  readonly: true
  auth:
    # Enable authentication
    enabled: true
    # Token issuer
    # should equals to auth.token.issuer of docker registry
    issuer: 'Auth Service'
    # Private key for token signing
    # certificate used on auth.token.rootcertbundle should signed by this key
    key: /certs/myrepoexamplecom.key
```

My docker_auth_config.yml:

```yaml
server:
  addr: ":5001"
  certificate: "/config/myrepoexamplecom.crt"
  key: "/config/myrepoexamplecom.key"

token:
  issuer: "Auth Service"  # Must match issuer in the Registry config.
  expiration: 900
```

And I start the registry like this:

```sh
docker run -d -p 5000:5000 \
  --restart=always \
  -v `pwd`/certs:/certs \
  -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/myrepoexamplecom.crt \
  -e REGISTRY_HTTP_TLS_KEY=/certs/myrepoexamplecom.key \
  -e REGISTRY_AUTH=token \
  -e REGISTRY_AUTH_TOKEN_REALM=https://myrepo.example.com:5001/auth \
  -e REGISTRY_AUTH_TOKEN_SERVICE="Docker registry" \
  -e REGISTRY_AUTH_TOKEN_ISSUER="Auth Service" \
  -e REGISTRY_AUTH_TOKEN_ROOTCERTBUNDLE=/certs/myrepoexamplecom.crt \
  --name=registry \
  registry:2
```

Kemyke commented 8 years ago

OK, I got it. It should match the auth.token.service value. I think you should update the comment.
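A diagnostic for the mismatch resolved above, added here as an example and not part of docker-registry-web or of the original thread: it reads a token's `iss` and `aud` claims and compares them with the registry's `auth.token.issuer` and `auth.token.service`. The function names and the unsigned sample token are constructed for illustration; the values come from the configuration posted in this issue.

```python
import base64
import json

REGISTRY_ISSUER = "Auth Service"      # REGISTRY_AUTH_TOKEN_ISSUER from the issue
REGISTRY_SERVICE = "Docker registry"  # REGISTRY_AUTH_TOKEN_SERVICE from the issue

def b64url_decode(part: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def read_claims(token: str) -> dict:
    """Return the claim set WITHOUT verifying the signature (diagnosis only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    return json.loads(b64url_decode(parts[1]))

def check_token(token: str, issuer: str, service: str) -> list:
    """List the ways the token disagrees with the registry's token settings."""
    claims = read_claims(token)
    problems = []
    if claims.get("iss") != issuer:
        problems.append(
            f"issuer mismatch: token has {claims.get('iss')!r}, registry expects {issuer!r}")
    aud = claims.get("aud")
    # RFC 7519 allows "aud" to be a single string or a list of strings.
    audiences = aud if isinstance(aud, list) else [aud]
    if service not in audiences:
        problems.append(
            f"token intended for another audience: {aud!r}, registry expects {service!r}")
    return problems

def make_sample_token(issuer: str, audience: str) -> str:
    # Constructed sample: placeholder signature, usable only to exercise the checks.
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    header = enc({"alg": "RS256", "typ": "JWT"})
    payload = enc({"iss": issuer, "aud": audience})
    return f"{header}.{payload}.c2ln"

if __name__ == "__main__":
    # Audience taken from the registry error log in this issue.
    token = make_sample_token("Auth Service", "myrepo.example.com:5000")
    for problem in check_token(token, REGISTRY_ISSUER, REGISTRY_SERVICE):
        print(problem)
```

Because the signature is not checked, this is only for finding configuration mismatches, never for deciding whether to trust a token.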