Closed jimklo closed 6 years ago
Hello,
Let me explain how paclair works. When you want to push or analyse a Docker image, we first try to find which registry stores this particular image: Docker Hub or a personal one. For a personal registry, you can provide additional configuration like authentication, certificate, ...
Here is an example:

```yaml
General:
  clair_url: 'https://localhost:6060'
  verify: "/etc/ssl/certs/my_custom_ca.crt"
Plugins:
  Docker:
    class: paclair.plugins.docker_plugin.DockerPlugin
    registries:
      registry.gitlab.domain.com:
        auth:
          - login
          - password
        verify: "/etc/ssl/certs/ca-certificates.crt"
```
If I try to analyse an image stored on that registry (ex: registry.gitlab.domain.com/yebinama/ubuntu:latest), paclair will use the login and password provided in the configuration file.
The other parameters are for specific cases (like multiple registries on the same Artifactory), but let's try with this basic configuration for now. Moreover, the app shouldn't try to reach the public Docker Hub; could you give me an example and the logs?
@yebinama,
Okay that makes some sense, altered my config accordingly, however I am seemingly still having an error.
Here's the command I'm using:

```
paclair --debug --conf paclair_conf.yml Docker ipoet-docker-all.cse.sri.com/rhel-sfweb:0.3.9 push
```

Here's my config with credentials removed:

```yaml
General:
  clair_url: 'https://localhost:6060'
Plugins:
  Docker:
    class: paclair.plugins.docker_plugin.DockerPlugin
    registries:
      ipoet-docker.cse.sri.com:
        auth:
          - "<ARTIFACTORY_USERNAME>"
          - "<ARTIFACTORY_APIKEY or ENCRYPTED_PASSWORD>"
      ipoet-docker-all.cse.sri.com:
        auth:
          - "<ARTIFACTORY_USERNAME>"
          - "<ARTIFACTORY_APIKEY or ENCRYPTED_PASSWORD>"
```
This is the error I get from paclair:

```
Reading section Plugins in file paclair_conf.yml
Reading section General in file paclair_conf.yml
Reading plugin Docker
Configuration {'class': 'paclair.plugins.docker_plugin.DockerPlugin', 'registries': {'ipoet-docker.cse.sri.com': {'auth': ['******', '**************************************']}, 'ipoet-docker-all.cse.sri.com': {'auth': ['******', '**************************************']}}}
INITCLASS:DOMAIN:ipoet-docker.cse.sri.com
INITCLASS:API_PREFIX:
INITCLASS:API_PROTOCOL:https
INITCLASS:API_VERIFY:True
INITCLASS:TOKEN_URL:None
INITCLASS:DOMAIN:ipoet-docker-all.cse.sri.com
INITCLASS:API_PREFIX:
INITCLASS:API_PROTOCOL:https
INITCLASS:API_VERIFY:True
INITCLASS:TOKEN_URL:None
INITCLASS:DOMAIN:registry.hub.docker.com
INITCLASS:API_PREFIX:
INITCLASS:API_PROTOCOL:https
INITCLASS:API_VERIFY:True
INITCLASS:TOKEN_URL:None
Push ipoet-docker-all.cse.sri.com/rhel-sfweb:0.3.9 with plugin Docker
INITCLASS:NAMEIMAGE:rhel-sfweb
INITCLASS:TAG:0.3.9
INITCLASS:REPOSITORY:
Creating ancestry
REQUEST_BASE_API_URL_FOR_TOKEN_ENDPOINT:URL:https://ipoet-docker-all.cse.sri.com/v2/
Starting new HTTPS connection (1): ipoet-docker-all.cse.sri.com
https://ipoet-docker-all.cse.sri.com:443 "GET /v2/ HTTP/1.1" 200 None
REQUEST_TOKEN:HTTPCODEERROR:200
Error treating ipoet-docker-all.cse.sri.com/rhel-sfweb:0.3.9
Error access to : https://ipoet-docker-all.cse.sri.com/v2/
Code Error : 200
```
I figured out the problem. I believe there's actually a minor bug in paclair here. However it could also be a bug in Artifactory's docker registry.
```python
response = requests.get(url, verify=self.verify, auth=self.auth)
```

In here you pass `self.auth`. To the best of my knowledge the `WWW-Authenticate` won't be returned if you pass valid authentication.

I got this to work by using curl to determine the token_url and then subsequently setting it in the config.yml.

```
$ curl -X GET "https://ipoet-docker-all.cse.sri.com/v2/" -i
HTTP/1.1 401 Unauthorized
Date: Wed, 13 Jun 2018 00:50:57 GMT
Server: Artifactory/5.2.1
Strict-Transport-Security: max-age=63072000; includeSubDomains
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
X-Artifactory-Id: 3cacb2388c703e61:393cc7ec:163dabcabdb:-8000
Docker-Distribution-Api-Version: registry/2.0
WWW-Authenticate: Bearer realm="https://artifactory.sri.com/artifactory/api/docker/ipoet-docker-all/v2/token",service="artifactory.sri.com"
Content-Type: application/json;charset=ISO-8859-1
Content-Length: 87

{"errors":[{"code":"UNAUTHORIZED","message":"authentication required","detail":null}]}
```
> To the best of my knowledge the WWW-Authenticate won't be returned if you pass valid authentication.
I think you're right and that's why paclair can't figure the Token Url.
Does it work if you remove the auth on the line where you spotted the bug and don't specify a Token url on the configuration file?
I'll do some tests on my own with different registries.
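The token-endpoint discovery the two comments above are debating, as an added example (not paclair's own code): an unauthenticated `GET /v2/` yields a 401 whose `WWW-Authenticate` Bearer challenge carries the realm and service, while the same probe sent with valid credentials returns 200 and no challenge, so there is nothing to derive the token URL from. The two response tuples are constructed from the curl output in the thread; `parse_bearer_challenge` and `token_url_from_probe` are illustrative names, not paclair functions.

```python
import re
from urllib.parse import urlencode

# Constructed stand-ins for the two registry responses discussed in the thread:
# the probe sent without credentials (401 plus a Bearer challenge) and the same
# probe sent with valid credentials (200, no challenge).
UNAUTH_PROBE = (401, {
    "Docker-Distribution-Api-Version": "registry/2.0",
    "WWW-Authenticate": 'Bearer realm="https://artifactory.sri.com/artifactory/'
                        'api/docker/ipoet-docker-all/v2/token",service="artifactory.sri.com"',
})
AUTHED_PROBE = (200, {"Docker-Distribution-Api-Version": "registry/2.0"})

# key="value" pairs inside the challenge parameter list
_PARAM_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_bearer_challenge(header):
    """Parse 'Bearer realm="...",service="...",scope="..."' into a dict.

    Returns None for a missing header or a non-Bearer scheme (e.g. Basic)."""
    scheme, _, params = header.strip().partition(" ")
    if scheme.lower() != "bearer":
        return None
    return dict(_PARAM_RE.findall(params))


def token_url_from_probe(status, headers, scope=None):
    """Derive the bearer-token endpoint from the /v2/ probe response.

    Returns the URL to fetch a token from, or None when the registry sent no
    challenge, which is exactly the case when the probe itself carried valid
    credentials and came back 200."""
    if status != 401:
        return None
    challenge = parse_bearer_challenge(headers.get("WWW-Authenticate", ""))
    if not challenge or "realm" not in challenge:
        return None
    query = {"service": challenge.get("service", "")}
    if scope:  # e.g. repository:<name>:pull for a pull-only token
        query["scope"] = scope
    return "%s?%s" % (challenge["realm"], urlencode(query))
```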
Looking through, I see that the config references Artifactory as a docker repository.
I'm assuming that in the YAML config I use the hostname of my registry under registries, but I'm not really sure what the other properties are and how auth works, since I have to log in to Artifactory using an API key. Also, the tool seems to just keep trying to reach out to the public docker hub...
Any information is appreciated.