I want to validate that docker login against a specific registry worked successfully. How can I do this by using the docker CLI or the docker-py API, without trying to perform another authentication?
Please keep in mind that registries can allow anonymous pulls, so doing a random pull is not a valid way to validate that authenticated access works.
The Model.deploy python function for AzureML deploys a model as an endpoint. But first it builds a docker image for deployment. If I run this in an AzureML notebook it all works fine.
However, if I try to run this in a local Jupyter notebook then I get "authentication required" when it tries to log in to the container registry. If I use the az acr login CLI command then it works as expected.
However, I am trying to write an unattended service that uses service principal credentials. I have tried using both the ACR SDK and the Docker SDK to programmatically log in to my registry, but these are both ignored by Model.deploy. It seems like it only respects (or docker does) the cached credentials in the docker config.
So, how can I get around this? Is it possible to programmatically log in to the registry for the benefit of Model.deploy, or do I have to rely on cached credentials, and if so, is it then possible to programmatically add to the cached credentials on the machine?
We have a Docker Registry running that uses native basic authentication with nginx, so images can only be pushed to the Registry after authentication. Is it possible to get the user who pushed the image to the Registry?
It's not part of the registry API. You would need to check the logs of that registry and auth server. It's possible the user may self report who they are by setting a label on the image (or the legacy maintainer field), but I wouldn't depend on that for any security critical tasks.
For more on the registry API, see: https://github.com/opencontainers/distribution-spec
Docker also has their API (which predates OCI) documented at: https://docs.docker.com/registry/spec/api/
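Since the registry API itself does not record who pushed, the practical way to answer the question is to audit the logs of the component that authenticated the push. The following is an added example (not from the question or the answer above) that reconstructs push events from nginx access logs. It assumes the registry sits behind an nginx reverse proxy doing basic authentication and that nginx writes the standard "combined" log format, where the third field is $remote_user. A push is identified by a successful PUT of a manifest; the sample log lines are constructed, not real traffic.

```python
"""Audit which authenticated user pushed which image, from nginx access logs.

Assumptions (not from the original posts): nginx "combined" log format in
front of a Docker Registry v2; the basic-auth username is logged as
$remote_user ("-" when the request carried no credentials).
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# nginx "combined" format: remote_addr - remote_user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<addr>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# A push completes with a manifest upload: PUT /v2/<name>/manifests/<tag-or-digest>
MANIFEST_PUT_RE = re.compile(r'^/v2/(?P<name>.+)/manifests/(?P<ref>[^/?]+)$')


@dataclass
class PushEvent:
    user: Optional[str]   # None when the request carried no basic-auth user
    repository: str
    reference: str
    remote_addr: str
    time: str


def parse_push_events(lines) -> List[PushEvent]:
    """Return one PushEvent per successful manifest upload found in the log lines."""
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                      # not in the expected format; skip
        if m.group("method") != "PUT":
            continue
        if not 200 <= int(m.group("status")) < 300:
            continue                      # rejected or failed push (e.g. 401)
        pm = MANIFEST_PUT_RE.match(m.group("path"))
        if not pm:
            continue                      # blob uploads are part of a push, not its completion
        user = m.group("user")
        events.append(PushEvent(
            user=None if user == "-" else user,
            repository=pm.group("name"),
            reference=pm.group("ref"),
            remote_addr=m.group("addr"),
            time=m.group("time"),
        ))
    return events


def unauthenticated_pushes(events: List[PushEvent]) -> List[PushEvent]:
    """Pushes with no basic-auth user: if nginx enforces auth on PUT, these should never exist."""
    return [e for e in events if e.user is None]


# Constructed sample log lines (not real traffic)
SAMPLE_LOG = [
    '10.0.0.5 - alice [10/Oct/2023:13:55:35 +0000] "PUT /v2/team/app/blobs/uploads/abc?digest=sha256%3Adeadbeef HTTP/1.1" 201 0 "-" "docker/24.0.5"',
    '10.0.0.5 - alice [10/Oct/2023:13:55:36 +0000] "PUT /v2/team/app/manifests/1.4.2 HTTP/1.1" 201 0 "-" "docker/24.0.5"',
    '10.0.0.9 - - [10/Oct/2023:14:02:11 +0000] "GET /v2/team/app/manifests/1.4.2 HTTP/1.1" 200 1234 "-" "docker/24.0.5"',
    '10.0.0.7 - bob [10/Oct/2023:14:10:02 +0000] "PUT /v2/team/app/manifests/latest HTTP/1.1" 401 0 "-" "docker/24.0.5"',
    '10.0.0.8 - - [10/Oct/2023:14:12:40 +0000] "PUT /v2/team/tools/manifests/2.0 HTTP/1.1" 201 0 "-" "docker/24.0.5"',
]

if __name__ == "__main__":
    events = parse_push_events(SAMPLE_LOG)
    for ev in events:
        who = ev.user or "<anonymous>"
        print(f"{ev.time}: {who} pushed {ev.repository}:{ev.reference} from {ev.remote_addr}")
    for ev in unauthenticated_pushes(events):
        print(f"ALERT: push to {ev.repository}:{ev.reference} without an authenticated user")
```

Anonymous pulls (the GET line) are ignored on purpose; only the manifest PUT ties a user to a pushed tag. A successful manifest PUT with no user is the condition worth alerting on, because it means the proxy let an unauthenticated write through.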
I'm having trouble pushing to GitLab Container Registry.
I can login successfully using my username and a personal access token but when I try to push the image to the registry, I get the following error:
$ docker push registry.gitlab.com/[groupname]/dockerfiles/nodemon
The push refers to a repository [registry.gitlab.com/[groupname]/dockerfiles/nodemon]
15d2ea6e1aeb: Preparing
2260f979a949: Preparing
f8e848bb8c20: Preparing
740a5345706a: Preparing
5bef08742407: Preparing
denied: requested access to the resource is denied
I assume the issue is not with authentication because when I run a docker login registry.gitlab.com, I get a Login Succeeded message.
Where is the problem?
How should I push my images to GitLab Container Registry?
I got it working by adding the api scope to my personal access token.
The docs state "The minimal scope needed is read_registry." But that probably applies to read-only access.
Reference: https://gitlab.com/gitlab-com/support-forum/issues/2370#note_44796408
In my case it was really dumb, maybe even a GitLab bug:
I renamed the GitLab project after the creation of the container registry, so the container registry URL was still using the old name...
The project name under GitLab had the typo corrected, but not the registry link, and that led to this error.
Had a similar issue; it was because of the URL that was used for tagging and pushing the repo.
It should be
docker push registry.gitlab.com/[account or group-name]/[reponame]/imagename
It was previously a correct answer to say that the personal access token needs to include the api permission, and several answers on this page say exactly that.
Recently, GitLab appear to have improved the granularity of their permission system. So if you want to push container images to the GitLab Docker registry, you can create a token merely with the read_registry and write_registry permissions. This is likely to be a lot safer than giving full permissions.
I have tested this successfully today.
Enable the personal access token by adding the api scope as per these guidelines. After creating the token and username, use these credentials for logging in to the Docker environment or pushing.
Deploy tokens created under the CI/CD setup are not sufficient for pushing the image to a Docker registry.
I had the same issue.
In my case, the issue was that I had AutoDevOps enabled before, which seems to generate a deploy token automatically.
Now, deploy tokens are basically just API keys for deployment.
But GitLab has a special handling for gitlab-deploy-token which you can then access via $CI_DEPLOY_USER and $CI_DEPLOY_PASSWORD as a predefined variable.
However, I did not double-check the default token.
In my case, it only had read_registry; of course, it also needs the write_registry permission.
If you do this, then you can follow the official documentation.
Alternatively, you can apparently also switch to $CI_REGISTRY_USER and $CI_REGISTRY_PASSWORD, which are ephemeral, however.
I am not new to lxc or docker. But I do not have much knowledge on the image registry.
So I decided to get started and followed up tutorials and installation instructions.
And things are working fine in terms of pushing and pulling from my custom registry.
My questions:
The registry does not seem to come with a login/access management system.
1st - What are the overall steps to follow to implement a login (and possibly access) management to a custom registry?
2nd - If this mechanism is implemented, is there a way to use docker login to use that mechanism instead of https://hub.docker.com 's?
To the 2nd: by using docker login yourregistry, you can use Docker's login mechanism to log in to a specific registry. The credentials are saved as well;
Docker Hub is just the default. Unfortunately I don't know how to set up my own registry; personally I'm just using it in my company to pull from our Artifactory.
Good day!
I have looked at a ton of info about the docker registry and still have some questions about it... Please help me to understand some things about the index and the registry.
I have installed docker-registry for private repositories. And I worked with standalone mode true. As I understand, the docker registry can't authenticate users - it asks the index for permissions and auth. So, I disabled standalone mode, so docker-registry needs to authenticate me via index.docker.io, but it doesn't work - the registry allows me to push and pull any images I want. So the question is - why doesn't docker-registry try to authenticate me via index.docker.io?
If docker-registry authenticates me through index.docker.io, where are the authorization parameters stored? I mean, if I want to grant user vozerov the right to push only to the private.repo.domain:5000/vozerov repository.
Docker searches through the index. So if I want to search my images in my private repository, I need to tell index.docker.io that there is a new private repository. Is that right, or am I saying something wrong?
I found the docker-index project on GitHub - https://github.com/ekristen/docker-index. It is an alternative to index.docker.io. So, if I install it and log in to it, would the docker search command search through my private index or through index.docker.io?
UPD:
I worked a lot with docker-registry this night, so I am a bit confused:
If standalone mode is true, then disable_token_auth is not used in any variant. So we can:
1.1 Use this repo without auth (pull and push rights to anyone).
1.2 Use basic auth with nginx and docker login my.registry.com, so every user that has basic auth info can push and pull. So we don't have authorization in this mode.
If standalone mode is false, then docker-registry needs to communicate with index.docker.io, but it doesn't. Two variants:
2.1. If disable_auth_token is true - I get a 405 error (method not allowed), but does it mean that I allow anyone to push or pull images, or not?
2.2. If disable_auth_token is false - I get a 405 error...
And for 2.1 and 2.2, docker login my.registry.com does not work - it shows me a 404 error... Maybe it is my misconfiguration?
1. I have installed docker-registry for private repositories. And I worked with standalone mode true. As I understand, the docker registry can't authenticate users - it asks the index for permissions and auth. So, I disabled standalone mode, so docker-registry needs to authenticate me via index.docker.io, but it doesn't work - the registry allows me to push and pull any images I want. So the question is - why doesn't docker-registry try to authenticate me via index.docker.io?
The private docker registry you set up has no authentication because you did not set it up. You have to use nginx as a reverse proxy to set up the authentication, and since the docker client does not support basic authentication without SSL, you have to set up SSL on the reverse proxy as well.
When you push or pull, you are using the docker client. It can connect to any registry: a private registry you set up, as well as Docker Hub. Here are several points to consider:
When you fire off a docker search from your docker client, it will by default search the docker hub, and let you pull any image from there as long as it's public.
Login is needed to push an image to Docker Hub.
Now if you want to search your private docker registry you have to tell the docker client to search that registry in the following format:
docker search private.repo.domain:5000/vozerov
Now, depending on which registry you actually want to search, your private registry will require its own authentication if you set it up with a reverse proxy; Docker Hub will require you to log in as well if you want to use it to push images.
The reason you can push/pull/search is because you are probably telling the docker client to do those actions in your private registry only, by specifying domain_name:port/image_name. Even if you don't specify it and use Docker Hub by default, you will not run into authentication issues unless you try to push the image.
2. If docker-registry authenticates me through index.docker.io, where are the authorization parameters stored? I mean, if I want to grant user vozerov the right to push only to the private.repo.domain:5000/vozerov repository.
Authorization parameters are stored on your docker client machine in the following file (it's a hidden file, so use ls -la). The file is called ".dockercfg".
Inside that file you find the login credential details of the registries you successfully logged into:
{
"your_domain.com": {
"auth": "dXNlcjE6cGFzc3dvcmQxMjM=",
"email": ""
}
}
The "auth" value is your base64-encoded username:password credentials.
Docker's private registry provides login (with the help of a reverse proxy) only. If you want a full-blown user-based authentication/authorization or access control system, you could look at solutions like Artifactory or the CoreOS Enterprise Registry.
3. Docker searches through the index. So if I want to search my images in my private repository, I need to tell index.docker.io that there is a new private repository. Is that right, or am I saying something wrong?
The docker client searches through index.docker.io if you don't specify that you want it to search your private registry. That is the default behavior of docker. Your private docker registry is totally separate from the official Docker index; it simply has nothing to do with it. If you want to search your private registry from your docker client, here are some commands you could use, native or curl:
Using curl (apt-get install jq):
curl -s -X GET http://private.repo.domain:5000/v1/search | jq '.results[].name'
Using docker search:
docker search private.repo.domain:5000/<search_keyword>
4. I found the docker-index project on GitHub - https://github.com/ekristen/docker-index. It is an alternative to index.docker.io. So, if I install it and log in to it, would the docker search command search through my private index or through index.docker.io?
Looks like that project is coming to a stop as Docker is rolling out a new registry. I never really tried it, so I would not know which registry it searches. I would assume it is something you integrate with a private registry, since Docker Hub already has its own index, so if I were to make a guess, it would search your private registry.
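The credential file described in point 2 is also what the first question on this page (validating that docker login worked without authenticating again) can be checked against: after a successful login the CLI records the registry in that file, and reading it contacts no registry. The following is an added example, not code from any of the posts. It parses either the legacy ~/.dockercfg format shown above (a top-level map keyed by registry) or the current ~/.docker/config.json (the same map under "auths", plus optional "credsStore" and "credHelpers" entries that delegate the secret to an external helper program). The precedence it applies (a per-registry credHelper, then an inline "auth" value, then credsStore) is a simplification of the CLI's own lookup and is an assumption here. Because "auth" is only base64(username:password), the function deliberately returns the username and the storage location, never the password; the sample config is constructed, and the one "auth" value in it is the one from the answer above.

```python
"""Find out which registries have stored Docker credentials, without logging in again.

Added example; assumptions are marked in comments. Reads the legacy
~/.dockercfg layout or the current ~/.docker/config.json layout.
"""
import base64
import json
import os
from dataclasses import dataclass
from typing import Optional


@dataclass
class StoredCredential:
    registry: str
    source: str                 # "inline", "credHelper:<name>" or "credsStore:<name>"
    username: Optional[str]     # only recoverable for inline entries
    has_secret: bool


def load_config(path: Optional[str] = None) -> dict:
    """Load config.json, falling back to the legacy .dockercfg; {} if neither exists."""
    candidates = [path] if path else [
        os.path.expanduser("~/.docker/config.json"),
        os.path.expanduser("~/.dockercfg"),
    ]
    for candidate in candidates:
        if candidate and os.path.exists(candidate):
            with open(candidate, encoding="utf-8") as fh:
                return json.load(fh)
    return {}


def _auths(config: dict) -> dict:
    # config.json keeps entries under "auths"; the legacy .dockercfg is the map itself
    return config["auths"] if "auths" in config else config


def _normalise(registry: str) -> str:
    """Strip scheme and trailing slash so 'https://host/' and 'host' compare equal."""
    r = registry.strip()
    for prefix in ("https://", "http://"):
        if r.startswith(prefix):
            r = r[len(prefix):]
    r = r.rstrip("/")
    if r in ("docker.io", "index.docker.io", "index.docker.io/v1"):
        r = "index.docker.io/v1"   # all spellings of Docker Hub share one entry
    return r


def find_credential(config: dict, registry: str) -> Optional[StoredCredential]:
    """Where are credentials for `registry` stored? None means docker login never succeeded for it."""
    target = _normalise(registry)
    # Assumed precedence: per-registry helper, then inline auth, then the default store
    for key, helper in config.get("credHelpers", {}).items():
        if _normalise(key) == target:
            return StoredCredential(target, f"credHelper:{helper}", None, True)
    for key, entry in _auths(config).items():
        if _normalise(key) != target:
            continue
        auth = entry.get("auth")
        if auth:
            decoded = base64.b64decode(auth).decode("utf-8", errors="replace")
            username, sep, secret = decoded.partition(":")
            return StoredCredential(target, "inline", username, bool(sep and secret))
        if config.get("credsStore"):
            # an empty entry marks a registry whose secret lives in the default store
            return StoredCredential(target, f"credsStore:{config['credsStore']}", None, True)
    return None


# Constructed sample config (registry names are placeholders; the "auth" value is the one quoted above)
SAMPLE_CONFIG = {
    "auths": {
        "your_domain.com": {"auth": "dXNlcjE6cGFzc3dvcmQxMjM=", "email": ""},
        "https://index.docker.io/v1/": {},      # secret delegated to credsStore
    },
    "credsStore": "desktop",
    "credHelpers": {"registry.example.com": "pass"},
}

if __name__ == "__main__":
    cfg = load_config() or SAMPLE_CONFIG
    for name in ("your_domain.com", "docker.io", "registry.example.com", "nowhere.example.net"):
        print(name, "->", find_credential(cfg, name))
```

A None result is the reliable negative: the CLI did not record a login for that registry. A non-None result only proves a login once succeeded and something is stored; it says nothing about whether the token or password is still valid, which no local check can establish. The inline case is also the reminder that the file's permissions are the only protection the stored password has.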
The Docker registry manages Docker images. The Docker index manages authentication.
The Docker registry is open source, while the Docker index is not open source.
If you deploy docker-registry, you have to implement authentication over it.
The Docker index can provide you with a private docker-registry; check this.
If you want authentication (and encryption) for your private registry, then you will need to put nginx or Apache in front of docker as a proxy and use HTTP authentication and SSL termination there.
As far as I can tell, there isn't a way to have the docker search command search your private registry. That command only searches Docker Hub.