Setting up Docker repository using subdomain method - docker

docker login - how to log in only once for any docker repositories
I set up the on-premise Artifactory to host some Docker repositories, using the subdomain approach, i.e. repo1.mycompany.com, repo2.mycompany.com, etc. Everything is working fine. My question is, it looks like I need to do the 'docker login repo1.mycompany.com' for each repository. Is there a way to log in only once, for all the repositories, and then when pulling/pushing images from/to any repository, there's no need to log in again?
No code to show here. This is all about setup.
No need to login for each repo.

With the subdomain method, each Docker repository is considered a Docker registry by the client; this is why you need to log in to each one you want to use.
To pull from any of them without logging in to each, you can use a virtual repository and aggregate all your locals in it. You'll then need to log in to the virtual only to be able to pull from any (through the virtual). But push will be limited to the default deployment target repo defined in the virtual one.
Another alternative is to use repo paths instead of subdomains. With this approach you'll be able to log in to Artifactory once and use all repos:
docker login mycompany.com
docker pull/push mycompany.com/repo1/imageName
docker pull/push mycompany.com/repo2/imageName

Related

eclipse che docker desktop installation is unable to pull images from private docker registry

Aim is to have a default workspace created for each new user.
User will visit the link https://che-eclipse-che.192.168.0.1.nip.io/#https://github.com/test/eclipse-che
It has the devfile to create the workspace.
First user registration will happen via keycloak and then the workspace will be created. This means a new kubernetes namespace will also be created for the user.
The problem is that I need to use an image from a private docker registry but I'm unable to specify the authentication credentials in the devfile. Is there any way to achieve this?
Can not use kubernetes secret because secrets are confined to a namespace.
Within Che, you can't configure your credentials to be used for every user.
Each user is supposed to configure their own credentials if they need access to private docker repos. Check https://www.eclipse.org/che/docs/che-7/end-user-guide/using-private-container-registries/
What I can propose to look into:
configure nodes to pull private image https://kubernetes.io/docs/concepts/containers/images/#configuring-nodes-to-authenticate-to-a-private-registry;
push your images to cluster internal docker registry;

Pushing into different nexus repository always lands into one repo

I am trying to push an image into a Nexus repo (myrepo):
docker push myreposerver/myrepo/httpd:2.4.28-alpine
And I see that it lands in another repo as:
myreposerver/otherrepo/myrepo/httpd:2.4.28-alpine
This is wrong, but I can't find the config settings which are responsible for this behavior in the Nexus UI.
https://help.sonatype.com/display/NXRM3/Private+Registry+for+Docker
The docker client does not allow a context as part of the path to a
registry, as the namespace and image name are embedded in the URLs it
uses. This is why requests to repositories on the repository manager
are served on a specific and separate port from the rest of the
application instead of how most other repositories serve content via a
path i.e. //
So, in a nutshell, if one wants to set up separate Docker repositories in Nexus they have to be on separate ports, exactly as described here: http://www.sonatype.org/nexus/2017/02/16/using-nexus-3-as-your-repository-part-3-docker-images/

How to disallow push to docker repository

I am currently setting up a local cluster at my work using docker. Basically everything works fine, the only thing I worry about is, that other devs that use my setup may eventually push the local builds to a remote repository.
Since this would be a catastrophe, because we are not allowed to upload the company's artefacts anywhere other than internal servers, is there a way to prevent other users from pushing to a remote docker repo?
docker repo == docker registry?
Not sure I get the full picture about your desired workflow, but here are two options:
Use registry authentication and make sure that only authorised people push
Configure networking / dns / hosts to resolve to the correct registry - e.g. docker-registry.mycompany.com resolves to the local registry for devs and to the remote registry for others.

How to have login and access settings with a docker image registry

I am not new to lxc or docker. But I do not have much knowledge on the image registry.
So I decided to get started and followed up tutorials and installation instructions.
And things are working fine in terms of pushing and pulling from my custom registry.
My questions:
The registry does not seem to come with a login/access management system.
1st - What are the overall steps to follow to implement a login (and possibly access) management to a custom registry?
2nd - If this mechanism is implemented, is there a way to use docker login to use that mechanism instead of https://hub.docker.com 's?
To 2nd: By using docker login /yourregistry, you can use the login mechanism of docker to log in to a specific registry. The credentials are saved as well;
dockerhub is just the default. Unfortunately I don't know how to set up my own registry; personally I'm just using it in my company to pull from our artifactory.

Docker registry and index

Good day!
I have looked at a ton of info about docker registry and still have some questions about it... Please, help me to understand some things about index and registry.
I have installed docker-registry for private repositories. And I worked with standalone mode true. As I understand, docker registry can't authenticate users - it asks index for permissions and auth. So, I disabled standalone mode, so docker-registry needs to authenticate me by index.docker.io, but it doesn't work - the registry allows me to push and pull any images I want. So the question is - why doesn't docker-registry try to authenticate me by index.docker.io?
If docker-registry authenticates me through index.docker.io, where are the authorization parameters stored? I mean, if I want to grant user vozerov push rights only to the private.repo.domain:5000/vozerov repository.
Docker searches through the index. So if I want to search my images in my private repository I need to tell index.docker.io that there is a new private repository. Is that right, or am I saying something wrong?
I found docker-index project at github - https://github.com/ekristen/docker-index. It is alternative for index.docker.io. So, if I install it, login to it, would docker search command search through my private index or through index.docker.io?
UPD:
I worked a lot with docker-registry this night, so I am a bit confused:
If standalone mode is true, then disable_token_auth is not used in
any variant. So we can:
1.1 Use this repo without auth (pull and push rights to anyone).
1.2 Use basic auth with nginx and docker login my.registry.com, so every user that has the basic auth info can push and pull. So, we don't have authorization in this mode.
If standalone mode is false, then docker-registry needs to communicate with index.docker.io, but it doesn't. Two variants:
2.1. If disable_auth_token is true - I get 405 error (method not allowed), but it means that I allow anyone to push or to pull images, or not?
2.2. If disable_auth_token is false - I get 405 error...
And for 2.1 and 2.2 docker login my.registry.com is not working - it shows me a 404 error... Maybe it is my misconfiguration?
1. I have installed docker-registry for private repositories. And I worked with standalone mode true. As I understand, docker registry can't authenticate users - it asks index for permissions and auth. So, I disabled standalone mode, so docker-registry needs to authenticate me by index.docker.io, but it doesn't work - the registry allows me to push and pull any images I want. So the question is - why doesn't docker-registry try to authenticate me by index.docker.io?
The private docker registry you set up has no authentication because you did not set it up. You have to use nginx as a reverse proxy to set up the authentication, and since the docker client does not support basic authentication without SSL, you have to set up SSL on the reverse proxy as well.
When you push or pull, you are using the docker client. It can connect to any registry, private registry you setup, as well as docker hub. Here are several points to consider:
When you fire off a docker search from your docker client, it will by default search the docker hub, and let you pull any image from there as long as it's public.
Login is needed to push the image in Docker Hub.
Now if you want to search your private docker registry you have to tell the docker client to search that registry in the following format:
docker search private.repo.domain:5000/vozerov
Now, depending on which registry you actually want to search, your private registry will require its own authentication if you set it up with a reverse proxy; docker hub will require you to log in as well if you want to use it to push images.
The reason you can push/pull/search is because you are probably telling the docker client to do those actions in your private registry only, by specifying domain_name:port/image_name. Even if you don't specify it and use Docker Hub by default, you will not run into authentication issues unless you try to push an image.
2. If docker-registry authenticates me through index.docker.io, where are the authorization parameters stored? I mean, if I want to grant user vozerov push rights only to the private.repo.domain:5000/vozerov repository.
Authorization parameters are stored on your docker client machine in the following file (it's a hidden file, so use ls -la). The file is called ".dockercfg".
Inside that file you find the login credential details of the registries you successfully logged into:
{
"your_domain.com": {
"auth": "dXNlcjE6cGFzc3dvcmQxMjM=",
"email": ""
}
}
The "auth" is your base64-encoded (username:password) credentials
Docker private registry provides login (with the help of a reverse proxy) only. If you want a full-blown user-based authentication/authorization or access control system, you could look at solutions like Artifactory or the CoreOS enterprise registry
3. Docker searches through the index. So if I want to search my images in my private repository I need to tell index.docker.io that there is a new private repository. Is that right, or am I saying something wrong?
The Docker client searches through index.io if you don't specify that you want it to search your private registry. That is the default behavior of docker. Your private docker registry is totally separate from the official docker index; it simply has nothing to do with it. If you want to search your private registry from your Docker client, here are some commands you could use, native or curl:
Using curl (apt-get install jq):
curl -s -X GET http://private.repo.domain:5000/v1/search | jq '.results[].name'
Using docker search:
docker search private.repo.domain:5000/<search_keyword>
4. I found the docker-index project at github - https://github.com/ekristen/docker-index. It is an alternative for index.docker.io. So, if I install it and log in to it, would the docker search command search through my private index or through index.docker.io?
Looks like that project is coming to a stop as Docker is rolling out a new registry. Never really tried it, so I would not know which registry it searches. I would assume it is something you integrate with a private registry since Docker Hub already has its own index, so if I were to make a guess, it would search your private registry.
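An added example, not code from any of the posters, that ties the per-registry logins of the first question to the .dockercfg entry shown in this answer: each registry hostname (repo1.mycompany.com, repo2.mycompany.com, mycompany.com, ...) gets its own entry, and the "auth" value is only base64 of user:password, so anyone who can read the file recovers the password. The two config texts, hostnames and credentials below are constructed for the example; the legacy ~/.dockercfg layout keeps hostnames at the top level, the current ~/.docker/config.json layout keeps them under "auths".

```python
import base64
import json

# Constructed sample files. The first "auth" value is the one quoted in the
# answer above; it decodes to user1:password123.
LEGACY_DOCKERCFG = """{
  "repo1.mycompany.com": {"auth": "dXNlcjE6cGFzc3dvcmQxMjM=", "email": ""},
  "repo2.mycompany.com": {"auth": "dXNlcjE6cGFzc3dvcmQxMjM=", "email": ""}
}"""
CONFIG_JSON = """{
  "auths": {
    "https://index.docker.io/v1/": {"auth": "aHVidXNlcjpodWJwYXNz"},
    "mycompany.com": {"auth": "dXNlcjE6cGFzc3dvcmQxMjM="},
    "secure.example.com": {}
  },
  "credsStore": "desktop"
}"""


def load_auths(text):
    """Return the registry -> entry mapping from either config layout."""
    data = json.loads(text)
    # config.json nests entries under "auths"; the legacy file is flat.
    return data["auths"] if "auths" in data else data


def decode_auth(entry):
    """Decode an 'auth' value (base64 of 'user:password') to (user, password).
    Returns None when the entry is empty, i.e. the secret lives in a
    credential helper (credsStore) rather than in the file itself."""
    token = entry.get("auth")
    if not token:
        return None
    user, _, password = base64.b64decode(token).decode().partition(":")
    return user, password


def stored_logins(text):
    """Map each registry hostname to the username recoverable from the file,
    or None when nothing is stored inline. One entry per registry is exactly
    why a subdomain-per-repo setup needs one docker login per subdomain."""
    report = {}
    for registry, entry in load_auths(text).items():
        creds = decode_auth(entry)
        report[registry] = creds[0] if creds else None
    return report


if __name__ == "__main__":
    for name, text in (("~/.dockercfg", LEGACY_DOCKERCFG), ("config.json", CONFIG_JSON)):
        for registry, user in stored_logins(text).items():
            print(f"{name}: {registry} -> {user or 'credential helper, not in file'}")
```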
Docker registry manages docker-images. Docker index manages authentication.
Docker registry is open source, while Docker index is not open source.
If you deploy docker-registry, you have to implement authentication over it.
Docker index can provide you private docker-registry, check this.
If you want authentication (and encryption) to your private registry then you will need to put nginx or apache in front of docker as a proxy and use http authentication and SSL termination there.
As far as I can tell, there isn't a way to have the docker search command search your private registry. That command only searches Docker Hub.