I am using nexus as a Docker container, with tag sonatype/nexus3:3.14.0. Also, I connect nexus with LDAP for user better user management it is helpful for group and role management.
For my case, I create a blog-store and create two docker registry repository, one hosted and one group. I try to log in, on hosted and it works fine. But when I tried to connect into the grouped repository I get
401 Unauthorized. I also tried to connect with admin credentials but I get the same error too,
Error response from daemon: login attempt to https:///v2/ failed with status: 401 Unauthorized.
Suggestions are welcome
PParthenis
Enable the Docker Bearer Token Realm in Nexus Security->Realms Tab.
As stated in here
In my case Docker Bearer Token Realm security realm was already enabled. But prioritizing this realm did the trick.
If Docker Bearer Token Realm is already enabled in Nexus Security->Realms Tab, Increase its priority.
For more info https://help.sonatype.com/repomanager3/system-configuration/access-control/realms
Related
I am using GitHub Actions & Packages from Beta. Yesterday, the PAT expired. That's why my GitHub Actions failed. There is a Regenerate button on Profile > Developer Settings > Personal Access Token. I clicked it and created a new PAT.
At this step, I am able to login docker.pkg.github.com and push the image to GitHub Registry.
But, I am getting an error message when I pull that image.
This is the error message:
Error response from daemon: unauthorized: Your request could not be authenticated
by the GitHub Packages service. Please ensure your access token is valid and has
the appropriate scopes configured.
How can I solve this expired PAT issue?
This was a bug and reported on the GitHub community https://github.community/t/bug-report-personal-access-tokens/147968/2
The shell stores your old token and doesn't update it. That's why you have to logout first for one time.
The solution:
Regenerate or Create a new Personal Access Token
Update your repo's Secret
in a shell, docker logout https://docker.pkg.github.com
in a shell, docker login https://docker.pkg.github.com -u GITHUBUSERNAME
use the new token as the password
Then you will able to pull an image from the GitHub registry as always.
I got the answer from zsoobhan-tc's post.
Trying to login from docker to gitlab using the command:
sudo docker login registry.gitlab.com?private_token=XXX
But I still have the following error message:
Error response from daemon: Get https://registry.gitlab.com/v2/: unauthorized: HTTP Basic: Access denied\nYou must use a personal access token with 'api' scope for Git over HTTP.\nYou can generate one at https://gitlab.com/-/profile/personal_access_tokens
The token has the right access I doubled checked... I am rather new to docker, any hint/help? thanks!
The correct command line (that works in my case at least) was:
docker login registry.example.com -u <your_username> -p <your_personal_access_token>
If you are using 2 factor authentication, then personal access tokens are required.
More information on the following webpage,
https://docs.gitlab.com/ee/user/profile/personal_access_tokens.html
According to https://docs.gitlab.com/ee/user/profile/personal_access_tokens.html, your username actually gets ignored:
Though required, GitLab usernames are ignored when authenticating with a personal access token. There is an issue for tracking to make GitLab use the username.
So, if you're not able to connect, it might not be because of the username.
Q1:
I'm running a Hawkbit server on localhost in a docker container and activated the option "Allow a gateway to authenticate and manage multiple targets through a gateway security token" in the settings of the web UI that I access via http://localhost:8080/.
Now I'm using Postman to send a GET request to http://localhost:8080/default/controller/v1/25 with the header
key: GatewayToken, value: <The gateway token shown in the Hawkbit web UI>
Using this header, I'm supposed to be able to authenticate my Postman client against the Hawkbit server (compare e.g. https://www.eclipse.org/hawkbit/concepts/authentication/), however I'm always getting a "401 Unauthorized" response.
Even if I enable "Allow targets to download artifacts without security credentials" which should enable any client to get a ressource even without authentification, I get a 401.
What am I doing wrong?
Q2:
The Hawkbit server is running in Docker started via "docker-compse up -d" as described here: https://www.eclipse.org/hawkbit/gettingstarted/
In order to solve the problem of Q1, I wanted to check the output of Hawkbit inside the container, but I'm not too familiar with docker and couldn't find out how. I was able to get inside the conainer using
docker exec -it docker_hawkbit_1 /bin/sh
which bring me into the container's file system at /opt/hawkbit. But that's not what I was looking for. How can I see the log/output of the Hawkbit/Spring Boot application running inside the container?
Q1:
The key of the request should not be GatewayToken, but Authorization. The header of the request will then look as follows:
key: Authorization, value: GatewayToken <token>
Q2:
Try the following command to see the logs:
docker logs -f docker_hawkbit_1
Using okd/openshift-origin 3.11 (and previous versions) we've been unable to get anonymous image pulls working.
We've tried adding various groups to the registry-viewer role as indicated by the instructions from the merge request where the feature was added.
We've tried:
oc policy add-role-to-user registry-viewer system:anonymous -n <project>
oc policy add-role-to-user registry-viewer system:unauthenticated -n <project>
When viewing the registry in the GUI the access policy shows Anonymous: Allow all unauthenticated users to pull images
Yet this is the result when trying to pull:
docker pull docker-registry-default.$cluster/$project/$image:latest
Error response from daemon: Get https://docker-registry-default.$cluster/v2/$project/$image/manifests/latest: unauthorized: authentication required
What are we missing?
If there is a $HOME/.docker/config.json credential file on the client machine, could you try whether you can pull the image after removing the credential file (or backup) ?
Because docker pull is using $HOME/.docker/config.json by default, it can cause unexpected authorization trouble like this by authenticating as the credential file. As removing docker credential file(config.json) you can verify whether docker pull is conducted by unauthenticated.
I'm using Sonatype Nexus as a Private Docker Registry.
While it works with authenticated users, trying to use anonymous user to pull images doesn't work. This happens only on a docker client.
Using the Nexus UI (not logged in) I'm able to browse images on my repo. But trying to pull the images I get an 'Unauthorized' error.
The following is a capture stream of communication between the Docker Client and the Nexus repository:
Wireshark packet capture
This is strange, as the anonymous access is enabled, and according to the docs, I may have a Docker Hosted Registry (with RW access through HTTPs port) and a Docker Group Registry, pointing to a Docker Hosted Registry, with RO/Anonymous access.
This feature was added in Nexus 3.6. According to the documentation:
Under Security > Realms, enable the “Docker Bearer Token Realm”
Uncheck “Force basic authentication” in the repository configuration
Nexus caused me quite some headache until i found a rather obscure sonatype post
that states not to change the anonymous realm.
So the steps I followed to get this working: (tested in Nexus 3.19.1 to 3.38.1)
Same as the Answer by #andrewdotn (Enable the Docker Bearer Token
Realm in the Security > Realms section)
Enable the anonymous access FOR the Local Authorizing Realm (as stated in the above mentioned link)
Create the docker(proxy) Repository (in this example to proxy hub.docker.com)
3.1. enable the HTTP / HTTPS endpoint (depending if you ssl to nexus or use a reverse proxy)
3.2. enable "Allow anonymous docker pull (Docker Bearer Token Realm required)"
3.3. enter "https://registry-1.docker.io" as "Location of the remote repository" (for the docker-hub)
3.4. set the "Docker Index" to use the docker hub index (aka.: "Use Docker Hub")
3.5. save
make sure your anonymous user has the right to read the new repository (the default anon-role will allow read access to quite a bit more, but should already allow anon pull)
4.1. (OPTIONAL) If you want to restrict the anonymous user as much as possible (i.e.: to only allow docker pull) crate a role "nx-docker_read" (or similar) and give it the "nx-repository-view-docker--read"*. (this will allow the any user in the group to pull images from any docker repository, that allows anon pull, but not see anything on the web-ui)
4.2. (if u did 4.1) now all that's left is to change the group of the anon user to ur new role (in my example "nx-docker_read") and remove it from "nx-anonymous" => anon-users can no longer brows nexus on the web-ui but can still pull images
Docker Registry API requires authentication for registry access, even for the pull operations so does Nexus 3.
Dockerhub always requires an access token, even for pulls.
But the reason why you can pull anonymously from dockerhub is that it uses a token server which automatically gives out access tokens to anonymous users.
This mecanism is not available for the moment with Nexus 3.0.1.
Perhaps it will be implemented (https://issues.sonatype.org/browse/NEXUS-10813).
So for the moment with Nexus 3, it will always require to be logged in before to pull an image (eventually with the anonymous user is your rights are setted this way).