docker registry v2 ui with docker_auth - docker

I have the registry v2 container and docker_auth up and running. The registry uses a self-signed certificate which was created with my CA. I can pull and push images without any problem, so the configuration is working properly.
I would like to have a UI for this registry to browse images. I have tried many of them:
https://github.com/kwk/docker-registry-frontend does not support token-based auth
https://shipyard-project.com only supports v1 registries
https://github.com/SUSE/Portus looks quite heavyweight for me
https://github.com/mkuchin/docker-registry-web I configured it with my keyfile and set the issuer, but I couldn't add my repo; it always returns 401. In the docker registry I found "token intended for another audience: \"mydockerrepo:5000\"". I tried different names but none of them worked. I checked the crt and key files and I use the correct crt-key pair.
Is there any other UI I should try?
Can somebody help me with the "audience" error message?

Related

Nexus with Private Google container Repo

I'm trying to proxy a private Google Container Registry with Nexus 3 Repository OSS.
Not sure how to do the authentication bit.
I found a suggestion for Artifactory:
Create a new Docker remote registry repository
Uncheck the Enable Token Authentication flag
Set the URL as https://gcr.io
Under the advanced tab, set the username as _json_key​
Under the advanced tab, set the password to the contents of the JSON Key File
Did not work with Nexus.
Any advice, please?
You need to use a service account with an API key in order to authenticate;
take a look at this blog, which shows how to create the private registry with Google Container Registry and Nexus OSS.

How to add secure registry to docker configuration

I'm trying to use registry.centos.org with docker.
I've tried adding the below to /etc/docker/daemon.json as, intuitively, this would seem like the obvious place to add it, and the logical variable name.
{
"insecure-registries": ["172.30.0.0/16"],
"secure-registries": ["registry.centos.org"]
}
I then tried to restart the docker service, but it failed to restart.
Google provides lots of links on how to set up a secure registry, but I couldn't find any info on how to add new secure registries to the docker configuration.
Likewise, the website for registry.centos.org doesn't provide any info on how to do this either.
If you are able to pull the image, then there's nothing further to do. All external registries by default are secure, which means docker will require a TLS connection and valid certificate for the registry server. The insecure registry section is to allow exceptions to this rule.
There is also the option to override the CA certificate for a registry server, which is useful if you have a self-hosted registry server with TLS but an unknown CA. For this, you would place the CA certificate, and any intermediate certificates, in /etc/docker/certs.d/${hostname}:${port}/ca.crt, e.g. /etc/docker/certs.d/registry.example.com:5000/ca.crt.
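The certs.d layout described in the answer above, as an added example (not code from the answer or from Docker): a small script that installs a private CA bundle for one registry host and checks the result. Assumptions not taken from the page: the registry reference is host or host:port exactly as it appears in image names, and CERTS_ROOT may be overridden for a dry run; dockerd itself always reads /etc/docker/certs.d.

```shell
#!/bin/sh
# Added example, not part of the original answer: install a private CA for a
# self-hosted registry under Docker's certs.d layout and sanity-check it.
# Assumptions (not from the page): REGISTRY is host or host:port as used in
# image references; CERTS_ROOT may be overridden (e.g. for a dry run), but
# dockerd itself only consults /etc/docker/certs.d.
set -eu

CERTS_ROOT="${CERTS_ROOT:-/etc/docker/certs.d}"

# certs_dir REGISTRY -> the per-registry directory dockerd consults.
# The name must match host[:port] as written in the image reference:
# registry.example.com and registry.example.com:5000 are different directories.
certs_dir() {
  printf '%s/%s\n' "$CERTS_ROOT" "$1"
}

# count_certs FILE -> number of PEM certificates in FILE (CA plus intermediates).
count_certs() {
  grep -c 'BEGIN CERTIFICATE' "$1" || true
}

# install_ca REGISTRY BUNDLE -> copies BUNDLE to <dir>/ca.crt and prints the
# path. Refuses a missing, empty or non-PEM bundle, because dockerd would
# otherwise fail TLS verification for every pull from that registry.
install_ca() {
  registry="$1"; bundle="$2"
  if [ ! -r "$bundle" ]; then
    echo "install_ca: cannot read $bundle" >&2
    return 1
  fi
  if [ "$(count_certs "$bundle")" -eq 0 ]; then
    echo "install_ca: $bundle contains no PEM certificate" >&2
    return 1
  fi
  dir="$(certs_dir "$registry")"
  mkdir -p "$dir"
  cp "$bundle" "$dir/ca.crt"
  chmod 0644 "$dir/ca.crt"
  printf '%s\n' "$dir/ca.crt"
}

# verify_registry REGISTRY -> 0 if the chain served by REGISTRY validates
# against the installed ca.crt. Needs network access (not exercised offline);
# it is the same validation dockerd performs, so run it before restarting.
verify_registry() {
  ca="$(certs_dir "$1")/ca.crt"
  case "$1" in
    *:*) hostport="$1" ;;
    *)   hostport="$1:443" ;;   # Docker's default registry port
  esac
  openssl s_client -connect "$hostport" -servername "${1%%:*}" -CAfile "$ca" \
    </dev/null 2>/dev/null | grep -q 'Verify return code: 0 (ok)'
}
```

Usage: `install_ca registry.example.com:5000 /path/to/ca-bundle.pem && verify_registry registry.example.com:5000`. No daemon restart is needed for certs.d changes; dockerd reads the directory on each registry connection.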

Publisher Public key for docker notary

I am using docker notary to establish trust in the images I download from my private docker registry. While I am able to work out everything (push, pull) quite well when running on one single host, in a multi-node (server/client) situation I am just wondering how to get the publisher's public key. This publisher key will then be used alongside docker engine pull from a client host. Here the server host has the registry as well as the docker-notary server/signer.
Regards
Ashish
Docker Content Trust (powered by Notary) by default will perform TOFUs when downloading trust data for an image - the "s" indicating this is over HTTPS.
If you're using standalone Notary, you can provide trust-pinning configuration to pin to a specific public key or CA against a publisher's TUF root key (though importing certs to Notary repos is WIP, and scheduled for next point release).
I encourage you to check out the relevant Notary client config information and this PR for more information about how to set this up in Notary -- Docker Content Trust integration is WIP.
I am also new to Notary and coming up to speed. My understanding of Notary (which is built on TUF) is that it uses TOFU (trust on first use). So what you need is to be able to connect over SSL to the Notary server, which will then download the publisher certs automatically. You trust what you get the first time (hence TOFU), and after that the publisher certs are used to validate all future verification / key updates / etc.

Nexus Docker Registry - Failing anonymous pull

I'm using Sonatype Nexus as a Private Docker Registry.
While it works with authenticated users, trying to use the anonymous user to pull images doesn't work. This happens only on a docker client.
Using the Nexus UI (not logged in) I'm able to browse images on my repo. But trying to pull the images I get an 'Unauthorized' error.
The following is a capture of the communication between the Docker client and the Nexus repository:
Wireshark packet capture
This is strange, as anonymous access is enabled, and according to the docs I may have a Docker Hosted Registry (with RW access through the HTTPS port) and a Docker Group Registry, pointing to a Docker Hosted Registry, with RO/anonymous access.
This feature was added in Nexus 3.6. According to the documentation:
Under Security > Realms, enable the “Docker Bearer Token Realm”
Uncheck “Force basic authentication” in the repository configuration
Nexus caused me quite some headache until I found a rather obscure Sonatype post
that states not to change the anonymous realm.
So the steps I followed to get this working (tested in Nexus 3.19.1 to 3.38.1):
1. Same as the answer by #andrewdotn (enable the Docker Bearer Token Realm in the Security > Realms section)
2. Enable anonymous access FOR the Local Authorizing Realm (as stated in the above-mentioned link)
3. Create the docker (proxy) repository (in this example to proxy hub.docker.com)
3.1. Enable the HTTP / HTTPS endpoint (depending on whether you SSL to Nexus or use a reverse proxy)
3.2. Enable "Allow anonymous docker pull (Docker Bearer Token Realm required)"
3.3. Enter "https://registry-1.docker.io" as "Location of the remote repository" (for the docker hub)
3.4. Set the "Docker Index" to use the docker hub index (aka "Use Docker Hub")
3.5. Save
4. Make sure your anonymous user has the right to read the new repository (the default anon role will allow read access to quite a bit more, but should already allow anon pull)
4.1. (OPTIONAL) If you want to restrict the anonymous user as much as possible (i.e. to only allow docker pull), create a role "nx-docker_read" (or similar) and give it the "nx-repository-view-docker-*-read" privilege. (This will allow any user in the group to pull images from any docker repository that allows anon pull, but not see anything on the web UI.)
4.2. (If you did 4.1) Now all that's left is to change the group of the anon user to your new role (in my example "nx-docker_read") and remove it from "nx-anonymous" => anon users can no longer browse Nexus on the web UI but can still pull images
The Docker Registry API requires authentication for registry access, even for pull operations, and so does Nexus 3.
Docker Hub always requires an access token, even for pulls.
But the reason why you can pull anonymously from Docker Hub is that it uses a token server which automatically gives out access tokens to anonymous users.
This mechanism is not available for the moment with Nexus 3.0.1.
Perhaps it will be implemented (https://issues.sonatype.org/browse/NEXUS-10813).
So for the moment with Nexus 3, it will always require you to be logged in before pulling an image (eventually with the anonymous user, if your rights are set up this way).
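The token handshake the answers above describe (a 401 challenge, an anonymous token request, a retry with the token) can be walked by hand, which also shows where the "token intended for another audience" error from the first question comes from: the `service` value in the challenge becomes the token's `aud` claim, and the registry only accepts tokens whose `aud` equals the service name in its own token-auth configuration. The script below is an added example, not code from any post on this page or from Nexus or docker_auth; it assumes curl, sed, tr and grep are installed, and REGISTRY, REPO and TAG are placeholders for your own hosts and images.

```shell
#!/bin/sh
# Added example, not taken from any post above: walk the registry v2 token
# handshake by hand to see exactly where an anonymous pull is refused.
# Assumptions (not from the page): curl, sed, tr and grep are present;
# REGISTRY/REPO/TAG are placeholders.
set -eu

# challenge_param CHALLENGE NAME -> the quoted value of NAME in a challenge
# such as: Bearer realm="https://auth/token",service="reg:5000",scope="..."
challenge_param() {
  printf '%s\n' "$1" | sed -n "s/.*[ ,]$2=\"\([^\"]*\)\".*/\1/p"
}

# token_url CHALLENGE -> the URL a client asks the token server for a token.
# The service value becomes the token's aud claim; the registry only accepts
# tokens whose aud equals the service name in its own token-auth config, and
# a mismatch is reported as "token intended for another audience".
token_url() {
  printf '%s?service=%s&scope=%s\n' \
    "$(challenge_param "$1" realm)" \
    "$(challenge_param "$1" service)" \
    "$(challenge_param "$1" scope)"
}

# www_authenticate URL -> the WWW-Authenticate header the registry sends for
# URL (empty when the request succeeds without a challenge). Needs network.
www_authenticate() {
  curl -sS -o /dev/null -D - "$1" | tr -d '\r' \
    | sed -n 's/^[Ww][Ww][Ww]-[Aa]uthenticate: //p'
}

# anon_pull_check REGISTRY REPO [TAG] -> 0 if an anonymous client can fetch
# the manifest; prints the step that failed otherwise. Needs network.
anon_pull_check() {
  manifest="https://$1/v2/$2/manifests/${3:-latest}"
  challenge="$(www_authenticate "$manifest")"
  if [ -z "$challenge" ]; then
    echo "no challenge: the registry serves $2 without authentication"
    return 0
  fi
  case "$challenge" in
    Bearer*) ;;
    *) echo "registry answered '$challenge': not a token flow (on Nexus," \
            "enable the Docker Bearer Token Realm and turn off forced basic auth)"
       return 1 ;;
  esac
  # No credentials on purpose: a registry that allows anonymous pull hands
  # out a token anyway, exactly as Docker Hub does.
  token="$(curl -sS "$(token_url "$challenge")" \
    | sed -n 's/.*"token": *"\([^"]*\)".*/\1/p')"
  if [ -z "$token" ]; then
    echo "token server at $(challenge_param "$challenge" realm) gave no anonymous token"
    return 1
  fi
  code="$(curl -sS -o /dev/null -w '%{http_code}' \
    -H "Authorization: Bearer $token" \
    -H 'Accept: application/vnd.docker.distribution.manifest.v2+json' "$manifest")"
  echo "manifest fetch with anonymous token: HTTP $code"
  [ "$code" = 200 ]
}
```

Usage: `anon_pull_check nexus.example.com:5000 library/alpine 3.19`. If the token request succeeds but the final fetch still returns 401, compare the `service` printed by `challenge_param "$challenge" service` with the service name the registry (or the UI acting as a client) is configured with; that is the audience check failing, not the certificate.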

Docker private registry - Method not allowed 405

I'm trying to create a private registry for docker and I'm relying on the instructions given on the docker site. I have a separate linux box where this registry is installed, then I'm trying to push my images from local (OS X box with docker toolbox). I keep on getting 405 from the registry server. I'm quite new to docker. I was hoping the default basic configuration would work without much trouble.
Configuration
Latest docker toolbox.
Latest registry installation.
I only changed the TLS configuration to post the request over http.
Error
The push refers to a repository [192.168.1.98:5000/complete] (len: 1)
Sending image list
Error: Status 405 trying to push repository complete: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\n<html><head>\n<title>405 Method Not Allowed</title>\n</head><body>\n<h1>Method Not Allowed</h1>\n<p>The requested method PUT is not allowed for the URL /v1/repositories/complete/.</p>\n</body></html>\n"
The doc mentions
405 Method Not Allowed
Manifest put is not allowed because the registry is configured as a pull-through cache or for some other reason
(like a read-only mode)
UNSUPPORTED: The operation was unsupported due to a missing implementation or invalid set of parameters.
The same doc uses URLs which include /v2, unlike the one used in the question (/v1/repositories/complete).
The instructions include:
Getting the headers correct is very important. For all responses to any request under the “/v2/” url space, the Docker-Distribution-API-Version header should be set to the value “registry/2.0”, even for a 4xx response
Make sure you are running a v2 registry image (which is now docker distribution)
The OP Charith actually found in the comments:
mistake in port forwarding on the registry host: The 5000 port was servicing from another server.
I've switched to an available port and everything started working.
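The check the answer recommends (is the thing on that port actually a v2 registry?) as an added example, not code from the answer or from docker/distribution. It probes `/v2/` and reads the Docker-Distribution-API-Version header; a 401 with that header is a healthy registry behind auth, while a 404 or 405 without it (as in the question, where another server owned port 5000) is not a registry at all. Assumptions not from the page: curl, sed and tr are available; the host:port is a placeholder.

```shell
#!/bin/sh
# Added example, not from the original answer: tell a v2 registry apart from
# something else listening on the port. Assumptions (not from the page): curl,
# sed and tr are available; HOST:PORT is a placeholder.
set -eu

# api_version HEADERS -> "registry/2.0" when the Docker-Distribution-API-Version
# header is present in HEADERS (raw HTTP response headers), else "none".
api_version() {
  v="$(printf '%s\n' "$1" | tr -d '\r' \
    | sed -n 's/^[Dd]ocker-[Dd]istribution-[Aa][Pp][Ii]-[Vv]ersion: *//p' | head -n 1)"
  printf '%s\n' "${v:-none}"
}

# status_code HEADERS -> the HTTP status of the first status line in HEADERS.
status_code() {
  printf '%s\n' "$1" | tr -d '\r' \
    | sed -n '1s/^HTTP\/[0-9.]* \([0-9][0-9][0-9]\).*/\1/p'
}

# probe_registry HOST:PORT [http|https] -> 0 when the endpoint identifies
# itself as a v2 registry. 401 is fine: a v2 registry sets the version header
# on its auth challenge too. A 404 or 405 without the header means the port
# is served by something else (another server, a v1-only proxy, a web page).
probe_registry() {
  headers="$(curl -sS -o /dev/null -D - "${2:-https}://$1/v2/")"
  code="$(status_code "$headers")"
  ver="$(api_version "$headers")"
  echo "$1: HTTP $code, Docker-Distribution-API-Version: $ver"
  if [ "$ver" != "registry/2.0" ]; then
    return 1
  fi
  [ "$code" = 200 ] || [ "$code" = 401 ]
}
```

Usage: `probe_registry 192.168.1.98:5000 http` for a registry deliberately run without TLS, as in the question; omit the second argument for a TLS registry. Run it from the client host, not the registry host, so that port forwarding is part of what gets tested.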
