Good day!
I have looked at a ton of info about docker registry and still have some questions about it... Please help me to understand some things about the index and the registry.
I have installed docker-registry for private repositories, and I worked with standalone mode true. As I understand, the docker registry can't authenticate users - it asks the index for permissions and auth. So I disabled standalone mode, so docker-registry needs to authenticate me by index.docker.io, but it doesn't work - the registry allows me to push and pull any images I want. So the question is - why doesn't docker-registry try to authenticate me by index.docker.io?
If docker-registry authenticates me through index.docker.io, then where are the authorization parameters stored? I mean, if I want to grant user vozerov the right to push only to the private.repo.domain:5000/vozerov repository.
Docker searches through the index. So if I want to search my images in my private repository, I need to tell index.docker.io that there is a new private repository. Is that right, or am I getting something wrong?
I found the docker-index project on GitHub - https://github.com/ekristen/docker-index. It is an alternative to index.docker.io. So, if I install it and log in to it, would the docker search command search through my private index or through index.docker.io?
UPD:
I worked a lot with docker-registry tonight, and I am a bit confused:
If standalone mode is true, then disable_token_auth is not used in any variant. So we can:
1.1 Use this repo without auth (pull and push rights for anyone).
1.2 Use basic auth with nginx and docker login my.registry.com, so every user that has the basic auth info can push and pull. So we don't have authorization in this mode.
If standalone mode is false, then docker-registry needs to communicate with index.docker.io, but it doesn't. Two variants:
2.1. If disable_auth_token is true - I get a 405 error (method not allowed), but does it mean that I allow anyone to push or pull images, or not?
2.2. If disable_auth_token is false - I get a 405 error...
And for 2.1 and 2.2 docker login my.registry.com is not working - it shows me a 404 error... Maybe it is my misconfiguration?
1. I have installed docker-registry for private repositories, and I worked with standalone mode true. As I understand, the docker registry can't authenticate users - it asks the index for permissions and auth. So I disabled standalone mode, so docker-registry needs to authenticate me by index.docker.io, but it doesn't work - the registry allows me to push and pull any images I want. So the question is - why doesn't docker-registry try to authenticate me by index.docker.io?
The private docker registry you set up has no authentication because you did not set it up. You have to use nginx as a reverse proxy to set up the authentication, and since the docker client does not support basic authentication without SSL, you have to set up SSL on the reverse proxy as well.
When you push or pull, you are using the docker client. It can connect to any registry: a private registry you set up, as well as Docker Hub. Here are several points to consider:
When you fire off a docker search from your docker client, it will by default search Docker Hub, and let you pull any image from there as long as it's public.
Login is needed to push an image to Docker Hub.
Now if you want to search your private docker registry you have to tell the docker client to search that registry in the following format:
docker search private.repo.domain:5000/vozerov
Now, depending on which registry you actually want to search, your private registry will require its own authentication if you set it up with a reverse proxy; Docker Hub will require you to log in as well if you want to use it to push images.
The reason you can push/pull/search is that you are probably telling the docker client to do those actions in your private registry only, by specifying domain_name:port/image_name; even if you don't specify it and use Docker Hub by default, you will not run into authentication issues unless you try to push an image.
2. If docker-registry authenticates me through index.docker.io, then where are the authorization parameters stored? I mean, if I want to grant user vozerov the right to push only to the private.repo.domain:5000/vozerov repository.
Authorization parameters are stored on your docker client machine in the following file (it's a hidden file, so use ls -la). The file is called ".dockercfg".
Inside that file you find the login credential details of the registries you successfully logged into:
{
  "your_domain.com": {
    "auth": "dXNlcjE6cGFzc3dvcmQxMjM=",
    "email": ""
  }
}
The "auth" is your base64-encoded (username:password) credentials.
The Docker private registry provides login (with the help of a reverse proxy) only. If you want a full-blown user-based authentication/authorization or access control system, you could look at solutions like Artifactory or the CoreOS Enterprise Registry.
3. Docker searches through the index. So if I want to search my images in my private repository, I need to tell index.docker.io that there is a new private repository. Is that right, or am I getting something wrong?
The Docker client searches through index.docker.io if you don't specify that you want it to search your private registry. That is the default behavior of docker. Your private docker registry is totally separate from the official docker index; it simply has nothing to do with it. If you want to search your private registry from your Docker client, here are some commands you could use, native or curl:
Using curl (apt-get install jq):
curl -s -X GET http://private.repo.domain:5000/v1/search | jq '.results[].name'
Using docker search:
docker search private.repo.domain:5000/<search_keyword>
4. I found the docker-index project on GitHub - https://github.com/ekristen/docker-index. It is an alternative to index.docker.io. So, if I install it and log in to it, would the docker search command search through my private index or through index.docker.io?
Looks like that project is coming to a stop as Docker is rolling out a new registry. I never really tried it, so I would not know which registry it searches. I would assume it is something you integrate with a private registry, since Docker Hub already has its own index, so if I were to make a guess, it would search your private registry.
Docker registry manages docker-images. Docker index manages authentication.
Docker registry is open source, while Docker index is not open source.
If you deploy docker-registry, you have to implement authentication over it.
Docker index can provide you a private docker-registry; check this.
If you want authentication (and encryption) for your private registry then you will need to put nginx or apache in front of docker as a proxy and use HTTP authentication and SSL termination there.
As far as I can tell, there isn't a way to have the docker search command search your private registry. That command only searches Docker Hub.
Related
We have a Docker Registry running that uses native basic authentication with nginx, so images can only be pushed to the Registry after authentication. Is it possible to get the user who pushed the image to the Registry?
It's not part of the registry API. You would need to check the logs of that registry and auth server. It's possible the user may self report who they are by setting a label on the image (or the legacy maintainer field), but I wouldn't depend on that for any security critical tasks.
For more on the registry API, see: https://github.com/opencontainers/distribution-spec
Docker also has their API (which predates OCI) documented at: https://docs.docker.com/registry/spec/api/
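As an added illustration of the advice above (not code from the thread or from Docker): when the registry sits behind nginx basic auth, nginx's default "combined" access-log format records the authenticated username in the $remote_user field, and a push ends with a successful PUT of the image manifest. The pusher of each tag can therefore be recovered from the proxy's log rather than from the registry API. The log lines below are constructed for the example, and the paths assume the v2 API layout `/v2/<name>/manifests/<reference>`.

```python
"""Attribute image pushes to basic-auth users from nginx access logs.

Added example, not from the original thread.  The registry API has no
"pushed by" field; the proxy that authenticated the request is the only
record.  With nginx's "combined" format the user is the $remote_user field,
and a push completes with PUT /v2/<name>/manifests/<reference> -> 201.
"""
import re
from typing import Dict, List, Optional, Tuple

# nginx "combined" format:
# $remote_addr - $remote_user [$time_local] "$request" $status $bytes "$referer" "$ua"
LOG_RE = re.compile(
    r'^(?P<addr>\S+) - (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3}) '
)
# Registry v2 manifest endpoint; blob uploads live under /blobs/ and are not tags.
MANIFEST_RE = re.compile(r'^/v2/(?P<name>.+)/manifests/(?P<ref>[^/?]+)$')

# Constructed sample log (not real traffic).  It mixes a complete push by
# alice (blob upload, then manifest PUT), an anonymous read, a rejected push
# attempt by bob (401) and bob's later successful retry.
SAMPLE_LOG = """\
10.0.0.5 - alice [12/Mar/2015:10:00:01 +0000] "POST /v2/app/api/blobs/uploads/ HTTP/1.1" 202 0 "-" "docker/1.9.1"
10.0.0.5 - alice [12/Mar/2015:10:00:02 +0000] "PUT /v2/app/api/blobs/uploads/9f1c?digest=sha256:abc HTTP/1.1" 201 0 "-" "docker/1.9.1"
10.0.0.5 - alice [12/Mar/2015:10:00:03 +0000] "PUT /v2/app/api/manifests/1.2 HTTP/1.1" 201 0 "-" "docker/1.9.1"
10.0.0.7 - - [12/Mar/2015:10:05:00 +0000] "GET /v2/app/api/manifests/1.2 HTTP/1.1" 200 1523 "-" "docker/1.9.1"
10.0.0.9 - bob [12/Mar/2015:11:00:00 +0000] "PUT /v2/busybox/manifests/latest HTTP/1.1" 401 0 "-" "docker/1.9.1"
10.0.0.9 - bob [12/Mar/2015:11:00:05 +0000] "PUT /v2/busybox/manifests/latest HTTP/1.1" 201 0 "-" "docker/1.9.1"
"""


def parse_line(line: str) -> Optional[dict]:
    """Return the fields of one access-log line, or None if it is not in combined format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def manifest_pushes(log_text: str) -> List[Tuple[str, str, str, str]]:
    """Return (repository, reference, user, time) for every completed manifest push.

    Only a manifest PUT that returned 201 Created counts: failed attempts
    (401/403), reads (GET/HEAD) and blob uploads are ignored.
    """
    pushes = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["method"] != "PUT" or rec["status"] != "201":
            continue
        m = MANIFEST_RE.match(rec["path"])
        if m is None:
            continue  # blob uploads also return 201 but do not name a tag
        user = rec["user"] if rec["user"] != "-" else "anonymous"
        pushes.append((m["name"], m["ref"], user, rec["time"]))
    return pushes


def pushed_by(log_text: str) -> Dict[Tuple[str, str], str]:
    """Map (repository, reference) to the last user who pushed it."""
    return {(name, ref): user for name, ref, user, _ in manifest_pushes(log_text)}


if __name__ == "__main__":
    for name, ref, user, when in manifest_pushes(SAMPLE_LOG):
        print(f"{name}:{ref} pushed by {user} at {when}")
```

Note that a tag can be re-pushed, so `pushed_by` keeps only the latest pusher; keep `manifest_pushes` if you need the full history, and match the log's timestamp against the manifest digest in the registry's own log if you need to be certain which content a given push wrote.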
I want to validate that docker login against a specific registry worked successfully. How can I do this using the docker CLI or the docker-py API, without trying to perform another authentication?
Please keep in mind that registries can allow anonymous pulls, so doing a random pull is not a valid way to validate that authenticated access works.
docker login - how to log in only once for any docker repositories
I set up the on-premise Artifactory to host some Docker repositories, using the subdomain approach, i.e. repo1.mycompany.com, repo2.mycompany.com, etc. Everything is working fine. My question is, it looks like I need to do 'docker login repo1.mycompany.com' for each repository. Is there a way to log in only once, for all the repositories, and then when pulling/pushing images from/to any repository, there's no need to log in again?
No code to show here. This is all about setup.
No need to log in for each repo.
With the subdomain method each docker repository is considered a docker registry by the client; this is why you need to log in to each one you want to use.
For pulling from any of them without logging in, you can use a virtual repository and aggregate all your locals in it. So you'll need to log in to the virtual only to be able to pull from any (through the virtual). But push will be limited to the default deployment target repo defined in the virtual one.
Another alternative is to use repo paths instead of subdomains. With this approach you'll be able to log in to Artifactory once and use all repos:
docker login mycompany.com
docker pull/push mycompany.com/repo1/imageName
docker pull/push mycompany.com/repo2/imageName
Currently I'm pushing images from one machine to another. The success of it I can determine based on the HTTP status from the pushing machine or based on the logs from the registry server. At this point I want to search through what really is in my registry on my server. What I found till now is API calls from outside, and even when you call them you have to know the exact name of the image and how it is tagged. In my case, I just want to list what images are currently in my registry when I have direct access to it. I did not find any related command.
The docker CLI doesn't have functionality to search a registry, but you can use the registry's REST API. Assuming you're using the registry:2 image, then you can list all the repositories using the catalog endpoint:
curl https://my-registry:5000/v2/_catalog
{"repositories":["busybox","redis","ubuntu"]}
And then you can query the tags for a repository:
curl https://my-registry:5000/v2/busybox/tags/list
{"name":"busybox","tags":["2","latest"]}
Here's the full Registry API spec.
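The answers above describe three things in words: where a docker login leaves its credentials (the ".dockercfg" answer earlier), how to check that a login against a registry actually worked without relying on a pull, and how to list repositories and tags through the v2 API. The following is an added example that exercises all three together; it is not code from the thread or from Docker. It assumes a registry that speaks the v2 API behind HTTP basic auth, stands in a constructed in-process mock of such a registry so that it runs offline (set `base` to a real `https://host:port` to use it for real), and reuses the base64 value quoted in the ".dockercfg" answer. The login check relies on the v2 API's version endpoint: GET /v2/ answers 401 without valid credentials and 200 with them on a registry that requires authentication, so no pull is involved and an anonymous-pull policy cannot make a broken login look good.

```python
"""Check stored registry credentials and list a v2 registry's contents.

Added example, not code from the thread or from Docker.  Reads the "auth"
entry for a registry from a docker config file (base64 of "user:password",
encoded but not encrypted), validates it with one GET /v2/, then walks
/v2/_catalog and /v2/<name>/tags/list.  A constructed mock registry is
started on localhost so the whole thing runs offline.
"""
import base64
import json
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Dict, List, Optional, Tuple
from urllib import error, request

# Constructed config in the shape of ~/.dockercfg / ~/.docker/config.json;
# the auth value is base64("user1:password123"), as quoted in the thread.
SAMPLE_CONFIG = json.dumps({
    "auths": {"localhost:5000": {"auth": "dXNlcjE6cGFzc3dvcmQxMjM=", "email": ""}}
})


def credentials_for(config_text: str, registry: str) -> Optional[Tuple[str, str]]:
    """Return (username, password) stored for `registry`, or None if never logged in."""
    cfg = json.loads(config_text)
    entry = cfg.get("auths", cfg).get(registry)  # legacy .dockercfg has no "auths" wrapper
    if not entry or "auth" not in entry:
        return None
    user, _, password = base64.b64decode(entry["auth"]).decode().partition(":")
    return user, password


def basic_header(user: str, password: str) -> str:
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def _get(url: str, auth: Optional[str]) -> Tuple[int, bytes]:
    req = request.Request(url, headers={"Authorization": auth} if auth else {})
    try:
        with request.urlopen(req, timeout=5) as resp:
            return resp.status, resp.read()
    except error.HTTPError as e:
        return e.code, e.read()


def login_works(base: str, user: str, password: str) -> bool:
    """True if GET /v2/ accepts the credentials (200); False on 401/403."""
    return _get(f"{base}/v2/", basic_header(user, password))[0] == 200


def list_repositories(base: str, auth: Optional[str]) -> List[str]:
    status, body = _get(f"{base}/v2/_catalog", auth)
    if status != 200:
        raise PermissionError(f"catalog request failed with HTTP {status}")
    return json.loads(body)["repositories"]


def list_tags(base: str, name: str, auth: Optional[str]) -> List[str]:
    status, body = _get(f"{base}/v2/{name}/tags/list", auth)
    if status != 200:
        raise PermissionError(f"tags request failed with HTTP {status}")
    return json.loads(body)["tags"]


# Constructed mock of a registry behind basic auth (stands in for registry:2 + nginx).
MOCK_REPOS: Dict[str, List[str]] = {"busybox": ["2", "latest"], "redis": ["latest"]}
MOCK_AUTH = basic_header("user1", "password123")


class MockRegistry(BaseHTTPRequestHandler):
    def _reply(self, status: int, body: bytes = b"", **headers: str) -> None:
        self.send_response(status)
        for key, value in headers.items():
            self.send_header(key.replace("_", "-"), value)
        self.end_headers()
        self.wfile.write(body)

    def do_GET(self) -> None:
        if self.headers.get("Authorization") != MOCK_AUTH:
            return self._reply(401, WWW_Authenticate='Basic realm="registry"')
        if self.path == "/v2/":
            return self._reply(200, b"{}")
        if self.path == "/v2/_catalog":
            return self._reply(200, json.dumps({"repositories": sorted(MOCK_REPOS)}).encode())
        name = self.path[len("/v2/"):-len("/tags/list")]
        if self.path.endswith("/tags/list") and name in MOCK_REPOS:
            return self._reply(200, json.dumps({"name": name, "tags": MOCK_REPOS[name]}).encode())
        self._reply(404)

    def log_message(self, *args) -> None:  # silence per-request logging
        pass


def start_mock() -> str:
    """Start the mock on an ephemeral localhost port and return its base URL."""
    srv = HTTPServer(("127.0.0.1", 0), MockRegistry)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return f"http://127.0.0.1:{srv.server_port}"


def inventory(base: str, config_text: str, registry: str) -> Dict[str, List[str]]:
    """Validate the login stored for `registry`, then return {repository: tags} from `base`."""
    creds = credentials_for(config_text, registry)
    if creds is None or not login_works(base, *creds):
        raise PermissionError("stored credentials were rejected by GET /v2/")
    auth = basic_header(*creds)
    return {name: list_tags(base, name, auth) for name in list_repositories(base, auth)}


if __name__ == "__main__":
    print(json.dumps(inventory(start_mock(), SAMPLE_CONFIG, "localhost:5000"), indent=2))
```

Two caveats carry over to a real registry: the catalog endpoint is paginated (`?n=` and a `Link` header) once a registry holds many repositories, and on hosts where a credential helper is configured the config file holds a `credsStore` entry instead of an `auth` value, so `credentials_for` returns None there.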
I am not new to lxc or docker. But I do not have much knowledge on the image registry.
So I decided to get started and followed up tutorials and installation instructions.
And things are working fine in terms of pushing and pulling from my custom registry.
My questions:
The registry does not seem to come with a login/access management system.
1st - What are the overall steps to follow to implement a login (and possibly access) management to a custom registry?
2nd - If this mechanism is implemented, is there a way to use docker login to use that mechanism instead of https://hub.docker.com 's?
To 2nd: By using docker login /yourregistry, you can use the login mechanism of docker to log in to a specific registry. The credentials are saved as well;
Docker Hub is just the default. Unfortunately I don't know how to set up your own registry; personally I'm just using it in my company to pull from our Artifactory.