
Pull through proxy does not support basic auth #3153

Open
sudo-bmitch opened this issue Apr 28, 2020 · 1 comment · May be fixed by #4263

Comments

@sudo-bmitch
Contributor

The pull through registry proxy appears to only support Bearer authentication requests. Attempting to proxy to a site like docker.pkg.github.com fails since they require basic auth:

$ curl -v https://docker.pkg.github.com/v2/ 2>&1 | grep -i www-auth
< Www-Authenticate: Basic realm="GitHub Package Registry"

Looking through the code, this looks like configureAuth is only returning credentials when authUrls finds a bearer scheme in the following:

https://github.com/docker/distribution/blob/749f6afb4572201e3c37325d0ffedb6f32be8950/registry/proxy/proxyauth.go#L38

I'm planning to start hacking on this shortly. I'm also looking at what it might take to provide a more complete v2 authentication similar to that found in the engine code at: https://github.com/docker/docker-ce/blob/master/components/engine/registry/auth.go


Method to reproduce:

Compose file that looks like:

version: '3.7'

networks:
  cache:
    name: cache

volumes:
  github-cache:
    name: github-cache

services:
  github-cache:
    image: registry:2
    restart: unless-stopped
    environment:
      REGISTRY_LOG_LEVEL: debug
      REGISTRY_STORAGE_FILESYSTEM_ROOTDIRECTORY: /var/lib/registry
      REGISTRY_PROXY_REMOTEURL: https://docker.pkg.github.com
      REGISTRY_PROXY_USERNAME: $GITHUB_USER
      REGISTRY_PROXY_PASSWORD: $GITHUB_TOKEN
      REGISTRY_HTTP_TLS_CERTIFICATE: /host/reg.pem
      REGISTRY_HTTP_TLS_KEY: /host/reg-key.pem
    networks:
    - cache
    volumes:
    - type: bind
      source: .
      target: /host
      read_only: true
    - type: volume
      source: github-cache
      target: /var/lib/registry
  builder:
    image: docker:dind
    command: ["--registry-mirror", "https://hub-cache:5000", "--debug"]
    privileged: true
    restart: unless-stopped
    networks:
    - cache
    volumes:
    - type: bind
      source: ./ca.pem
      target: /etc/docker/certs.d/github-cache:5000/ca.crt
      read_only: true

Set the credentials in .env or export them in your shell. Feel free to remove the TLS and ca.crt lines if you don't want to generate a TLS key. Then:

docker-compose up -d
docker-compose exec builder sh
docker pull busybox
docker tag busybox docker.pkg.github.com/$username/$project/busybox:latest
docker login docker.pkg.github.com
docker push docker.pkg.github.com/$username/$project/busybox:latest
docker pull github-cache:5000/$username/$project/busybox:latest

You'll need to specify your username and project above. The last line will fail with a "not found" error even though the image was just pushed, since the credentials were never sent. A similar workflow is successful with Gitlab's registry since it uses Bearer auth.


Background: I realize this doesn't work for the registry-mirror setting in the docker engine since that only goes to Hub which supports Bearer. Instead, I'm looking to adjust my CI pulls to hit the cache instance directly and want to support multiple registries in the workflow.
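The failure described in this report comes down to how the proxy interprets the upstream's WWW-Authenticate challenge: credentials are only produced when a Bearer challenge is found, so a registry answering `Basic realm="GitHub Package Registry"` never receives them. The following is an added example, not code from docker/distribution or from the commit linked below; it shows a small challenge parser that recognises both schemes and returns a ready Authorization header for Basic and a token-endpoint URL for Bearer. All type and function names (`Challenge`, `parseChallenges`, `authorizationFor`, `AuthDecision`) and the sample header values are constructed for illustration.

```go
package main

import (
	"encoding/base64"
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// Challenge is one parsed WWW-Authenticate challenge from a 401 response,
// e.g. `Basic realm="GitHub Package Registry"` or
// `Bearer realm="https://auth.example.test/token",service="registry.example.test"`.
// Hypothetical type, not from docker/distribution.
type Challenge struct {
	Scheme string            // lower-cased: "basic", "bearer", ...
	Params map[string]string // lower-cased parameter names
}

// parseChallenges parses one challenge per header value, which is what
// http.Header.Values("Www-Authenticate") yields for a 401 response.
func parseChallenges(headers []string) []Challenge {
	var out []Challenge
	for _, h := range headers {
		h = strings.TrimSpace(h)
		if h == "" {
			continue
		}
		scheme, rest := h, ""
		if i := strings.IndexAny(h, " \t"); i >= 0 {
			scheme, rest = h[:i], h[i+1:]
		}
		out = append(out, Challenge{Scheme: strings.ToLower(scheme), Params: parseParams(rest)})
	}
	return out
}

// parseParams reads comma-separated key=value pairs; values may be quoted,
// and quoted values may contain commas (realms and scopes often do).
func parseParams(s string) map[string]string {
	params := map[string]string{}
	for len(s) > 0 {
		s = strings.TrimLeft(s, " ,")
		eq := strings.IndexByte(s, '=')
		if eq < 0 {
			break
		}
		key := strings.ToLower(strings.TrimSpace(s[:eq]))
		s = s[eq+1:]
		var val string
		if strings.HasPrefix(s, `"`) {
			if end := strings.IndexByte(s[1:], '"'); end >= 0 {
				val, s = s[1:1+end], s[2+end:]
			} else {
				val, s = s[1:], "" // unterminated quote: take the rest
			}
		} else if end := strings.IndexByte(s, ','); end >= 0 {
			val, s = s[:end], s[end+1:]
		} else {
			val, s = s, ""
		}
		params[key] = strings.TrimSpace(val)
	}
	return params
}

// AuthDecision is what a proxy would do with its configured username/password
// for the first challenge scheme it supports. Hypothetical type.
type AuthDecision struct {
	Scheme        string
	Authorization string // Basic: complete Authorization header value
	TokenURL      string // Bearer: realm plus service/scope query to fetch a token from
}

// authorizationFor handles Basic directly and, for Bearer, builds the token
// endpoint URL (the token round-trip itself is left to the caller).
func authorizationFor(chs []Challenge, user, pass string) (AuthDecision, error) {
	if user == "" && pass == "" {
		return AuthDecision{}, errors.New("no proxy credentials configured")
	}
	for _, c := range chs {
		switch c.Scheme {
		case "basic":
			cred := base64.StdEncoding.EncodeToString([]byte(user + ":" + pass))
			return AuthDecision{Scheme: "basic", Authorization: "Basic " + cred}, nil
		case "bearer":
			realm := c.Params["realm"]
			if realm == "" {
				continue // a Bearer challenge without a realm cannot be used
			}
			q := url.Values{}
			if v := c.Params["service"]; v != "" {
				q.Set("service", v)
			}
			if v := c.Params["scope"]; v != "" {
				q.Set("scope", v)
			}
			u := realm
			if enc := q.Encode(); enc != "" {
				u += "?" + enc
			}
			return AuthDecision{Scheme: "bearer", TokenURL: u}, nil
		}
	}
	return AuthDecision{}, fmt.Errorf("no supported auth scheme among %d challenge(s)", len(chs))
}

func main() {
	// Constructed sample: the header the report shows docker.pkg.github.com returning.
	chs := parseChallenges([]string{`Basic realm="GitHub Package Registry"`})
	d, err := authorizationFor(chs, "octocat", "example-token")
	fmt.Printf("%+v %v\n", d, err)
}
```

The point of the switch in `authorizationFor` is that a proxy which only ever takes the Bearer branch silently sends no credentials at all on a Basic challenge, which is why the final `docker pull` in the reproduction above fails with "not found" rather than an authentication error.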

@sudo-bmitch
Contributor Author

I hacked on the following changes to get basic auth working. However there's enough stuff that I deleted that I hesitate to clean it up and make a PR without a second opinion from the Docker team. Let me know if this looks like the right approach or if I removed something important.

sudo-bmitch@caf9865
