Docker CLI client not correctly authorizing to private registry with token auth
zee-hussain opened this issue · 1 comments
Description
I am having an issue with my private docker registry, which is using a token auth server I have written.
The registry is set to use https://mydomain.io/imagetoken for REGISTRY_AUTH_TOKEN_REALM. This endpoint responds to basic auth with a JWT token.
I am able to manually retrieve a token by making a request against my endpoint:
curl -v -X POST -u "username:password" "https://authserver.io/v1/imagetoken"
Response:
{"token":"token","access_token":"token"}
I am able to use that token to hit the registry successfully:
curl -H "Authorization: Bearer TOKEN" https://private-registry.io/v2/
Response:
{}
However, when I attempt to use docker login to authenticate with my private registry I run into issues.
docker login -u foo -p bar private-registry.io
Response:
Error response from daemon: Get "https://private-registry.io/v2/": received unexpected HTTP status: 501 Not Implemented
And I see this in the logs of the private registry:
REDACTED - - [12/Apr/2024:20:46:07 +0000] "GET /v2/ HTTP/1.1" 200 2 "" "curl/8.4.0"
REDACTED - - [12/Apr/2024:20:46:13 +0000] "GET / HTTP/1.1" 200 0 "" "curl/8.4.0"
REDACTED - - [12/Apr/2024:20:50:52 +0000] "GET /v2/ HTTP/1.1" 401 87 "" "docker/24.0.9 go/go1.20.13 git-commit/fca702d kernel/6.5.0-15-generic os/linux arch/arm64 UpstreamClient(Docker-Client/26.0.1 \\(darwin\\))"
time="2024-04-12T20:50:52.094748733Z" level=debug msg="authorizing request" go.version=go1.20.8 http.request.host=private-registry.io http.request.id=REDACTED http.request.method=GET http.request.remoteaddr=REDACTED http.request.uri="/v2/" http.request.useragent="docker/24.0.9 go/go1.20.13 git-commit/fca702d kernel/6.5.0-15-generic os/linux arch/arm64 UpstreamClient(Docker-Client/26.0.1 \(darwin\))"
time="2024-04-12T20:50:52.094832267Z" level=warning msg="error authorizing context: authorization token required" go.version=go1.20.8 http.request.host=private-registry.io http.request.id=REDACTED http.request.method=GET http.request.remoteaddr=REDACTED http.request.uri="/v2/" http.request.useragent="docker/24.0.9 go/go1.20.13 git-commit/fca702d kernel/6.5.0-15-generic os/linux arch/arm64 UpstreamClient(Docker-Client/26.0.1 \(darwin\))"
Reproduce
- Create server that takes basic auth and returns valid JWT
- Start registry version registry:2.8.3
- Attempt to curl the registry using JWT from auth server
- Try to docker login to the registry
Expected behavior
The registry should log in successfully if it is just passing the basic auth credentials to the token server
registry version: registry:2.8.3
Additional Info
No response
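The handshake this issue exercises, modelled end to end as an added worked example (this is not code from the distribution project or from the issue author): the registry answers an unauthenticated GET /v2/ with a 401 and a Bearer challenge, the client fetches a token from the realm named in that challenge, and the registry then verifies the Bearer token on the retry. Everything here is constructed: the realm and service names are placeholders, the credentials are made up, and a small HMAC-signed token stands in for the JWT a real realm would issue. One spec detail the example encodes, which is worth checking against any hand-written realm: the distribution token specification has the client fetch the token with a GET carrying `service` and `scope` query parameters and HTTP Basic credentials, not a POST with a body like the curl command above.

```python
"""Docker registry token-auth handshake, modelled end to end.

Hypothetical example; none of this is the registry's or the issue
author's code. Realm/service names and credentials are constructed.
"""
import base64
import hmac
import json
import re
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Challenge a registry configured with REGISTRY_AUTH_TOKEN_REALM sends on an
# unauthenticated GET /v2/ (constructed sample; realm/service are placeholders).
SAMPLE_CHALLENGE = ('Bearer realm="https://authserver.example/v1/imagetoken",'
                    'service="private-registry.example",scope="registry:catalog:*"')

USERS = {"foo": "bar"}               # constructed credentials for the toy realm
SECRET = b"constructed-demo-secret"  # shared by the toy realm and the registry check


def parse_www_authenticate(header):
    """Split a Bearer challenge into its realm/service/scope parameters."""
    scheme, _, params = header.partition(" ")
    if scheme.lower() != "bearer":
        raise ValueError("expected Bearer challenge, got %r" % scheme)
    return dict(re.findall(r'(\w+)="([^"]*)"', params))


def build_token_request(challenge, username, password):
    """Build the request a Docker client sends to the realm.

    Per the distribution token spec this is a GET with service/scope query
    parameters and HTTP Basic credentials, not a POST with a body.
    """
    params = parse_www_authenticate(challenge)
    query = {"service": params["service"]}
    if "scope" in params:
        query["scope"] = params["scope"]
    creds = base64.b64encode(f"{username}:{password}".encode()).decode()
    return {"method": "GET",
            "url": params["realm"] + "?" + urlencode(query),
            "headers": {"Authorization": "Basic " + creds}}


def _mint_token(subject, service, scope):
    """Simplified stand-in for a JWT: base64 claims plus an HMAC tag."""
    body = json.dumps({"sub": subject, "aud": service, "scope": scope,
                       "exp": int(time.time()) + 300}).encode()
    mac = hmac.new(SECRET, body, "sha256").hexdigest()
    return base64.urlsafe_b64encode(body).decode().rstrip("=") + "." + mac


def token_endpoint(method, url, headers):
    """Toy realm: returns (status, body) the way a spec-conformant realm would."""
    if method not in ("GET", "POST"):
        return 405, {"error": "method not allowed"}
    auth = headers.get("Authorization", "")
    if not auth.startswith("Basic "):
        return 401, {"error": "basic credentials required"}
    try:
        user, _, pw = base64.b64decode(auth[6:]).decode().partition(":")
    except Exception:
        return 400, {"error": "malformed credentials"}
    expected = USERS.get(user, "")
    if not expected or not hmac.compare_digest(expected.encode(), pw.encode()):
        return 401, {"error": "invalid credentials"}
    q = parse_qs(urlparse(url).query)
    tok = _mint_token(user, q.get("service", [""])[0], q.get("scope", [""])[0])
    # "token" is what the spec requires; "access_token" is the OAuth2-style
    # alias Docker clients also accept, so a realm may return both.
    return 200, {"token": tok, "access_token": tok}


def verify_token(token, expected_service):
    """What the registry does with the Bearer token: check tag, audience, expiry."""
    payload_b64, _, mac = token.rpartition(".")
    body = base64.urlsafe_b64decode(payload_b64 + "=" * (-len(payload_b64) % 4))
    if not hmac.compare_digest(hmac.new(SECRET, body, "sha256").hexdigest(), mac):
        return False
    claims = json.loads(body)
    return claims.get("aud") == expected_service and claims.get("exp", 0) > time.time()


def docker_login(username, password, challenge=SAMPLE_CHALLENGE):
    """Drive the whole exchange; returns (realm status, registry accepted?)."""
    req = build_token_request(challenge, username, password)
    status, body = token_endpoint(req["method"], req["url"], req["headers"])
    if status != 200:
        return status, False
    service = parse_www_authenticate(challenge)["service"]
    return status, verify_token(body["token"], service)


if __name__ == "__main__":
    print(docker_login("foo", "bar"))    # (200, True)
    print(docker_login("foo", "wrong"))  # (401, False)
```

When a daemon reports an unexpected status during `docker login`, the useful check is to compare the realm's own access log against the registry's: the registry should show the 401 challenge on /v2/, and the realm should show a GET with a query string and Basic credentials from the docker user agent. If the realm only serves the path the curl command exercised, the method and query parameters the client actually sends are the first thing to verify.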
This is a question for https://github.com/moby/moby project I believe. CC: @thaJeztah
My general suspicion is: docker daemon does not seem to be able to handle calls to private registry. I am going to assume that your private registry is served over trusted TLS cert, otherwise you'd need to explicitly tell docker daemon it is untrusted, i.e. insecure, in docker daemon.json settings. If you don't, the daemon will barf. The config goes something like this IIRC -- please check the official docs.
{
"insecure-registries" : ["<my-registry-ip>:5000"]
}
If the registry does serve the API using a trusted TLS cert then yeah, please ask in moby/moby.
Finally, I'd strongly encourage you to stop using v2.8.x version. It's missing a lot of patches, bug fixes and performance improvements.