yet-another-docker-plugin icon indicating copy to clipboard operation
yet-another-docker-plugin copied to clipboard

Published 20 hours ago verified publisher icon KostyaSha

Username auth support for DockerConnector doesn't work

Open kshcherban opened this issue 8 years ago • 8 comments

Hello,

Steps to reproduce:

  1. Place docker behind http proxy with basic auth, for example https://github.com/srault95/docker-proxy-api
  2. Configure credentials in jekins (user, password)
  3. Configure jenkins plugin to use credentials
  4. Test connection and you will receive 401 error

Seems like credentials are not applying.

kshcherban avatar Jan 29 '16 17:01 kshcherban

Yeah, proxy is always a pain :( Just for interest, even if jenkins will connect to docker host, how jenkins slaves will access your docker host?

KostyaSha avatar Jan 30 '16 18:01 KostyaSha

Jenkins slave and docker host is the same instance. After container is created by jenkins master, slave connects to it via ssh.

kshcherban avatar Jan 30 '16 19:01 kshcherban

I need understand connection flows in your setup. Instance of what? Jenkins is one env and jenkins-slave, that jenkins spins via docker daemon is other. screenshot 2016-01-30 22 48 46 If jenkins-master <-> jenkins slave has no ability to connect, then proxy auth wouldn't help.

Atm there is no any Proxy support for DockerConnector (either it was magically picked from dynamic resolvers). What target connection did you set in Docker connector? Docker daemon or your proxy? Classic proxy requires 2 addresses for connection to target instance:

  1. set target address (optionally with creds)
  2. set proxy address (optionally with creds) for proxy settings (missing in plugin)

Does https://github.com/srault95/docker-proxy-api forward requests itself with preconfigured target addresses?

KostyaSha avatar Jan 30 '16 19:01 KostyaSha

Konstantin,

Docker proxy in my setup is just nginx that listens on external interface and proxy passes requests to docker socket. Jenkins slave, proxy and docker server are in one box. You can check my puppet module.

kshcherban avatar Jan 30 '16 20:01 kshcherban

Could you provide some Dockerfile (probably should be based on https://github.com/jpetazzo/dind because i run dind for tests) that will have similiar setup? I will pick it into integration tests then. Or probably it can be just simulated with official nginx container + existing dind with rest api or shared socket via mounts.

KostyaSha avatar Jan 31 '16 12:01 KostyaSha

Ok, i've prepared Dockerfile for you here: https://gist.github.com/kshcherban/44af2e8c95d6619b9e1a Basic auth user is docker, password is also docker. Nginx proxy port is 4243

kshcherban avatar Jan 31 '16 18:01 kshcherban

com.github.kostyasha.yad.docker_java.org.apache.http.conn.HttpHostConnectException: Connect to 192.168.99.100:44445 [/192.168.99.100] failed: Connection refused com.github.kostyasha.yad.docker_java.javax.ws.rs.ProcessingException: com.github.kostyasha.yad.docker_java.org.apache.http.conn.HttpHostConnectException: Connect to 192.168.99.100:44445 [/192.168.99.100] failed: Connection refused This error?

KostyaSha avatar Feb 01 '16 12:02 KostyaSha 

<html> 
<head><title>401 Authorization Required</title></head> 
<body bgcolor="white"> 
<center><h1>401 Authorization Required</h1></center> 
<hr><center>nginx/1.9.10</center> 
</body> 
</html>

Jenkins uses docker-java and sets UsernamePassword for docker username/password, that is registry(?) creds(?)

Auth for connection should be provided by docker-java. Will try look later whether it supported by docker-java.

KostyaSha avatar Feb 01 '16 13:02 KostyaSha