
registry_mirror fails when mirror is protected by basic auth

Open shinmyung0 opened this issue 6 years ago • 3 comments

I've been trying to figure out how to get concourse to transparently use a mirror when it is resolving container images. We are currently running Concourse within a network zone that does not have internet access, but it does have access to an internal Nexus registry that mirrors public docker hub.

While it is possible to specify a private registry as part of the repository option, it is not possible to do this for pipelines with task.yml files that are being maintained by other people (for instance, Pivotal's pcf-pipelines repo). There are a few possible ways to address this, but the cleanest way would be to override the core docker-image resource_type at the pipeline level to apply global settings to all task scripts or resource images. Upon initial testing, this works. When resolving any task's image_resource, the authentication is applied within the entire pipeline.

But I noticed that despite registry_mirror being set, the task scripts were still attempting to reach the docker hub registry. After spending a lot of time debugging, I figured out that this is related to this issue:

https://github.com/moby/moby/issues/30880

Basically, when a mirror is configured with authentication (Nexus is protected by auth by default), despite having a registry_mirror set and docker login working, the docker daemon will not properly pass the Basic Auth headers, which causes the first request to fail and then default to the docker hub registry.

This raises an important use case that I don't really see currently covered by Concourse: There currently isn't an easy way to switch all container images within a pipeline to a protected private registry.

shinmyung0, Apr 17 '18

You can find additional information here and here

gavioto, Nov 13 '19

I fixed it by passing

    # Assumes an `upstream nexus_registry { ... }` block is defined elsewhere.
    server {
        # Use the Authorization header the client sent; if there is none,
        # fall back to the registry's anonymous account.
        set $authorization $http_authorization;

        if ($authorization = '') {
            set $authorization "Basic YW5vbnltb3VzOmFub255bW91cw=="; # base64 of anonymous:anonymous
        }

        # Only the Docker Registry API paths are proxied to Nexus.
        location ~ ^/(v1|v2)/ {
            proxy_pass         http://nexus_registry;
            proxy_set_header   Authorization $authorization;
            proxy_set_header   Host $host;
            proxy_set_header   X-Real-IP $remote_addr;
            proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header   X-Forwarded-Proto $scheme;
            proxy_set_header   X-Forwarded-Port $server_port;
        }
    }

Hope this helps.

hanrw, Mar 20 '20
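A Python equivalent of the nginx workaround in the comment above, added here as an illustration and not part of the original thread or the project: it proxies only Registry API paths to an upstream (`UPSTREAM` and the anonymous account are assumed placeholders) and injects a Basic credential only when the Docker daemon sent none, which is exactly the gap the moby issue describes. Whatever account is injected is what every unauthenticated pull runs as, so it should be a read-only one.

```python
import base64
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.request import Request, urlopen

UPSTREAM = "http://nexus_registry:8081"          # assumed placeholder for the internal Nexus registry
ANON_USER, ANON_PASS = "anonymous", "anonymous"  # assumed read-only anonymous account

def default_authorization(user=ANON_USER, password=ANON_PASS):
    """Build the Basic credential that the nginx snippet hard-codes as a base64 literal."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"

def effective_authorization(incoming):
    """Keep a client-supplied Authorization header, else fall back to the anonymous one
    (the same decision as nginx's `if ($authorization = '')` block)."""
    value = incoming.get("Authorization", "").strip()
    return value if value else default_authorization()

def is_registry_path(path):
    """Only Docker Registry API paths are proxied, like `location ~ ^/(v1|v2)/`."""
    return path.startswith("/v1/") or path.startswith("/v2/")

class MirrorProxy(BaseHTTPRequestHandler):
    """Forwards GETs from the Docker daemon to UPSTREAM with the header injected."""

    def do_GET(self):
        if not is_registry_path(self.path):
            self.send_error(404)
            return
        headers = {
            "Authorization": effective_authorization(self.headers),
            "X-Forwarded-For": self.client_address[0],
            "X-Forwarded-Proto": "http",
        }
        try:
            with urlopen(Request(UPSTREAM + self.path, headers=headers)) as resp:
                status, hdrs, body = resp.status, resp.headers, resp.read()
        except HTTPError as err:  # registry 401/404 responses are passed through unchanged
            status, hdrs, body = err.code, err.headers, err.read()
        self.send_response(status)
        for name, value in hdrs.items():
            if name.lower() not in ("transfer-encoding", "connection"):
                self.send_header(name, value)
        self.end_headers()
        self.wfile.write(body)

if __name__ == "__main__":
    HTTPServer(("0.0.0.0", 5000), MirrorProxy).serve_forever()
```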

Blocked by https://github.com/moby/moby/issues/30880

xtremerui, May 11 '20