docker-image-resource
registry_mirror fails when mirror is protected by basic auth
I've been trying to figure out how to get Concourse to transparently use a mirror when it is resolving container images. We are currently running Concourse within a network zone that does not have internet access, but it does have access to an internal Nexus registry that mirrors public Docker Hub.
While it is possible to specify a private registry as part of the `repository` option, it is not possible to do this for pipelines with `task.yml` files that are being maintained by other people (for instance, Pivotal's pcf-pipelines repo). There are a few possible ways to address this, but the cleanest way would be to override the core `docker-image` `resource_type` at the pipeline level to apply global settings to all task scripts or resource images. Upon initial testing, this works. When resolving any task's `image_resource`, the authentication is applied within the entire pipeline.
But I noticed that despite `registry_mirror` being set, the task scripts were still attempting to reach the Docker Hub registry. After spending a lot of time debugging, I figured out that this is related to this issue:

https://github.com/moby/moby/issues/30880

Basically, when a mirror is configured with authentication (Nexus is protected by auth by default), despite having a `registry_mirror` set and `docker login` working, the docker daemon will not properly pass the Basic Auth headers, which causes the first request to fail and then default to the Docker Hub registry.
This raises an important use case that I don't really see currently covered by Concourse: There currently isn't an easy way to switch all container images within a pipeline to a protected private registry.
I fixed it by passing:

```nginx
# These directives live in the server block that fronts the Nexus registry.
# Forward the client's own Authorization header when present; when the
# docker daemon sends none (its first request to a mirror), substitute the
# anonymous account so that request does not fail with 401.
set $authorization $http_authorization;
if ($authorization = '') {
    set $authorization "Basic YW5vbnltb3VzOmFub255bW91cw=="; # base64 of anonymous:anonymous
}

location ~ ^/(v1|v2)/ {
    proxy_pass http://nexus_registry;
    proxy_set_header Authorization $authorization;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Forwarded-Port $server_port;
}
```

Hope this could help.
Blocked by https://github.com/moby/moby/issues/30880