
Docker registry with native basic auth not working

Open maxsuelmarinho opened this issue 5 years ago • 7 comments

Hi guys

I have been trying to get docker registry with native basic authentication working with the new image tag (2.7.1) without success. Doc -> https://docs.docker.com/registry/deploying/#native-basic-auth

Specifically when I execute this command:

$ docker run --entrypoint htpasswd registry:2 -Bbn testuser testpassword > auth/htpasswd

This is the error I get:

docker: Error response from daemon: OCI runtime create failed: container_linux.go:349: starting container process caused "exec: \"htpasswd\": executable file not found in $PATH": unknown.
ERRO[0001] error waiting for container: context canceled

Investigating a little further, it seems that "htpasswd" was removed in the image tag 2.7.1.

$ docker run -it --rm registry:2.7.1 find / -name "htpasswd"

Although, looking in the previous version (tag 2.6.2) the file is there:

$ docker run -it --rm registry:2.6.2 find / -name "htpasswd"
/usr/bin/htpasswd

And the initial command works as expected as well:

$ docker run --entrypoint htpasswd registry:2.6.2 -Bbn testuser testpassword
testuser:$2y$05$KiRgtd4w8zO7ucC7LX8zguW58DBlm8E0yZ5gI64NXypIVtsosNvMu

maxsuelmarinho avatar Jun 20 '20 23:06 maxsuelmarinho

As I can see, it has been removed from the container in this commit due to CVE-2020-1927 and CVE-2020-1934.

avelytchko avatar Jun 22 '20 11:06 avelytchko

This is a regression, and is inconsistent with published documentation. It breaks CI processes which rely on the --entrypoint htpasswd behavior (still) documented in docs.docker.com. If that is to be deprecated, it would be courteous to (1) indicate so in the documentation, and (2) offer a grace period. Please consider both.

edsantiago avatar Jun 22 '20 16:06 edsantiago

We are affected. We'd like to see a resolution (whatever it is) and correct docs. Also a migration path if htpasswd is going to be permanently removed.

chanseokoh avatar Jun 22 '20 19:06 chanseokoh

If the decision is to not support htpasswd in the container, then there needs to be a docs change on the website: https://docs.docker.com/registry/deploying/#native-basic-auth

anonymouse64 avatar Jun 22 '20 19:06 anonymouse64

This broke a lot of everyone's automation, and it is a problem fixing it without at least the docs being updated, since no one is 100% sure what the fix is going to be.

dejo1307 avatar Jun 28 '20 15:06 dejo1307

Can someone say why I can't use apache htpasswd or htdigest from apache-utils?

Is it bcrypt? Is something different? I did a small test but [email protected]+deb9u9 didn't work.

warrenc5 avatar Jan 21 '21 04:01 warrenc5

can someone say why I can't use apache htpasswd or htdigest from apache-utils. Is it bcrypt? Is something different? I did a small test but [email protected]+deb9u9 didn't work.

You can use any external htpasswd util or install it inside the registry container. But registry:2 requires the use of htpasswd bcrypt. So you should create htpasswd like this: htpasswd -B [FILE] [USER]

skandyla avatar Feb 27 '21 19:02 skandyla
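
A pre-deployment check for the point in the last reply, that registry:2 only accepts bcrypt htpasswd entries. This is an added example, not part of the thread or the registry project; the function names are hypothetical and the two non-bcrypt hashes in the sample are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): flag htpasswd entries that are not bcrypt.

# Print the hash scheme of one htpasswd hash field.
classify_hash() {
    case "$1" in
        '$2a$'*|'$2b$'*|'$2y$'*)
            # a bcrypt string is 60 characters: prefix, cost, salt, digest
            if [ "${#1}" -eq 60 ]; then echo bcrypt; else echo malformed-bcrypt; fi ;;
        '$apr1$'*) echo apr1-md5 ;;            # htpasswd -m
        '{SHA}'*)  echo sha1 ;;                # htpasswd -s
        '')        echo empty ;;
        *)         echo crypt-or-plaintext ;;  # htpasswd -d / -p
    esac
}

# Print "user scheme" for every entry that is not bcrypt, one per line.
non_bcrypt_entries() {
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*) continue ;; esac   # skip blanks and comments
        user=${line%%:*}
        hash=${line#*:}
        [ "$user" = "$line" ] && hash=''            # no colon on this line
        scheme=$(classify_hash "$hash")
        [ "$scheme" = bcrypt ] || printf '%s %s\n' "$user" "$scheme"
    done < "$1"
}

# Exit status 0 only when every entry in the file is bcrypt.
check_htpasswd() {
    bad=$(non_bcrypt_entries "$1")
    [ -z "$bad" ] && return 0
    printf 'entries the registry htpasswd auth will not accept:\n%s\n' "$bad" >&2
    return 1
}

# Constructed sample: the bcrypt line is the output quoted in the issue,
# the other two hash values are made up for illustration.
sample=$(mktemp)
cat > "$sample" <<'EOF'
testuser:$2y$05$KiRgtd4w8zO7ucC7LX8zguW58DBlm8E0yZ5gI64NXypIVtsosNvMu
alice:$apr1$EXAMPLE0$constructedconstructed
bob:{SHA}Y29uc3RydWN0ZWQtc2FtcGxl
EOF
check_htpasswd "$sample" || echo "regenerate with: htpasswd -B [FILE] [USER]"
rm -f "$sample"
```

Running `check_htpasswd auth/htpasswd` in CI before starting the registry container catches a file generated with the wrong htpasswd mode before logins start failing.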