
How to pull an image from my repository

Open olistu opened this issue 11 months ago • 11 comments

Hi,

I have created and built an image on the Harbor server. Then this image was pushed to the Harbor repository with success.

But now if I want to search my image, the search command does not display it.

with Docker :

docker search flutter

no images from my repository

with Podman :

$ podman search --tls-verify=false flutter
ERRO[0000] error getting search results from v2 endpoint "svx-lab-03m.unifr.ch": unauthorized: unauthorized to list catalog: unauthorized to list catalog
NAME DESCRIPTION

I need help to resolve this problem.

Regards Olivier

olistu avatar Mar 26 '24 13:03 olistu

It seems that podman search calls the catalog API, which needs system admin permission. Please try with the admin account.

wy65701436 avatar Apr 01 '24 05:04 wy65701436

> It seems that podman search calls the catalog API, which needs system admin permission. Please try with the admin account.

The problem was the same when logged in as the admin user.

olistu avatar Apr 02 '24 08:04 olistu

https://github.com/goharbor/harbor/issues/13573

It seems podman search uses a bearer token to call the v2/_catalog API:

podman search --log-level=debug  --tls-verify=false xxx.xxx.xxx/library/hello-world:latest

DEBU[0000] GET https://xxx.xxx.xxx/service/token?account=admin&service=harbor-registry
DEBU[0000] GET https://xxx.xxx.xxx/v2/_catalog
ERRO[0000] error getting search results from v2 endpoint "xxx.xxx.xxx": unable to retrieve auth token: invalid username/password: unauthorized: unauthorized to list catalog: unauthorized to list catalog
Error: 1 error occurred:
	* couldn't search registry "xxx.xxx.xxx": unable to retrieve auth token: invalid username/password: unauthorized: unauthorized to list catalog: unauthorized to list catalog

However, it is worth mentioning that podman seems to send a partial service token request to list the catalog:

GET https://xxx.xxx.xxx/service/token?service=harbor-registry&scope=registry:catalog:*

MinerYang avatar Apr 03 '24 09:04 MinerYang

Hi @olistu,

We don't support catalog listing with a bearer token, same as Docker Hub. Instead, we prefer that client tools use basic auth to call the v2/catalog API if possible, since it is only available to system admins to list all the repositories. However, we would like to collect and discuss within the community whether it is necessary to adopt client functions like podman search or crane catalog, etc.

Related issues:

  • https://github.com/goharbor/harbor/issues/13573

MinerYang avatar Apr 19 '24 10:04 MinerYang
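
An added example (not part of the thread or of Harbor's code): a small triage helper for the situation described above, where a client's debug log shows a token request scoped to `registry:catalog:*` followed by a denied `/v2/_catalog` call. The log lines and the host `harbor.example.test` are constructed, and the function name is hypothetical.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample, modelled on the podman debug lines quoted in this thread.
# harbor.example.test is a placeholder host.
SAMPLE_LOG = """\
DEBU[0000] GET https://harbor.example.test/service/token?account=admin&service=harbor-registry
DEBU[0000] GET https://harbor.example.test/service/token?service=harbor-registry&scope=registry:catalog:*
DEBU[0000] GET https://harbor.example.test/v2/_catalog
ERRO[0000] error getting search results from v2 endpoint "harbor.example.test": unauthorized: unauthorized to list catalog
"""

GET_RE = re.compile(r"\bGET (https?://\S+)")


def classify_catalog_flow(log_text):
    """Summarise how a client tried to authenticate its /v2/_catalog call."""
    scopes, catalog_calls = [], 0
    for line in log_text.splitlines():
        match = GET_RE.search(line)
        if not match:
            continue
        url = urlsplit(match.group(1))
        if url.path.endswith("/service/token"):
            # Token-service request: record any scope the client asked for.
            scopes.extend(parse_qs(url.query).get("scope", []))
        elif url.path.rstrip("/").endswith("/v2/_catalog"):
            catalog_calls += 1
    bearer = any(s.startswith("registry:catalog:") for s in scopes)
    denied = "unauthorized to list catalog" in log_text
    if catalog_calls == 0:
        finding = "no catalog call seen"
    elif denied and bearer:
        finding = "catalog listed via bearer token; retry with Basic auth as system admin"
    elif denied:
        finding = "catalog denied; check that the account is a system admin"
    else:
        finding = "catalog call not denied"
    return {"catalog_calls": catalog_calls, "bearer_catalog_scope": bearer,
            "denied": denied, "finding": finding}


if __name__ == "__main__":
    print(classify_catalog_flow(SAMPLE_LOG))
```
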

Hi,

Neuvector is a security tool used in the Rancher Kubernetes distribution to scan containers for vulnerabilities. In order to increase its knowledge, it needs to plug into an image registry. It uses the v2/_catalog endpoint, and by doing so, it receives a 401 Unauthorized when targeting Harbor. We could use an admin account, but I don't think that's a reliable solution.

It could be interesting to have a permission on robot accounts to let them access the v2/_catalog endpoint. I've set the registry type to "Docker Registry"; I didn't test with other types of registries.

The connectivity test logs:

[
	{
		"step_content": "Test registry connection",
		"step_type": "stage"
	},
	{
		"step_content": "GET https://<HARBOR_URL>/v2/",
		"step_type": "url"
	},
	{
		"step_content": "{}",
		"step_type": "response"
	},
	{
		"step_content": "Get all images",
		"step_type": "stage"
	},
	{
		"step_content": "Get registry repository list",
		"step_type": "stage"
	},
	{
		"step_content": "GET https://<HARBOR_URL>/v2/_catalog",
		"step_type": "url"
	},
	{
		"step_content": "Get \"https://<HARBOR_URL>/v2/_catalog\": http: non-successful response (status=401 body=\"{\\\"errors\\\":[{\\\"code\\\":\\\"UNAUTHORIZED\\\",\\\"message\\\":\\\"unauthorized to list catalog: unauthorized to list catalog\\\"}]}\\n\")",
		"step_type": "error"
	},
	{
		"step_content": "",
		"step_type": "images"
	},
	{
		"step_content": "Discovered 0 images",
		"step_type": "stage"
	}
]

mi-fabien-cayre avatar May 21 '24 08:05 mi-fabien-cayre

> Hi,
>
> Neuvector is a security tool used in the Rancher Kubernetes distribution to scan containers for vulnerabilities. In order to increase its knowledge, it needs to plug into an image registry. It uses the v2/_catalog endpoint, and by doing so, it receives a 401 Unauthorized when targeting Harbor. We could use an admin account, but I don't think that's a reliable solution.

Hi @mi-fabien-cayre, when you were using the admin account to call v2/_catalog, was it using basic auth (username:password) instead of a service token?

MinerYang avatar May 21 '24 08:05 MinerYang

Hi @MinerYang,

Did some tcpdump on our Harbor server; it uses Authorization: Basic

mi-fabien-cayre avatar May 21 '24 08:05 mi-fabien-cayre

Hi @mi-fabien-cayre,

  • The v2/_catalog API is only available to the system admin role and when called using Basic auth, so a system admin robot account should work as normal.
  • Could you check that the robot account has the right permissions and whether they are using a bearer token to do auth?

MinerYang avatar May 21 '24 09:05 MinerYang

Neuvector is using basic auth username:password to access the v2/_catalog endpoint. The robot account has all permissions (19) on Harbor Version v2.7.4-8693b25a. Might upgrade Harbor to the latest version and come back to discuss the issue here, because I don't see any option to make an "admin" robot account. Might as well open an issue to include Harbor registry in Neuvector's repo. Thanks for your help and have a great day!

mi-fabien-cayre avatar May 21 '24 09:05 mi-fabien-cayre

Screenshot 2024-05-21 at 17 41 58

MinerYang avatar May 21 '24 09:05 MinerYang

This issue is being marked stale due to a period of inactivity. If this issue is still relevant, please comment or remove the stale label. Otherwise, this issue will close in 30 days.

github-actions[bot] avatar Aug 24 '24 09:08 github-actions[bot]