docker-registry-frontend
                                
support for private repo with username and password.
I have a private repository with a username and password. I am not able to log in to my private repo.
Can you please add support for it?

Hi @jainishshah17. Thank you for reporting this issue but please be more specific about it though. How exactly is your private repo secured with username and password? Is it simple or digest auth? Is there one username/password for everybody? Where do credentials come from (e.g. Kerberos) and can this maybe be also used in the registry-frontend which in turn forwards credentials to your registry?
Not depending on the complexity of your setup, but this might take some time to implement.
And last but not least: what exactly is the error you're getting?
Hi @kwk. Thank you for the quick response. Following are my answers to your questions. My private repo is hosted in S3. It has only one username and password for all users. We log in to the private repo using the login command, in my case "sudo docker login docker.xyz.com". It stores the credentials in the .dockercfg file. Hope I answered all your questions. Please let me know once you get a solution.
I am not getting any error because it is not even trying to log in to my private repo.
@jainishshah17 - we run a secured registry, so what I do to solve this issue is start the registry-frontend on the same host as the registry container, and use a --link between them to allow the registry-frontend to have access to the http://registry:5000/* endpoints (instead of having to go through the password-secured https external port). Then you could simply secure access to the registry-frontend with a password.
@jainishshah17, until I have more resources and time I think @guruvan's proposal is a good workaround for now. Please let me know if this is feasible for you.
@guruvan could you provide a gist to show how this might work? I have a local registry that I do not expose any ports, and then tried to define a link with the docker-registry-frontend container. However it still asked for the environment setting for the "ENV_DOCKER_REGISTRY_HOST".
You'll need to
- start the registry with --name registry_container_name
- set the following in the frontend startup: --link registry_container_name:registry -e ENV_DOCKER_REGISTRY_HOST=registry

And you should be all set.

EDIT: perhaps to be more clear, if you'd want there to be more security on the frontend-ui, you'd need to run nginx (or w/e) as a proxy, and set up some basic authentication there.
If you'd want to do that, you'd likely want to start the frontend with a --name=registry_frontend
and start the nginx similarly to above with --link registry_frontend:frontend
and set in nginx:

```
upstream frontend { server frontend:80; }
```

then we use

```
proxy_pass http://frontend;
proxy_set_header Host $http_host;        # required for docker client's sake
proxy_set_header X-Real-IP $remote_addr; # pass on real client's IP
proxy_read_timeout 900;
```
@guruvan Awesome! That worked nicely with and without ssl on the registry_frontend.
Here are my commands:

private_registry

```
docker run -d --name="private_registry" -e SETTINGS_FLAVOUR=local -v /var/lib/docker-registry:/tmp/registry registry
```

USE_SSL frontend (now working)

```
docker run -d --name="private_registry_frontend" \
  --link private_registry:registry \
  -e ENV_DOCKER_REGISTRY_HOST=registry \
  -e ENV_DOCKER_REGISTRY_PORT=5000 \
  -e ENV_USE_SSL=yes \
  -v /var/lib/docker-registry/docker-ssl/private-registry.crt:/etc/apache2/server.crt:ro \
  -v /var/lib/docker-registry/docker-ssl/private-registry.key:/etc/apache2/server.key:ro \
  -p 80:80 -p 443:443 \
  konradkleine/docker-registry-frontend
```

No SSL frontend (working)

```
docker run -d --name="private_registry_frontend" \
  --link private_registry:registry \
  -e ENV_DOCKER_REGISTRY_HOST=registry \
  -e ENV_DOCKER_REGISTRY_PORT=5000 \
  -p 80:80 \
  konradkleine/docker-registry-frontend
```

Questions:
- How would the PROXY settings work if I wanted to use the front-end as my registry?
- Answer: Turns out the proxy settings, and registry capabilities work nicely. I see the correct docker pull command, when I drill into a tag. I am able to perform a docker pull of SSL.
 
- With the nginx proposal, would I still be able to provide a proxy for my registry?
- Is the nginx approach the way to add BASIC authentication?
I run the frontend proxy and the registry proxy from the same nginx, that way both the proxies can use the same port 443 - not sure which PROXY setting you're referring to?
At this point we've moved our entire network to coreos, but I have some older scripts to run this on without fleet/systemd. I'll find those, and I'll post the unitfiles we're using now, along with the nginx config
I've put a wiki page here with my nginx configurations and some rough 'docker run' statements - I'll update that shortly with more scripts and put some coreos examples as well.
https://github.com/kwk/docker-registry-frontend/wiki/nginx-proxy-examples
@guruvan , Thanks very much! @jainishshah17 , and sorry if this ended up hijacking the issue thread.
I have the same requirement as @jainishshah17 . Remote private registry, authentication with basic auth, want to install docker-registry-frontend in a separate machine.
@kwk any guidance on this one? Maybe you can write here some kind of description of what needs to be done and perhaps someone can implement that (such as, myself).
@aliok no I have no guidance. Feel free to experiment.
I'm running a registry using the official simple way of securing it: https://github.com/docker/distribution/blob/master/docs/deploying.md#native-basic-auth
This is simply adding basic auth to the builtin web server - Having the frontend support this would be really useful.
In another project (or a previous version of this project) all the API requests were done from the clientside javascript which means authentication was handled by the browser (i.e. it just showed a login dialog)
I would love to see this implemented; most of the registries require auth and guruvan's solution doesn't work for me. Linking the containers and using port 5000 also requires user and password.
+1
+1
+1, same for me
+1
+1
+1
+1
+111111
+1111111
+1 for a built-in auth solution.
I run the https://hub.docker.com/_/registry/ behind an nginx proxy (https://hub.docker.com/r/jwilder/nginx-proxy/) secured with a basic auth + the let's encrypt companion (https://hub.docker.com/r/jrcs/letsencrypt-nginx-proxy-companion/). Everything works fine for the registry. Tried the workaround solution from guruvan but without success the first time; there were some cookies recorded at first attempt with real URL. Once purged, repositories were shown with success.
+1 registry is not modifiable and not on same host!
This issue seems a bit stale but I am dealing with the same issue. This is an enhancement request and I would propose the following approach be used.
Add two new environment variables: BACKEND_USER and BACKEND_PASSWORD. If these are set, create an authorization header and send that header with all calls to the backend registry API V2 server. This allows you to service registries that are created using Docker's suggested recipes for registry deployment. They have two, one where their container exposes an SSL endpoint, and another where they use Nginx (with SSL offloading) to frontend an http registry. In both cases the client is expected to send a basic authorization header if the registry is configured for basic auth.
The end result would be the ability to manage any deployed registry whether or not it requires the client to send credentials.
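
The exchange proposed in the comment above, sketched as an added example that is not part of the thread or the project's code: a client builds a Basic `Authorization` header from the proposed `BACKEND_USER` / `BACKEND_PASSWORD` variables and sends it to the registry's `/v2/_catalog` endpoint. `FakeRegistry`, the demo credentials and the repository name are constructed stand-ins so that both sides run locally.

```python
import base64, json, os, threading, urllib.error, urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer
# Constructed credentials for the local stand-in registry below (not real values).
DEMO_ENV = {"BACKEND_USER": "demo-user", "BACKEND_PASSWORD": "demo-pass"}

def backend_auth_header(env=os.environ):
    """Build the Basic Authorization header from BACKEND_USER/BACKEND_PASSWORD."""
    user, password = env.get("BACKEND_USER"), env.get("BACKEND_PASSWORD")
    if not user or password is None:
        return {}  # variables unset: talk to the registry anonymously
    if ":" in user:
        raise ValueError("a basic-auth user name cannot contain ':'")
    token = base64.b64encode(f"{user}:{password}".encode()).decode("ascii")
    return {"Authorization": "Basic " + token}

class FakeRegistry(BaseHTTPRequestHandler):
    def do_GET(self):
        # Stand-in for a V2 registry with basic auth: challenge unless the header matches.
        if self.headers.get("Authorization") != backend_auth_header(DEMO_ENV)["Authorization"]:
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="Registry Realm"')
            self.end_headers()
            return
        body = json.dumps({"repositories": ["team/app"]}).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)
    def log_message(self, *args): pass  # keep the demo quiet

def list_repositories(base_url, env=os.environ):
    """GET /v2/_catalog with the backend credentials; return (status, repos)."""
    req = urllib.request.Request(base_url + "/v2/_catalog", headers=backend_auth_header(env))
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))  # ignore env proxies
    try:
        with opener.open(req, timeout=5) as resp:
            return resp.status, json.load(resp)["repositories"]
    except urllib.error.HTTPError as err:
        return err.code, []  # e.g. 401 when credentials are missing or wrong

def run_demo():
    """Query the stand-in registry once without and once with credentials."""
    server = HTTPServer(("127.0.0.1", 0), FakeRegistry)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    url = f"http://127.0.0.1:{server.server_port}"
    try:
        return list_repositories(url, env={}), list_repositories(url, env=DEMO_ENV)
    finally:
        server.shutdown()
        server.server_close()
```

Basic credentials are only base64-encoded, so the hop to a real registry needs TLS. A frontend that injects them this way answers every visitor with the backend account's access, so it needs its own authentication, as in the nginx setup described earlier in the thread.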