pierone
API v2 does not work as expected with HTTP_ALLOW_PUBLIC_READ=true
I could not find a way of getting the Docker client to use auth for push, but no-auth for pull :disappointed:
Apparently the 401 return code is only relevant to the Docker client for the first "GET /v2/" call --- we cannot know yet whether the client wants to perform a push or only a pull.
Background information: we need to support the HTTP_ALLOW_PUBLIC_READ mode for our Open Source Docker Registry (https://registry.opensource.zalan.do/).
I reported this as a bug (issue already reported by somebody else) in the Docker client: https://github.com/docker/docker/issues/17317
Current suggestion:
To work around this issue, we want to support multiple domains. One domain would be read-only and the other r/w but with forced authentication. In order to configure that, every request should be forced authenticated. If the used host matches HTTP_ALLOW_PUBLIC_READ_DOMAIN, then have it read-only.
I think we should check the latest Docker client (1.9.1); I think they changed the behavior (hopefully for the better). We should return a WWW-Authenticate header here: https://github.com/zalando-stups/friboo/blob/master/src/org/zalando/stups/friboo/system/oauth2.clj#L52
Current workaround plan:
Use two different domains, one for pulling (registry.opensource.zalan.do) and one for pushing (registry-write.opensource.zalan.do).
This is a dirty hack until the Docker client gets fixed. :disappointed: :hourglass_flowing_sand:
BTW I created a new issue in Docker for this: https://github.com/docker/docker/issues/18569
The workaround has now been deployed; I will keep this issue open as long as we need to use the workaround solution.
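The two-domain rule discussed in this thread, sketched as an added Python example (not Pier One's Clojure code, and not code from any participant). It assumes one reading of the suggestion: authentication is the default for every host, and only an exact match on the configured public-read domain gets unauthenticated, read-only access. The function names, the challenge value and the 403 for writes on the read-only host are assumptions.

```python
READ_METHODS = frozenset({"GET", "HEAD"})

# Assumed challenge value; the real header depends on the registry's auth scheme.
CHALLENGE = 'Basic realm="example-registry"'


def normalize_host(host_header):
    """Lower-case the Host header, drop an optional port and a trailing dot."""
    host = (host_header or "").strip().lower()
    if not host.startswith("["):  # leave bracketed IPv6 literals untouched
        host = host.split(":", 1)[0]
    return host.rstrip(".")


def decide(method, host_header, authenticated, public_read_domain):
    """Return (status, headers); 200 here means "pass the request on".

    The Host header is chosen by the client, so anything that is not an
    exact match for the read-only domain falls through to forced auth.
    """
    read_only = bool(public_read_domain) and (
        normalize_host(host_header) == public_read_domain.lower()
    )
    if read_only:
        if method.upper() in READ_METHODS:
            return 200, {}   # public pull, no credentials needed
        return 403, {}       # no writes on the read-only domain, even with auth
    if not authenticated:
        # Includes the client's first "GET /v2/" call on the write domain.
        return 401, {"WWW-Authenticate": CHALLENGE}
    return 200, {}


if __name__ == "__main__":
    ro = "registry.opensource.zalan.do"
    rw = "registry-write.opensource.zalan.do"
    for method, host, authed in [("GET", ro, False), ("PUT", ro, True),
                                 ("GET", rw, False), ("PUT", rw, True)]:
        print(method, host, authed, decide(method, host, authed, ro))
```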