[Containers] integration with existing registry and ldap authentication

Benjamin Fernandis benjo11111 at gmail.com
Sun Jan 24 14:59:53 MST 2016


Hi,

I added  -e REGISTRY_AUTH_TOKEN_SERVICE="192.168.1.20:5000"  as suggested
above, and enabled debug mode with stdout log messages as suggested.

Now I can see the logs below:

time="2016-01-25T09:50:15.967721182+13:00" level=debug
msg="filesystem.List(\"/\")" instance.id=92f79a6e-4330-422b-9833-03bd9201b3a6
service=registry trace.duration=125.467µs trace.file="/go/src/
github.com/docker/distribution/registry/storage/driver/base/base.go"
trace.func="
github.com/docker/distribution/registry/storage/driver/base.(*Base).List"
trace.id=474f03d6-233f-4a6a-97d8-307fc389b594 trace.line=123 version=v2.1.1

time="2016-01-25T09:50:25.806341211+13:00" level=debug msg="authorizing
request" http.request.host="192.168.1.20:5000"
http.request.id=6b96abae-ecca-4891-ab53-18f9d5babe4a
http.request.method=GET http.request.remoteaddr="192.168.1.30:21734"
http.request.uri="/v2/" http.request.useragent="docker/1.9.1-fc23
go/go1.5.1 git-commit/110aed2-dirty kernel/4.3.3-300.fc23.x86_64 os/linux
arch/amd64" instance.id=92f79a6e-4330-422b-9833-03bd9201b3a6
service=registry version=v2.1.1

time="2016-01-25T09:50:25.806495043+13:00" level=info msg="response
completed" http.request.host="192.168.1.20:5000"
http.request.id=6b96abae-ecca-4891-ab53-18f9d5babe4a
http.request.method=GET http.request.remoteaddr="192.168.1.30:21734"
http.request.uri="/v2/" http.request.useragent="docker/1.9.1-fc23
go/go1.5.1 git-commit/110aed2-dirty kernel/4.3.3-300.fc23.x86_64 os/linux
arch/amd64" http.response.contenttype="application/json; charset=utf-8"
http.response.duration=4.930233ms http.response.status=200
http.response.written=2 instance.id=92f79a6e-4330-422b-9833-03bd9201b3a6
service=registry version=v2.1.1

192.168.1.30 -- [25/Jan/2016:09:50:25 +1300] "GET /v2/ HTTP/1.1" 200 2 ""
"docker/1.9.1-fc23 go/go1.5.1 git-commit/110aed2-dirty
kernel/4.3.3-300.fc23.x86_64 os/linux arch/amd64"

time="2016-01-25T09:50:25.967676129+13:00" level=debug
msg="filesystem.List(\"/\")" instance.id=92f79a6e-4330-422b-9833-03bd9201b3a6
service=registry trace.duration=110.255µs trace.file="/go/src/
github.com/docker/distribution/registry/storage/driver/base/base.go"
trace.func="
github.com/docker/distribution/registry/storage/driver/base.(*Base).List"
trace.id=9e90391a-ff1d-4122-a73e-188388ebd28b trace.line=123 version=v2.1.1


We have a proxy in the network and its IP is 192.168.1.30.

I am not using an SSL certificate here and I set insecure-registry in the
configuration.

I enabled LDAP in Portus and I can do LDAP authentication for Portus
interface access.

Here, my confusion is: when I do docker login 192.168.1.20:5000, does
it go to Portus for the LDAP authentication check of the username
/passwd and email id entered in the docker login command? or

Here I haven't configured any nginx or any other setup.

Please let me know if I am missing anything here.

My docker registry command:

docker run \
-d --restart=always --name registry \
-e REGISTRY_LOG_LEVEL=debug \
-p 5000:5000 \
-e SEARCH_BACKEND=sqlalchemy \
-e REGISTRY_AUTH_TOKEN_REALM="http://192.168.1.20:3000/v2/token" \
-e REGISTRY_AUTH_TOKEN_SERVICE="192.168.1.20:5000" \
-e REGISTRY_AUTH_TOKEN_SERVICE="192.168.1.20:5000" \
-v /home/test/data:/var/lib/registry \
registry:2.1

On Fri, Jan 22, 2016 at 10:04 PM, Jordi Massaguer Pla <jmassaguerpla at suse.de> wrote:

>
>
> On 01/21/2016 09:41 PM, Benjamin Fernandis wrote:
>
> Hi,
>
> I have a docker registry on another host and Portus in an openSUSE VM.
>
> Currently I can do LDAP authentication to access the Portus web interface and
> I can see the global namespace and my own namespace, all working in that.
>
> But when I tried to do docker login <docker_registry:5000> it is not working.
> And I got Error response from daemon: no successful auth challenge for
> http://192.168.1.20:5000/v2/ - errors: []
>
> portus (opensuse vm ) - 192.168.1.10
> docker (registry container on different host but it is accessible from
> portus ) - 192.168.1.20:5000
>
> Do I need to do any other configuration for this or ?
>
>
> Please try the following. On 192.168.1.20, stop registry as a daemon and
> start it manually. If it is SUSE, you can do that with
>
> sudo registry /etc/config.yml
>
> This will show you the log in the stdout.
>
> Then try again and look for a better explanation of the error.
>
> You may want also to enable debug in config.yml file.
>
> My guess is that you may have some SSL cert issues. Communication between
> Portus and the registry is done using SSL certificates. You can try running
> registry with an insecure flag (see registry --help) to test if that is
> the case. If so, you need to add the Portus certificate in your system.
>
> In order to do that, you need to add your certificate authority (*ca.crt)
> into /etc/pki/trust/anchors/ and then run sudo update-ca-certificates
> (assuming you are running suse).
>
> I hope this helps.
>
> Otherwise, send us the output of the registry command which may give us a
> clue.
>
>
>
>
> On Thu, Jan 21, 2016 at 11:32 PM, Jordi Massaguer Pla <
> jmassaguerpla at suse.de> wrote:
>
>> I guess you have not run portusctl command.
>>
>> After installing the rpm, you need to run
>>
>> "portusctl setup --local-registry"
>>
>> I am assuming you have a docker registry running on your box (install it
>> with zypper install docker-distribution-registry)
>>
>> Also, make sure you have mariadb installed and running.
>>
>> cheers
>>
>> On 01/21/2016 03:12 AM, Benjamin Fernandis wrote:
>>
>> I pass the variables below to the docker registry container,
>>
>> docker run \
>> -d --restart=always --name registry \
>> -e REGISTRY_LOG_LEVEL=debug \
>> -p 5000:5000 \
>> -e SEARCH_BACKEND=sqlalchemy \
>> -e REGISTRY_AUTH_TOKEN_REALM="http://192.168.1.20:3000/v2/token" \
>> -e REGISTRY_AUTH_TOKEN_SERVICE="192.168.1.20:5000" \
>> -v /home/test/data:/var/lib/registry \
>> registry:2.1
>>
>> where 192.168.1.20 is the IP for the docker registry.
>>
>> But I still cannot log in with the docker login command line. Do I need
>> to add anything in Portus?
>>
>> On Thu, Jan 21, 2016 at 2:04 PM, Benjamin Fernandis <benjo11111 at gmail.com> wrote:
>>
>>> I deployed Portus on openSUSE. I cannot find the /etc/registry/config.yml
>>> file on the Portus machine.
>>>
>>> Do I need to add the above lines in the docker registry container or in
>>> the Portus VM?
>>>
>>>
>>> On Thu, Jan 21, 2016 at 2:00 PM, Aleksa Sarai <asarai at suse.de> wrote:
>>>
>>>> On 01/21/2016 11:53 AM, Benjamin Fernandis wrote:
>>>>
>>>>> Hi Miquel,
>>>>>
>>>>> I deployed the rpm version on openSUSE and it is working fine.
>>>>>
>>>>> Can you please guide me on what is required to enable login in the docker
>>>>> command line.
>>>>>
>>>>> Currently I tested Portus integration with the docker registry and LDAP
>>>>> authentication to Portus from the web interface.
>>>>>
>>>>> Trying to do command line docker login and getting the error below.
>>>>>
>>>>> Error response from daemon: no successful auth challenge for
>>>>> http://192.168.1.20:5000/v2/ - errors: []
>>>>>
>>>>
>>>> Are you running Portus using docker-compose? If so, you need
>>>> docker-compose version 1.5.2 or later.
>>>>
>>>> Otherwise, please make sure that your *daemon* can access the IP
>>>> address of the docker registry given in /etc/registry/config.yml
>>>> in the "realm" field:
>>>>
>>>> auth:
>>>>   token:
>>>>     realm: http://172.17.0.1:3000/v2/token
>>>>     service: 172.17.0.1:5000
>>>>
>>>> And that the "service" is the same as the one you registered when you
>>>> first started Portus (this is more likely to be the cause).
>>>>
>>>> --
>>>> Aleksa Sarai
>>>> Docker Core Specialist
>>>> SUSE Australia
>>>> https://www.cyphar.com/
>>>>
>>>> _______________________________________________
>>>> Containers mailing list
>>>> Containers at lists.suse.com
>>>> http://lists.suse.com/mailman/listinfo/containers
>>>>
>
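
Added example (not part of the original thread, and not Portus or registry code): docker login first sends an unauthenticated GET /v2/ and needs a 401 with a Bearer challenge naming the token realm and service, so this classifies that response. The sample responses are constructed, and it is assumed that Portus serves the token endpoint from its own VM address (192.168.1.10 in the thread).

```python
import re
from urllib.parse import urlsplit

def parse_bearer_challenge(header):
    """Parse a WWW-Authenticate value such as
    'Bearer realm="...",service="..."'; return None if it is not Bearer."""
    scheme, _, params = header.strip().partition(" ")
    if scheme.lower() != "bearer":
        return None
    return {k.lower(): v for k, v in re.findall(r'(\w+)="([^"]*)"', params)}

def diagnose(status, headers, token_host, service):
    """Classify an unauthenticated GET /v2/ response.
    token_host: host (no port) where the token server (Portus) runs (assumed).
    service: the registry name registered in the token server."""
    if status == 200:
        # No challenge at all: the registry is not enforcing auth, so the
        # client has nothing to log in against.
        return ["no-challenge"]
    if status != 401:
        return ["unexpected-status"]
    hdrs = {k.lower(): v for k, v in headers.items()}
    challenge = parse_bearer_challenge(hdrs.get("www-authenticate", ""))
    if challenge is None:
        return ["not-bearer"]
    findings = []
    realm = urlsplit(challenge.get("realm", ""))
    if realm.hostname != token_host:
        findings.append("realm-host-mismatch")
    if realm.scheme != "https":
        # The client sends the account password to the realm URL.
        findings.append("realm-not-https")
    if challenge.get("service") != service:
        findings.append("service-mismatch")
    return findings or ["ok"]

# Constructed sample responses (not captured from the thread's hosts).
SAMPLES = {
    "200 as in the debug log": (200, {}),
    "realm on registry host": (401, {"Www-Authenticate":
        'Bearer realm="http://192.168.1.20:3000/v2/token",service="192.168.1.20:5000"'}),
    "realm on Portus host over TLS": (401, {"WWW-Authenticate":
        'Bearer realm="https://192.168.1.10/v2/token",service="192.168.1.20:5000"'}),
}

if __name__ == "__main__":
    for name, (status, headers) in SAMPLES.items():
        print(name, "->", diagnose(status, headers, "192.168.1.10", "192.168.1.20:5000"))
```

The status and header to feed in can be read from the output of curl -i against the registry's /v2/ URL.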