[Containers] integration with existing registry and ldap authentication

Benjamin Fernandis benjo11111 at gmail.com
Tue Jan 26 14:26:59 MST 2016


Hi,

To test it outside the proxy, I set up Portus and the registry as containers on a single
physical machine which is outside the proxy configuration.

My docker file for the registry:

docker run \
--name registry \
-e REGISTRY_LOG_LEVEL=debug \
--net=host \
-e SEARCH_BACKEND=sqlalchemy \
-e REGISTRY_AUTH_TOKEN_ISSUER="10.17.1.22" \
-e REGISTRY_AUTH_TOKEN_REALM="http://10.17.1.22:3000/v2/token" \
-e REGISTRY_AUTH_TOKEN_SERVICE="10.17.1.22:5000" \
-v /etc/localtime:/etc/localtime:ro \
-v `pwd`/data:/var/lib/registry \
registry:2.1


Docker file for Portus:

docker run \
  -d --restart=always --name portus \
  --net=host \
  -e PORTUS_MACHINE_FQDN="hostname" \
  -e PORTUS_KEY_PATH="key.pem" \
  -e PORTUS_LDAP_ENABLED=true \
  -e PORTUS_LDAP_HOSTNAME=ldap.example.com \
  -e PORTUS_LDAP_PORT=389 \
  -e PORTUS_LDAP_METHOD=plain \
  -e PORTUS_LDAP_BASE="xyz" \
  -e PORTUS_LDAP_UID="xyz" \
  -e PORTUS_LDAP_AUTHENTICATION_ENABLED=true \
  -e PORTUS_LDAP_AUTHENTICATION_BIND_DN="xyz" \
  -e PORTUS_LDAP_AUTHENTICATION_PASSWORD="xyz" \
  -e PORTUS_PRODUCTION_HOST=10.17.1.22 \
  -e PORTUS_PRODUCTION_DATABASE=portus \
  -e PORTUS_PRODUCTION_USERNAME=portus \
  -e PORTUS_PRODUCTION_PASSWORD=portuspassword \
  -e PORTUS_GRAVATAR_ENABLED=true \
  -e PORTUS_PASSWORD="portuspassword" \
  -e PORTUS_SECRET_KEY_BASE="xyz" \
  -e REGISTRY_USE_SSL=true \
  -e PORTUS_CHECK_SSL_USAGE_ENABLED=false \
  -e CATALOG_CRON="2.minutes" \
  sshipway/portus:2.0.0



After running both the registry and Portus, I can do LDAP login through the Portus web
page and add the registry.

# curl -ik --user $user:$password http://10.17.1.22:3000/v2/token?account=$user\&service=10.17.1.22:5000
HTTP/1.1 200 OK
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Content-Type: application/json; charset=utf-8
ETag: W/"948072053b84e6aa8ca2d7e830bba73c"
Cache-Control: max-age=0, private, must-revalidate
Set-Cookie:
_portus_session=M2dxWkNmWFBzMmo1NGhzYTlpOEIzNWtLTVBPazl0RnRMVHdzMzhjWnZqVDZWZXdWMnVIWjlrYVFrQk5rZGFYMEVvRWRDR2hOMVFUaGltZHZOL05NY1E9PS0tekE4RDRZUTVPdnhZakhjbkZZS0I2UT09--8a3bd444275d60c9dd9a71ff5ef4310ad2fd2422;
path=/; HttpOnly
X-Request-Id: 3d602c82-5445-46f3-b8ba-6d187e060dd7
X-Runtime: 5.052285
Transfer-Encoding: chunked

{"token":"eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6IllGVEM6MjNSUjpCRUJBOktSTDc6SkFKUjpTSFg0OkEzNks6TU5LSzpBWTVTOlpMWlg6UVBQVzpSMk02In0.eyJpc3MiOiJvcGVuc3RhY2sucGZyLmNvLm56Iiwic3ViIjoiIiwiYXVkIjoiMTAuMTcuMS4yMjo1MDAwIiwiaWF0IjoxNDUzODQzMzMzLCJuYmYiOjE0NTM4NDMzMjgsImV4cCI6MTQ1Mzg0MzYzMywianRpIjoiNlQ4Wk1vajQzeEh5aGlQcnNhWlNmdmVmYjNZQ285NFhzU3FGVXFxNTgxIn0.iG6iKw8BFogtXF50b0Zhy7LVFv1hetvQu1UCKPSLmAIbnkH3_F_-oHjJ7l6OeHvTyIxc_aa5EQ9CPIbDfW9xFmHS436FsLYlq64c8PqC6sgTAGVmDSzsUHReLG0H9cRHv7kVtbGJkR_4Bim4tjR3DWho2QyuaEQ8GzA6XnhRGfqe25SPMT48YAijDRs6R_X0jVMiJQBecLZ620tapGdmC9gm1qKAeinQbY2SmcYCyi6MV-VFbApWuY9Nzc71HRYW4I4AH1Gle9sG3p9ua82-7Bj6T0zykqbx8iJ5KvBhMnxz9lqtdO40m_sZiSpvepuxRO-VUy5M-Yi_8qb8rCKhhA"}


And when I tried docker login 10.17.1.22:5000:
Username: user
Password:
Email: email-id
Error response from daemon: no successful auth challenge for
http://10.17.1.22:5000/v2/ - errors: []


Registry logs:

time="2016-01-27T10:20:03.057481195+13:00" level=debug msg="authorizing
request" http.request.host="10.17.1.22:5000"
http.request.id=ce2dd545-d0bf-42da-a3b8-a5f143a842d0
http.request.method=GET http.request.remoteaddr="10.17.1.22:45211"
http.request.uri="/v2/" http.request.useragent="docker/1.8.2-el7.centos
go/go1.4.2 kernel/3.10.0-229.14.1.el7.x86_64 os/linux arch/amd64"
instance.id=4bce4b2e-9bb0-4a36-911e-18f7729ee1a2 service=registry
version=v2.1.1

time="2016-01-27T10:20:03.057594847+13:00" level=info msg="response
completed" http.request.host="10.17.1.22:5000"
http.request.id=ce2dd545-d0bf-42da-a3b8-a5f143a842d0
http.request.method=GET http.request.remoteaddr="10.17.1.22:45211"
http.request.uri="/v2/" http.request.useragent="docker/1.8.2-el7.centos
go/go1.4.2 kernel/3.10.0-229.14.1.el7.x86_64 os/linux arch/amd64"
http.response.contenttype="application/json; charset=utf-8"
http.response.duration=3.085575ms http.response.status=200
http.response.written=2 instance.id=4bce4b2e-9bb0-4a36-911e-18f7729ee1a2
service=registry version=v2.1.1

10.17.1.22 - - [27/Jan/2016:10:20:03 +1300] "GET /v2/ HTTP/1.1" 200 2 ""
"docker/1.8.2-el7.centos go/go1.4.2 kernel/3.10.0-229.14.1.el7.x86_64
os/linux arch/amd64"


Please correct me if I am making any configuration mistake, and please suggest how
to resolve this.

I am not using the docker registry with SSL. I configured --insecure-registry
in the docker config.

10.17.1.22 is the IP of the physical machine, running CentOS 7, where I deployed
the Portus and registry containers.

Regards
Ben

On Mon, Jan 25, 2016 at 10:44 PM, Jordi Massaguer Pla <jmassaguerpla at suse.de> wrote:

> I am a bit confused... the log you are sending us states
>
> http.response.status=200
>
> I don't see any error in the authentication nor in the certificates...
>
> May it be a problem because of the proxy you have? Can you try without the
> proxy? Like running docker where you have the registry or Portus installed?
> If that were the problem, we can narrow it and try to reproduce it.
>
> This is how it works: docker tries to log in to the registry and this
> forwards/delegates the authentication to Portus, which in turn uses
> ldap for that.
>
> thanks
>
>
>
> On 01/24/2016 10:59 PM, Benjamin Fernandis wrote:
>
> Hi,
>
> I added -e REGISTRY_AUTH_TOKEN_SERVICE="192.168.1.20:5000" as suggested
> above, and enabled debug mode with stdout log messages as suggested.
>
> Now I can see the logs below:
>
> time="2016-01-25T09:50:15.967721182+13:00" level=debug
> msg="filesystem.List(\"/\")" instance.id=92f79a6e-4330-422b-9833-03bd9201b3a6
> service=registry trace.duration=125.467µs trace.file="/go/src/github.com/docker/distribution/registry/storage/driver/base/base.go"
> trace.func="github.com/docker/distribution/registry/storage/driver/base.(*Base).List"
> trace.id=474f03d6-233f-4a6a-97d8-307fc389b594 trace.line=123
> version=v2.1.1
>
> time="2016-01-25T09:50:25.806341211+13:00" level=debug msg="authorizing
> request" http.request.host="192.168.1.20:5000" http.request.id=6b96abae-ecca-4891-ab53-18f9d5babe4a
> http.request.method=GET http.request.remoteaddr="192.168.1.30:21734"
> http.request.uri="/v2/" http.request.useragent="docker/1.9.1-fc23
> go/go1.5.1 git-commit/110aed2-dirty kernel/4.3.3-300.fc23.x86_64 os/linux
> arch/amd64" instance.id=92f79a6e-4330-422b-9833-03bd9201b3a6
> service=registry version=v2.1.1
>
> time="2016-01-25T09:50:25.806495043+13:00" level=info msg="response
> completed" http.request.host="192.168.1.20:5000" http.request.id=6b96abae-ecca-4891-ab53-18f9d5babe4a
> http.request.method=GET http.request.remoteaddr="192.168.1.30:21734"
> http.request.uri="/v2/" http.request.useragent="docker/1.9.1-fc23
> go/go1.5.1 git-commit/110aed2-dirty kernel/4.3.3-300.fc23.x86_64 os/linux
> arch/amd64" http.response.contenttype="application/json; charset=utf-8"
> http.response.duration=4.930233ms http.response.status=200
> http.response.written=2 instance.id=92f79a6e-4330-422b-9833-03bd9201b3a6
> service=registry version=v2.1.1
>
> 192.168.1.30 -- [25/Jan/2016:09:50:25 +1300] "GET /v2/ HTTP/1.1" 200 2 ""
> "docker/1.9.1-fc23 go/go1.5.1 git-commit/110aed2-dirty
> kernel/4.3.3-300.fc23.x86_64 os/linux arch/amd64"
>
> time="2016-01-25T09:50:25.967676129+13:00" level=debug
> msg="filesystem.List(\"/\")" instance.id=92f79a6e-4330-422b-9833-03bd9201b3a6
> service=registry trace.duration=110.255µs trace.file="/go/src/github.com/docker/distribution/registry/storage/driver/base/base.go"
> trace.func="github.com/docker/distribution/registry/storage/driver/base.(*Base).List"
> trace.id=9e90391a-ff1d-4122-a73e-188388ebd28b trace.line=123
> version=v2.1.1
>
>
> We have a proxy in the network and its IP is 192.168.1.30.
>
> I am not using an SSL certificate here and I set insecure-registry in the
> configuration.
>
> I enabled LDAP in Portus and I can do LDAP authentication for Portus
> interface access.
>
> Here, my confusion is: when I do docker login 192.168.1.20:5000, does
> it go to Portus for the LDAP authentication check of the username/password
> and email id entered in the docker login command? Or
>
> Here I haven't configured nginx or any other setup.
>
> Please let me know if I'm missing anything here.
>
> My docker registry command:
>
> docker run \
> -d --restart=always --name registry \
> -e REGISTRY_LOG_LEVEL=debug \
> -p 5000:5000 \
> -e SEARCH_BACKEND=sqlalchemy \
> -e REGISTRY_AUTH_TOKEN_REALM="http://192.168.1.20:3000/v2/token" \
> -e REGISTRY_AUTH_TOKEN_SERVICE="192.168.1.20:5000" \
> -e REGISTRY_AUTH_TOKEN_SERVICE="192.168.1.20:5000" \
> -v /home/test/data:/var/lib/registry \
> registry:2.1
>
> On Fri, Jan 22, 2016 at 10:04 PM, Jordi Massaguer Pla <jmassaguerpla at suse.de> wrote:
>
>>
>>
>> On 01/21/2016 09:41 PM, Benjamin Fernandis wrote:
>>
>> Hi,
>>
>> I have the docker registry on another host and Portus in an openSUSE VM.
>>
>> Currently I can do LDAP authentication to access the Portus web interface and
>> I can see the global namespace and my own namespace; all is working there.
>>
>> But when I tried to do docker login <docker_registry:5000> it is not working,
>> and I got: Error response from daemon: no successful auth challenge for
>> http://192.168.1.20:5000/v2/ - errors: []
>>
>> portus (openSUSE VM) - 192.168.1.10
>> docker (registry container on a different host but it is accessible from
>> Portus) - 192.168.1.20:5000
>>
>> Do I require any other configuration for this, or?
>>
>>
>> Please try the following. On 192.168.1.20, stop registry as a daemon and
>> start it manually. If it is SUSE, you can do that with
>>
>> sudo registry /etc/config.yml
>>
>> This will show you the log in the stdout.
>>
>> Then try again and look for a better explanation of the error.
>>
>> You may also want to enable debug in the config.yml file.
>>
>> My guess is that you may have some SSL cert issues. Communication
>> between Portus and the registry is done using SSL certificates. You can try
>> running registry with an insecure flag (see registry --help) to test if
>> that is the case. If so, you need to add the Portus certificate to your system.
>>
>> In order to do that, you need to add your certificate authority (*ca.crt)
>> into /etc/pki/trust/anchors/ and then run sudo update-ca-certificates
>> (assuming you are running suse).
>>
>> I hope this helps.
>>
>> Otherwise, send us the output of the registry command which may give us a
>> clue.
>>
>>
>>
>>
>> On Thu, Jan 21, 2016 at 11:32 PM, Jordi Massaguer Pla <jmassaguerpla at suse.de> wrote:
>>
>>> I guess you have not run the portusctl command.
>>>
>>> After installing the rpm, you need to run
>>>
>>> "portusctl setup --local-registry"
>>>
>>> I am assuming you have a docker registry running on your box (install it
>>> with zypper install docker-distribution-registry)
>>>
>>> Also, make sure you have mariadb installed and running.
>>>
>>> cheers
>>>
>>> On 01/21/2016 03:12 AM, Benjamin Fernandis wrote:
>>>
>>> I pass the variables below to the docker registry container:
>>>
>>> docker run \
>>> -d --restart=always --name registry \
>>> -e REGISTRY_LOG_LEVEL=debug \
>>> -p 5000:5000 \
>>> -e SEARCH_BACKEND=sqlalchemy \
>>> -e REGISTRY_AUTH_TOKEN_REALM="http://192.168.1.20:3000/v2/token" \
>>> -e REGISTRY_AUTH_TOKEN_SERVICE="192.168.1.20:5000" \
>>> -v /home/test/data:/var/lib/registry \
>>> registry:2.1
>>>
>>> where 192.168.1.20 is IP for docker registry.
>>>
>>> But still I cannot log in with the docker login command line. Do I need
>>> to add anything in Portus?
>>>
>>> On Thu, Jan 21, 2016 at 2:04 PM, Benjamin Fernandis <benjo11111 at gmail.com> wrote:
>>>
>>>> I deployed Portus on openSUSE. I cannot find the /etc/registry/config.yml
>>>> file on the Portus machine.
>>>>
>>>> Do I need to add the above lines in the docker registry container or in the
>>>> Portus VM?
>>>>
>>>>
>>>> On Thu, Jan 21, 2016 at 2:00 PM, Aleksa Sarai <asarai at suse.de> wrote:
>>>>
>>>>> On 01/21/2016 11:53 AM, Benjamin Fernandis wrote:
>>>>>
>>>>>> Hi Miquel,
>>>>>>
>>>>>> I deployed the rpm version on openSUSE and it is working fine.
>>>>>>
>>>>>> Can you please guide me on what is required to enable login from the docker
>>>>>> command line?
>>>>>>
>>>>>> Currently I tested Portus integration with the docker registry and LDAP
>>>>>> authentication to Portus from the web interface.
>>>>>>
>>>>>> Trying to do a command-line docker login and getting the error below.
>>>>>>
>>>>>> Error response from daemon: no successful auth challenge for
>>>>>> http://192.168.1.20:5000/v2/ - errors: []
>>>>>>
>>>>>
>>>>> Are you running Portus using docker-compose? If so, you need
>>>>> docker-compose version 1.5.2 or later.
>>>>>
>>>>> Otherwise, please make sure that your *daemon* can access the IP
>>>>> address of the docker registry given in /etc/registry/config.yml
>>>>> in the "realm" field:
>>>>>
>>>>> auth:
>>>>>   token:
>>>>>     realm: http://172.17.0.1:3000/v2/token
>>>>>     service: 172.17.0.1:5000
>>>>>
>>>>> And that the "service" is the same as the one you registered when you
>>>>> first started Portus (this is more likely to be the cause).
>>>>>
>>>>> --
>>>>> Aleksa Sarai
>>>>> Docker Core Specialist
>>>>> SUSE Australia
>>>>> https://www.cyphar.com/
>>>>>
>>>>> _______________________________________________
>>>>> Containers mailing list
>>>>> Containers at lists.suse.com
>>>>> http://lists.suse.com/mailman/listinfo/containers
>>>>>
>>>>
>>>>
>>>
>>>
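Two checks behind the flow Jordi describes (docker asks the registry, the registry points docker at the Portus token realm, and the registry then accepts a token only if its audience matches its own service), as an added example that is not code from the thread, from Portus or from the registry. The HTTP responses and tokens are constructed; the `WWW-Authenticate` header layout and the aud/exp claim checks are assumptions about how the registry's token auth behaves.

```python
import base64
import json
import re
import time

# Constructed sample responses to GET /v2/. A registry with token auth active
# answers 401 plus a Bearer challenge; the registry in the thread answered 200
# with no challenge, which docker reports as "no successful auth challenge".
CHALLENGE_OK = {"status": 401, "headers": {"WWW-Authenticate":
    'Bearer realm="http://10.17.1.22:3000/v2/token",service="10.17.1.22:5000"'}}
CHALLENGE_MISSING = {"status": 200, "headers": {"Content-Type": "application/json"}}

_PARAM = re.compile(r'(\w+)="([^"]*)"')

def parse_challenge(resp):
    """Return the Bearer challenge parameters (realm, service, ...) docker would
    follow, or None when the registry did not actually demand token auth."""
    hdr = next((v for k, v in resp["headers"].items()
                if k.lower() == "www-authenticate"), "")
    if resp["status"] != 401 or not hdr.startswith("Bearer "):
        return None
    return dict(_PARAM.findall(hdr[len("Bearer "):]))

def _b64url(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def token_claims(jwt):
    """Decode the JWT payload only; signature checking is the registry's job
    (done against the root cert bundle it is configured with)."""
    return json.loads(_b64url(jwt.split(".")[1]))

def check_token(jwt, service, now=None):
    """List the claim problems that would make the registry reject a token:
    aud must equal REGISTRY_AUTH_TOKEN_SERVICE, exp must be in the future."""
    now = time.time() if now is None else now
    c = token_claims(jwt)
    problems = []
    if c.get("aud") != service:
        problems.append(f"aud {c.get('aud')!r} != service {service!r}")
    if c.get("exp", 0) <= now:
        problems.append("token expired")
    if not c.get("iss"):
        problems.append("missing iss")
    return problems

def make_unsigned_token(claims):
    """Constructed, unsigned token in JWT layout (header.payload.) for tests."""
    enc = lambda d: base64.urlsafe_b64encode(
        json.dumps(d).encode()).decode().rstrip("=")
    return f"{enc({'typ': 'JWT', 'alg': 'none'})}.{enc(claims)}."
```

Running `parse_challenge` against a real `GET /v2/` response tells you whether the registry ever asked for a token; `check_token` on the JSON the realm returns shows whether Portus issued it for the service the registry was started with.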