[Containers] integration with existing registry and ldap authentication

Benjamin Fernandis benjo11111 at gmail.com
Thu Jan 28 14:22:49 MST 2016


Hi Jordi,

Thanks for your reply. Yes, in my earlier mails I set up an openSUSE VM in which
I configured Portus from the RPM, and it was working fine, but I was facing the same
problem with the docker login CLI; in the logs I found the proxy, as we have a proxy in
the network, and troubleshot this problem. Currently I deploy Portus and the
other components in containers on one physical machine, as mentioned above.

Can you please look once again at my docker container configuration above
and suggest whether there is any configuration problem?

I am thinking that I am making a small mistake here which has gone
unnoticed. We define the environment variables below in the registry container; is it
correct?

-e REGISTRY_AUTH_TOKEN_ISSUER=<CONTAINER_IP> \
-e REGISTRY_AUTH_TOKEN_REALM="http://<PORTUS_IP>:3000/v2/token" \
-e REGISTRY_AUTH_TOKEN_SERVICE="<CONTAINER_IP>:5000" \

Thanks



On Thu, Jan 28, 2016 at 11:03 PM, Jordi Massaguer Pla <jmassaguerpla at suse.de> wrote:

> Hi Benjamin,
>
> for some reason I misunderstood you and I thought you were using the RPMs.
> We'll try to reproduce your setup and tell you what is missing.
>
> regards
>
> jordi
>
>
> On 01/26/2016 10:26 PM, Benjamin Fernandis wrote:
>
> Hi,
>
> To test it outside the proxy, I set up Portus and the registry as containers on a single
> physical machine which is outside the proxy configuration.
>
> My docker file for the registry:
>
> docker run \
> --name registry \
> -e REGISTRY_LOG_LEVEL=debug \
> --net=host \
> -e SEARCH_BACKEND=sqlalchemy \
> -e REGISTRY_AUTH_TOKEN_ISSUER="10.17.1.22" \
> -e REGISTRY_AUTH_TOKEN_REALM="http://10.17.1.22:3000/v2/token" \
> -e REGISTRY_AUTH_TOKEN_SERVICE="10.17.1.22:5000" \
> -v /etc/localtime:/etc/localtime:ro \
> -v `pwd`/data:/var/lib/registry \
> registry:2.1
>
>
> Docker file for Portus:
>
> docker run \
>   -d --restart=always --name portus \
>   --net=host \
>   -e PORTUS_MACHINE_FQDN="hostname" \
>   -e PORTUS_KEY_PATH="key.pem" \
>   -e PORTUS_LDAP_ENABLED=true \
>   -e PORTUS_LDAP_HOSTNAME=ldap.example.com \
>   -e PORTUS_LDAP_PORT=389 \
>   -e PORTUS_LDAP_METHOD=plain \
>   -e PORTUS_LDAP_BASE="xyz" \
>   -e PORTUS_LDAP_UID="xyz" \
>   -e PORTUS_LDAP_AUTHENTICATION_ENABLED=true \
>   -e PORTUS_LDAP_AUTHENTICATION_BIND_DN="xyz" \
>   -e PORTUS_LDAP_AUTHENTICATION_PASSWORD="xyz" \
>   -e PORTUS_PRODUCTION_HOST=10.17.1.22 \
>   -e PORTUS_PRODUCTION_DATABASE=portus \
>   -e PORTUS_PRODUCTION_USERNAME=portus \
>   -e PORTUS_PRODUCTION_PASSWORD=portuspassword \
>   -e PORTUS_GRAVATAR_ENABLED=true \
>   -e PORTUS_PASSWORD="portuspassword" \
>   -e PORTUS_SECRET_KEY_BASE="xyz" \
>   -e REGISTRY_USE_SSL=true \
>   -e PORTUS_CHECK_SSL_USAGE_ENABLED=false \
>   -e CATALOG_CRON="2.minutes" \
>   sshipway/portus:2.0.0
>
>
>
> After running both the registry and Portus, I can do LDAP login through the Portus
> web page and add the registry.
>
> # curl -ik --user $user:$password http://10.17.1.22:3000/v2/token?account=$user\&service=10.17.1.22:5000
> HTTP/1.1 200 OK
> X-Frame-Options: SAMEORIGIN
> X-XSS-Protection: 1; mode=block
> X-Content-Type-Options: nosniff
> Content-Type: application/json; charset=utf-8
> ETag: W/"948072053b84e6aa8ca2d7e830bba73c"
> Cache-Control: max-age=0, private, must-revalidate
> Set-Cookie:
> _portus_session=M2dxWkNmWFBzMmo1NGhzYTlpOEIzNWtLTVBPazl0RnRMVHdzMzhjWnZqVDZWZXdWMnVIWjlrYVFrQk5rZGFYMEVvRWRDR2hOMVFUaGltZHZOL05NY1E9PS0tekE4RDRZUTVPdnhZakhjbkZZS0I2UT09--8a3bd444275d60c9dd9a71ff5ef4310ad2fd2422;
> path=/; HttpOnly
> X-Request-Id: 3d602c82-5445-46f3-b8ba-6d187e060dd7
> X-Runtime: 5.052285
> Transfer-Encoding: chunked
>
>
> {"token":"eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6IllGVEM6MjNSUjpCRUJBOktSTDc6SkFKUjpTSFg0OkEzNks6TU5LSzpBWTVTOlpMWlg6UVBQVzpSMk02In0.eyJpc3MiOiJvcGVuc3RhY2sucGZyLmNvLm56Iiwic3ViIjoiIiwiYXVkIjoiMTAuMTcuMS4yMjo1MDAwIiwiaWF0IjoxNDUzODQzMzMzLCJuYmYiOjE0NTM4NDMzMjgsImV4cCI6MTQ1Mzg0MzYzMywianRpIjoiNlQ4Wk1vajQzeEh5aGlQcnNhWlNmdmVmYjNZQ285NFhzU3FGVXFxNTgxIn0.iG6iKw8BFogtXF50b0Zhy7LVFv1hetvQu1UCKPSLmAIbnkH3_F_-oHjJ7l6OeHvTyIxc_aa5EQ9CPIbDfW9xFmHS436FsLYlq64c8PqC6sgTAGVmDSzsUHReLG0H9cRHv7kVtbGJkR_4Bim4tjR3DWho2QyuaEQ8GzA6XnhRGfqe25SPMT48YAijDRs6R_X0jVMiJQBecLZ620tapGdmC9gm1qKAeinQbY2SmcYCyi6MV-VFbApWuY9Nzc71HRYW4I4AH1Gle9sG3p9ua82-7Bj6T0zykqbx8iJ5KvBhMnxz9lqtdO40m_sZiSpvepuxRO-VUy5M-Yi_8qb8rCKhhA"}
>
>
> And when I tried docker login 10.17.1.22:5000:
> Username: user
> Password:
> Email: email-id
> Error response from daemon: no successful auth challenge for
> http://10.17.1.22:5000/v2/ - errors: []
>
>
> Registry logs:
>
> time="2016-01-27T10:20:03.057481195+13:00" level=debug msg="authorizing
> request" http.request.host="10.17.1.22:5000" http.request.id=ce2dd545-d0bf-42da-a3b8-a5f143a842d0
> http.request.method=GET http.request.remoteaddr="10.17.1.22:45211"
> http.request.uri="/v2/" http.request.useragent="docker/1.8.2-el7.centos
> go/go1.4.2 kernel/3.10.0-229.14.1.el7.x86_64 os/linux arch/amd64"
> instance.id=4bce4b2e-9bb0-4a36-911e-18f7729ee1a2 service=registry
> version=v2.1.1
>
> time="2016-01-27T10:20:03.057594847+13:00" level=info msg="response
> completed" http.request.host="10.17.1.22:5000" http.request.id=ce2dd545-d0bf-42da-a3b8-a5f143a842d0
> http.request.method=GET http.request.remoteaddr="10.17.1.22:45211"
> http.request.uri="/v2/" http.request.useragent="docker/1.8.2-el7.centos
> go/go1.4.2 kernel/3.10.0-229.14.1.el7.x86_64 os/linux arch/amd64"
> http.response.contenttype="application/json; charset=utf-8"
> http.response.duration=3.085575ms http.response.status=200
> http.response.written=2 instance.id=4bce4b2e-9bb0-4a36-911e-18f7729ee1a2
> service=registry version=v2.1.1
>
> 10.17.1.22 - - [27/Jan/2016:10:20:03 +1300] "GET /v2/ HTTP/1.1" 200 2 ""
> "docker/1.8.2-el7.centos go/go1.4.2 kernel/3.10.0-229.14.1.el7.x86_64
> os/linux arch/amd64"
>
>
> Please correct me if I am making any configuration mistake, and please suggest
> how to resolve this.
>
> I am not using the Docker registry with SSL. I configured --insecure-registry
> in the Docker config.
>
> 10.17.1.22 is the IP of the physical machine, running CentOS 7, where I deployed
> the Portus and registry containers.
>
> Regards
> Ben
>
> On Mon, Jan 25, 2016 at 10:44 PM, Jordi Massaguer Pla <jmassaguerpla at suse.de> wrote:
>
>> I am a bit confused... the log you are sending us states
>>
>> http.response.status=200
>>
>> I don't see any error on the authentication nor in the certificates ...
>>
>> Might it be a problem because of the proxy you have? Can you try without
>> the proxy, like running docker where you have the registry or Portus
>> installed? If that were the problem, we could narrow it down and try to
>> reproduce it.
>>
>> This is how it works: docker tries to log in to the registry, and the registry
>> forwards/delegates the authentication to Portus, which in turn uses
>> LDAP for that.
>>
>> thanks
>>
>>
>>
>> On 01/24/2016 10:59 PM, Benjamin Fernandis wrote:
>>
>> Hi,
>>
>> I added -e REGISTRY_AUTH_TOKEN_SERVICE="192.168.1.20:5000" as
>> suggested above, and enabled debug mode with stdout log messages as
>> suggested.
>>
>> Now I can see the logs below:
>>
>> time="2016-01-25T09:50:15.967721182+13:00" level=debug
>> msg="filesystem.List(\"/\")" instance.id=92f79a6e-4330-422b-9833-03bd9201b3a6
>> service=registry trace.duration=125.467µs
>> trace.file="/go/src/github.com/docker/distribution/registry/storage/driver/base/base.go"
>> trace.func="github.com/docker/distribution/registry/storage/driver/base.(*Base).List"
>> trace.id=474f03d6-233f-4a6a-97d8-307fc389b594 trace.line=123
>> version=v2.1.1
>>
>> time="2016-01-25T09:50:25.806341211+13:00" level=debug msg="authorizing
>> request" http.request.host="192.168.1.20:5000" http.request.id=6b96abae-ecca-4891-ab53-18f9d5babe4a
>> http.request.method=GET http.request.remoteaddr="192.168.1.30:21734"
>> http.request.uri="/v2/" http.request.useragent="docker/1.9.1-fc23
>> go/go1.5.1 git-commit/110aed2-dirty kernel/4.3.3-300.fc23.x86_64 os/linux
>> arch/amd64" instance.id=92f79a6e-4330-422b-9833-03bd9201b3a6
>> service=registry version=v2.1.1
>>
>> time="2016-01-25T09:50:25.806495043+13:00" level=info msg="response
>> completed" http.request.host="192.168.1.20:5000" http.request.id=6b96abae-ecca-4891-ab53-18f9d5babe4a
>> http.request.method=GET http.request.remoteaddr="192.168.1.30:21734"
>> http.request.uri="/v2/" http.request.useragent="docker/1.9.1-fc23
>> go/go1.5.1 git-commit/110aed2-dirty kernel/4.3.3-300.fc23.x86_64 os/linux
>> arch/amd64" http.response.contenttype="application/json; charset=utf-8"
>> http.response.duration=4.930233ms http.response.status=200
>> http.response.written=2 instance.id=92f79a6e-4330-422b-9833-03bd9201b3a6
>> service=registry version=v2.1.1
>>
>> 192.168.1.30 - - [25/Jan/2016:09:50:25 +1300] "GET /v2/ HTTP/1.1" 200 2 ""
>> "docker/1.9.1-fc23 go/go1.5.1 git-commit/110aed2-dirty
>> kernel/4.3.3-300.fc23.x86_64 os/linux arch/amd64"
>>
>> time="2016-01-25T09:50:25.967676129+13:00" level=debug
>> msg="filesystem.List(\"/\")" instance.id=92f79a6e-4330-422b-9833-03bd9201b3a6
>> service=registry trace.duration=110.255µs
>> trace.file="/go/src/github.com/docker/distribution/registry/storage/driver/base/base.go"
>> trace.func="github.com/docker/distribution/registry/storage/driver/base.(*Base).List"
>> trace.id=9e90391a-ff1d-4122-a73e-188388ebd28b trace.line=123
>> version=v2.1.1
>>
>>
>> We have a proxy in the network and its IP is 192.168.1.30.
>>
>> I am not using an SSL certificate here and I set insecure-registry in the
>> configuration.
>>
>> I enabled LDAP in Portus and I can do LDAP authentication for Portus
>> interface access.
>>
>> Here, my confusion is: when I do docker login 192.168.1.20:5000,
>> does it go to Portus for the LDAP authentication check of the username,
>> password and email ID entered in the docker login command? Or
>>
>> Here I haven't configured nginx or any other setup.
>>
>> Please let me know if I am missing anything here.
>>
>> My docker registry command:
>>
>> docker run \
>> -d --restart=always --name registry \
>> -e REGISTRY_LOG_LEVEL=debug \
>> -p 5000:5000 \
>> -e SEARCH_BACKEND=sqlalchemy \
>> -e REGISTRY_AUTH_TOKEN_REALM="http://192.168.1.20:3000/v2/token" \
>> -e REGISTRY_AUTH_TOKEN_SERVICE="192.168.1.20:5000" \
>> -v /home/test/data:/var/lib/registry \
>> registry:2.1
>>
>> On Fri, Jan 22, 2016 at 10:04 PM, Jordi Massaguer Pla <jmassaguerpla at suse.de> wrote:
>>
>>>
>>>
>>> On 01/21/2016 09:41 PM, Benjamin Fernandis wrote:
>>>
>>> Hi,
>>>
>>> I have the Docker registry on another host and Portus in an openSUSE VM.
>>>
>>> Currently I can do LDAP authentication to access the Portus web interface,
>>> and I can see the global namespace and my own namespace; all is working there.
>>>
>>> But when I tried to do docker login <docker_registry:5000> it is not working,
>>> and I got: Error response from daemon: no successful auth challenge for
>>> http://192.168.1.20:5000/v2/ - errors: []
>>>
>>> Portus (openSUSE VM) - 192.168.1.10
>>> Docker (registry container on a different host, but accessible from
>>> Portus) - 192.168.1.20:5000
>>>
>>> Do I need to do any other configuration for this?
>>>
>>>
>>> Please try the following. On 192.168.1.20, stop the registry as a daemon and
>>> start it manually. If it is SUSE, you can do that with
>>>
>>> sudo registry /etc/config.yml
>>>
>>> This will show you the log on stdout.
>>>
>>> Then try again and look for a better explanation of the error.
>>>
>>> You may also want to enable debug in the config.yml file.
>>>
>>> My guess is that you may have some SSL cert issues. Communication
>>> between Portus and the registry is done using SSL certificates. You can try
>>> running the registry with an insecure flag (see registry --help) to test if
>>> that is the case. If so, you need to add the Portus certificate to your system.
>>>
>>> In order to do that, you need to add your certificate authority
>>> (*ca.crt) into /etc/pki/trust/anchors/ and then run sudo
>>> update-ca-certificates (assuming you are running SUSE).
>>>
>>> I hope this helps.
>>>
>>> Otherwise, send us the output of the registry command, which may give us
>>> a clue.
>>>
>>>
>>>
>>>
>>> On Thu, Jan 21, 2016 at 11:32 PM, Jordi Massaguer Pla <jmassaguerpla at suse.de> wrote:
>>>
>>>> I guess you have not run portusctl command.
>>>>
>>>> After installing the rpm, you need to run
>>>>
>>>> "portusctl setup --local-registry"
>>>>
>>>> I am assuming you have a Docker registry running on your box (install
>>>> it with zypper install docker-distribution-registry).
>>>>
>>>> Also, make sure you have MariaDB installed and running.
>>>>
>>>> cheers
>>>>
>>>> On 01/21/2016 03:12 AM, Benjamin Fernandis wrote:
>>>>
>>>> I pass the variables below to the Docker registry container:
>>>>
>>>> docker run \
>>>> -d --restart=always --name registry \
>>>> -e REGISTRY_LOG_LEVEL=debug \
>>>> -p 5000:5000 \
>>>> -e SEARCH_BACKEND=sqlalchemy \
>>>> -e REGISTRY_AUTH_TOKEN_REALM="http://192.168.1.20:3000/v2/token" \
>>>> -e REGISTRY_AUTH_TOKEN_SERVICE="192.168.1.20:5000" \
>>>> -v /home/test/data:/var/lib/registry \
>>>> registry:2.1
>>>>
>>>> where 192.168.1.20 is the IP of the Docker registry.
>>>>
>>>> But I still cannot log in with the docker login command line. Do I need
>>>> to add anything in Portus?
>>>>
>>>> On Thu, Jan 21, 2016 at 2:04 PM, Benjamin Fernandis <benjo11111 at gmail.com> wrote:
>>>>
>>>>> I deployed Portus on openSUSE. I cannot find the /etc/registry/config.yml
>>>>> file on the Portus machine.
>>>>>
>>>>> Do I need to add the above lines in the Docker registry container or in the
>>>>> Portus VM?
>>>>>
>>>>>
>>>>> On Thu, Jan 21, 2016 at 2:00 PM, Aleksa Sarai <asarai at suse.de> wrote:
>>>>>
>>>>>> On 01/21/2016 11:53 AM, Benjamin Fernandis wrote:
>>>>>>
>>>>>>> Hi Miquel,
>>>>>>>
>>>>>>> I deployed the RPM version on openSUSE and it is working fine.
>>>>>>>
>>>>>>> Can you please guide me on what is required to enable login from the docker
>>>>>>> command line.
>>>>>>>
>>>>>>> Currently I have tested Portus integration with the Docker registry and LDAP
>>>>>>> authentication to Portus from the web interface.
>>>>>>>
>>>>>>> Trying to do a command line docker login, I get the error below.
>>>>>>>
>>>>>>> Error response from daemon: no successful auth challenge for
>>>>>>> http://192.168.1.20:5000/v2/ -
>>>>>>> errors: []
>>>>>>>
>>>>>>
>>>>>> Are you running Portus using docker-compose? If so, you need
>>>>>> docker-compose version 1.5.2 or later.
>>>>>>
>>>>>> Otherwise, please make sure that your *daemon* can access the IP
>>>>>> address of the docker registry given in /etc/registry/config.yml
>>>>>> in the "realm" field:
>>>>>>
>>>>>> auth:
>>>>>>   token:
>>>>>>     realm: http://172.17.0.1:3000/v2/token
>>>>>>     service: 172.17.0.1:5000
>>>>>>
>>>>>> And that the "service" is the same as the one you registered when you
>>>>>> first started Portus (this is more likely to be the cause).
>>>>>>
>>>>>> --
>>>>>> Aleksa Sarai
>>>>>> Docker Core Specialist
>>>>>> SUSE Australia
>>>>>> https://www.cyphar.com/
>>>>>>
>>>>>> _______________________________________________
>>>>>> Containers mailing list
>>>>>> Containers at lists.suse.com
>>>>>> http://lists.suse.com/mailman/listinfo/containers
>>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>
>>>
>>
>>
>
>
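The handshake Jordi describes in this thread, walked through offline as an added example (this is not code from Portus or from docker/distribution; the Portus and registry addresses, the `fetch` callables and the two stand-in registries are assumptions built from the values posted above): `docker login` first requests `/v2/`, expects a `WWW-Authenticate: Bearer realm=...,service=...` challenge, then asks the realm (Portus, which checks the credentials against LDAP) for a token, and the registry later verifies that token's signature and compares its `iss` and `aud` claims with its own `REGISTRY_AUTH_TOKEN_ISSUER` and `REGISTRY_AUTH_TOKEN_SERVICE`. The first stand-in registry mirrors the log posted above, where `GET /v2/` is answered `200` with two bytes written and no challenge header; a client that sees that has no scheme to try, which is exactly the condition behind `no successful auth challenge for ... - errors: []` (the empty list means zero challenges were collected, not that one was rejected). The second stand-in issues a proper Bearer challenge and hands back the token Portus returned in the curl output above; the example decodes that token's claims without verifying the RS256 signature (a registry does that with its root certificate bundle, `REGISTRY_AUTH_TOKEN_ROOTCERTBUNDLE` in the env-var form used here, which none of the registry commands in the thread set) and reports the claims a registry started with the posted values would reject: the token's `iss` is `openstack.pfr.co.nz`, not `10.17.1.22`.

```python
"""Docker Registry v2 token-auth handshake, walked offline.

Added example, not Portus or docker/distribution code. The two registries are
constructed stand-ins; the JWT is the one Portus returned in the curl output
quoted in this thread.
"""
import base64
import json
import re
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import urlencode

# A fetch returns (status, headers, body). A real client sends the user's
# credentials as HTTP Basic auth when it calls the realm; assumed away here.
Response = Tuple[int, Dict[str, str], bytes]
Fetch = Callable[[str], Response]

REGISTRY = "10.17.1.22:5000"                     # addresses from the thread
TOKEN_REALM = "http://10.17.1.22:3000/v2/token"
ISSUER = "10.17.1.22"                            # REGISTRY_AUTH_TOKEN_ISSUER as posted

# Copied from the thread's curl output: header.payload.signature
PAGE_TOKEN = (
    "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6IllGVEM6MjNSUjpCRUJBOktSTDc6SkFKUjpTSFg0"
    "OkEzNks6TU5LSzpBWTVTOlpMWlg6UVBQVzpSMk02In0"
    ".eyJpc3MiOiJvcGVuc3RhY2sucGZyLmNvLm56Iiwic3ViIjoiIiwiYXVkIjoiMTAuMTcuMS4yMjo1MDAwIiwi"
    "aWF0IjoxNDUzODQzMzMzLCJuYmYiOjE0NTM4NDMzMjgsImV4cCI6MTQ1Mzg0MzYzMywianRpIjoiNlQ4Wk1v"
    "ajQzeEh5aGlQcnNhWlNmdmVmYjNZQ285NFhzU3FGVXFxNTgxIn0"
    ".iG6iKw8BFogtXF50b0Zhy7LVFv1hetvQu1UCKPSLmAIbnkH3_F_-oHjJ7l6OeHvTyIxc_aa5EQ9CPIbDfW9x"
    "FmHS436FsLYlq64c8PqC6sgTAGVmDSzsUHReLG0H9cRHv7kVtbGJkR_4Bim4tjR3DWho2QyuaEQ8GzA6XnhR"
    "Gfqe25SPMT48YAijDRs6R_X0jVMiJQBecLZ620tapGdmC9gm1qKAeinQbY2SmcYCyi6MV-VFbApWuY9Nzc71"
    "HRYW4I4AH1Gle9sG3p9ua82-7Bj6T0zykqbx8iJ5KvBhMnxz9lqtdO40m_sZiSpvepuxRO-VUy5M-Yi_8qb8"
    "rCKhhA"
)


def parse_bearer_challenge(header: str) -> Optional[Dict[str, str]]:
    """Parse 'Bearer realm="...",service="..."[,scope="..."]'; None if not Bearer."""
    scheme, _, params = header.strip().partition(" ")
    if scheme.lower() != "bearer":
        return None
    return dict(re.findall(r'(\w+)="([^"]*)"', params))


def token_request_url(challenge: Dict[str, str], account: str) -> str:
    """URL the daemon asks the realm for; 'scope' only appears on push/pull."""
    query = {"service": challenge["service"], "account": account}
    if "scope" in challenge:
        query["scope"] = challenge["scope"]
    return challenge["realm"] + "?" + urlencode(query)


def login_v2(fetch: Fetch, registry: str, account: str) -> Tuple[str, str]:
    """Mimic `docker login`. Returns (outcome, detail); outcome is one of
    'no_challenge', 'unsupported_scheme', 'token_rejected', 'ok'."""
    status, headers, _ = fetch(f"http://{registry}/v2/")
    www = headers.get("WWW-Authenticate")
    if www is None:
        # Nothing to try: this is the state behind
        # "no successful auth challenge for http://.../v2/ - errors: []"
        return "no_challenge", f"GET /v2/ -> {status} with no WWW-Authenticate"
    challenge = parse_bearer_challenge(www)
    if challenge is None:
        return "unsupported_scheme", www
    url = token_request_url(challenge, account)
    status, _, body = fetch(url)
    if status != 200:
        return "token_rejected", f"{url} -> {status}"
    return "ok", json.loads(body)["token"]


def jwt_claims(token: str) -> Tuple[dict, dict]:
    """Decode JWT header and payload. The signature is NOT verified here."""
    def b64url(part: str) -> bytes:
        return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))
    header, payload, _signature = token.split(".")
    return json.loads(b64url(header)), json.loads(b64url(payload))


def claim_mismatches(token: str, issuer: str, service: str) -> List[str]:
    """Checks a registry makes (besides signature and expiry) against its
    REGISTRY_AUTH_TOKEN_ISSUER and REGISTRY_AUTH_TOKEN_SERVICE settings."""
    _, claims = jwt_claims(token)
    problems = []
    if claims.get("iss") != issuer:
        problems.append(f"iss={claims.get('iss')!r} but registry issuer={issuer!r}")
    if claims.get("aud") != service:
        problems.append(f"aud={claims.get('aud')!r} but registry service={service!r}")
    return problems


def silent_registry(url: str) -> Response:
    """Constructed: mirrors the log above (200, two bytes written, no challenge)."""
    return 200, {"Docker-Distribution-Api-Version": "registry/2.0"}, b"{}"


def challenging_registry(url: str) -> Response:
    """Constructed: what a registry with token auth configured answers."""
    if url.endswith("/v2/"):
        www = f'Bearer realm="{TOKEN_REALM}",service="{REGISTRY}"'
        return 401, {"Docker-Distribution-Api-Version": "registry/2.0",
                     "WWW-Authenticate": www}, b'{"errors":[]}'
    if url.startswith(TOKEN_REALM):
        return 200, {"Content-Type": "application/json"}, json.dumps({"token": PAGE_TOKEN}).encode()
    return 404, {}, b""


if __name__ == "__main__":
    for name, reg in (("silent", silent_registry), ("challenging", challenging_registry)):
        outcome, detail = login_v2(reg, REGISTRY, "user")
        print(f"{name}: {outcome}" + ("" if outcome == "ok" else f": {detail}"))
        if outcome == "ok":
            for problem in claim_mismatches(detail, ISSUER, REGISTRY):
                print("  registry would reject:", problem)
```

Run it directly to see both outcomes. In a real client the `fetch` of the realm URL carries the user's credentials as HTTP Basic auth, which is what Portus checks against LDAP; the registry itself never sees the password, only the signed token, so `iss`, `aud`, the signature and the expiry window (`exp - iat`, 300 seconds for the token above) are all it has to go on.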