Anonymous pull on docker repo in artifactory - authentication

I am on artifactory version 4.6 and have the following requirement on the docker registry.
Allow anonymous pulls on docker repository
Force authentication on the SAME docker repository
I know this is available out of the box on the later versions of artifactory. However, upgrading isn't an option for us for a while.
Does the following workaround work?
Create a virtual docker repository on port 8443 and don't force authentication, call it docker-virtual
Create a local docker repository and force authentication, call it docker-local on port 8444
Configure 'docker-virtual' with the default deployment directory as 'docker-local'
docker pull docker-virtual should work
docker push docker-virtual should ask for credentials
Upon failure, I should be able to docker login docker-virtual
and docker push docker-virtual/myImage

Not sure about the artifactory side, but perhaps the following Docker advice helps.
You can run two registries, one RW with authentication, and a second RO without any authentication, in Docker:
docker run -d -p 5000:5000 --restart=always --name registry \
-v `pwd`/certs:/certs:ro \
-v `pwd`/auth/htpasswd:/auth/htpasswd:ro \
-v `pwd`/registry:/var/lib/registry \
-e "REGISTRY_HTTP_TLS_CERTIFICATE=/certs/host-cert.pem" \
-e "REGISTRY_HTTP_TLS_KEY=/certs/host-key.pem" \
-e "REGISTRY_AUTH=htpasswd" \
-e "REGISTRY_AUTH_HTPASSWD_REALM=My Registry" \
-e "REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd" \
-e "REGISTRY_STORAGE_FILESYSTEM_ROOTDIRECTORY=/var/lib/registry" \
registry:2
docker run -d -p 5001:5000 --restart=always --name registry-ro \
-v `pwd`/certs:/certs:ro \
-v `pwd`/auth/htpasswd:/auth/htpasswd:ro \
-v `pwd`/registry:/var/lib/registry:ro \
-e "REGISTRY_HTTP_TLS_CERTIFICATE=/certs/host-cert.pem" \
-e "REGISTRY_HTTP_TLS_KEY=/certs/host-key.pem" \
-e "REGISTRY_STORAGE_FILESYSTEM_ROOTDIRECTORY=/var/lib/registry" \
registry:2
Note the volume settings for /var/lib/registry in each container. Then to pull from the anonymous registry, you'd just need to change the port. Since the filesystem is RO, any attempt to push to 5001 will fail.

The closest thing you can achieve is failing on docker push without credentials (while succeeding with pull).

No idea if this works with artifactory sorry.... you could try this handy project for docker registry auth.
Configure the registry to use this https://hub.docker.com/r/cesanta/docker_auth/
# registry config.yml
...
auth:
  token:
    # can be the same as your docker registry if you use nginx to proxy /auth to docker_auth
    # https://docs.docker.com/registry/recipes/nginx/
    realm: "example.com:5001/auth"
    service: "Docker registry"
    issuer: "Docker Registry auth server"
    rootcertbundle: /certs/domain.crt
And allow anonymous with the corresponding ACL
# cesanta/docker_auth auth_config.yml
...
users:
  # Password is specified as a BCrypt hash. Use htpasswd -B to generate.
  "admin":
    password: "$2y$05$LO.vzwpWC5LZGqThvEfznu8qhb5SGqvBSWY1J3yZ4AxtMRZ3kN5jC" # badmin
  "": {} # Allow anonymous (no "docker login") access.
ldap_auth:
  # See: https://github.com/cesanta/docker_auth/blob/master/examples/ldap_auth.yml
acl:
  # See https://github.com/cesanta/docker_auth/blob/master/examples/reference.yml#L178
  - match: {account: "/.+/"}
    actions: ["*"]
    comment: "Logged in users do anything."
  - match: {account: ""}
    actions: ["pull"]
    comment: "Anonymous users can pull anything."
  # Access is denied by default.
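As an added illustration (not part of the original answer and not docker_auth's own code), here is a small Python model of how the two ACL rules above get evaluated: the first matching rule wins, values written as "/.../" are regular expressions, "*" grants every requested action, and no match means deny. It assumes the token-request scope shape "repository:<name>:<actions>" that the Docker client sends, and the repository name "myimage" is a constructed sample.

```python
import re

# The two rules from the auth_config.yml above, in evaluation order:
# logged-in users (any non-empty account) may do anything, anonymous
# users (empty account) may only pull.
ACL = [
    {"match": {"account": "/.+/"}, "actions": ["*"]},
    {"match": {"account": ""}, "actions": ["pull"]},
]


def _field_matches(pattern, value):
    # A value written as "/.../" is a regular expression that must match the
    # whole field; anything else is compared as a literal string.
    if len(pattern) >= 2 and pattern[0] == "/" and pattern[-1] == "/":
        return re.fullmatch(pattern[1:-1], value) is not None
    return pattern == value


def parse_scope(scope):
    # Scope as the Docker client sends it in a token request, e.g.
    # "repository:myimage:pull,push" (shape assumed from the token flow).
    kind, name, actions = scope.split(":", 2)
    return kind, name, actions.split(",")


def allowed_actions(acl, account, scope):
    """Return the requested actions the first matching rule grants.

    Rule fields checked: "account" (the logged-in user, "" for anonymous)
    and "name" (the repository). Fields a rule does not mention are
    unconstrained. An empty list means the request is denied, which is
    the default when no rule matches.
    """
    _, name, requested = parse_scope(scope)
    request = {"account": account, "name": name}
    for rule in acl:
        if all(_field_matches(p, request.get(k, "")) for k, p in rule["match"].items()):
            granted = rule["actions"]
            if "*" in granted:
                return list(requested)
            return [a for a in requested if a in granted]
    return []


if __name__ == "__main__":
    # Anonymous "docker push" asks for pull,push and only gets pull back,
    # so the registry rejects the push; an anonymous "docker pull" still works.
    print(allowed_actions(ACL, "", "repository:myimage:pull,push"))       # ['pull']
    print(allowed_actions(ACL, "admin", "repository:myimage:pull,push"))  # ['pull', 'push']
```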

Related

Cannot connect via SSH from Github Action workflow

Connection to created Droplet via SSH by Github Actions runner.
My steps:
ssh-keygen -t rsa -f ~/.ssh/KEY_NAME -P ""
doctl compute ssh-key create KEY --public-key "CONTENT OF KEY_NAME.pub"
doctl compute droplet create --image ubuntu-20-04-x64 --size s-1vcpu-1gb --region fra1 DROPLET_NAME --ssh-keys FINGERPRINT --wait
ssh -vvv -i ~/.ssh/KEY_NAME root@DROPLET_IP
✔️ Tested on Windows local machine using doctl.exe run from cmd - works!
✔️ Tested on Docker (installed on Windows) based on Linux image using doctl script - works!
⚠️ Tested on Github Actions runner based on ubuntu-latest using digitalocean/action-doctl script - doesn't work!
Received message is: connect to host ADDRESS_IP port 22: Connection refused.
The steps are correct, so why does this not work for Github Actions?
If you are using the GitHub Action digitalocean/action-doctl, check issue 14 first:
In order to SSH into a Droplet, doctl needs access to the private half of the SSH key pair whose public half is on the Droplet.
Currently the doctl Action is based on a Docker container.
If you were using the Docker container directly, you could invoke it with:
docker run --rm --interactive --tty \
--env=DIGITALOCEAN_ACCESS_TOKEN=<YOUR-DO-API-TOKEN> \
-v $HOME/.ssh/id_rsa:/root/.ssh/id_rsa \
digitalocean/doctl compute ssh <DROPLET-ID>
in order to mount the SSH key from outside the container.
You might be better off just using doctl to grep the Droplet's IP address and using this Action that is more focused on SSH related use cases and provides a lot of additional functionality: marketplace/actions/ssh-remote-commands.

LDAP Apache Directory Studio Authentication Failed

I am trying to integrate multiple directory services to Keycloak hence I am following the article: Setup User Federation with Keycloak
I have pulled the docker data and running them as mentioned:
docker pull rroemhild/test-openldap
docker run --privileged -d -p 389:389 -p 636:636 --name da-01 rroemhild/test-openldap
Now I am trying to connect the same using the Apache Directory Studio and when I try to authenticate I get the message
I am not sure what I am doing wrong. I am trying with the mentioned password: GoodNewsEveryone
I basically tried running the container on a different port and it worked:
docker run --rm -p 10389:10389 -p 10636:10636 rroemhild/test-openldap

Setting a static IP to docker container using LXC driver

I installed docker to my ubuntu 14.04 laptop. I pulled docker registry image from the central registry. To fix IP address of the container to a static value, I first changed my /etc/defaults/docker and added -e lxc to DOCKER_OPTS variable.
Then to run my local registry I used the following command;
docker run \
-i -t -h myreg \
--net="none" \
--lxc-conf="lxc.network.hwaddr=91:21:de:b0:6b:61" \
--lxc-conf="lxc.network.type = veth" \
--lxc-conf="lxc.network.ipv4 = 172.17.0.20/16" \
--lxc-conf="lxc.network.ipv4.gateway = 172.17.42.1" \
--lxc-conf="lxc.network.link = docker0" \
--lxc-conf="lxc.network.name = eth0" \
--lxc-conf="lxc.network.flags = up" \
--name myreg \
-p 5000:5000 \
-d registry \
/bin/bash
Then used docker attach myreg to access to the shell of the container. After installing net-tools package, I checked the IP address of it and see that it is 172.17.0.20 as expected. I tried to ping it from my host and it was replying.
The problem is that, when I checked the configuration of this container with docker inspect myreg, the NetworkSettings part of output was as the following
"NetworkSettings": {
    "Bridge": "docker0",
    "Gateway": "172.17.42.1",
    "IPAddress": "172.17.0.8",
    "IPPrefixLen": 16,
    "PortMapping": null,
    "Ports": {
        "5000/tcp": [
            {
                "HostIp": "0.0.0.0",
                "HostPort": "5000"
            }
        ]
    }
}
It was showing 172.17.0.8 as the IP address of it. It is the value that should be assigned if I was not using the lxc driver. This is becoming a problem when I use the docker push command to push a tagged image to this local registry, because docker is using this wrong IP to push the image and throws an error log as the following
de7e1cfc] +job push(127.0.0.1:5000/mongo)
2014/07/18 17:10:19 Can't forward traffic to backend tcp/172.17.0.8:5000: dial tcp 172.17.0.8:5000: no route to host
2014/07/18 17:10:22 Can't forward traffic to backend tcp/172.17.0.8:5000: dial tcp 172.17.0.8:5000: no route to host
What is the problem here? Or am I doing something wrong?
What version of Docker are you running? Docker 1.0 no longer uses LXC, they have replaced it with their own libcontainer. The LXC commands didn't work for me when following this blog - http://goldmann.pl/blog/2014/01/21/connecting-docker-containers-on-multiple-hosts/#_set_up
If you downgrade to 0.7 and follow the lxc process, it will work.

Invalid Registry Endpoint pushing docker image

I built a docker container with docker 1.0, and tried to push it to a private docker registry mapped to s3, but it gives me "invalid registry endpoint".
docker push loca.lhost:5000/company/appname
2014/06/20 12:50:07 Error: Invalid Registry endpoint: Get http://loca.lhost:5000/v1/_ping: read tcp 127.0.0.1:5000: connection reset by peer
The registry was started following settings similar to the example (adding aws region), and does respond if I do a telnet localhost 5000.
docker run \
-e SETTINGS_FLAVOR=s3 \
-e AWS_BUCKET=my-docker-images \
-e STORAGE_PATH=/registry \
-e AWS_KEY=AAAA \
-e AWS_SECRET=BBBBBBB \
-e AWS_REGION=eu-west-1 \
-e SEARCH_BACKEND=sqlalchemy \
-p 5000:5000 \
registry &
s3 logging for the bucket:
8029384029384092830498 my-docker-images [16/Jun/2014:19:25:56 +0000] 123.123.123.127 arn:aws:iam::1234567890:user/docker-image-manager C9976333A1EFBB7A REST.GET.BUCKET - "GET /?prefix=registry/repositories/&delimiter=/ HTTP/1.1" 200 - 291 - 39 39 "-" "Boto/2.27.0 Python/2.7.6 Linux/3.8.0-42-generic" -
Ok, it was due to me specifying AWS_REGION (eu-west-1) and the registry service failing part way through startup.
Taking that out, the registry server finishes initializing and starts listening on the port, and a curl request to the /_ping url returned a response.
https://github.com/dotcloud/docker-registry/issues/400
I was able to retrieve enough console information to debug this by putting the settings in a config.yml file, setting loglevel to debug, then having docker run the registry image passing the config file rather than calling it directly as I did above.

How to find whether ldap server is up and running?

I have currently installed OID (Oracle Internet Directory) and created some roles and users in them. I intend to access them using LDAP commands.
$ldapbind -p <port_number> -h <ip> -D "cn=orcladmin"
bind sucessful
$ ldapsearch -h <ip> -p <port_number> "dc=<name>"
ldap_search: Inappropriate authentication
ldap_search: additional info: Server is Configured to Deny Anonymous Binds
Is there something I am missing?
On your ldapsearch command, add the -D "cn=orcladmin" for who you are binding as, -w "Password" or -W to prompt at run time. Probably you want a -b "ou=Base,dc=DNtoSearch" and then your filter as you have it.
You need to bind each time.