Question
I have deployed a private Docker registry (registry version 2.7) using Ansible (code given below), following the official guide at https://docs.docker.com/registry/deploying/. The compose snippet from that guide:
```yaml
registry:
  restart: always
  image: registry:2
  ports:
    - 5000:5000
  environment:
    # TLS certificate and key served by the registry
    REGISTRY_HTTP_TLS_CERTIFICATE: /certs/domain.crt
    REGISTRY_HTTP_TLS_KEY: /certs/domain.key
    # basic auth backed by an htpasswd file
    REGISTRY_AUTH: htpasswd
    REGISTRY_AUTH_HTPASSWD_PATH: /auth/htpasswd
    REGISTRY_AUTH_HTPASSWD_REALM: Registry Realm
  volumes:
    - /path/data:/var/lib/registry
    - /path/certs:/certs
    - /path/auth:/auth
```
Below is the Ansible task. The Docker daemon and the Docker registry are running on the same machine. Both the registry and Docker use self-signed certificates. I also added instructions in /etc/docker/daemon.json to allow an insecure registry. Here is my Ansible task:
```yaml
- name: "Creating basic auth password file for registry"
  htpasswd:
    path: "role_dir/htpasswd"
    name: "username"
    password: "pass"
    # crypt_scheme is not set, so the module default (apr_md5_crypt) applies
    owner: root
    group: www-data
    mode: 0640

- name: "Create registry container"
  docker_compose:
    project_name: "registry"
    build: yes
    nocache: yes
    recreate: always
    definition:
      version: "3.2"
      services:
        registry:
          image: registry:2.7
          container_name: "private_registry"
          ports:
            - 5000:5000
          volumes:
            - "/var/run/docker.sock:/var/run/docker.sock"
            - "/pathToCerts/certs/docker-registry:/certs"
            - "dir_volume_for_reg:/var/lib/registry"
            - "role_dir/htpasswd:/auth/htpasswd"
          environment:
            REGISTRY_HTTP_TLS_CERTIFICATE: "/certs/tls_cert_file"
            REGISTRY_HTTP_TLS_KEY: "/certs/tls_cert_key"
            REGISTRY_AUTH: htpasswd
            REGISTRY_AUTH_HTPASSWD_PATH: /auth/htpasswd
            REGISTRY_AUTH_HTPASSWD_REALM: Registry
  register: output
  become: yes
```
Here is the Docker config file /etc/docker/daemon.json, in which I instructed Docker to allow the private registry on my public machine, where both the Docker daemon and the Docker registry are running:
```json
{
  "hosts": [
    "fd://",
    "unix:///var/run/docker.sock",
    "tcp://127.0.0.1:2375",
    "tcp://0.0.0.0:2376"
  ],
  "debug": true,
  "tls": true,
  "tlsverify": true,
  "tlscacert": "path_to_my_ca.pem",
  "tlscert": "path_to_server-cert.pem",
  "tlskey": "path_to_server-key.pem",
  "insecure-registries": ["x.x.x.x:5000", "a_domain_name:5000", "127.0.0.1:5000"]
}
```
With the above configuration, when I access my server address https://x.x.x.x:5000/v2/_catalog, it asks for a username and password for the realm "Registry". Even when I provide the valid username and password, it never lets me access the page; that is, it is not accepting the authentication even though the username and password are valid.
Below are the Docker registry container logs:
```text
time="2019-12-01T23:07:47.54040353Z" level=warning msg="error authorizing context: basic authentication challenge for realm "Registry": authentication failure" go.version=go1.11.2 http.request.host="x.x.x.x:5000" http.request.id=f01cd18f-1623-4f3d-863d-b2b72f93628a http.request.method=GET http.request.remoteaddr="x.x.x.x:11581" http.request.uri="/v2/_catalog" http.request.useragent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
```
I also investigated by disabling TLS and found that even without TLS the registry is not accepting the credentials.
I have tried many different possibilities, but none of them worked. I tried creating the htpasswd file manually and then giving the path to that htpasswd file in the Ansible config, but it still does not work. Can someone point out what the problem is? Thanks in advance for any comments.
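As an added example (not part of the original question), here is a shell check for the usual cause of this exact symptom. The registry's htpasswd access controller only accepts bcrypt hashes (entries beginning with `$2a$`, `$2b$` or `$2y$`); any other scheme fails with "authentication failure" even when the password is right. Ansible's htpasswd module writes apr_md5_crypt (`$apr1$`) hashes unless `crypt_scheme: bcrypt` is set, which is the combination the task above uses. The script classifies every entry in an htpasswd file and returns non-zero if any entry is not bcrypt. Function names, file paths and the sample entries are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: classify the hash scheme of each htpasswd entry and flag
# anything that registry:2's htpasswd authenticator will reject.
# Only bcrypt ($2a$/$2b$/$2y$) is accepted by the registry; apr1 (Apache
# MD5), SHA1 ({SHA}) and crypt(3)-style entries are rejected.

# hash_scheme HASH: print the scheme name for one htpasswd hash field.
hash_scheme() {
    case "$1" in
        '$2a$'*|'$2b$'*|'$2y$'*) echo bcrypt ;;
        '$apr1$'*)                echo apr1 ;;
        '{SHA}'*)                 echo sha1 ;;
        '$1$'*|'$5$'*|'$6$'*)     echo glibc-crypt ;;
        *)                        echo crypt-or-unknown ;;
    esac
}

# check_htpasswd FILE: print one line per user and return 0 only when every
# entry is bcrypt, i.e. usable by the registry.
check_htpasswd() {
    file=$1
    bad=0
    while IFS=: read -r user hash; do
        [ -z "$user" ] && continue              # skip blank lines
        case "$user" in \#*) continue ;; esac   # skip comment lines
        scheme=$(hash_scheme "$hash")
        if [ "$scheme" = bcrypt ]; then
            printf '%s: %s (ok)\n' "$user" "$scheme"
        else
            printf '%s: %s (registry will reject this entry)\n' "$user" "$scheme"
            bad=1
        fi
    done < "$file"
    return $bad
}

# Usage (path is an assumption): check_htpasswd /path/auth/htpasswd
```

To produce an entry the registry accepts, generate it with bcrypt, for example `htpasswd -Bbn username pass >> /path/auth/htpasswd` from apache2-utils (`-B` selects bcrypt), or set `crypt_scheme: bcrypt` on the Ansible htpasswd task; then rerun the check before recreating the container.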
Source: https://stackoverflow.com/questions/59130976/private-docker-registry-with-self-signed-tls-certificates-not-accepting-valid-ba