Authentication handling for a private registry / Improve support for private registry/index


Marco Hennings

Aug 15, 2013, 10:37:16 AM
to docke...@googlegroups.com
Hello,

Currently some of the functionality that docker provides is not available when used together with a private registry. I previously used the INDEX_SERVER_URL together with a private registry and index.
Now I would like to improve the support for a private registry to allow all docker functionality to be used, if it is present in the registry.

I think the following functions are affected:

- Login 
- Authentication restriction to the individual repositories
- Search
- Endpoint delegation with X-Docker-Endpoint seems to be not available


Maybe I overlook one or the other, but for now authentication would be most important for my use case.



Currently the login command does not allow to differentiate between different realms.
I would like to extend this in the following way:

docker login [targethost]

If targethost is not given the command behaves as it does now.
If targethost is given it expects the target host to implement the index routes for login and account creation.

To store the authentication the ~/.dockercfg needs to be extended. For compatibility the auth for the official index needs to stay in the already existing fields.
I think that sections for each host could be a good solution. To preserve future extension a prefix like "host " could be used.

Now:
auth = abcdfefabcdefabcdef=

Suggested format:
auth = abcdfefabcdefabcdef=

    auth = abcdfefabcdefabcdef=
    email = us...@example.org


If a user has authentication data for the host it would automatically be sent to the server as basic authentication.

Another variant would be to support multiple realms. But I think that realm support would increase complexity for the authentication.

Please tell me what you think. 

Kind regards,

Marco



Marco Hennings

Aug 15, 2013, 11:06:34 AM
to docke...@googlegroups.com
Hello,

Victor Vieux showed me where to look for realm support in the dockercfg.
So that part is already there.

It is just not used for a private registry as always the authentication of the hardcoded index is used.
So the missing part for authentication seems to be the login function and the service calls that happen when a private registry is used.

docker login [targethost]



Kind regards,

Marco

Sam Alba

Aug 15, 2013, 11:52:47 AM
to Marco Hennings, docke...@googlegroups.com
Hi Marco,

It's a good analysis. Replying inline.

On Thu, Aug 15, 2013 at 7:37 AM, Marco Hennings
<marco.h...@freiheit.com> wrote:
> - Login

True, right now the private Registry does not come with
authentication. And the fact that we fixed the login command to be
mapped to the index.docker.io realm (to allow different credentials on
different locations in the future) prevents docker from sending the
credentials to the private Registry.

> - Authentication restriction to the individual repositories

Yes, we wanted to let people use their namespace as they want. Would
it make sense to restrict users to their "username" namespace like the
central one?

> - Search

This one will make the Registry code a bit heavier since we need to
Index those data somewhere (db, elasticsearch, etc...). So we need a
daemon to consolidate the Index, etc... But I agree it's a must-have
(less important than login though).

> - Endpoint delegation with X-Docker-Endpoint seems to be not available

That's right, we added this in the protocol as you noticed but we don't
actually use it at the moment. We're going to use it on the central
Index to allow different endpoints for push and pull and enable us to
use a CDN for image download.

> Maybe I overlook one or the other, but for now authentication would be most
> important for my use case.
>
>
>
> Currently the login command does not allow to differentiate between
> different realms.
> I would like to extend this in the following way:
>
> docker login [targethost]

Sounds like a good syntax. I'd like also to have a different syntax
for creating accounts and login. It's annoying right now to have to
specify username / password / email just for login... And if you make
a typo, it creates a new account... Not ideal.

> To store the authentication the ~/.dockercfg needs to be extended. For
> compatibility the auth for the official index needs to stay in the already
> existing fields.
> I think that sections for each host could be a good solution. To preserve
> future extension a prefix like "host " could be used.

We already support the realm in the .dockercfg. Try to "rm -f
~/.dockercfg" and login again. You will see this file is now json and
contains the login endpoint.


Right now, it's more a matter of making what we have stable and finding a
good balance between stabilizing and adding features (at least on the
Registry). To be completely transparent, we're currently working to
improve download and upload speed. Clean auth (+ improve login) and
Search are definitely on the roadmap.

I hope this clarifies what's going on behind :-)

--
@sam_alba
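A sketch of the per-realm credential lookup the thread converges on, added here as an example and not Docker's own code. The JSON layout (one entry per login endpoint with a base64 "auth" of user:password and an email) is assumed from Sam's description of the JSON .dockercfg; the hosts and secrets are constructed. The point it demonstrates is the one Sam raises: credentials are selected by the realm that matches the target host, and there is no fallback that would send the index.docker.io credentials to some other registry.

```python
import base64
import json
from urllib.parse import urlparse

# Constructed .dockercfg in the assumed JSON layout: realm URL -> {auth, email}.
SAMPLE_DOCKERCFG = json.dumps({
    "https://index.docker.io/v1/": {
        "auth": base64.b64encode(b"hubuser:hubsecret").decode(),
        "email": "hubuser@example.org",
    },
    "https://registry.example.org/v1/": {
        "auth": base64.b64encode(b"marco:privatesecret").decode(),
        "email": "marco@example.org",
    },
})


def load_dockercfg(text):
    """Parse the JSON .dockercfg into {realm_host: (username, password, email)}."""
    creds = {}
    for realm, entry in json.loads(text).items():
        host = urlparse(realm).netloc.lower()
        user, _, password = base64.b64decode(entry["auth"]).decode().partition(":")
        creds[host] = (user, password, entry.get("email"))
    return creds


def credentials_for(creds, target_host):
    """Return the credentials stored for target_host, or None.

    Deliberately no fallback to another realm: the index.docker.io entry
    must never be sent to a private registry (or any unknown host).
    """
    return creds.get(target_host.lower())


def basic_auth_header(creds, target_host):
    """Build the Basic Authorization header for a request to target_host, if any."""
    entry = credentials_for(creds, target_host)
    if entry is None:
        return None
    user, password, _ = entry
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {"Authorization": f"Basic {token}"}


if __name__ == "__main__":
    cfg = load_dockercfg(SAMPLE_DOCKERCFG)
    print(basic_auth_header(cfg, "registry.example.org"))
    print(basic_auth_header(cfg, "unknown.example.net"))  # None: no realm, nothing sent
```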