-
-
Notifications
You must be signed in to change notification settings - Fork 1.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Authentication for Docker Hub private registry without credential helpers #820
Comments
Also from ffissore in #836:
|
|
@nefilim thanks for the draft PR - it's been a good basis for trying to figure this out while on a long plane journey :) I have some additions worked out. This is still WIP, but tackles the two underlying issues that you and others have encountered:
In the long term, this requires a fair amount of modification to docker-java to do it cleanly, but for now we can basically layer this on top and refactor later. |
FWIW, I can confirm that I'm experiencing the same problem as @nefilim. |
I think I've done the work necessary in #845! However, given that understanding/reproducing the registry setup is potentially the harder thing here, it'd be extremely helpful if people affected by this could give this a try before we call the PR done. Would that be OK? There is a jitpack build available with the following details: Repository: Thanks! |
Oh, I can now appreciate the problem. Nice solution. I've been trying it out on my workstation (macOS) as on a CI server with my work-around removed. Both are working correctly...
Centos:
Also, also thanks for avoiding the repository credentials in the logs. I was going to ask about that. This project is really looking great. |
Thanks @reardonm, it's useful to get feedback that this is working for you. |
The fix works for me, too |
Thanks so much @rnorth - looking good here too. Sorry for the delay, was travelling and had some technical issues. Don't know gradle at all (use SBT) - not very trivial/clear to try and get it to publish to a local ivy repo, took some time to find a workaround :) |
Following up here on a question about authentication for a private repo hosted at docker hub that I posted on Slack.
For some context, credentials are stored in
~/.docker/config.json
in the auth field (this is actuallybase64(username:password)
) eg:We supply image names such
acme/microservice:0.1
to testcontainers. There are also public images from Docker Hub (redis, postgres etc) and implicitly from quay.io (ryuk). Now, looking at the following code:https://github.com/testcontainers/testcontainers-java/blob/master/core/src/main/java/org/testcontainers/utility/RegistryAuthLocator.java#L80
reposName
ends up being "" (empty) and it falls back todefaultAuthConfig
which I believe is controlled by~/.docker-java.properties
(ala docker-java project), which does not exist and hence it fails trying to download the image:In contrast, the default behaviour of
docker pull
in the absence of a registry host, is to pull from docker hub and as such matches the URLhttps://index.docker.io/v1/
in~/.docker/config.json
- this does not appear to be the default behaviour of testcontainers.I would like to see testcontainers choosing the
auth
from~/.docker/config.json
in thehttps://index.docker.io/v1/
stanza withinfindExistingAuthConfig(config, "")
. To pursue this behaviour I put together this PR: #819 - I ran into a number of dead ends:reposName
withindex.docker.io
in case it's empty does not work, docker-java explicitly checks for that hostname and errors out (why???? it's completely valid using the docker command linedocker pull index.docker.io/acme/microservice:0.1
)index.docker.io
inconfig.json
(as in this PR: WIP: Add support for docker hub private registry credentials #819) does not work either, from what I can tell, docker-java does not decompose the auth field (into username/password) before creating the JSON authentication header as per https://docs.docker.com/engine/api/v1.37/#section/Authentication so credentials are not being sent properly:The problems with using
docker-java.properties
are:ryuk:0.2.2
from quay.io - I have not confirmed but I wonder if it's trying to the use the credentials configured indocker-java.properties
(for index.docker.io) for quay.io - a bug?The most confusing thing - why has nobody else reported this? Am I just doing something horribly wrong? :)
The text was updated successfully, but these errors were encountered: