unable to login to private v2 registry

[natarajanv]

I get the following error message during login:

FATA[0004] Error response from daemon: (Code: 404; Headers: map[Content-Type:[text/plain; charset=utf-8] Docker-Distribution-Api-Version:[registry/2.0] Content-Length:[19] Date:[Mon, 10 Aug 2015 15:09:28 GMT] Server:[Apache/2.4.6 (CentOS) OpenSSL/1.0.1e-fips]])

I am using docker v 1.6.2

Any idea why it is failing. I have all the certs in the right place.

[RichardScothern]

We need a bit more information to debug this. Please follow the steps here:

https://github.com/docker/distribution/blob/master/CONTRIBUTING.md#if-you-have-not-found-an-existing-issue-that-describes-your-problem

[natarajanv]

[root@r10a-venkat-docker my_apache]# docker info
Containers: 7
Images: 134
Storage Driver: devicemapper
 Pool Name: docker-253:3-2097155-pool
 Pool Blocksize: 65.54 kB
 Backing Filesystem: extfs
 Data file:
 Metadata file:
 Data Space Used: 2.762 GB
 Data Space Total: 107.4 GB
 Data Space Available: 104.6 GB
 Metadata Space Used: 5.427 MB
 Metadata Space Total: 2.147 GB
 Metadata Space Available: 2.142 GB
 Udev Sync Supported: true
 Library Version: 1.02.95-RHEL6 (2015-06-17)
Execution Driver: native-0.2
Kernel Version: 2.6.32-504.16.2.el6.x86_64
Operating System: <unknown>
CPUs: 1
Total Memory: 1.833 GiB
Name: r10a-venkat-docker
ID: 5IDI:JENV:2TN3:QNVG:E7QG:4HR4:HT2T:Z72W:ADUV:JY6F:ST46:HLUV
Debug mode (server): true
Debug mode (client): false
Fds: 12
Goroutines: 15
System Time: Mon Aug 10 13:36:16 EDT 2015
EventsListeners: 0
Init SHA1: d483126db2b26be04fcbd90ffff55153ecd603d9
Init Path: /usr/libexec/docker/dockerinit
Docker Root Dir: /docker/lib
Http Proxy: gatekeeper.mitre.org:80
Https Proxy: gatekeeper.mitre.org:80
No Proxy: localhost,127.0.0.1,localaddress,.mitre.org,/var/run/docker.sock
Labels:
 MITRE_ENV=ece
 mitre.environment=ece
 mitre.pool=A

####
[root@r10a-venkat-docker my_apache]# docker version
Client version: 1.6.2
Client API version: 1.18
Go version (client): go1.4.2
Git commit (client): 7c8fca2/1.6.2
OS/Arch (client): linux/amd64
Server version: 1.6.2
Server API version: 1.18
Go version (server): go1.4.2
Git commit (server): 7c8fca2/1.6.2
OS/Arch (server): linux/amd64

##############
[root@r10a-venkat-docker my_apache]#  docker exec composetest_registry_1 registry -version
registry github.com/docker/distribution v2.0.1

#########
Compose yml file
apache:
  restart: always
  image: apache
  hostname: r10a-venkat-docker.mitre.org
  ports:
    - "80:80"
    - "8443:443"
  links:
    - registry:registry
  volumes:
    - /etc/pki/tls/certs/r10a-venkat-docker.crt:/etc/pki/tls/certs/localhost.crt
    - /etc/pki/tls/private/r10a-venkat-docker.key:/etc/pki/tls/private/localhost.key
    - /logs/my_apache:/var/log/httpd
    - /home/venkat/my_apache/includes/authnz_ldap.conf:/etc/httpd/conf.d/authnz_ldap.conf
    - /home/venkat/my_apache/includes/registry_header.conf:/etc/httpd/conf.d/registry_header.conf
    - /home/venkat/my_apache/includes/rev_proxy.conf:/etc/httpd/conf.d/rev_proxy.conf
registry:
  restart: always
  image: registry:2
  hostname: r10a-venkat-docker.mitre.org
  ports:
    - "127.0.0.1:5000:5000"
  environment:
    REGISTRY_STORAGE_FILESYSTEM_ROOTDIRECTORY: /data
  volumes:
    - /data/registry:/data

Command to start:
docker-compose -f registry.yml up -d

Using Apache 2.4.6 to proxy registry

error when tried to login

[venkat@r10a-venkat-docker compose_test]$ docker login -u venkat -e venkat@mitre.org https://r10a-venkat-docker.mitre.org:8443
FATA[0000] Error response from daemon: (Code: 404; Headers: map[Content-Type:[text/plain; charset=utf-8] Docker-Distribution-Api-Version:[registry/2.0] Content-Length:[19] Date:[Mon, 10 Aug 2015 17:39:00 GMT] Server:[Apache/2.4.6 (CentOS) OpenSSL/1.0.1e-fips]])

docker logs
[root@r10a-venkat-docker my_apache]# tail -f /var/log/messages | grep docker
Aug 10 13:37:18 r10a-venkat-docker kernel: EXT4-fs (dm-12): warning: checktime reached, running e2fsck is recommended
Aug 10 13:37:18 r10a-venkat-docker kernel: EXT4-fs (dm-12): mounted filesystem with ordered data mode. Opts:
Aug 10 13:37:18 r10a-venkat-docker kernel: device veth304dfb3 entered promiscuous mode
Aug 10 13:37:18 r10a-venkat-docker kernel: docker0: port 2(veth304dfb3) entering forwarding state
Aug 10 13:37:31 r10a-venkat-docker kernel: docker0: port 1(veth1367312) entering forwarding state
Aug 10 13:37:33 r10a-venkat-docker kernel: docker0: port 2(veth304dfb3) entering forwarding state
Aug 10 13:40:51 r10a-venkat-docker winbindd[8519]: [2015/08/10 13:40:51.284285,  0] winbindd/winbindd_util.c:348(trustdom_list_done)
Aug 10 13:40:51 r10a-venkat-docker winbindd[8519]:   Got invalid trustdom response
Aug 10 13:45:51 r10a-venkat-docker winbindd[8519]: [2015/08/10 13:45:51.294748,  0] winbindd/winbindd_util.c:348(trustdom_list_done)
Aug 10 13:45:51 r10a-venkat-docker winbindd[8519]:   Got invalid trustdom response

[RichardScothern]

Thanks @natarajanv

What is your authentication setup? What do the registry logs output when you try to login?

[natarajanv]

LDAP authentication

[root@r10a-venkat-docker my_apache]# docker ps
CONTAINER ID        IMAGE               COMMAND                CREATED             STATUS              PORTS                                       NAMES
89352429e0bf        apache:latest       "/bin/sh -c /usr/sbi   18 minutes ago      Up 18 minutes       0.0.0.0:80->80/tcp, 0.0.0.0:8443->443/tcp   composetest_apache_1
778330ad3365        registry:2          "registry cmd/regist   18 minutes ago      Up 18 minutes       127.0.0.1:5000->5000/tcp                    composetest_registry_1

[root@r10a-venkat-docker my_apache]# docker logs 778330ad3365
time="2015-08-10T17:37:18.192623772Z" level=info msg="endpoint local-8082 disabled, skipping" environment=development instance.id=05f2b60b-cdad-4809-a9b3-e64902680a88 service=registry version=v2.0.1
time="2015-08-10T17:37:18.216958384Z" level=info msg="endpoint local-8083 disabled, skipping" environment=development instance.id=05f2b60b-cdad-4809-a9b3-e64902680a88 service=registry version=v2.0.1
time="2015-08-10T17:37:18.217293525Z" level=info msg="using inmemory layerinfo cache" environment=development instance.id=05f2b60b-cdad-4809-a9b3-e64902680a88 service=registry version=v2.0.1
time="2015-08-10T17:37:18.217384087Z" level=info msg="listening on :5000" environment=development instance.id=05f2b60b-cdad-4809-a9b3-e64902680a88 service=registry version=v2.0.1
time="2015-08-10T17:37:18.217902418Z" level=info msg="debug server listening localhost:5001"
time="2015-08-10T17:39:00.525741131Z" level=info msg="response completed" environment=development http.request.host="r10a-venkat-docker.mitre.org:8443" http.request.id=35292a67-352a-4518-9115-2c5422b32853 http.request.method=GET http.request.remoteaddr=10.84.255.19 http.request.uri="/v1/users/" http.request.useragent="docker/1.6.2 go/go1.4.2 kernel/2.6.32-504.16.2.el6.x86_64 os/linux arch/amd64" http.response.contenttype="text/plain; charset=utf-8" http.response.duration="411.249µs" http.response.status=404 http.response.written=19 instance.id=05f2b60b-cdad-4809-a9b3-e64902680a88 service=registry version=v2.0.1
172.17.0.2 - - [10/Aug/2015:17:39:00 +0000] "GET /v1/users/ HTTP/1.1" 404 19 "" "docker/1.6.2 go/go1.4.2 kernel/2.6.32-504.16.2.el6.x86_64 os/linux arch/amd64"

[root@r10a-venkat-docker my_apache]#

[RichardScothern]

GET /v1/users/ HTTP/1.1

Is a call to a v1 registry. Something is amiss with your setup. Rerun the daemon in debug mode and trace the calls after you issue the login command.

[natarajanv]

[venkat@r10a-venkat-docker compose_test]$ docker --debug=true login -u venkat -e venkat@mitre.org https://r10a-venkat-docker.mitre.org:8443
FATA[0000] Error response from daemon: (Code: 404; Headers: map[Server:[Apache/2.4.6 (CentOS) OpenSSL/1.0.1e-fips] Content-Type:[text/plain; charset=utf-8] Docker-Distribution-Api-Version:[registry/2.0] Content-Length:[19] Date:[Mon, 10 Aug 2015 18:11:35 GMT]])

###########

[venkat@r10a-venkat-docker compose_test]$ docker --debug=true info
Containers: 9
Images: 134
Storage Driver: devicemapper
Pool Name: docker-253:3-2097155-pool
Pool Blocksize: 65.54 kB
Backing Filesystem: extfs
Data file:
Metadata file:
Data Space Used: 2.766 GB
Data Space Total: 107.4 GB
Data Space Available: 104.6 GB
Metadata Space Used: 5.509 MB
Metadata Space Total: 2.147 GB
Metadata Space Available: 2.142 GB
Udev Sync Supported: true
Library Version: 1.02.95-RHEL6 (2015-06-17)
Execution Driver: native-0.2
Kernel Version: 2.6.32-504.16.2.el6.x86_64
Operating System:
CPUs: 1
Total Memory: 1.833 GiB
Name: r10a-venkat-docker
ID: 5IDI:JENV:2TN3:QNVG:E7QG:4HR4:HT2T:Z72W:ADUV:JY6F:ST46:HLUV
Debug mode (server): true
Debug mode (client): true
Fds: 22
Goroutines: 31
System Time: Mon Aug 10 14:11:14 EDT 2015
EventsListeners: 0
Init SHA1: d483126db2b26be04fcbd90ffff55153ecd603d9
Init Path: /usr/libexec/docker/dockerinit
Docker Root Dir: /docker/lib
Http Proxy: gatekeeper.mitre.org:80
Https Proxy: gatekeeper.mitre.org:80
No Proxy: localhost,127.0.0.1,localaddress,.mitre.org,/var/run/docker.sock
Labels:
MITRE_ENV=ece
mitre.environment=ece

[RichardScothern]

Those are not the daemon logs. Run the daemon in debug mode and trace the calls after you issue the login command.

[natarajanv]

time="2015-08-10T14:54:40-04:00" level=debug msg="Calling POST /auth"
time="2015-08-10T14:54:40-04:00" level=info msg="POST /v1.18/auth"
time="2015-08-10T14:54:40-04:00" level=info msg="+job auth()"
time="2015-08-10T14:54:40-04:00" level=info msg="+job resolve_index(https://r10a-venkat-docker.mitre.org:8443)"
time="2015-08-10T14:54:40-04:00" level=info msg="-job resolve_index(https://r10a-venkat-docker.mitre.org:8443) = OK (0)"
time="2015-08-10T14:54:40-04:00" level=debug msg="pinging registry endpoint https://r10a-venkat-docker.mitre.org:8443/v0/"
time="2015-08-10T14:54:40-04:00" level=debug msg="attempting v2 ping for registry endpoint https://r10a-venkat-docker.mitre.org:8443/v2/"
time="2015-08-10T14:54:40-04:00" level=debug msg="https://r10a-venkat-docker.mitre.org:8443/v2/ -- HEADERS: map[User-Agent:[docker/1.6.2 go/go1.4.2 kernel/2.6.32-504.16.2.el6.x86_64 os/linux arch/amd64]]"
time="2015-08-10T14:54:40-04:00" level=debug msg="hostDir: /etc/docker/certs.d/r10a-venkat-docker.mitre.org:8443"
time="2015-08-10T14:54:40-04:00" level=debug msg="attempting v1 ping for registry endpoint https://r10a-venkat-docker.mitre.org:8443/v1/"
time="2015-08-10T14:54:40-04:00" level=debug msg="https://r10a-venkat-docker.mitre.org:8443/v1/_ping -- HEADERS: map[User-Agent:[docker/1.6.2 go/go1.4.2 kernel/2.6.32-504.16.2.el6.x86_64 os/linux arch/amd64]]"
time="2015-08-10T14:54:40-04:00" level=debug msg="hostDir: /etc/docker/certs.d/r10a-venkat-docker.mitre.org:8443"
time="2015-08-10T14:54:40-04:00" level=debug msg="Error unmarshalling the _ping RegistryInfo: invalid character '<' looking for beginning of value"
time="2015-08-10T14:54:40-04:00" level=debug msg="RegistryInfo.Version: """
time="2015-08-10T14:54:40-04:00" level=debug msg="Registry standalone header: ''"
time="2015-08-10T14:54:40-04:00" level=debug msg="RegistryInfo.Standalone: true"
time="2015-08-10T14:54:40-04:00" level=debug msg="attempting v1 login to registry endpoint https://r10a-venkat-docker.mitre.org:8443/v1/"
time="2015-08-10T14:54:40-04:00" level=debug msg="https://r10a-venkat-docker.mitre.org:8443/v1/users/ -- HEADERS: map[User-Agent:[docker/1.6.2 go/go1.4.2 kernel/2.6.32-504.16.2.el6.x86_64 os/linux arch/amd64]]"
time="2015-08-10T14:54:40-04:00" level=error msg="unable to login against registry endpoint https://r10a-venkat-docker.mitre.org:8443/v1/: Login: 404 page not found\n (Code: 404; Headers: map[Date:[Mon, 10 Aug 2015 18:54:40 GMT] Server:[Apache/2.4.6 (CentOS) OpenSSL/1.0.1e-fips] Content-Type:[text/plain; charset=utf-8] Docker-Distribution-Api-Version:[registry/2.0] Content-Length:[19]])"
Login: 404 page not found
(Code: 404; Headers: map[Date:[Mon, 10 Aug 2015 18:54:40 GMT] Server:[Apache/2.4.6 (CentOS) OpenSSL/1.0.1e-fips] Content-Type:[text/plain; charset=utf-8] Docker-Distribution-Api-Version:[registry/2.0] Content-Length:[19]])
time="2015-08-10T14:54:40-04:00" level=info msg="-job auth() = ERR (1)"
time="2015-08-10T14:54:40-04:00" level=error msg="Handler for POST /auth returned error: (Code: 404; Headers: map[Date:[Mon, 10 Aug 2015 18:54:40 GMT] Server:[Apache/2.4.6 (CentOS) OpenSSL/1.0.1e-fips] Content-Type:[text/plain; charset=utf-8] Docker-Distribution-Api-Version:[registry/2.0] Content-Length:[19]])"
time="2015-08-10T14:54:40-04:00" level=error msg="HTTP Error: statusCode=500 (Code: 404; Headers: map[Date:[Mon, 10 Aug 2015 18:54:40 GMT] Server:[Apache/2.4.6 (CentOS) OpenSSL/1.0.1e-fips] Content-Type:[text/plain; charset=utf-8] Docker-Distribution-Api-Version:[registry/2.0] Content-Length:[19]])"

[natarajanv]

these are the apache configurations:

<IfModule mod_authnz_ldap.c>
   <Location />
      AuthBasicProvider ldap
      AuthLDAPUrl "valid url here"
      AuthLDAPBindDN "valid value here"
      AuthLDAPBindPassword "pwd"
      AuthType Basic
      AuthName "APACHE Login"

      <If "%{REQUEST_METHOD} != 'GET'" >
       Require user oracle_svn svc_anth_ad
      </If>
      <Else>
        Require valid-user
      </Else>
   </Location>
</IfModule>

#######
[venkat@r10a-venkat-docker includes]$ cat rev_proxy.conf
<IfModule mod_proxy.c>
  ProxyPreserveHost  On
  ProxyRequests      Off
  ProxyPass / http://registry:5000/
  ProxyPassReverse / http://registry:5000/
</IfModule>

[venkat@r10a-venkat-docker includes]$ cat registry_header.conf
#
# mod_authnz_ldap can be used to implement access control and
# authenticate users against an LDAP database.
#


<ifModule mod_headers.c>
     Header set Docker-Distribution-Api-Version "registry/2.0"
</ifModule>

[dmp42]

@natarajanv your apache is returning a 500 error.

time="2015-08-10T14:54:40-04:00" level=error msg="HTTP Error: statusCode=500 (Code: 404; Headers: map[Date:[Mon, 10 Aug 2015 18:54:40 GMT] Server:[Apache/2.4.6 (CentOS) OpenSSL/1.0.1e-fips] Content-Type:[text/plain; charset=utf-8] Docker-Distribution-Api-Version:[registry/2.0] Content-Length:[19]])"

Can you provide your apache error log?

[natarajanv]

I recreated the error after cleaning out the log files.

here are the logs from apache

[root@r10a-venkat-docker my_apache]# cat error_log
[Mon Aug 10 22:19:36.980085 2015] [suexec:notice] [pid 7] AH01232: suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Mon Aug 10 22:19:37.025741 2015] [auth_digest:notice] [pid 7] AH01757: generating secret for digest authentication ...
[Mon Aug 10 22:19:37.026711 2015] [lbmethod_heartbeat:notice] [pid 7] AH02282: No slotmem from mod_heartmonitor
[Mon Aug 10 22:19:37.035583 2015] [mpm_prefork:notice] [pid 7] AH00163: Apache/2.4.6 (CentOS) OpenSSL/1.0.1e-fips configured -- resuming normal operations
[Mon Aug 10 22:19:37.035675 2015] [core:notice] [pid 7] AH00094: Command line: '/usr/sbin/httpd -D FOREGROUND'

[root@r10a-venkat-docker my_apache]# cat ssl_request_log
[10/Aug/2015:22:19:44 +0000] 10.84.255.19 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 "GET /v2/ HTTP/1.1" 381
[10/Aug/2015:22:19:44 +0000] 10.84.255.19 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 "GET /v1/_ping HTTP/1.1" 381
[10/Aug/2015:22:19:44 +0000] 10.84.255.19 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 "POST /v1/users/ HTTP/1.1" 381
[10/Aug/2015:22:19:44 +0000] 10.84.255.19 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 "GET /v1/users/ HTTP/1.1" 19

[root@r10a-venkat-docker my_apache]# cat ssl_access_log
10.84.255.19 - - [10/Aug/2015:22:19:44 +0000] "GET /v2/ HTTP/1.1" 401 381
10.84.255.19 - - [10/Aug/2015:22:19:44 +0000] "GET /v1/_ping HTTP/1.1" 401 381
10.84.255.19 - - [10/Aug/2015:22:19:44 +0000] "POST /v1/users/ HTTP/1.1" 401 381
10.84.255.19 - venkat [10/Aug/2015:22:19:44 +0000] "GET /v1/users/ HTTP/1.1" 404 19

[Bockit]

Hi, I'm having the same error after just trying to set up a private registry with htpasswd auth. The version of docker I'm trying to sign in with is Docker version 1.6.0, build 4749651.

I was following the instructions here: https://docs.docker.com/registry/deploying/

There's a big wall of output coming (I hope it is helpful) so firstly, thanks for your time.

From the server:

root@docker:~# docker version
Client:
 Version:      1.8.0
 API version:  1.20
 Go version:   go1.4.2
 Git commit:   0d03096
 Built:        Tue Aug 11 16:48:39 UTC 2015
 OS/Arch:      linux/amd64

Server:
 Version:      1.8.0
 API version:  1.20
 Go version:   go1.4.2
 Git commit:   0d03096
 Built:        Tue Aug 11 16:48:39 UTC 2015
 OS/Arch:      linux/amd64

root@docker:~# docker info
Containers: 1
Images: 22
Storage Driver: aufs
 Root Dir: /var/lib/docker/aufs
 Backing Filesystem: extfs
 Dirs: 24
 Dirperm1 Supported: false
Execution Driver: native-0.2
Logging Driver: json-file
Kernel Version: 3.13.0-57-generic
Operating System: Ubuntu 14.04.3 LTS
CPUs: 1
Total Memory: 490 MiB
Name: docker.small.mu
ID: MDRX:JMYG:EREZ:PL72:P6PF:DHP4:TM5I:UJ5S:MK5H:PEFM:CM6R:5COS
WARNING: No swap limit support

I ran docker daemon -D and this was my total output:

DEBU[0000] Registering HEAD, /containers/{name:.*}/archive 
DEBU[0000] Registering GET, /containers/{name:.*}/archive 
DEBU[0000] Registering GET, /images/json                
DEBU[0000] Registering GET, /containers/json            
DEBU[0000] Registering GET, /containers/{name:.*}/export 
DEBU[0000] Registering GET, /containers/{name:.*}/changes 
DEBU[0000] Registering GET, /containers/{name:.*}/json  
DEBU[0000] Registering GET, /exec/{id:.*}/json          
DEBU[0000] Registering GET, /_ping                      
DEBU[0000] Registering GET, /images/get                 
DEBU[0000] Registering GET, /images/{name:.*}/history   
DEBU[0000] Registering GET, /events                     
DEBU[0000] Registering GET, /version                    
DEBU[0000] Registering GET, /images/search              
DEBU[0000] Registering GET, /containers/{name:.*}/logs  
DEBU[0000] Registering GET, /containers/{name:.*}/stats 
DEBU[0000] Registering GET, /containers/{name:.*}/attach/ws 
DEBU[0000] Registering GET, /info                       
DEBU[0000] Registering GET, /images/{name:.*}/get       
DEBU[0000] Registering GET, /images/{name:.*}/json      
DEBU[0000] Registering GET, /containers/ps              
DEBU[0000] Registering GET, /containers/{name:.*}/top   
DEBU[0000] Registering POST, /build                     
DEBU[0000] Registering POST, /images/{name:.*}/tag      
DEBU[0000] Registering POST, /containers/{name:.*}/start 
DEBU[0000] Registering POST, /containers/{name:.*}/attach 
DEBU[0000] Registering POST, /exec/{name:.*}/start      
DEBU[0000] Registering POST, /containers/{name:.*}/rename 
DEBU[0000] Registering POST, /images/load               
DEBU[0000] Registering POST, /images/{name:.*}/push     
DEBU[0000] Registering POST, /containers/create         
DEBU[0000] Registering POST, /containers/{name:.*}/exec 
DEBU[0000] Registering POST, /containers/{name:.*}/copy 
DEBU[0000] Registering POST, /exec/{name:.*}/resize     
DEBU[0000] Registering POST, /auth                      
DEBU[0000] Registering POST, /commit                    
DEBU[0000] Registering POST, /containers/{name:.*}/kill 
DEBU[0000] Registering POST, /containers/{name:.*}/unpause 
DEBU[0000] Registering POST, /containers/{name:.*}/wait 
DEBU[0000] Registering POST, /containers/{name:.*}/resize 
DEBU[0000] Registering POST, /images/create             
DEBU[0000] Registering POST, /containers/{name:.*}/pause 
DEBU[0000] Registering POST, /containers/{name:.*}/restart 
DEBU[0000] Registering POST, /containers/{name:.*}/stop 
DEBU[0000] Registering PUT, /containers/{name:.*}/archive 
DEBU[0000] Registering DELETE, /containers/{name:.*}    
DEBU[0000] Registering DELETE, /images/{name:.*}        
DEBU[0000] Registering OPTIONS,                         
DEBU[0000] docker group found. gid: 999                 
INFO[0000] Listening for HTTP on unix (/var/run/docker.sock) 
INFO[0000] [graphdriver] using prior storage driver "aufs" 
DEBU[0000] Using graph driver aufs                      
DEBU[0000] Using default logging driver json-file       
DEBU[0000] Migrating existing containers                
DEBU[0000] Creating images graph                        
DEBU[0000] Restored 22 elements                         
DEBU[0000] Reloaded graph with 3 grants expiring at 2017-03-22 19:04:46.713978458 +0000 UTC 
DEBU[0000] Creating repository list                     
INFO[0000] Option DefaultDriver: bridge                 
INFO[0000] Option DefaultNetwork: bridge                
WARN[0000] Running modprobe bridge nf_nat br_netfilter failed with message: modprobe: WARNING: Module br_netfilter not found.
, error: exit status 1 
INFO[0000] Firewalld running: false                     
DEBU[0000] /sbin/iptables, [--wait -t nat -D PREROUTING -m addrtype --dst-type LOCAL -j DOCKER] 
DEBU[0000] /sbin/iptables, [--wait -t nat -D OUTPUT -m addrtype --dst-type LOCAL ! --dst 127.0.0.0/8 -j DOCKER] 
DEBU[0000] /sbin/iptables, [--wait -t nat -D OUTPUT -m addrtype --dst-type LOCAL -j DOCKER] 
DEBU[0000] /sbin/iptables, [--wait -t nat -D PREROUTING] 
DEBU[0000] /sbin/iptables, [--wait -t nat -D OUTPUT]    
DEBU[0000] /sbin/iptables, [--wait -t nat -F DOCKER]    
DEBU[0000] /sbin/iptables, [--wait -t nat -X DOCKER]    
DEBU[0000] Failed to Initialize Datastore due to datastore initialization requires a valid configuration. Operating in non-clustered mode 
DEBU[0000] /sbin/iptables, [--wait -t nat -C POSTROUTING -s 172.17.42.1/16 ! -o docker0 -j MASQUERADE] 
DEBU[0000] /sbin/iptables, [--wait -D FORWARD -i docker0 -o docker0 -j DROP] 
DEBU[0000] /sbin/iptables, [--wait -t filter -C FORWARD -i docker0 -o docker0 -j ACCEPT] 
DEBU[0000] /sbin/iptables, [--wait -t filter -C FORWARD -i docker0 ! -o docker0 -j ACCEPT] 
DEBU[0000] /sbin/iptables, [--wait -t filter -C FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT] 
DEBU[0000] /sbin/iptables, [--wait -t nat -n -L DOCKER] 
DEBU[0000] /sbin/iptables, [--wait -t nat -N DOCKER]    
DEBU[0000] /sbin/iptables, [--wait -t nat -C PREROUTING -m addrtype --dst-type LOCAL -j DOCKER] 
DEBU[0000] /sbin/iptables, [--wait -t nat -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER] 
DEBU[0000] /sbin/iptables, [--wait -t nat -C OUTPUT -m addrtype --dst-type LOCAL -j DOCKER ! --dst 127.0.0.0/8] 
DEBU[0000] /sbin/iptables, [--wait -t nat -A OUTPUT -m addrtype --dst-type LOCAL -j DOCKER ! --dst 127.0.0.0/8] 
DEBU[0000] /sbin/iptables, [--wait -t filter -n -L DOCKER] 
DEBU[0000] /sbin/iptables, [--wait -t filter -C FORWARD -o docker0 -j DOCKER] 
WARN[0000] Your kernel does not support swap memory limit. 
INFO[0000] Daemon has completed initialization          
INFO[0000] Docker daemon                                 commit=0d03096 execdriver=native-0.2 graphdriver=aufs version=1.8.0
DEBU[0077] Calling GET /containers/json                 
INFO[0077] GET /v1.19/containers/json?all=1&limit=-1&trunc_cmd=0&filters=%7B%22label%22%3A+%5B%22com.docker.compose.project%3Droot%22%2C+%22com.docker.compose.service%3Dregistry%22%2C+%22com.docker.compose.oneoff%3DFalse%22%5D%7D&size=0 
DEBU[0077] Calling GET /containers/json                 
INFO[0077] GET /v1.19/containers/json?all=1&limit=-1&trunc_cmd=0&size=0 
DEBU[0077] Calling GET /containers/json                 
INFO[0077] GET /v1.19/containers/json?all=1&limit=-1&trunc_cmd=0&filters=%7B%22label%22%3A+%5B%22com.docker.compose.project%3Droot%22%2C+%22com.docker.compose.service%3Dregistry%22%2C+%22com.docker.compose.oneoff%3DFalse%22%5D%7D&size=0 
DEBU[0077] Calling GET /containers/json                 
INFO[0077] GET /v1.19/containers/json?all=1&limit=-1&trunc_cmd=0&size=0 
DEBU[0077] Calling GET /images/{name:.*}/json           
INFO[0077] GET /v1.19/images/registry:2/json            
DEBU[0077] Calling GET /containers/json                 
INFO[0077] GET /v1.19/containers/json?all=1&limit=-1&trunc_cmd=0&filters=%7B%22label%22%3A+%5B%22com.docker.compose.project%3Droot%22%2C+%22com.docker.compose.service%3Dregistry%22%2C+%22com.docker.compose.oneoff%3DFalse%22%5D%7D&size=0 
DEBU[0077] Calling GET /images/{name:.*}/json           
INFO[0077] GET /v1.19/images/registry:2/json            
DEBU[0077] Calling POST /containers/create              
INFO[0077] POST /v1.19/containers/create?name=root_registry_1 
DEBU[0077] Calling GET /containers/{name:.*}/json       
INFO[0077] GET /v1.19/containers/0d4a3b924dfd1f5857a0e8ec80a2cdefdcb0cc0563764ae4fcc7749080184839/json 
DEBU[0077] Calling POST /containers/{name:.*}/start     
INFO[0077] POST /v1.19/containers/0d4a3b924dfd1f5857a0e8ec80a2cdefdcb0cc0563764ae4fcc7749080184839/start 
DEBU[0077] /sbin/iptables, [--wait -t nat -A DOCKER -p tcp -d 0/0 --dport 5000 -j DNAT --to-destination 172.17.0.1:5000 ! -i docker0] 
DEBU[0077] /sbin/iptables, [--wait -t filter -A DOCKER ! -i docker0 -o docker0 -p tcp -d 172.17.0.1 --dport 5000 -j ACCEPT] 
DEBU[0077] /sbin/iptables, [--wait -t nat -A POSTROUTING -p tcp -s 172.17.0.1 -d 172.17.0.1 --dport 5000 -j MASQUERADE] 
DEBU[0080] Calling GET /containers/json                 
INFO[0080] GET /v1.20/containers/json                   
DEBU[0085] Calling GET /containers/json                 
INFO[0085] GET /v1.20/containers/json                   
DEBU[0145] Calling GET /containers/{name:.*}/json       
INFO[0145] GET /v1.20/containers/root_registry_1/json   
DEBU[0145] Calling GET /containers/{name:.*}/logs       
INFO[0145] GET /v1.20/containers/root_registry_1/logs?stderr=1&stdout=1&tail=all 
DEBU[0145] logs: begin stream                           
DEBU[0145] logs: end stream   

I start the container with docker-compose up -d, with this docker-compose.yml:

registry:
  restart: always
  image: registry:2
  ports:
    - 5000:5000
  environment:
    REGISTRY_HTTP_TLS_CERTIFICATE: /certs/star.small.mu.crt
    REGISTRY_HTTP_TLS_KEY: /certs/star.small.mu.key
    REGISTRY_STORAGE_FILESYSTEM_ROOTDIRECTORY: /var/lib/registry
    REGISTRY_AUTH_HTPASSWD_PATH: /auth/htpasswd
    REGISTRY_AUTH_HTPASSWD_REALM: Registry Realm
  volumes:
    - /var/lib/registry/data:/var/lib/registry
    - /etc/registry/certs:/certs
    - /etc/registry/auth:/auth

Container log output:

root@docker:~# docker logs root_registry_1
time="2015-08-12T02:16:37.581712046Z" level=info msg="endpoint local-8082 disabled, skipping" environment=development instance.id=cf6503e0-cab5-4395-913b-b67289ec60e2 service=registry version=v2.0.1 
time="2015-08-12T02:16:37.581948797Z" level=info msg="endpoint local-8083 disabled, skipping" environment=development instance.id=cf6503e0-cab5-4395-913b-b67289ec60e2 service=registry version=v2.0.1 
time="2015-08-12T02:16:37.586183716Z" level=info msg="using inmemory layerinfo cache" environment=development instance.id=cf6503e0-cab5-4395-913b-b67289ec60e2 service=registry version=v2.0.1 
time="2015-08-12T02:16:37.586230361Z" level=info msg="listening on :5000, tls" environment=development instance.id=cf6503e0-cab5-4395-913b-b67289ec60e2 service=registry version=v2.0.1 
time="2015-08-12T02:16:37.599244893Z" level=info msg="debug server listening localhost:5001" 
time="2015-08-12T02:17:23.762369843Z" level=debug msg="authorizing request" environment=development http.request.host="docker.small.mu:5000" http.request.id=59833839-eebf-4185-8e32-ac2b143e34e4 http.request.method=GET http.request.remoteaddr="203.219.111.198:50926" http.request.uri="/v2/" http.request.useragent="docker/1.6.0 go/go1.4.2 git-commit/4749651 kernel/3.16.0-37-generic os/linux arch/amd64" instance.id=cf6503e0-cab5-4395-913b-b67289ec60e2 service=registry version=v2.0.1 
time="2015-08-12T02:17:23.763132537Z" level=info msg="response completed" environment=development http.request.host="docker.small.mu:5000" http.request.id=59833839-eebf-4185-8e32-ac2b143e34e4 http.request.method=GET http.request.remoteaddr="203.219.111.198:50926" http.request.uri="/v2/" http.request.useragent="docker/1.6.0 go/go1.4.2 git-commit/4749651 kernel/3.16.0-37-generic os/linux arch/amd64" http.response.contenttype="application/json; charset=utf-8" http.response.duration=8.245921ms http.response.status=200 http.response.written=2 instance.id=cf6503e0-cab5-4395-913b-b67289ec60e2 service=registry version=v2.0.1 
203.219.111.198 - - [12/Aug/2015:02:17:23 +0000] "GET /v2/ HTTP/1.1" 200 2 "" "docker/1.6.0 go/go1.4.2 git-commit/4749651 kernel/3.16.0-37-generic os/linux arch/amd64"

[Bockit]

I mentioned I was following https://docs.docker.com/registry/deploying/ for the process. There was one deviation, I was unable to get:

docker run --entrypoint htpasswd registry:2 -Bbn testuser testpassword > auth/htpasswd

working correctly. It would claim htpasswd wasn't available. I endedup installing apache2-utils and creating the htpasswd file from the server.

[jasonf20]

My issue, #860 might be a duplicate of this (though I used native and not apache server).

Also I like Bockit had to install apache utils since it was not in the image. Perhaps this is related to issue (perhaps the cause)

[otmb]

environment NG?
-e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm"
-e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd

Tentatively...

$ htpasswd -Bbn hoge hoge > auth/htpasswd

$ mkdir -p certs && openssl req \
    -newkey rsa:4096 -nodes -sha256 -keyout certs/domain.key \
    -x509 -days 365 -out certs/domain.crt

config.yml

version: 0.1
log:
  fields:
    service: registry
storage:
    cache:
        layerinfo: inmemory
    filesystem:
        rootdirectory: /var/lib/registry
http:
    addr: :5000
auth:
  htpasswd:
    realm: basic-realm
    path: /auth/htpasswd

docker run -d -p 5000:5000 --restart=always --name registry \
  -v `pwd`/auth:/auth \
  -v `pwd`/config.yml:/etc/docker/registry/config.yml \
  -v `pwd`/certs:/certs \
  -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt \
  -e REGISTRY_HTTP_TLS_KEY=/certs/domain.key \
  registry:2

[dmp42]

Everybody: if you cannot run docker run --entrypoint htpasswd registry:2 -Bbn testuser testpassword then you are NOT running registry 2.1 and your image is outdated.

Please make sure you docker pull registry:2 to update your image and try again.

Confirm you have the latest version by issuing a:

docker run registry:2 --version

Should output:

/bin/registry github.com/docker/distribution v2.1.0

[dmp42]

@Bockit you are likely missing an entry in your compose file:

REGISTRY_AUTH: htpasswd

Sorry for the documentation was inaccurate on this, and this is fixed by #865

Finally: everybody, people here are reporting various different issues. One of you is trying to use Apache.

In the name of maintainers sanity, I would ask you if you can to create separate tickets for separate issues: if your setup is different from the original poster, please create a separate ticket.

Thanks.

[Bockit]

@dmp42 apologies for the noise, and thanks for the help. If I'm still having problems I'll create a new issue.

[natarajanv]

[venkat@r10a-venkat-docker compose_test]$ docker run registry:2 --version
/bin/registry github.com/docker/distribution v2.1.1

[dmp42]

@natarajanv your apache config is the problem here.
From what I can see, it's incomplete for now - I see no X-Forwarded-For headers for example.

Also, can you confirm you successfully followed the steps described in deploying.md, and you can successfully pull and push from your registry directly (without Apache in front).

Then you should review https://github.com/docker/distribution/blob/master/docs/nginx.md and figure out what's missing in Apache, without trying to add authentication.

Thanks.

[natarajanv]

We are under the impression that Apache ProxyPassReverse does it automatically, based on this http://wiki.nginx.org/LikeApache

Thanks
Venkat

From: Olivier Gambier [mailto:notifications@github.com]
Sent: Thursday, August 13, 2015 1:07 PM
To: docker/distribution distribution@noreply.github.com
Cc: Natarajan, Venkat venkat@mitre.org
Subject: Re: [distribution] unable to login to private v2 registry (#842)

@natarajanvhttps://github.com/natarajanv your apache config is the problem here.
From what I can see, it's incomplete for now - I see no X-Forwarded-For headers for example.

Also, can you confirm you successfully followed the steps described in deploying.md, and you can successfully pull and push from your registry directly (without Apache in front).

Then you should review https://github.com/docker/distribution/blob/master/docs/nginx.md and figure out what's missing in Apache, without trying to add authentication.

Thanks.

—
Reply to this email directly or view it on GitHubhttps://github.com//issues/842#issuecomment-130762626.

[natarajanv]

Yes, I can pull/push successfully without Apache.

Thanks

From: Olivier Gambier [mailto:notifications@github.com]
Sent: Thursday, August 13, 2015 1:07 PM
To: docker/distribution distribution@noreply.github.com
Cc: Natarajan, Venkat venkat@mitre.org
Subject: Re: [distribution] unable to login to private v2 registry (#842)

@natarajanvhttps://github.com/natarajanv your apache config is the problem here.
From what I can see, it's incomplete for now - I see no X-Forwarded-For headers for example.

Also, can you confirm you successfully followed the steps described in deploying.md, and you can successfully pull and push from your registry directly (without Apache in front).

Then you should review https://github.com/docker/distribution/blob/master/docs/nginx.md and figure out what's missing in Apache, without trying to add authentication.

Thanks.

—
Reply to this email directly or view it on GitHubhttps://github.com//issues/842#issuecomment-130762626.

[dmp42]

@natarajanv

Can you mail me your complete Apache configuration? (just tar /etc/apache or whatever contains the config) - (olivier /at/ docker /dot/ com)

[natarajanv]

These are the custom configuration which gets loaded via the include into the main configuration:

authnz_ldap.conf file:

AuthBasicProvider ldap AuthLDAPUrl "ldap://validname.org:3268/DC=mitre,DC=org?sAMAccountName?sub?(objectClass=*)" AuthLDAPBindDN "DC=MITRE,DC=ORG" AuthLDAPBindPassword "validpassword" AuthType Basic AuthName "APACHE Login"

  Require valid-user

registry_header.conf file:

Header set Docker-Distribution-Api-Version "registry/2.0"

rev_proxy.conf file

ProxyPreserveHost On ProxyRequests Off ProxyPass /v2/ http://registry:5000/v2/ ProxyPassReverse /v2/ http://registry:5000/v2/

This is the output I get when I login using the above config:

[venkat@r10a-venkat-docker compose_test]$ docker login -u venkat -e venkat@mitre.org r10a-venkat-docker.mitre.org:8443
Password:
FATA[0004] Error response from daemon:
[venkat@r10a-venkat-docker compose_test]$

These are the corresponding entries in the apache logs for this login:

==> ssl_access_log <==
10.84.255.19 - - [14/Aug/2015:11:28:59 +0000] "GET /v2/ HTTP/1.1" 401 381

==> ssl_request_log <==
[14/Aug/2015:11:28:59 +0000] 10.84.255.19 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 "GET /v2/ HTTP/1.1" 381

==> ssl_access_log <==
10.84.255.19 - - [14/Aug/2015:11:28:59 +0000] "GET /v1/_ping HTTP/1.1" 404 206

==> ssl_request_log <==
[14/Aug/2015:11:28:59 +0000] 10.84.255.19 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 "GET /v1/_ping HTTP/1.1" 206

==> ssl_access_log <==
10.84.255.19 - - [14/Aug/2015:11:28:59 +0000] "POST /v1/users/ HTTP/1.1" 404 207

==> ssl_request_log <==
[14/Aug/2015:11:28:59 +0000] 10.84.255.19 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 "POST /v1/users/ HTTP/1.1" 207

BTW, I have tried with ‘<Location / >’ and ‘ProxyPass / / http://registry:5000/’ as well….

With <Location / > in the configuration, this is what I get for login:

[venkat@r10a-venkat-docker compose_test]$ docker login -u venkat -e venkat@mitre.org r10a-venkat-docker.mitre.org:8443
Password:
FATA[0003] Error response from daemon: (Code: 404; Headers: map[Server:[Apache/2.4.6 (CentOS) OpenSSL/1.0.1e-fips] Content-Type:[text/plain; charset=utf-8] Docker-Distribution-Api-Version:[registry/2.0] Content-Length:[19] Date:[Fri, 14 Aug 2015 11:32:09 GMT]])
[venkat@r10a-venkat-docker compose_test]$

Log entries:

==> ssl_access_log <==
10.84.255.19 - - [14/Aug/2015:11:32:09 +0000] "GET /v2/ HTTP/1.1" 401 381

==> ssl_request_log <==
[14/Aug/2015:11:32:09 +0000] 10.84.255.19 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 "GET /v2/ HTTP/1.1" 381

==> ssl_access_log <==
10.84.255.19 - - [14/Aug/2015:11:32:09 +0000] "GET /v1/_ping HTTP/1.1" 401 381

==> ssl_request_log <==
[14/Aug/2015:11:32:09 +0000] 10.84.255.19 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 "GET /v1/_ping HTTP/1.1" 381

==> ssl_access_log <==
10.84.255.19 - - [14/Aug/2015:11:32:09 +0000] "POST /v1/users/ HTTP/1.1" 401 381

==> ssl_request_log <==
[14/Aug/2015:11:32:09 +0000] 10.84.255.19 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 "POST /v1/users/ HTTP/1.1" 381

==> ssl_access_log <==
10.84.255.19 - venkat [14/Aug/2015:11:32:09 +0000] "GET /v1/users/ HTTP/1.1" 404 19

==> ssl_request_log <==
[14/Aug/2015:11:32:09 +0000] 10.84.255.19 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 "GET /v1/users/ HTTP/1.1" 19

This is the registry version:

[venkat@r10a-venkat-docker compose_test]$ docker run registry:2 --version
/bin/registry github.com/docker/distribution v2.1.1
[venkat@r10a-venkat-docker compose_test]$

This is my compose file:

[venkat@r10a-venkat-docker compose_test]$ cat apache_and_registry2.yml
apache:
restart: always
image: apache
hostname: r10a-venkat-docker.mitre.org
ports:
- "80:80"
- "8443:443"
links:
- registry:registry
volumes:
- /etc/pki/tls/certs/r10a-venkat-docker.crt:/etc/pki/tls/certs/localhost.crt
- /etc/pki/tls/private/r10a-venkat-docker.key:/etc/pki/tls/private/localhost.key
- /logs/my_apache:/var/log/httpd
- /home/venkat/my_apache/includes/authnz_ldap.conf:/etc/httpd/conf.d/authnz_ldap.conf
- /home/venkat/my_apache/includes/registry_header.conf:/etc/httpd/conf.d/registry_header.conf
- /home/venkat/my_apache/includes/rev_proxy.conf:/etc/httpd/conf.d/rev_proxy.conf
registry:
restart: always
image: registry:2
hostname: r10a-venkat-docker.mitre.org
ports:
- "127.0.0.1:5000:5000"
environment:
REGISTRY_STORAGE_FILESYSTEM_ROOTDIRECTORY: /data
volumes:
- /data/registry:/data

Thanks
Venkat

From: Olivier Gambier [mailto:notifications@github.com]
Sent: Thursday, August 13, 2015 6:20 PM
To: docker/distribution distribution@noreply.github.com
Cc: Natarajan, Venkat venkat@mitre.org
Subject: Re: [distribution] unable to login to private v2 registry (#842)

@natarajanvhttps://github.com/natarajanv

Can you mail me your complete Apache configuration? (just tar /etc/apache or whatever contains the config).

—
Reply to this email directly or view it on GitHubhttps://github.com//issues/842#issuecomment-130864938.

[dmp42]

@natarajanv we just put together an Apache recipe.

Can you give this a spin: https://github.com/dmp42/distribution/blob/5.all-ur-proxy-are-belong-to-us/docs/apache.md

Then let us know if this is working?

From there you should be able to just hook in LDAP auth.

[natarajanv]

Oliver,
It works fine with the password file auth.

Thanks

From: Olivier Gambier [mailto:notifications@github.com]
Sent: Thursday, August 20, 2015 2:01 AM
To: docker/distribution distribution@noreply.github.com
Cc: Natarajan, Venkat venkat@mitre.org
Subject: Re: [distribution] unable to login to private v2 registry (#842)

@natarajanvhttps://github.com/natarajanv we just put together an Apache recipe.

Can you give this a spin: https://github.com/dmp42/distribution/blob/5.all-ur-proxy-are-belong-to-us/docs/apache.md

Then let us know if this is working?

From there you should be able to just hook in LDAP auth.

—
Reply to this email directly or view it on GitHubhttps://github.com//issues/842#issuecomment-132902261.

[dmp42]

@natarajanv then all that is remaining is plugging in the ldap auth.

Someone achieved it using nginx here: docker-archive/docker-registry#1026

[RichardScothern]

@natarajanv : is this still an issue for you?

[dmp42]

Closing for bookkeeping. Please state so if this is still an issue.

[Jean-Baptiste-Lasselle]

I mentioned I was following https://docs.docker.com/registry/deploying/ for the process. There was one deviation, I was unable to get:

docker run --entrypoint htpasswd registry:2 -Bbn testuser testpassword > auth/htpasswd

working correctly. It would claim htpasswd wasn't available. I endedup installing apache2-utils and creating the htpasswd file from the server.

So thank you for your feed back, doing the exact same thing 4 years later, got the exact same problem, only difference is that I managed to have htpasswd generating encrypted password. I 'll give feedback myself after I solve the issue 4 years later, for future users' sake in 2023 ...

Feedback 1

• I had not opened port 443, though I had setup HTTPS with certbot / letsEncrypt (ports section in docker-compose.yml), so I did and re-spawned it all docker-compose up -d --build --force-recreate
• Then I tried docker login using the username and the password I encrypted with htpasswd (I think they do think of PAM auth with this basic auth config, nevertheless not the issue here), and I get an answer from my registry, telling me either username or password were wrong, or the use unauthorized.