
Integrate or Interface Docker Registry #2316

Open
mikehaertl opened this issue Aug 17, 2017 · 21 comments

Comments

6 participants
@mikehaertl

commented Aug 17, 2017

I know, this may be completely out of scope for this project. But I still try:

It would be cool if gitea could provide support for a docker registry.

Full integration is probably very unlikely to ever being added. But it would already help if we could interface with a standalone registry running in some container. The core features should be:

  • Authentication against shared user base
  • Authorization with shared repository permissions
  • Simple instructions for how to set up the above
@lunny
Member

commented Aug 17, 2017

Don't know how to implement a docker registry. It seems somewhat similar to git with LFS.

@lunny lunny added the kind/proposal label Aug 17, 2017

@mikehaertl
Author

commented Aug 17, 2017

Well, it's not about implementing the registry itself. That's already done and there's even a docker image for it. Details here: https://docs.docker.com/registry/

But the registry by default doesn't do any authentication/authorization. So the task would be to somehow make it use Gitea's user base.

It can't be too difficult, because even the Gitlab guys managed to do this 😛 . There's some documentation here:

https://docs.docker.com/registry/deploying/#more-advanced-authentication

A viable option would probably be what they call "delegated authentication".

@lunny
Member

commented Aug 17, 2017

OK. I see. Maybe you can change the title, it's somewhat confusing! 😄

@lunny lunny added this to the 1.x.x milestone Aug 17, 2017

@mikehaertl mikehaertl changed the title Docker Registry Integrate or Interface Docker Registry Aug 17, 2017

@mikehaertl
Author

commented Aug 17, 2017

This could probably be very helpful: https://github.com/cesanta/docker_auth

@bkcsoft
Member

commented Aug 24, 2017

GitLab manages Authentication and Authorization by tightly coupling it to the main GitLab application itself https://gitlab.com/gitlab-org/gitlab-ce/tree/master/lib/container_registry. Which isn't something that Gitea would wanna do.

However, we do have an API that could be used for checking if a user has access to a certain repo. So writing a standalone daemon (or nginx mod) would be fairly straight forward.

@mikehaertl
Author

commented Aug 24, 2017

However, we do have an API that could be used for checking if a user has access to a certain repo. So writing a standalone daemon (or nginx mod) would be fairly straight forward.

Sounds good. I'm just not (yet) an expert on nginx modules, so if anyone can provide a simple example or even better a full tutorial on how to set this up this would be very helpful. Maybe it could even be added to the documentation? Could be a nice use case example for what you can do with the API ...

@techknowlogick
Member

commented Sep 2, 2017

@mikehaertl / @bkcsoft I've used the cesanta registry software mentioned above, and it has the ability to call an external binary to see if a specific user has access to push/pull/etc.. a specific image to/from the docker registry. That software would then need a way to authenticate with Gitea which could be added via PR to that software, it already can authn against GitHub, Google, and others.

@mikehaertl
Author

commented Sep 3, 2017

Sounds perfect and should not be too hard to implement. We should also open an issue at cesanta then. Maybe leave this open in case we need to add extra permissions to allow/disallow registry access for a user from gitea?

@bkcsoft / @lunny Is the API documented somewhere? Couldn't find any docs.

@lunny
Member

commented Sep 3, 2017

Visit https://docs.gitea.io and see the top sub menu API.

@mikehaertl
Author

commented Sep 4, 2017

Nice, thanks. So the /repos/{username}/{reponame} API request should do what we want, right? Just want to make sure that we don't miss anything.

{
  "admin": true,
  "pull": true,
  "push": true
}
@bkcsoft
Member

commented Sep 4, 2017

@mikehaertl yeah pretty much. Have the binary login as a user, then check if pull: true for authorization 🙂

@mikehaertl
Author

commented Sep 4, 2017

Hmm, after having a closer look I'm not quite sure how this would work. I'm not really good at reading Go code, but from looking at the source of cesanta's Authenticator interface, there's also a password involved:

https://github.com/cesanta/docker_auth/blob/master/auth_server/authn/authn.go

This sounds reasonable as usually you have to enter a password when you want to push/pull to/from a private docker registry. OTOH they also provide authentication via Github. Not sure how this works from a user perspective though.

@techknowlogick Could you maybe help clarify, how authentication works via a third party API? Is there a password involved?

@techknowlogick
Member

commented Sep 4, 2017

@mikehaertl For third party authentication, they have various files in that authn directory that connect to various authentication providers. So there are various options: 1. complete #27 to add an OAuth provider to Gitea and then you have the GitHub provider in cesanta that you can re-use (this option requires work for both projects). Option 2. create a new provider in cesanta that uses the user/pass that is sent to it, and it queries the Gitea API (via basic auth) to see if the credentials are valid. Note for option 2 you may run into issues if you have third party auth enabled in Gitea (for example LDAP, OAuth w/ GitLab or GitHub, SMTP, etc.)

Then after you've authenticated (via option 1, or 2 above), you can use an external binary that queries the API to see if a user has authorization to access a specific repo.
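
As an added illustration of the two steps just described (authenticate the registry user by forwarding their credentials to the Gitea API with basic auth, then authorize a pull or push by reading the repository permissions quoted earlier in the thread), here is a small Go helper. It is example code written for this thread, not part of Gitea or of cesanta's docker_auth. It assumes Gitea's real GET /api/v1/user and GET /api/v1/repos/{owner}/{repo} endpoints, and it assumes that a docker image name "owner/repo" maps directly onto the Gitea repository of the same name; the in-process fake Gitea server, the user alice, her password and her repositories are constructed sample data so the example runs offline.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// RepoPermissions mirrors the "permissions" object of Gitea's GET /api/v1/repos/{owner}/{repo}.
type RepoPermissions struct {
	Admin bool `json:"admin"`
	Pull  bool `json:"pull"`
	Push  bool `json:"push"`
}

// GiteaAuthorizer is a hypothetical helper a docker_auth plugin or standalone daemon
// could use. Every call carries the registry user's own credentials as basic auth,
// so Gitea decides identity and visibility; the helper never trusts the client.
type GiteaAuthorizer struct {
	BaseURL string // Gitea root URL, e.g. https://gitea.example.com (assumed)
	Client  *http.Client
}

// call performs an authenticated GET and decodes the body into out on 200.
func (a *GiteaAuthorizer) call(path, user, pass string, out interface{}) (int, error) {
	req, err := http.NewRequest(http.MethodGet, a.BaseURL+path, nil)
	if err != nil {
		return 0, err
	}
	req.SetBasicAuth(user, pass)
	resp, err := a.Client.Do(req)
	if err != nil {
		return 0, err
	}
	defer resp.Body.Close()
	if resp.StatusCode == http.StatusOK && out != nil {
		return resp.StatusCode, json.NewDecoder(resp.Body).Decode(out)
	}
	return resp.StatusCode, nil
}

// Authenticate is "option 2" from the thread: GET /api/v1/user answers 200 only for
// valid credentials. Anything else (401, 403, 5xx) fails closed.
func (a *GiteaAuthorizer) Authenticate(user, pass string) (bool, error) {
	status, err := a.call("/api/v1/user", user, pass, nil)
	return err == nil && status == http.StatusOK, err
}

// Authorize maps a registry action ("pull" or "push") on image "owner/repo" onto the
// pull/push flags Gitea reports. Reading the image name as a Gitea owner/repo pair is an
// assumption of this example; hidden repos (404), bad logins and unknown actions are denied.
func (a *GiteaAuthorizer) Authorize(user, pass, image, action string) (bool, error) {
	parts := strings.SplitN(image, "/", 2)
	if len(parts) != 2 || parts[0] == "" || parts[1] == "" {
		return false, fmt.Errorf("image %q is not of the form owner/repo", image)
	}
	var repo struct {
		Permissions RepoPermissions `json:"permissions"`
	}
	status, err := a.call("/api/v1/repos/"+parts[0]+"/"+parts[1], user, pass, &repo)
	if err != nil || status != http.StatusOK {
		return false, err
	}
	switch action {
	case "pull":
		return repo.Permissions.Pull, nil
	case "push":
		return repo.Permissions.Push, nil
	}
	return false, nil // deny by default for anything not explicitly mapped
}

// NewFakeGitea stands in for a real instance so the example runs offline. Constructed
// sample data: user alice (password s3cret) owns alice/app and can only pull bob/lib.
func NewFakeGitea() *httptest.Server {
	perms := map[string]RepoPermissions{
		"alice/app": {Admin: true, Pull: true, Push: true},
		"bob/lib":   {Pull: true},
	}
	mux := http.NewServeMux()
	mux.HandleFunc("/api/v1/", func(w http.ResponseWriter, r *http.Request) {
		if u, p, ok := r.BasicAuth(); !ok || u != "alice" || p != "s3cret" {
			http.Error(w, "bad credentials", http.StatusUnauthorized)
			return
		}
		if r.URL.Path == "/api/v1/user" {
			json.NewEncoder(w).Encode(map[string]string{"login": "alice"})
			return
		}
		p, found := perms[strings.TrimPrefix(r.URL.Path, "/api/v1/repos/")]
		if !found {
			http.NotFound(w, r)
			return
		}
		json.NewEncoder(w).Encode(map[string]interface{}{"permissions": p})
	})
	return httptest.NewServer(mux)
}
```

The point of the design is that the helper holds no credentials of its own: the user's password goes to Gitea on every request, so a repository the user cannot see comes back as 404 and is denied exactly like a bad login, and a network or server error also denies rather than falling open. The caveat techknowlogick raises still applies: if Gitea delegates logins to LDAP or an OAuth provider, basic auth against /api/v1/user may not work for those accounts.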

@mikehaertl
Author

commented Sep 5, 2017

@techknowlogick I see, thanks. Personally I'd say that option 1) (OAuth2 based authentication) is the most solid then and we should wait for #27.

I still wonder how all this works from a user perspective. I.e. when using docker to pull an image from your private repo, how does authentication work? If you're on the command line, redirecting to Github's authentication authorization page is not an option. And entering the github password isn't either (as stated here).

So how does the OAuth token from Github reach cesanta in the CLI case?

@techknowlogick
Member

commented Sep 5, 2017

@mikehaertl You'll have to first auth via web browser to GitHub, then it'll give you a temp pass to use in command line. In the link to the file you sent (the example configuration for the cesanta docker registry), one line down it'll give you more in depth detail on how the auth works.

@mikehaertl
Author

commented Sep 6, 2017

Oh, right, I see now, thanks. It's not as tightly integrated as Gitlab but still acceptable I think.

@lunny
Member

commented Jun 8, 2018

Now I think this feature is necessary and not very difficult to implement. We could create a new tab named containers or something like that, which could be configured in the repository settings together with the registry auth information. And at first, we could support the standard registry https://hub.docker.com/_/registry/ and the Golang SDK https://github.com/docker/distribution/tree/master/registry

@bkcsoft
Member

commented Jun 17, 2018

@lunny I really don't think that injecting containers into Gitea makes sense. Setting up a registry has to be done separately anyhow. Providing a way to authenticate a user makes sense though...

@lunny
Member

commented Jun 19, 2018

@bkcsoft, in my mind, the new tab is only a UI to retrieve the docker tags from the registry. You could set up a global registry URL or specify one in the repository settings. Then the container tags could be retrieved and listed on the repository tab.
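
The tag listing lunny sketches here maps onto one call of the Docker Registry HTTP API V2, GET /v2/<name>/tags/list. The Go function below is an added example for this thread, not Gitea code: it assumes the registry URL and the per-repository credentials come from the repository settings lunny describes, sends them as basic auth, and treats 401/403/404 as "no images to show" rather than as an error so a UI tab can degrade gracefully. The in-process fake registry and its tags are constructed sample data.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// tagList is the response shape of GET /v2/<name>/tags/list (Registry HTTP API V2).
type tagList struct {
	Name string   `json:"name"`
	Tags []string `json:"tags"`
}

// ListTags fetches the tags of one repository from a registry using the repository's
// configured credentials. Denied or missing repositories yield an empty list and no
// error; transport failures and unexpected statuses are reported as errors.
func ListTags(client *http.Client, registryURL, repo, user, pass string) ([]string, error) {
	req, err := http.NewRequest(http.MethodGet, registryURL+"/v2/"+repo+"/tags/list", nil)
	if err != nil {
		return nil, err
	}
	if user != "" {
		req.SetBasicAuth(user, pass)
	}
	resp, err := client.Do(req)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	switch resp.StatusCode {
	case http.StatusOK:
	case http.StatusUnauthorized, http.StatusForbidden, http.StatusNotFound:
		return nil, nil // nothing visible for these credentials
	default:
		return nil, fmt.Errorf("registry returned %d for %s", resp.StatusCode, repo)
	}
	var tl tagList
	if err := json.NewDecoder(resp.Body).Decode(&tl); err != nil {
		return nil, err
	}
	return tl.Tags, nil
}

// NewFakeRegistry serves constructed sample data (repository alice/app with two tags,
// protected by the constructed credentials alice / s3cret) so the example runs offline.
func NewFakeRegistry() *httptest.Server {
	mux := http.NewServeMux()
	mux.HandleFunc("/v2/", func(w http.ResponseWriter, r *http.Request) {
		if u, p, ok := r.BasicAuth(); !ok || u != "alice" || p != "s3cret" {
			w.Header().Set("WWW-Authenticate", `Basic realm="registry"`)
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		if r.URL.Path != "/v2/alice/app/tags/list" {
			http.NotFound(w, r)
			return
		}
		json.NewEncoder(w).Encode(tagList{Name: "alice/app", Tags: []string{"latest", "v1.0.0"}})
	})
	return httptest.NewServer(mux)
}

func main() {
	srv := NewFakeRegistry()
	defer srv.Close()
	tags, err := ListTags(srv.Client(), srv.URL, "alice/app", "alice", "s3cret")
	fmt.Println(tags, err)
}
```

A real registry fronted by a token server (the docker_auth setup discussed earlier in the thread) would answer the first request with 401 and a WWW-Authenticate: Bearer challenge instead of accepting basic auth directly; this example keeps to basic auth, which the registry supports when configured with an htpasswd file, to stay within what the thread covers.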

@DblK
Contributor

commented Jun 19, 2018

For my personal usage I use this as docker registry:
http://port.us.org/

Authentication is done by an LDAP server, configured both in gitea and portus.

@sphrak
Contributor

commented Jul 23, 2018

I thought I might as well drop my $0.02 here.
I believe that one might take the external issues/wiki route initially, to allow a user to specify an external registry for convenience reasons on a repository, which simply redirects the user to, say, portus -- then later, one could integrate authentication and maybe also be able to list images available in the registry related to a particular repository.

Not entirely sure about the latter part, if it could even be done. But if I understood @bkcsoft correctly I agree that gitea itself should be yet another docker registry™, since gitea is not a one stop shop like gitlab has become. I do however believe it should allow for linking to external tools like it already does with external issues, external wikis etc.
