
Access of registry without given credentials #43640

Open
FalkNisius opened this issue May 25, 2022 · 2 comments

Comments

@FalkNisius

Description

A docker swarm has services with containers from a private registry.

The registry is secured with basic auth.

The credentials are saved locally after the docker login command.

The first call to the registry root is always unauthorized, because the stored credentials are not used.

As a result, fail2ban can block the swarm on updates, redeploys, etc.

May 25 07:52:06 dev1-manager nginx_nginx.gp4egxgegz48429l22l8cp0i2.fqrccy2br86zh9qe08yd9py6t[1262]: 46.101.118.254 - - [25/May/2022:05:52:06 +0000]  "GET https://registry.equeo.de/v2/ HTTP/1.1" 401 172 0.000 260 "-" "docker/20.10.12 go/go1.16.2 git-commit/20.10.12-0ubuntu2~20.04.1 kernel/5.4.0-113-generic os/linux arch/amd64 UpstreamClient(Docker-Client/20.10.12 \x5C(linux\x5C))" "-" "-"
May 25 07:52:06 dev1-manager nginx_nginx.gp4egxgegz48429l22l8cp0i2.fqrccy2br86zh9qe08yd9py6t[1262]: 46.101.118.254 - registry_admin [25/May/2022:05:52:06 +0000]  "HEAD https://registry.equeo.de/v2/visitberlinnginx/manifests/prod HTTP/1.1" 200 0 0.028 655 "-" "docker/20.10.12 go/go1.16.2 git-commit/20.10.12-0ubuntu2~20.04.1 kernel/5.4.0-113-generic os/linux arch/amd64 UpstreamClient(Docker-Client/20.10.12 \x5C(linux\x5C))" "-" "-"
May 25 07:52:06 dev1-manager nginx_nginx.gp4egxgegz48429l22l8cp0i2.fqrccy2br86zh9qe08yd9py6t[1262]: 46.101.118.254 - registry_admin [25/May/2022:05:52:06 +0000]  "GET https://registry.equeo.de/v2/visitberlinnginx/manifests/sha256:c5bef12a99a3bf990604848ee51186bbf6efccb8cc3b54a09a24fb6d8043a3cc HTTP/1.1" 200 3227 0.007 744 "-" "docker/20.10.12 go/go1.16.2 git-commit/20.10.12-0ubuntu2~20.04.1 kernel/5.4.0-113-generic os/linux arch/amd64 UpstreamClient(Docker-Client/20.10.12 \x5C(linux\x5C))" "-" "-"
May 25 07:52:06 dev1-manager nginx_nginx.gp4egxgegz48429l22l8cp0i2.fqrccy2br86zh9qe08yd9py6t[1262]: 46.101.118.254 - registry_admin [25/May/2022:05:52:06 +0000]  "GET https://registry.equeo.de/v2/visitberlinnginx/blobs/sha256:c8ef482aba1a2859438d571acdbb255130685b915c3718c86dd47c11b406c943 HTTP/1.1" 200 10934 0.011 421 "-" "docker/20.10.12 go/go1.16.2 git-commit/20.10.12-0ubuntu2~20.04.1 kernel/5.4.0-113-generic os/linux arch/amd64 UpstreamClient(Docker-Client/20.10.12 \x5C(linux\x5C))" "-" "-"


May 25 07:52:10 dev1-manager nginx_nginx.gp4egxgegz48429l22l8cp0i2.fqrccy2br86zh9qe08yd9py6t[1262]: 46.101.118.254 - - [25/May/2022:05:52:10 +0000]  "GET https://registry.equeo.de/v2/ HTTP/1.1" 401 172 0.000 211 "-" "docker/20.10.12 go/go1.16.2 git-commit/20.10.12-0ubuntu2~20.04.1 kernel/5.4.0-113-generic os/linux arch/amd64" "-" "-"
May 25 07:52:10 dev1-manager nginx_nginx.gp4egxgegz48429l22l8cp0i2.fqrccy2br86zh9qe08yd9py6t[1262]: 46.101.118.254 - registry_admin [25/May/2022:05:52:10 +0000]  "GET https://registry.equeo.de/v2/visitberlinnginx/manifests/sha256:c5bef12a99a3bf990604848ee51186bbf6efccb8cc3b54a09a24fb6d8043a3cc HTTP/1.1" 200 3227 0.021 695 "-" "docker/20.10.12 go/go1.16.2 git-commit/20.10.12-0ubuntu2~20.04.1 kernel/5.4.0-113-generic os/linux arch/amd64" "-" "-"
May 25 07:52:10 dev1-manager nginx_nginx.gp4egxgegz48429l22l8cp0i2.fqrccy2br86zh9qe08yd9py6t[1262]: 46.101.118.254 - registry_admin [25/May/2022:05:52:10 +0000]  "GET https://registry.equeo.de/v2/visitberlinnginx/blobs/sha256:c8ef482aba1a2859438d571acdbb255130685b915c3718c86dd47c11b406c943 HTTP/1.1" 200 10934 0.010 372 "-" "docker/20.10.12 go/go1.16.2 git-commit/20.10.12-0ubuntu2~20.04.1 kernel/5.4.0-113-generic os/linux arch/amd64" "-" "-"
May 25 07:52:10 dev1-manager nginx_nginx.gp4egxgegz48429l22l8cp0i2.fqrccy2br86zh9qe08yd9py6t[1262]: 46.101.118.254 - registry_admin [25/May/2022:05:52:10 +0000]  "GET https://registry.equeo.de/v2/visitberlinnginx/blobs/sha256:c0a02e9502ec42460fadb5787011e11090ec216c0f8cdb313df96d531e5c767c HTTP/1.1" 200 2366 0.010 372 "-" "docker/20.10.12 go/go1.16.2 git-commit/20.10.12-0ubuntu2~20.04.1 kernel/5.4.0-113-generic os/linux arch/amd64" "-" "-"


May 25 07:55:58 dev1-manager nginx_nginx.gp4egxgegz48429l22l8cp0i2.fqrccy2br86zh9qe08yd9py6t[1262]: 46.101.118.254 - - [25/May/2022:05:55:58 +0000]  "GET https://registry.equeo.de/v2/ HTTP/1.1" 401 172 0.000 260 "-" "docker/20.10.12 go/go1.16.2 git-commit/20.10.12-0ubuntu2~20.04.1 kernel/5.4.0-113-generic os/linux arch/amd64 UpstreamClient(Docker-Client/20.10.12 \x5C(linux\x5C))" "-" "-"
May 25 07:55:58 dev1-manager nginx_nginx.gp4egxgegz48429l22l8cp0i2.fqrccy2br86zh9qe08yd9py6t[1262]: 46.101.118.254 - registry_admin [25/May/2022:05:55:58 +0000]  "HEAD https://registry.equeo.de/v2/visitberlinnginx/manifests/prod HTTP/1.1" 200 0 0.024 655 "-" "docker/20.10.12 go/go1.16.2 git-commit/20.10.12-0ubuntu2~20.04.1 kernel/5.4.0-113-generic os/linux arch/amd64 UpstreamClient(Docker-Client/20.10.12 \x5C(linux\x5C))" "-" "-"
May 25 07:55:58 dev1-manager nginx_nginx.gp4egxgegz48429l22l8cp0i2.fqrccy2br86zh9qe08yd9py6t[1262]: 46.101.118.254 - registry_admin [25/May/2022:05:55:58 +0000]  "GET https://registry.equeo.de/v2/visitberlinnginx/manifests/sha256:63ea56db0f89541f1c8925aed473298e9b57ae7552c0f7aae35db8fa0c0466b3 HTTP/1.1" 200 3227 0.006 744 "-" "docker/20.10.12 go/go1.16.2 git-commit/20.10.12-0ubuntu2~20.04.1 kernel/5.4.0-113-generic os/linux arch/amd64 UpstreamClient(Docker-Client/20.10.12 \x5C(linux\x5C))" "-" "-"
May 25 07:55:58 dev1-manager nginx_nginx.gp4egxgegz48429l22l8cp0i2.fqrccy2br86zh9qe08yd9py6t[1262]: 46.101.118.254 - registry_admin [25/May/2022:05:55:58 +0000]  "GET https://registry.equeo.de/v2/visitberlinnginx/blobs/sha256:40c790ad544a3ff77ae2602bd23a0dacbaba97b809a92dff28572f61feac1d3a HTTP/1.1" 200 10932 0.010 421 "-" "docker/20.10.12 go/go1.16.2 git-commit/20.10.12-0ubuntu2~20.04.1 kernel/5.4.0-113-generic os/linux arch/amd64 UpstreamClient(Docker-Client/20.10.12 \x5C(linux\x5C))" "-" "-"


May 25 07:56:02 dev1-manager nginx_nginx.gp4egxgegz48429l22l8cp0i2.fqrccy2br86zh9qe08yd9py6t[1262]: 46.101.118.254 - - [25/May/2022:05:56:02 +0000]  "GET https://registry.equeo.de/v2/ HTTP/1.1" 401 172 0.000 211 "-" "docker/20.10.12 go/go1.16.2 git-commit/20.10.12-0ubuntu2~20.04.1 kernel/5.4.0-113-generic os/linux arch/amd64" "-" "-"
May 25 07:56:02 dev1-manager nginx_nginx.gp4egxgegz48429l22l8cp0i2.fqrccy2br86zh9qe08yd9py6t[1262]: 46.101.118.254 - registry_admin [25/May/2022:05:56:02 +0000]  "GET https://registry.equeo.de/v2/visitberlinnginx/manifests/sha256:63ea56db0f89541f1c8925aed473298e9b57ae7552c0f7aae35db8fa0c0466b3 HTTP/1.1" 200 3227 0.021 695 "-" "docker/20.10.12 go/go1.16.2 git-commit/20.10.12-0ubuntu2~20.04.1 kernel/5.4.0-113-generic os/linux arch/amd64" "-" "-"
May 25 07:56:02 dev1-manager nginx_nginx.gp4egxgegz48429l22l8cp0i2.fqrccy2br86zh9qe08yd9py6t[1262]: 46.101.118.254 - registry_admin [25/May/2022:05:56:02 +0000]  "GET https://registry.equeo.de/v2/visitberlinnginx/blobs/sha256:40c790ad544a3ff77ae2602bd23a0dacbaba97b809a92dff28572f61feac1d3a HTTP/1.1" 200 10932 0.011 372 "-" "docker/20.10.12 go/go1.16.2 git-commit/20.10.12-0ubuntu2~20.04.1 kernel/5.4.0-113-generic os/linux arch/amd64" "-" "-"
May 25 07:56:02 dev1-manager nginx_nginx.gp4egxgegz48429l22l8cp0i2.fqrccy2br86zh9qe08yd9py6t[1262]: 46.101.118.254 - registry_admin [25/May/2022:05:56:02 +0000]  "GET https://registry.equeo.de/v2/visitberlinnginx/blobs/sha256:2133a59b719f4757bb6382c93764ebde4eef8a34da733f8bfe9e2a5399e99a5b HTTP/1.1" 200 2371 0.010 372 "-" "docker/20.10.12 go/go1.16.2 git-commit/20.10.12-0ubuntu2~20.04.1 kernel/5.4.0-113-generic os/linux arch/amd64" "-" "-"

The first request, GET https://registry.equeo.de/v2/ HTTP/1.1, always receives a 401, because the user is missing.

Steps to reproduce the issue:

  1. create a swarm
  2. add a compose file for a stack with one service to a basic auth secured registry
  3. start this stack

Describe the results you received:

It looks like the first request, whose function is to check whether the registry is accessible and answers, is always unauthorized.

Describe the results you expected:

Every HTTP access to a registry with given credentials should use these credentials.

Additional information you deem important (e.g. issue happens only occasionally):

Output of docker version:

Client:
 Version:           20.10.12
 API version:       1.41
 Go version:        go1.16.2
 Git commit:        20.10.12-0ubuntu2~20.04.1
 Built:             Wed Apr  6 02:14:38 2022
 OS/Arch:           linux/amd64
 Context:           default
 Experimental:      true

Server:
 Engine:
  Version:          20.10.12
  API version:      1.41 (minimum version 1.12)
  Go version:       go1.16.2
  Git commit:       20.10.12-0ubuntu2~20.04.1
  Built:            Thu Feb 10 15:03:35 2022
  OS/Arch:          linux/amd64
  Experimental:     false
 containerd:
  Version:          1.5.9-0ubuntu1~20.04.4
  GitCommit:        
 runc:
  Version:          1.1.0-0ubuntu1~20.04.1
  GitCommit:        
 docker-init:
  Version:          0.19.0
  GitCommit:        

Output of docker info:

Client:
 Context:    default
 Debug Mode: false

Server:
 Containers: 10
  Running: 8
  Paused: 0
  Stopped: 2
 Images: 10
 Server Version: 20.10.12
 Storage Driver: overlay2
  Backing Filesystem: extfs
  Supports d_type: true
  Native Overlay Diff: true
  userxattr: false
 Logging Driver: json-file
 Cgroup Driver: cgroupfs
 Cgroup Version: 1
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
 Swarm: active
  NodeID: ifxsv42fla2fwuyeh5srka3yv
  Is Manager: true
  ClusterID: tuiyx439s00o797re4b7ifixs
  Managers: 1
  Nodes: 1
  Default Address Pool: 10.0.0.0/8  
  SubnetSize: 24
  Data Path Port: 4789
  Orchestration:
   Task History Retention Limit: 5
  Raft:
   Snapshot Interval: 10000
   Number of Old Snapshots to Retain: 0
   Heartbeat Tick: 1
   Election Tick: 10
  Dispatcher:
   Heartbeat Period: 5 seconds
  CA Configuration:
   Expiry Duration: 3 months
   Force Rotate: 0
  Autolock Managers: false
  Root Rotation In Progress: false
  Node Address: 10.135.227.149
  Manager Addresses:
   10.135.227.149:2377
 Runtimes: io.containerd.runc.v2 io.containerd.runtime.v1.linux runc
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: 
 runc version: 
 init version: 
 Security Options:
  apparmor
  seccomp
   Profile: default
 Kernel Version: 5.4.0-113-generic
 Operating System: Ubuntu 20.04.4 LTS
 OSType: linux
 Architecture: x86_64
 CPUs: 4
 Total Memory: 7.771GiB
 Name: vb-prod
 ID: EUMY:X7KN:3QKS:6VNM:CXEU:CWDS:G4S3:RETU:MLKP:CBIN:KRO4:Y2UM
 Docker Root Dir: /var/lib/docker
 Debug Mode: false
 Registry: https://index.docker.io/v1/
 Labels:
 Experimental: false
 Insecure Registries:
  127.0.0.0/8
 Live Restore Enabled: false

Additional environment details (AWS, VirtualBox, physical, etc.):

@thaJeztah
Member

This is the expected behavior; the /v2/ endpoint is used to detect if the registry supports the OCI distribution v2 spec, and whether or not the registry expects authentication: https://github.com/opencontainers/distribution-spec/blob/dd38b7ed8a995fc2f6e730a4deae60e2c0ee92fe/spec.md#determining-support

@FalkNisius
Author

It is ok for me and accepted.

Perhaps it would be a nice idea to extend the documentation under https://docs.docker.com/registry, and especially the examples under recipes/nginx / apache.

The simplest enhancement would be a link to the specification at one of these points.

More advanced would be the information that the /v2/ endpoint is used as a health endpoint and is always called without the given credentials by docker clients, which results in an expected 401 on secured registries and can confuse intrusion detection systems; these should have exceptions configured, or the proxy configuration should require authorization only under the /v2/ endpoint, not for the endpoint itself.

In my eyes it is an inconsistency, but easy to work around.
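Added example, not part of the issue thread or of any Docker project code: a small Python log filter implementing the intrusion-detection exception the comment above asks for. It counts 401s per client IP over nginx access lines in the format quoted in the issue, but excludes the unauthenticated GET /v2/ version probe that every docker client sends first. The log lines, hosts and IPs below are constructed placeholders.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Constructed sample lines in the nginx access format quoted in the issue.
# Hosts, IPs and image names are placeholders, not the reporter's values.
SAMPLE_LOG = """\
May 25 07:52:06 mgr nginx[1]: 203.0.113.7 - - [25/May/2022:05:52:06 +0000]  "GET https://registry.example.com/v2/ HTTP/1.1" 401 172 0.000 260 "-" "docker/20.10.12 go/go1.16.2 os/linux arch/amd64" "-" "-"
May 25 07:52:06 mgr nginx[1]: 203.0.113.7 - registry_admin [25/May/2022:05:52:06 +0000]  "HEAD https://registry.example.com/v2/app/manifests/prod HTTP/1.1" 200 0 0.028 655 "-" "docker/20.10.12 go/go1.16.2 os/linux arch/amd64" "-" "-"
May 25 07:52:10 mgr nginx[1]: 203.0.113.7 - - [25/May/2022:05:52:10 +0000]  "GET https://registry.example.com/v2/ HTTP/1.1" 401 172 0.000 211 "-" "docker/20.10.12 go/go1.16.2 os/linux arch/amd64" "-" "-"
May 25 07:53:01 mgr nginx[1]: 198.51.100.9 - - [25/May/2022:05:53:01 +0000]  "GET https://registry.example.com/v2/app/manifests/prod HTTP/1.1" 401 172 0.000 211 "-" "curl/7.68.0" "-" "-"
May 25 07:53:02 mgr nginx[1]: 198.51.100.9 - - [25/May/2022:05:53:02 +0000]  "GET https://registry.example.com/v2/app/manifests/prod HTTP/1.1" 401 172 0.000 211 "-" "curl/7.68.0" "-" "-"
May 25 07:53:03 mgr nginx[1]: 198.51.100.9 - - [25/May/2022:05:53:03 +0000]  "GET https://registry.example.com/v2/_catalog HTTP/1.1" 401 172 0.000 211 "-" "curl/7.68.0" "-" "-"
"""

# Client IP, remote user, request line and status from the combined-style format.
LINE_RE = re.compile(
    r'(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) - (?P<user>\S+) \[[^\]]+\]\s+'
    r'"(?P<method>[A-Z]+) (?P<url>\S+) HTTP/[\d.]+" (?P<status>\d{3}) '
)


def classify(line):
    """Return (ip, kind); kind is 'probe', 'auth_failure', 'ok' or None."""
    m = LINE_RE.search(line)
    if not m:
        return None, None
    if m['status'] != '401':
        return m['ip'], 'ok'
    # Every docker client first issues an unauthenticated GET /v2/ to learn
    # whether the registry speaks the distribution v2 API and wants auth
    # (the spec's "determining support" step), so a 401 there is expected.
    # The log records absolute URLs; urlparse handles those and bare paths.
    if m['method'] == 'GET' and urlparse(m['url']).path == '/v2/':
        return m['ip'], 'probe'
    return m['ip'], 'auth_failure'


def ban_candidates(lines, maxretry=3):
    """IPs with at least `maxretry` 401s on real content paths, probes excluded."""
    failures = Counter()
    for line in lines:
        ip, kind = classify(line)
        if kind == 'auth_failure':
            failures[ip] += 1
    return sorted(ip for ip, n in failures.items() if n >= maxretry)
```

The same exclusion can be expressed in a fail2ban filter as an `ignoreregex` matching a 401 on `GET .../v2/ `, so the swarm node's probes stop counting toward the ban while repeated 401s on manifest or blob paths still do.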
