Private Docker registry in pull through cache mode returns "invalid authorization credential"

3

7

I'm using the official Docker registry image, and have configured it as a pull through cache.

My clients can log in and push/pull local images, such as this:

docker login -u username -p secret docker.example.local:5000
docker pull docker.example.local:5000/myimage

I've configured my clients to use the Docker registry server as a proxy:

root@server:/# cat /etc/docker/daemon.json
  {
     "registry-mirrors": ["https://docker.example.local:5000"]
  }

But when my clients try to pull images not already present on the registry server, I get an error. Example pull command:

docker pull alpine

The registry server then responds with this message in its log file:

error authorizing context: basic authentication challenge for realm \"Registry Realm\": invalid authorization credential

I came across this SO post suggesting putting an Nginx proxy server in front, but this seems like a hack and I'd prefer some cleaner way of doing this if possible.

How have others set up their registry server in a pull through cache mode - did you find a better solution than setting up an Nginx proxy in front of the registry server?

Tourism answered 30/4, 2018 at 9:41 Comment(0)
1

You are using the wrong registry server name.
Do not use the https:// prefix:

#>docker login -u username -p secret docker.example.local:5000
Sluice answered 30/4, 2018 at 10:55 Comment(1)
Thanks for the reply. Actually, this was just a copy/paste error on my behalf. When logging in, I use "docker.example:5000", not "docker.example:5000". I apologize for the confusion. – Tourism
0

You should ensure that you either provide the environment variable REGISTRY_HTTP_HOST=https://docker.example.local:5000 or specify it in the /etc/docker/registry/config.yml file of the registry image:

http:
  addr: localhost:5000
  prefix: /my/nested/registry/
  host: https://docker.example.local:5000

# see https://docs.docker.com/registry/configuration/

The reason is that the address used in docker login should match the host configuration of the Docker registry.

Invoice answered 7/9, 2021 at 18:55 Comment(0)
0

It's been a bit since I dug through that code, but I believe docker will attempt to log in to your pull through cache using your Hub credentials. It only uses that registry's individual credentials when you pull from it directly. So you need to run docker login without a hostname to configure the Hub login. This is only between the docker engine and the mirror.

From the pull through cache to Hub, you configure the user/password in the pull through cache and anyone that can reach the cache will use those credentials when pulling from Hub. This means you need to ensure the cache is configured with a minimal access user or is only accessible by devices on the network that you trust.

Interstellar answered 7/9, 2021 at 19:8 Comment(0)
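
A client-side check for the situation described in the answer above, as an added example that is not part of the original thread: it reads the contents of `/etc/docker/daemon.json` and `~/.docker/config.json` and reports, for each mirror, whether a Hub login is stored or only a login for the mirror's own hostname. It assumes the behaviour the answer describes and that the Docker CLI stores Hub logins under the `https://index.docker.io/v1/` key; the function names and the sample JSON are constructed for illustration.

```python
import json
from urllib.parse import urlparse

# Key the Docker CLI uses for Docker Hub logins in ~/.docker/config.json.
HUB_KEY = "https://index.docker.io/v1/"

def host_of(entry):
    """Reduce 'https://host:port/path' or bare 'host:port' to 'host:port'."""
    return urlparse(entry if "//" in entry else "//" + entry).netloc

def diagnose(daemon_json, client_config_json):
    """Return {mirror_host: status} for every registry-mirrors entry."""
    mirrors = json.loads(daemon_json).get("registry-mirrors", [])
    auths = json.loads(client_config_json).get("auths", {})
    hub_login = HUB_KEY in auths
    stored_hosts = {host_of(key) for key in auths}
    result = {}
    for mirror in mirrors:
        host = host_of(mirror)
        if hub_login:
            # Per the answer, this is the login the engine offers to the mirror.
            result[host] = "hub-login-present"
        elif host in stored_hosts:
            # A login exists, but it only applies to direct pulls (host/image).
            result[host] = "mirror-login-only"
        else:
            result[host] = "no-login"
    return result

# Constructed sample input matching the setup in the question.
DAEMON_JSON = '{"registry-mirrors": ["https://docker.example.local:5000"]}'
CLIENT_CONFIG = '{"auths": {"docker.example.local:5000": {"auth": "<constructed>"}}}'

if __name__ == "__main__":
    for host, status in diagnose(DAEMON_JSON, CLIENT_CONFIG).items():
        print(host, status)
```

A `mirror-login-only` result corresponds to the question's setup: `docker login docker.example.local:5000` was run, but no login without a hostname.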
