 

Docker registry and index

Good day!

I have looked at a ton of info about docker registry and still have some questions about it... Please help me to understand some things about index and registry.

  1. I have installed docker-registry for private repositories. And I worked with standalone mode true. As I understand, docker registry can't authenticate users - it asks index for permissions and auth. So, I disabled standalone mode, so docker-registry needs to authenticate me by index.docker.io, but it doesn't work - registry allows me to push and pull any images I want. So the question is - why doesn't docker-registry try to authenticate me by index.docker.io?

  2. If docker-registry authenticates me through index.docker.io, where are the authorization parameters stored? I mean, if I want to grant user vozerov to push only to private.repo.domain:5000/vozerov repository.

  3. Docker searches through index. So if I want to search my images in my private repository I need to tell index.docker.io that there is a new private repository. Is that right, or am I saying something wrong?

  4. I found the docker-index project on GitHub - https://github.com/ekristen/docker-index. It is an alternative for index.docker.io. So, if I install it and log in to it, would the docker search command search through my private index or through index.docker.io?

UPD:

I worked a lot with docker-registry this night, so I am a bit confused:

  1. If standalone mode is true, then disable_token_auth is not used in any variant. So we can:

    1.1 Use this repo without auth (pull and push rights to anyone).

    1.2 Use basic auth with nginx and docker login my.registry.com, so every user that has basic auth info can push and pull. So, we don't have authorization in this mode.

  2. If standalone mode is false, then docker-registry needs to communicate with index.docker.io, but it doesn't. Two variants:

    2.1. If disable_token_auth is true - I get 405 error (method not allowed), but it means that I allow anyone to push or to pull images, or not?

    2.2. If disable_token_auth is false - I get 405 error...

And for 2.1 and 2.2 docker login my.registry.com is not working - it shows me 404 error... Maybe it is my misconfiguration?

canavar asked Jun 14 '14 11:06


1 Answer

1. I have installed docker-registry for private repositories. And I worked with standalone mode true. As I understand, docker registry can't authenticate users - it asks index for permissions and auth. So, I disabled standalone mode, so docker-registry needs to authenticate me by index.docker.io, but it doesn't work - registry allows me to push and pull any images I want. So the question is - why doesn't docker-registry try to authenticate me by index.docker.io?

The private docker registry you set up has no authentication because you did not set it up. You have to use nginx as a reverse proxy to set up the authentication, and since the docker client does not support basic authentication without SSL, you have to set up SSL on the reverse proxy as well.

When you push or pull, you are using the docker client. It can connect to any registry: a private registry you set up, as well as Docker Hub. Here are several points to consider:

  • When you fire off a docker search from your docker client, it will by default search the docker hub, and let you pull any image from there as long as it's public.

  • Login is needed to push the image in Docker Hub.

  • Now if you want to search your private docker registry you have to tell the docker client to search that registry in the following format:

      docker search private.repo.domain:5000/vozerov 
    
  • Now, depending on which registry you actually want to search, your private registry will require its own authentication if you set it up with a reverse proxy, and Docker Hub will require you to log in as well if you want to use it to push images.

  • The reason you can push/pull/search is because you are probably telling the docker client to do those actions in your private registry only, by specifying the domain_name:port/image_name. Even if you don't specify it and use Docker Hub by default, you will not run into authentication issues unless you try to push the image.

2. If docker-registry authenticates me through index.docker.io, where are the authorization parameters stored? I mean, if I want to grant user vozerov to push only to private.repo.domain:5000/vozerov repository.

  • Authorization parameters are stored on your docker client machine in the following file (it's a hidden file, so use ls -la). The file is called: ".dockercfg"

  • Inside that file you find the login credential details of the registries you successfully logged into:

    {
            "your_domain.com": {
                    "auth": "dXNlcjE6cGFzc3dvcmQxMjM=",
                    "email": ""
            }
    }

  • The "auth" is your base64-encoded (username:password) credentials

  • Docker private registry provides login (with the help of a reverse proxy) only. If you want a full-blown user-based authentication/authorization or access control system, you could look at solutions like Artifactory or CoreOS Enterprise Registry

3. Docker searches through index. So if I want to search my images in my private repository I need to tell index.docker.io that there is a new private repository. Is that right, or am I saying something wrong?

  • The Docker client searches through the index.io if you don't specify that you want it to search your private registry. That is the default behavior of docker. Your private docker registry is totally separate from the official docker index and simply has nothing to do with it. If you want to search your private registry in your Docker client, here are some commands you could use, native or curl:
  • Using curl (apt-get install jq):

    curl -s -X GET http://private.repo.domain:5000/v1/search | jq '.results[].name'
    
  • Using docker search:

    docker search private.repo.domain:5000/<search_keyword>
    

4. I found the docker-index project on GitHub - https://github.com/ekristen/docker-index. It is an alternative for index.docker.io. So, if I install it and log in to it, would the docker search command search through my private index or through index.docker.io?

  • Looks like that project is coming to a stop as Docker is rolling out a new registry. Never really tried it, so I would not know which registry it searches. I would assume it is something you integrate with a private registry since Docker Hub already has its own index, so if I were to make a guess, it would search your private registry.
alexfvolk answered Oct 08 '22 00:10
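
The .dockercfg layout described in the answer above, checked from the client side, as an added example that is not part of the original answer: because the "auth" value is only base64, anyone who can read the file holds the registry password, so the sketch below flags loose file permissions, plain-HTTP registry keys and recoverable credentials. The names audit_dockercfg, write_sample and SAMPLE are hypothetical, and the second SAMPLE entry is constructed for illustration.

```python
import base64
import json
import os
import stat
import tempfile

# Constructed sample: the answer's .dockercfg entry as valid JSON, plus a
# hypothetical plain-HTTP entry with a malformed auth value.
SAMPLE = {
    "your_domain.com": {"auth": "dXNlcjE6cGFzc3dvcmQxMjM=", "email": ""},
    "http://registry.example:5000": {"auth": "not-base64!", "email": ""},
}


def audit_dockercfg(path):
    """Return (subject, finding) tuples for a legacy .dockercfg file."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:  # any group/other permission bit is set
        findings.append((path, f"mode {mode:04o}: restrict to 0600"))
    with open(path, encoding="utf-8") as fh:
        entries = json.load(fh)
    for registry, entry in entries.items():
        if registry.startswith("http://"):
            findings.append((registry, "plain-HTTP registry URL"))
        try:
            raw = base64.b64decode(entry.get("auth", ""), validate=True)
            user, sep, password = raw.decode("utf-8").partition(":")
        except ValueError:  # covers binascii.Error and UnicodeDecodeError
            findings.append((registry, "auth is not valid base64"))
            continue
        if sep and password:
            # Report the user name only; never echo the password itself.
            findings.append((registry, f"recoverable password for '{user}'"))
    return findings


def write_sample(mode):
    """Write SAMPLE to a temp file with the given mode; return its path."""
    fd, path = tempfile.mkstemp(suffix=".dockercfg")
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        json.dump(SAMPLE, fh)
    os.chmod(path, mode)
    return path


if __name__ == "__main__":
    sample_path = write_sample(0o644)
    for subject, finding in audit_dockercfg(sample_path):
        print(f"{subject}: {finding}")
    os.remove(sample_path)
```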