Harbor: 用户登录认证失败（docker login）

The option --insecure-registry should be same with hostname in harbor.cfg, I guess. If your hostname is a public IP, and --insecur-registry should be IP too.

I set up the network testing machine，Don't use the hostname, instead of using the IP。

What's your docker client version ? You can refer my post。It seems that the version <= 1.7 can not work well.

@ltz3317 have you restarted docker after making update to /etc/default/docker?

the same issue, docker login failed after docker-compose up, all settings the same as offical docs. It does not work as well.

me to. I can acess the ui,but can't login. I just do all as the offical docs .

Run into same issue here too.

I just installed the 0.1.1 release following official document. I can access the web UI and create project and user correctly. The only difference I made is letting the web UI listening on 8001 instead of 80 by changing compose file.

Then I tried to login from CLI with the newly created user, however, it fails.

zhangzh@base[~]$sudo docker login 192.168.30.231:8001
Username: admin
Password:
Error response from daemon: Get http://192.168.30.231:8001/v2/: error parsing HTTP 404 response body: invalid character '<' looking for beginning of value: "<html>\r\n<head><title>404 Not Found</title></head>\r\n<body bgcolor=\"white\">\r\n<center><h1>404 Not Found</h1></center>\r\n<hr><center>nginx/1.4.6 (Ubuntu)</center>\r\n</body>\r\n</html>\r\n"

From the server side, I saw log that needs token to auth this request.

Jul 12 18:40:32 172.17.0.1 docker/registry[858]: time="2016-07-12T10:40:32.951028712Z" level=debug msg="authorizing request" go.version=go1.5.3 http.request.host=192.168.30.231 http.request.id=da32b003-b827-4b3b-9144-eccd8c4826e7 http.request.method=GET http.request.remoteaddr=192.168.220.111 http.request.uri="/v2/" http.request.useragent="docker/1.11.2 go/go1.5.4 git-commit/b9f10c9 kernel/3.13.0-91-generic os/linux arch/amd64 UpstreamClient(Docker-Client/1.11.2 \\(linux\\))" instance.id=678e7aa6-6e93-457e-8fd0-6c109945c521 service=registry version=v2.3.0
Jul 12 18:40:32 172.17.0.1 docker/registry[858]: time="2016-07-12T10:40:32.952069804Z" level=warning msg="error authorizing context: authorization token required" go.version=go1.5.3 http.request.host=192.168.30.231 http.request.id=da32b003-b827-4b3b-9144-eccd8c4826e7 http.request.method=GET http.request.remoteaddr=192.168.220.111 http.request.uri="/v2/" http.request.useragent="docker/1.11.2 go/go1.5.4 git-commit/b9f10c9 kernel/3.13.0-91-generic os/linux arch/amd64 UpstreamClient(Docker-Client/1.11.2 \\(linux\\))" instance.id=678e7aa6-6e93-457e-8fd0-6c109945c521 service=registry version=v2.3.0
Jul 12 18:40:32 172.17.0.1 docker/registry[858]: 172.17.0.6 - - [12/Jul/2016:10:40:32 +0000] "GET /v2/ HTTP/1.1" 401 87 "" "docker/1.11.2 go/go1.5.4 git-commit/b9f10c9 kernel/3.13.0-91-generic os/linux arch/amd64 UpstreamClient(Docker-Client/1.11.2 \\(linux\\))"

Well, I doesn't try to build harbor against source. Is it fixed in master? Or will the next release be soon?

Thanks.

in this case you need to let the nginx "proxy" listen on 8001 port, not the UI.

I'm having a very similar issue to @ltz3317.

$ docker -D login x.x.x.x
Username: admin
Password: 
Error response from daemon: Get https://x.x.x.x/v1/users/: dial tcp x.x.x.x:443: getsockopt: connection refused

I am not sure how to troubleshoot this. I've added DOCKER_OPTS="--insecure-registry=x.x.x.x" to my harbor server's /etc/default/docker (matching hostname from harbor.cfg) and restarted docker and that did not help.

My harbor.cfg is:

root@harbor:~/harbor/Deploy# grep -v '#' harbor.cfg 
hostname = x.x.x.x
ui_url_protocol = http
email_server = smtp.mydomain.com
email_server_port = 25
email_username = [email protected]
email_password = abc
email_from = admin <[email protected]>
email_ssl = false
harbor_admin_password = Harbor12345
auth_mode = db_auth
ldap_url = ldaps://ldap.mydomain.com
ldap_basedn = uid=%s,ou=people,dc=mydomain,dc=com
db_password = root123
self_registration = on
production = on
max_job_workers = 3 
verify_remote_cert = off
customize_crt = on
crt_country = US
crt_state = Minnesota
crt_location = US
crt_organization = organization
crt_organizationalunit = organizational unit
crt_commonname = example.com
crt_email = [email protected]

Is this working for others? Any known setup I need to do or guide I need to read? If you need more info let me know!

@jmccann, normally adding "--insecure-registry=x.x.x.x" fix such issues.

could you run "ps -ef|grep docker" to double check this setting actual takes effect?

please also package the directory Deploy/config and attach to the issue, if convenient.

Here is the output of ps -ef | grep docker.

root     20699     1  0 Jul27 ?        00:01:17 /usr/bin/docker daemon -H fd:// --insecure-registry=x.x.x.x
root     20707 20699  0 Jul27 ?        00:00:03 docker-containerd -l /var/run/docker/libcontainerd/docker-containerd.sock --runtime docker-runc --start-timeout 2m
root     22919 22557  0 13:59 pts/0    00:00:00 docker-compose up
root     22920 22919  0 13:59 pts/0    00:00:04 docker-compose up
root     23018 20699  0 13:59 ?        00:00:00 docker-proxy -proto tcp -host-ip 0.0.0.0 -host-port 1514 -container-ip 172.18.0.2 -container-port 514
root     23024 20707  0 13:59 ?        00:00:00 docker-containerd-shim 741b3650fbda92509bfccdadd75ff652223f4d4c99b2a220740003c83f6d1846 /var/run/docker/libcontainerd/741b3650fbda92509bfccdadd75ff652223f4d4c99b2a220740003c83f6d1846 docker-runc
root     23124 20707  0 13:59 ?        00:00:00 docker-containerd-shim 2fd3fa74f0813716fa873a55ce05d46ba278d86dc495591405c830897383516b /var/run/docker/libcontainerd/2fd3fa74f0813716fa873a55ce05d46ba278d86dc495591405c830897383516b docker-runc
root     23219 20707  0 13:59 ?        00:00:00 docker-containerd-shim 65267a4f840cda5e9bf35da295b6db55435bf26daf194b7fea0ffe1b7719510a /var/run/docker/libcontainerd/65267a4f840cda5e9bf35da295b6db55435bf26daf194b7fea0ffe1b7719510a docker-runc
root     23378 20707  0 13:59 ?        00:00:00 docker-containerd-shim aeb078202cb8e8292da0bd9002b7a3200542398969c1aa6f7aa51a2b25cdf40f /var/run/docker/libcontainerd/aeb078202cb8e8292da0bd9002b7a3200542398969c1aa6f7aa51a2b25cdf40f docker-runc
root     23480 20699  0 13:59 ?        00:00:00 docker-proxy -proto tcp -host-ip 0.0.0.0 -host-port 5001 -container-ip 172.18.0.6 -container-port 5001
root     23486 20707  0 13:59 ?        00:00:00 docker-containerd-shim 0a1e0a1aea405205035e34a03379ef70c92e660a714f2a509111a035eaadec25 /var/run/docker/libcontainerd/0a1e0a1aea405205035e34a03379ef70c92e660a714f2a509111a035eaadec25 docker-runc
root     23603 20699  0 13:59 ?        00:00:00 docker-proxy -proto tcp -host-ip 0.0.0.0 -host-port 443 -container-ip 172.18.0.7 -container-port 443
root     23612 20699  0 13:59 ?        00:00:00 docker-proxy -proto tcp -host-ip 0.0.0.0 -host-port 80 -container-ip 172.18.0.7 -container-port 80
root     23617 20707  0 13:59 ?        00:00:00 docker-containerd-shim 650a0141fdeb825e89a8b8d08f5c2f1e854abaa82f8917019b8c51c66c9cf17e /var/run/docker/libcontainerd/650a0141fdeb825e89a8b8d08f5c2f1e854abaa82f8917019b8c51c66c9cf17e docker-runc
root     23770 23516  0 14:13 pts/1    00:00:00 grep --color=auto docker

It wasn't there earlier so I had to fix startup of docker to have the flag added. So thanks for pointing that out ... but doesn't seem to have solved my issue.

So I think the issue may have something to do that I'm trying to run this in an Openstack instance that is fronted by a floating IP. When on the instance that is running harbor I can do:

root@harbor:~# docker -D login 127.0.0.1
Username (admin): admin
Password: 
Login Succeeded

But still when trying to access it remotely/externally through the FIP (floating IP) I still get:

$ docker -D login x.x.x.x
Username: admin
Password: 
Error response from daemon: Get https://x.x.x.x/v1/users/: dial tcp x.x.x.x:443: getsockopt: connection refused

Not sure about attaching all the configs yet ... have to look through them to see what was generated ...

OK, I finally figured out my issue. Hopefully this will help someone else in the future.

1) Add --insecure-registry=x.x.x.x on the client (when using default harbor config)

• I was setting it on my server which does nothing.

2) Test with docker -D login x.x.x.x from client (when using default harbor config)

After those 2 things it seems to work!

$ docker -D login x.x.x.x
Username (admin): admin    
Password: 
Login Succeeded

@jmccann Great stuff! Thanks.
@reasonerjt Let's enhance our documentation to include it. This might be confusing, especially for new Docker users.

@jmccann, this is weird because this:
--insecure-registry=x.x.x.x
it tells docker to access x.x.x.x on port 80 with http

@reasonerjt YOU ARE RIGHT! Shows my lack of docker experience with private registries. :(

I updated my comment above to reflect the more correct way of doing things.

So in the end the main issue was setting that on the server instead of on the client.

Thanks for all the help and responses @reasonerjt even though this was probably a simple issue.

no problem

这里不得不说,harbor里面有个大坑.端口号一定不能省略.恰恰是你用xxx代替的地址,我遇到过,解决了这个问题

harbor 的配置中 hostname = xxx.xxx.xxx.xxx 不加端口的话，默认是走的80 端口。
我刚开始没有加，走的nginx转发，在页面上可以访问。进行 docker login hostname:port 登陆的时候，这里的port不是80，一直报如上所示的错误 404 error。
然后我将 harbor 配置改成了 hostname:port , 再进行 docker login hostname:port 就没问题了。
所以你应该保证 docker login 方式登陆 和 页面登陆走的是同一个端口