Moby: Docker login fails with v2.1.1 registry because auth fails and calls v1 endpoints

Created on 30 Sep 2015 · 1 Comment · Source: moby/moby

Description of problem

Docker login fails in a private v2 registry behind nginx, because authentication fails and then calls v1 endpoints. Credentials are 100% right.

docker version:

Client:
Version: 1.8.2
API version: 1.20
Go version: go1.4.2
Git commit: 0a8c2e3
Built: Thu Sep 10 19:10:10 UTC 2015
OS/Arch: darwin/amd64

Server:
Version: 1.8.2
API version: 1.20
Go version: go1.4.2
Git commit: 0a8c2e3
Built: Thu Sep 10 19:10:10 UTC 2015
OS/Arch: linux/amd64

docker info:

Containers: 0
Images: 0
Storage Driver: aufs
Root Dir: /mnt/sda1/var/lib/docker/aufs
Backing Filesystem: extfs
Dirs: 0
Dirperm1 Supported: true
Execution Driver: native-0.2
Logging Driver: json-file
Kernel Version: 4.0.9-boot2docker
Operating System: Boot2Docker 1.8.2 (TCL 6.4); master : aba6192 - Thu Sep 10 20:58:17 UTC 2015
CPUs: 1
Total Memory: 996.2 MiB
Name: default
ID: ZWF6:H3Q3:3LXK:O7OB:AESE:6WWF:76TM:ZTPL:MYUC:RLR4:ZVWB:FAO7
Debug mode (server): true
File Descriptors: 10
Goroutines: 17
System Time: 2015-09-30T10:52:48.727867992Z
EventsListeners: 0
Init SHA1:
Init Path: /usr/local/bin/docker
Docker Root Dir: /mnt/sda1/var/lib/docker
Labels:
provider=virtualbox

uname -a:

Darwin 14.5.0 Darwin Kernel Version 14.5.0: Wed Jul 29 02:26:53 PDT 2015; root:xnu-2782.40.9~1/RELEASE_X86_64 x86_64

Steps to Reproduce:

  1. Configure NGINX to forward requests to a v2.1.1 registry (https://docs.docker.com/registry/nginx/):
server {
  listen 443 ssl;
  server_name docker.somecompany.com;

  # disable any limits to avoid HTTP 413 for large image uploads
  client_max_body_size 0;

  # required to avoid HTTP 411: see Issue #1486 (https://github.com/docker/docker/issues/1486)
  chunked_transfer_encoding on;

  location /v2/ {

    auth_basic "Registry realm";
    auth_basic_user_file /srv/registry/.htpasswd;
    add_header 'Docker-Distribution-Api-Version' 'registry/2.0';

    proxy_set_header  Host              \$http_host;   # required for docker client's sake
    proxy_set_header  X-Real-IP         \$remote_addr; # pass on real client's IP
    proxy_set_header  X-Forwarded-For   \$proxy_add_x_forwarded_for;
    proxy_set_header  X-Forwarded-Proto \$scheme;
    proxy_read_timeout                  900;

    proxy_pass http://localhost:5555;
  }
}
  2. Login:

    docker login docker.somecompany.com

Actual Results:

Username: andre
Password:
Email: 
Error response from daemon: Unexpected status code [404] : <html>
<head><title>404 Not Found</title></head>
<body bgcolor="white">
<center><h1>404 Not Found</h1></center>
<hr><center>nginx/1.6.2 (Ubuntu)</center>
</body>
</html>

Additional info:

Logs from nginx:

192.168.1.102 - - [30/Sep/2015:11:54:46 +0100] "GET /v2/ HTTP/1.1" 401 203 "-" "docker/1.8.2 go/go1.4.2 git-commit/0a8c2e3 kernel/4.0.9-boot2docker os/linux arch/amd64"
192.168.1.102 - - [30/Sep/2015:11:54:46 +0100] "GET /v1/_ping HTTP/1.1" 404 151 "-" "docker/1.8.2 go/go1.4.2 git-commit/0a8c2e3 kernel/4.0.9-boot2docker os/linux arch/amd64"
192.168.1.102 - - [30/Sep/2015:11:54:46 +0100] "POST /v1/users/ HTTP/1.1" 404 151 "-" "docker/1.8.2 go/go1.4.2 git-commit/0a8c2e3 kernel/4.0.9-boot2docker os/linux arch/amd64"

Docker fails to authenticate into /v2/ although credentials are right, and then issues requests to /v1/_ping and /v1/users.

Using curl, I checked that the credentials are OK and that the Docker-Distribution-Api-Version header is right:

curl https://andre:[email protected]/v2/ -i
HTTP/1.1 200 OK
Server: nginx/1.6.2 (Ubuntu)
Date: Wed, 30 Sep 2015 13:12:30 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 2
Connection: keep-alive
Docker-Distribution-Api-Version: registry/2.0

{}

Most helpful comment

Fixed this issue: was missing the always option in Docker-Distribution-Api-Version Header:

add_header 'Docker-Distribution-Api-Version' 'registry/2.0' always;
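
Without `always`, nginx's add_header attaches the field only to a fixed set of success and redirect statuses, so the authenticated curl test in the issue sees it on the 200 while the unauthenticated 401 challenge goes out without it. The check below is an added example, not part of the original issue or the Docker project; `check_v2_challenge` and the sample responses are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify the response head of an UNAUTHENTICATED GET /v2/.
# Reads the head (as printed by `curl -si`) on stdin, prints a verdict and
# returns 0 = header present on the 401, 1 = header missing, 2 = not a 401.
check_v2_challenge() {
  awk '
    { sub(/\r$/, "") }                 # curl keeps the CRLF line endings
    NR == 1 { status = $2; next }      # status line, e.g. "HTTP/1.1 401 Unauthorized"
    /^$/    { exit }                   # blank line ends the header block
    tolower($0) ~ /^docker-distribution-api-version:[ \t]*registry\/2\.0[ \t]*$/ { hdr = 1 }
    END {
      if (status != "401") { print "not-a-challenge status=" status; exit 2 }
      if (!hdr)            { print "missing-on-401"; exit 1 }
      print "ok"; exit 0
    }'
}

# Constructed sample: 401 as sent when add_header has no "always".
RESP_WITHOUT_ALWAYS='HTTP/1.1 401 Unauthorized
Server: nginx/1.6.2 (Ubuntu)
Content-Type: text/html
WWW-Authenticate: Basic realm="Registry realm"
'

# Constructed sample: the same 401 once "always" is set.
RESP_WITH_ALWAYS='HTTP/1.1 401 Unauthorized
Server: nginx
WWW-Authenticate: Basic realm="Registry realm"
Docker-Distribution-Api-Version: registry/2.0
'

# Authenticated 200, shaped like the curl output in the issue. It carries the
# header either way, so it says nothing about the 401 path.
RESP_AUTHENTICATED='HTTP/1.1 200 OK
Server: nginx/1.6.2 (Ubuntu)
Content-Type: application/json; charset=utf-8
Docker-Distribution-Api-Version: registry/2.0
'

for resp in "$RESP_WITHOUT_ALWAYS" "$RESP_WITH_ALWAYS" "$RESP_AUTHENTICATED"; do
  printf '%s\n' "$resp" | check_v2_challenge || true
done

# Live use, without credentials:
#   curl -si https://docker.somecompany.com/v2/ | check_v2_challenge
```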
