This is great -- I've been waiting for this capability for the past couple of months.

Currently, my CI server pushes to my private registry as part of the deployment process, but since I have no way of protecting with auth, I have a few hoops:

• hide my registry behind firewall
• set up, tear down an SSH tunnel around my push and pull
• edit my CI-server's and consumers' hosts file to trick push and pull into using my tunneled port

+1 for the capability allowed by this PR

backflips

@lukewpatterson Thanks for the feedback -- does the https requirement work for you? I was thinking of maybe adding a --force-auth parameter if you want to use basic auth over HTTP connections (mostly for testing/development purposes). I'm interested to hear about real life use cases there, and how I can make your life easier. :)

Hey @shin- , I like the development/testing option of HTTP w/ auth. I'd picture it as more of a --allow-auth-http process than a --force-auth ("allow" rather than "force"), but either wording works for me.

One big thing that would help me is a complete, minimal nginx.conf example file to accompany the feature. I've been following progress on this topic - and occasionally see references to people declaring success with basic auth - but I can never reproduce success with the information I can glean from the various threads. I want to believe it can work :)

LGTM

Hey @shin-, thanks for the work. I'm curious on how to compile the program to try it. I haven't found any instructions so far on how to build Docker.

Any hints?

@allardhoeve see http://docs.docker.io/en/latest/contributing/devenvironment/ :)

@shin- This needs to be rebased.

ping @shin-

Done!

I tried to get this working and ran into problems with the login function. It seems that Login in auth/auth.go does not handle a 401 response correctly. I added the following code which gets the job done but may not be what you want in the end:

@@ -224,6 +224,26 @@ func Login(authConfig *AuthConfig, factory *utils.HTTPRequestFactory) (string, e
            } else {
                    return "", fmt.Errorf("Registration: %s", reqBody)
            }
+  } else if reqStatusCode == 401 {
+    req, err := factory.NewRequest("GET", serverAddress+"users/", nil)
+    req.SetBasicAuth(authConfig.Username, authConfig.Password)
+    resp, err := client.Do(req)
+    if err != nil {
+      return "", err
+    }
+    defer resp.Body.Close()
+    body, err := ioutil.ReadAll(resp.Body)
+    if err != nil {
+      return "", err
+    }
+    if resp.StatusCode == 200 {
+      status = "Login Succeeded"
+    } else if resp.StatusCode == 401 {
+      return "", fmt.Errorf("Wrong login/password, please try again")
+    } else {
+      return "", fmt.Errorf("Login: %s (Code: %d; Headers: %s)", body,
+        resp.StatusCode, resp.Header)
+    }
    } else {
            return "", fmt.Errorf("Unexpected status code [%d] : %s", reqStatusCode, reqBody)
    }

Thanks @dvoet, that might be an oversight on my part, I'll take a look asap.

@dvoet : Oh hey, I just had an epiphany today about this. Of course, the /v1/users/ endpoints need to be whitelisted for this to work, otherwise you're asking someone to be logged in before you're letting them log in...

@shin- But if it is white listed I don't think authentication will happen on a login call and the credentials will not be verified. If they get set incorrectly in the auth config it will lead to 401 error down the line. The normal basic auth pattern is a challenge/response which is what I was trying to accomplish.

the URL called in pingRegistryEndpoint needs to be whitelisted

I see what you mean! I'll integrate your patch. Thanks!

Integrated @dvoet 's patch. Thanks! Also rebased all the changes. Can you guys take another look? :)

@dvoet @allardhoeve is this working for you ?

yes

@crosbymichael @vieux Are we ready to merge this? If there's any outstanding issue I'm available to sort it out. :)

@crosbymichael @creack I must say I wasn't able to get it working, probably my nginx config...

Let's say I don't have access to the index.docker.io. Hoe do I create my login/passwd ?

Login/passwords aren't created dynamically, they're in the nginx/apache2/etc. config.

Yes, on the docker cli size I meant.

On Wed, Nov 13, 2013 at 11:28 AM, Joffrey F [email protected]:

Login/passwords aren't created dynamically, they're in the
nginx/apache2/etc. config.

—
Reply to this email directly or view it on GitHubhttps://github.com//pull/2339#issuecomment-28425540
.

Victor VIEUX
http://vvieux.com

docker login had been updated a while ago to accept an optional server parameter, so you can for example type docker login my.registry.io and it will create an entry in .dockercfg for that particular server.

Works without issues, here's my working nginx config: https://gist.github.com/lucas-clemente/7518350

In config.yml i have

standalone: true
disable_token_auth: true

Looking forward to seeing this merged!

to be well tested

Good point :-)

Can all people asking for it spend some time testing and provide some feedback?

I have used the login, push and pull commands successfully.

ping @shin-

This needs to be rebased

Rebased!
cc @crosbymichael

Can confirm re based version does exactly what it says on the tin

Will +1 again for merging

sweet! thanks guys.

@shin- great work! I'm having some trouble though because this line in the registry code is blowing up because the auth header is Basic rather than Token, any thoughts?

@lmars Unsetting the Authorization header in the web server worked for me, eg for nginx:

proxy_set_header Authorization "";

Anyone with the final nginx conf that will work for SSL and basic auth ?
Btw, should one use "docker login myregistry.myco.com:443" or "docker login myregistry.myco.com" ?

@coderlol Sample Nginx conf can be found here
You don't need to include the port.

@shin- the file you pointed works fine but has no basic auth support. any example with basic auth? if i add

auth_basic            "Restricted";
auth_basic_user_file  /docker-registry/.htpasswd;

to my config nothing i only get HTTP 500 responses from registry

@aluedeke check out docker-archive/docker-registry#82 (comment) =)

Was the use of basic auth over HTTP connections ever been implemented (some thing like --allow-auth-http or --force-auth; mentioned here and here)?

A real life scenario for this would be trying to deploy a docker image to multiple VMs in a private network which this same network contains a private Docker registry.

@farahfa Docker will refuse to send credentials over plain text connections.