API v2 does not work as expected with HTTP_ALLOW_PUBLIC_READ=true #57
Comments
Apparently the 401 return code is only relevant to the Docker client for the first "GET /v2/" call --- we cannot know yet whether the client wants to perform a push or only a pull.
Background information: we need to support the HTTP_ALLOW_PUBLIC_READ mode for our Open Source Docker Registry (https://registry.opensource.zalan.do/).
I reported this as a bug (issue already reported by somebody else) in the Docker client: moby/moby#17317
Current suggestion: To work around this issue, we want to support multiple domains. One domain would be read-only and the other r/w but with forced authentication. In order to configure that, every request should be forced authenticated. If the used host matches HTTP_ALLOW_PUBLIC_READ_DOMAIN, then have it read-only.
I think we should check the latest Docker client (1.9.1); I think they changed the behavior (hopefully for the better). We should return the WWW-Authenticate header here: https://github.com/zalando-stups/friboo/blob/master/src/org/zalando/stups/friboo/system/oauth2.clj#L52
Current workaround plan: Use two different domains, one for pulling (registry.opensource.zalan.do) and one for pushing (registry-write.opensource.zalan.do). This is a dirty hack until the Docker client gets fixed. 😞 ⏳
BTW I created a new issue in Docker for this: moby/moby#18569
The workaround has now been deployed. I will keep this issue open as long as we need to use the workaround solution.
I could not find a way of getting the Docker client to use auth for push, but no-auth for pull 😞
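
The two-domain workaround discussed in this thread, modelled as an added example (not code from the thread or from the project). The 405 status on the read-only domain, the `Basic` scheme and realm, and all function names are assumptions made for illustration; the client model only encodes the behaviour reported above, that the first anonymous `GET /v2/` decides whether credentials are sent.

```python
# Added illustration of the two-domain workaround; not the project's implementation.
PUBLIC_READ_DOMAIN = "registry.opensource.zalan.do"  # pull domain named in the thread
READ_METHODS = {"GET", "HEAD"}


def hostname(host_header):
    """Lower-case the Host header value and drop a trailing :port."""
    value = host_header.strip().lower()
    name, _, port = value.rpartition(":")
    return name if name and port.isdigit() else value


def decide(host_header, method, token_valid):
    """Return (status, headers) for one request under the workaround policy."""
    if hostname(host_header) == PUBLIC_READ_DOMAIN:
        if method in READ_METHODS:
            return 200, {}                       # anonymous pull is allowed
        # Read-only domain: writes are refused even with a valid token.
        return 405, {"Allow": "GET, HEAD"}       # status code is an assumption
    if not token_valid:
        # Every other host forces authentication, including GET /v2/.
        # Scheme and realm are assumptions; the thread only asks for the header.
        return 401, {"WWW-Authenticate": 'Basic realm="registry"'}
    return 200, {}


def client_will_authenticate(host_header):
    """Model of the reported client behaviour: credentials are only sent
    if the first, anonymous GET /v2/ is answered with 401."""
    status, _ = decide(host_header, "GET", token_valid=False)
    return status == 401


def push_outcome(host_header, has_valid_token):
    """Status of an upload (PUT) that follows the initial GET /v2/ probe."""
    sends_token = has_valid_token and client_will_authenticate(host_header)
    return decide(host_header, "PUT", token_valid=sends_token)[0]


if __name__ == "__main__":
    # Constructed sample requests: (Host header, user holds a valid token)
    for host, token in [("registry.opensource.zalan.do", True),
                        ("registry-write.opensource.zalan.do", True),
                        ("registry-write.opensource.zalan.do:443", False)]:
        print(host, "push ->", push_outcome(host, token))
```
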