Inedo Community Forums Forums
    • Recent
    • Tags
    • Popular
    • Login

    Welcome to the Inedo Forums! Check out the Forums Guide for help getting started.

    If you are experiencing any issues with the forum software, please visit the Contact Form on our website and let us know!

    Docker image pull through connector fails

    Scheduled Pinned Locked Moved Support
    22 Posts 4 Posters 101 Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • atrippA Offline
      atripp inedo-engineer @guyk
      last edited by

      Hi @guyk ,

      Can you bypass the squid proxy and go directly to ACR? I saw a blog post long ago, where someone said something about proxies being an issue:

      https://faultbucket.ca/2022/05/aks-image-pull-failed-from-proget/

      Thanks,
      Alana

      G 1 Reply Last reply Reply Quote 0
      • G Offline
        guyk @atripp
        last edited by guyk

        @atripp That's not so easy, I'm afraid. It would take a while to get someone to change the firewall config for me, and it sort of goes against the policy here anyway.

        I might try to setup a proget instance on my laptop instead, just to test. But it does seem like a pretty long shot, the post you're referring to is talking about a different type of proxy. Also, as squid is tunnelling TLS traffic in our case (on both sides), I don't think it would be able to screw with the contents of HTTP headers tbh.

        Is it by the way possible to disable the proxy for only the one connector or feed, isn't that a global setting?

        1 Reply Last reply Reply Quote 0
        • Dan_WoolfD Offline
          Dan_Woolf inedo-engineer
          last edited by

          Hi @guyk,

          You are correct, the proxy settings are global, not at a feed level.

          Would you be able to provide us with a URL and a scope-mapped token we can debug with? You can email these to support@inedo.com with the subject of [QA-1148]. If so, we can easily debug this and see what is going on. Once we complete the fix, we can let you know and you can revoke access from us.

          Thanks,
          Dan

          G 1 Reply Last reply Reply Quote 0
          • G Offline
            guyk @Dan_Woolf
            last edited by

            @Dan_Woolf Thank you, I have now sent an email as suggested.

            1 Reply Last reply Reply Quote 0
            • Dan_WoolfD Offline
              Dan_Woolf inedo-engineer
              last edited by

              Hi @guyk,

              Thanks, I have it and I'm testing now. I'll reach out shortly and let you know what I find.

              Thanks,
              Dan

              1 Reply Last reply Reply Quote 0
              • Dan_WoolfD Offline
                Dan_Woolf inedo-engineer
                last edited by

                Hi @guyk,

                The error I'm getting is a 401 unauthorized exception. Can you confirm that the token you sent me is a token password? Following Micorosft's documentation https://learn.microsoft.com/en-us/azure/container-registry/container-registry-repository-scoped-permissions, you need to create a token password for the token. Then the docker login username is the name of the token and the password is the token password.

                Thanks,
                Dan

                G 2 Replies Last reply Reply Quote 0
                • G Offline
                  guyk @Dan_Woolf
                  last edited by

                  This post is deleted!
                  1 Reply Last reply Reply Quote 0
                  • G Offline
                    guyk @Dan_Woolf
                    last edited by

                    @Dan_Woolf It does look OK on our end, I've tried the following:

                    $ read -s pw
                    [pasted the token I sent you]
                    $ echo $pw | docker login -u tokenname --password-stdin registryname.azurecr.io
                    WARNING! Your password will be stored unencrypted in /home/x/.docker/config.json.
                    Configure a credential helper to remove this warning. See
                    https://docs.docker.com/engine/reference/commandline/login/#credentials-store
                    
                    Login Succeeded
                    $
                    

                    I was then able to pull images from the registry.

                    1 Reply Last reply Reply Quote 0
                    • Dan_WoolfD Offline
                      Dan_Woolf inedo-engineer
                      last edited by

                      Hi @guyk,

                      Thanks for confirming that for me. On that same email you sent me, can you please send me a repository name that is available to that token?

                      Thanks,
                      Dan

                      1 Reply Last reply Reply Quote 0
                      • Dan_WoolfD Offline
                        Dan_Woolf inedo-engineer
                        last edited by

                        Hi @guyk,

                        After some research, it looks like scope-mapped tokens require a custom authentication procedure. It looks like if you use an Admin User, it will then use the standard Docker authentication procedure. Would you be able to try that and see if it works with ProGet?

                        Thanks,
                        Dan

                        G 1 Reply Last reply Reply Quote 0
                        • G Offline
                          guyk @Dan_Woolf
                          last edited by

                          @Dan_Woolf I can confirm that it works when we use an admin user access key. Thanks! It's a workaround, I suppose, but it's of course not optimal to give proget such wide permissions to the registry. Scope mapped tokens will be supported in a future version of proget, I hope? 🙏

                          stevedennisS 1 Reply Last reply Reply Quote 0
                          • stevedennisS Offline
                            stevedennis inedo-engineer @guyk
                            last edited by

                            @guyk thanks for letting us know; unfortunately this would require a substantial change to the way we handle authentication on connectors; if we see more of this down the line we'll definitely consider it further :)

                            1 Reply Last reply Reply Quote 0

                            Hello! It looks like you're interested in this conversation, but you don't have an account yet.

                            Getting fed up of having to scroll through the same posts each visit? When you register for an account, you'll always come back to exactly where you were before, and choose to be notified of new replies (either via email, or push notification). You'll also be able to save bookmarks and upvote posts to show your appreciation to other community members.

                            With your input, this post could be even better 💗

                            Register Login
                            • 1
                            • 2
                            • 1 / 2
                            • First post
                              Last post
                            Inedo Website Home • Support Home • Code of Conduct • Forums Guide • Documentation