Welcome to the Inedo Forums! Check out the Forums Guide for help getting started.
If you are experiencing any issues with the forum software, please visit the Contact Form on our website and let us know!
Proget: docker login returns unauthorized
-
Hi there
I've just run a fresh install of proget and I'm having real problems with "docker login". I've tried a whole load of configurations with both Proget 5.0.4 and Proget 4.8.8 but nothing works. Here are steps to replicate with a fresh install of Proget 5.0.4 (running in Docker) without any permissions or accounts being played with:
- Activate Proget
- Create a new container feed.
- From your terminal run "docker login -u Admin -p Admin host.name.net"
The result is always:
Error response from daemon: login attempt to https://host.name.net/v2/ failed with status: 401 Unauthorized
Browsing to https://host.name.net/v2/ (while logged in via the browser as Admin) returns:
code "UNAUTHORIZED"
message "Anonymous is not permitted to perform the Feeds_ViewFeed task for the current scope."As a temporary work around I've found that I can create an auth token with:
echo -n 'Admin:Admin' | base64
And add that to my local docker instance's config.json, but that only works locally and is no use in CI environments etc.
Many thanks
MattProduct: ProGet
Version: 5.0.4
-
Actually the base64 token creation and editing config.json doesn't work locally either - please ignore that part.
-
Sorry to spam, but further to this, if I deliberately use an incorrect password with docker login I get this message:
Error response from daemon: Get https://myhost.net/v2/: denied: requested access to the resource is denied
If I use the correct password I get:
Error response from daemon: login attempt to https://myhost.net/v2/ failed with status: 401 Unauthorized
So I must have some screwed up permissions somewhere, but as mentioned this is just a vanilla deployment of the proget docker image. I had this working before with no issues (though likely with an earlier version if that could be making the difference).
I have NPM and NuGet feeds running and connecting with no issues on the same instance.
Please help me! :)
Thanks
Matt
-
OK, if I roll back to 4.7.14 the Docker client will login with no issues.
-
Hello Matt,
Is
Web.BaseUrlset tohttps://host.name.netin https://host.name.net/administration/advanced-settings? Is there a reverse proxy between ProGet and the internet that requires authentication, or that might be modifying authentication headers?If you access the
/v2/URL in your browser, there should be a header likeWWW-Authenticate: Bearer realm="https://host.name.net/v2/_auth",service="host.name.net".EDIT: We have updated our Docker documentation to include this information and more information about setting up your Docker client and ProGet server.
-
Hi Ben, thanks for your reply and sorry for the delay in getting back to you.
I just spun up a new docker instance of Proget 5.0.6 and tested again.
Web.BaseUrl was empty, but updating it to contain the full host did not fix docker login.
There is an nginx proxy in front of Proget in my setup. The following proxy settings are in the nginx config:
location / { proxy_pass http://127.0.0.1:5080; proxy_redirect off; proxy_set_header Host $http_host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header X-Forwarded-Protocol $scheme; proxy_set_header X-Url-Scheme https; proxy_set_header X-Forwarded-Host $host:443; proxy_set_header X-Forwarded-Server $host; proxy_set_header X-Forwarded-Ssl on; proxy_set_header X-Forwarded-Port 443; }I can confirm that the WWW-authenticate header is returned and correct when browsing /v2/.
As mentioned above, I have no problems when falling back as far as 4.7.14 so this appears to be a regression?
Many thanks,
Matt
-
There was a regression in v5.0.6 with Docker Registries, but it's been upated now in v5.0.7, and it should work now.
-
Hi, just tested with Proget 5.0.8 and the issue persists.
-
Hello Matt,
What version of Docker do you have installed? As of ProGet 4.8.2, we require Docker 1.11.0 or newer because we use token authentication (PG-1059).
-
Hi everyone,
I'am currently using ProGet v5.0.12 on Windows server 2016 with IIS, and https enable (443) but i'am not able to push a single docker image on my repo.
I have docker v17.12.1-cs installed on an Ubuntu 18.04 LTS, and when i push the image, the download initialized, and then i get the error:
"requested URL /v2/(my-repo)/(my-image)/blobs/uploads/ was not found on this server."Is there any way to redirect into IIS, all the requests for /v2/(my-repo) ? or to specify on docker client the api (or not) to use when pushing ?
Thx
-
Hello Everone,
Having the same issue as Matt.
We are on Proget 5.0.12 (was on 5.0.11) and using Docker Version 18.05.0-ce-win66 (17760) Channel: edge
On Win 2016, IIS with HTTPS binding and explicit host name (e.g. FQDN) is specified. CA cert is used as well.
Perfect Forward Secrecy script was also run on the server with TLSv1.0/1.1/1.2 enabled. Will be removing everything except TLSv1.2 shortly.Using IIS with Integrated Windows Auth and I has been working for some time over multiple version of Proget, however, never tried Docker or /v2/ before. Now that we are looking into private Docker registry, need some help...
Navigating to https://FQDN/v2/ in a browser causes 401 when I provide valid credentials and I do see WWW-Authenticate header:
WWW-Authenticate: Bearer realm="https://FQDN/v2/_auth", service=FQDN, Negotiate, NTLM@Sebastian
Are you using Integrated Authentication? Also, are you saying you have authentication working for you, but cannot push? Could you navigate in your browser to https://yourFQDN/v2/ with trailing slash?Thanks,
Vitalii
-
Oddly, looking into another issue just now I was able to login via Docker but still get 401 when accessing new url (https://FQDN1/v2/) via browser.
I was trying to expose some feeds to Anonymous Users, so went with one of your suggestions here.
Note the URL is different than Integrated Auth URL, https://FQDN/v2/ vs https://FQDN1/v2/ with later being configured with Anonymous Auth and working. Docker still prompts me for credentials and when I enter correct credentials login succeeds, If I provide incorrect creds login fails with unauthorized: authentication required error.
Also, if I use Forms Auth instead of Integrated, then Visual Studio package management will not work. Team City Build Server most likely will have an issue as well (I haven't tried API Key option yet).
At last, we are using LDAP user directory and haven't tried Active Directory (New) option.
Hope this is enough details for you to guide me in the right direction.
Thanks in advance,
Vitalii
-
Hi Vitalii,
About the authentification, i give the right to anonymous to push / publish in the task tab (Administration > Security). I will create a group later, but i wanted to check if it works properly for containers as for NPMs and NuGets packages.
On IIS i use an Auto Signedin certificate without windows authentification.
About the docker push i got these messages:
- the push refers to repository (my-repo)*
- hashes of every layers: Preparing
- error 404: The requested URL /v2/(my-repo)/(my-image)/blobs/uploads was not found on this server
I tries from my browser https://(my-repo)/v2/ and i got the same error message 404
-
Hello,
I'm having the same issue as Matt, i can sucessfully push a docker image to Proget 4.7.14 but not to Proget 5.1.15 (unauthorized error 401).
Here is my setup:- Docker host version 17.05.0-ce
- Proget version 5.1.15
- PostgresSQL 9.5
I'm pushing images from debian vm with docker 18.06.1-ce.
Can you help me ?
-
Hey, weirdly I just revisited this last week. I had the same issues on trying to upgrade but found the fix.
Go to Settings > Advanced Settings and set Web.BaseUrl to your Proget URL e.g https://registry.example.com
Worked for me. Good luck.
Cheers
Matt
-
Actually - setting the WebUrl was advised by Ben above! Not sure what changed between then and now, but it works for me now.
Cheers,
Matt
-
Hello,
Thanks for the tip, unfortunately i still have the same issue.
To make a clarification on my issue; when i use docker login with wrong creds i get "denied: requested access to the resource is denied" and with good creds " failed with status: 401 Unauthorized".
I will try a setup without nginx-proxy in front of Proget container.Regards.
-
Any update on this.
Have the same setup - nginx as a reverse proxy to proget.
And the same issue "401 Unauthorized" when performing docker login.
BaseUrl is configured. If wrong credentials are passed to docker login message changes to "Get https://nuget.my.domain/v2/: denied: requested access to the resource is denied"SSL cert s issued with letsencrypt and valid
Docker version 18.09.1, build 4c52b90
-
Hi,
I still have the same issue on latest builds (tested this week)
Only image inedo/proget:4.7.14 work for me with my setup.Regards.
-
Exact same issue here, running 5.1.23 as a docker image on a Debain 8 host behind nginx as a reverse proxy and for SSL termination using a lets encrypt certificate.
Was working fine before the weekend, was able to push up a docker image, and pull it down on a server, but I came in this morning and am now getting the same authentication issues "Error response from daemon: login attempt to https://host.domain/v2/ failed with status: 401 Unauthorized" using valid credentials and "Error response from daemon: Get https://host.domain/v2/: denied: requested access to the resource is denied" if I use invalid credentials.
-
Here's what I currently have that is working; I'm running ProGet 5.2.0 on Windows with the self-hosted (non-IIS) web server. SSL is using Let's Encrypt; nginx is running on a Linux machine.
server { include /etc/nginx/lubar.me-shared.conf; server_name proget.local.lubar.me; server_name proget.lubar.me; # CSP header removed for brevity; irrelevant to this issue client_max_body_size 0; # disable any limits to avoid HTTP 413 for large image uploads # required to avoid HTTP 411: see Issue #1486 (https://github.com/dotcloud/docker/issues/1486) chunked_transfer_encoding on; location / { if ($lan_ip = 0) { limit_rate_after 200k; limit_rate 50k; } proxy_pass http://proget-upstream; proxy_set_header X-Forwarded-For $remote_addr; proxy_set_header Host $http_host; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection $http_connection; proxy_set_header Accept-Encoding ''; proxy_hide_header X-AspNet-Version; proxy_http_version 1.1; proxy_buffering off; proxy_request_buffering off; proxy_connect_timeout 1m; proxy_read_timeout 1h; proxy_send_timeout 1h; } }It looks like the current issue people are facing might be related to something specific to the Docker version of ProGet. I will investigate this.
-
Ben, I can confirm the issue doesn't seem to be related to nginx as I still get the same errors when trying to connect to the container itself directly.
-
FYI: I'm running the exactly same version of ProGet with the exact same nginx config and it's working fine for me
-
We had the same issue suddenly rear its head out of no where.
We were running ProGet 5.1.22 for a long time with no issues. Then all the sudden we started getting 401 unauthorized responses for
docker loginattempts.The suggested fixes have no effect.
I thought it might be a compatibility issue, and upgraded ProGet to 5.2.23 - no fix.
We're running docker 19.03.2.
-
@ben - Any movement on the potential cause being a Docker version within ProGet?
-
Thanks Matt,
Really hope Proget creates better documentation around setting up Proget with a nginx proxy in front of it (the current documentation is pretty useless). I've wasted an entire evening trying to figure this out. I almost gave up and went back to using Nexus3.
Matts fix where he went to 'Settings > Advanced Settings' and set the 'Web.BaseUrl' to your Proget URL e.g https://registry.example.com worked fro me.
I was able to get it working nicely with this proxy in front of it.
https://github.com/evertramos/docker-compose-letsencrypt-nginx-proxy-companionAlong with Jenkins, and my other dev tooling services.
Regards,
Mark
-
Our (paying) customer hardly ever configures ProGet in this manner, and we aren't exactly Linux experts so writing documentation on seemingly dozens of different ways on how to do this sort of thing is really tough for us.
I'd very much welcome your contribution to our documentation, it's on GitHub (just click "Propose an Edit" at the bottom): https://docs.inedo.com/docs/proget/installation/installation-guide/linux-docker
I want ProGet to be a great community tool, and hope you can help contribute to the Linux installation experience; thanks!
-
@apxltd After re-reading my post I think I was a bit harsh, sorry. Proget really is a great tool and I love what Inedo has done with it up to this point. The documentation is quite good as I've referenced it quite a few times and found it helpful. Just found to be lacking where I had got stuck (and my frustration got the best of me). I shouldn't complain as it's trial option is free with heavy hitting features; Enough to really test it out. I'll make a note to create a page on how to set this up on a Linux box when I have some downtime.
Thanks!
-
@markcodyre_7146 thanks for the note Mark, I appreciate it! Glad it's working well, despite the challenging install - we've got a lot of great container features in the pipeline, so hopefully we'll learn more about Linux in the process ;)
-
@apxltd @ben
Hello, we faced with same problem. Docker can't login to docker repositorydocker login proget.company.comreturn this message
Error response from daemon: login attempt to https://proget.company.com/v2/ failed with status: 401 UnauthorizedProget version 5.2.25 (Build 14) . Running in docker container on Centos 7
BaseURL = https://proget.company.com
Nginx configserver { client_max_body_size 0; listen 443 ssl; server_name proget.company.com; ssl on; chunked_transfer_encoding on; location / { proxy_set_header X-Forwarded-Host $host; proxy_set_header X-Forwarded-Server $host; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Real-IP $remote_addr; proxy_set_header Host $host; proxy_redirect off; proxy_buffering off; proxy_request_buffering off; proxy_connect_timeout 1m; proxy_read_timeout 1h; proxy_send_timeout 1h; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection $http_connection; proxy_pass http://intenal.proget; } }
-
anyone ?
-
Hello; this should get resolved in PG-1676, which is scheduled for the next maintence release.
-
Thank you!
-
@atripp
Unfortunately update didn't help.docker login proget.company.com Username: Admin Password: Error response from daemon: Get https://proget.company.com/v2/: unauthorized: authentication required
-
Guys ?! It's a real blocker.
-
It's really hard to say. This doesn't seem to be impacting others... we can't repro it... and I'm not sure what else it could be.
If you can get us some more very specific details about it, perhaps using some sort of fidler trace, then we can try to investigate further.
-
Seeing the same error after disabling anonymous access
-
@ben Thank you so much I spend a lot of times searching for that. Should it be in proget docker installation documentation (in HTTPS Support section) ? Thank again.
My setup docker client > HAProxy > Proget. Also don't forget to add a HTTP frontend that redirects to HTTPS frontend in HAProxy.
-
Hi @mikhael_3947,
I have updated our Docker documentation to include this information about using a proxy with ProGet. I have also included more information about insecure registries and using self-signed certificates with Docker registries,
Thanks,
Rich
