Setting up authenticated access to a docker repository

Problem: When defining the docker repository via the GUI, there are options to enter SSL Client Cert and SSL Client Key. However, they are not text box entries, but rather appear to be drop-down lists and are empty. How is one supposed to enter the client cert and key?

Expected outcome: Either a populated drop-down list, or a text box to enter the locations.

Foreman and Proxy versions: foreman 2.4.1, katello 4.0.3

Foreman and Proxy plugin versions:

Distribution and version: CentOS 7.9

Other relevant data:

You’ll need to first create Content Credentials to use with the repository.
For a bit more information check out:

https://docs.theforeman.org/2.4/Content_Management_Guide/index-katello.html#Importing_Content-Importing_Custom_SSL_Certificates


Thanks! I will take a look. :slight_smile:


The account on the docker repository is created using the server certificate from our satellite server. In content credentials, I created my-cert with the certificate contents and my-key with the key of the certificate.
I created a product for docker repositories. Within that I created a repository for this particular external docker repository. For SSL Client Cert I used my-cert. For SSL Client Key I used my-key. When I try to sync, I get error:

[SSL] PEM lib (_ssl.c:3533)

I’m not really sure what that means?

Doing a little research seems to indicate that the private key does not match the server certificate. I don’t think that is it. I ran:

openssl rsa -check -noout -in myserver.key
# and got RSA key is ok.  I then ran:
openssl rsa -modulus -noout -in myserver.key | openssl md5
# and received an md5 sum.  I then ran:
openssl x509 -modulus -noout -in myserver.crt | openssl md5
# and got back the same md5 sum.

So, I do not believe it is a mismatch between key and certificate.

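An added example, not part of the original thread and not Foreman or Katello code: the `_ssl.c` in the error text is CPython's `ssl` module, so the same cert/key pair can be checked locally, first for PEM structure and then by loading it. The function names and sample blocks are constructed for illustration, and how Katello's sync backend actually loads the credentials is an assumption. It goes beyond the modulus comparison above by also catching a key pasted into the wrong field, an encrypted key, and a damaged body.

```python
import base64
import re
import ssl

PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.S)

def lint_pem(text, role):
    """Return problems found in PEM text pasted for `role` ('cert' or 'key').
    An empty list means the structure looks sane (not that the DER is valid)."""
    blocks = PEM_BLOCK.findall(text)
    if not blocks:
        return ["no complete BEGIN/END block found"]
    problems = []
    for label, body in blocks:
        is_key = label.endswith("PRIVATE KEY")
        if role == "cert" and label != "CERTIFICATE":
            problems.append(f"unexpected block in cert: {label}")
        if role == "key" and not is_key:
            problems.append(f"unexpected block in key: {label}")
        # An encrypted key cannot be loaded without its passphrase.
        if "ENCRYPTED" in label or "Proc-Type: 4,ENCRYPTED" in body:
            problems.append("private key is encrypted")
            continue
        try:
            base64.b64decode("".join(body.split()), validate=True)
        except ValueError:
            problems.append(f"body of {label} is not valid base64")
    return problems

def try_load(cert_path, key_path):
    """Load the pair with Python's ssl module; return None on success or
    the error text (for example '[SSL] PEM lib ...') on failure."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.load_cert_chain(certfile=cert_path, keyfile=key_path)
    except OSError as exc:  # ssl.SSLError is a subclass of OSError
        return str(exc)
    return None

# Constructed samples: bodies are placeholder base64, not real key material.
GOOD_CERT = ("-----BEGIN CERTIFICATE-----\nTUlJQ2V4YW1wbGU=\n"
             "-----END CERTIFICATE-----\n")
ENC_KEY = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
           "DEK-Info: AES-256-CBC,00\n\nTUlJRXhhbXBsZQ==\n"
           "-----END RSA PRIVATE KEY-----\n")
BAD_BODY = "-----BEGIN CERTIFICATE-----\nnot base64!\n-----END CERTIFICATE-----\n"
```

Run `lint_pem` on the exact text pasted into each content credential, then `try_load("myserver.crt", "myserver.key")` on the files themselves; a non-None result from `try_load` is the local equivalent of the sync error.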

Is there an updated version of foreman-docker-plugin? It says to run foreman-installer --enable-foreman-plugin-docker but that just gives back: ERROR: Unrecognised option '--enable-foreman-plugin-docker'

No, the plugin has been discontinued.

From the page you linked:

NOTE

This plugin has been discontinued. The latest release helps only with its removal. If you’re interested in taking over the maintenance, let us know.

Thanks! I guess I didn’t see that. That puts a big crimp in things. :frowning:

That depends what you’re after. Afaik the foreman-docker plugin was only useful for running containers. If you want to use foreman with katello as a registry, then you shouldn’t really need it.

Well, that is what I am trying to do. We have many racks of servers in a remote location. Our satellite server is in that same location. The docker registry they use is back at the main campus. We believe it would greatly improve performance if our satellite server could host the docker images needed by the servers so that they could all pull over a local network rather than have them all pull across the WAN. The docker registry allows pulling with an account created from a signed server certificate - using docker. I cannot get foreman-katello to even authenticate to it correctly and I can’t seem to find any documentation on how to correctly set up the authentication to a docker registry.

Have you tried setting the CA certificate as well on the repository? Or disabling SSL verification (but using the CA is preferred)?


No, I have not. I’ll give that a shot in the morning. Thanks!