从 Docker 注册表 API 下载私有存储库的清单
Download manifest of private repository from Docker Registry API
通常,例如,对于 alpine 图像,我们通过以下方式获得授权令牌:
curl -i "https://auth.docker.io/token?service=registry.docker.io&scope=repository:library/alpine:pull"
然后我们可以使用它从注册表中获取清单:
curl -i -H "Authorization: Bearer $TOKEN" -H "Accept: application/vnd.docker.distribution.manifest.list.v2+json" https://registry-1.docker.io/v2/library/alpine/manifests/latest
当我们用我们的私有存储库 (ourcompany/ourrepo) 替换 library/alpine 时,获取令牌仍然有效,但是,下载清单结果:
HTTP/1.1 401 Unauthorized
Content-Type: application/json
Docker-Distribution-Api-Version: registry/2.0
Www-Authenticate: Bearer realm="https://auth.docker.io/token",service="registry.docker.io",scope="repository:ourcompany/ourrepo:pull",error="insufficient_scope"
Date: Tue, 26 May 2020 10:32:56 GMT
Content-Length: 168
Strict-Transport-Security: max-age=31536000
{"errors":[{"code":"UNAUTHORIZED","message":"authentication required","detail":[{"Type":"repository","Class":"","Name":"ourcompany/ourrepo","Action":"pull"}]}]}
如何避免这个401错误?
我们需要获得额外的代币吗?另外发送身份验证凭据?做一些完全不同的事情?
您需要使用基本身份验证对 /token 的调用进行身份验证
https://docs.docker.com/registry/spec/auth/jwt/#getting-a-bearer-token
然后您会收到一个 Bearer 令牌,您可以像使用 public 存储库一样使用它。 /token 端点仅支持基本身份验证。
curl -i -H "Authorization: Basic $BASIC_AUTH" "https://auth.docker.io/token?service=registry.docker.io&scope=repository:myprivaterepo/myprivateimage:pull"
curl -i -H "Authorization: Bearer $TOKEN" -H "Accept: application/vnd.docker.distribution.manifest.list.v2+json" https://registry-1.docker.io/v2/myprivaterepo/myprivateimage/manifests/latest
通常,例如,对于 alpine 图像,我们通过以下方式获得授权令牌:
curl -i "https://auth.docker.io/token?service=registry.docker.io&scope=repository:library/alpine:pull"
然后我们可以使用它从注册表中获取清单:
curl -i -H "Authorization: Bearer $TOKEN" -H "Accept: application/vnd.docker.distribution.manifest.list.v2+json" https://registry-1.docker.io/v2/library/alpine/manifests/latest
当我们用我们的私有存储库 (ourcompany/ourrepo) 替换 library/alpine 时,获取令牌仍然有效,但是,下载清单结果:
HTTP/1.1 401 Unauthorized
Content-Type: application/json
Docker-Distribution-Api-Version: registry/2.0
Www-Authenticate: Bearer realm="https://auth.docker.io/token",service="registry.docker.io",scope="repository:ourcompany/ourrepo:pull",error="insufficient_scope"
Date: Tue, 26 May 2020 10:32:56 GMT
Content-Length: 168
Strict-Transport-Security: max-age=31536000
{"errors":[{"code":"UNAUTHORIZED","message":"authentication required","detail":[{"Type":"repository","Class":"","Name":"ourcompany/ourrepo","Action":"pull"}]}]}
如何避免这个401错误?
我们需要获得额外的代币吗?另外发送身份验证凭据?做一些完全不同的事情?
您需要使用基本身份验证对 /token 的调用进行身份验证 https://docs.docker.com/registry/spec/auth/jwt/#getting-a-bearer-token
然后您会收到一个 Bearer 令牌,您可以像使用 public 存储库一样使用它。 /token 端点仅支持基本身份验证。
curl -i -H "Authorization: Basic $BASIC_AUTH" "https://auth.docker.io/token?service=registry.docker.io&scope=repository:myprivaterepo/myprivateimage:pull"
curl -i -H "Authorization: Bearer $TOKEN" -H "Accept: application/vnd.docker.distribution.manifest.list.v2+json" https://registry-1.docker.io/v2/myprivaterepo/myprivateimage/manifests/latest