Sorry for another wall of text
Docker
I'm not sure I understand what logging into Docker would do for me here, but I tried it on my machine and on another machine:
docker login https://registry.myserver.net
I got two different responses on two different machines:
return: Error response from daemon: Get https://registry.myserver.net/v2/: x509: certificate signed by unknown authority
return: Error response from daemon: Get https://registry.myserver.net/v2/: error parsing HTTP 400 response body: invalid character 'I' looking for beginning of value: "Invalid scope"
I found that one can add --insecure-registry, but docker says that there is no such flag.
User:Password api call
Then I tried using a balena CLI generated API key with the name as user:password in the API command, like so:
curl -u something:43DtE5kH0qmpOWDwlS5phg218cyMn23y -vk -X DELETE https://registry.myserver.net/v2/0143e850de5a54e920e299f8673eb257/manifests/sha256:e8d13a27a28be7Gd41f37c1f6dd65ed028c05322243a1b0ba76cfc4a0699b797
Since the API is https://registry.myserver.net/v2/, I was not sure if I also need to put the v2 from the image name, but I tried that also:
curl -u something:43DtE5kH0qmpOWDwlS5phg218cyMn23y -vk -X DELETE https://registry.myserver.net/v2/v2/0143e850de5a54e920e299f8673eb257/manifests/sha256:e8d13a27a28be7Gd41f37c1f6dd65ed028c05322243a1b0ba76cfc4a0699b797
return: { "errors": [ { "code": "UNAUTHORIZED", "message": "authentication required", "detail": [ { "Type": "repository", "Class": "", "Name": "0143e850de5a54e920e299f8673eb257", "Action": "delete" } ] } ] }
header return: Bearer realm="https://api.myserver.net/auth/v1/token",service="registry.myserver.net",scope="repository:0143e850de5a54e920e299f8673eb257:delete",error="insufficient_scope"
Token api call
Then I tried again, generating the token:
balena api-key generate something
return: ixnrIEcyUyuU3To6IShprrJgvTn41nRV
curl -k "https://api.myserver.net/auth/v1/token?service=registry.myserver.net&scope=repository:0143e850de5a54e920e299f8673eb257:pull" -H "Content-Type: application/json" -H "Authorization: Bearer ixnrIEcyUyuU3To6IShprrJgvTn41nRV"
return:eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6IlhKTEg6TzRUTjpRUFZQOkNISVM6UVpWVzpXSVI3OlFBSVg6N01XQzpKVFBDOkhPMko6N01EMzpTTUJRIn0.eyJqdGkiOiJlMDRmZGY3Yy04ZmVmLTRmN2ItYTdhYy01MjlmNjgwNzU3NmIiLCJuYmAiOjE1NzQ2ODc0MjksImFjY2VzcyI6W10sImlhdCI6MTU3NDY4NzQzOSwiZXhwIjoxNTc0NzAxODM5LCJhdWQiOiJyZWdpc3RyeS5pYW11cy5ldSIsImlzcyI6ImFwaS5pYW11cy5ldSIsInN1YiI6InJvb3QifQ.09nS9ZwLaL_bkCwv6N00uIh4SQ2Rmp6GiWpRPQ-qKilk5nQmeR5BR_H3XZEwrVkOsn0CDc886kfUynP5eXkBiw
With this token I:
curl -X DELETE -i -H "Authorization: Bearer eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6IlhKTEg6TzRUTjpRUFZQOkNISVM6UVpWVzpXSVI3OlFBRVg6N01XQzpKVFBDOkhPMko6N01SDzpTTQJRIn0.eyJqdGkiOiI4MmEzYzRmOS03ZDg0LTQ4ZWQtYWYzNC01MzE4ODBmNGI3ZmYiLCJuYmYiOjE1NzQ2NjU5NTAsImFjY2VzcyI6W10sImlhdCI6MTU3NDY2NTk2MCwiZXhwIjoxNTc0NjgwMzYwLCJhdWQiOiJyZWdpc3RyeS5pYW11cy5ldSIsImlzcyI6ImFwaS5pYW11cy5ldSIsInN1YiI6InJvb3QifQ.NvzEeRDC2Ww_1838tNiaCeya5tKork-1bOf8y4sYVuuyFe4-yFl7Zufzv7ibdmObyLj53w77KeE9WYosptMbOA" http://registry.myserver.net/v2/0143e850de5a54e920e299f8673eb257/manifests/sha256:e8d13a27a28be7bd41f37c1f6dd65ed028c05322243a1b0ba76cfc4a0699b797
return: { "errors": [ { "code": "UNAUTHORIZED", "message": "authentication required", "detail": [ { "Type": "repository", "Class": "", "Name": "0143e850de5a54e920e299f8673eb257", "Action": "delete" } ] } ] }
header return: Bearer realm="https://api.myserver.net/auth/v1/token",service="registry.myserver.net",scope="repository:0143e850de5a54e920e299f8673eb257:delete",error="insufficient_scope"
Is it possible the balena cli user does not have the needed permissions to communicate with the registry?
I found in one forum:
Only the system administrators have the privilege to catalog repositories, so you need to request the token with system admin users
Is the user generated when following the https://www.balena.io/open/docs/getting-started/ tutorial an administrator?
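Added example, not part of the original post and not balena's own code: a Python sketch that parses the Bearer challenge header quoted in the post and inspects a token's `access` claim to list the actions the challenge asks for that the token does not grant. The claim layout (`type`, `name`, `actions`) is assumed to follow the Docker registry token specification; the sample tokens are constructed and unsigned, and the helper names are hypothetical.

```python
import base64
import json
import re

# Challenge header as returned by the registry in the post above.
CHALLENGE = ('Bearer realm="https://api.myserver.net/auth/v1/token",'
             'service="registry.myserver.net",'
             'scope="repository:0143e850de5a54e920e299f8673eb257:delete",'
             'error="insufficient_scope"')

def parse_bearer_challenge(header):
    """Split a WWW-Authenticate Bearer challenge into its key="value" parameters."""
    scheme, _, params = header.partition(" ")
    if scheme.lower() != "bearer":
        raise ValueError("not a Bearer challenge")
    return dict(re.findall(r'(\w+)="([^"]*)"', params))

def jwt_claims(token):
    """Decode a JWT payload for inspection only; the signature is NOT verified."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))

def missing_actions(scope, claims):
    """Actions requested by scope (type:name:a,b) that the access claim lacks."""
    rtype, rest = scope.split(":", 1)
    name, actions = rest.rsplit(":", 1)
    granted = set()
    for entry in claims.get("access", []):
        if entry.get("type") == rtype and entry.get("name") == name:
            granted.update(entry.get("actions", []))
    return sorted(set(actions.split(",")) - granted)

def make_sample_token(access):
    """Constructed, unsigned sample token (hypothetical helper for this demo)."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([enc({"typ": "JWT"}), enc({"sub": "root", "access": access}), "sig"])

if __name__ == "__main__":
    scope = parse_bearer_challenge(CHALLENGE)["scope"]
    repo = scope.split(":")[1]
    for access in ([], [{"type": "repository", "name": repo, "actions": ["pull"]}]):
        claims = jwt_claims(make_sample_token(access))
        print(access, "-> missing:", missing_actions(scope, claims))
```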