Permissions on Docker repositories

classic Classic list List threaded Threaded
5 messages Options
Reply | Threaded
Open this post in threaded view
|

Permissions on Docker repositories

Reinhard Nägele
Hi,

I'm currently setting up Artifactory Pro and am playing around with Docker support. Different projects which all have their own permissions will host their Docker images in this repo. I found out that it does not suffice to put permissions on the repositories folder hierachy but they are also needed on the .images folder. However, I would basically have to grant full permissions to everyone on this folder. I would expect Artifactory to automatically grant permissions to the underlying image layers based on the image tag.

Are their any improvements in sight or should I file a ticket?

Thanks,
Reinhard
Reply | Threaded
Open this post in threaded view
|

Re: Permissions on Docker repositories

priitliivak
I have encountered exactly the same issue and no RewriteRule magic seems to help here. Did you file a ticket or found any solution to this?

Set of symbols allowed in repository name is very limited and Docker also translates @ sign to tag name separator. Otherwise Apache could be configured in a way to translate urls containing Artifactory repository keys as well. Something like artifactory.smth.com:8443/namespace/repoName@docker-local
Reply | Threaded
Open this post in threaded view
|

Re: Permissions on Docker repositories

markg

One simple approach would be to create multiple docker registries on different ports (use the proxy to assign different ports to different artifactory docker repositories)  this is what we recommend in docker promotion examples. Because of the checksum file store you don't need to worry about wasting disk space on multiple copies of the base images.

-Mark Galpin

On May 30, 2015 9:19 PM, "priitliivak" <[hidden email]> wrote:
I have encountered exactly the same issue and no RewriteRule magic seems to
help here. Did you file a ticket or found any solution to this?

Set of symbols allowed in repository name is very limited and Docker also
translates @ sign to tag name separator. Otherwise Apache could be
configured in a way to translate urls containing Artifactory repository keys
as well. Something like
artifactory.smth.com:8443/namespace/repoName@docker-local



--
View this message in context: http://forums.jfrog.org/Permissions-on-Docker-repositories-tp7580234p7580319.html
Sent from the Artifactory - Users mailing list archive at Nabble.com.

------------------------------------------------------------------------------
_______________________________________________
Artifactory-users mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/artifactory-users

------------------------------------------------------------------------------

_______________________________________________
Artifactory-users mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/artifactory-users
Reply | Threaded
Open this post in threaded view
|

Re: Permissions on Docker repositories

shayy
In reply to this post by priitliivak
That is indeed a problem with the Docker V1 layout.
The good news are that Docker V2 (available from Artifactory 3.7.0) no longer have this problem and manifests are now self contained without a global ".images" shared blobs folder.
If all of your clients uses Docker 1.6 and above, you could migrate your repositories into a V2 layout
and as you can see here you can now give permissions on 3 different levels (the entire repository, the docker repository or for a specific tag).

I hope that helps.

Regards,
Shay

On Fri, May 29, 2015 at 4:13 PM, priitliivak <[hidden email]> wrote:
I have encountered exactly the same issue and no RewriteRule magic seems to
help here. Did you file a ticket or found any solution to this?

Set of symbols allowed in repository name is very limited and Docker also
translates @ sign to tag name separator. Otherwise Apache could be
configured in a way to translate urls containing Artifactory repository keys
as well. Something like
artifactory.smth.com:8443/namespace/repoName@docker-local



--
View this message in context: http://forums.jfrog.org/Permissions-on-Docker-repositories-tp7580234p7580319.html
Sent from the Artifactory - Users mailing list archive at Nabble.com.

------------------------------------------------------------------------------
_______________________________________________
Artifactory-users mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/artifactory-users


------------------------------------------------------------------------------

_______________________________________________
Artifactory-users mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/artifactory-users
Reply | Threaded
Open this post in threaded view
|

Re: Permissions on Docker repositories

priitliivak
We are actually starting to use Artifactory as Docker registry so there is nothing to migrate yet. How do you exactly set these permissions on docker repository level? I just cannot see it.

2015-05-31 11:30 GMT+03:00 shayy [via Artifactory] <[hidden email]>:
That is indeed a problem with the Docker V1 layout.
The good news are that Docker V2 (available from Artifactory 3.7.0) no longer have this problem and manifests are now self contained without a global ".images" shared blobs folder.
If all of your clients uses Docker 1.6 and above, you could migrate your repositories into a V2 layout
and as you can see here you can now give permissions on 3 different levels (the entire repository, the docker repository or for a specific tag).

I hope that helps.

Regards,
Shay

On Fri, May 29, 2015 at 4:13 PM, priitliivak <[hidden email]> wrote:
I have encountered exactly the same issue and no RewriteRule magic seems to
help here. Did you file a ticket or found any solution to this?

Set of symbols allowed in repository name is very limited and Docker also
translates @ sign to tag name separator. Otherwise Apache could be
configured in a way to translate urls containing Artifactory repository keys
as well. Something like
artifactory.smth.com:8443/namespace/repoName@docker-local



--
View this message in context: http://forums.jfrog.org/Permissions-on-Docker-repositories-tp7580234p7580319.html
Sent from the Artifactory - Users mailing list archive at Nabble.com.

------------------------------------------------------------------------------
_______________________________________________
Artifactory-users mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/artifactory-users


------------------------------------------------------------------------------

_______________________________________________
Artifactory-users mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/artifactory-users



If you reply to this email, your message will be added to the discussion below:
http://forums.jfrog.org/Permissions-on-Docker-repositories-tp7580234p7580321.html
To unsubscribe from Permissions on Docker repositories, click here.
NAML



--
Priit Liivak
GSM: +372 55550418