通常,例如,对于 alpine 图像,我们通过以下方式获得授权 token :
curl -i "https://auth.docker.io/token?service=registry.docker.io&scope=repository:library/alpine:pull"
然后我们可以使用它从注册表中获取 list :
curl -i -H "Authorization: Bearer $TOKEN" -H "Accept: application/vnd.docker.distribution.manifest.list.v2+json" https://registry-1.docker.io/v2/library/alpine/manifests/latest
当我们用我们的私有(private)存储库 (ourcompany/ourrepo) 替换 library/alpine 时,获取 token 仍然有效,但是,下载 list 结果:
HTTP/1.1 401 Unauthorized
Content-Type: application/json
Docker-Distribution-Api-Version: registry/2.0
Www-Authenticate: Bearer realm="https://auth.docker.io/token",service="registry.docker.io",scope="repository:ourcompany/ourrepo:pull",error="insufficient_scope"
Date: Tue, 26 May 2020 10:32:56 GMT
Content-Length: 168
Strict-Transport-Security: max-age=31536000
{"errors":[{"code":"UNAUTHORIZED","message":"authentication required","detail":[{"Type":"repository","Class":"","Name":"ourcompany/ourrepo","Action":"pull"}]}]}
如何规避这个 401 错误?
我们需要获得额外的代币吗?另外发送身份验证凭据?做一些完全不同的事情?
最佳答案
您需要使用基本身份验证对/token 的调用进行身份验证 https://docs.docker.com/registry/spec/auth/jwt/#getting-a-bearer-token
然后您会收到一个 Bearer token ,您可以像使用公共(public)存储库一样使用它。/token 端点仅支持基本身份验证。
curl -i -H "Authorization: Basic $BASIC_AUTH" "https://auth.docker.io/token?service=registry.docker.io&scope=repository:myprivaterepo/myprivateimage:pull"
curl -i -H "Authorization: Bearer $TOKEN" -H "Accept: application/vnd.docker.distribution.manifest.list.v2+json" https://registry-1.docker.io/v2/myprivaterepo/myprivateimage/manifests/latest
关于docker - 从 Docker Registry API 下载私有(private)存储库 list ,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/62020235/