Docker Registry 2.0 enable CORS - ajax

For a project I need to communicate with a private Docker Registry via AJAX requests, but I get an error because of the "Same Origin Rule" and I should enable CORS.
I managed to start the Docker Remote API with CORS enabled (flag: --api-enable-cors). Is there any equivalent way to do this with a private Registry?
Or is there another way to enable CORS when starting a private Registry?
[EDIT: FYI - Registry and the mentioned Remote API are on different Machines]
To set up the private Registry I followed the steps of the official Documentation:
https://docs.docker.com/registry/deploying/
and I am using the Compose Version, to switch between Registry Version 1.0 and 2.0...
I'm quite a noob in Web implementation, but it is necessary for my project.
Thanks in advance for help & sorry for the bad English :)

No, unfortunately, the v2 registry does not support any CORS options as of this question and answer. The v2 registry is a brand new project written in a completely different language (Go versus v1's Python), and so many of the features available for v1 have not yet been implemented for v2. Actually the flag you used (--api-enable-cors) is a feature currently only available in the docker remote API, and not in the v2 registry.
The way I get around v2's (currently) limited registry API is to use Jason Wilder's Nginx reverse proxy for docker, which uses his homegrown docker-gen utility to proxy for docker containers. Doing this opens up a bunch of "standard" features like authentication, CORS, SSL, etc. Even though right now this feature isn't implemented in the v2 registry, keep in mind that development is moving very quickly. Good luck!
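
A minimal sketch of the reverse-proxy approach described above, added here as an example (it is not from the original answer and is not the configuration that the nginx-proxy/docker-gen template generates). The hostnames, certificate paths, upstream address and the read-only method list are assumptions; the allowed origin is an explicit allowlist rather than `*`, so only the named UI can read registry responses from a browser.

```nginx
# Include from the http {} context (e.g. conf.d/registry.conf).
# All names, paths and addresses below are constructed placeholders.

# Echo the Origin back only when it is on the allowlist; otherwise the
# variable is empty and nginx omits the header entirely.
map $http_origin $cors_origin {
    default                     "";
    "https://ui.example.test"   $http_origin;
}

server {
    listen 443 ssl;
    server_name registry.example.test;
    ssl_certificate     /etc/nginx/certs/registry.crt;
    ssl_certificate_key /etc/nginx/certs/registry.key;

    client_max_body_size 0;      # image layers are large; do not cap body size

    location /v2/ {
        # Answer the CORS preflight at the proxy; never forward it upstream.
        # add_header is not inherited into a block that declares its own,
        # so the origin headers are repeated here.
        if ($request_method = OPTIONS) {
            add_header Access-Control-Allow-Origin  $cors_origin always;
            add_header Access-Control-Allow-Methods "GET, HEAD, OPTIONS" always;
            add_header Access-Control-Allow-Headers "Authorization, Accept" always;
            add_header Access-Control-Max-Age       600 always;
            add_header Vary                         Origin always;
            return 204;
        }

        add_header Access-Control-Allow-Origin   $cors_origin always;
        # Let the browser script read the digest header the v2 API returns.
        add_header Access-Control-Expose-Headers "Docker-Content-Digest" always;
        add_header Vary                          Origin always;

        proxy_pass       http://127.0.0.1:5000;   # assumed registry address
        proxy_set_header Host              $http_host;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```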

Related

Does Google Container Engine SDK/API exist?

I am planning to launch a container cluster from an SDK/API. Presently, I am fine with any language, but I prefer a NodeJS SDK. As far as I have seen, I could not find any Container Engine SDK. Here is the NodeJS SDK for GCP, which does not contain Container Engine. In fact it contains SDKs only for very few GCP services.
I came across OAuth API for container engine but it involves human intervention to launch it. I am looking for service account based authentication for the SDK.
Are there container engine SDKs available?
Update after discussion with Robert Lacok:
This is the code I tried to use for the container APIs with an API key; it does not work. It expects an OAuth 2 token, or some other credentials other than a service account. I tried an API key and it didn't work. I don't know how to use service account authentication with the API.
Here is my source code:
Here is the error:
I see a method for Application Default credentials. But I don't think it will be useful for my use-case. I am trying to create a container cluster from AWS Lambda. So, I can't use application default credentials. Are there any other options?
The API for Google Container Engine is very limited at the moment as all the features are in Alpha status, and because they can change, not many people are incorporating them into the SDKs they are developing.
These are the current available APIs: https://cloud.google.com/sdk/gcloud/reference/container/
And here is the Alpha APIs: https://cloud.google.com/sdk/gcloud/reference/alpha/container/
What you probably want to do is make calls to the REST API and use the client library for OAuth2 authentication.
You can browse the API documentation and see that every method has a short how-to for a number of languages, NODE.JS being one of them. Have a look here for an example on how to create a container cluster.
You also mentioned service account authentication. The preferred way to do this is to use the application default credentials; you can have a little read about them here.
In short, you want to set an environment variable GOOGLE_APPLICATION_CREDENTIALS=/path/to/key.json, which is a key to the service account you generated in the console.
Then the client library will take care of the rest (getting the OAuth tokens and what not).

How to create a Firewall rule for Compute Engine via Google Cloud Client?

I am currently using the Java Google Cloud Client for Compute Engine. I was able to successfully create a Network. Is it possible to programmatically create a new firewall rule (given source, protocol, port, tags, etc.)? It seems this is possible using the gcloud command line, but I'd like to know how to do this via the API. I've looked through all of the documentation but can't seem to find anything related to this. In addition, how can I tie the firewall rule to a specific Network? Thanks!
Sure, see the API reference; at the bottom it has examples for a variety of languages:
https://cloud.google.com/compute/docs/reference/latest/firewalls/insert
Note that if we can do something with gcloud, we can always do it with the REST API (and its language bindings); gcloud is just a command line wrapper for the API. If you add the --log-http flag to the command, it will show you the HTTP details.

Publicly expose local [ASP Web-] API

I'm trying to expose an ASP WebApi to the internet for testing purposes. I thought that this couldn't be too difficult, but here I am, asking for help. I'm a novice when it comes to networking so please be as explicit as possible with instructions.
When I run my API application locally, hitting https://localhost:44316/{api-method} (or http://localhost:49511/{api-method}) executes the API method. How can I configure IIS/my machine/firewall/whatever-I-need-to in order to be able to hit the API at https://<my public IP>:44316/{api-method} (or http://<my public IP>:49511/{api-method})? The ports 44316 and 49511 are defaults, I didn't select them (I'm guessing that's obvious and probably irrelevant).
I'm also working on an Azure VM (this may or may not be relevant) and have added endpoints on ports 44316 and 49511 (both public and private, and not behind load balancing) already.
Additionally, I'm not overly concerned by security (though more knowledge won't go amiss) as I'll tear down anything that I've set up to get this working once I'm done with testing.
You're on the right track. Adding the endpoints in the Azure portal is one step. You'll also need to open them on your Firewall if you have one up. The way to do this depends on what kind of server you're running. Assuming it's a Windows 2012 server, go to the Server menu, check Tools -> Firewall, and add Rules for inbound and outbound on the ports that you want.
One thing to note is that Azure doesn't respond to 'ping' commands in the expected way, so it may not look like your rules are working if you're just using Ping to test. However it will work with your API.
I have a blog post that breaks down the steps to run a multiplayer game using Azure, which shows the Firewall setup. Steps 6 and 10 are the important ones but you've already done 10. http://secondtruth.com/2014/12/how-to-simulate-a-tiny-universe-in-azure/
Here's the Windows 2012 Firewall setup in particular: http://www.rackspace.com/knowledge_center/article/managing-the-windows-server-2012-firewall

Apache 2 - LDAP/eDirectory(Novell) Automatic Login / Authentication

So I've been tasked to develop some enterprise web applications, but our users hate logging in to every site. After our users authenticate to eDirectory, is it possible to provide a Single Sign On feature for them? I know it's possible to do with AD, but I was wondering if anyone has actually done it with Novell?
Currently, I'm testing out solutions on WAMP (Apache 2.2). I was looking into mod_auth_sspi but I'm not sure if it will work with Novell.
The typical issue with these setups is how you are going to pass credentials from the browser to the web application. You can set up Kerberos on eDirectory, which should work similarly to Microsoft Active Directory, using GSSAPI, which is vendor independent.
You may need to make some changes to browser settings to make any of these work seamlessly.
However, SSPI is a proprietary variant of GSSAPI with extensions and very Windows-specific data types and, AFAIK, will not work easily with eDirectory or browsers other than IE.
If possible, look into an Access Manager product that will be (at least nearly) seamless. Most will allow any(?) web-based application to utilize SSO in one form or another.
-jim

Spring Security Single Sign On in Windows Environment

I have a feeling I've stumbled into a technical black hole. There have been many questions and not many (recent) answers out there.
Short summary:
I have a Windows environment operating with a domain controller and Active Directory implementation (soon to be operating with Quest's Authentication Services). I have a series of Spring-based web applications I want to deploy to this environment and we need them to operate seamlessly with Single Sign-On using the domain credentials.
It looked like the answer was this:
http://blog.springsource.org/2009/09/28/spring-security-kerberos/
I was informed by some of the local AD admins that ktpass, though, was an unsafe (principals and keys stored in plain-text file) and outdated solution. Given the blog linked above is 3 years old, it was tough to argue.
Then I came across this:
http://forum.springsource.org/showthread.php?134465-JDK-7-0-and-Spnego-Extension-don-t-work!
Posted just a week or so ago, it looks like recent efforts to integrate SPNEGO extensions have shown that it's incompatible with JDK 7 and no longer supported!
It seems like this would be a common thing for people to want to do. I'm surprised that with a framework as widespread as Spring that there's not a simple way to achieve this. Is there another approach I haven't found in the documentation?
Thanks for any insights or suggestions.
Check out WAFFLE.
WAFFLE is a native Windows Authentication Framework consisting of two
C# and Java libraries that perform functions related to Windows
authentication, supporting Negotiate, NTLM and Kerberos. Waffle also
includes libraries that enable drop-in Windows Single Sign On for
popular Java web servers, when running on Windows.
It has a tutorial for using it with Spring Security.
