Ensure auth metadata using port 5000 #26

Closed

@vsoch vsoch commented May 18, 2022

For the examples, setting the realm to just localhost means we get a header that has "realm" set to "localhost" when we actually need it to be "localhost:5000" for the authentication flow to work.

Signed-off-by: vsoch <vsoch@users.noreply.github.com>

@sajayantony sajayantony left a comment

Thanks @vsoch

@sajayantony
Contributor

@jdolitsky do you know anything about the CI failures? Doesn't seem related to the change here.

@vsoch
Contributor Author

vsoch commented May 18, 2022

I just ran locally and I don't see an error, so I suspect it's something to do with the version of something that has changed. If we look at the last working one (end of January) https://app.netlify.com/sites/oras-project/deploys/61f486cc0694b4000854e475 we can see the packages being installed, so it happens before that, with the command poetry install -v . The trace also seems to go into poetry. So either we can try pinning that to the working version, or updating pip (which weirdly sometimes works). Let's see what @jdolitsky thinks!

@vsoch
Contributor Author

vsoch commented May 18, 2022

Looks like maybe this python-poetry/poetry#4210 so we could try:

poetry config experimental.new-installer false

@vsoch
Contributor Author

vsoch commented May 18, 2022

And don't merge this yet, I'm not sure it's correct - the endpoint returns 200 but I don't have a token. Let me quickly read up on setting up auth for a registry, I haven't done it this way before.

@vsoch
Contributor Author

vsoch commented May 18, 2022

Yeah it looks like this setup only provides basic (not token) auth - @jdolitsky how did you get the examples here to work?

@vsoch
Contributor Author

vsoch commented May 18, 2022

I'm going to try making my own certs.

@vsoch
Contributor Author

vsoch commented May 18, 2022

Nope, it doesn't like the self-signed ones! I'm not sure what to do here.

Signed-off-by: vsoch <vsoch@users.noreply.github.com>
@sajayantony
Contributor

@vsoch - For token auth how are you running distribution?

@vsoch
Contributor Author

vsoch commented May 18, 2022

@sajayantony exactly as the instructions here specify. It works fine to do basic auth, but when you go through the process to ask for a token, the server returns 401, I then get the Www-Authenticate header, but there is no auth server actually running! I first thought it was just the wrong specification on my part, but I think we are required to deploy a separate server for tokens to work.

@vsoch
Contributor Author

vsoch commented May 18, 2022

Here are my local notes (derived from the docs for oras)

Registry

You should see supported registries, or if you want to deploy a local testing registry (without auth), you can do:

$ docker run -it --rm -p 5000:5000 ghcr.io/oras-project/registry:latest

To test token authentication, you can either set up your own auth server or just use an actual registry. The most we can do here is set up an example that uses basic auth.

# Create an htpasswd file: -c creates it, -B selects bcrypt, -b takes the password from the command line
htpasswd -cB -b auth.htpasswd myuser mypass

The server below will work to login (using "basic" auth), but you won't be able to issue tokens.

# And start the registry with authentication
docker run -it --rm -p 5000:5000 \
    -v "$(pwd)/auth.htpasswd:/etc/docker/registry/auth.htpasswd" \
    -e REGISTRY_AUTH="{htpasswd: {realm: localhost, path: /etc/docker/registry/auth.htpasswd}}" \
    ghcr.io/oras-project/registry:latest
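
What a client can read from the Www-Authenticate header discussed above, as an added example (not part of the original thread or the oras-py code): it tells a Basic challenge, which is all an htpasswd-backed registry issues, from a Bearer challenge whose realm is the token server URL. The header values, host names and function names are constructed for illustration.

```python
import re
from urllib.parse import urlencode

# Constructed sample headers (not captured from the registry in this thread).
BASIC_CHALLENGE = 'Basic realm="localhost"'
BEARER_CHALLENGE = (
    'Bearer realm="https://auth.example.test/token",'
    'service="registry.example.test",scope="repository:demo/app:pull"'
)

# key="quoted value" or key=bare-token, as used in auth challenges.
_PARAM = re.compile(r'(\w+)=(?:"((?:[^"\\]|\\.)*)"|([^\s,]+))')


def parse_challenge(header):
    """Split one WWW-Authenticate value into (scheme, params)."""
    scheme, _, rest = header.strip().partition(" ")
    params = {}
    for key, quoted, bare in _PARAM.findall(rest):
        # Undo backslash escapes inside quoted values.
        value = re.sub(r"\\(.)", r"\1", quoted) if quoted else bare
        params[key.lower()] = value
    return scheme.lower(), params


def next_step(header):
    """Describe what a client must do to answer the challenge."""
    scheme, params = parse_challenge(header)
    if scheme == "basic":
        # htpasswd mode: the realm is only a label and no token is issued;
        # credentials are sent to the registry itself.
        return {"auth": "basic", "token_url": None, "realm": params.get("realm")}
    if scheme == "bearer":
        realm = params.get("realm", "")
        # Token mode: the realm must point at a running token server.
        if not realm.startswith(("http://", "https://")):
            raise ValueError("bearer realm must be a token server URL: %r" % realm)
        query = {k: params[k] for k in ("service", "scope") if k in params}
        url = realm + ("?" + urlencode(query) if query else "")
        return {"auth": "token", "token_url": url, "realm": realm}
    raise ValueError("unsupported scheme %r" % scheme)


if __name__ == "__main__":
    for sample in (BASIC_CHALLENGE, BEARER_CHALLENGE):
        print(next_step(sample))
```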

@vsoch
Contributor Author

vsoch commented May 18, 2022

Huzzah! Worked out of the box with GitHub packages as the remote, so I can use that to develop 🥳

@vsoch
Contributor Author

vsoch commented May 18, 2022

Woot!!

$ oras-py pull -a ghcr.io/pakages/linux-ubuntu22.04-x86_64-gcc-11.2.0-zlib-1.2.11.spack:latest
Successfully pulled /home/vanessa/Desktop/Code/oras-py/oras/main/linux-ubuntu22.04-x86_64-gcc-11.2.0-zlib-1.2.11-dltydx7vkppmgwyigktgabya6q7epz4n.spack.

(sorry excited)

@jdolitsky
Contributor

sry not sure what exactly is going on w/ CI here..

@FeynmanZhou
Member

Upgrading pip could be the solution. Have you tried it before?

@vsoch
Contributor Author

vsoch commented May 27, 2022

That could work, but actually let's close this PR because I don't think the docs should be updated here - the auth server is meant for basic (and not token) auth.

@vsoch vsoch closed this May 27, 2022
@vsoch vsoch mentioned this pull request May 27, 2022
@shizhMSFT shizhMSFT deleted the update-auth-port-local branch April 12, 2023 16:29