use jib-maven-plugin push image to harbor success, also can pull image from harbor, but can not find image in harbor's web ui

[dragontree101]

If you are reporting a problem, please make sure the following information are provided:
1)Version of docker engine and docker-compose.
docker version is 18.06.1-ce
docker-compose version is 1.22.0
harbor verison is 1.6.0-rc2

2)Config files of harbor, you can get them by packaging "harbor.cfg" and files in the same directory, including subdirectory.

## Configuration file of Harbor

#This attribute is for migrator to detect the version of the .cfg file, DO NOT MODIFY!
_version = 1.6.0
#The IP address or hostname to access admin UI and registry service.
#DO NOT use localhost or 127.0.0.1, because Harbor needs to be accessed by external clients.
hostname = hb.cnhnkj.cn

#The protocol for accessing the UI and token/notification service, by default it is http.
#It can be set to https if ssl is enabled on nginx.
ui_url_protocol = http

#Maximum number of job workers in job service
max_job_workers = 10

#Determine whether or not to generate certificate for the registry's token.
#If the value is on, the prepare script creates new root cert and private key
#for generating token to access the registry. If the value is off the default key/cert will be used.
#This flag also controls the creation of the notary signer's cert.
customize_crt = on

#The path of cert and key files for nginx, they are applied only the protocol is set to https
ssl_cert = /data/cert/server.crt
ssl_cert_key = /data/cert/server.key

#The path of secretkey storage
secretkey_path = /data

#Admiral's url, comment this attribute, or set its value to NA when Harbor is standalone
admiral_url = NA

#Log files are rotated log_rotate_count times before being removed. If count is 0, old versions are removed rather than rotated.
log_rotate_count = 50
#Log files are rotated only if they grow bigger than log_rotate_size bytes. If size is followed by k, the size is assumed to be in kilobytes.
#If the M is used, the size is in megabytes, and if G is used, the size is in gigabytes. So size 100, size 100k, size 100M and size 100G
#are all valid.
log_rotate_size = 200M

#Config http proxy for Clair, e.g. http://my.proxy.com:3128
#Clair doesn't need to connect to harbor ui container via http proxy.
http_proxy =
https_proxy =
no_proxy = 127.0.0.1,localhost,ui,registry

#NOTES: The properties between BEGIN INITIAL PROPERTIES and END INITIAL PROPERTIES
#only take effect in the first boot, the subsequent changes of these properties
#should be performed on web ui

#************************BEGIN INITIAL PROPERTIES************************

#Email account settings for sending out password resetting emails.

#Email server uses the given username and password to authenticate on TLS connections to host and act as identity.
#Identity left blank to act as username.
email_identity =

email_server = smtp.cnhnkj.com
email_server_port = 25
email_username = [email protected]
email_password = HnMon4ml
email_from = admin <[email protected]>
email_ssl = false
email_insecure = false

##The initial password of Harbor admin, only works for the first time when Harbor starts.
#It has no effect after the first launch of Harbor.
#Change the admin password from UI after launching Harbor.
harbor_admin_password = hB@_8642

##By default the auth mode is db_auth, i.e. the credentials are stored in a local database.
#Set it to ldap_auth if you want to verify a user's credentials against an LDAP server.
auth_mode = db_auth

#The url for an ldap endpoint.
ldap_url = ldaps://ldap.mydomain.com

#A user's DN who has the permission to search the LDAP/AD server.
#If your LDAP/AD server does not support anonymous search, you should configure this DN and ldap_search_pwd.
#ldap_searchdn = uid=searchuser,ou=people,dc=mydomain,dc=com

#the password of the ldap_searchdn
#ldap_search_pwd = password

#The base DN from which to look up a user in LDAP/AD
ldap_basedn = ou=people,dc=mydomain,dc=com

#Search filter for LDAP/AD, make sure the syntax of the filter is correct.
#ldap_filter = (objectClass=person)

# The attribute used in a search to match a user, it could be uid, cn, email, sAMAccountName or other attributes depending on your LDAP/AD
ldap_uid = uid

#the scope to search for users, 0-LDAP_SCOPE_BASE, 1-LDAP_SCOPE_ONELEVEL, 2-LDAP_SCOPE_SUBTREE
ldap_scope = 2

#Timeout (in seconds)  when connecting to an LDAP Server. The default value (and most reasonable) is 5 seconds.
ldap_timeout = 5

#Verify certificate from LDAP server
ldap_verify_cert = true

#The base dn from which to lookup a group in LDAP/AD
ldap_group_basedn = ou=group,dc=mydomain,dc=com

#filter to search LDAP/AD group
ldap_group_filter = objectclass=group

#The attribute used to name a LDAP/AD group, it could be cn, name
ldap_group_gid = cn

#The scope to search for ldap groups. 0-LDAP_SCOPE_BASE, 1-LDAP_SCOPE_ONELEVEL, 2-LDAP_SCOPE_SUBTREE
ldap_group_scope = 2

#Turn on or off the self-registration feature
self_registration = on

#The expiration time (in minute) of token created by token service, default is 30 minutes
token_expiration = 30

#The flag to control what users have permission to create projects
#The default value "everyone" allows everyone to creates a project.
#Set to "adminonly" so that only admin user can create project.
project_creation_restriction = everyone

#************************END INITIAL PROPERTIES************************

#######Harbor DB configuration section#######

#The address of the Harbor database. Only need to change when using external db.
db_host = postgresql

#The password for the root user of Harbor DB. Change this before any production use.
db_password = root123

#The port of Harbor database host
db_port = 5432

#The user name of Harbor database
db_user = postgres

##### End of Harbor DB configuration#######

##########Redis server configuration.############

#Redis connection address
redis_host = redis

#Redis connection port
redis_port = 6379

#Redis connection password
redis_password =

#Redis connection db index
#db_index 1,2,3 is for registry, jobservice and chartmuseum.
#db_index 0 is for UI, it's unchangeable
redis_db_index = 1,2,3

##########Redis server configuration.############

##########Clair DB configuration############

#Clair DB host address. Only change it when using an exteral DB.
clair_db_host = postgresql
#The password of the Clair's postgres database. Only effective when Harbor is deployed with Clair.
#Please update it before deployment. Subsequent update will cause Clair's API server and Harbor unable to access Clair's database.
clair_db_password = root123
#Clair DB connect port
clair_db_port = 5432
#Clair DB username
clair_db_username = postgres
#Clair default database
clair_db = postgres

#The interval of clair updaters, the unit is hour, set to 0 to disable the updaters.
clair_updaters_interval = 0

##########End of Clair DB configuration############

#The following attributes only need to be set when auth mode is uaa_auth
uaa_endpoint = uaa.mydomain.org
uaa_clientid = id
uaa_clientsecret = secret
uaa_verify_cert = true
uaa_ca_cert = /path/to/ca.pem


### Docker Registry setting ###
#registry_storage_provider can be: filesystem, s3, gcs, azure, etc.
registry_storage_provider_name = filesystem
#registry_storage_provider_config is a comma separated "key: value" pairs, e.g. "key1: value, key2: value2".
#Refer to https://docs.docker.com/registry/configuration/#storage for all available configuration.
registry_storage_provider_config =
#registry_custom_ca_bundle is the path to the custom root ca certificate, which will be injected into the truststore
#of registry's container.  This is usually needed when the user hosts a internal storage with self signed certificate.
registry_custom_ca_bundle =

#If reload_config=true, all settings which present in harbor.cfg take effect after prepare and restart harbor, it overwrites exsiting settings.
#reload_config=true
#Regular expression to match skipped environment variables
#skip_reload_env_pattern=(^EMAIL.*)|(^LDAP.*)

storage:
  filesystem:
    rootdirectory: /data/registry

3)Log files, you can get them by package the /var/log/harbor/ .

[reasonerjt]

@dragontree101
This may be expected because Harbor adds a record to DB so the image can be shown, it's triggered by a webhook, and it filters the user-agent, only the request triggered by docker will be treated as a "push" so the image will be shown on the UI.

[dragontree101]

you means jib push image will not show on harbor ui?

[reasonerjt]

Probably

https://github.com/goharbor/harbor/blob/master/src/ui/service/notifications/registry/handler.go#L162

[dragontree101]

i don't know who would fix this issue, harhor or jib? i also open issue in harbor project.

[dragontree101]

i think harbor should support other docker client, thanks!

[reasonerjt]

@dragontree101
It may introduce side effect, i.e. Harbor can not differentiate a real push from a regular http call by arbitrary http client.

Would you think of a solution and write a proposal for us to evaluate?

[saikirandusari]

Probably

https://github.com/goharbor/harbor/blob/master/src/ui/service/notifications/registry/handler.go#L162

This is now moved to https://github.com/goharbor/harbor/blob/master/src/core/service/notifications/registry/handler.go#L162

[saikirandusari]

Probably
https://github.com/goharbor/harbor/blob/master/src/ui/service/notifications/registry/handler.go#L162

This is now moved to https://github.com/goharbor/harbor/blob/master/src/core/service/notifications/registry/handler.go#L162

Here are the registry logs when pushing image to goharbor registry using skopeo. Here is the http useragent that is used when pushing image

http.request.useragent="Go-http-client/1.1"

Can we please allow to show the images on web UI when pushed to goharbor registry using other docker clients such as skopeo

time="2018-09-19T22:06:30.664474616Z" level=info msg="response completed" go.version=go1.7.3 http.request.contenttype="application/octet-stream" http.request.host=HOST_URL http.request.id=b1e345b6-d1cb-4a00-86cf-6f7301cb90b9 http.request.method=PUT http.request.remoteaddr=REMOTE_IP_ADDR http.request.uri="/v2/xxx/yyyy/blobs/uploads/d0808da1-c9e9-44c2-9ff0-a83c837b7c1a?_state=DWhk79IrbwvmvrrK-LgYxEs0wkAqREdb6bDsi6ZSlAF7Ik5hbWUiOiJlc2NlL2NzdC1zZWFyY2gtc3ZjLXYwMSIsIlVVSUQiOiJkMDgwOGRhMS1jOWU5LTQ0YzItOWZmMC1hODNjODM3YjdjMWEiLCJPZmZzZXQiOjI0MTI2LCJTdGFydGVkQXQiOiIyMDE4LTA5LTE5VDIyOjA2OjMwWiJ9&digest=sha256%3A60d5e9830658ddcc1031afa309aecbe494038cd992c4ec745df9fd38419ae1af" http.request.useragent="Go-http-client/1.1" http.response.duration=103.768951ms http.response.status=201 http.response.written=0 instance.id=84c7c09f-25f3-49cd-9db2-2ca810a4ac54 service=registry version=v2.6.2

100.65.2.253 - - [19/Sep/2018:22:06:30 +0000] "PUT /v2/xxx/yyyy/blobs/uploads/d0808da1-c9e9-44c2-9ff0-a83c837b7c1a?_state=DWhk79IrbwvmvrrK-LgYxEs0wkAqREdb6bDsi6ZSlAF7Ik5hbWUiOiJlc2NlL2NzdC1zZWFyY2gtc3ZjLXYwMSIsIlVVSUQiOiJkMDgwOGRhMS1jOWU5LTQ0YzItOWZmMC1hODNjODM3YjdjMWEiLCJPZmZzZXQiOjI0MTI2LCJTdGFydGVkQXQiOiIyMDE4LTA5LTE5VDIyOjA2OjMwWiJ9&digest=sha256%3A60d5e9830658ddcc1031afa309aecbe494038cd992c4ec745df9fd38419ae1af HTTP/1.1" 201 0 "" "Go-http-client/1.1"

[fassmus]

Same issue here. We build our images on a Kubernetes cluster in which exposing the Docker daemon for image build/push is not an option. I think this is a very common scenario and Harbor should support various different tools. Currently, this does not allow us to use Harbor at all.

[reasonerjt]

@fassmus are you also using jib or some other tools?

[fassmus]

@reasonerjt Yes we are using jib for building images and Skopeo for promoting images.

[floriankoch]

podman is also affected by this

[mtrmac]

Can someone explain why the User-Agent checks exists at all, please?

The code already exists in the very first commit at

harbor/service/notification.go

Line 46 in f859348

if e.Target.MediaType == MEDIA_TYPE_MANIFEST && strings.HasPrefix(e.Request.UserAgent, "docker") {

, so I can’t find any rationale or previous conversations in this GitHub repository.

It would make sense to me if the server changed the behavior of the API (e.g. to apply a specific workaround, or maybe to refuse known-invalid requests completely) depending on User-Agent; but if the request is accepted and performed in the same way for all kinds of clients, it seems reasonable to me that the UI should also behave consistently.

It’s tempting to submit a PR that just removes the check, but I’d like to understand the purpose of the check first.

[fmarot]

Hi all, I do not want to tell false news, and I'm not sure at all but Harbor had a new release today and I feel like this bug is corrected: notification.go file mentionned above has been moved but I found this one that seems to handle the jib user agent: https://github.com/goharbor/harbor/blob/56d57b0093242e1e44d3e0c239e3537b50af71bb/src/core/service/notifications/registry/handler.go
I lost my morning due to this bug so i'll have my system admin install the new version tomorrrow to test it !

What I do not understand is why the need for a limited fixed hardcoded list of 'whitelisted' user-agent...

[avanier]

I can confirm, v1.7.0 does not fix this issue. We're unable to push images with Podman.

[rhatdan]

@reasonerjt Could answer #5729 (comment)
Anyone? We would like to get podman/Buildah to be able to play with harbor, but don't want to say we are using Docker client.