Setup description:
We have two Harbor instances running. The first one is connected to an AD and holds the project ("test-project") which needs to be replicated into the second one. A couple of images in that project have signatures attached to them.
The second Harbor has the first one configured as a registry and uses a service account for authentication. This service account is stored in the AD.
What happens:
A replication of the complete project "test-project" fails. The UI returns the HTTP error message "401 unauthorized". An LDAP error message is visible in the file core.log.
The Harbor can connect to the AD without issues and the user exists.
What is confusing about this: the Harbor is capable of replicating a single image with signatures on it without problems.
Expected behaviour:
The replication of the complete project "test-project" is successful.
Steps to reproduce the problem:
First Harbor:
- Connect the Harbor to an AD and create an account in the AD.
- Create a project and load an image with a signature attached into it.
- Set the user created before as a member of the project with "Guest" rights or higher.
Second Harbor:
- Configure the first Harbor as a connected registry using the account from the AD for authentication.
- Create a project for use as the destination for the replication.
- Configure a replication:
  - Pull based
  - Source registry: the_first_Harbor
  - Source resource filter:
    - Name: your_test_project/**
    - leave the rest as is
  - Destination:
    - Namespace: your_destination_project
    - Flattening: your_choice
- Trigger the replication.
Versions:
Please specify the versions of following systems.
harbor version: 2.12.2
docker engine version: Docker Engine - Community 27.5.0
docker-compose version: Docker Compose version v2.32.3
Additional context:
core.log:
[...]
Jan 24 09:47:26 172.18.0.1 core[1673]: 2025-01-24T08:47:26Z [INFO] [/core/controllers/base.go:159]: Config path: /etc/core/app.conf
Jan 24 09:47:26 172.18.0.1 core[1673]: 2025-01-24T08:47:26Z [INFO] [/core/main.go:145]: initializing cache ...
Jan 24 09:47:26 172.18.0.1 core[1673]: 2025-01-24T08:47:26Z [INFO] [/core/main.go:164]: initializing configurations...
Jan 24 09:47:26 172.18.0.1 core[1673]: 2025-01-24T08:47:26Z [INFO] [/lib/config/systemconfig.go:178]: key path: /etc/core/key
Jan 24 09:47:26 172.18.0.1 core[1673]: 2025-01-24T08:47:26Z [INFO] [/lib/config/config.go:92]: init secret store
Jan 24 09:47:26 172.18.0.1 core[1673]: 2025-01-24T08:47:26Z [INFO] [/core/main.go:166]: configurations initialization completed
Jan 24 09:47:26 172.18.0.1 core[1673]: 2025-01-24T08:47:26Z [INFO] [/common/dao/base.go:67]: Registering database: type-PostgreSQL host-postgresql port-5432 database-registry sslmode-"disable"
Jan 24 09:47:26 172.18.0.1 core[1673]: 2025-01-24T08:47:26Z [INFO] [/lib/metric/server.go:37]: Prometheus metric server running on port 9090
Jan 24 09:47:26 172.18.0.1 core[1673]: 2025-01-24T08:47:26Z [INFO] [/common/dao/base.go:72]: Register database completed
Jan 24 09:47:26 172.18.0.1 core[1673]: 2025-01-24T08:47:26Z [INFO] [/common/dao/pgsql.go:135]: Upgrading schema for pgsql ...
Jan 24 09:47:26 172.18.0.1 core[1673]: 2025-01-24T08:47:26Z [INFO] [/common/dao/pgsql.go:138]: No change in schema, skip.
Jan 24 09:47:26 172.18.0.1 core[1673]: 2025-01-24T08:47:26Z [INFO] [/core/main.go:204]: The database has been migrated successfully
Jan 24 09:47:26 172.18.0.1 core[1673]: 2025-01-24T08:47:26Z [INFO] [/lib/encrypt/encrypt.go:60]: the path of key used by key provider: /etc/core/key
Jan 24 09:47:26 172.18.0.1 core[1673]: 2025-01-24T08:47:26Z [INFO] [/core/main.go:98]: User id: 1 already has its encrypted password.
Jan 24 09:47:26 172.18.0.1 core[1673]: 2025-01-24T08:47:26Z [INFO] [/core/main.go:321]: Registering Trivy scanner
Jan 24 09:47:26 172.18.0.1 core[1673]: 2025-01-24T08:47:26Z [INFO] [/pkg/scan/init.go:64]: Scanner registration already exists: https://trivy-adapter:8443/
Jan 24 09:47:26 172.18.0.1 core[1673]: 2025-01-24T08:47:26Z [INFO] [/core/main.go:343]: Setting Trivy as default scanner
Jan 24 09:47:26 172.18.0.1 core[1673]: 2025-01-24T08:47:26Z [INFO] [/pkg/scan/init.go:79]: Skipped setting Trivy as the default scanner. The default scanner is already set to https://trivy-adapter:8443/
Jan 24 09:47:26 172.18.0.1 core[1673]: 2025-01-24T08:47:26Z [INFO] [/core/main.go:242]: initializing notification...
Jan 24 09:47:26 172.18.0.1 core[1673]: 2025-01-24T08:47:26Z [INFO] [/pkg/notification/notification.go:77]: notification initialization completed
Jan 24 09:47:27 172.18.0.1 core[1673]: 2025-01-24T08:47:27Z [INFO] [/core/main.go:248]: internal TLS enabled, Init TLS ...
Jan 24 09:47:27 172.18.0.1 core[1673]: 2025-01-24T08:47:27Z [INFO] [/core/main.go:252]: load client key: /etc/harbor/ssl/core.key client cert: /etc/harbor/ssl/core.crt
Jan 24 09:47:27 172.18.0.1 core[1673]: 2025-01-24T08:47:27Z [INFO] [/core/main.go:261]: Version: v2.12.2, Git commit: 73072d0d
Jan 24 09:47:27 172.18.0.1 core[1673]: 2025-01-24T08:47:27Z [INFO] [/core/main.go:263]: Fix empty subiss for meta info data.
Jan 24 09:47:27 172.18.0.1 core[1673]: 2025-01-24T08:47:27Z [INFO] [/pkg/oidc/fix.go:37]: Not found any records with empty subiss, good to go.
Jan 24 09:47:27 172.18.0.1 core[1673]: 2025/01/24 08:47:27.126 #033[1;34m[I]#033[0m [server.go:248] https server Running on https://:8443
Jan 24 09:50:17 172.18.0.1 core[1673]: 2025-01-24T08:50:17Z [INFO] [/controller/registry/controller.go:222]: Start regular health check for registries with interval 5m0s
Jan 24 09:52:03 172.18.0.1 core[1673]: 2025-01-24T08:52:03Z [INFO] [/controller/event/handler/internal/project.go:42]: delete project id: 57
Jan 24 09:52:03 172.18.0.1 core[1673]: 2025-01-24T08:52:03Z [INFO] [/controller/event/handler/internal/project.go:42]: delete project id: 56
Jan 24 09:59:00 172.18.0.1 core[1673]: 2025-01-24T08:59:00Z [WARNING] [/core/auth/ldap/ldap.go:74]: ldap search fail: can not bind search dn, error: unable to read LDAP response packet: read tcp 172.18.0.9:37214->10.2.42.45:636: read: connection reset by peer
Jan 24 09:59:00 172.18.0.1 core[1673]: 2025-01-24T08:59:00Z [ERROR] [/server/middleware/security/basic_auth.go:72][client IP="10.220.0.1" requestID="f0a2e431-fc3c-41eb-bbce-941c06e52a84" user agent="Go-http-client/1.1"]: failed to authenticate user:ad_account_name, error:can not bind search dn, error: unable to read LDAP response packet: read tcp 172.18.0.9:37214->10.2.42.45:636: read: connection reset by peer
Jan 24 09:59:01 172.18.0.1 core[1673]: 2025-01-24T08:59:01Z [WARNING] [/core/auth/ldap/ldap.go:74]: ldap search fail: can not bind search dn, error: unable to read LDAP response packet: read tcp 172.18.0.9:38334->10.2.42.45:636: read: connection reset by peer
Jan 24 09:59:01 172.18.0.1 core[1673]: 2025-01-24T08:59:01Z [ERROR] [/server/middleware/security/basic_auth.go:72][client IP="10.220.0.1" requestID="6d46f054-e36b-45c2-a78d-80d897f3e5fc" user agent="Go-http-client/1.1"]: failed to authenticate user:ad_account_name, error:can not bind search dn, error: unable to read LDAP response packet: read tcp 172.18.0.9:38334->10.2.42.45:636: read: connection reset by peer
Jan 24 09:59:03 172.18.0.1 core[1673]: 2025-01-24T08:59:03Z [WARNING] [/core/auth/ldap/ldap.go:74]: ldap search fail: can not bind search dn, error: unable to read LDAP response packet: read tcp 172.18.0.9:42456->10.2.42.45:636: read: connection reset by peer
Jan 24 09:59:03 172.18.0.1 core[1673]: 2025-01-24T08:59:03Z [ERROR] [/server/middleware/security/basic_auth.go:72][client IP="10.220.0.1" requestID="0a76af15-5dc0-49d6-ba69-d5e1cc878137" user agent="Go-http-client/1.1"]: failed to authenticate user:ad_account_name, error:can not bind search dn, error: unable to read LDAP response packet: read tcp 172.18.0.9:42456->10.2.42.45:636: read: connection reset by peer
Jan 24 09:59:05 172.18.0.1 core[1673]: 2025-01-24T08:59:05Z [WARNING] [/core/auth/ldap/ldap.go:74]: ldap search fail: can not bind search dn, error: unable to read LDAP response packet: read tcp 172.18.0.9:44484->10.2.42.45:636: read: connection reset by peer
Jan 24 09:59:05 172.18.0.1 core[1673]: 2025-01-24T08:59:05Z [ERROR] [/server/middleware/security/basic_auth.go:72][client IP="10.220.0.1" requestID="82bf5f3a-a9ca-48cc-b283-51e3e5e2204f" user agent="Go-http-client/1.1"]: failed to authenticate user:ad_account_name, error:can not bind search dn, error: unable to read LDAP response packet: read tcp 172.18.0.9:44484->10.2.42.45:636: read: connection reset by peer
Jan 24 09:59:09 172.18.0.1 core[1673]: 2025-01-24T08:59:09Z [WARNING] [/core/auth/ldap/ldap.go:74]: ldap search fail: can not bind search dn, error: unable to read LDAP response packet: read tcp 172.18.0.9:49030->10.2.42.45:636: read: connection reset by peer
Jan 24 09:59:09 172.18.0.1 core[1673]: 2025-01-24T08:59:09Z [ERROR] [/server/middleware/security/basic_auth.go:72][client IP="10.220.0.1" requestID="a18ff8da-485e-4445-9877-131ecfbce110" user agent="Go-http-client/1.1"]: failed to authenticate user:ad_account_name, error:can not bind search dn, error: unable to read LDAP response packet: read tcp 172.18.0.9:49030->10.2.42.45:636: read: connection reset by peer
Jan 24 09:59:25 172.18.0.1 core[1673]: 2025-01-24T08:59:25Z [WARNING] [/server/v2.0/handler/assembler/report.go:104]: overview is empty, retrieve sbom status from execution
Jan 24 09:59:25 172.18.0.1 core[1673]: message repeated 3 times: [ 2025-01-24T08:59:25Z [WARNING] [/server/v2.0/handler/assembler/report.go:104]: overview is empty, retrieve sbom status from execution]
Jan 24 09:59:26 172.18.0.1 core[1673]: 2025-01-24T08:59:26Z [WARNING] [/server/v2.0/handler/assembler/report.go:104]: overview is empty, retrieve sbom status from execution
Jan 24 09:59:26 172.18.0.1 core[1673]: 2025-01-24T08:59:26Z [WARNING] [/server/v2.0/handler/assembler/report.go:104]: overview is empty, retrieve sbom status from execution
Jan 24 09:59:26 172.18.0.1 core[1673]: message repeated 5 times: [ 2025-01-24T08:59:26Z [WARNING] [/server/v2.0/handler/assembler/report.go:104]: overview is empty, retrieve sbom status from execution]
Jan 24 09:59:45 172.18.0.1 core[1673]: 2025-01-24T08:59:45Z [WARNING] [/server/v2.0/handler/assembler/report.go:104]: overview is empty, retrieve sbom status from execution
Jan 24 09:59:45 172.18.0.1 core[1673]: 2025-01-24T08:59:45Z [WARNING] [/server/v2.0/handler/assembler/report.go:104]: overview is empty, retrieve sbom status from execution
Jan 24 09:59:46 172.18.0.1 core[1673]: 2025-01-24T08:59:46Z [WARNING] [/server/v2.0/handler/assembler/report.go:104]: overview is empty, retrieve sbom status from execution
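The pattern in that excerpt is a ldap.go warning immediately followed by a basic_auth.go failure that quotes the same TCP tuple, which is what a triage script should pair up so the 401s are attributed to the LDAP connection reset rather than to bad credentials. The following is an added example, not code from the issue or the Harbor project; it parses the log format shown above (sample lines copied from the excerpt) and labels each authentication failure by cause:

```python
import re
from collections import Counter

# Constructed sample: four lines taken from the core.log excerpt in the issue,
# two ldap.go warnings each followed by the basic_auth.go failure they caused.
SAMPLE_LOG = """\
Jan 24 09:59:00 172.18.0.1 core[1673]: 2025-01-24T08:59:00Z [WARNING] [/core/auth/ldap/ldap.go:74]: ldap search fail: can not bind search dn, error: unable to read LDAP response packet: read tcp 172.18.0.9:37214->10.2.42.45:636: read: connection reset by peer
Jan 24 09:59:00 172.18.0.1 core[1673]: 2025-01-24T08:59:00Z [ERROR] [/server/middleware/security/basic_auth.go:72][client IP="10.220.0.1" requestID="f0a2e431-fc3c-41eb-bbce-941c06e52a84" user agent="Go-http-client/1.1"]: failed to authenticate user:ad_account_name, error:can not bind search dn, error: unable to read LDAP response packet: read tcp 172.18.0.9:37214->10.2.42.45:636: read: connection reset by peer
Jan 24 09:59:01 172.18.0.1 core[1673]: 2025-01-24T08:59:01Z [WARNING] [/core/auth/ldap/ldap.go:74]: ldap search fail: can not bind search dn, error: unable to read LDAP response packet: read tcp 172.18.0.9:38334->10.2.42.45:636: read: connection reset by peer
Jan 24 09:59:01 172.18.0.1 core[1673]: 2025-01-24T08:59:01Z [ERROR] [/server/middleware/security/basic_auth.go:72][client IP="10.220.0.1" requestID="6d46f054-e36b-45c2-a78d-80d897f3e5fc" user agent="Go-http-client/1.1"]: failed to authenticate user:ad_account_name, error:can not bind search dn, error: unable to read LDAP response packet: read tcp 172.18.0.9:38334->10.2.42.45:636: read: connection reset by peer
"""

# core.log line after the syslog prefix: <ts> [<level>] [<file>:<line>][<ctx>]?: <msg>
LINE_RE = re.compile(
    r"(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) \[(?P<level>\w+)\] "
    r"\[(?P<src>[^\]:]+):\d+\](?P<ctx>\[[^\]]*\])?: (?P<msg>.*)$"
)
CONN_RE = re.compile(r"read tcp (?P<local>[\d.:]+)->(?P<peer>[\d.:]+?): ")  # Go net error tuple
USER_RE = re.compile(r"user:(?P<user>[^,]+),")
RID_RE = re.compile(r'requestID="(?P<rid>[^"]+)"')


def parse_line(line: str):
    """Split one core.log line into fields; None for lines in another format."""
    m = LINE_RE.search(line)
    return m.groupdict() if m else None


def correlate_auth_failures(text: str):
    """One dict per basic_auth ERROR; cause is 'ldap_transport' when a ldap.go
    warning on the same local->peer socket preceded it, else 'other'."""
    ldap_errors = {}  # (local, peer) -> timestamp of the ldap.go warning
    failures = []
    for line in text.splitlines():
        ev = parse_line(line)
        if not ev:
            continue
        conn = CONN_RE.search(ev["msg"])
        key = (conn["local"], conn["peer"]) if conn else None
        if ev["src"].endswith("ldap.go") and key:
            ldap_errors[key] = ev["ts"]
        elif ev["src"].endswith("basic_auth.go") and ev["level"] == "ERROR":
            user, rid = USER_RE.search(ev["msg"]), RID_RE.search(ev["ctx"] or "")
            failures.append({"ts": ev["ts"], "user": user["user"] if user else None,
                             "request_id": rid["rid"] if rid else None,
                             "ldap_peer": conn["peer"] if conn else None,
                             "cause": "ldap_transport" if key in ldap_errors else "other"})
    return failures


def failure_counts(text: str) -> Counter:
    """Failures per (user, cause): a run of ldap_transport for one account points at
    the LDAP connection, not at the account's credentials or project membership."""
    return Counter((f["user"], f["cause"]) for f in correlate_auth_failures(text))
```

Run against a full core.log, a burst of `('ad_account_name', 'ldap_transport')` entries with different request IDs but the same LDAP peer is the signature to look for before treating the 401s as an authorization problem.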
per the error of core.log(user:ad_account_name, error:can not bind search dn), can you confirm that the ad_account_name has the access scope of all the AD users?
Yes, it has. We do not see any issues with users or service accounts authenticating otherwise. Through testing, we already could narrow it down to only being an issue when images with signatures attached to them are involved.