How to create a docker proxy repo with gcr.io? - nexus

My settings: https://i.stack.imgur.com/yvyqG.png
logs:
2017-07-18 01:49:01,592+0000 WARN [qtp330844155-323] admin org.sonatype.nexus.repository.docker.internal.V2Handlers - Error: GET /v2/gcr.io/google-containers/addon-resizer/manifests/2.0: 403 - org.sonatype.nexus.repository.docker.internal.V2Exception: Permission denied for "2.0" from request "/v2/gcr.io/google-containers/addon-resizer/manifests/2.0".

Problem solved
The pull address has to be without the origin registry host.
e.g.:
origin:
docker pull gcr.io/google-containers/kubernetes-dashboard-amd64:v1.6.3
with proxy:
docker pull 127.0.0.1:18883/google-containers/kubernetes-dashboard-amd64:v1.6.3
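
The rewrite described above, as an added example that is not part of the original post: these shell functions strip the upstream registry host from an image reference before prefixing the proxy address, and show the manifest path each form makes the client request, which is the path that appears in the 403 log line. The function names are hypothetical; the proxy address and image names are the ones from the post.

```shell
# Added example. The Docker client treats the first path component of a
# reference as a registry host only if it contains '.' or ':' or is "localhost".
strip_registry() {
    ref=$1
    case $ref in
        */*) first=${ref%%/*} ;;
        *)   printf '%s\n' "$ref"; return ;;   # bare name such as nginx:1.25
    esac
    case $first in
        *.*|*:*|localhost) printf '%s\n' "${ref#*/}" ;;
        *)                 printf '%s\n' "$ref" ;;
    esac
}

# proxy_ref PROXY_HOST:PORT UPSTREAM_REF -> reference to pull through the proxy
proxy_ref() {
    printf '%s/%s\n' "$1" "$(strip_registry "$2")"
}

# manifest_path REF -> /v2 path requested from the registry named at the front of REF
manifest_path() {
    rest=$(strip_registry "$1")
    case $rest in
        *@*) name=${rest%%@*}; name=${name%:*}; id=${rest#*@} ;;  # digest reference
        *:*) name=${rest%:*}; id=${rest##*:} ;;                   # tagged reference
        *)   name=$rest; id=latest ;;                             # default tag
    esac
    printf '/v2/%s/manifests/%s\n' "$name" "$id"
}

# Keeping gcr.io in the reference makes it part of the repository name,
# which is the request the proxy rejected with 403:
manifest_path 127.0.0.1:18883/gcr.io/google-containers/addon-resizer:2.0
# Corrected form and the path it requests:
fixed=$(proxy_ref 127.0.0.1:18883 gcr.io/google-containers/addon-resizer:2.0)
echo "$fixed"
manifest_path "$fixed"
```
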

Related

Whitelisting URL for nginx in Binary authorization

I am testing my binary authorization policies and put an exemption entry to allow nginx.
Following are the entries I tried by adding them under Images exempt from policy:
registry.hub.docker.com/library/nginx*
registry.hub.docker.com/library/nginx.latest
docker.io/library/nginx*
but it is failing with the below error:
$ kubectl run httpd-server --image=nginx --restart=Never -l app=httpd-server --port 80
Error from server (VIOLATES_POLICY): admission webhook "imagepolicywebhook.image-policy.k8s.io" denied the request: Image nginx denied by Binary Authorization default admission rule. Denied by always_deny admission rule
If I disable binary authorization and install the nginx package, it shows the following repository is used to pull the image:
image: docker.io/library/nginx:latest
This entry is already there in Images exempt from policy, but the download is still blocked. Any suggestions?

Raspbian / Mercure - bind: permission denied

I'm trying to run Mercure on my Raspbian.
First :
I tried with mercure-legacy_0.13.0_Linux_armv6.tar.gz using the following command to run mercure
JWT_KEY='example'; ADDR='localhost:3000'; DEMO='1'; ALLOW_ANONYMOUS='1'; CORS_ALLOWED_ORIGINS='*'; PUBLISH_ALLOWED_ORIGINS='*'; PUBLISHER_JWT_KEY='example' ./mercure run
It returns :
"msg":"Unexpected error","error":"listen tcp :80: bind: permission denied"
Second : I tried with mercure_0.13.0_Linux_armv6.tar.gz using the following command to run Mercure
MERCURE_PUBLISHER_JWT_KEY='!ChangeMe!' MERCURE_SUBSCRIBER_JWT_KEY='!ChangeMe!' ./mercure run
Caddy file :
{
    {$GLOBAL_OPTIONS}
}
{
    auto_https off
}
{$SERVER_NAME:localhost}
log
route {
    encode zstd gzip
    mercure {
        # Transport to use (default to Bolt)
        transport_url {$MERCURE_TRANSPORT_URL:bolt://mercure.db}
        # Publisher JWT key
        publisher_jwt {env.MERCURE_PUBLISHER_JWT_KEY} {env.MERCURE_PUBLISHER_JWT_ALG}
        # Subscriber JWT key
        subscriber_jwt {env.MERCURE_SUBSCRIBER_JWT_KEY} {env.MERCURE_SUBSCRIBER_JWT_ALG}
        # Extra directives
        {$MERCURE_EXTRA_DIRECTIVES}
    }
    respond /healthz 200
    respond "Not Found" 404
}
It returns :
run: loading initial config: loading new config: http app module: start: tcp: listening on :443: listen tcp :443: bind: permission denied
Can anyone provide a solution? I intend to host my Symfony project on a web server using apache2 on the same Raspberry.
I don't know this specific application, but your error message:
listen tcp :80: bind: permission denied
could be related to the restriction on ports 80 and 443 (second message): a non-root user cannot use ports lower than 1024 in a standard Linux configuration. Try to use a different port or (if you don't care about security, i.e. a local hobby project) run the app as root.
Keep in mind that you can run Nginx as a reverse proxy, so you can run your app on any high port (like 3000) as a standard user.
It's a rights issue with your user.
Try with sudo, it should work.
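
As an added example (not part of any answer above), these shell functions apply the rule from the first answer to the two error messages in the question: they extract the port from the message and compare it with the kernel's unprivileged-port floor. The function names are illustrative; `/proc/sys/net/ipv4/ip_unprivileged_port_start` is the Linux sysctl read for the floor, and 1024 is assumed when it is absent.

```shell
# Added example; function names are illustrative, not part of Mercure or Caddy.

# Lowest port an unprivileged process may bind. Linux exposes it as a sysctl
# (kernel 4.11+); the default, and the fallback used here, is 1024.
unpriv_port_start() {
    f=/proc/sys/net/ipv4/ip_unprivileged_port_start
    if [ -r "$f" ]; then cat "$f"; else echo 1024; fi
}

# Extract PORT from "listen tcp [HOST]:PORT: bind: permission denied".
bind_error_port() {
    printf '%s\n' "$1" |
        sed -n 's/.*listen tcp [^ ]*:\([0-9][0-9]*\): bind: permission denied.*/\1/p'
}

# explain_bind_error MESSAGE [UID] [START]
# UID and START default to the current user and the running kernel's setting.
explain_bind_error() {
    msg=$1
    uid=${2:-$(id -u)}
    start=${3:-$(unpriv_port_start)}
    port=$(bind_error_port "$msg")
    if [ -z "$port" ]; then
        echo "no bind error found"
        return 1
    fi
    if [ "$uid" -ne 0 ] && [ "$port" -lt "$start" ]; then
        # Fixes that keep the service unprivileged: listen on a port >= START
        # (behind a reverse proxy if needed), or grant the binary only
        # CAP_NET_BIND_SERVICE instead of running it as root.
        echo "port $port is privileged: uid $uid can only bind ports >= $start"
    else
        echo "port $port is not blocked by the privileged-port rule for uid $uid"
    fi
}

# The two messages from the question, evaluated for a constructed uid of 1000:
explain_bind_error '"msg":"Unexpected error","error":"listen tcp :80: bind: permission denied"' 1000 1024
explain_bind_error 'tcp: listening on :443: listen tcp :443: bind: permission denied' 1000 1024
```
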

404 after upgrading artifactory from 6.20 to 7.6.2

I am getting a 404 when accessing https://my-dmain/ui/. If I try to access https://my-dmain/artifactory it redirects to https://my-dmain/ui/ with a 404. No log errors, only one warning:
2020-07-10T08:06:04.535L [tomct] [WARNING] [ ]
[org.apache.catalina.startup.HostConfig]
[org.apache.catalina.startup.HostConfig deployDescriptor] - A docBase
[/opt/jfrog/artifactory/app/artifactory/tomcat/webapps/artifactory.war]
inside the host appBase has been specified, and will be ignored
2020-07-10T08:06:04.540L [tomct] [WARNING] [ ]
[org.apache.catalina.startup.HostConfig]
[org.apache.catalina.startup.HostConfig deployDescriptor] - A docBase
[/opt/jfrog/artifactory/app/artifactory/tomcat/webapps/access.war]
inside the host appBase has been specified, and will be ignored
Just to confirm it, can you try to access the Artifactory using the server IP and port, like HTTP://1.2.3.4:8082? If you are able to access the Artifactory UI using the server IP and Port, I believe you need to tweak the reverse proxy being used.
Your problem is that with Artifactory 7.x the reverse proxy configuration is different. In this KB article you can find a working NGINX configuration.
One easy way to generate such a configuration is to bypass your reverse proxy and go to Artifactory directly. There, in the UI, you will be able to log in, head to HTTP settings, and generate a new Apache or NGINX config.

Jfrog Artifactory tries to list docker tags from remote repos too

I see a ton of logs from JFrog Artifactory for listing docker tags. It tries to list my local docker registry images from remote repos too. Is there any way to disable that? If it finds the tags in the local repo, can it not look in the remote repos?
2019-10-09 15:43:40,319 [http-nio-8081-exec-70] [INFO ] (o.a.a.d.r.v.DockerV2RemoteRepoHandler:266) - Fetching docker tags for 'company/someapp-app' in repo 'bintray-docker-remote'
2019-10-09 15:43:40,504 [http-nio-8081-exec-70] [ERROR] (o.a.a.d.r.v.DockerV2RemoteRepoHandler:283) - Unable to fetch tags from 'https://registry-1.docker.io/v2/company/someapp-app/tags/list?': HTTP/1.1 401 Unauthorized
2019-10-09 15:43:40,463 [http-nio-8081-exec-70] [ERROR] (o.a.a.d.r.v.DockerV2RemoteRepoHandler:283) - Unable to fetch tags from 'https://docker.bintray.io/v2/company/someapp-app/tags/list?': HTTP/1.1 404 Not Found

Installing Artifactory OSS port on FreeBSD jail

I have installed artifactory-5.4.1 on a FreeBSD 11.1 jail. I have localhost and a loopback interface defined, but its IP address is 127.0.0.169. When I install the artifactory package and attempt to start it, it fails to configure because it initially only allows the admin user to connect via 127.0.0.1:
2017-10-20 14:52:04,177 [art-init] [ERROR] (o.a.w.s.ArtifactoryContextConfigListener:97) - Application could not be initialized: HTTP response status 403:{
"errors" : [ {
"code" : "FORBIDDEN",
"message" : "User 'admin' is not allowed to login from remote address: 127.0.0.169"
} ]
}
Where can I modify the artifactory configuration so that admin is allowed to log in from a different IP address before this configuration takes place?
