When I try to pull an image from my local mirror, it works:
$ docker login -u docker -p mypassword nexus3.pleiade.mycomp.fr:5000
$ docker pull nexus3.pleiade.mycomp.fr:5000/hello-world
Using default tag: latest
latest: Pulling from **hello-world**
78445dd45222: Pull complete
Digest: sha256:c5515758d4c5e1e838e9cd307f6c6a0d620b5e07e6f927b07d05f6d12a1ac8d7
Status: Downloaded newer image for **nexus3.pleiade.mycomp.fr:5000/hello-world:latest**
But then, when I want to use this registry as a mirror, it is just ignored; images are always pulled from the web Docker Hub, not from my local mirror:
$ ps -ef | grep docker
/usr/bin/dockerd -H fd:// --storage-driver=overlay2 --registry-mirror=https://nexus3.pleiade.mycomp.fr:5000
$ docker info
Registry Mirrors:
https://nexus3.pleiade.mycomp.fr:5000/
$ docker rmi nexus3.pleiade.mycomp.fr:5000/hello-world
_
$ docker pull hello-world
Using default tag: latest
latest: Pulling from **library/hello-world**
78445dd45222: Pull complete
Digest: sha256:c5515758d4c5e1e838e9cd307f6c6a0d620b5e07e6f927b07d05f6d12a1ac8d7
Status: Downloaded newer image for **hello-world:latest**
I know for sure it doesn't use my mirror, because when I unset the proxy settings, it cannot reach the hello-world image.
Is it a Docker bug, or am I missing something?
Docker info (short):
Server Version: 1.13.1
Storage Driver: overlay2
(...)
Security Options:
apparmor
seccomp
Profile: default
Kernel Version: 4.8.0-37-generic
Operating System: Ubuntu 16.10
OSType: linux
Architecture: x86_64
CPUs: 2
Total Memory: 15.67 GiB
(...)
Registry Mirrors:
https://nexus3.pleiade.edf.fr:5000/
UPDATE:
Doing "journalctl -xe", I can see some useful information:
level=error msg="Attempting next endpoint for pull after error: Get https://nexus3.pleiade.mycomp.fr:5000/v2/library/hello-world/manifests/latest: no basic auth credentials"
It looks related to https://github.com/docker/docker/issues/20097, but the workaround is not working: when I replace --registry-mirror=https://nexus3.pleiade.mycomp.fr:5000 with --registry-mirror=https://docker:[email protected]:5000
I get exactly the same error.
If it matters, the Nexus is using a self-signed certificate, which has been copied to /etc/docker/certs.d/nexus3.pleiade.mycomp.fr:5000/ca.crt, and this allowed me to log in via "docker login".
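The daemon falls back to Docker Hub without reporting anything to the client, so the journal message quoted above is the only sign that the mirror was skipped. As an added example (not part of the original post and not Docker's own code), this Python function counts such fallbacks per mirror, repository and reason; the function name and the sample lines other than the quoted message are assumptions of the example.

```python
import re
from collections import Counter

# Shape of the dockerd message quoted in the question. Newer Docker builds
# print the URL inside (escaped) quotes, so those are tolerated as well.
FALLBACK = re.compile(
    r'Attempting next endpoint for pull after error: Get (?:\\?")?'
    r'https?://(?P<host>[^/\s]+)/v2/(?P<repo>\S+)/(?:manifests|blobs)/'
    r'(?P<ref>[^\s"\\]+?)(?:\\?")?: (?P<reason>[^"\\]+)'
)

def mirror_fallbacks(lines):
    """Count pulls that skipped a mirror, keyed by (mirror, repository, reason)."""
    hits = Counter()
    for line in lines:
        m = FALLBACK.search(line)
        if m:
            # A mirror URL may carry user:password@; keep only host:port.
            host = m["host"].rsplit("@", 1)[-1]
            hits[(host, m["repo"], m["reason"].strip())] += 1
    return hits

# Constructed journal lines: the first message is the one from the question,
# the second and third are made up for this example.
SAMPLE_LOG = [
    r'dockerd[911]: level=error msg="Attempting next endpoint for pull after error: Get https://nexus3.pleiade.mycomp.fr:5000/v2/library/hello-world/manifests/latest: no basic auth credentials"',
    r'dockerd[911]: level=error msg="Attempting next endpoint for pull after error: Get \"https://docker:xxxxx@nexus3.pleiade.mycomp.fr:5000/v2/library/alpine/manifests/latest\": no basic auth credentials"',
    r'dockerd[911]: level=info msg="API listen on /var/run/docker.sock"',
]

if __name__ == "__main__":
    for (host, repo, reason), n in mirror_fallbacks(SAMPLE_LOG).items():
        print(f"{n}x {repo} bypassed mirror {host}: {reason}")
```

Feeding it the output of journalctl for the Docker unit shows which images were fetched from Docker Hub even though a mirror is configured.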
How does it work? The first time you request an image from your local registry mirror, it pulls the image from the public Docker registry and stores it locally before handing it back to you. On subsequent requests, the local registry mirror is able to serve the image from its own storage.
Docker Hub is Docker's official cloud-based registry for Docker images. As you might expect, since Docker Hub is Docker's official registry, it is the default registry when you install Docker.
Docker Registry: using the docker push command, you can send your Docker image to the registry to be stored. A Docker image is stored within a repository in the Docker registry. Each repository is unique for each user or account.
Docker images are stored inside the Docker directory, /var/lib/docker/.
On subsequent requests, the local Docker registry mirror is able to serve the image from its own storage. The first step in Docker registry mirroring is to pass the ‘registry mirrors’ setting to the Docker daemon, either as a flag during startup or as a key/value pair in the daemon JSON configuration file. There are two forms of pull-through cache registry.
It’s currently not possible to mirror another private registry. Only the central Hub can be mirrored. Note: mirrors of Docker Hub are still subject to Docker’s fair usage policy. Solution: the Registry can be configured as a pull-through cache. In this mode a Registry responds to all normal docker pull requests but stores all content locally.
This page contains information about hosting your own registry using the open source Docker Registry. For information about Docker Hub, which offers a hosted registry with additional features such as teams, organizations, web hooks, automated builds, etc, see Docker Hub.
Distributing Docker Official Images to third parties without a prior agreement can constitute a violation of Docker Terms of Service. Alternatively, if the set of images you are using is well delimited, you can simply pull them manually and push them to a simple, local, private registry.
It's a Docker bug: https://github.com/docker/docker/issues/30880
The workaround is to set up an HTTPS reverse proxy that sets a hard-coded authentication header.
Here is an example config from Felipe C.:
In the nginx docker config, add:
proxy_set_header Authorization "Basic a2luZzppc25ha2Vk";
Full example:
server {
    listen *:443 ssl http2;
    server_name docker.domain.blah.net;
    ssl on;
    include ssl/domain.blah.net.conf;
    # allow large uploads of files - refer to nginx documentation
    client_max_body_size 0;
    chunked_transfer_encoding on;
    location / {
        proxy_pass http://127.0.0.1:8083/;
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # every proxied request reaches the registry with these fixed credentials
        proxy_set_header Authorization "Basic YWRtaW46YWRtaW4xMjM=";
        #proxy_set_header X-Forwarded-Proto "https";
    }
}
server {
    # redirect plain HTTP to the HTTPS server above
    listen *:80;
    server_name docker.domain.blah.net;
    return 301 https://$server_name$request_uri;
}
Another way is to docker logout from the other servers, and enable the registry config "Allow anonymous docker pull" (Docker Bearer Token Realm required).
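Because nginx sets the Authorization header itself, every client that can reach the proxy acts as the injected registry account, and the Base64 value is only an encoding of user:password. As an added example (not from the answer, nginx or Nexus), this Python check finds server blocks that inject a static Basic credential, reports which account it is, and whether the block restricts clients at all; the function names, the brace-counting parser and the list of restricting directives are assumptions of the example.

```python
import base64
import re

INJECTED = re.compile(r'proxy_set_header\s+Authorization\s+"Basic\s+([A-Za-z0-9+/=]+)"')
# Directives that limit who may use the block (addresses, methods, sub-request auth).
RESTRICTION = re.compile(r'^\s*(?:allow|deny|limit_except|auth_request)\b', re.M)
SERVER_NAME = re.compile(r'^\s*server_name\s+([^;]+);', re.M)

def server_blocks(conf):
    """Yield the body of each `server { ... }` block, with comments stripped."""
    conf = re.sub(r'#[^\n]*', '', conf)  # "# allow large uploads" must not count as a rule
    for m in re.finditer(r'\bserver\s*\{', conf):
        depth, i = 1, m.end()
        while depth and i < len(conf):
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        yield conf[m.end():i - 1]

def audit(conf):
    """List server blocks that forward a fixed Basic credential upstream."""
    findings = []
    for block in server_blocks(conf):
        m = INJECTED.search(block)
        if not m:
            continue
        user, _, secret = base64.b64decode(m.group(1)).decode("utf-8", "replace").partition(":")
        name = SERVER_NAME.search(block)
        findings.append({
            "server_name": name.group(1).strip() if name else None,
            "user": user,
            "secret_chars": len(secret),  # report the length only, never the secret
            "clients_restricted": bool(RESTRICTION.search(block)),
        })
    return findings

# Abridged copy of the configuration from the answer above.
SAMPLE_CONF = r'''
server {
    listen *:443 ssl http2;
    server_name docker.domain.blah.net;
    # allow large uploads of files - refer to nginx documentation
    client_max_body_size 0;
    location / {
        proxy_pass http://127.0.0.1:8083/;
        proxy_set_header Authorization "Basic YWRtaW46YWRtaW4xMjM=";
    }
}
'''
```

A finding with clients_restricted set to False is the case to fix first: give the proxy a read-only registry account and limit the block to the Docker hosts that need the mirror.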