 

Docker registry mirror not used

Tags:

docker

When I try to pull an image from my local mirror, it works:

$ docker login -u docker -p mypassword nexus3.pleiade.mycomp.fr:5000
$ docker pull nexus3.pleiade.mycomp.fr:5000/hello-world
Using default tag: latest
latest: Pulling from **hello-world**
78445dd45222: Pull complete 
Digest: sha256:c5515758d4c5e1e838e9cd307f6c6a0d620b5e07e6f927b07d05f6d12a1ac8d7
Status: Downloaded newer image for **nexus3.pleiade.mycomp.fr:5000/hello-world:latest**

But then, when I want to use this registry as a mirror, it is just ignored; images are always pulled from the web Docker Hub, not from my local mirror:

$ ps -ef | grep docker
/usr/bin/dockerd -H fd:// --storage-driver=overlay2 --registry-mirror=https://nexus3.pleiade.mycomp.fr:5000

$ docker info
Registry Mirrors:
 https://nexus3.pleiade.mycomp.fr:5000/

$ docker rmi nexus3.pleiade.mycomp.fr:5000/hello-world


$ docker pull hello-world
Using default tag: latest
latest: Pulling from **library/hello-world**
78445dd45222: Pull complete 
Digest: sha256:c5515758d4c5e1e838e9cd307f6c6a0d620b5e07e6f927b07d05f6d12a1ac8d7
Status: Downloaded newer image for **hello-world:latest**

I know for sure it doesn't use my mirror, because when I unset the proxy settings, it cannot reach the hello-world image.

Is it a Docker bug, or am I missing something?

Docker info (short):

Server Version: 1.13.1
Storage Driver: overlay2
(...)
Security Options:
 apparmor
 seccomp
  Profile: default
Kernel Version: 4.8.0-37-generic
Operating System: Ubuntu 16.10
OSType: linux
Architecture: x86_64
CPUs: 2
Total Memory: 15.67 GiB
(...)
Registry Mirrors:
 https://nexus3.pleiade.edf.fr:5000/

UPDATE:

Doing "journalctl -xe", I can see some useful information:

level=error msg="Attempting next endpoint for pull after error: Get https://nexus3.pleiade.mycomp.fr:5000/v2/library/hello-world/manifests/latest: no basic auth credentials"

It looks related to https://github.com/docker/docker/issues/20097, but the workaround is not working: when I replace --registry-mirror=https://nexus3.pleiade.mycomp.fr:5000 with --registry-mirror=https://docker:mypassword@nexus3.pleiade.mycomp.fr:5000, I get exactly the same error.

If it matters, the Nexus is using a self-signed certificate, which has been copied to /etc/docker/certs.d/nexus3.pleiade.mycomp.fr:5000/ca.crt, and this allowed me to log in via "docker login".

Tristan asked Feb 09 '17 17:02
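
The journal line quoted in the question is the only sign that the daemon skipped the mirror and went on to Docker Hub. As an added example (not part of the original post), this Python sketch scans dockerd journal text for those fall-through errors against the hosts listed under Registry Mirrors; the sample log lines, timestamps and function names are constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample of dockerd journal lines; the error text follows the
# format quoted in the question, timestamps and the info line are made up.
SAMPLE_JOURNAL = """\
Feb 09 17:01:10 host dockerd[812]: time="2017-02-09T17:01:10Z" level=info msg="API listen on /var/run/docker.sock"
Feb 09 17:02:31 host dockerd[812]: time="2017-02-09T17:02:31Z" level=error msg="Attempting next endpoint for pull after error: Get https://nexus3.pleiade.mycomp.fr:5000/v2/library/hello-world/manifests/latest: no basic auth credentials"
Feb 09 17:05:02 host dockerd[812]: time="2017-02-09T17:05:02Z" level=error msg="Attempting next endpoint for pull after error: Get https://nexus3.pleiade.mycomp.fr:5000/v2/library/alpine/manifests/3.5: no basic auth credentials"
"""

# Any user:password@ part of the URL is matched but not captured, so
# credentials never end up in the report.
FALLBACK = re.compile(
    r'Attempting next endpoint for pull after error: '
    r'Get https?://(?:[^/@\s]*@)?(?P<host>[^/@\s]+)/v2/(?P<repo>.+?)'
    r'/manifests/(?P<ref>\S+?): (?P<reason>[^"]*)'
)

def mirror_hosts(mirror_urls):
    """Turn the URLs shown under 'Registry Mirrors' into host:port strings."""
    return {urlsplit(u).netloc for u in mirror_urls}

def mirror_fallbacks(journal_text, mirrors):
    """Return (host, repo, ref, reason) for each pull that gave up on a mirror."""
    hits = []
    for line in journal_text.splitlines():
        m = FALLBACK.search(line)
        if m and m["host"] in mirrors:
            hits.append((m["host"], m["repo"], m["ref"], m["reason"].strip()))
    return hits

def summarize(hits):
    """Count failures per (mirror, reason) so a broken mirror stands out."""
    return Counter((host, reason) for host, _, _, reason in hits)

if __name__ == "__main__":
    hosts = mirror_hosts(["https://nexus3.pleiade.mycomp.fr:5000/"])
    hits = mirror_fallbacks(SAMPLE_JOURNAL, hosts)
    for (host, reason), n in summarize(hits).items():
        print(f"{host}: {n} pull(s) bypassed the mirror ({reason})")
```
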




2 Answers

It's a Docker bug: https://github.com/docker/docker/issues/30880

The workaround is to set up an HTTPS reverse proxy that sets a hard-coded authentication header.

Here is an example config from Felipe C.:

In the nginx docker config, add:

proxy_set_header Authorization "Basic a2luZzppc25ha2Vk";

Full example:

server {
    listen *:443 ssl http2;
    server_name docker.domain.blah.net;
    # TLS is enabled by the "ssl" parameter on the listen line; the separate "ssl on;" directive is obsolete
    include ssl/domain.blah.net.conf;
    # allow large uploads of files - refer to nginx documentation
    client_max_body_size 0;
    chunked_transfer_encoding on;
    location / {
        proxy_pass http://127.0.0.1:8083/;
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # Hard-coded registry credentials (base64 of user:password) added to every proxied request
        proxy_set_header Authorization "Basic YWRtaW46YWRtaW4xMjM=";
        #proxy_set_header X-Forwarded-Proto "https";
    }
}

server {
    listen *:80;
    server_name docker.domain.blah.net;
    return 301 https://$server_name$request_uri;
}
Tristan answered Oct 09 '22 03:10
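
The workaround makes nginx attach the registry credential to every request it forwards, so any client that can reach the proxy acts as that account. As an added example (not from the answer or from Felipe C.), this Python check finds server blocks with an injected Basic header and reports whether allow/deny, auth_basic or ssl_verify_client restricts them; the sample config is constructed from the answer's example and the function names are hypothetical.

```python
import base64
import re

# Constructed config modelled on the answer's example (same header value).
SAMPLE_CONF = """
server {
    listen *:443 ssl http2;
    server_name docker.domain.blah.net;
    location / {
        proxy_pass http://127.0.0.1:8083/;
        proxy_set_header Authorization "Basic YWRtaW46YWRtaW4xMjM=";
    }
}
server {
    listen *:80;
    server_name docker.domain.blah.net;
    return 301 https://$server_name$request_uri;
}
"""

AUTH = re.compile(r'proxy_set_header\s+Authorization\s+"Basic\s+([A-Za-z0-9+/=]+)"\s*;')
GUARD = re.compile(r"^\s*(auth_basic\s+(?!off\b)|ssl_verify_client\s+(?!off\b))", re.M)

def server_blocks(conf):
    """Yield each `server { ... }` body by brace matching (braces in strings not handled)."""
    for m in re.finditer(r"\bserver\s*\{", conf):
        depth, i = 1, m.end()
        while depth and i < len(conf):
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        yield conf[m.end():i - 1]

def audit(conf):
    """Report server blocks that inject Basic credentials and what guards them."""
    conf = re.sub(r"#.*", "", conf)  # drop comments so disabled lines are ignored
    findings = []
    for block in server_blocks(conf):
        for token in AUTH.findall(block):
            user = base64.b64decode(token).decode("utf-8", "replace").partition(":")[0]
            findings.append({
                "server_name": re.findall(r"\bserver_name\s+([^;]+);", block),
                "listen": re.findall(r"\blisten\s+([^;]+);", block),
                "user": user,  # the password is deliberately not reported
                "source_restricted": bool(re.search(r"^\s*(allow|deny)\s", block, re.M)),
                "client_auth": bool(GUARD.search(block)),
            })
    return findings

if __name__ == "__main__":
    print(*audit(SAMPLE_CONF), sep="\n")
```

A finding with both `source_restricted` and `client_auth` false means the proxy hands that account to every client that can connect to the listed address.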


Another way is to docker logout from the other servers, and to enable the registry config "Allow anonymous docker pull" (Docker Bearer Token Realm required).

binglong li answered Oct 09 '22 02:10