
How to push docker images through reverse proxy to artifactory

I've an issue pushing my docker image to artifactory [Artifactory Pro Power Pack 3.5.2.1 (rev. 30160)] (which is used as a docker registry).

I have docker version:

$ sudo docker version
Client version: 1.5.0  
Client API version: 1.17  
Go version (client): go1.3.3  
Git commit (client): a8a31ef/1.5.0  
OS/Arch (client): linux/amd64  
Server version: 1.5.0  
Server API version: 1.17  
Go version (server): go1.3.3  
Git commit (server): a8a31ef/1.5.0  

I've followed this link http://www.jfrog.com/confluence/display/RTF/Docker+Repositories and this one, "artifactory as docker registry". I create a docker registry in artifactory called docker-local and enable docker support for it. My artifactory doesn't have an option where I can say docker v1 or v2 like in this document, so I'm assuming it uses docker v1.

Artifactory generated these for me:

<distributionManagement>
    <repository>
        <id>sdpvvrwm812</id>
        <name>sdpvvrwm812-releases</name>
        <url>http://sdpvvrwm812.ib.tor.company.com:8081/artifactory/docker-local</url>
    </repository>
    <snapshotRepository>
        <id>sdpvvrwm812</id>
        <name>sdpvvrwm812-snapshots</name>
        <url>http://sdpvvrwm812.ib.tor.company.com:8081/artifactory/docker-local</url>
    </snapshotRepository>
</distributionManagement>

Though something's not working with these settings.

I installed the reverse proxy nginx and copied these settings into its /etc/nginx/nginx.conf:

http {

##
# Basic Settings
##
[...]

server {
    listen 443;
    server_name sdpvvrwm812.ib.tor.company.com;

    ssl on;
    ssl_certificate /etc/ssl/certs/sdpvvrwm812.ib.tor.company.com.crt;
    ssl_certificate_key /etc/ssl/private/sdpvvrwm812.ib.tor.company.com.key;

    access_log /var/log/nginx/sdpvvrwm812.ib.tor.company.com.access.log;
    error_log /var/log/nginx/sdpvvrwm812.ib.tor.company.com.error.log;

    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Original-URI $request_uri;
    proxy_read_timeout 900;

    client_max_body_size 0; # disable any limits to avoid HTTP 413 for large image uploads

    # required to avoid HTTP 411: see Issue #1486 (https://github.com/docker/docker/issues/1486)
    chunked_transfer_encoding on;

    location /v1 {
        proxy_pass http://sdpvvrwm812.ib.tor.company.com:8081/artifactory/api/docker/docker-local/v1;
    }
}
}

I generated my ssl key as shown at http://www.akadia.com/services/ssh_test_certificate.html and placed it in the 2 directories

/etc/ssl/certs/sdpvvrwm812.ib.tor.company.com.crt;
/etc/ssl/private/sdpvvrwm812.ib.tor.company.com.key;

I'm not sure how to ping the new docker registry, but doing

 sudo docker login -u adrianus -p AT65UTJpXEFBHaXrzrdUdCS -e [email protected] http://sdpvvrwm812.ib.tor.company.com

gives this error:

FATA[0000] Error response from daemon: v1 ping attempt failed with error: Get https://sdpvvrwm812.ib.tor.company.com/v1/_ping: dial tcp 172.25.10.44:443: connection refused. If this private registry supports only HTTP or HTTPS with an unknown CA certificate, please add --insecure-registry sdpvvrwm812.ib.tor.company.com to the daemon's arguments. In the case of HTTPS, if you have access to the registry's CA certificate, no need for the flag; simply place the CA certificate at /etc/docker/certs.d/sdpvvrwm812.ib.tor.company.com/ca.crt

BUT the certificate /etc/docker/certs.d/sdpvvrwm812.ib.tor.company.com/ca.crt exists so what's going on?

sudo curl -k -uadrianus:AP2pKojAeMSpXEFBHaXrzrdUdCS "https://sdpvvrwm812.ib.tor.company.com"

gives this error:

curl: (35) SSL connect error

I do start docker client with:

sudo docker -d --insecure-registry https://sdpvvrwm812.ib.tor.company.com

Could it be that since my docker registry is http://sdpvvrwm812.ib.tor.company.com:8081/artifactory/docker-local and docker and nginx are looking for http://sdpvvrwm812.ib.tor.company.com:8081/artifactory/docker-local/v1?

Any clues how to get docker to push images to artifactory?

Adrian asked Mar 16 '23 06:03


1 Answer

The <distributionManagement/> part is for maven. It's a bit facepalm that Artifactory 3 shows a maven snippet for Docker repos (fixed in Artifactory 4, you're welcome to upgrade), so please disregard it.

Generally with Docker you can't use /artifactory/repoName. It's a Docker limitation: your registry must be hostname:port, without any additional path.

That's exactly why you have to configure the reverse proxy. What you are doing in your nginx config is forwarding all the requests to sdpvvrwm812.ib.tor.company.com:443/v1 to http://sdpvvrwm812.ib.tor.company.com:8081/artifactory/api/docker/docker-local/v1, which is the correct thing to do.

Please note that the location for certificates should be /etc/docker/certs.d/sdpvvrwm812.ib.tor.company.com/, not /etc/ssl/certs/.

JBaruch answered Apr 05 '23 22:04

JBaruch
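
A preflight check for the three points in the answer above, as an added example that is not part of the original answer or of Artifactory's or Docker's tooling: the registry reference must be hostname[:port], /v1 requests map onto the Artifactory API path, and the CA certificate belongs under /etc/docker/certs.d/<registry>/ca.crt. The function names and the CERTS_D override variable are hypothetical.

```shell
#!/bin/sh
# Added example; helper names are hypothetical.
# CERTS_D defaults to the directory named in the daemon's error message.
CERTS_D="${CERTS_D:-/etc/docker/certs.d}"

# Succeeds only for hostname[:port]. A scheme or a path (anything with "/") fails.
registry_ref_ok() {
    case "$1" in ""|*/*|*:) return 1 ;; esac
    host="${1%%:*}"
    port=""
    case "$1" in *:*) port="${1#*:}" ;; esac
    case "$host" in ""|*[!A-Za-z0-9.-]*) return 1 ;; esac
    case "$port" in *[!0-9]*) return 1 ;; esac
    return 0
}

# Prints the file the daemon reads to trust this registry's certificate.
# The directory name is the registry reference itself, port included if given.
ca_cert_path() {
    registry_ref_ok "$1" || return 1
    printf '%s/%s/ca.crt\n' "$CERTS_D" "$1"
}

# Prints the upstream URL a /v1 request should be forwarded to.
# $1 = Artifactory base URL, $2 = repository key, $3 = request path
upstream_url() {
    case "$3" in
        /v1|/v1/*) printf '%s/api/docker/%s%s\n' "${1%/}" "$2" "$3" ;;
        *) return 1 ;;
    esac
}

# Returns 2 for a malformed reference, 1 if the CA file is missing, 0 if present.
preflight() {
    path=$(ca_cert_path "$1") || { echo "bad registry reference: $1"; return 2; }
    [ -r "$path" ] || { echo "missing CA certificate: $path"; return 1; }
    echo "ok: $1 is trusted via $path"
}

# Stand-alone use: sh preflight.sh sdpvvrwm812.ib.tor.company.com
if [ $# -gt 0 ]; then preflight "$1"; fi
```
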