Using private registry hosted on docker

I'm hosting my own docker-registry in a docker container. It's fronted by nginx running in a separate container to add basic auth. Checking the _ping routes I can see that nginx is routing appropriately. When calling docker login from boot2docker (on Mac OSX) I get this error:

FATA[0003] Error response from daemon: Invalid registry endpoint https://www.example.com:8080/v1/: Get https://www.example.com:8080/v1/_ping: x509: certificate signed by unknown authority. If this private registry supports only HTTP or HTTPS with an unknown CA certificate, please add --insecure-registry www.example.com:8080 to the daemon's arguments. In the case of HTTPS, if you have access to the registry's CA certificate, no need for the flag; simply place the CA certificate at /etc/docker/certs.d/www.example.com:8080/ca.crt

Which is odd - because it's a valid CA SSL cert. I've tried adding --insecure-registry in EXTRA_ARGS as per these instructions: https://github.com/boot2docker/boot2docker#insecure-registry but initially the 'profile' file doesn't exist. If I create it, and add

EXTRA_ARGS="--insecure-registry www.example.com:8080"

I see no improvement. I wanted to isolate the example and so tried docker login from an ubuntu VM (not boot2docker). Now I get a different error:

Error response from daemon: 

The docker registry is run directly from the public hub, e.g.

docker run -d -p 5000:5000 registry

(Note that nginx routes from 8080 to 5000). Any help and/or resources to help debug this would be much appreciated.

UPDATE

I was looking for a guide to help comprehensively solve this problem. Specifically:

  • Create a private registry
  • Secure the registry with basic Auth
  • Use the registry from boot2docker

I have created the registry and tested locally, it works. I have secured the registry with nginx adding basic auth.

The trouble is now actually using the registry from two types of client:

1) Non boot2docker client. One of the answers below helped with this. I added --insecure-registry flag to options in /etc/default/docker and now I can talk to my remote docker registry. However, this isn't compatible with auth as docker login gets an error:

2015/01/15 21:33:57 HTTP code 401, Docker will not send auth headers over HTTP.

So, if I want to use auth I'll need to use HTTPS. I already have this server serving over HTTPS but that doesn't work if I set --insecure-registry. There appears to be a certificate trust issue, which I'm confident I can solve on non-boot2docker but..

2) For a boot2docker client, I can't get --insecure-registry to work or certificates to be trusted?

UPDATE 2

Following this stack exchange question I managed to add the CA to my Ubuntu VM and I can now use it from a non-boot2docker client. However, there is still a lot of odd behavior.

Even though my current user is a member of the docker group (so I don't have to use sudo) I now have to use sudo or I get the following error when trying to login or pull from my private registry

user@ubuntu:~$ docker login example.com:8080
WARNING: open /home/parallels/.dockercfg: permission denied

parallels@ubuntu:~$ docker pull example.com:8080/hw:1
WARNING: open /home/parallels/.dockercfg: permission denied

And when running containers pulled from my private registry for the first time, I have to specify them by image ID - not their name.

ConfusedNoob asked Jan 06 '15 06:01


3 Answers

Edit the docker file

sudo vim /etc/default/docker

Add the DOCKER_OPTS

DOCKER_OPTS="$DOCKER_OPTS --insecure-registry=www.example.com:8080"

Restarting the docker service

sudo service docker restart

anish answered Oct 19 '22 04:10


Run the following command:

boot2docker ssh "echo $'EXTRA_ARGS=\"--insecure-registry <YOUR INSECURE HOST>\"' | sudo tee -a /var/lib/boot2docker/profile && sudo /etc/init.d/docker restart"

JaTo answered Oct 19 '22 02:10


Docker version > 1.3.1 communicates over HTTPS by default when connecting to a docker registry.

If you are using Nginx to proxy_pass to port 5000 where the docker registry is listening, you will need to terminate the docker client's SSL connection to the docker registry at the webserver/LB (Nginx in this case). To verify that Nginx is terminating the SSL connection correctly, use cURL on https://www.example.com:8081/something, where 8081 is another port set up for testing the SSL cert.

If you don't care if your docker client connects to the registry over HTTP and not HTTPS, add

OPTIONS="--insecure-registry www.example.com:8080"

in /etc/sysconfig/docker (or equivalent in other distros) and restart docker service.

Hope it helps.

farshidlk answered Oct 19 '22 02:10
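
An added example, not part of the original thread or of Docker itself: a shell audit that reads the three daemon config files named in the answers, lists every registry exempted with --insecure-registry, and installs a CA at the certs.d path quoted in the daemon's error message so the flag can be dropped. The function names and the root-prefix argument are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: audit a Docker host for registries that were
# exempted from TLS verification, and install a registry CA in certs.d instead.

# Print every registry named by --insecure-registry in one daemon config file.
# Accepts both spellings: "--insecure-registry HOST" and "--insecure-registry=HOST".
list_insecure_registries() {
    [ -r "$1" ] || return 0
    grep -v '^[[:space:]]*#' "$1" | tr -s "\"'= \t" '\n\n\n\n\n' |
        awk 'prev == "--insecure-registry" { print } { prev = $0 }'
}

# Copy a PEM CA certificate to the path named in the daemon's error message:
# /etc/docker/certs.d/<host:port>/ca.crt. The third argument is an assumed
# root prefix so the function can be tried outside the real filesystem.
install_registry_ca() {
    ca_file=$1; registry=$2; prefix=${3:-}
    grep -q -e '-----BEGIN CERTIFICATE-----' "$ca_file" || {
        echo "not a PEM certificate: $ca_file" >&2; return 1; }
    mkdir -p "$prefix/etc/docker/certs.d/$registry" &&
        cp "$ca_file" "$prefix/etc/docker/certs.d/$registry/ca.crt"
}

# Check the three config files mentioned in the answers; return 1 if any
# registry is still exempted from certificate verification.
audit_docker_tls() {
    root=${1:-}; found=0
    for cfg in /etc/default/docker /etc/sysconfig/docker /var/lib/boot2docker/profile; do
        for reg in $(list_insecure_registries "$root$cfg"); do
            found=1
            if [ -f "$root/etc/docker/certs.d/$reg/ca.crt" ]; then
                echo "$cfg: $reg has ca.crt installed, --insecure-registry can be removed"
            else
                echo "$cfg: $reg is not verified and has no ca.crt"
            fi
        done
    done
    return "$found"
}

# Constructed demo: a scratch root holding the DOCKER_OPTS line from the first answer.
demo=$(mktemp -d)
mkdir -p "$demo/etc/default"
echo 'DOCKER_OPTS="$DOCKER_OPTS --insecure-registry=www.example.com:8080"' > "$demo/etc/default/docker"
audit_docker_tls "$demo" || echo "audit: TLS verification is disabled for the registries above"
rm -rf "$demo"
```

Run `audit_docker_tls` with no argument to check the real files on a host; a non-zero exit status means at least one registry is still reached without certificate verification.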