I'm hosting my own docker-registry in a docker container. It's fronted by nginx running in a separate container to add basic auth. Checking the _ping routes I can see that nginx is routing appropriately. When calling docker login
from boot2docker (on Mac OSX) I get this error:
FATA[0003] Error response from daemon: Invalid registry endpoint https://www.example.com:8080/v1/: Get https://www.example.com:8080/v1/_ping: x509: certificate signed by unknown authority. If this private registry supports only HTTP or HTTPS with an unknown CA certificate, please add
--insecure-registry www.example.com:8080
to the daemon's arguments. In the case of HTTPS, if you have access to the registry's CA certificate, no need for the flag; simply place the CA certificate at /etc/docker/certs.d/www.example.com:8080/ca.crt
Which is odd - because it's a valid CA SSL cert. I've tried adding --insecure-registry
in EXTRA-ARGS as per these instructions: https://github.com/boot2docker/boot2docker#insecure-registry but initially the 'profile' file doesn't exist it. If I create it, and add
EXTRA_ARGS="--insecure-registry www.example.com:8080"
I see no improvement. I wanted to isolate the example and so tried docker login
from an ubuntu VM (not boot2docker). Now I get a different error:
Error response from daemon:
The docker registry is run directly from the public hub, e.g.
docker run -d -p 5000:5000 registry
(Note that nginx routes from 8080 to 5000). Any help and/or resources to help debug this would be much appreciated.
UPDATE
I was looking to a guide to help comprehensively solve this problem. Specifically:
I have created the registry and tested locally, it works. I have secured the registry with nginx adding basic auth.
The trouble is now actually using the registry from two types of client:
1) Non boot2docker client. One of the answers below helped with this. I added --insecure-registry flag to options in /etc/default/docker and now I can talk to my remote docker registry. However, this isn't compatible with auth as docker login gets an error:
2015/01/15 21:33:57 HTTP code 401, Docker will not send auth headers over HTTP.
So, if I want to use auth I'll need to use HTTPS. I already have this server serving over HTTPS but that doesn't work if I set --insecure-registry. There appears to be a certificate trust issue, which I'm confident I can solve on non-boot2docker but..
2) For a boot2docker client, I can't get --insecure-registry to work or certificates to be trusted?
UPDATE 2
Following this stack exchange question I managed to add the ca to my ubuntu VM and I can now use from non boot2docker client. However, there is still a lot of odd behavior.
Even though my current user is a member of the docker group (so I don't have to use sudo) I now have to use sudo or I get the following error when trying to login or pull from my private registry
user@ubuntu:~$ docker login example.com:8080
WARNING: open /home/parallels/.dockercfg: permission denied
parallels@ubuntu:~$ docker pull example.com:8080/hw:1
WARNING: open /home/parallels/.dockercfg: permission denied
And when running containers pulled from my private registry for the first time, I have to specify them by image ID - not their name.
Edit the docker file
sudo vim /etc/default/docker
Add the DOCKER_OPTS
DOCKER_OPTS="$DOCKER_OPTS --insecure-registry=www.example.com:8080"
Restarting the docker service
sudo service docker restart
Run the following command:
boot2docker ssh "echo $'EXTRA_ARGS=\"--insecure-registry <YOUR INSECURE HOST>\"' | sudo tee -a /var/lib/boot2docker/profile && sudo /etc/init.d/docker restart"
Docker version > 1.3.1 communicates over HTTPS by default when connecting to docker registry
If you are using Nginx to proxy_pass to port 5000 where docker registry is listening you will need to terminate docker client's SSL connection to docker registry at webserver/LB (Nginx in this case). To verify if Nginx is terminating SSL connection well use cURL https://www.example.com:8081/something where 8081 is another port set up for testing SSL cert.
If you don't care if your docker client connects to the registry over HTTP and not HTTPS, add
OPTIONS="--insecure-registry www.example.com:8080"
in /etc/sysconfig/docker (or equivalent in other distros) and restart docker service.
Hope it helps.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With