How to set up a docker registry in a k8s cluster?

There is no requirement for a secure registry. I just need to connect to a registry using the http protocol.
The registry must be on a pod and not directly on the VM.
docker has a registry image that is made just for this purpose, but when I'm using it inside a pod, docker fails to communicate with it because it thinks it's a secure registry:
> docker pull 192.168.64.3:31549/repo630444582240256/image1
Using default tag: latest
Error response from daemon: Get https://192.168.64.3:31549/v2/: http: server gave HTTP response to HTTPS client
I came across these solutions, but each of them requires installing prerequisites in the VM or doesn't use a pod to set up a registry:
https://github.com/SeldonIO/k8s-local-docker-registry
https://github.com/alexellis/k8s-tls-registry
https://github.com/ContainerSolutions/trow
> set -x && curl -X GET 192.168.64.3:31549/v2/_catalog
+ curl -X GET 192.168.64.3:31549/v2/_catalog
{"repositories":[]}

I tried this on my local machine: https://github.com/SeldonIO/k8s-local-docker-registry and it works like a charm. (I had to make a few changes to the K8s manifests so they support the latest K8s.)
You can get to the registry using curl -X GET 192.168.64.3:31549/v2/_catalog which means there is no redirect to https.
I believe your docker client config doesn't have explicit Insecure Registry config for 192.168.x.x. You can check with:
$ docker info | grep -i -A5 'Insecure Registries'
Insecure Registries:
10.96.0.0/12
127.0.0.0/8
192.168.64.0/24 <== should have something like this
If not, you can configure your 192.168.0.0/24 as an insecure registry in the daemon.json config:
{
  "insecure-registries" : ["10.96.0.0/12", "127.0.0.0/8", "192.168.64.0/24"]
}

Just came across another path where you can add the insecure registries:
$ vi /var/lib/boot2docker/profile
Add the following:
EXTRA_ARGS='
--label provider=virtualbox
--insecure-registry 127.0.0.0/8
--insecure-registry 192.168.99.0/24
'
Restart the docker daemon:
$ /etc/init.d/docker restart
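As an added example (not code from any of the answers above), a small Python helper that parses the "Insecure Registries:" block of docker info output and checks whether the registry named in an image reference is covered, mirroring Docker's matching rule: an exact host:port entry or an IP literal inside a CIDR entry. The docker info text is constructed, and the hostname-to-IP resolution the daemon also performs for CIDR entries is skipped so it runs offline.

```python
import ipaddress

# Constructed sample of `docker info` output, not captured from any machine on the page.
SAMPLE_DOCKER_INFO = """\
Server Version: 19.03.12
Insecure Registries:
 10.96.0.0/12
 127.0.0.0/8
Live Restore Enabled: false
"""


def parse_insecure_registries(info_text):
    """Collect the indented entries under 'Insecure Registries:' in `docker info` output."""
    entries, in_block = [], False
    for line in info_text.splitlines():
        if line.startswith("Insecure Registries:"):
            in_block = True
        elif in_block and line.startswith(" "):
            entries.append(line.strip())
        elif in_block:
            break
    return entries


def registry_of(image_ref):
    """Return the host[:port] the daemon will contact for an image reference.
    The first path component is a registry only if it contains '.' or ':' or is 'localhost'."""
    first, sep, _ = image_ref.partition("/")
    if sep and ("." in first or ":" in first or first == "localhost"):
        return first
    return "docker.io"  # default registry for names such as 'ubuntu' or 'library/ubuntu'


def is_insecure_registry(image_ref, entries):
    """True if plain HTTP would be used: the registry equals an entry (host:port) exactly,
    or its IP literal lies inside a CIDR entry. Hostname resolution is deliberately skipped."""
    registry = registry_of(image_ref)
    host = registry.rsplit(":", 1)[0] if ":" in registry else registry
    for entry in entries:
        if entry == registry:
            return True
        if "/" in entry:
            try:
                if ipaddress.ip_address(host) in ipaddress.ip_network(entry, strict=False):
                    return True
            except ValueError:  # host is a DNS name, or the entry is not a valid CIDR
                continue
    return False


if __name__ == "__main__":
    found = parse_insecure_registries(SAMPLE_DOCKER_INFO)
    ref = "192.168.64.3:31549/repo630444582240256/image1"
    print(found, is_insecure_registry(ref, found), is_insecure_registry(ref, found + ["192.168.64.0/24"]))
```

The question's pull fails with the two default entries alone and succeeds once a 192.168.64.0/24 entry is present, which is exactly the check the answer suggests.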

Unable to PULL image into minikube from insecure private registry - http: server gave HTTP response to HTTPS client

On Ubuntu 18, I installed Docker (19.03.12) from these instructions
https://docs.docker.com/engine/install/ubuntu/
And then went through these steps
manage docker as non-root user
https://docs.docker.com/engine/install/linux-postinstall/#manage-docker-as-a-non-root-user
start on boot using systemd
https://docs.docker.com/engine/install/linux-postinstall/#configure-docker-to-start-on-boot
and set up a private docker registry using this
docker run -d -p 5000:5000 -e REGISTRY_DELETE_ENABLED=true --restart=always --name registry registry:2
I also added this to the daemon.json file
{ "insecure-registries" : ["my.registrydomain.lan:5000"] }
And restarted the docker daemon
sudo /etc/init.d/docker restart
I checked docker info to make sure the setting for insecure registry was applied and I saw this at the end so it seems ok
Insecure Registries:
my.registrydomain.lan:5000
127.0.0.0/8
On the same machine I start minikube (1.12.3) with this command
minikube start --driver=docker --memory=3000 --insecure-registry=my.registrydomain.lan:5000
So everything is running and fine, and I proceed to apply my deployments using kubectl, except when I get to the pod that needs to pull the container from the local registry I get an ErrImagePull status. Here is part of my deployment:
spec:
  containers:
  - name: my-container
    image: my.registrydomain.lan:5000/name:1.0.0.9
    imagePullPolicy: IfNotPresent
When I describe the pod that failed using
kubectl describe pod mypod-8474577f6f-bpmp2
I see this message
Failed to pull image "my.registrydomain.lan:5000/name:1.0.0.9": rpc
error: code = Unknown desc = Error response from daemon: Get
https://my.registrydomain.lan:5000/v2/: http: server gave HTTP
response to HTTPS client
EDIT: I forgot to mention that I am able to PUSH my images into the registry without any issues from a separate machine over http (the machine is Windows 10 and I set the insecure registry option in the daemon config).
I tried to reproduce your issue with the exact same settings that you provided and this works just fine. The image is being pulled without any problem. I tested this with my debian 9 and a fresh ubuntu installation with these settings:
minikube version: v1.12.3
docker version: v19.03.12
k8s version: v1.18.3
ubuntu version: v18
What I've done that is not described in the question is to place an entry in the minikube container's hosts file:
root#minikube:/# cat /etc/hosts
...
10.128.5.6 my.registrydomain.lan
...
And the tag/push commands:
docker tag 4e2eef94cd6b my.registrydomain.lan:5000/name:1.0.0.9
docker push my.registrydomain.lan:5000/name:1.0.0.9
Here's the describe from the pod:
Normal Pulling 8m19s (x5 over 10m) kubelet, minikube Pulling image "my.registrydomain.lan:5000/name:1.0.0.9"
As suggested in the comments already, you may want to check this github case. It goes through a couple of solutions to your problem:
First is to check your hosts file and update it correctly if you are hosting your repository on another node. The second solution is related to pushing images into the repository, where it turned out for the user that both insecure-registries and the docker push command are case sensitive. The third one is to use systemd to control the docker daemon.
Lastly, if those would not help, I would try to clear all settings, uninstall docker, clear the docker configuration and start again from scratch.

How to access Docker Registry publicly from both sub network and outside world

I have just run a docker registry by:
$ docker run -d --name registry --restart always -p 5961:5000 registry:2.7.1
Now I can push to it by:
$ docker tag ubuntu:v2 localhost:5961/ubuntu:v2
$ docker push localhost:5961/ubuntu:v2
But not from outside. For example, I cannot push to it from another machine on the same network by executing:
$ docker tag ubuntu:v2 192.168.1.122:5961/ubuntu:v2
$ docker push 192.168.1.122:5961/ubuntu:v2
The error is:
The push refers to repository [192.168.1.122:5961/ubuntu]
Get https://192.168.1.122:5961/v2/: http: server gave HTTP response to HTTPS client
Why?
Also I don't know how to pull this image (192.168.1.122:5961/ubuntu:v2) from outside world. For example by:
$ docker pull <public-ip>:5961/ubuntu:v2
Note that I can port forward the port 5961 of the machine 192.168.1.122 to the same port of <public-ip>.
1. Regarding the local network:
Your docker registry is insecure and is using HTTP, not HTTPS. So you need to define an insecure registry for the client daemon, by updating the /etc/docker/daemon.json file like so:
{
  "insecure-registries" : ["192.168.1.122:5961"]
}
See: docs
2. Regarding pulling the image from the outside world:
It should work the way you described it, docker pull <public-ip>:5961/ubuntu:v2 (as long as all clients define the registry as insecure, if it is).
But please DO NOT use an insecure registry open to the outside world, and unless you want everyone in the world to be able to pull your images, add some authentication mechanism in front of your registry service.

Failed to pull image from Docker local insecure registry: http: server gave HTTP response to HTTPS client

When I try to deploy an application in Kubernetes using images from my private Docker registry on the same server (master node), I receive the following error:
Failed to pull image
"0.0.0.0:5000/continuous-delivery-tutorial:5ec98331a69ec5e6f818583d4506d361ff4de89b-2020-02-12-14-37-03":
rpc error: code = Unknown desc = Error response from daemon: Get
https://0.0.0.0:5000/v2/: http: server gave HTTP response to HTTPS
client
When I print docker system info, I can see my registry listed as an insecure registry:
I run my registry with the following command:
docker run -d -p 5000:5000 --restart=always --name registry -v $PWD/docker_reg_certs:/certs -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt -e REGISTRY_HTTP_TLS_KEY=/certs/domain.key registry:2
Thank you for any advice
You need to add your hostname to the list of allowed insecure registries in /etc/docker/daemon.json, for example:
{
  "insecure-registries" : ["your-computer-hostname:5000"]
}
(This file is supposed to contain one JSON object, so if it's not empty, add the insecure-registries property to the existing object instead of creating a new one. Also remember to restart your docker daemon afterwards.)
Also, you should not use 0.0.0.0 as it is not a real address. Use your hostname instead when specifying the image, like your-computer-hostname:5000/continuous-delivery-tutorial:5ec98331a69ec5e6f818583d4506d361ff4de89b-2020-02-12-14-37-03
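As an added example, not code from the answer above, a Python function that merges new entries into an existing daemon.json the way the answer describes: it keeps the other keys of the single top-level object, rejects a file that is not exactly one object, and rejects entries carrying a scheme prefix, since dockerd refuses insecure-registries values that contain "://". The existing file content is constructed.

```python
import json

# Constructed existing /etc/docker/daemon.json content (not taken from the page); it
# already holds another setting and one entry that must survive the merge.
EXISTING_DAEMON_JSON = """{
  "log-driver": "json-file",
  "insecure-registries": ["127.0.0.0/8"]
}
"""


def merge_insecure_registries(current_text, new_entries):
    """Return the daemon.json object with `new_entries` merged into "insecure-registries".

    An empty or whitespace-only file counts as {}. Anything other than a single
    top-level object is rejected, since dockerd expects exactly one (a second object
    makes json.loads raise, which is a ValueError). Entries are host[:port] or CIDR;
    a scheme prefix is rejected because dockerd refuses values containing "://".
    """
    text = current_text.strip()
    config = json.loads(text) if text else {}
    if not isinstance(config, dict):
        raise ValueError("daemon.json must contain a single JSON object")
    existing = config.get("insecure-registries", [])
    if not isinstance(existing, list):
        raise ValueError('"insecure-registries" must be a JSON array')
    merged = list(existing)
    for entry in new_entries:
        if "://" in entry:
            raise ValueError(f"use host[:port] or CIDR without a scheme: {entry}")
        if entry not in merged:  # keep the list free of duplicates
            merged.append(entry)
    config["insecure-registries"] = merged
    return config


def render_daemon_json(config):
    """Serialise the object back to the text to write to /etc/docker/daemon.json."""
    return json.dumps(config, indent=2) + "\n"


if __name__ == "__main__":
    cfg = merge_insecure_registries(EXISTING_DAEMON_JSON, ["your-computer-hostname:5000"])
    print(render_daemon_json(cfg))
```

Write the rendered text back to /etc/docker/daemon.json and restart the daemon, as the answer says, for the change to take effect.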

Docker insecure registry, ubuntu 14.0.4 trusty, request canceled time out awaiting headers

I created a registry using the command below:
docker run -d -p 5000:5000 --restart=always --name registry registry
If I use the command
docker pull localhost:5000/…
everything works,
but if I use
docker pull ipaddress:5000/…
everything fails.
I tried editing the /etc/default/docker file with DOCKER_OPTS, but that made the docker service crash.
I added an /etc/docker/daemon.json file with insecure registry entries, but even then I get the error below on docker pull/push:
request canceled time out awaiting headers
I am stuck here, need help.
I was able to fix the issue; it was due to a missing no_proxy, which, when I added it for my ipaddress, made it start working.
You need to declare the registry as an insecure registry by editing the daemon.json file. By default, when connecting to a registry on localhost there is no need to have TLS certificates configured.
However, when you try to connect to remote registry and it is insecure, you need to add an insecure registry line for the remote registry.

docker notary : tls: oversized record received with length 20527

I receive this error when I try to push and sign image in a private registry. Steps to reproduce:
Deploy registry:
$ docker run -d -p 5000:5000 --restart=always --name registry registry:2
Tag the image:
$ docker tag hello-world localhost:5000/hello-world:latest
Enable content trust:
$ export DOCKER_CONTENT_TRUST=1
Push on registry:
$ docker push localhost:5000/hello-world:latest
=> The push refers to a repository [localhost:5000/hello-world]
a02596fdd012: Pushed
latest: digest: sha256:a18ed77532f6d6781500db650194e0f9396ba5f05f8b50d4046b294ae5f83aa4 size: 524
Signing and pushing trust metadata
tls: oversized record received with length 20527
Your registry is not accepting https connections since it is on http. Forget about DOCKER_CONTENT_TRUST and add your registry as an insecure registry using the --insecure-registry daemon option in your docker daemon config, and then restart docker afterwards.
I resolved this only when I set up the content trust server to point to running notary server.
export DOCKER_CONTENT_TRUST_SERVER=https://localhost:4443
In case you're using a proxy to pull down the images, take a look at the proxy configuration. In particular, make sure the https proxy URL does not contain the "https" string, for example:
Environment="HTTPS_PROXY=https://proxy.url:8080/" => Environment="HTTPS_PROXY=http://proxy.url:8080/"
Also see here for a more complete explanation