How to access a Docker container from a browser in Windows 10 - docker

I am running Docker on Windows 10 Professional edition. I need to access the container with a browser.
[screenshot of running container]
I tried to access it by typing http://172.17.0.2:9000 and http://localhost:9000
But my browser says:
This site can’t be reached
172.17.0.2 took too long to respond.
Any ideas to resolve this?

Use simpleDockerUI, which is a Chrome extension, and enter your docker daemon IP: https://"docker-machine ip":2376
Before connecting via simpleDockerUI, import the docker certificates
into the Chrome certificates.
Go to the folder where the docker certificates are installed (on my machine it was in C:\Users\"name"\.docker\machine\machines\default),
then do the following steps:
1) $ cat cert.pem ca.pem >> clientcertchain.pem
2) $ openssl pkcs12 -inkey key.pem -in clientcertchain.pem -export -out import.pfx -passout pass:"password"
3) Now go to Google Chrome settings --> manage certificates
4) Under trusted root certification authorities import ca.pem. It will prompt for a password (same as above)
5) Import import.pfx as a personal certificate under the personal certificate tab
(it will ask you to set the password, so set it)
To test the connection, open a new tab in Google Chrome and type https://ip:2376/_ping
You should get an OK response.
Or use the portainer image:
docker run -d -p 9000:9000 portainer/portainer

Your container's web service should bind to host 0.0.0.0 instead of localhost; that way you can access it from your local machine.

Simply go to Settings -> General -> activate Expose daemon:
Expose daemon on tcp://localhost:2375 without TLS: Click this option
to enable legacy clients to connect to the Docker daemon. You must use
this option with caution as exposing the daemon without TLS can result
in remote code execution attacks.
https://docs.docker.com/docker-for-windows/

Related

How to secure docker client connection by default?

I'm using HTTPS to protect the docker daemon socket. I followed all the steps as mentioned here. The environment variables are set as below:
DOCKER_TLS_VERIFY=1
DOCKER_CERT_PATH=~/.docker (all my client, CA & server certificates + keys exist here)
DOCKER_HOST=tcp://$HOST:2376
The command below works (when I pass the CA, client certificate & key):
docker --tlsverify --tlscacert=~/.docker/ca.pem --tlscert=~/.docker/client-cert.pem --tlskey=~/.docker/client-key.pem -H=$HOST:2376 ps
According to the Docker documentation, I can secure docker client connections by default and do not need to pass certificates every time, but the command "docker ps" doesn't work for me. It always expects the client certificate to be passed.
I also tried executing the below:
docker-compose --tlsverify --tlscacert=~/.docker/ca.pem --tlscert=~/.docker/client-cert.pem --tlskey=~/.docker/client-key.pem -H=$HOST:2376 up
ERROR: TLS configuration is invalid - make sure your DOCKER_TLS_VERIFY and DOCKER_CERT_PATH are set correctly
How can I secure the docker client connections by default? I just want to execute "docker ps" without passing the client certificate every time, since it already exists in ~/.docker.
I have also referred to a similar question here.
I found the answer myself! The client certificate and key generated have the names cert.pem and key.pem when I followed the official documentation instructions. I renamed cert.pem to client-cert.pem and the key to client-key.pem in my ~/.docker directory.
Apparently, docker picks up the client certificate by default only if the files are named cert.pem and key.pem. So, my issue here is because of changing the client certificate / key names.

Docker pull image without ssl in Kubernetes with docker private registry

When I try to deploy something with the docker registry I see errors every time:
x509: cannot validate certificate for 10.2.10.7 because it doesn't contain any IP SANs
Question:
How can I disable SSL when deploying an image from the docker registry to Kubernetes?
Assuming relaxed security is OK for your environment, a way to accomplish what you want in Kubernetes is to configure Docker to connect to the private registry as an insecure registry.
Per the doc here:
With insecure registries enabled, Docker goes through the following
steps:
First, try using HTTPS. If HTTPS is available but the certificate is invalid, ignore the error about the certificate.
If HTTPS is not available, fall back to HTTP.
Notice that the change to /etc/docker/daemon.json described in that doc (adding the "insecure-registries" configuration) has to be applied to all nodes in the Kubernetes cluster on which pods/containers can be scheduled to run. Plus, Docker has to be restarted for the change to take effect.
It is also worth noting that the above assumes the cluster uses the Docker container runtime and not some other runtime (e.g. CRI-O) that supports the Docker image format and registry.
As you're using a self-signed TLS certificate, you need to add the certificate to the known certificates list.
Grab your .crt file and copy it to the client machine's SSL certificates directory.
For Ubuntu:
$ sudo cp registry.crt /usr/local/share/ca-certificates/registry.crt
$ sudo update-ca-certificates
Now restart docker:
$ sudo systemctl restart docker
For CentOS 7:
Copy the certificate into /etc/pki/ca-trust/source/anchors/
Use the update-ca-trust command
My problem was with certificates because I used self-signed TLS certificates. It is not a good idea. You might run into the known certificates list and need to add certificates each time and run the command update-ca-certificates (if you are using CentOS 7). However, you might encounter another issue with certificates, with another error code.
To resolve this issue I've used a 3rd-party Certificate Authority called Let's Encrypt.
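The three threads above turn on two settings: the docker CLI only finds client certificates under DOCKER_CERT_PATH when they are named ca.pem, cert.pem and key.pem, and a daemon that listens on tcp:// without TLS or trusts an insecure-registries entry is running with its certificate checks weakened. The Python audit below is an added example, not code from any of the posts or from Docker; it assumes the daemon is configured through a daemon.json file, and the sample config and the registry port are constructed here.

```python
"""Audit the two Docker TLS settings the threads above hinge on
(added example; the sample config below is constructed, not from the page)."""
import json
import os
from pathlib import Path

# File names the docker CLI looks for under DOCKER_CERT_PATH; the renamed
# client-cert.pem / client-key.pem in the second thread are not found.
EXPECTED_CLIENT_FILES = ("ca.pem", "cert.pem", "key.pem")


def check_cert_path(cert_dir):
    """Return the expected file names that are missing from cert_dir."""
    return [name for name in EXPECTED_CLIENT_FILES
            if not (Path(cert_dir) / name).is_file()]


def audit_daemon_config(config):
    """Return findings for a parsed daemon.json dict.

    Flags a daemon listening on a tcp:// socket without TLS (the remote code
    execution warning quoted from Docker for Windows) and every entry under
    insecure-registries, whose certificate errors are silently ignored.
    """
    findings = []
    tls_on = bool(config.get("tlsverify") or config.get("tls"))
    for host in config.get("hosts", []):
        if host.startswith("tcp://") and not tls_on:
            findings.append(f"daemon exposed without TLS on {host}")
    for reg in config.get("insecure-registries", []):
        findings.append(f"registry {reg} allowed over HTTP or with an unverified "
                        f"certificate; trust its CA via /etc/docker/certs.d/{reg}/ca.crt instead")
    return findings


def audit_daemon_file(path):
    """Load daemon.json from disk and audit it; a missing file means defaults."""
    if not os.path.isfile(path):
        return []
    with open(path, encoding="utf-8") as fh:
        return audit_daemon_config(json.load(fh))


if __name__ == "__main__":
    # Constructed daemon.json mirroring the risky settings discussed above.
    sample = {"hosts": ["tcp://0.0.0.0:2375", "npipe://"],
              "insecure-registries": ["10.2.10.7:5000"]}
    for finding in audit_daemon_config(sample):
        print("WARN:", finding)
    cert_dir = os.path.expanduser(os.environ.get("DOCKER_CERT_PATH", "~/.docker"))
    print("missing under DOCKER_CERT_PATH:", check_cert_path(cert_dir) or "none")
```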

Use LetsEncrypt docker for local development environment

I have a project where I need to set up a dev environment with Let's Encrypt.
A self-signed cert doesn't work for me as I need to connect to React Native, unless I tinker with the Android code / Objective-C code, which I don't think is the right thing to do. (Ignore errors for self-signed SSL certs using the fetch API in a ReactNative App?)
I am aware there are some docker projects: https://hub.docker.com/r/jrcs/letsencrypt-nginx-proxy-companion/
I followed along to start the NGINX-LETSENCRYPT container and bind it with my own container using:
docker run --name loginPOC -e "VIRTUAL_HOST=XPS15" -e "LETSENCRYPT_HOST=XPS15" -p 8000:80 -d f91893ef3a6f
Note:
f91893ef3a6f (my C# image - web api)
XPS15 (local machine)
I only get a result when I connect to:
http://xps15:8000/api/values [Works fine]
https://xps15:8000/api/values [HTTPS] [Received "This site can’t provide a secure connection"]
I then checked my cert status with
docker exec d9d1b9b5c933 /app/cert_status
Result: No cert status is found.
After some googling I found:
https://letsencrypt.org/docs/certificates-for-localhost/
and
https://community.letsencrypt.org/t/can-i-use-letsencrypt-in-localhost/21741
I have a few questions in mind:
1. Most of the examples have a top-level domain in their domain name. My doubt is that perhaps XPS15 is not a valid host name?
I'd appreciate it if anyone knows any workaround. Thanks

How to browse container files in Docker for Windows? My folder mapping didn't work

I run a Windows machine and I'm super new to docker. I'm trying to set up Let's Encrypt on my site for HomeAssistant purposes.
I created a folder C:/Docker/LetsEncrypt on my Windows machine and then I ran this command.
PS C:\Users\test> docker run -it --rm -p 80:80 --name certbot -v "C:Docker/LetsEncrypt/etc/letsencrypt:/etc/letsencrypt" -v "C:Docker/LetsEncrypt/var/lib/letsencrypt:/var/lib/letsencrypt" -v "C:Docker/LetsEncrypt/var/log/letsencrypt:/var/log/letsencrypt" quay.io/letsencrypt/letsencrypt:latest certonly --standalone --standalone-supported-challenges http-01 --email myemail#mail.com -d mysite.duckdns.org
This is the result I got:
Warning: This Docker image will soon be switching to Alpine Linux.
You can switch now using the certbot/certbot repo on Docker Hub.
The standalone specific supported challenges flag is deprecated. Please use the --preferred-challenges flag instead.
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
/opt/certbot/venv/local/lib/python2.7/site-packages/josepy/jwa.py:107: CryptographyDeprecationWarning: signer and verifier have been deprecated. Please use sign and verify instead.
signer = key.signer(self.padding, self.hash)
-------------------------------------------------------------------------------
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v01.api.letsencrypt.org/directory
-------------------------------------------------------------------------------
(A)gree/(C)ancel: a
-------------------------------------------------------------------------------
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about EFF and
our work to encrypt the web, protect its users and defend digital rights.
-------------------------------------------------------------------------------
(Y)es/(N)o: y
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for mysite.duckdns.org
Waiting for verification...
Cleaning up challenges
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/mysite.duckdns.org/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/mysite.duckdns.org/privkey.pem
Your cert will expire on 2018-06-22. To obtain a new or tweaked
version of this certificate in the future, simply run certbot
again. To non-interactively renew *all* of your certificates, run
"certbot renew"
- Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
Looks like everything is fine, except I can't find the files fullchain.pem and privkey.pem on my Windows machine, which are supposed to be inside C:\Docker\LetsEncrypt\etc\letsencrypt.
What am I missing?
Here is the command you executed:
PS C:\Users\test> docker run -it --rm -p 80:80 --name certbot
-v "C:Docker/LetsEncrypt/etc/letsencrypt:/etc/letsencrypt"
-v "C:Docker/LetsEncrypt/var/lib/letsencrypt:/var/lib/letsencrypt"
-v "C:Docker/LetsEncrypt/var/log/letsencrypt:/var/log/letsencrypt"
quay.io/letsencrypt/letsencrypt:latest
certonly --standalone --standalone-supported-challenges
http-01 --email myemail#mail.com -d mysite.duckdns.org
Docker allows you to mount directories on your local machine such that, inside the launched container, those same directories are mapped to new names; the directory contents, however, are identical. For example, above it says
-v "C:Docker/LetsEncrypt/etc/letsencrypt:/etc/letsencrypt"
which is a volume pair: left of the : delimiter is a directory local to your machine, C:Docker/LetsEncrypt/etc/letsencrypt, and on the right-hand side is what that same directory is called from the perspective inside the container, /etc/letsencrypt. This mapping frees up the container's internal perspective to be isolated from a given person's local directory structure. Now look closely at this message:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/mysite.duckdns.org/fullchain.pem
That is from the perspective of inside the container, so now you are armed with the knowledge to discover where your missing keys are.
SOLUTION: when inside the container it says
/etc/letsencrypt/live/mysite.duckdns.org/fullchain.pem
that same file is mapped to your local machine at the location
C:Docker/LetsEncrypt/etc/letsencrypt/live/mysite.duckdns.org/fullchain.pem
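As an added example that is not part of the answer above, this Python helper automates the mapping the answer describes: it parses the -v host:container pairs (keeping a Windows drive letter's colon on the host side) and translates a path printed inside the container into the host path behind it, picking the longest matching mount when mounts nest. The mount specs and file paths are copied from the thread; the check that a host path starts with a drive letter plus separator (or a leading slash) is my addition, since "C:Docker" without a separator is not an absolute Windows path.

```python
"""Map a file path printed inside a container back to the host path behind
its -v bind mount (added example for the certbot thread above)."""
import re
from pathlib import PurePosixPath

MOUNT_OPTIONS = {"ro", "rw", "z", "Z"}   # trailing ':opt' on a -v spec


def parse_volume_flags(specs):
    """Turn 'host:container[:opt]' strings into (host, container) pairs.

    Splitting on ':' naively would cut a Windows drive letter off the host
    side, so the container path is taken from the end and the rest rejoined.
    """
    pairs = []
    for spec in specs:
        parts = spec.split(":")
        if parts[-1] in MOUNT_OPTIONS:
            parts.pop()
        container = parts.pop()
        pairs.append((":".join(parts), container))
    return pairs


def host_path_for(container_file, mounts):
    """Return the host path for container_file, or None if it is not on a mount.

    The longest matching container prefix wins, so a nested mount such as
    /etc/letsencrypt/live resolves before /etc/letsencrypt.
    """
    cfile = PurePosixPath(container_file)
    best = None
    for host, cdir in mounts:
        cdir_p = PurePosixPath(cdir)
        if (cfile == cdir_p or cdir_p in cfile.parents) and (
                best is None or len(cdir_p.parts) > len(best[1].parts)):
            best = (host, cdir_p)
    if best is None:
        return None                      # lives only in the container's own filesystem
    rel = cfile.relative_to(best[1]).as_posix()
    return best[0] if rel == "." else best[0].rstrip("/") + "/" + rel


def looks_absolute_host_path(host):
    """True for 'C:\\x', 'C:/x' or '/x'; False for a drive-relative 'C:x'."""
    return bool(re.match(r"^([A-Za-z]:[\\/]|/)", host))


if __name__ == "__main__":
    # Mount specs as typed in the question (constructed copy, not live config).
    flags = ["C:Docker/LetsEncrypt/etc/letsencrypt:/etc/letsencrypt",
             "C:Docker/LetsEncrypt/var/lib/letsencrypt:/var/lib/letsencrypt",
             "C:Docker/LetsEncrypt/var/log/letsencrypt:/var/log/letsencrypt"]
    mounts = parse_volume_flags(flags)
    print(host_path_for("/etc/letsencrypt/live/mysite.duckdns.org/fullchain.pem", mounts))
    for host, _ in mounts:
        if not looks_absolute_host_path(host):
            print("host path is not absolute:", host)
```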

Private Docker Registry Not Connectible to Shell & Web Management UI?

Background:
To set up a private docker registry server at path c:\dkrreg on localhost on a Windows 10 (x64) system with Docker for Windows installed, I have successfully tried the following commands:
docker run --detach --publish 1005:5000 --name docker-registry --volume /c/dkrreg:/var/lib/registry registry:2
docker pull hello-world:latest
docker tag hello-world:latest localhost:1005/hello-world:latest
docker push localhost:1005/hello-world:latest
docker pull localhost:1005/hello-world:latest
Push and Pull from localhost:1005/hello-world:latest via command line succeeds too.
Issue:
If I use my IP address via docker pull 192.168.43.239:1005/hello-world:latest it gives the following error in the command shell:
Error response from daemon: Get https://192.168.43.239:1005/v1/_ping: http: server gave HTTP response to HTTPS client
When using the 3rd-party Docker UI manager via docker run --detach portainer:latest it also shows an error connecting:
2017/04/19 14:30:24 http: proxy error: dial tcp [::1]:1005: getsockopt: connection refused
I tried other stuff as well. How can I connect to my private registry server at localhost:1005 from the LAN using any Docker management UI tool?
At last I found a solution to this, which was tricky.
I generated a CA private key and certificate as ca-cert-mycompany.pem and ca-cert-key-companyname.pem, and configured docker-compose.yml to save both files as :ro in these locations: /usr/local/share/ca-certificates, /etc/ssl/certs/, /etc/docker/certs.d/mysite.com. But I also tried only copying the certificate to /usr/local/share/ca-certificates, which was enough, as docker will ignore duplicate CA certificates. This extra copying is because in many places docker fellows recommended the same. I did not execute the command update-ca-certificates this time in the registry container, but was doing so earlier, contrary to what is suggested by many.
Defined in docker-compose.yml: a random number as REGISTRY_HTTP_SECRET, the server's chained certificate (CA certificate appended to the end of it) as REGISTRY_HTTP_TLS_CERTIFICATE and the server's public key as REGISTRY_HTTP_TLS_KEY. I had disabled HTTP authentication. In particular, I used the same naming for file names as found with other certificates in the container folder, such as mysite.com_server-chained-certificate.crt instead of just certificate.crt.
V-Imp: I pushed the certificate to the trusted root in Windows using the command certutil.exe -addstore root .\Keys\ca-certificate.crt, followed by restarting Docker for Windows from the taskbar icon and then creating the container using docker-compose up -d. This is the most important step; without it nothing worked.
Now I can perform docker pull mysite.com:1005/my-repo:my-tag.
You need to specify to your Docker daemon that your registry is insecure: https://docs.docker.com/registry/insecure/
Based on your OS/system, you need to change the configuration of the daemon to specify the registry address (format IP:PORT, use 192.168.43.239:1005 rather than localhost:1005).
Once you have done that, you should be able to execute the following:
docker pull 192.168.43.239:1005/hello-world:latest
You should also be able to access it via Portainer using 192.168.43.239:1005 in the registry field.
If you want to access your registry using localhost:1005 inside Portainer, you can try to run it inside the host network.
docker run --detach --net host portainer:latest
