Self-signed docker registry in CircleCI - docker

I'm using CircleCI 2.0 and I have a private docker registry with self-signed certificate. I'm able to configure my local docker, just like documented here, the problem is in CircleCI:
I'm using remote dockers so when I try to login in Docker registry it's failing with Error response from daemon: Get https://docker-registry.mycompany.com/v2/: x509: certificate signed by unknown authority.
Is there a way to install the certificate in a remote docker? I don't have access to the docker host's shell. I don't want to use machine executor type.

It's not possible. It could only be accomplished by using CircleCI's Enterprise level system.

Related

Docker remote access

I followed Docker Documentation in order to access a remote docker (installed on a server B) daemon from a server A.
So, all certificates were generated on server B and copied in the docker client machine, server A.
I had already tested the remote access by running the following command :
docker --tlsverify -H=$MY_HOST:$MY_PORT
--tlscacert=$MY_PATH/ca.pem
--tlscert=$MY_PATH/client-cert.pem
--tlskey=$MY_PATH/client-key.pem
Everything is looking good so far, and I had succefully access the remote docker daemon.
However, when I tried to access it by exporting Docker envrionment variables
export DOCKER_HOST=tcp://MY_HOST:$MY_PORT DOCKER_TLS_VERIFY=1 DOCKER_CERT_PATH=~/certs
things don't turn out as expected (tls: bad certificate) :
The server probably has client authentication (--tlsverify) enabled. Please check your TLS client certification settings: Get https://MY_HOST:MY_PORT/v1.40/containers/json?all=1: remote error: tls: bad certificate
Anyone knows how to fix this?

Unable to login to private docker registry from Jenkins

I am trying to use Jenkins to build and push docker images to private registry. However, while trying docker login command, I am getting this error:
http: server gave HTTP response to HTTPS client
I know that this might be happening because the private registry is not added as an insecure registry. But, how I can resolve this in CI pipeline?
Jenkins is set up on a Kubernetes cluster and I am trying to automate the deployment of an application on the cluster.
This has nothing to do with the Jenkins CI pipeline or Kubernetes. Jenkins will not be able to push your images until configure follow either of the below steps
You have two options here
1) Configure your docker client to use the secure registry over HTTPS. This will include setting up self signed certificates or getting certificates from your local certificate authority.
2) Second solution is to use your registry over an unencrypted HTTP connection.
So if you are running docker on kubernetes. You will have to configure the daemon.json file in /etc/docker/daemon.json.
PS: This file might not exist. You will have to create it.
Then add in the below content. Make sure you change the url to match your docker registry
{
"insecure-registries" : ["myregistrydomain.com:5000"]
}
Then restart docker using systemctl restart docker or etc/init.d/docker restart depending on the version of linux distro installed on your cluster
Let me know if you have any questions

accessing docker private registry

I have my private docker registry running on a remote machine, which is secured by TLS and uses HTTPS. Now I want to access it from my local docker-machine installed on Windows 7. I have copied the certificates to "/etc/docker/certs.d/" in the docker-machine VM and restarted docker.
After this I can successfully login to my private registry using credentials, but when I try to push an image to it, it gives me a certificate signed by unknown authority error. After researching a little I restarted the docker daemon with docker -d --insecure-registry https://<registry-host>, and it worked.
My question is: if I have copied my certificates to the host machine, why do I need to start the registry with the --insecure-registry option?
I can only access the registry from another host with certificates as well as restarting docker with --insecure-registry , which looks a little wrong to me.
Docker version: 1.8.3
Any pointers on this would be really helpful.
certificate signed by unknown authority
The error message gives it away - your certificates are self-signed (as in not trusted by a known CA).
See here.
If you would like to access your registry with HTTP, follow the instructions here
Basically (do this on the machine from which you try to access the registry):
edit the file /etc/default/docker so that there is a line that reads: DOCKER_OPTS="--insecure-registry myregistrydomain.com:5000" (or add that to existing DOCKER_OPTS)
restart your Docker daemon: on ubuntu, this is usually service docker stop && service docker start

docker is using the v1 registry api when it should use v2

I'm trying to use a self hosted docker registry v2. I should be able to push a docker image, which does work locally on the host server (coreos) running the registry v2 container. However, on a separate machine (also coreos, same version) when I try to push to the registry, it's try to push to v1, giving this error:
Error response from daemon: v1 ping attempt failed with error: Get
https://172.22.22.11:5000/v1/_ping: dial tcp 172.22.22.11:5000: i/o timeout.
If this private registry supports only HTTP or HTTPS with an unknown CA
certificate, please add `--insecure-registry 172.22.22.11:5000` to the
daemon's arguments. In the case of HTTPS, if you have access to the registry's
CA certificate, no need for the flag; simply place the CA certificate at
/etc/docker/certs.d/172.22.22.11:5000/ca.crt
both machine's docker executable is v1.6.2. Why is it that one works and is pushing to v2 but the other is v1?
Here's the repo for the registry: https://github.com/docker/distribution
You need to secure the registry before you can access it remotely, or explicitly allow all your Docker daemons to access insecure registries.
To secure the registry the easiest choice is to buy an SSL certificate for your server, but you can also self-sign the certificate and distribute to clients.
To allow insecure access add the argument --insecure-registry myregistrydomain.com:5000 to all the daemons who need to access the registry. (Obviously replace the domain name and port with yours).
The full instructions (including an example of your error message) are available at: https://github.com/docker/distribution/blob/master/docs/deploying.md
Regarding the error message, I guess Docker tries to use v2 first, fails because of the security issue then tries v1 and fails again.
This may be due to an env variable being set. I had a very similar issue when using a system with this env variable set.
export DOCKER_HOST="tcp://hostname:5000"
Running docker login http://hostname:5000 did not work and gave the same v1 behaviour. I did not expect the env variable to take precedence over an argument passed directly to the command.
Go to /etc/docker/daemon.json. If the file is not present, create a file and add the following
{
"insecure-registries": ["hosted-registry-IP:port"]
}
After that restart the docker service by
service docker restart

docker client can't read from both "docker private registry" and "online docker registry" if custom ssl certificate are used

Docker version 1.2.0, build 2a2f26c/1.2.0,
docker registry 0.8.1
i setup docker private registry on cenots7 and created my custom ssl cert. when I try to access my docker registry using https I get x509: certificate signed by unknown authority. i found a solution for this by placing the cert file under "/etc/pki/tls/certs" then do
"update-ca-trust"
"service docker restart"
now it started to read my certificate.i can login and pull and push to docker private registry
"https://localdockerregistry".
now when i tries to read from online docker registry(https://index.docker.io/v1/search?q=centos) like
"docker search centos"
i get
"Error response from daemon: Get https://index.docker.io/v1/search?q=centos: x509: certificate signed by unknown authority"
i exported docker.io cert from firefox brower and put it under "/etc/pki/tls/certs" then do "update-ca-trust" and "service docker restart" but same error. it looks like docker client cant decide which cert to use for which repository.
Any ideas how we can fix "x509: certificate signed by unknown authority" for online docker registry while using your own docker private registry.
The correct place to put the certificate is on the machine running your docker daemon (not the client) in this location: /etc/docker/certs.d/my.registry.com:5000/ca.crt where my.registry.com:5000 is the address of your private registry and :5000 is the port where your registry is reachable. If the path /etc/docker/certs.d/ does not exist, you should create it -- that is where the Docker daemon will look by default.
This way you can have a private certificate per private registry and not affect the public registry.
This is per the docs on http://docs.docker.com/reference/api/registry_api/
I had the problem with a docker registry running in a container behind a Nginx proxy with a StartSSL certificate.
In that case you have to append the intermediate ca certs to the nginx ssl certificate, see https://stackoverflow.com/a/25006442/1130611

Resources