docker Run an externally-accessible registry with self signed certificate - docker

Can I set up docker to run an externally-accessible registry with a self-signed certificate, or do I need a CA certificate? After configuring nginx with an SSL self-signed certificate I ran the command below and it gave me the error, so can somebody help me with that?
i) # cd /etc/nginx
ii) # docker run -d \
--restart=always \
--name sogetiaws \
-v $(pwd)/ssl:/ssl \
-e REGISTRY_HTTP_ADDR=0.0.0.0:5000 \
-e REGISTRY_HTTP_TLS_CERTIFICATE=/ssl/docker-reg.sogeti-aws.nl.crt \
-e REGISTRY_HTTP_TLS_KEY=/ssl/docker-reg.sogeti-aws.nl.key \
-p 5000:5000 \
registry:2
Domain Name: docker-reg.sogeti-aws.nl
ERROR
iii) # docker push docker-reg.sogeti-aws.nl/my-ubuntu
The push refers to a repository [docker-reg.sogeti-aws.nl/my-ubuntu]
Get https://docker-reg.sogeti-aws.nl/v1/_ping: x509: certificate signed by unknown authority

Add
--insecure-registry docker-reg.sogeti-aws.nl:5000
to your local daemon (the one you use to push the image).
Or
add
{
"insecure-registries" : [ "docker-reg.sogeti-aws.nl:5000" ]
}
to your /etc/docker/daemon.json config file.
Source: Add Insecure Registry to Docker
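The insecure-registries route above switches certificate verification off for that host entirely. The daemon's own mechanism for a self-signed certificate keeps verification on: place the registry's certificate at /etc/docker/certs.d/docker-reg.sogeti-aws.nl:5000/ca.crt and the daemon anchors its chain check at that one certificate. The Go program below is an added example (not from the question, the answer, or the registry project) that reproduces both outcomes against a constructed TLS test server: the x509 "unknown authority" failure with system roots only, and success when the self-signed certificate is used as the trust root the way ca.crt is.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// pingRegistry mimics the daemon's pre-push check: GET <registry>/v2/ over TLS.
// caPEM is the registry's self-signed certificate in the form the daemon reads
// from /etc/docker/certs.d/<host>:<port>/ca.crt; nil means "system roots only",
// which is the failing case in the question.
func pingRegistry(baseURL string, caPEM []byte) error {
	cfg := &tls.Config{MinVersion: tls.VersionTLS12}
	if caPEM != nil {
		pool := x509.NewCertPool()
		if !pool.AppendCertsFromPEM(caPEM) {
			return errors.New("ca.crt holds no PEM certificate")
		}
		cfg.RootCAs = pool // verification stays on, anchored at this one cert
	}
	client := &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}
	resp, err := client.Get(baseURL + "/v2/")
	if err != nil {
		return err // for an untrusted cert this wraps x509.UnknownAuthorityError
	}
	resp.Body.Close() // any HTTP status (200 or 401) means the handshake passed
	return nil
}

// isUnknownAuthority reports whether err is the error quoted in the question.
func isUnknownAuthority(err error) bool {
	var ua x509.UnknownAuthorityError
	return errors.As(err, &ua)
}

// fakeRegistry is a constructed stand-in for the registry:2 container: a TLS
// test server with its own self-signed certificate that answers the /v2/ ping.
// It also returns that certificate as PEM, i.e. what ca.crt would contain.
func fakeRegistry() (*httptest.Server, []byte) {
	srv := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Docker-Distribution-API-Version", "registry/2.0")
	}))
	return srv, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: srv.Certificate().Raw})
}

func main() {
	srv, caPEM := fakeRegistry()
	defer srv.Close()
	err := pingRegistry(srv.URL, nil)
	fmt.Println("system roots only:", isUnknownAuthority(err), err)
	fmt.Println("with ca.crt:", pingRegistry(srv.URL, caPEM))
}
```

The same trust-anchoring is what the daemon does with the certs.d file; unlike insecure-registries it still rejects any other certificate presented for that host.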

Related

How to use a secure docker registry within a kind kubernetes cluster

I am trying to create a secure docker registry to be used inside a development kind cluster. I am going to use a container for the registry and 3 other containers for kind workers. In order to be consistent with the production environment I want to use TLS, so I created a self-signed certificate for the docker registry. I connected the containers using a docker network. However, when I create a deployment based on an image from that registry, I get an x509 certificate signed by unknown authority error.
I used this tutorial:
containerdConfigPatches: # Enable a local image registry, placeholders automatically replaced in bootstrap script -- https://kind.sigs.k8s.io/docs/user/local-registry/
  - |-
    [plugins."io.containerd.grpc.v1.cri".registry.configs.my-registry.tls]
      cert_file = "/etc/docker/certs.d/my-registry/domain.crt"
      key_file = "/etc/docker/certs.d/my-registry/domain.key"
But it does not seem to work.
My kind version:
kind v0.17.0 go1.20 linux/amd64
The command I use to create the registry:
docker run -d \
--restart=always \
--name my-registry \
-v `pwd`/auth:/auth \
-v `pwd`/certs:/certs \
-e REGISTRY_AUTH=htpasswd \
-e REGISTRY_AUTH_HTPASSWD_REALM="Registry Realm" \
-e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd \
-e REGISTRY_HTTP_ADDR=0.0.0.0:80 \
-e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt \
-e REGISTRY_HTTP_TLS_KEY=/certs/domain.key \
-p 7443:80 \
registry:2
You are using a self-signed certificate for your docker registry instead of a certificate issued by a trusted certificate authority (CA). The docker daemon does not trust the self-signed certificate, which is causing the x509 error.
This may occur due to the expiration of the current certificate, a changed hostname, or other changes.
Verify that the $HOME/.kube/config file contains a valid certificate, and regenerate a certificate if necessary. The certificates in a kubeconfig file are base64 encoded. The base64 --decode command can be used to decode the certificate and openssl x509 -text -noout can be used for viewing the certificate information.
Unset the KUBECONFIG environment variable using:
unset KUBECONFIG
Or set it to the default KUBECONFIG location:
export KUBECONFIG=/etc/kubernetes/admin.conf
Another workaround is to overwrite the existing kubeconfig for the "admin" user:
mv $HOME/.kube $HOME/.kube.bak
mkdir $HOME/.kube
sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
sudo chown $(id -u):$(id -g) $HOME/.kube/config
For more information refer to the documentation.

How to run Confluent Schema Registry using Docker on AWS ec2

I want to run schema registry for my AWS MSK cluster on EC2 within the same VPC as my MSK cluster using confluentinc/cp-schema-registry.
But the container is exiting without any proper error message.
Here is my docker command:
docker run \
--net=host \
--name=schema-registry \
-e SCHEMA_REGISTRY_KAFKASTORE_CONNECTION_URL=<PLAINTEXT-ZOOKEEPER-CONNECTION-URL> \
-e SCHEMA_REGISTRY_HOST_NAME=localhost \
-e SCHEMA_REGISTRY_LISTENERS=http://localhost:8081 \
-p 8081:8081 \
confluentinc/cp-schema-registry
===== UPDATE ======
I have also tried running confluent schema-registry as follows:
bin/schema-registry-start etc/schema-registry/schema-registry.properties
But getting the error:
java.lang.RuntimeException: Error initializing the ssl context for RestService
Caused by: java.io.IOException: Keystore was tampered with, or password was incorrect
I have generated the signed certificate and added it to the keystore by following:
https://docs.aws.amazon.com/msk/latest/developerguide/msk-authentication.html
This keystore is working fine with console-producer and consumers but not working with schema-registry.
And here is the content of my schema-registry.properties:
listeners=http://0.0.0.0:8081
kafkastore.bootstrap.servers=<MY-MSK-BOOTSTRAP-SERVER>
kafkastore.topic=_schemas
debug=true
security.protocol=SSL
ssl.truststore.location=/tmp/kafka/kafka.client.truststore.jks
ssl.keystore.location=/tmp/kafka/kafka.client.keystore.jks
ssl.keystore.password=xxxx
ssl.key.password=xxxx

How to set username and password for our own docker private registry?

I was able to run a repository using docker container run -itd --publish 5000:5000 registry. But I am not asked for a username and password when I pull or push an image to that repository.
How to set username and password for our own docker private registry and how to use them in Dockerfile and docker-compose when we want to use the image from that repository?
How to set username and password for our own docker private registry?
There are a couple of ways to implement basic auth in DTR. The simplest way is to put the DTR behind a web proxy and use the basic auth mechanism provided by the web proxy.
To enable basic auth in DTR directly, this is how:
Create a password file containing username and password: mkdir auth && docker run --entrypoint htpasswd registry:2 -Bbn your-username your-password > auth/htpasswd.
Stop DTR: docker container stop registry.
Start DTR again with basic authentication, see commands below.
Note: You must configure TLS first for authentication to work.
docker run -d \
-p 5000:5000 \
--restart=always \
--name registry \
-v `pwd`/auth:/auth \
-e "REGISTRY_AUTH=htpasswd" \
-e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" \
-e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd \
-v `pwd`/certs:/certs \
-e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt \
-e REGISTRY_HTTP_TLS_KEY=/certs/domain.key \
registry:2
How to use them when we want to use the image from that repository?
Before pulling images, you first need to log in to the DTR:
docker login your-domain.com:5000
And fill in the username and password from the first step.

How to store my docker registry in the file system

I want to setup a private registry behind a nginx server. To do that I configured nginx with a basic auth and started a docker container like this:
docker run -d \
-e STANDALONE=true \
-e INDEX_ENDPOINT=https://docker.example.com \
-e SETTINGS_FLAVOR=local \
-e STORAGE_PATH=/home/example/registry \
-p 5000:5000 \
registry
By doing that, I can log in to my registry, push/pull images... But if I stop the container and start it again, everything is lost. I would have expected my registry to be saved in /home/example/registry but this is not the case. Can someone tell me what I missed?
I would have expected my registry to be saved in /home/example/registry but this is not the case
It is the case; only the /home/example/registry directory is on the docker container file system, not the docker host file system.
If you run your container mounting one of your docker host directories as a volume in the container, it would achieve what you want:
docker run -d \
-e STANDALONE=true \
-e INDEX_ENDPOINT=https://docker.example.com \
-e SETTINGS_FLAVOR=local \
-e STORAGE_PATH=/registry \
-p 5000:5000 \
-v /home/example/registry:/registry \
registry
Just make sure that /home/example/registry exists on the docker host side.

docker private registry user creation

I have created my private docker registry running on localhost:5000/v1 but it does not provide authentication. How do I have a username and password so that only authorized users can push an image to it?
I am also not able to list all the images present in the private registry; all documents say running the command below will list them, localhost:5000/v1/search, but it gives a blank JSON response as:
{
"num_results": 0,
"query": "",
"results": []
}
How to resolve this?
Thanks,
Yash
An answer to your first question: You need to use something like nginx in front of the registry to do the actual password authentication. There are example nginx configuration files for pre-1.3.9 nginx and later versions in the Docker Registry Github repo for wrapping the registry with nginx; there is more information on authentication configuration on the nginx wiki.
You can use htpasswd to set up a login with docker's registry image. However, I don't believe they have implemented a search function in this image yet. To create a user, I have the following script:
#!/bin/sh
usage() { echo "$0 user"; exit 1; }
if [ $# -ne 1 ]; then
  usage
fi
user=$1
cd "$(dirname "$0")"
# Create the auth directory and an empty htpasswd file on first run;
# htpasswd without -c refuses to modify a file that does not exist yet.
if [ ! -d "auth" ]; then
  mkdir -p auth
fi
touch auth/htpasswd
# Writable only while htpasswd (running inside the container) adds the entry
chmod 666 auth/htpasswd
docker run --rm -it \
  -v "$(pwd)/auth:/auth" \
  --entrypoint htpasswd registry:2 -B /auth/htpasswd "$user"
# Back to read-only once the bcrypt entry has been written
chmod 444 auth/htpasswd
Then to run the registry, I use the following script (from the same folder):
#!/bin/sh
cd `dirname $0`
docker run -d -p 5000:5000 --restart=always --name registry \
-v `pwd`/certs:/certs:ro \
-v `pwd`/auth/htpasswd:/auth/htpasswd:ro \
-v `pwd`/registry:/var/lib/registry \
-e "REGISTRY_HTTP_TLS_CERTIFICATE=/certs/host-cert.pem" \
-e "REGISTRY_HTTP_TLS_KEY=/certs/host-key.pem" \
-e "REGISTRY_AUTH=htpasswd" \
-e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" \
-e "REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd" \
-e "REGISTRY_STORAGE_FILESYSTEM_ROOTDIRECTORY=/var/lib/registry" \
registry:2
Note that I'm also using TLS certificates in the above under the certs directory. You can create these with openssl commands (same ones used for securing the docker daemon socket).
