How to download a image from default docker registry? - docker

I'm trying to download a container image from default registry with the command:
docker run -d --name=nginx -p 80:80 nginx:alpine
The output is:
Unable to find image 'nginx:alpine' locally
docker: Error response from daemon: Get https://registry-1.docker.io/v2/: x509: certificate signed by unknown authority.
See 'docker run --help'.
I already configured the proxy with cntlm. I'm behind a corporate firewall with Deep Inspection Package (DIP, man in the middle)
Could I define the default registry (https://registry-1.docker.io/v2/) like a insecure registry? How? There are another solution?
I already try the options:
--insecure-registry=registry-1.docker.io:5000
--insecure-registry=registry-1.docker.io
--insecure-registry='*'
--insecure-registry=https://registry-1.docker.io/v2/

Problem resolved.
My SO is mint (based in ubuntu xenial) and docker version 17.06.0-ce
To resolve I needed do put the root certificate from my company's firewall to my linux ca-certificates (reference 1 - https://askubuntu.com/questions/73287/how-do-i-install-a-root-certificate). Obs.: Proxy already configured using cntlm (reference 2 - http://cntlm.sourceforge.net/) (reference 3 - https://docs.docker.com/engine/admin/systemd/)
First I exported the certicate installed in my browser, google chrome. From chrome a choose configuration->advanced->privacy and security->manage certificates->trusted root certificate authorities, so I selected the authority, in my case something like mycompany.com. After, I choose export->advance, select X.509 base64 format (*.cer). The correct format is very important. I saved the file ~/certificate.crt.
Create a extra directory:
sudo mkdir /usr/share/ca-certificates/extra
copy the certificate to extra dir:
sudo cp ~/certificate.crt /usr/share/ca-certificates/extra
update ca-certificates config:
sudo dpkg-reconfigure ca-certificates
restart docker:
sudo systemctl daemon-reload
sudo systemctl restart docker
Now docker can download images from default registry.

Related

Docker behing transparent proxy and intermediate cert

OS: Centos 7.6.1810
Docker Version: Server Version: 18.09.5
Issue:
My company uses a transparent proxy with an intermediate cert to navigate. I was able to install the cert following doc: https://docs.docker.com/ee/dtr/user/access-dtr/ and these steps:
# Download the DTR CA certificate
sudo curl -k https://<dtr-domain-name>/ca -o /etc/pki/ca-trust/source/anchors/<dtr-domain-name>.crt
# Refresh the list of certificates to trust
sudo update-ca-trust
# Restart the Docker daemon
sudo /bin/systemctl restart docker.service
Curl and Wget are working well, but docker run is not:
bash $ docker run -it cheers
Unable to find image 'cheers:latest' locally
docker: Error response from daemon: Get https://registry-1.docker.io/v2/: remote error: tls: handshake failure.
See 'docker run --help'.
I've tried adding the registry as insecure in daemon.json but it was unsuccessfully.
Has anyone run into the same problem?
I think i figured out what’s going on:
Docker client offers only TLS_ECDHE_* ciphers but .docker.io (behind my corporate proxy) offers only TLS_RSA ciphers.
Without proxy, docker.io offers both types of ciphers.
Now, next challenge: make docker offer TLS_RSA or make my proxy support TLS_ECDHE.
I have no idea how to do either :frowning:

docker (behind a proxy) pull from azure container registry works but from registry-1.docker.io, it gives certificate signed by unknown authority error

In ubuntu 18.04 VM
I am behind a proxy, I've set up docker configuration with the same proxy.
I created an azure container registry and when trying to docker pull from the registry it works.
But when trying to:
$docker run node:6
I get the error:
"docker: Error response from daemon: Get https://registry-1.docker.io/v2/: x509: certificate signed by unknown authority."
I've added the registry to /etc/docker/daemon.json:
{
"insecure-registries": ["registry-1.docker.io","myazureContainerRegistry.azurecr.io"]
}
By doing the above step, "$docker run myazureContainerRegistry.azurecr.io/myimage:tag" works but "$docker run node:6" still gives the certificate error.
I've added the certificate for "*.docker.io" to /etc/docker/certs.d/docker.io and also to /usr/local/share/ca-certificate (sudo apt update-ca-certificates), still it doesn't work.
I've also tried to:
$curl -k https://registry-1.docker.io/
$wget https://registry-1.docker.io/ --no-check-certificate
Both of these steps work but with docker (to run/pull node:6 ) I still get the certificate error.
The output of "$docker --version" is: "Docker version 18.09.2"
This is how my ~/.docker/config.json looks like:
config.json
I expect "docker run node:6" to pull the image successfully but it actually gives the error
For your issue, first of all, you need to have the certificate in the ~/.docker/config.json. Then you can pull the image from the registry without login. Then you can execute the command without pulling the image before. for you, the command like this:
docker run registry-1.docker.io/node:6
In my side, the config.json will like this:
And I can execute the command like this:
The URI of registry in the docker hub is https://index.docker.io/v1/charlesjunqiang.
Update
If you use the certificate file to authenticate the Docker registry. Then you should do some steps to authenticate the Docker registry in the client machine.
One:
Add the certificate file in the directory /usr/local/share/ca-certificates/docker-dev-cert/ with the name yourname.crt. Then execute the commands:
sudo update-ca-certificates
sudo service docker restart
Secord:
Create a directory in the directory /etc/docker/certs.d with the same name as the registry, for example, myregistry.azurecr.io. Then add the certificate file in it with the name yourname.cert. Also, you should add the file as .key that automatic created when you create the certificate file.
Then you can log in the registry and run the command docker run registry-1.docker.io/node:6 as you want.
There are screenshots of the result in my side.

Docker don't run with proxy [duplicate]

This question already has answers here:
x509: certificate signed by unknown authority - both with docker and with github
(3 answers)
Closed 4 years ago.
i need your help,
My docker don't run on my enterprise, I do not know what to do
kaue default # docker run hello-world
Unable to find image 'hello-world:latest' locally
latest: Pulling from library/hello-world
9bb5a5d4561a: Pulling fs layer
docker: error pulling image configuration: Get https://production.cloudflare.docker.com/registry-v2/docker/registry/v2/blobs/sha256/e3/e38bc07ac18ee64e6d59cf2eafcdddf9cec2364dfe129fe0af75f1b0194e0c96/data?verify=1528483070-KGbywXnskgTKu5B9AuTdFPQdYjs%3D: x509: certificate signed by unknown authority.
See 'docker run --help'
.
I have a Windows 7, and Authenticated proxy in my job...
Set the proxy in your environment before running the docker run command...
set HTTPS_PROXY=http://user:password#proxy_name_or_ip:proxy_port
For example
set HTTPS_PROXY=http://myusername:Password1#proxy.local:8080
For docker on windows, follow these steps to configure the proxy variables:
In powershell perform the following for HTTP_PROXY and HTTPS_PROXY:
[Environment]::SetEnvironmentVariable("HTTP_PROXY", "http://username:password#proxy:port/", [EnvironmentVariableTarget]::Machine)
Once the variables are set, restart the service with powershell:
Restart-Service docker
Edit: For Linux native installs of Docker using systemd, follow these steps to configure your proxy:
Create a systemd drop-in directory for the docker service:
$ sudo mkdir -p /etc/systemd/system/docker.service.d
Create a file called /etc/systemd/system/docker.service.d/http-proxy.conf that adds the HTTP_PROXY environment variable:
[Service]
Environment="HTTP_PROXY=http://proxy.example.com:80/"
Or, if you are behind an HTTPS proxy server, create a file called /etc/systemd/system/docker.service.d/https-proxy.conf that adds the HTTPS_PROXY environment variable:
[Service]
Environment="HTTPS_PROXY=https://proxy.example.com:443/"
If you have internal Docker registries that you need to contact without proxying you can specify them via the NO_PROXY environment variable:
[Service]
Environment="HTTP_PROXY=http://proxy.example.com:80/" "NO_PROXY=localhost,127.0.0.1,docker-registry.somecorporation.com"
Or, if you are behind an HTTPS proxy server:
[Service]
Environment="HTTPS_PROXY=https://proxy.example.com:443/" "NO_PROXY=localhost,127.0.0.1,docker-registry.somecorporation.com"
Flush changes:
$ sudo systemctl daemon-reload
Restart Docker:
$ sudo systemctl restart docker
Verify that the configuration has been loaded:
$ systemctl show --property=Environment docker
Environment=HTTP_PROXY=http://proxy.example.com:80/
Or, if you are behind an HTTPS proxy server:
$ systemctl show --property=Environment docker
Environment=HTTPS_PROXY=https://proxy.example.com:443/
For special characters in your password, you can use unicode to encode the characters:
If your original password was: F#o:o!B#ar$
The unicode equivalent would be: F%40o%3Ao%21B%23ar%24

Private Docker Registry Not Connectible to Shell & Web Management UI?

Background:
To setup a private docker registry server at path c:\dkrreg on localhost on Windows 10 (x64) system, installed with Docker for Windows, have successfully tried following commands:
docker run --detach --publish 1005:5000 --name docker-registry --volume /c/dkrreg:/var/lib/registry registry:2
docker pull hello-world:latest
docker tag hello-world:latest localhost:1005/hello-world:latest
docker push localhost:1005/hello-world:latest
docker pull localhost:1005/hello-world:latest
Push and Pull from localhost:1005/hello-world:latest via command line succeeds too.
Issue:
If i use my IP address via docker pull 192.168.43.239:1005/hello-world:latest it gives following error in command shell:
Error response from daemon: Get https://192.168.43.239:1005/v1/_ping: http: server gave HTTP response to HTTPS client
When using 3rd party Docker UI Manager via docker run --detach portainer:latest it also shows error to connect as:
2017/04/19 14:30:24 http: proxy error: dial tcp [::1]:1005: getsockopt: connection refused
Tried other stuff also. How can I connect my private registry server that is localhost:1005 from LAN using any Docker Management UI tool ?
At last find solution to this which was tricky
Generated CA private key and certificate as ca-cert-mycompany.pem and ca-cert-key-companyname.pem. And configured docker-compose.yml to save both files as :ro in these locations: /usr/local/share/ca-certificates, /etc/ssl/certs/, /etc/docker/certs.d/mysite.com. But I also tried only copying certificate to /usr/local/share/ca-certificates was enough as docker will ignore duplicate CA certificates. This extra copying is because at many placed docker fellow recommended the same. I did not executed command: update-ca-certificates this time in registry container but was doing earlier as against what is suggested by many.
Defined in docker-compose.yml: random number as REGISTRY_HTTP_SECRET, and server's chained certificate (CA certificate appended to end of it) to REGISTRY_HTTP_TLS_CERTIFICATE amd server's public key to REGISTRY_HTTP_TLS_KEY. Had disabled HTTP authentication. Especially used some naming for file names as found with other certificates in container folder as mysite.com_server-chained-certificate.crt instead of just certificate.crt.
V-Imp: pushed certificate to trusted root in windows using command certutil.exe -addstore root .\Keys\ca-certificate.crt followed with restarting Docker for Windows from taskbar icon and then creating container using docker-compose up -d. This is most important step without this nothing worked.
Now can perform docker pull mysite.com:1005/my-repo:my-tag.
You need to specify to your Docker daemon that your registry is insecure: https://docs.docker.com/registry/insecure/
Based on your OS/system, you need to change the configuration of the daemon to specify the registry address (format IP:PORT, use 192.168.43.239:1005 rather than localhost:1005).
Once you have done that, you should be able to execute the following:
docker pull 192.168.43.239:1005/hello-world:latest
You should also be able to access it via Portainer using 192.168.43.239:1005 in the registry field.
If you want to access your registry using localhost:1005 inside Portainer, you can try to run it inside the host network.
docker run --detach --net host portainer:latest

Push\Pull docker images to Artifactory

I'm trying to push docker images to artifactory as part of a CI jenkins job.
I have an Artifactory installed with url art:8080
I installed Docker on Win2016 and built my dockerfile.
Now I stuck in how to push the output image of the dockerfile.
I tried:
<!-- language: lang-none -->
docker tag microsoft/windowsservercore art:8080/imageID:latest
docker push art:8080/docker-local:latest
but I get an error stating:
Get https://art:8080/v2/: dial tcp: lookup artifactory: getaddrinfow: No such host is known.
Where is the https getting from?
How do I push to the correct local docker repo in my artifactory?
Docker requires you to use https. What I do (I use Nexus not Artifactory) is setup a reverse proxy using nginx. Here is the doc for that - https://www.jfrog.com/confluence/display/RTF/Configuring+a+Reverse+Proxy
Alternatively, you can set Docker to not require https (though not recommended)
Since you're asking how to pull, these steps worked for an enterprise artifactory where Certificate CA are not trusted outside the organization
$ sudo mkdir -p /etc/docker/certs.d/docker-<artifactory-resolverhost>
$ sudo cp /tmp/ca.crt /etc/docker/certs.d/docker-<artifactory-resolverhost>
$ sudo chown root:docker /etc/docker/certs.d/docker-<artifactory-resolverhost>/ca.crt
$ sudo chmod 740 /etc/docker/certs.d/docker-<artifactory-resolverhost>/ca.crt
Where ca.crt is the base-64 chain of CA trusted certificates and is the resolver hostname of the repository. For ex. repo.jfrog.org if you were using the public repository. To confirm you can do a ping against "artifactory-resolverhost" to make sure is reachable from your network
Then you should be able to pull an image with your user belonging to docker group for ex.
docker pull docker-<artifactory-resolverhost>/<repository-name>/rhel7-tomcat:8.0.18_4
You can then view the downloaded image with below command
docker images

Resources