Private Docker Registry Not Connectible to Shell & Web Management UI? - docker

Background:
To set up a private Docker registry server at path c:\dkrreg on localhost on a Windows 10 (x64) system with Docker for Windows installed, I have successfully tried the following commands:
docker run --detach --publish 1005:5000 --name docker-registry --volume /c/dkrreg:/var/lib/registry registry:2
docker pull hello-world:latest
docker tag hello-world:latest localhost:1005/hello-world:latest
docker push localhost:1005/hello-world:latest
docker pull localhost:1005/hello-world:latest
Push and pull of localhost:1005/hello-world:latest via the command line succeed too.
Issue:
If I use my IP address via docker pull 192.168.43.239:1005/hello-world:latest, it gives the following error in the command shell:
Error response from daemon: Get https://192.168.43.239:1005/v1/_ping: http: server gave HTTP response to HTTPS client
When using the third-party Docker UI manager Portainer via docker run --detach portainer:latest, it also shows a connection error:
2017/04/19 14:30:24 http: proxy error: dial tcp [::1]:1005: getsockopt: connection refused
Tried other stuff also. How can I connect to my private registry server, which is localhost:1005, from the LAN using any Docker management UI tool?

At last I found a solution to this, which was tricky.
Generated a CA private key and certificate as ca-cert-mycompany.pem and ca-cert-key-companyname.pem, and configured docker-compose.yml to save both files as :ro in these locations: /usr/local/share/ca-certificates, /etc/ssl/certs/, /etc/docker/certs.d/mysite.com. But I also found that only copying the certificate to /usr/local/share/ca-certificates was enough, as Docker will ignore duplicate CA certificates. This extra copying is because in many places Docker fellows recommended the same. I did not execute the command update-ca-certificates in the registry container this time, but was doing so earlier, as against what is suggested by many.
Defined in docker-compose.yml: a random number as REGISTRY_HTTP_SECRET, the server's chained certificate (CA certificate appended to the end of it) as REGISTRY_HTTP_TLS_CERTIFICATE and the server's public key as REGISTRY_HTTP_TLS_KEY. Had disabled HTTP authentication. Especially used a naming for the file names as found with other certificates in the container folder, such as mysite.com_server-chained-certificate.crt instead of just certificate.crt.
V-Imp: pushed the certificate to the trusted root store in Windows using the command certutil.exe -addstore root .\Keys\ca-certificate.crt, followed by restarting Docker for Windows from the taskbar icon and then creating the container using docker-compose up -d. This is the most important step; without this nothing worked.
Now I can perform docker pull mysite.com:1005/my-repo:my-tag.

You need to specify to your Docker daemon that your registry is insecure: https://docs.docker.com/registry/insecure/
Based on your OS/system, you need to change the configuration of the daemon to specify the registry address (format IP:PORT; use 192.168.43.239:1005 rather than localhost:1005).
Once you have done that, you should be able to execute the following:
docker pull 192.168.43.239:1005/hello-world:latest
You should also be able to access it via Portainer using 192.168.43.239:1005 in the registry field.
If you want to access your registry using localhost:1005 inside Portainer, you can try running it inside the host network.
docker run --detach --net host portainer:latest
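The error "server gave HTTP response to HTTPS client" (also in the other registry thread further down) is the daemon's first contact with a non-localhost registry: it attempts TLS, and a registry:2 container started without REGISTRY_HTTP_TLS_* answers that ClientHello as if it were a malformed plaintext request. The probe below is an added example, not code from this thread or from Docker; it reproduces that classification offline against a constructed plaintext server that mimics the /v2/ version-check endpoint, and also shows the "connection refused" case Portainer reported. Host, port and the server behaviour are constructed for the demo.

```python
import socket
import socketserver
import ssl
import threading
from http.server import BaseHTTPRequestHandler


class _PlainRegistryHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for a registry:2 container started without
    REGISTRY_HTTP_TLS_*: plaintext HTTP answering the /v2/ version check."""

    timeout = 0.5  # give up on a client that never sends a request line (e.g. a TLS ClientHello)

    def do_GET(self):
        if self.path != "/v2/":
            self.send_error(404)
            return
        self.send_response(200)
        self.send_header("Docker-Distribution-Api-Version", "registry/2.0")
        self.send_header("Content-Length", "2")
        self.end_headers()
        self.wfile.write(b"{}")

    def log_message(self, fmt, *args):  # keep the demo quiet
        pass


def start_plain_registry(host: str = "127.0.0.1"):
    """Run the constructed plaintext server on an ephemeral port; returns (server, port)."""
    server = socketserver.TCPServer((host, 0), _PlainRegistryHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def closed_port(host: str = "127.0.0.1") -> int:
    """A port nothing listens on: bind an ephemeral port and release it again."""
    with socket.socket() as s:
        s.bind((host, 0))
        return s.getsockname()[1]


def probe_registry(host: str, port: int, timeout: float = 2.0) -> str:
    """Classify a registry endpoint the way the daemon's first contact does.

    Returns "https" if a TLS handshake completes (certificate trust is a
    separate check), "http" if the port only speaks plaintext, and
    "unreachable" if nothing answers (the 'connection refused' seen from
    Portainer). The real daemon stops at the failed TLS attempt with
    'server gave HTTP response to HTTPS client' unless the address is
    listed under insecure-registries.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # only asking whether TLS is spoken at all
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "unreachable"
    try:
        with ctx.wrap_socket(raw, server_hostname=host):
            return "https"
    except OSError:  # ssl.SSLError included: the listener answered with HTTP or hung up
        pass
    finally:
        raw.close()

    try:
        with socket.create_connection((host, port), timeout=timeout) as conn:
            conn.sendall(b"GET /v2/ HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
            reply = conn.recv(64)
    except OSError:
        return "unreachable"
    return "http" if reply.startswith(b"HTTP/1.") else "unreachable"


if __name__ == "__main__":
    server, port = start_plain_registry()
    print(f"127.0.0.1:{port} ->", probe_registry("127.0.0.1", port))  # http
    print("closed port ->", probe_registry("127.0.0.1", closed_port()))  # unreachable
    server.shutdown()
    server.server_close()
```

A result of "http" for a LAN address means exactly the choice the answers above describe: either list that host:port under insecure-registries on every client daemon, or give the registry a certificate the clients trust. An "unreachable" result from inside a Portainer container against localhost is the container's own loopback, not the host's, which is why the --net host variant works.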

Related

Issue with adding trusted mitmproxy certificate to the docker container

I tried to run mitmproxy via Docker to collect the API requests we send from the app to the server. I had already set up the process locally and started working on putting it into a Docker container.
First I tried to use the standard Docker image: https://hub.docker.com/r/mitmproxy/mitmproxy
Ran the following command:
docker run --rm -it -p 8282:8080 -p 127.0.0.1:8182:8081 mitmproxy/mitmproxy mitmweb --web-host 0.0.0.0 --web-port 8282
And I faced an issue with the mitmproxy certificate: while trying to collect the 'https' traffic, it was not trusted.
When I tried to write a custom image based on the standard one through a Dockerfile, I added the corresponding mitmproxy certificate to the container there, but it doesn't help for some reason.
Not trusted certificate example: https://i.stack.imgur.com/nSWb6.png
Browser view after performing some search: https://i.stack.imgur.com/l9RXV.png
Dockerfile:
https://i.stack.imgur.com/P5qOm.png

How to access Docker Registry publicly from both sub network and outside world

I have just run a docker registry by:
$ docker run -d --name registry --restart always -p 5961:5000 registry:2.7.1
Now I can push to it by:
$ docker tag ubuntu:v2 localhost:5961/ubuntu:v2
$ docker push localhost:5961/ubuntu:v2
But not from outside. For example, I cannot push to it from another machine on the same network by executing:
$ docker tag ubuntu:v2 192.168.1.122:5961/ubuntu:v2
$ docker push 192.168.1.122:5961/ubuntu:v2
The error is:
The push refers to repository [192.168.1.122:5961/ubuntu]
Get https://192.168.1.122:5961/v2/: http: server gave HTTP response to HTTPS client
Why?
Also, I don't know how to pull this image (192.168.1.122:5961/ubuntu:v2) from the outside world, for example by:
$ docker pull <public-ip>:5961/ubuntu:v2
Note that I can port forward the port 5961 of the machine 192.168.1.122 to the same port of <public-ip>.
1. Regarding the local network:
Your docker registry is insecure and is using HTTP, not HTTPS. So you need to define an insecure registry for the client daemon, by updating the /etc/docker/daemon.json file like so:
{
"insecure-registries" : ["192.168.1.122:5961"]
}
See: docs
2. Regarding pulling the image from the outside world:
It should work the way you described it, docker pull <public-ip>:5961/ubuntu:v2 (as long as all clients define the registry as insecure, if it is).
But please DO NOT use an insecure registry open to the outside world, and unless you want everyone in the world to be able to pull your images, add some authentication mechanism in front of your registry service.

Docker Insecure registry , ubuntu 14.0.4 trusty , request canceled time out awaiting headers

I created a registry using the command below:
docker run -d -p 5000:5000 --restart=always --name registry registry
If I use the command
docker pull localhost:5000/…
everything works,
but if I use
docker pull ipaddress:5000/…
everything fails.
I tried editing the /etc/default/docker file with DOCKER_OPTS, which made the Docker service crash.
I added an /etc/docker/daemon.json file with insecure registry entries, but even then I get the error below on docker pull/push:
request canceled time out awaiting headers
I am stuck here and need help.
I was able to fix the issue; it was due to a missing no_proxy entry which, when I added it for my IP address, started working.
You need to declare the registry as an insecure registry by editing the daemon.json file. By default, when connecting to a registry on localhost there is no need to have TLS certificates configured.
However, when you try to connect to remote registry and it is insecure, you need to add an insecure registry line for the remote registry.
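The "request canceled while awaiting headers" symptom in this thread was not the insecure-registry setting at all: the daemon sent the LAN request to the corporate proxy, which could not reach 192.168.x.x. Whether a request bypasses the proxy is decided by the NO_PROXY rules of Go's net/http, which the daemon uses. The function below is an added example (not Docker's own code) that re-implements those rules in Python for IPv4 and DNS names: "localhost" and loopback always go direct, "*" bypasses everything, entries may be an IP, an IP:port, a CIDR block, a domain ("example.com" matches itself and its subdomains) or a leading-dot/"*." domain (subdomains only). The addresses are constructed for the demo.

```python
import ipaddress
from typing import Tuple


def _split_host_port(addr: str) -> Tuple[str, str]:
    """Split 'host[:port]' for IPv4 literals and DNS names (no IPv6 brackets here)."""
    host, sep, port = addr.rpartition(":")
    if not sep or not port.isdigit():
        return addr, ""
    return host, port


def should_bypass_proxy(addr: str, no_proxy: str) -> bool:
    """True when the daemon connects directly to addr, False when it uses the proxy.

    addr is the 'host:port' about to be dialled, no_proxy the NO_PROXY value
    (comma-separated). Mirrors the matching order of Go's net/http proxy code.
    """
    host, port = _split_host_port(addr)
    host = host.lower()
    if host == "localhost":
        return True
    ip = None
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        pass
    if ip is not None and ip.is_loopback:
        return True

    for entry in no_proxy.split(","):
        entry = entry.strip().lower()
        if not entry:
            continue
        if entry == "*":
            return True
        if "/" in entry:  # CIDR block such as 192.168.0.0/16
            try:
                net = ipaddress.ip_network(entry, strict=False)
            except ValueError:
                continue
            if ip is not None and ip in net:
                return True
            continue
        ehost, eport = _split_host_port(entry)
        try:  # bare IP or IP:port
            eip = ipaddress.ip_address(ehost)
        except ValueError:
            eip = None
        if eip is not None:
            if ip is not None and ip == eip and (eport == "" or eport == port):
                return True
            continue
        # Domain entries: 'foo.com' matches foo.com and *.foo.com,
        # '.foo.com' and '*.foo.com' match subdomains only.
        if ehost.startswith("*."):
            ehost = ehost[1:]
        match_host = not ehost.startswith(".")
        if match_host:
            ehost = "." + ehost
        if host.endswith(ehost) or (match_host and host == ehost[1:]):
            if eport == "" or eport == port:
                return True
    return False


if __name__ == "__main__":
    # Constructed values: the registry from this thread and a typical default NO_PROXY.
    registry = "192.168.1.122:5000"
    print(registry, "via proxy" if not should_bypass_proxy(registry, "localhost,127.0.0.1") else "direct")
    print(registry, "via proxy" if not should_bypass_proxy(registry, "localhost,127.0.0.1,192.168.0.0/16") else "direct")
```

The first call shows why the pull hung: with only localhost and 127.0.0.1 excluded, the LAN registry goes through the proxy. Adding the registry's IP (as the poster did) or its whole subnet as a CIDR makes it direct. Note that the daemon reads HTTP_PROXY/HTTPS_PROXY/NO_PROXY from its own environment (on systemd hosts, a drop-in under /etc/systemd/system/docker.service.d/, per the Docker docs), not from the shell that runs docker pull.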

Jenkins mesosphere/jenkins-dind:0.3.1 and proxy

All,
I am using DCOS and the associated Jenkins.
My company is having a proxy for any external traffic.
Jenkins is running properly and can access the internal network as well as any external network.
I can get jobs to curl a URL on the internet if I set the HTTP proxy. I can pass this proxy to the mesosphere/jenkins-dind:0.3.1 container as an environment variable; however, I can't run any docker pull or docker run while in docker-in-docker mode.
I managed to reproduce the issue on one of the agent boxes.
sudo docker run hello-world
Hello from Docker!
This works!!
However, sudo docker run --privileged mesosphere/jenkins-dind:0.3.1 wrapper.sh "docker run hello-world" fails with
docker: Error while pulling image: Get https://index.docker.io/v1/repositories/library/hello-world/images: x509: certificate is valid for FG3K6C3A13800607, not index.docker.io.
This typically shows that the Docker daemon does not have access to the proxy.
Do you know how to ensure that the dind gets access to the proxy settings?
Antoine
This error can also manifest itself if the Docker daemon is unauthenticated against your registry but it looks like you're running against the public image, so that's not likely to be the problem.
You could try creating a new Parameter to the Jenkins node (see the instructions here for an example for how to set an environment variable called DOCKER_EXTRA_OPTS: https://docs.mesosphere.com/1.8/usage/service-guides/jenkins/advanced-configuration/).
In this case, we want to do the same (with Name env) but with the contents of Value set to something like HTTP_PROXY=http://proxy.example.com:80/.

Setting up a remote private Docker registry

I need some tips on setting up a 'remote private Docker registry'.
The README.md on Docker-Registry mainly focuses on a private registry running on the same host and does not specify how other machines can access it remotely (or maybe it is too complex to understand).
So far I found these threads:
Docker: Issue with pulling from a private registry from another server
(Still an open thread, no solution offered. Further discussion on Github gives hint on proxy, but how does that work?)
Create a remote private registry
(Maybe closest to what I'm looking for, but what command do I need to access the registry from other machines?)
How to use your own registry (Again, this focuses on running registry on the same host. It did mention running on port 443 or 80 for other machines to access, but need more detail!)
Running out of clues; any input very appreciated!
I was able to set up a remote private registry by referring to this:
Remote access to a private docker-registry
Steps:
On registry host, run docker run -p 5000:5000 registry
On the client host, start the Docker service with docker -d --insecure-registry 10.11.12.0:5000 (replace 10.11.12.0 with your own registry IP, and you might want to daemonize the process so it'll continue running after the shell closes.)
Edit: Alternatively, you can edit Docker's init script (/etc/sysconfig/docker for RHEL/CentOS, /var/lib/docker for Ubuntu/Debian). Add this line: other_args="--insecure-registry 10.11.12.0:5000", then do a service docker restart. This is the recommended method as it daemonizes the Docker process.
Now, try whether it works:
On the client, download a busybox image: docker pull busybox
Give it a new tag: docker tag busybox 10.11.12.0:5000/busybox
Push it to the registry: docker push 10.11.12.0:5000/busybox
Verify the push: docker search 10.11.12.0:5000/busybox
Remove all images and pull it from your registry: docker rmi busybox 10.11.12.0:5000/busybox and then docker pull 10.11.12.0:5000/busybox
Running docker images should show the image you just pulled from your own remote private registry.
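Both this procedure (the --insecure-registry flag or other_args line) and the earlier answer that puts "insecure-registries" into /etc/docker/daemon.json configure the same daemon setting. The script below is an added example, not part of either answer or of Docker: it merges an entry into an existing daemon.json without clobbering other keys, is idempotent, rejects anything that is not plain host:port (a scheme or path in the entry is a common mistake), skips nothing for localhost/127.0.0.0/8 (the Docker docs say those are treated as insecure automatically), and refuses a public IP, since a plaintext registry must not be reachable from outside the LAN. All addresses are constructed for the demo; nothing here writes to /etc/docker.

```python
import ipaddress
import json
import re
from typing import Dict, List, Optional, Tuple

# host:port as the daemon expects it under insecure-registries: no scheme, no path.
# IPv4 literals and DNS names only; IPv6 literals are left out of this example.
_REGISTRY_RE = re.compile(r"^(?P<host>[A-Za-z0-9.-]+):(?P<port>\d{1,5})$")


def parse_registry(registry: str) -> Tuple[str, int]:
    """Validate 'host:port' and return its parts; rejects 'http://...' and paths."""
    m = _REGISTRY_RE.match(registry)
    if not m:
        raise ValueError(f"expected host:port without scheme or path, got {registry!r}")
    port = int(m.group("port"))
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    return m.group("host"), port


def address_scope(host: str) -> Optional[str]:
    """'loopback', 'private' or 'public' for IP literals; None for DNS names."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return None
    if ip.is_loopback:
        return "loopback"
    if ip.is_private or ip.is_link_local:
        return "private"
    return "public"


def needs_insecure_entry(registry: str) -> bool:
    """False for localhost and 127.0.0.0/8, which the daemon already treats as
    insecure (Docker docs); True for any other registry served over plain HTTP."""
    host, _ = parse_registry(registry)
    return not (host.lower() == "localhost" or address_scope(host) == "loopback")


def merge_insecure_registry(config: Dict, registry: str) -> Dict:
    """Return a copy of the daemon config with `registry` under insecure-registries.

    Keeps every other key, is idempotent, and refuses a public IP: a plaintext
    registry belongs on the LAN only.
    """
    host, _ = parse_registry(registry)
    if address_scope(host) == "public":
        raise ValueError(f"{host} is a public address; front it with TLS and auth instead")
    new = dict(config)
    entries: List[str] = list(new.get("insecure-registries", []))
    if registry not in entries:
        entries.append(registry)
    new["insecure-registries"] = entries
    return new


def add_insecure_registry(config_text: str, registry: str) -> str:
    """Same as merge_insecure_registry, but on daemon.json text (an empty file is fine)."""
    config = json.loads(config_text) if config_text.strip() else {}
    return json.dumps(merge_insecure_registry(config, registry), indent=2) + "\n"


if __name__ == "__main__":
    # Constructed daemon.json with one unrelated key already present.
    existing = '{"log-driver": "json-file"}'
    print(add_insecure_registry(existing, "10.11.12.0:5000"))
    print("localhost entry needed:", needs_insecure_entry("localhost:5000"))  # False
```

Write the returned text to /etc/docker/daemon.json on every client that should pull from the registry, then restart the daemon (service docker restart, as in the steps above). The public-address refusal is deliberate: the moment a plain-HTTP registry is reachable from the internet, anyone can pull, and pushes and pulls can be tampered with in transit, so the correct fix there is TLS plus authentication rather than a longer insecure-registries list.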
I use a private registry in the following way:
It has the FQDN docker.mycompany.com.
All images which I create have names like docker.mycompany.com/image1, docker.mycompany.com/image2, etc.
After that everything works seamlessly:
Push image to registry:
docker push docker.mycompany.com/image1
Pull and run image:
docker run docker.mycompany.com/image2
