Artifactory as docker Registry - docker-remote-cache stays empty - docker

I finally managed to get Artifactory 5.1 running as a Docker registry with nginx in front as a reverse proxy, using the subdomain method with a wildcard SSL certificate.
I have the predefined set of docker repositories configured:
docker-local - repo
docker-remote - remote-repo
docker - virtual repo
I'm able to log in with the docker CLI and I can also push and pull images to and from docker, as mentioned in the JFrog docs.
I think my "docker-remote" doesn't work - it stays at 0 bytes with 0 artifacts in it.
If I pull something that isn't in my local repo, I would have guessed that it is pulled from docker.io and cached in docker-remote, but it seems it's simply pulled from docker.io - that's it.
Do I have to configure something? Did I miss something, or do I have to configure replication?
Any suggestions?

To configure your Docker CLI to use Artifactory as its registry, follow the instructions here. Make sure to perform the steps listed under "Configuring Your Docker Client".
There are a couple of things you can do to check whether your docker CLI is using Artifactory as its registry:
Use the docker info command to see what registry is configured
Look at the Artifactory request and access logs and look for requests from the Docker CLI
Images fetched from docker.io should be present in the remote repository
Make sure the images you are pulling are not stored in the local Docker cache

Related

Use cache docker image for gitlab-ci

I was wondering whether it is possible to use cached docker images in the GitLab registry for gitlab-ci.
For example, I want to use the node:16.3.0-alpine docker image. Can I cache it in my GitLab registry and pull it from there to speed up my GitLab CI, instead of pulling it from Docker Hub?
Yes, GitLab's dependency proxy features allow you to configure GitLab as a "pull through cache". This is also beneficial for working around rate limits of upstream sources like dockerhub.
It should be faster in most cases to use the dependency proxy, but not necessarily so. It's possible that dockerhub can be more performant than a small self-hosted server, for example. GitLab runners are also remote with respect to the registry and not necessarily any "closer" to the GitLab registry than any other registry over the internet. So, keep that in mind.
As a side note, the absolute fastest way to retrieve cached images is to self-host your GitLab runners and hold images directly on the host. That way, when jobs start, if the image already exists on the host, the job will start immediately because it does not need to pull the image (depending on your pull configuration). (that is, assuming you're using images in the image: declaration for your job)
I'm using a corporate Gitlab instance where for some reason the Dependency Proxy feature has been disabled. The other option you have is to create a new Docker image on your local machine, then push it into the Container Registry of your personal Gitlab project.
# First create a one-line Dockerfile containing "FROM node:16.3.0-alpine"
docker pull node:16.3.0-alpine
docker build . -t registry.example.com/group/project/image
docker login registry.example.com -u <username> -p <token>
docker push registry.example.com/group/project/image
where the image tag should be constructed based on the example given on your project's private Container Registry page.
Now in your CI job, you just change image: node:16.3.0-alpine to image: registry.example.com/group/project/image. You may have to run the docker login command (using a deploy token for credentials, see Settings -> Repository) in the before_script section -- I think maybe newer versions of Gitlab will have the runner authenticate to the private Container Registry using system credentials, but that could vary depending on how it's configured.

Docker registry not getting used when trying to pull without the registry mirrors in the command line. Error: manifest unknown: manifest unknown

I am trying to pull a docker image from a Nexus repo without using the registry mirror in the command line and it is throwing an error. If I use the registry mirror in the pull it succeeds, but the image name is not what I would like.
My docker version is:
Docker version 20.10.8, build 3967b7d
My nexus version is
Sonatype Nexus Repository ManagerOSS 3.31.1-01
docker system info:
Insecure Registries:
xxx.xxx.x.xxx:8083
127.0.0.0/8
Registry Mirrors:
http://xxx.xxx.x.xxx:8083/
When I run: sudo docker pull xxx.xxx.x.xxx:8083/mongo:4.2.3, it succeeds and the debug info is:
DEBU[2021-08-17T10:37:19.364681226-04:00] Calling HEAD /_ping
DEBU[2021-08-17T10:37:19.365301100-04:00] Calling POST /v1.41/images/create?fromImage=192.168.9.175%3A8083%2Fmongo&tag=4.2.3
DEBU[2021-08-17T10:37:19.367151579-04:00] Trying to pull xxx.xxx.x.xxx:8083/mongo from https://xxx.xxx.x.xxx:8083 v2
WARN[2021-08-17T10:37:19.374915464-04:00] Error getting v2 registry: Get https://xxx.xxx.x.xxx:8083/v2/: http: server gave HTTP response to HTTPS client
INFO[2021-08-17T10:37:19.374944418-04:00] Attempting next endpoint for pull after error: Get https://xxx.xxx.x.xxx:8083/v2/: http: server gave HTTP response to HTTPS client
DEBU[2021-08-17T10:37:19.374964188-04:00] Trying to pull xxx.xxx.x.xxx:8083/mongo from http://xxx.xxx.x.xxx:8083 v2
DEBU[2021-08-17T10:37:19.398630498-04:00] Fetching manifest from remote digest="sha256:92814bb60dc673bb68b6aca0b24bcb8738d7b2c267b97ce62fa92adc3746a0ea" error="<nil>" remote="192.168.9.175:8083/mongo:4.2.3"
DEBU[2021-08-17T10:37:19.429454057-04:00] Pulling ref from V2 registry: xxx.xxx.x.xxx:8083/mongo:4.2.3
When I run: sudo docker pull mongo:4.2.3 it fails to pull the image from Nexus with an error and pulls from docker.io on the next try. Debug info as below:
DEBU[2021-08-17T10:26:25.078886904-04:00] Calling HEAD /_ping
DEBU[2021-08-17T10:26:25.079306196-04:00] Calling GET /v1.41/info
DEBU[2021-08-17T10:26:25.097994642-04:00] Calling POST /v1.41/images/create?fromImage=mongo&tag=4.2.3
DEBU[2021-08-17T10:26:25.099642151-04:00] Trying to pull mongo from http://xxx.xxx.x.xxx:8083/ v2
INFO[2021-08-17T10:26:25.116000813-04:00] **Attempting next endpoint for pull after error: manifest unknown: manifest unknown**
DEBU[2021-08-17T10:26:25.116039299-04:00] Trying to pull mongo from https://registry-1.docker.io v2
DEBU[2021-08-17T10:26:25.305043063-04:00] Fetching manifest from remote digest="sha256:58b25d51baa11a85b6aedf7c4e05710d12a27ddc2883e2692e7d58527d98bd73" error="<nil>" remote="docker.io/library/mongo:4.2.3"
DEBU[2021-08-17T10:26:25.360955030-04:00] Pulling ref from V2 registry: mongo:4.2.3
DEBU[2021-08-17T10:26:25.361036645-04:00] docker.io/library/mongo:4.2.3 resolved to a manifestList object with 5 entries; looking for a unknown/amd64 match
Issue with Image name:
REPOSITORY TAG IMAGE ID CREATED SIZE
xxx.xxx.x.xxx:8083/mongo 4.2.3 97a9a3e85158 17 months ago 386MB
Any guidance on this would help.
Nexus Docker (xxx.xxx.x.xxx:8083) is pointed to a hosted type on port 8083 and mongo:4.2.3 is uploaded into this docker type. We ultimately want to use this in an air-gapped system where there is no internet connection.
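A way to spot this fallback in daemon debug output, as an added example that is not part of the original question: the code below scans dockerd debug lines for pulls that ended up being served by registry-1.docker.io after another endpoint failed. The sample lines are constructed from the debug output above with timestamps shortened; the function and field names are illustrative.

```python
import re

# Three dockerd debug messages matter: endpoint tried, endpoint abandoned, pull started.
TRY = re.compile(r"Trying to pull (?P<image>\S+) from (?P<endpoint>\S+) v2")
FAIL = re.compile(r"Attempting next endpoint for pull after error: (?P<error>.+)$")
DONE = re.compile(r"Pulling ref from V2 registry: (?P<ref>\S+)")
HUB = "registry-1.docker.io"

# Constructed sample: daemon lines from the question above, timestamps shortened.
SAMPLE = """\
DEBU[10:26:25] Trying to pull mongo from http://xxx.xxx.x.xxx:8083/ v2
INFO[10:26:25] Attempting next endpoint for pull after error: manifest unknown: manifest unknown
DEBU[10:26:25] Trying to pull mongo from https://registry-1.docker.io v2
DEBU[10:26:25] Pulling ref from V2 registry: mongo:4.2.3
DEBU[10:37:19] Trying to pull xxx.xxx.x.xxx:8083/mongo from https://xxx.xxx.x.xxx:8083 v2
INFO[10:37:19] Attempting next endpoint for pull after error: Get https://xxx.xxx.x.xxx:8083/v2/: http: server gave HTTP response to HTTPS client
DEBU[10:37:19] Trying to pull xxx.xxx.x.xxx:8083/mongo from http://xxx.xxx.x.xxx:8083 v2
DEBU[10:37:19] Pulling ref from V2 registry: xxx.xxx.x.xxx:8083/mongo:4.2.3
"""


def hub_fallbacks(log_text):
    """Return pulls that were served by Docker Hub after another endpoint failed."""
    findings, attempts = [], []
    for line in log_text.splitlines():
        if m := TRY.search(line):
            attempts.append({"endpoint": m["endpoint"], "error": None})
        elif (m := FAIL.search(line)) and attempts:
            # The error belongs to the endpoint that was tried last.
            attempts[-1]["error"] = m["error"].strip()
        elif m := DONE.search(line):
            failed = [a for a in attempts[:-1] if a["error"]]
            if attempts and HUB in attempts[-1]["endpoint"] and failed:
                findings.append({
                    "ref": m["ref"],
                    "served_by": attempts[-1]["endpoint"],
                    "skipped": [(a["endpoint"], a["error"]) for a in failed],
                })
            attempts = []  # the next "Trying to pull" starts a new pull
    return findings


if __name__ == "__main__":
    for finding in hub_fallbacks(SAMPLE):
        print(finding)
```

Only the short-name pull is reported: the pull that names the registry explicitly also retries once (HTTPS, then HTTP) but never leaves the private host.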
There are three things going on here:
I am trying to pull a docker image from a Nexus repo without using the registry mirror in the command line and it is throwing an error. If I use the registry mirror in the pull it succeeds, but the image name is not what I would like.
I'm going to recommend changing your likes. :)
If you want to pull from a specific registry, then use that registry in the image name. Trying to refer to your local registry with short names is merging two different image registry namespaces, which means it's trivial to run an image from the wrong namespace and result in a security breach. This was a large issue for other package repositories (see "dependency confusion" attacks) that docker was not susceptible to because they require the registry name as part of the image name (the only exception being Docker Hub). Even RedHat who tried to get options like add-registry and block-registry into the upstream docker engine (and failed, these options only ever appeared in a RedHat specific fork) is now telling users that it was a very bad idea and now their users are exposed to security vulnerabilities they can't easily fix because removing the feature will break lots of user environments.
Next, why doesn't the pull go to your registry? Because your image name doesn't match that of Docker Hub. Official images without a username are actually under the library repository. This is typically hidden from view, but you can do things like docker pull library/alpine or even docker pull docker.io/library/alpine instead of docker pull alpine, and all 3 will be pulling from the same place.
The fix is to run
docker pull xxx.xxx.x.xxx:8083/mongo:4.2.3
docker tag xxx.xxx.x.xxx:8083/mongo:4.2.3 xxx.xxx.x.xxx:8083/library/mongo:4.2.3
docker push xxx.xxx.x.xxx:8083/library/mongo:4.2.3
The last issue I actually can't help you with, it comes from the error message you're seeing when pulling from Hub, which should work:
docker.io/library/mongo:4.2.3 resolved to a manifestList object with 5 entries; looking for a unknown/amd64 match
The unknown/amd64 is unexpected to me, typically that would be linux/amd64 so there is something unexpected with the platform you're running your commands on. If you want to get into debugging that, update your question with docker info. You can try working around that with:
docker pull --platform linux/amd64 mongo:4.2.3
to force the platform, but that still doesn't explain why it doesn't know your current platform.
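The name expansion this answer describes, as an added example (not part of the original answer and not Docker's own code): a simplified re-implementation of how the engine fills in docker.io and library/, and which manifest URLs a pull therefore requests when a registry mirror is configured. The host mirror.example:8083 is a constructed placeholder, and the function names are illustrative.

```python
DEFAULT_REGISTRY = "docker.io"
HUB_ENDPOINT = "https://registry-1.docker.io"  # endpoint shown in the debug log above


def normalize(ref):
    """Expand an image reference to (registry, repository, tag_or_digest)."""
    name, _, digest = ref.partition("@")
    # Only a ':' after the last '/' is a tag; an earlier one belongs to host:port.
    tag = "latest"
    if ":" in name.rsplit("/", 1)[-1]:
        name, tag = name.rsplit(":", 1)
    first, slash, rest = name.partition("/")
    # The first component is a registry only if it looks like a host name.
    if slash and ("." in first or ":" in first or first == "localhost"):
        registry, repo = first, rest
    else:
        registry, repo = DEFAULT_REGISTRY, name
    if registry == "index.docker.io":
        registry = DEFAULT_REGISTRY
    # Official Docker Hub images live under the hidden "library/" namespace.
    if registry == DEFAULT_REGISTRY and "/" not in repo:
        repo = "library/" + repo
    return registry, repo, digest or tag


def manifest_urls(ref, mirrors=()):
    """Manifest URLs tried in order; mirrors are consulted only for Docker Hub names."""
    registry, repo, reference = normalize(ref)
    if registry != DEFAULT_REGISTRY:
        # An explicit registry is contacted directly (HTTPS is attempted first).
        return [f"https://{registry}/v2/{repo}/manifests/{reference}"]
    bases = [m.rstrip("/") for m in mirrors] + [HUB_ENDPOINT]
    return [f"{base}/v2/{repo}/manifests/{reference}" for base in bases]


if __name__ == "__main__":
    mirror = ["http://mirror.example:8083/"]  # constructed placeholder host
    for ref in ("mongo:4.2.3", "mirror.example:8083/mongo:4.2.3",
                "mirror.example:8083/library/mongo:4.2.3"):
        print(ref, "->", normalize(ref))
        for url in manifest_urls(ref, mirror):
            print("   ", url)
```

The short name makes the daemon ask the mirror for library/mongo, so an image pushed as mongo answers "manifest unknown" until it is re-tagged under library/.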
I guess you are trying to set your nexus docker repository to be the default one for the machine in the sealed network.
That needs changing because of the following from the docker documentation:
Tag an image for a private repository
To push an image to a private registry and not the central Docker registry you must tag it with the registry hostname and port (if needed).
$ docker tag 0e5574283393 myregistryhost:5000/fedora/httpd:version1.0
with more upfront configuration and upkeep but no changes required for the client machines
Is if you have a DNS server in your network you could point docker.io to your nexus host IP address and put a proxy to intercept the communication and redirect and adapt the requests as if they were to the nexus docker registry
Hope this solves your pickle :)
Update 1:
It could be that you need to also change /etc/containers/registries.conf like specified here to only or also specify your nexus docker registry.
Update 2:
Before letting Gopi give up entirely, I would suggest using Podman as an alternative to Docker. Podman is a daemon-less container engine that works by forking processes to handle each running container. It seamlessly works with docker images thanks to the OCI standard, and on top of that, the only change when using it is replacing the docker command prefix with podman since all the commands are exactly the same. Podman was created by RedHat so by default it searches RedHat repos and you can add your own too as shown in this article that I mentioned before.

How to pull from multiple private registries with docker-compose?

I've attempted to pull two images from two different projects' registries (GitLab container registry), all in one docker-compose.yml file.
How can I configure my gitlab-ci.yml or configure variables (whatever works) in order to pull my images properly without any access problems?
I have found a solution using docker login with a deploy token to have read-only access to my project registry. The problem is that it works only if I have one image to pull: How to build, push and pull multiple docker containers with gitlab ci?
You can use docker login multiple times before running docker-compose, one for each registry, and they will stack.
Thanks to #CCH, just to complete:
In my case I push to the registry server with tag v3.0
and my docker-compose.yml tries to pull on the production server with tag v3,
so I run:
docker tag registry.server.tdl/my-username/my-project/my-registry-name:v3.0 registry.server.tdl/my-username/my-project/my-registry-name:v3
to add the tag used in my docker-compose.yml

How to pull docker image from github and build image in ec2?

My actual requirement is to pull a docker image from GitHub, build a docker image on an ec2 instance and push that image to ecr. So, I am just trying to clear my first step by asking for help to pull the image from git; I am very new to all this.
Let's walk through each step you're asking about in your requirements:
Pull from GitHub - You won't pull a docker image from here, however you may pull a Dockerfile from here, which would be used to build an image. The command to do this would be just like cloning any other repository: git clone <repository url>
Build the image on ec2 - First you will need to have docker installed on the ec2 instance. Assuming you're running Ubuntu on your ec2 instance, follow the good instructions on Docker's page (https://docs.docker.com/install/linux/docker-ce/ubuntu/) mirror. Once docker is installed, navigate to the directory that has your Dockerfile in it (cloned from git) and type docker build . --tag mytag
Push the image to ecr - To do this, you need to have the amazon CLI installed on your box, and you need an ACCESS_KEY_ID and SECRET_ACCESS_KEY from AWS IAM. Once you have these, configure your connection by storing them as environment variables, or by typing aws configure and entering them. Once your credentials are configured, log into ECR by typing aws ecr get-login --no-include-email, and then copy/pasting the command it gives you. (you can also put ` around it to skip the copying step). This will allow you to push to ecr using docker push.
To clarify some of the points:
Github: It is a web-based hosting service for version control using git. So you can not pull docker image from Github.
To build a Docker image, you need Dockerfile. So you can fork the GitHub project which has this Dockerfile.
Then to build it on ec2, you can check out the project containing Dockerfile on ec2 server and build it using:
https://docs.docker.com/engine/reference/commandline/build/
and then you can push it to any registry using:
https://docs.docker.com/engine/reference/commandline/push/

Openshift and Artifactory integration error

I am unable to pull docker images from Artifactory on OpenShift Origin.
But I am able to pull the same images from the server using docker pull.
Error :
Internal error occurred: Get https://artifactory.mycompany.net/v2/: Bad Gateway?
Note: I have enabled proxy and gave no proxy to my org servers in openshift master config file.
I have also added artifactory docker repo as insecure registry in docker configuration
--
Thanks
OpenShift doesn't take wildcard entries in noproxy. So providing the full name in no_proxy fixed it.
