Rancher can pull images from private registry - docker

I have created a private registry with Harbor.
But when I use Rancher to update a container, Rancher cannot pull images.
Before this, registry.ziztour.com was operating normally.
Rancher registries:
Error:
Manually pull my private registry image successful:
rancher v1.1.0
docker v1.11.2

Better late than never, but when I had issues pulling from a secure registry I solved the issue by creating/modifying the etc/docker/daemon.json file on the rancher server and all rancher hosts and adding the following.
{
  "insecure-registries" : [
    "<registry-1-ip>",
    "<registry-2-ip>"
  ]
}
Once you've done this run sudo service docker restart
When you add the IPs, leave the http:// or https:// off.
Make sure you do this on all your rancher hosts as well as on the rancher server, otherwise it won't work.

Related

How can I pull a docker image in a Kubernetes cluster from a private registry behind a ssh connection

I’m trying to deploy a docker image on a kubernetes cluster. This cluster is on a server accessible via a ssh connection.
Here is the part of the .yaml I use to pull the image :
spec:
  containers:
  - name: my_image_name
    image: my_private_registry/my_image
my_image is stored in a private registry in another server accessible via a ssh connection (with a proxyjump).
I know how to pull an image from a private registry that is on the same server as the kubernetes cluster. But when it is on another server, I don’t. I'm sure that it is possible to configure kubernetes to make it use the ssh connection, but I didn't find resources helping me to do that. The other private registries are accessible just by a "docker login" command?
I’ve found the beginning of a solution by sending the image using a package named « docker_over_ssh », but it was not really appropriate. I’ve found a solution by pushing the image on dockerhub, but I’m sure that we can do better …
Thank you for your help. I’m sure that it is not complicated, but I’m quite new to kubernetes and docker.
It is quite important to understand that the docker daemon does not run inside kubernetes. So whatever you provide through kubernetes objects (pods, services...) is usually not accessible from outside.
You could provide a mirror registry for your cluster, so that it is accessible in the usual way.
Another option would be to use ssh port forwarding, if the ssh proxy allows that and use the forwarding host as registry.

Is there a way to use multiple docker registry proxy in cluster?

My fellow mates and I encountered a situation in which we'd like to have one computer with an internet connection (will be referred to as HOST 1) to proxy multiple registries to a few computers without an internet connection (will be referred to as CHILD HOST) but with a direct connection to HOST 1.
Registries Layout
General requirements
We'd like to pull images from dockerhub without any prefix (e.g. docker pull ubuntu and not docker pull localregistry:<someport>/ubuntu)
We'd like the local registry in HOST 1 to cache downloaded images from every registry
We'd like to be able to pull from multiple registries
From docker hub - docker pull ubuntu
From registry1 - docker pull registry1.dns/nameofimage
From registry2 - docker pull registry2.dns/nameofimage
What we have tried so far:
Docker private registry - we installed a docker private registry and added it to registry mirror. The disadvantage is that the private registry can only mirror one registry.
In order to cache & enable CHILD HOSTS to pull also docker hub images, we changed docker HTTP_PROXY to be the private registry. This meant that we can only proxy 1 registry at a time.
Sonatype Nexus3 - we created proxy registries for docker-hub, registry1 and registry2. Then we grouped them into a nexus docker group and added the group registry to docker mirror registry. The disadvantage is that we weren't able to pull images from docker hub with docker pull ubuntu; we had to pull with docker pull <nexus3address>:<docker group port>/ubuntu. Of course that didn't work for us either.
We had tried to use https://hub.docker.com/r/tiangolo/docker-registry-proxy as well and we encountered the same issues as the above (required prefix for docker pull)
Any ideas?

how to create a Docker local private repository

I created a local docker repository in my server. When I try to push the image into it, there is an error. I need an HTTPS connection. How do I get an HTTPS for my own docker registry?
os: ubuntu 16.x
Docker version: 18.06.1-ce, build e68fc7a
Already Tried:
Adding the below lines into /etc/docker/daemon.json,
{
  "insecure-registries" : ["myregistrydomain.com:5000"]
}
Expected: I should be able to push and pull images into my own server containing docker registry
To avoid exposing your registry to the wider internet while still being able to pull images from it you can:
Run a local registry on your dev machine, to which you push images
ssh to your server with a reverse tunnel:
ssh -R 5000:localhost:5000 myhost
(listen on port 5000 of the remote machine (-R 5000) and tunnel back to localhost:5000 on the local machine)
Now, on myhost you can docker pull localhost:5000/someImage, but it's actually seamlessly connecting through an encrypted tunnel back to the registry on your dev machine.
You can have a local unsecured registry.
For that, you need to add an exception in your /etc/docker/daemon.json, this way
{
  "insecure-registries" : ["myregistrydomain.com:5000"]
}
The same link shows how to use a self-signed certificate.
Eventually, using an actual certificate is just a step further, but you may not need one for development purposes.
EDIT :
You need to restart your daemon after that :
service docker restart

Have docker pull images from an insecure registry inside kubernetes

I want to configure docker inside kubernetes so that it will use http instead of https to pull container from a specific ip.
I can do that locally by adding this line to the docker json config file :
"insecure-registries" : ["mydomain:port"]
I want to make it clear that it's not about using a private registry, it's about using an insecure one.
How can I do that in kubernetes ?
You need to add your http registry as an insecure-registry (as you mention in your question) to your docker daemon on each kubernetes node (don't forget the workers).
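
An added example, not part of the original answers: several answers on this page add registries to insecure-registries in /etc/docker/daemon.json on every host or node. For a listed registry Docker ignores certificate errors and falls back to plain HTTP, so this Python audit classifies each entry per node and reports the ones that are not loopback. The node names and sample configs are constructed; myregistrydomain.com:5000 and localhost:5000 are the values used on the page.

```python
import ipaddress
import json


def classify(entry):
    """Classify one insecure-registries entry (host[:port] or CIDR)."""
    if "://" in entry:
        return "scheme-prefix"          # the answer above says to leave http(s):// off
    if "/" in entry:                    # CIDR form exempts every address in the range
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            return "malformed"
        if net.is_loopback:
            return "loopback"
        return "cidr-range" if net.num_addresses > 1 else "remote"
    host = entry
    if entry.startswith("["):           # [ipv6]:port
        host = entry[1:].split("]", 1)[0]
    elif entry.count(":") == 1:         # host:port or ipv4:port
        host = entry.split(":", 1)[0]
    if host == "localhost":
        return "loopback"
    try:
        return "loopback" if ipaddress.ip_address(host).is_loopback else "remote"
    except ValueError:
        return "remote"                 # DNS name of a non-local registry


def nodes_needing_review(configs):
    """configs maps node name -> daemon.json text; return non-loopback exemptions."""
    report = {}
    for node, text in configs.items():
        entries = json.loads(text).get("insecure-registries", [])
        flagged = [(e, classify(e)) for e in entries if classify(e) != "loopback"]
        if flagged:
            report[node] = flagged
    return report


# Constructed sample input: one daemon.json per node, as collected from each host.
NODE_CONFIGS = {
    "master": '{"insecure-registries": ["myregistrydomain.com:5000"]}',
    "worker-1": '{"insecure-registries": ["http://10.0.0.5:5000", "10.0.0.0/8"]}',
    "worker-2": '{"insecure-registries": ["localhost:5000"]}',
    "worker-3": "{}",
}

if __name__ == "__main__":
    for node, flagged in nodes_needing_review(NODE_CONFIGS).items():
        for entry, kind in flagged:
            print(f"{node}: {entry} -> {kind}")
```

A loopback entry such as the localhost:5000 endpoint of the SSH reverse tunnel described above is not reported, because that traffic is protected by the tunnel rather than by registry TLS.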

How to set a default registry to pull from in docker machine?

I have docker machine and by default it pulls my images from docker hub.
Now we have our own repo which can serve as a remote proxy to docker hub.
We can pull with docker pull server/repo/image.
Now I want that docker pull image resolves to our registry instead of docker hub. How can I achieve this in docker machine?
Changing the default docker registry is not possible. You can only configure a private registry to act as a mirror for the dockerhub registry as documented in Registry as a pull through cache.
Check moby-33069 issue which has requested this feature.
It can be done if you're using the Red Hat fork of Docker which is in their repos, CentOS or EPEL, not sure.
You use the --add-repository flag.
If I'm not mistaken you can also change the default repo if you build from source.
