Create app with image from own docker registry on OpenShift 3.1 - docker

I have my own docker registry secured with a self-signed certificate.
On other servers, I'm able to log in to the registry and pull/push images from it. So that seems to work fine.
But when I want to create an app from the image using OpenShift, it does not seem to work:
oc new-app ec2-xxx:5000/test/image1
error: can't look up Docker image "ec2-xx/test/image1": Internal error occurred: Get https://ec2-xxx:5000/v2/: x509: certificate signed by unknown authority
error: no match for "ec2-xxx:5000/test/image1"
What could be the issue?
I'm able to log in to the registry and pull the image manually.

Try adding "--insecure-registry" to the new-app command:
oc new-app ec2-xxx:5000/test/image1 --insecure-registry

Related

Signed Docker images with Google Cloud Container Registry or Artifact Registry

When I try to sign a docker image in GCR or GAR I use:
docker trust sign name:label
But I get this error: Error: error contacting notary server: unknown: Project 'project:XXX' not found or deleted
Has anyone found a way to work with signed docker images and Google Cloud?

Unable to pull image from the Gitlab container registry

I have created some images in the Gitlab Container Registry. I am unable to pull them using docker on my local system. The login command succeeds but when I type the following command:
docker pull reg-gitlab-project.company.com/services/palimited/integrationservices/springbootproject/springbootproject:latest
I am getting the following error
Error response from daemon: Head "https://reg-gitlab-project.company.com/v2/services/palimited/integrationservices/springbootproject/springbootproject/manifests/latest": denied: access forbidden
I am unable to figure out why this error is occurring. Can anyone guide me?

You need to authenticate with the container registry at reg-gitlab-project.company.com before issuing a docker pull command.
See, GitLab Docs: Authenticate with the Container Registry.

Certificate not valid for jfrog.io when using Docker registry

The documentation says I have to use jfrog.io and not jfrog.com. I also tried to login into jfrog.com, which did not work.
So it looks like acme.jfrog.io/acme is the right way to access my Docker registry.
Note: Also the hostname was missing in the description. I was only able to upload when specifying the full name, and setting the registry as insecure in my Docker configuration.
Is this a known issue? Or limitation of the free offering?
sudo docker login jfrog.io/acme
Username: admin
Password:
Error response from daemon: Get https://jfrog.io/v2/: x509: certificate is valid for jfrog.com, *.jfrog.com, not jfrog.io

Indeed, you should be using my-account.jfrog.io and not my-account.jfrog.com.
The docker login command which you are running is wrong. It is missing your account name (as a subdomain), so instead of calling jfrog.io you should be calling my-account.jfrog.io (for example daniel.jfrog.io).
The reason for getting the certificate error is that when trying to perform docker login directly to jfrog.io (without the subdomain) docker is trying to access an invalid URL - jfrog.io/v2. As a result it is being redirected to a 403 error page on jfrog.com which does not match the jfrog.io certificate.
To test your docker repository please follow the following steps:
Login to your repository with docker login command. Make sure to use your account name instead of my-account. Please notice that you do not need the repository name for the login command.
docker login my-account.jfrog.io
Pull the hello-world image from the Dockerhub
docker pull hello-world
Tag the hello-world image so it can be pushed to your repository (assuming it is a local repository and you have the permissions to push an image). Make sure to use your account name and repo name
docker tag hello-world my-account.jfrog.io/my-repo/hello-world
Push the tagged image to your repository
docker push my-account.jfrog.io/my-repo/hello-world

Pull private registry image with kubernetes-helm app without using imagepullsecret

I am using minikube to develop my Kubernetes application. I have a private Azure registry where my images are saved. Whenever I start the app, k8s starts to pull an image. It throws the following error:
Failed to pull image "myregistry.azurecr.io/myapp:mytag": rpc error: code = Unknown desc = Error response from daemon: Get https://myregistry.azurecr.io/v2/myapp/manifests/mytag: unauthorized: authentication required, visit https://aka.ms/acr/authorization for more information.
I am configuring my minikube using this documentation, where first I log in to ACR using the command below:
az acr login --name myregistry.azurecr.io --expose-token
After that, using the token provided by the above command, I log in to my private docker registry with the command below in minikube ssh.
docker login myregistry.azurecr.io -u 00000000-0000-0000-0000-000000000000
After that, as mentioned in the document, I copy the .docker/config.json to /var/lib/kubelet/config.json in minikube ssh. I am still facing the above error.
If I manually pull the image using the docker pull command, it works. I tried with imagepullsecret also and it is working. But with the above method, I am getting an authentication error. Am I missing any step here? Can you please help me?
Thanks...

It seems all the steps are right. Maybe you can check whether you really copied the config file to all the minikube nodes. By default, the command minikube ssh connects to the control plane. You can check if the nodes' IP addresses are right when you copy the config file to them.
But in my opinion, it's not a good approach to do it this way. It's better and more convenient to use the imagePullSecret and service account.

docker (behind a proxy) pull from azure container registry works but from registry-1.docker.io, it gives certificate signed by unknown authority error

In an Ubuntu 18.04 VM,
I am behind a proxy, and I've set up the docker configuration with the same proxy.
I created an azure container registry and when trying to docker pull from the registry it works.
But when trying to:
$docker run node:6
I get the error:
"docker: Error response from daemon: Get https://registry-1.docker.io/v2/: x509: certificate signed by unknown authority."
I've added the registry to /etc/docker/daemon.json:
{
"insecure-registries": ["registry-1.docker.io","myazureContainerRegistry.azurecr.io"]
}
By doing the above step, "$docker run myazureContainerRegistry.azurecr.io/myimage:tag" works but "$docker run node:6" still gives the certificate error.
I've added the certificate for "*.docker.io" to /etc/docker/certs.d/docker.io and also to /usr/local/share/ca-certificate (sudo apt update-ca-certificates), still it doesn't work.
I've also tried to:
$curl -k https://registry-1.docker.io/
$wget https://registry-1.docker.io/ --no-check-certificate
Both of these steps work but with docker (to run/pull node:6 ) I still get the certificate error.
The output of "$docker --version" is: "Docker version 18.09.2"
This is how my ~/.docker/config.json looks like:
config.json
I expect "docker run node:6" to pull the image successfully but it actually gives the error.

For your issue, first of all, you need to have the certificate in the ~/.docker/config.json. Then you can pull the image from the registry without logging in. Then you can execute the command without pulling the image beforehand. For you, the command is like this:
docker run registry-1.docker.io/node:6
On my side, the config.json looks like this:
And I can execute the command like this:
The URI of registry in the docker hub is https://index.docker.io/v1/charlesjunqiang.
Update
If you use the certificate file to authenticate to the Docker registry, then you should do some steps to authenticate to the Docker registry on the client machine.
One:
Add the certificate file in the directory /usr/local/share/ca-certificates/docker-dev-cert/ with the name yourname.crt. Then execute the commands:
sudo update-ca-certificates
sudo service docker restart
Second:
Create a directory in /etc/docker/certs.d with the same name as the registry, for example, myregistry.azurecr.io. Then add the certificate file to it with the name yourname.cert. You should also add the .key file that is automatically created when you create the certificate file.
Then you can log in to the registry and run the command docker run registry-1.docker.io/node:6 as you want.
There are screenshots of the result on my side.
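
Added example, not part of the original posts: a Python check that walks the "insecure-registries" list of a daemon.json like the one in the question above and reports whether /etc/docker/certs.d already holds what is needed to trust each registry by certificate instead, which is also the alternative to --insecure-registry for the self-signed registry in the first question. The two example.internal registry names, the function names and the temporary certs.d tree are constructed for illustration; the check relies on Docker reading *.crt files in a registry's certs.d directory as CA roots and *.cert/*.key pairs as client certificates.

```python
import json
import tempfile
from pathlib import Path


def audit_registry_trust(daemon_json_text, certs_d):
    """Return one finding per "insecure-registries" entry in daemon.json."""
    findings = []
    for registry in json.loads(daemon_json_text).get("insecure-registries", []):
        reg_dir = Path(certs_d) / registry
        names = sorted(p.name for p in reg_dir.iterdir()) if reg_dir.is_dir() else []
        ca_files = [n for n in names if n.endswith(".crt")]
        # Docker loads *.crt as CA roots and *.cert as client certificates,
        # each of which needs a matching *.key beside it.
        unpaired = [n for n in names
                    if n.endswith(".cert") and n[:-5] + ".key" not in names]
        if ca_files and not unpaired:
            action = "remove from insecure-registries"
        elif unpaired:
            action = "fix certs.d: .cert without .key"
        else:
            action = "install CA as %s" % (reg_dir / "ca.crt")
        findings.append({"registry": registry, "ca_files": ca_files,
                         "unpaired_client_certs": unpaired, "action": action})
    return findings


def demo():
    # Constructed sample: one registry name from the question plus two
    # hypothetical private registries, checked against a temporary certs.d.
    daemon_json = json.dumps({"insecure-registries": [
        "registry.example.internal:5000",
        "myazureContainerRegistry.azurecr.io",
        "mirror.example.internal",
    ]})
    with tempfile.TemporaryDirectory() as certs_d:
        broken = Path(certs_d) / "myazureContainerRegistry.azurecr.io"
        broken.mkdir()
        (broken / "yourname.cert").write_text("placeholder, not a real cert\n")
        trusted = Path(certs_d) / "mirror.example.internal"
        trusted.mkdir()
        (trusted / "ca.crt").write_text("placeholder, not a real cert\n")
        return audit_registry_trust(daemon_json, certs_d)


if __name__ == "__main__":
    for finding in demo():
        print(finding["registry"], "->", finding["action"])
```

On a real host, pass the contents of /etc/docker/daemon.json and the path /etc/docker/certs.d; an entry reported as "remove from insecure-registries" already has a CA file in place, so TLS verification can be left on for it.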
