artifactory as docker registry - docker

I tried to set up artifactory as docker registry as shown in this video: http://www.jfrog.com/video/artifactory-docker-integration/
However, I don't have SSL installed in artifactory so I'm using the --insecure-registry flag. (as shown in error in docker build publish plugin and Remote access to a private docker-registry)
Anyway, I don't know how to figure out the artifactory as docker registry url so I can do this:
curl -k -uusername:password "http://sdpvvrwm812.ib.tor.company.com:8081/artifactory/api/docker/docker-images"
This page, http://www.jfrog.com/confluence/display/RTF/Docker+Repositories, shows at the bottom that something called a reverse proxy might be needed? Is this true and if so how do I install such a thing?

The reason behind requiring a reverse proxy in front of Artifactory is related to a Docker client limitation - you cannot use a context path when providing the registry path, e.g. sdpvvrwm812.ib.tor.company.com:8081/artifactory/api/docker/docker-images is not valid. The Docker client assumes you are working with one big registry for all images, while Artifactory allows you to manage multiple registries (repositories) on the same server.
To overcome this issue you should set up a reverse proxy which will allow the Docker client to send requests to the root context and forward those requests to the correct repository path in Artifactory. For example, forwarding requests from sdpvvrwm812.ib.tor.company.com:8888/ to sdpvvrwm812.ib.tor.company.com:8081/artifactory/api/docker/docker-images
The Artifactory documentation contains configuration examples for NginX, Apache and HAProxy.
Notice that there are different configurations for Docker registry API v1 and v2.
After setting up the reverse proxy, the Docker client should use the proxy in order to access Artifactory.
If you are using the --insecure-registry flag there is no need to configure an SSL certificate. With older versions of Docker, before this flag was introduced (Docker 1.3.2) it was a mandatory requirement.
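The limitation and the proxy mapping described in this answer, modelled as an added example that is not part of the original answer or of Artifactory's documentation. The function names and the image name `myimage` are constructed for illustration, and the parsing rule is a simplified model of the client's behaviour.

```python
DEFAULT_REGISTRY = "docker.io"

def split_reference(ref):
    """Split an image reference into (registry host, repository, tag).

    Models the client's rule: the first component is a registry host only
    if it contains '.' or ':' or is 'localhost'. Everything after it is the
    repository name, so there is no slot for a context path on the host.
    Digest references (@sha256:...) are not handled here.
    """
    first, sep, rest = ref.partition("/")
    if sep and ("." in first or ":" in first or first == "localhost"):
        host, remainder = first, rest
    else:
        host, remainder = DEFAULT_REGISTRY, ref
    # A ':' after the last '/' separates the tag from the repository name.
    name, colon, tag = remainder.rpartition(":")
    if not colon or "/" in tag:
        name, tag = remainder, "latest"
    if host == DEFAULT_REGISTRY and "/" not in name:
        name = "library/" + name  # official images live under library/
    return host, name, tag

def manifest_url(ref, scheme="https"):
    """URL the client requests for the manifest (Registry HTTP API v2)."""
    host, name, tag = split_reference(ref)
    return f"{scheme}://{host}/v2/{name}/manifests/{tag}"

def proxy_forward(path, repo_key="docker-images",
                  backend="http://sdpvvrwm812.ib.tor.company.com:8081"):
    """Model of the proxy rule: prepend the Artifactory repository API path."""
    if not path.startswith("/v2/"):
        raise ValueError("not a registry v2 API request: " + path)
    return f"{backend}/artifactory/api/docker/{repo_key}{path}"

if __name__ == "__main__":
    # Context path in the reference: it is parsed as part of the image name.
    print(manifest_url("sdpvvrwm812.ib.tor.company.com:8081"
                       "/artifactory/api/docker/docker-images/myimage", "http"))
    # Through the proxy on :8888 the client talks to the root context ...
    print(manifest_url("sdpvvrwm812.ib.tor.company.com:8888/myimage:1.0", "http"))
    # ... and the proxy maps that request onto the repository path.
    print(proxy_forward("/v2/myimage/manifests/1.0"))
```

The first URL shows the request landing on `/v2/artifactory/...` at the server root, which is why the context path form fails without a proxy.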

Related

How to setup Nexus OSS in order to use docker proxy credentials

I've purchased a Docker account and set up my Docker proxy using Nexus OSS as follows:
Repositories -> Create a Docker Proxy -> Select Use Docker Hub (Remote Storage : https://registry-1.docker.io) -> with Authentication Enabled (providing username/password of Docker)
And inside my client I configured it to use my Nexus as registry mirror using the following command:
systemctl edit docker
then added:
[Service]
ExecStart=
ExecStart=/usr/bin/dockerd -H fd:// --registry-mirror=https://myprivatenexus.com
Yet when I'm trying to use "docker pull" inside my client I'll get the annoying "Docker Hub Pull Limits" error.
Is it possible to use my Docker account inside Nexus or should I try something else?
We used Nexus at work in a similar setting. Your nexus configuration looks like ours. For me the client mirror configuration looks strange. If I access a nexus repository without any configured connectors then I have to configure on client side the whole context path.
After your screenshot: https://YOUR_SERVER/repository/DockerHub
If you would connect a dedicated repository connector e.g. http/8088, then you could configure your client with
http://YOUR_SERVER:8088
The documentation from sonatype describes the same:
A configured context-path for the user interface does not affect the repository connector URLs used by Docker. E.g. if your repository manager instance is configured to be available at http://localhost:8081/nexus instead of the default root context http://localhost:8081/, the URLs for your Docker repositories will still only use the configured port for the repository and omit the context path in the URL. This is a side-effect of the fact that Docker does not support context paths in the registry API.

Can't push docker built image to SSL artifactory

Having trouble to push docker to internal Artifactory (6.11.1).
We have Artifactory installed on port 443 with Docker setting Repository Path.
If I log in using artifactory.local.int, pull an image, tag it and push it back, it works:
docker push artifactory.local/repo/image-name
but when I build an image myself or pull directly from docker hub and try to push,
docker will try to connect to port 80 and time out because Artifactory isn't listening to this port.
I also tried to tag an image with the port I get:
docker push artifactory.local:443/repo/image-name
error parsing HTTP 400 response body: invalid character 'B' looking for the beginning of value: "Bad Request\r\nThis combination of host and port requires TLS.\r\n"
Am I missing some port or TLS configuration? Why am I able to push pulled images back to artifactory but new images aren't working?
Try:
docker push https://artifactory.local/repo/image-name
You might need to login first:
docker login https://artifactory.local/repo/
In your example the docker client tries accessing Artifactory over port 443, but using http protocol instead of https protocol.
Before you push any image to Artifactory, you have to tag it. For more details, click on the "Set Me Up" button in Artifactory and select the docker repository; it will provide detailed steps.
The Docker access method also matters. Artifactory uses 3 methods:
1. Repository path
2. Subdomain
3. Port method
You have to perform the steps based on this method which you can setup in HTTP settings in Artifactory.
You can not use HTTPS with Repository Path and without a reverse proxy for Docker - Artifactory integration. If you would like to keep using Repository Path you will need to configure HTTP, and if you want HTTPS you can use either Port method or SubDomain (SubDomain is more recommended).

Unable to login to private docker registry from Jenkins

I am trying to use Jenkins to build and push docker images to private registry. However, while trying docker login command, I am getting this error:
http: server gave HTTP response to HTTPS client
I know that this might be happening because the private registry is not added as an insecure registry. But how can I resolve this in a CI pipeline?
Jenkins is set up on a Kubernetes cluster and I am trying to automate the deployment of an application on the cluster.
This has nothing to do with the Jenkins CI pipeline or Kubernetes. Jenkins will not be able to push your images until you follow either of the steps below.
You have two options here:
1) Configure your docker client to use the secure registry over HTTPS. This will include setting up self signed certificates or getting certificates from your local certificate authority.
2) Second solution is to use your registry over an unencrypted HTTP connection.
So if you are running docker on kubernetes, you will have to configure the daemon.json file in /etc/docker/daemon.json.
PS: This file might not exist. You will have to create it.
Then add in the below content. Make sure you change the url to match your docker registry
{
"insecure-registries" : ["myregistrydomain.com:5000"]
}
Then restart docker using systemctl restart docker or /etc/init.d/docker restart, depending on the version of the linux distro installed on your cluster.
Let me know if you have any questions
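A check for the setting this answer introduces, as an added example that is not part of the original answer. An insecure-registries entry makes the daemon ignore certificate errors for that registry and fall back to plain HTTP, so the script lists every registry and mirror a host reaches that way, from daemon.json and from a dockerd command line. The function names, the CIDR entry and the second mirror in the sample are constructed.

```python
import ipaddress
import json
import shlex
from urllib.parse import urlsplit

# Constructed sample input, based on the settings shown on this page.
SAMPLE_JSON = '{"insecure-registries": ["myregistrydomain.com:5000", "10.0.0.0/8"]}'
SAMPLE_EXEC = ("/usr/bin/dockerd -H fd:// "
               "--registry-mirror=https://myprivatenexus.com "
               "--registry-mirror http://YOUR_SERVER:8088")

def flag_values(exec_start, flag):
    """Values of a repeatable dockerd flag given as --flag=value or --flag value."""
    args = shlex.split(exec_start)
    values = []
    for i, arg in enumerate(args):
        if arg.startswith(flag + "="):
            values.append(arg.split("=", 1)[1])
        elif arg == flag and i + 1 < len(args):
            values.append(args[i + 1])
    return values

def is_network(entry):
    """True for CIDR notation, which covers every registry in the range."""
    try:
        ipaddress.ip_network(entry, strict=False)
    except ValueError:
        return False
    return "/" in entry

def audit(daemon_json="", exec_start=""):
    """Return (setting, value, note) for registries used without verified TLS."""
    cfg = json.loads(daemon_json) if daemon_json.strip() else {}
    insecure = list(cfg.get("insecure-registries", []))
    insecure += flag_values(exec_start, "--insecure-registry")
    mirrors = list(cfg.get("registry-mirrors", []))
    mirrors += flag_values(exec_start, "--registry-mirror")
    findings = []
    for entry in insecure:
        scope = "whole address range" if is_network(entry) else "single registry"
        findings.append(("insecure-registry", entry, scope))
    for url in mirrors:
        if urlsplit(url).scheme != "https":
            findings.append(("registry-mirror", url, "not https"))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_JSON, SAMPLE_EXEC):
        print(*finding, sep="\t")
```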

Does docker client support context path for registry?

Sonatype Nexus documentation indicates that you can push to a docker registry without a HTTP connector as per this guide.
It states the following:
Nexus would be listening at a non-https connector such as the default 8081. Docker repositories are added into Nexus as normal but would NOT be configured with any connector port values.
And the example shows:
The reverse proxy would direct docker push commands received at https://project.example.com:8086 to http://localhost:8081/repository/docker-hosted-project
I'm failing to understand how http://localhost:8081/repository/docker-hosted-project resolves to a registry. I can't test this directly on the Nexus server since the docker client does not support context paths.
How is this supposed to work?

How to Configure Nexus Sonatype docker image for inbound SSL?

I installed NexusOSS using docker-nexus on AWS, to use it as a docker private repository. After installation, I realized that docker private repo is enabled only if its inbound SSL is configured. Per documentation it can be done in two ways. I am trying to see how embedded jetty can be enabled for SSL.
I used an nginx reverse proxy in front of nexus to get SSL connections to docker repo. I am running nexus and nginx in docker containers. I have a hosted and proxy docker repo and a group docker repo including the hosted and proxy one. The HTTP port for the group repo is 5000 (which is used to access all docker registry via nginx.conf)
Here is my approach with steps in README.md:
https://github.com/akailash/nginx_nexus
