allow insecure registry in host provisioned with docker-machine - docker

Is there any way to configure --allow-insecure-ssl for docker's daemon created with docker-machine?
commands:
docker-machine create --driver virtualbox dev
eval "$(docker-machine env dev)"
docker run myregistry:5000/busybox:latest echo 'hello world'
output:
Unable to find image 'myregistry:5000/busybox:latest' locally
2015/06/04 16:54:17 Error: v1 ping attempt failed with error: Get
https://myregistry:5000/v1/_ping: EOF. If this private
registry supports only HTTP or HTTPS with an unknown CA certificate,
please add `--insecure-registry myregistry:5000` to the
daemon's arguments. In the case of HTTPS, if you have access to the
registry's CA certificate, no need for the flag; simply place the CA
certificate at /etc/docker/certs.d/myregistry:5000/ca.crt

If you are running docker-machine version v0.2 stable, you can't set Docker options in a simple way. In the next version, v0.3, this problem was resolved with the creation parameters.
At the moment this feature is in RC1, so you can use version v0.3.0-RC-1 or wait for the delivery of the next stable version, v0.3.0 (tentatively Jun. 16).
Then use the parameter --engine-insecure-registry to set --allow-insecure-ssl for docker's daemon, for example:
docker-machine create --driver virtualbox --engine-insecure-registry myregistry:5000 dev
After that you can execute:
docker run myregistry:5000/busybox:latest echo 'hello world'
Additionally, you can read about it in the project documentation.

If you want to add insecure registries to a docker-machine that is already created you can update the profile in the running docker VM.
Steps
SSH into your local docker VM.
note: if 'default' is not the name of your docker machine then substitute 'default' with your docker machine name
$ docker-machine ssh {machineName}
Open Docker profile
$ sudo vi /var/lib/boot2docker/profile
Add this line to the bottom of the profile file. If EXTRA_ARGS already exists, add the insecure registry flag to the EXTRA_ARGS. Substitute in the path[s] to your registries.
EXTRA_ARGS="
--insecure-registry myserver.pathTo.registry1:5000
--insecure-registry myserver.pathTo.registry2:5000
--insecure-registry myserver.pathTo.registry3:5000
"
Save the profile changes and 'exit' out of the docker-machine bash back to your machine. Then restart the Docker VM, substituting in your docker-machine name.
$ docker-machine restart {machineName}
Pull or push something from your registry to ensure it works
My Setup
docker-machine version : 0.6.0, build e27fb87
docker-machine driver : virtualbox

In case you want to add another registry once your docker-machine has already been created you will have to edit the configuration file:
vim ~/.docker/machine/machines/dev/config.json
Explained here: https://akrambenaissi.com/2015/11/17/addingediting-insecure-registry-to-docker-machine-afterwards/

env :
docker daemon :1.12.3
docker client :1.12.2
docker api :1.24
docker-machine :0.8.2
Before creating the machine
you can use the args to set one or more insecure registries and registry mirrors, e.g.:
one registry
docker-machine create -d virtualbox --engine-insecure-registry hostname:5000 --engine-registry-mirror http://hostname:5000 n1
multiple registries
docker-machine create -d virtualbox --engine-insecure-registry hostname:5000 --engine-insecure-registry hostname:5001 --engine-registry-mirror http://hostname:5000 n1
After creating the machine
you can edit /var/lib/boot2docker/profile to add the registries and mirrors
docker-machine ssh [machine-name]
vi /var/lib/boot2docker/profile
add the registries and mirrors to EXTRA_ARGS
EXTRA_ARGS='
--label provider=virtualbox
--insecure-registry hostname:5000
--insecure-registry hostname:5001
--registry-mirror http://hostname:5000
--registry-mirror http://hostname:5001
'
now you need to restart the machine and check it
docker-machine restart [machine-name]
docker info
this method doesn't work after creating the machine
edit $USER/.docker/machine/machines/default/config.json
"EngineOptions": {
"InsecureRegistry": [
"XXX.XXX.virtual"
],
}

edit $USER/.docker/machine/machines/default/config.json
"EngineOptions": {
"InsecureRegistry": [
"XXX.XXX.virtual"
],
}
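An added example (not part of any answer above) for reviewing what these profile edits leave behind: it reads a boot2docker profile as text and lists every --insecure-registry entry and every registry mirror reached over plain HTTP. The function names and the sample profile are constructed for illustration.

```shell
#!/bin/sh
# Added example: list registry settings in a boot2docker profile that weaken
# transport security. The file is parsed as text; it is never sourced.

# Print each value given to flag $1 in profile $2, one per line. Handles the
# multi-line quoted EXTRA_ARGS, "--flag value", "--flag=value", and a flag
# glued to the assignment (EXTRA_ARGS="--insecure-registry host").
list_flag_values() {
    grep -v '^[[:space:]]*#' "$2" | tr -d "'\"" | tr -s '[:space:]' '\n' |
    awk -v f="$1" '
        { sub(/^[A-Za-z_][A-Za-z0-9_]*=/, "") }  # drop a leading VAR= prefix
        want    { print; want = 0; next }
        $0 == f { want = 1; next }
        index($0, f "=") == 1 { print substr($0, length(f) + 2) }
    '
}

# Print one finding per line; return 1 if anything was found.
audit_profile() {
    rc=0
    for r in $(list_flag_values --insecure-registry "$1"); do
        echo "insecure-registry $r: certificate not verified, HTTP fallback allowed"
        rc=1
    done
    for m in $(list_flag_values --registry-mirror "$1"); do
        case $m in http://*) echo "registry-mirror $m: plaintext HTTP"; rc=1 ;; esac
    done
    return $rc
}

# Constructed sample profile, modelled on the snippets quoted on this page.
write_sample_profile() {
    cat > "$1" <<'EOF'
EXTRA_ARGS='
--label provider=virtualbox
--insecure-registry hostname:5000
--insecure-registry=hostname:5001
--registry-mirror http://hostname:5000
--registry-mirror https://mirror.example.internal
'
CACERT=/var/lib/boot2docker/ca.pem
DOCKER_TLS=auto
EOF
}

sample=$(mktemp)
write_sample_profile "$sample"
audit_profile "$sample" || echo "review the entries above"
rm -f "$sample"
```

Copy the profile out of the VM (or run the functions inside it) and point audit_profile at it; each reported registry is a candidate for the CA-certificate route named in the daemon's own error message instead of the flag.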

Related

dockerd --max-concurrent-downloads 1 command not found [duplicate]

I'm working with a poor internet connection and trying to pull and run an image.
I wanted to download one layer at a time and per documentation tried adding a flag --max-concurrent-downloads like so:
docker run --rm -p 8787:8787 -e PASSWORD=blah --max-concurrent-downloads=1 rocker/verse
But this gives an error:
unknown flag: --max-concurrent-downloads See 'docker run --help'.
I tried typing docker run --help and interestingly did not see the option --max-concurrent-downloads.
I'm using Docker Toolbox since I'm on an old Mac.
Over here under l there's an option for --max-concurrent-downloads however this doesn't appear on my terminal when typing docker run --help
How can I change the default of downloading 3 layers at a time to just one?
From the official documentation: (https://docs.docker.com/engine/reference/commandline/pull/#concurrent-downloads)
You can pass --max-concurrent-downloads during a pull operation.
You can set --max-concurrent-downloads with the dockerd command.
If you're using the docker Desktop GUI for Mac or Windows:
You can edit the .json file directly in docker engine settings:
This setting needs to be passed to dockerd when starting the daemon, not to the docker client CLI. The dockerd process is running inside of a VM with docker-machine (and other docker desktop environments).
With docker-machine that is used in toolbox, you typically pass the engine flags on the docker-machine create command line, e.g.
docker-machine create --engine-opt max-concurrent-downloads=1
Once you have a created machine, you can follow the steps from these answers to modify the config of an already running machine, mainly:
SSH into your local docker VM.
note: if 'default' is not the name of your docker machine then substitute 'default' with your docker machine name
$ docker-machine ssh default
Open Docker profile
$ sudo vi /var/lib/boot2docker/profile
Then in that profile, you would add your --engine-opt max-concurrent-downloads=1.
Newer versions of docker desktop (along with any Linux install) make this much easier with a configuration menu daemon -> advanced where you can specify your daemon.json entries like:
{
"max-concurrent-downloads": 1
}

How to set TLS Certificates for a machine in docker-machine

What I want to do:
I have dockerd running on one machine with TLS verify set to true. I would like to add this host as a machine in docker-machine.
What I have done:
I used the following command to start dockerd:
$ sudo dockerd -D --tls=true --tlscert=cert.pem --tlskey=key.pem -H tcp://172.19.48.247:2376
On a second machine I sourced the following variables:
export DOCKER_HOST=tcp://172.19.48.247:2376
export DOCKER_TLS_VERIFY=1
export DOCKER_CERT_PATH=/path/to/ssl
and ran docker command successfully:
$ docker run busybox echo hello
hello
Then I added this host to docker-machine:
docker-machine create --driver none --url=tcp://172.19.48.247:2376 dockerhost
Where I am going wrong:
I am getting a x509: certificate signed by unknown authority error now.
$ docker-machine ls
NAME ACTIVE DRIVER STATE URL SWARM DOCKER ERRORS Unknown
dockerhost - none Running tcp://172.19.48.247:2376 Unknown Unable to query docker version: Get https://172.19.48.247:2376/v1.15/version: x509: certificate signed by unknown authority
I tried using the docker-machine config but that doesn't work:
$ docker-machine config dockerhost --tlsverify --tlscacert=ca.pem --tlscert=cert.pem --tlskey=key.pem -H tcp://172.19.48.247:2376
Incorrect Usage.
Usage: docker-machine config [OPTIONS] [arg...]
Print the connection config for machine
Description:
Argument is a machine name.
Options:
--swarm Display the Swarm config instead of the Docker daemon
flag provided but not defined: -tlsverify
By default, the none driver will be configured to use the TLS certs found at ~/.docker/machine. This isn't necessarily what is needed, because you'll run into the error you've run into if your remote Docker host has a certificate signed by something other than the ca.pem that you've got at that location.
I've found a reference to a workaround here that I tested and it definitely seems to work. Here are the steps I followed:
docker-machine create -d none --url tcp://remotedocker.example.com:2376 remotedocker
This creates the following directory:
~/.docker/machine/machines/remotedocker
Inside that directory is a file called config.json. Edit that file, and change every instance of ".docker/machine/certs" to ".docker/machine/machines/remotedocker"
Normally, when you access Docker remotely, it only needs to have access to the ca.pem, cert.pem and key.pem files. As far as I can tell, the other files referenced in config.json will likely not get used by the none driver because regenerate-certs is not implemented by none.
You will need to copy in the ca.pem and key.pem files.
At this point, you should be able to run docker-machine config remotedocker, or eval "$(docker-machine env remotedocker)" and use your remote daemon successfully.
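The config.json edit described in this answer, as an added shell example that is not part of the original post: it rewrites the shared certificate paths to the machine's own directory, keeps a backup, and lists the referenced .pem files that still have to be copied in. The function names and the trimmed sample config.json are constructed; the machine name is assumed to contain no characters special to sed.

```shell
#!/bin/sh
# Added example: repoint a none-driver machine at its own certificate files.

# Replace every shared-cert path with the machine directory; keep one backup.
repoint_certs() {   # $1 = config.json, $2 = machine name
    [ -f "$1.bak" ] || cp "$1" "$1.bak" || return 1
    sed "s#\.docker/machine/certs#.docker/machine/machines/$2#g" "$1" > "$1.tmp" &&
        mv "$1.tmp" "$1"
}

# Print each *.pem path referenced by config.json that is not on disk yet.
missing_pem_files() {   # $1 = config.json
    sed -n 's/.*"[A-Za-z]*Path": *"\([^"]*\.pem\)".*/\1/p' "$1" | sort -u |
    while read -r p; do [ -f "$p" ] || echo "$p"; done
}

# Constructed, trimmed sample of a machine's config.json under fake home $1.
write_sample_config() {
    mkdir -p "$1/.docker/machine/machines/remotedocker"
    cat > "$1/.docker/machine/machines/remotedocker/config.json" <<EOF
{
  "DriverName": "none",
  "HostOptions": { "AuthOptions": {
    "CertDir": "$1/.docker/machine/certs",
    "CaCertPath": "$1/.docker/machine/certs/ca.pem",
    "ClientCertPath": "$1/.docker/machine/certs/cert.pem",
    "ClientKeyPath": "$1/.docker/machine/certs/key.pem",
    "StorePath": "$1/.docker/machine/machines/remotedocker"
  } }
}
EOF
}

# Demo in a throwaway directory: nothing has been copied in yet, so all
# three client files are reported as missing.
demo_home=$(mktemp -d)
write_sample_config "$demo_home"
cfg="$demo_home/.docker/machine/machines/remotedocker/config.json"
repoint_certs "$cfg" remotedocker && missing_pem_files "$cfg"
rm -rf "$demo_home"
```

An empty result from missing_pem_files means every certificate path in config.json resolves to a file in the machine's directory, so the client verifies the remote daemon against that machine's ca.pem rather than the shared one.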

How to modify the `--registry-mirror` of a running docker machine?

We can create a docker machine with --registry-mirror, e.g.:
docker-machine create -d virtualbox --engine-registry-mirror http://111222.m.daocloud.io mymachine
We will find the mirror URL in the boot2docker profile if we log into the machine:
$ docker-machine ssh mymachine
$ cat /mnt/sda1/var/lib/boot2docker/profile
EXTRA_ARGS='
--label provider=virtualbox
--registry-mirror http://111222.m.daocloud.io
'
CACERT=/var/lib/boot2docker/ca.pem
DOCKER_HOST='-H tcp://0.0.0.0:2376'
DOCKER_STORAGE=aufs
DOCKER_TLS=auto
SERVERKEY=/var/lib/boot2docker/server-key.pem
SERVERCERT=/var/lib/boot2docker/server.pem
And it will use this mirror when pulling images.
But how to change the mirror after the machine is created?
I tried to modify this boot2docker/profile file, but it does not seem to take effect. How to do it?
After modifying boot2docker/profile, you need to restart the daemon (or the VM).
A command like docker-machine ssh mymachine sudo /etc/init.d/docker restart ought to be enough, but if not, just restart the VM (docker-machine restart mymachine) and your change should take.

Docker daemon config file on boot2docker / docker-machine / Docker Toolbox

Where can I find docker daemon config file on boot2docker machine?
According to this topic: Dockerfile: Docker build can't download packages: centos->yum, debian/ubuntu->apt-get behind intranet
I want to set '--dns' in DOCKER_OPTS, but I can't find this config file either at /etc/default or anywhere else.
Inside boot2docker (boot2docker ssh) / docker-machine (docker-machine ssh default) , open or create the file /var/lib/boot2docker/profile and add the following line:
EXTRA_ARGS="--dns 192.168.1.145"
Also works for:
EXTRA_ARGS="--insecure-registry myinternaldocker"
After the change you need to restart the docker daemon:
sudo /etc/init.d/docker restart
Or leave boot2docker / docker-machine and restart the entire virtual machine:
boot2docker restart
# for docker machine
docker-machine restart default
Information taken from: https://groups.google.com/d/msg/docker-user/04pAX57WQ7g/_LI-z8iknxYJ
If you are using a mac you have to go to a fresh terminal and run:
boot2docker ssh
This will open a new terminal, from there you have to edit or create a file
sudo vi /var/lib/boot2docker/profile
and add the DNS that you would like to add, for example:
DOCKER_OPTS="-dns 8.8.8.8 -dns 8.8.4.4"
After that you need to restart boot2docker. Here I had some issues at the beginning, so I closed everything and ran in a terminal:
boot2docker down
boot2docker up
you can also use:
boot2docker restart
I had to do it twice. After that I started again using the normal boot2docker icon and everything worked.
If you want to script things, you can do these steps on one ugly line:
boot2docker ssh 'sudo sh -c "echo \"EXTRA_ARGS=\\\"--dns 1.2.3.4\\\"\" > /var/lib/boot2docker/profile && sudo /etc/init.d/docker restart"'
