Remote communication with private docker registry issues - docker

I have set up the registry server as below:
docker run -d --name p_registry -e SETTINGS_FLAVOUR=local -e STORAGE_PATH=/reg_storage -v /data/private-registry/storage:/reg_storage -p 5000:5000 registry
So, now I can push to this registry locally using
docker push localhost:5000/hello:tag1
But when I tried to push it from another machine, to this registry, it bails out:
docker push 1.2.3.4:5000/hello:tag1
Error: Invalid registry endpoint https://1.2.3.4:5000/v1/: Get https://1.2.3.4:5000/v1/_ping: EOF. If this private registry supports only HTTP or HTTPS with an unknown CA certificate, please add `--insecure-registry 1.2.3.4:5000` to the daemon's arguments. In the case of HTTPS, if you have access to the registry's CA certificate, no need for the flag; simply place the CA certificate at /etc/docker/certs.d/1.2.3.4:5000/ca.crt
Now, after that I tried various other options:
Edit /etc/sysconfig/docker
other_args=--insecure-registry=1.2.3.4:5000
And then I restarted docker using "service docker restart". This didn't work either. Every time I tried to push, it gave me the invalid registry endpoint.
I even tried doing as below:
vi /etc/default/docker
DOCKER_OPTS="$DOCKER_OPTS --insecure-registry=1.2.3.4:5000"
Even the one above gives the endpoint error.
Can somebody help here?
Ref: Remote access to a private docker-registry

DOCKER_OPTS="--insecure-registry 1.2.3.4:5000" should work

sudo service docker stop
sudo docker -d --insecure-registry 1.2.3.4:5000
This worked for me. Please try it and let us know.
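
The error message quoted in the question names a route other than --insecure-registry: serve the registry over HTTPS and place the CA certificate at /etc/docker/certs.d/1.2.3.4:5000/ca.crt. The following is an added example, not part of the original posts, that issues such a certificate from a private CA with openssl and checks it. The file names, the CA subject and the use of registry:2 with its TLS environment variables are assumptions.

```shell
# Added example. 1.2.3.4:5000 is the registry address from the question;
# file names and the CA subject are constructed placeholders.
set -eu

make_registry_certs() {   # usage: make_registry_certs <out-dir> <registry-ip>
  local dir="$1" ip="$2"
  mkdir -p "$dir"
  cat > "$dir/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Example Registry CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
  # Private CA: ca.key stays with the operator, only ca.crt goes to clients.
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -config "$dir/ca.cnf" \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
  # Registry key and signing request.
  openssl req -new -newkey rsa:2048 -nodes -config "$dir/ca.cnf" -subj "/CN=$ip" \
    -keyout "$dir/registry.key" -out "$dir/registry.csr" 2>/dev/null
  # The address must be an IP subjectAltName: Docker's TLS stack does not
  # match an IP address against the certificate's CN.
  printf 'subjectAltName=IP:%s\nextendedKeyUsage=serverAuth\nbasicConstraints=CA:FALSE\n' \
    "$ip" > "$dir/leaf.ext"
  openssl x509 -req -in "$dir/registry.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 365 -extfile "$dir/leaf.ext" -out "$dir/registry.crt" 2>/dev/null
  chmod 600 "$dir/ca.key" "$dir/registry.key"
}

# Succeeds only if registry.crt chains to ca.crt and names the IP as a SAN.
check_registry_cert() {   # usage: check_registry_cert <dir> <registry-ip>
  local dir="$1" ip="$2"
  openssl verify -CAfile "$dir/ca.crt" "$dir/registry.crt" >/dev/null 2>&1 || return 1
  openssl x509 -in "$dir/registry.crt" -noout -text | grep -qwF "IP Address:$ip"
}

# Registry host: mount the directory and point registry:2 at the pair, e.g.
#   -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/registry.crt
#   -e REGISTRY_HTTP_TLS_KEY=/certs/registry.key
# Each client: copy ca.crt to /etc/docker/certs.d/1.2.3.4:5000/ca.crt
if [ "$#" -eq 2 ]; then
  make_registry_certs "$1" "$2" && check_registry_cert "$1" "$2" && echo "certificates OK in $1"
fi
```

With the CA file in place on each client, the daemon verifies the registry's certificate and no insecure-registry entry is needed for that address.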

Related

need to get the images from docker to run in kubernetes error certificate signed by unknown authority

I am trying to run a Kubernetes cluster on my local machine. I have installed kubectl, Docker Toolbox, minikube and VirtualBox.
Before docker build:
minikube docker-env
I did a docker build and am trying to push the docker image to a local registry:
docker run -d -p 5000:5000 --restart=always --name registry registry:2
After which I am trying to push the image to the local repo:
docker tag d3ecb4966f24 X.X.X.X:2376/image
docker push X.X.X.X:2376/image
Error: x509: certificate signed by unknown authority
You have two options:
1. Bring the registry up with a valid certificate (recommended for production).
2. Add your registry as insecure in your Docker daemons (not recommended for production):
Don't do this in production; make it secure.
Add the following to daemon.json:
{
  "insecure-registries": ["X.X.X.X:2376"]
}
Restart the Docker daemon.

Docker behind transparent proxy and intermediate cert

OS: Centos 7.6.1810
Docker Version: Server Version: 18.09.5
Issue:
My company uses a transparent proxy with an intermediate cert to navigate. I was able to install the cert following doc: https://docs.docker.com/ee/dtr/user/access-dtr/ and these steps:
# Download the DTR CA certificate
sudo curl -k https://<dtr-domain-name>/ca -o /etc/pki/ca-trust/source/anchors/<dtr-domain-name>.crt
# Refresh the list of certificates to trust
sudo update-ca-trust
# Restart the Docker daemon
sudo /bin/systemctl restart docker.service
Curl and Wget are working well, but docker run is not:
$ docker run -it cheers
Unable to find image 'cheers:latest' locally
docker: Error response from daemon: Get https://registry-1.docker.io/v2/: remote error: tls: handshake failure.
See 'docker run --help'.
I've tried adding the registry as insecure in daemon.json but it was unsuccessful.
Has anyone run into the same problem?
I think I figured out what's going on:
The Docker client offers only TLS_ECDHE_* ciphers but .docker.io (behind my corporate proxy) offers only TLS_RSA ciphers.
Without the proxy, docker.io offers both types of ciphers.
Now, the next challenge: make docker offer TLS_RSA or make my proxy support TLS_ECDHE.
I have no idea how to do either.

docker (behind a proxy) pull from azure container registry works but from registry-1.docker.io, it gives certificate signed by unknown authority error

In ubuntu 18.04 VM
I am behind a proxy, I've set up docker configuration with the same proxy.
I created an azure container registry and when trying to docker pull from the registry it works.
But when trying to:
$ docker run node:6
I get the error:
"docker: Error response from daemon: Get https://registry-1.docker.io/v2/: x509: certificate signed by unknown authority."
I've added the registry to /etc/docker/daemon.json:
{
"insecure-registries": ["registry-1.docker.io","myazureContainerRegistry.azurecr.io"]
}
By doing the above step, "$docker run myazureContainerRegistry.azurecr.io/myimage:tag" works but "$docker run node:6" still gives the certificate error.
I've added the certificate for "*.docker.io" to /etc/docker/certs.d/docker.io and also to /usr/local/share/ca-certificate (sudo apt update-ca-certificates), still it doesn't work.
I've also tried to:
$ curl -k https://registry-1.docker.io/
$ wget https://registry-1.docker.io/ --no-check-certificate
Both of these steps work but with docker (to run/pull node:6 ) I still get the certificate error.
The output of "$docker --version" is: "Docker version 18.09.2"
This is what my ~/.docker/config.json looks like:
config.json
I expect "docker run node:6" to pull the image successfully, but it actually gives the error.
For your issue, first of all, you need to have the certificate in the ~/.docker/config.json. Then you can pull the image from the registry without logging in. Then you can execute the command without pulling the image beforehand. For you, the command is like this:
docker run registry-1.docker.io/node:6
On my side, the config.json looks like this:
And I can execute the command like this:
The URI of the registry in Docker Hub is https://index.docker.io/v1/charlesjunqiang.
Update
If you use the certificate file to authenticate the Docker registry, then you should do some steps to authenticate the Docker registry on the client machine.
One:
Add the certificate file in the directory /usr/local/share/ca-certificates/docker-dev-cert/ with the name yourname.crt. Then execute the commands:
sudo update-ca-certificates
sudo service docker restart
Second:
Create a directory in the directory /etc/docker/certs.d with the same name as the registry, for example, myregistry.azurecr.io. Then add the certificate file in it with the name yourname.cert. Also, you should add the .key file that was automatically created when you created the certificate file.
Then you can log in to the registry and run the command docker run registry-1.docker.io/node:6 as you want.
There are screenshots of the result on my side.

Docker Insecure registry, ubuntu 14.0.4 trusty, request canceled time out awaiting headers

I created a registry using the command below:
docker run -d -p 5000:5000 --restart=always --name registry registry
If I use the command
docker pull localhost:5000/…
everything works,
but if I use
docker pull ipaddress:5000/…
everything fails.
I tried editing the /etc/default/docker file with DOCKER_OPTS; that made the docker service crash.
I added an /etc/docker/daemon.json file with insecure registry entries, but even then I get the error below on docker pull/push:
request canceled time out awaiting headers
I am stuck here and need help.
I was able to fix the issue; it was due to a missing no_proxy. When I added it for my IP address, it started working.
You need to declare the registry as an insecure registry by editing the daemon.json file. By default, when connecting to a registry on localhost there is no need to have TLS certificates configured.
However, when you try to connect to a remote registry and it is insecure, you need to add an insecure registry line for the remote registry.

Private Docker Registry Not Connectible to Shell & Web Management UI?

Background:
To set up a private Docker registry server at path c:\dkrreg on localhost on a Windows 10 (x64) system with Docker for Windows installed, I have successfully tried the following commands:
docker run --detach --publish 1005:5000 --name docker-registry --volume /c/dkrreg:/var/lib/registry registry:2
docker pull hello-world:latest
docker tag hello-world:latest localhost:1005/hello-world:latest
docker push localhost:1005/hello-world:latest
docker pull localhost:1005/hello-world:latest
Push and Pull from localhost:1005/hello-world:latest via command line succeeds too.
Issue:
If I use my IP address via docker pull 192.168.43.239:1005/hello-world:latest, it gives the following error in the command shell:
Error response from daemon: Get https://192.168.43.239:1005/v1/_ping: http: server gave HTTP response to HTTPS client
When using a 3rd-party Docker UI manager via docker run --detach portainer:latest, it also shows a connection error:
2017/04/19 14:30:24 http: proxy error: dial tcp [::1]:1005: getsockopt: connection refused
I tried other stuff also. How can I connect to my private registry server, that is localhost:1005, from the LAN using any Docker management UI tool?
At last I found a solution to this, which was tricky.
I generated a CA private key and certificate as ca-cert-mycompany.pem and ca-cert-key-companyname.pem, and configured docker-compose.yml to save both files as :ro in these locations: /usr/local/share/ca-certificates, /etc/ssl/certs/, /etc/docker/certs.d/mysite.com. I also tried copying the certificate only to /usr/local/share/ca-certificates, which was enough, as docker will ignore duplicate CA certificates. This extra copying is because in many places Docker folks recommended the same. I did not execute the command update-ca-certificates this time in the registry container, but was doing so earlier, as against what is suggested by many.
Defined in docker-compose.yml: a random number as REGISTRY_HTTP_SECRET, the server's chained certificate (CA certificate appended to the end of it) to REGISTRY_HTTP_TLS_CERTIFICATE and the server's public key to REGISTRY_HTTP_TLS_KEY. I had disabled HTTP authentication. In particular, I used file names like those of other certificates found in the container folder, such as mysite.com_server-chained-certificate.crt instead of just certificate.crt.
V-Imp: pushed the certificate to the trusted root store in Windows using the command certutil.exe -addstore root .\Keys\ca-certificate.crt, followed by restarting Docker for Windows from the taskbar icon and then creating the container using docker-compose up -d. This is the most important step; without it nothing worked.
Now can perform docker pull mysite.com:1005/my-repo:my-tag.
You need to specify to your Docker daemon that your registry is insecure: https://docs.docker.com/registry/insecure/
Based on your OS/system, you need to change the configuration of the daemon to specify the registry address (format IP:PORT, use 192.168.43.239:1005 rather than localhost:1005).
Once you have done that, you should be able to execute the following:
docker pull 192.168.43.239:1005/hello-world:latest
You should also be able to access it via Portainer using 192.168.43.239:1005 in the registry field.
If you want to access your registry using localhost:1005 inside Portainer, you can try to run it inside the host network.
docker run --detach --net host portainer:latest
