ConfusedNoob

Reputation: 10186

Using private registry hosted on docker

I'm hosting my own docker-registry in a docker container. It's fronted by nginx running in a separate container to add basic auth. Checking the _ping routes I can see that nginx is routing appropriately. When calling docker login from boot2docker (on Mac OSX) I get this error:

FATA[0003] Error response from daemon: Invalid registry endpoint https://www.example.com:8080/v1/: Get https://www.example.com:8080/v1/_ping: x509: certificate signed by unknown authority. If this private registry supports only HTTP or HTTPS with an unknown CA certificate, please add --insecure-registry www.example.com:8080 to the daemon's arguments. In the case of HTTPS, if you have access to the registry's CA certificate, no need for the flag; simply place the CA certificate at /etc/docker/certs.d/www.example.com:8080/ca.crt

Which is odd - because it's a valid CA SSL cert. I've tried adding --insecure-registry in EXTRA_ARGS as per these instructions: https://github.com/boot2docker/boot2docker#insecure-registry but initially the 'profile' file doesn't exist. If I create it, and add

EXTRA_ARGS="--insecure-registry www.example.com:8080"

I see no improvement. I wanted to isolate the example and so tried docker login from an ubuntu VM (not boot2docker). Now I get a different error:

Error response from daemon: 

The docker registry is run directly from the public hub, e.g.

docker run -d -p 5000:5000 registry

(Note that nginx routes from 8080 to 5000). Any help and/or resources to help debug this would be much appreciated.

UPDATE

I was looking for a guide to help comprehensively solve this problem. Specifically:

I have created the registry and tested locally, it works. I have secured the registry with nginx adding basic auth.

The trouble is now actually using the registry from two types of client:

1) Non-boot2docker client. One of the answers below helped with this. I added the --insecure-registry flag to the options in /etc/default/docker and now I can talk to my remote docker registry. However, this isn't compatible with auth as docker login gets an error:

2015/01/15 21:33:57 HTTP code 401, Docker will not send auth headers over HTTP.

So, if I want to use auth I'll need to use HTTPS. I already have this server serving over HTTPS but that doesn't work if I set --insecure-registry. There appears to be a certificate trust issue, which I'm confident I can solve on non-boot2docker but...

2) For a boot2docker client, I can't get --insecure-registry to work or certificates to be trusted?

UPDATE 2

Following this stack exchange question I managed to add the CA to my ubuntu VM and I can now use it from a non-boot2docker client. However, there is still a lot of odd behavior.

Even though my current user is a member of the docker group (so I don't have to use sudo) I now have to use sudo or I get the following error when trying to log in or pull from my private registry:

user@ubuntu:~$ docker login example.com:8080
WARNING: open /home/parallels/.dockercfg: permission denied

parallels@ubuntu:~$ docker pull example.com:8080/hw:1
WARNING: open /home/parallels/.dockercfg: permission denied

And when running containers pulled from my private registry for the first time, I have to specify them by image ID - not their name.

Upvotes: 16

Views: 19284

Answers (7)

Finn

Reputation: 2775

  1. Register an SSL key from https://letsencrypt.org/ If you need more instructions, refer to this link.

  2. Enable SSL for nginx. Pay attention to the SSL part in the code below. After registering the SSL key, you have fullchain.pem, privkey.pem and dhparam.pem; use them for nginx to enable SSL.

server {
    listen 443;
    server_name docker.mydomain.com;

    # SSL
    ssl on;
    ssl_certificate /etc/nginx/conf.d/fullchain.pem;
    ssl_certificate_key /etc/nginx/conf.d/privkey.pem;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_dhparam /etc/nginx/conf.d/dhparam.pem;
    ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    ssl_stapling on;
    ssl_stapling_verify on;
    add_header Strict-Transport-Security max-age=15768000;


    # disable any limits to avoid HTTP 413 for large image uploads
    client_max_body_size 0;

    # required to avoid HTTP 411: see Issue #1486 (https://github.com/docker/docker/issues/1486)
    chunked_transfer_encoding on;

    location /v2/ {
        # Do not allow connections from docker 1.5 and earlier
        # docker pre-1.6.0 did not properly set the user agent on ping, catch "Go *" user agents
        if ($http_user_agent ~ "^(docker\/1\.(3|4|5(?!\.[0-9]-dev))|Go ).*$" ) {
            return 404;
        }

        # To add basic authentication to v2 use auth_basic setting plus add_header
        auth_basic "registry.localhost";
        auth_basic_user_file /etc/nginx/conf.d/registry.password;
        add_header 'Docker-Distribution-Api-Version' 'registry/2.0' always;

        proxy_pass                          http://docker-registry;
        proxy_set_header  Host              $http_host;   # required for docker client's sake
        proxy_set_header  X-Real-IP         $remote_addr; # pass on real client's IP
        proxy_set_header  X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header  X-Forwarded-Proto $scheme;
        proxy_read_timeout                  900;
    }
}

It resolved my problem, hope it helps you.

Upvotes: 2

JaTo

Reputation: 2832

Run the following command:

boot2docker ssh "echo $'EXTRA_ARGS=\"--insecure-registry <YOUR INSECURE HOST>\"' | sudo tee -a /var/lib/boot2docker/profile && sudo /etc/init.d/docker restart"

Upvotes: 3

Xiaokun

Reputation: 874

For Ubuntu, please modify the file /etc/default/docker:

DOCKER_OPTS="$DOCKER_OPTS --insecure-registry=10.27.19.230:5000"

For RHEL, please modify the file /etc/sysconfig/docker:

other_args="--insecure-registry 10.27.19.230:5000"

Upvotes: 2

anish

Reputation: 7412

Edit the docker file

sudo vim /etc/default/docker

Add the DOCKER_OPTS

DOCKER_OPTS="$DOCKER_OPTS --insecure-registry=www.example.com:8080"

Restart the docker service:

sudo service docker restart

Upvotes: 6

scjody

Reputation: 979

As of Docker version 1.3.1, if your registry doesn't support HTTPS, you must add it as an insecure registry. For boot2docker, this is a bit more complicated than usual. See: https://github.com/boot2docker/boot2docker#insecure-registry

The relevant commands are:

$ boot2docker init
$ boot2docker up
$ boot2docker ssh
$ echo 'EXTRA_ARGS="--insecure-registry <YOUR INSECURE HOST>"' | sudo tee -a /var/lib/boot2docker/profile
$ sudo /etc/init.d/docker restart

If you want to add SSL certificates to the boot2docker instance, it's going to be something similar (boot2docker ssh followed by sudo).

Upvotes: 2

farshidlk

Reputation: 21

Docker version > 1.3.1 communicates over HTTPS by default when connecting to a docker registry.

If you are using Nginx to proxy_pass to port 5000 where the docker registry is listening, you will need to terminate the docker client's SSL connection to the docker registry at the webserver/LB (Nginx in this case). To verify that Nginx is terminating the SSL connection well, use cURL https://www.example.com:8081/something where 8081 is another port set up for testing the SSL cert.

If you don't care if your docker client connects to the registry over HTTP and not HTTPS, add

OPTIONS="--insecure-registry www.example.com:8080"

in /etc/sysconfig/docker (or equivalent in other distros) and restart docker service.

Hope it helps.

Upvotes: 2

Miguel Marques

Reputation: 2846

Try running the daemon with the args:

docker -d --insecure-registry="www.example.com:8080"

instead of setting EXTRA_ARGS.

Upvotes: 1
