I feel pondering hard Questions leads to more knowledge than just seeking answers. Here I'll try to strike a balance between then Questions I've had and the potentially correct Solutions to match.

Thursday, November 6, 2014

Setting up an Insecure Docker Registry

Running anything in an insecure mode is always dangerous. However, if the goal is to simply test something out or run in a secured environment, it can be useful.  Thus was my use case to learn about using the Docker Registry and for speed of not bothering with SSL Certificates, run it in an insecure mode.  

I'm not going to cover working with Docker in general, just setting up an insecure registry, head over to the documentation first and to learn more.  I'm just going to journal this problem so hopefully no one has to waste time figuring it out.

There are many, numerous, blog posts about setting up Docker's Registry(properly), and most go over setting up some sort of authentication(recommend). However if the risky insecure route is fine, there's a slight hicup I found which was rather opaque to solve.

So let's follow the basics of getting a localized Docker Registry running.

  1. Pull the registry image from docker hub
    • docker pull registry
  2. Run  the container with local environment(quieter output than default dev)
    • docker run -d -p 5000:5000 --name registry registry 
    • A docker ps should now show it running
    • You can check if it's running but hitting localhost:5000/ on your web browser, which should return:
      • "docker-registry server (dev) (v0.8.1)"
  3. Push an image to the repo prefixed with the registries address.  Try a basic `ubuntu` image to the registry on your local machine: localhost:5000
    1. One quick aside, the way Docker will switch from using the default DockerHub api is to prefix the image name with the new registry address.  So tag the basic 'ubuntu' image with 'localhost:5000/ubuntu'.
      • docker tag ubuntu localhost:5000/ubuntu   
      • docker images   to verify it worked
    2. Then push the tagged image
      • docker push localhost:5000/ubuntu
And here comes the error...

Error response from daemon: Invalid registry endpoint https://localhost:5000/v1/: Get https://localhost:5000/v1/_ping: EOF. If this private registry supports only HTTP or HTTPS with an unknown CA certificate, please add `--insecure-registry localhost:5000` to the daemon's arguments. In the case of HTTPS, if you have access to the registry's CA certificate, no need for the flag; simply place the CA certificate at /etc/docker/certs.d/localhost:5000/ca.crt

I though this was running in an open dev mode?

There are multiple environments which the registry can run under with varying settings, they can be seen in the provided config file.  However after digging through blogs, I eventually stumbled across this Github issue which flipped the light switch.

The error comes from the Docker daemon running in the normal mode which by default requires HTTPS for communicating with Registry APIs.  The 'daemon' is the the local machine's and not the registry's server (should have been drinking more coffee).  


Shut down your docker daemon.  On debian based distros: 

  • sudo service docker stop

Run the docker daemon with the insecure flags:  

  • sudo docker -d --insecure-registry localhost:5000

Start the `registry` container since it was stopped when the old daemon shutdown. 

  • docker start registry

>>>>>>>>>>>>sudo docker push localhost:5000/ubuntu
The push refers to a repository [localhost:5000/ubuntu] (len: 1)
Sending image list
Pushing repository localhost:5000/ubuntu (1 tags)
511136ea3c5a: Image successfully pushed
d497ad3926c8: Image successfully pushed
ccb62158e970: Image successfully pushed
e791be0477f2: Image successfully pushed
3680052c0f5c: Image successfully pushed
22093c35d77b: Image successfully pushed
5506de2b643b: Image successfully pushed
Pushing tag for rev [5506de2b643b] on {http://localhost:5000/v1/repositories/ubuntu/tags/latest}

Now you can mess with an unsecured registry!

Hopefully this post might save people some time figuring out what is wrong. 


No comments:

Post a Comment