带有Amazon S3和TLS设置的Docker Registry 2.0

Question

I'm trying to set up internal docker-registry for our company in our amazon cloud which will store everything in S3 and work with TLS

Here are steps I did:
1) Created new bot account in Amazon
2) Create and assign new policy to that bot:

{
"Version": "2012-10-17",
"Statement": [
    {
        "Effect": "Allow",
        "Action": "s3:ListAllMyBuckets",
        "Resource": "arn:aws:s3:::*"
    },
    {
        "Effect": "Allow",
        "Action": "s3:*",
        "Resource": [
            "arn:aws:s3:::docker-repo-storage",
            "arn:aws:s3:::docker-repo-storage/*"
        ]
    }
]
}

3) Created bucket with the same name as per policy " docker-repo-storage "
4) Installed docker:

curl -sSL https://get.docker.com/ | sh

5) Download in " /etc/docker/certs/ " our corporate wildchar certificate and key
6) Created config file in " /etc/docker/config/config.yml "

version: 0.1
log:
  level: debug
  fields:
    service: registry
storage:
  s3:
    accesskey: <my_key_which_i_hide>
    secretkey: <my_secret_key_which_i_hide>
    region: eu-central-1
    bucket: docker-repo-storage
    encrypt: true
    secure: true
    v4auth: true
http:
   addr: <my_domain_which_I_hide>:5000
tls:
  certificate: /etc/docker/certs/wcard.<my_cert>.crt
  key: /etc/docker/certs/wcard.<my_key>.key

7) Register domain in amazon "Route 53" against IP of machine where i installed docker
8) Running docker with the fallowing parameters:

docker run -d -p 5000:5000 --restart=always --name <my_custom_name> -v 'pwd'/config.yml:/etc/docker/config/config.yml registry:2

as per description in official documentation

It runs successfully, so I perform the fallowing test:

docker pull ubuntu && docker tag ubuntu localhost:5000/mytestimg
docker push localhost:5000/mytestimg

Go to S3 bucket - and its empty, image wasn't uploaded to the S3 storage, instead it store it locally on EC2 instance VM

I set up another node with docket and try to pull " mytestimg " from that repo:

docker pull <my_domain>:5000/mytestimg
Using default tag: latest
Error response from daemon: unable to ping registry endpoint https://<my_domain>:5000/v0/
v2 ping attempt failed with error: Get https://<my_domain>:5000/v2/: tls: oversized record received with length 20527
v1 ping attempt failed with error: Get https://<my_domain>:5000/v1/_ping: tls: oversized record received with length 20527

As you see it fail to ping. I removed TLS from config, densest help, I spiked config and run all params from command line:

docker run -d -p 5000:5000 --restart=always --name <custom_name> -e SETTINGS_FLAVOR=s3 -e AWS_BUCKET=docker-repo-storage -e STORAGE_PATH=/registry -e AWS_KEY=<hidden> -e AWS_SECRET=<hidden> -e AWS_REGION=eu-central-1 -e STORAGE_REDIRECT=true -e SEARCH_BACKEND=sqlalchemy -v `pwd`/certs:/etc/docker/certs -e REGISTRY_HTTP_TLS_CERTIFICATE=/etc/docker/certs/wcard.<hidden>.crt -e REGISTRY_HTTP_TLS_KEY=/etc/docker/certs/wcard.<hidden>.key registry:2

it doesn't work, nor like this:

docker run -d -p 5000:5000 --restart=always --name <custom_name> -e SETTINGS_FLAVOR=s3 -e AWS_BUCKET=docker-repo-storage -e STORAGE_PATH=/registry -e AWS_KEY=<hidden> -e AWS_SECRET=<hidden> -e AWS_REGION=eu-central-1 -e STORAGE_REDIRECT=true -e SEARCH_BACKEND=sqlalchemy registry:2

What am i doing wrong? why its ignoring S3 and not uploading it there? why I cant connect from another machine and ping v0, v1, v2 fails?

Please help

Answer 1

I had the same issue while creating my own private repository.

When i exported the DOCKER_OPTS environment variable both in the docker host and the connecting node the issue got resolved.

example DOCKER_OPTS=--insecure-registry=xx.xxx.xxx.xxx:5000