Docker: private registry access
Question
I'm trying to push an image to my docker private repository:
docker pull busybox
docker tag busybox living-registry.com:5000/busybox
docker push living-registry.com:5000/busybox
Docker tells me:
The push refers to a repository [living-registry.com:5000/busybox] Get https://living-registry.com:5000/v1/_ping : read tcp 195.83.122.16:39714->195.83.122.16:5000: read: connection reset by peer
These commands are being performed on a CoreOS.
In another machine, I've started my registry using this command:
docker run -d -p 5000:5000 --restart=always --name registry \
-v /root/docker-registry/auth:/auth \
-e "REGISTRY_AUTH=htpasswd" \
-e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" \
-e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd \
-v /root/docker-registry/certs:/certs \
-e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/registry.crt \
-e REGISTRY_HTTP_TLS_KEY=/certs/registry.key \
-v /root/docker-registry/data:/var/lib/registry \
registry:2
Everything seems to be right:
# netstat -tupln | grep 5000
tcp6 0 0 :::5000 :::* LISTEN 3160/docker-proxy
# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
27e79f6a504c registry:2 "/bin/registry serve " About an hour ago Restarting (2) 36 minutes ago 0.0.0.0:5000->5000/tcp registry
So, when I'm trying to log in:
[root@jenkins certs]# docker login living-registry.com:5000
Username: xxxx
Password: xxxx
Error response from daemon: Get https://living-registry.com:5000/v1/users/ : read tcp 195.83.122.16:39756->195.83.122.16:5000: read: connection reset by peer
Any ideas?
EDIT
I've already added the certificate ( ca.crt ) in /etc/ssl/certs and in /etc/docker/certs.d/xxxx:5000/ .
From this CoreOS instance, I'm trying to perform that:
$ docker login https://xxxx:5000 Username: xxx Password: Email: xxx@mail.com And it tells me:
Error response from daemon: invalid registry endpoint https://xxxx:5000/v0/ : unable to ping registry endpoint https://xxxx:5000/v0/ v2 ping attempt failed with error: Get https://xxxx:5000/v2/ : EOF v1 ping attempt failed with error: Get https://xxxx:5000/v1/_ping : EOF. If this private registry supports only HTTP or HTTPS with an unknown CA certificate, please add
--insecure-registry xxxx:5000to the daemon's arguments. In the case of HTTPS, if you have access to the registry's CA certificate, no need for the flag; simply place the CA certificate at /etc/docker/certs.d/xxxx:5000/ca.crt
I've also tried to get the connection directly with openssl :
openssl s_client -connect x.x.x.x:5000
The output is:
CONNECTED(00000003)
140180300502672:error:140790E5:SSL routines:ssl23_write:ssl handshake failure:s23_lib.c:177:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 308 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1467812448
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
1 answers
solution1
0 2016-07-06 23:04:25
For self-signed certificates, the crt must be copied into
/etc/docker/cert.d/hostname:port/ca.crt
cf : https://docs.docker.com/engine/security/certificates/
I create certificates :
openssl req -x509 -nodes -days 3650d -newkey rsa:2048 -keyout /root/docker-registry/certs/registry.key -out /root/docker-registry/certs/registry.crt -days 3650d
cp /root/docker-registry/certs/registry.crt /etc/docker/cert.d/x.x.x.x:5000/ca.crt
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.