Closed Smithx10 closed 6 years ago
It looks like you are running a docker registry over HTTP (and not HTTPS).
Docker provides an HTTP fallback, which is something Triton does not do (and I don't think Triton has ever supported regular HTTP pull, but perhaps @trentm can confirm that).
The Triton docker_registry_insecure flag is used to allow unverified SSL connections (i.e. if you were using a self-signed cert).
Todd's understanding is mine as well: Triton's docker has never supported pull/push from/to a 'http' Docker registry. IIRC the docker client doesn't let you specify a scheme for a given registry hostname. I.e.:
docker pull foo.example.com/myimage # works
docker pull http://foo.example.com/myimage # does not work
So... without a scheme, Triton always infers https.
@twhiteman
You are correct. Found the documentation that verifies what docker_registry_insecure does.
| docker_registry_insecure | Boolean | Set to true to allow access to Docker registries with self-signed certificates. Warning: this shouldn't be used in production. |
@trentm Would it make sense, or be possible, to maybe specify a certain port on which Triton will allow http / insecure-registries for testing?
For example, any registry with the port "1337" is considered an allowed insecure registry?
docker push foo.example.com:1337/myimage.
This may not be worth it in the end, and people should just use https.
Thanks for the feedback.
@Smithx10 I don't think I'd like to add support for pull from http to the product. I don't think there should be a magic port number either. If you need this for testing, I'd suggest that you monkey patch the appropriate places in sdc-docker and sdc-imgapi code to infer scheme="http" for a hardcoded domain. However, that's not very helpful because I don't know exactly where in the code you'd need to do that.
@trentm Sounds good. I'll just use https :)
I'm attempting to push an image to an insecure registry and received the following error:
I set the following while looking for a way to allow insecure registries.
Natively in docker you can add an insecure registry by doing the following:
I'd imagine the configuration of such a setting would have to be available to the public / client and not set within sapi.
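
The behaviour described in this thread, as an added example that is not part of the original discussion and is not sdc-docker or sdc-imgapi code: an image reference carries no scheme, the scheme is always inferred as https, and docker_registry_insecure only relaxes certificate verification. The function names `parseImageRef` and `registryConnOpts` are hypothetical, and mapping the flag onto Node's `rejectUnauthorized` TLS option is an assumption.

```javascript
'use strict';
// Added illustration; helper names are hypothetical, not Triton's API.

// Split "host[:port]/repo[:tag]". As in the docker CLI, the first path
// component is a registry host only if it contains '.' or ':' or is
// 'localhost'. Digest references (@sha256:...) are not handled here.
function parseImageRef(ref) {
    if (/^[a-z][a-z0-9+.-]*:\/\//i.test(ref)) {
        // "docker pull http://foo.example.com/myimage" does not work.
        throw new Error('scheme not allowed in image reference: ' + ref);
    }
    const slash = ref.indexOf('/');
    const first = slash === -1 ? '' : ref.slice(0, slash);
    const isHost = first.includes('.') || first.includes(':') || first === 'localhost';
    let repo = isHost ? ref.slice(slash + 1) : ref;
    let tag = 'latest';
    const colon = repo.lastIndexOf(':');
    if (colon !== -1 && !repo.slice(colon).includes('/')) {
        tag = repo.slice(colon + 1);
        repo = repo.slice(0, colon);
    }
    return { host: isHost ? first : null, repo, tag };
}

// Build connection settings for a private registry. The scheme is always
// https; the insecure flag (assumed to map to rejectUnauthorized) disables
// certificate verification only and never downgrades the request to http.
function registryConnOpts(ref, config) {
    const { host, repo, tag } = parseImageRef(ref);
    if (!host) throw new Error('example covers explicit registry hosts only');
    const insecure = config.docker_registry_insecure === true;
    return {
        url: 'https://' + host + '/v2/' + repo + '/manifests/' + tag,
        rejectUnauthorized: !insecure
    };
}

// Constructed sample references, using the hostnames from the thread.
for (const ref of ['foo.example.com/myimage', 'foo.example.com:1337/myimage',
                   'http://foo.example.com/myimage']) {
    try {
        console.log(ref, '->', registryConnOpts(ref, { docker_registry_insecure: true }));
    } catch (e) {
        console.log(ref, '-> rejected:', e.message);
    }
}
```

With the flag set, a registry that only speaks plain HTTP on its port still fails, because the client opens a TLS connection that the server cannot answer.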