TritonDataCenter / sdc-docker

Docker Engine for Triton
Mozilla Public License 2.0

docker push to insecure registry #133

Closed Smithx10 closed 6 years ago

Smithx10 commented 6 years ago

I'm attempting to push an image to an insecure registry and received the following error:

bruce.smith@Bruces-MacBook-Pro ~ ❯❯❯ td push d-nexus.inst.smith.tritonhost.com:8080/ovh-engine:test
The push refers to a repository [d-nexus.inst.smith.tritonhost.com:8080/ovh-engine]
Error: write EPROTO 1:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:../deps/openssl/openssl/ssl/s23_clnt.c:794:

I set the following while looking for a way to allow insecure registries.

[root@headnode (bs-1) /zones/smith/cert]# sdc-sapi /applications?name=sdc | grep insecure
      "docker_registry_insecure": "true"

Natively in docker you can add an insecure registry by doing the following:

Resolved the issue by adding a file /etc/docker/daemon.json with the following content
{
    "insecure-registries" : [ "hostname.cloudapp.net:5000" ]
}

I'd imagine the configuration of such a setting would have to be available to the public / client and not set within sapi.

twhiteman commented 6 years ago

It looks like you are running a docker registry over HTTP (and not HTTPS).

Docker provides an HTTP fallback, which is something Triton does not do (and I don't think Triton has ever supported regular HTTP pull, but perhaps @trentm can confirm that).

The Triton docker_registry_insecure flag is used to allow unverified SSL connections (i.e. if you were using a self signed cert).

trentm commented 6 years ago

Todd's understanding is mine as well: Triton's docker has never supported pull/push from/to a 'http' Docker registry. IIRC the docker client doesn't let you specify a scheme for a given registry hostname. I.e.:

docker pull foo.example.com/myimage   # works
docker pull http://foo.example.com/myimage # does not work

So... without a scheme, Triton always infers https.
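As an added example (not code from the sdc-docker project), a small Python probe that makes the distinction drawn above concrete: it opens a verifying TLS connection the way Triton's https-only inference would, then tells a registry that is not speaking TLS at all (the "unknown protocol" EPROTO error quoted in the issue) apart from one whose certificate merely fails verification, which is the only case docker_registry_insecure=true is meant to cover. The host and port arguments are whatever registry you want to check.

```python
"""Classify why a verifying TLS connection to a Docker registry failed."""
import socket
import ssl

# OpenSSL reason strings produced when a TLS client handshakes with a
# plain-HTTP listener. "unknown protocol" is the old SSL23 wording from the
# issue; newer OpenSSL reports "wrong version number" for the same situation.
PLAIN_HTTP_MARKERS = ("unknown protocol", "unknown_protocol",
                      "wrong version number", "wrong_version_number")

# Reason strings produced when the peer does speak TLS but presents a
# certificate the client cannot verify (self-signed, untrusted CA).
UNTRUSTED_CERT_MARKERS = ("certificate verify failed",
                          "certificate_verify_failed",
                          "self signed", "self-signed")


def classify_tls_failure(message):
    """Map an OpenSSL/Node/Python TLS error string to a coarse diagnosis."""
    m = message.lower()
    if any(k in m for k in PLAIN_HTTP_MARKERS):
        return "plain-http"       # no amount of cert trust will help here
    if any(k in m for k in UNTRUSTED_CERT_MARKERS):
        return "untrusted-cert"   # TLS works; trust chain is the problem
    return "other"


def probe_registry(host, port=443, timeout=5.0):
    """Connect with full certificate verification and report the outcome."""
    ctx = ssl.create_default_context()   # verifies chain and hostname
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return "tls-ok:" + tls.version()
    except ssl.SSLError as exc:          # includes SSLCertVerificationError
        return classify_tls_failure(str(exc))
    except OSError as exc:               # refused, timed out, unreachable
        return "unreachable:" + str(exc)


if __name__ == "__main__":
    import sys
    host, port = sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 443
    print(host, port, probe_registry(host, port))
```

A "plain-http" result means the registry must be put behind TLS before Triton can talk to it; "untrusted-cert" is the case the SAPI flag (or, better, a properly issued certificate) addresses.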

Smithx10 commented 6 years ago

@twhiteman

You are correct. Found the documentation that verifies what docker_registry_insecure does.

docker_registry_insecure Boolean Set to true to allow access to Docker registries with self-signed certificates. Warning: this shouldn't be used in production.

@trentm Would it make sense, or be possible to maybe specify a certain port that triton will allow http / insecure-registries for testing?

For example, any registry with the port "1337" is considered an allowed insecure registry?

docker push foo.example.com:1337/myimage.

This may not be worth it in the end, and people should just use https.

Thanks for the feedback.

trentm commented 6 years ago

@Smithx10 I don't think I'd like to add support for pull from http to the product. I don't think there should be a magic port number either. If you need this for testing, I'd suggest that you monkey patch the appropriate places in sdc-docker and sdc-imgapi code to infer scheme="http" for a hardcoded domain. However, that's not very helpful because I don't know exactly where in the code you'd need to do that.

Smithx10 commented 6 years ago

@trentm Sounds good. I'll just use https :)