docker-archive / docker-registry

This is **DEPRECATED**! Please go to https://github.com/docker/distribution
Apache License 2.0

Must use "http" prefix (--insecure-registry http://example.com:5000) with docker 1.5? #936

Closed jamshid closed 8 years ago

jamshid commented 9 years ago

I tried setting EXTRA_ARGS="--insecure-registry 192.168.2.5:5000" in /var/lib/boot2docker/profile but could not get past the below error until I made it --insecure-registry http://192.168.2.5:5000. The error message does not indicate http:// is required and I think this worked in docker 1.4.1.

    $ docker login -u ${USER} -p secret -e ${USER}@example.com http://192.168.2.5:5000
    FATA[0004] Error response from daemon: v1 ping attempt failed with error: Get https://192.168.2.5:5000/v1/_ping: EOF. If this private registry supports only HTTP or HTTPS with an unknown CA certificate, please add `--insecure-registry 192.168.2.5:5000` to the daemon's arguments. In the case of HTTPS, if you have access to the registry's CA certificate, no need for the flag; simply place the CA certificate at /etc/docker/certs.d/192.168.2.5:5000/ca.crt

But although that allowed docker login to work, I still get the same error on docker push:

    $ docker tag s3ql 192.168.2.5:5000/s3ql
    $ docker push 192.168.2.5:5000/s3ql
    FATA[0004] Error: v1 ping attempt failed with error: Get https://192.168.2.5:5000/v1/_ping: EOF. If this private registry supports only HTTP or HTTPS with an unknown CA certificate, please add `--insecure-registry 192.168.2.5:5000` to the daemon's arguments. In the case of HTTPS, if you have access to the registry's CA certificate, no need for the flag; simply place the CA certificate at /etc/docker/certs.d/192.168.2.5:5000/ca.crt

Do private docker registries really have to be https now?

dmp42 commented 9 years ago

Are you sure you were previously able to use authentication over plain http? cc @shin- on this but I'm pretty sure auth+plain-http never was supported.

ghost commented 9 years ago

Hi, I can confirm this, as I've just run into the exact same problem.

Prior to upgrading to 1.5, I had EXTRA_ARGS="--insecure-registry 192.168.2.5:5000" in /etc/sysconfig/docker and this worked. Post the upgrade I get the same FATA[00040] Error.

I changed the entry to -> EXTRA_ARGS="--insecure-registry http://192.168.2.5:5000" in /etc/sysconfig/docker, restarted and it's working again.

I'm running this on CentOS 6.5

Push is failing....

dmp42 commented 9 years ago

cc @tibor @dmcgowan

l1x commented 9 years ago

Same here.

ForbiddenEra commented 9 years ago

Hi,

I am on Docker 1.5 running on CoreOS -- and I am NOT experiencing this problem, another one, yes, but not this one.

I am launching docker with: ExecStart=/usr/lib/coreos/dockerd --daemon --insecure-registry=10.254.0.100:5000 --host=fd:// $DOCKER_OPTS $DOCKER_OPT_BIP $DOCKER_OPT_MTU $DOCKER_OPT_IPMASQ

(no http://) and I am able to connect to my registry without any certificate errors - perhaps the fact I'm using the = sign changes something..? Haven't reviewed the code to know.

olibob commented 9 years ago

Same issue here.

cgp commented 9 years ago

Same issue here.

dmp42 commented 9 years ago

ping @tiborvass Is there documentation about that and/or info about whether the syntax changed?

tiborvass commented 9 years ago

@dmp42 not that I know of. I must say I didn't know people could use the prefix, I thought it was only the hostname. I'll look into it.

shawn-sterling commented 9 years ago

I have the same issue, if I have the extra arguments:

--insecure-registry hostname.goes.here:5000
--insecure-registry http://hostname.goes.here:5000

it fails. If I change to:

--insecure-registry=hostname.goes.here:5000

It works.

pilerou commented 9 years ago

Same problem here on my boot2docker after changing /var/lib/boot2docker/profile

EXTRA_ARGS="--insecure-registry=http://:5000"

I can login... but I can't push and docker.log prints:


time="2015-04-09T21:07:02Z" level="debug" msg="Calling POST /images/{name:.*}/push"
time="2015-04-09T21:07:02Z" level="info" msg="POST /v1.17/images/:5000/helloworld/push?tag="
time="2015-04-09T21:07:02Z" level="info" msg="+job push(:5000/helloworld)"
time="2015-04-09T21:07:02Z" level="info" msg="+job resolve_repository(:5000/helloworld)"
time="2015-04-09T21:07:02Z" level="info" msg="-job resolve_repository(:5000/helloworld) = OK (0)"
time="2015-04-09T21:07:02Z" level="debug" msg="pinging registry endpoint https://:5000/v0/"
time="2015-04-09T21:07:02Z" level="debug" msg="attempting v2 ping for registry endpoint https://:5000/v2/"
time="2015-04-09T21:07:02Z" level="debug" msg="hostDir: /etc/docker/certs.d/:5000"
time="2015-04-09T21:07:02Z" level="debug" msg="attempting v1 ping for registry endpoint https://:5000/v1/"
time="2015-04-09T21:07:02Z" level="debug" msg="hostDir: /etc/docker/certs.d/:5000"
invalid registry endpoint https://:5000/v0/: unable to ping registry endpoint https://:5000/v0/
v2 ping attempt failed with error: Get https://:5000/v2/: tls: oversized record received with length 20527
 v1 ping attempt failed with error: Get https://:5000/v1/_ping: tls: oversized record received with length 20527. If this private registry supports only HTTP or HTTPS with an unknown CA certificate, please add `--insecure-registime="2015-04-09T21:07:02Z" level="info" msg="-job push(:5000/helloworld) = ERR (1)"
time="2015-04-09T21:07:02Z" level="error" msg="Handler for POST /images/{name:.*}/push returned error:  v1 ping attempt failed with error: Get https://:5000/v1/_ping: tls: oversized record received with length 20527. If this prtime="2015-04-09T21:07:02Z" level="error" msg="HTTP Error: statusCode=500  v1 ping attempt failed with error: Get https://:5000/v1/_ping: tls: oversized record received with length 20527. 

It really seems that docker daemon doesn't consider http protocol on push command. Log files don't print any attempt to connect to server using http. All tries are on https.

...

dmcgowan commented 9 years ago

This issue has gotten very confusing, let me clarify what should be expected based on Docker 1.5.

docker login http://registryname will only work if insecure registry is set as --insecure-registry http://registryname. However, even though login works in this case (a value is set in config), http://registryname is never a valid argument for --insecure-registry since it only expects registry names as would be seen in an image name. Subsequent actions to registryname/image will not be treated as insecure. The correct use in this scenario is docker login registryname name paired with --insecure-registry registryname. Then registryname/image will actually be treated as insecure and you will see http is attempted only after an https connection fails to be established.

Now as @dmp42 mentioned, all this is rather pointless since Docker will never send your credentials over http, you must use https if you want to use basic auth. You should see a message in the daemon logs or console that looks like "Docker will not send auth headers over HTTP" if an action is attempted on a registry which uses http and returns 401. Insecure can be used to respect self signed certificates though, this is the recommended solution.

The case of including = or not doesn't seem to be an issue in my testing, not sure what is going on there.

If the behavior I described is not desired or causing your problems, I would suggest opening up an issue or proposal on the engine to change it. Sending credentials over http has already been discussed at length but here is an example of such an issue https://github.com/docker/docker/issues/9570.
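
The rule dmcgowan describes above (the flag takes a registry name as it appears in an image name, not a URL), written as a check over a daemon option string. This is an added example, not part of the original thread or Docker's code; the function names are hypothetical, and matching is exact-string only (CIDR values and Docker's localhost handling are not modelled).

```shell
# Added example: lint --insecure-registry values against an image name.

# Print each --insecure-registry value in an option string, one per line.
# Accepts both "--insecure-registry VALUE" and "--insecure-registry=VALUE".
insecure_registry_values() {
    set -f                          # no globbing while splitting $1
    expect=0
    for word in $1; do
        if [ "$expect" = 1 ]; then
            printf '%s\n' "$word"; expect=0; continue
        fi
        case $word in
            --insecure-registry=*) printf '%s\n' "${word#--insecure-registry=}" ;;
            --insecure-registry)   expect=1 ;;
        esac
    done
    set +f
}

# Registry part of an image name: the first path component when it looks
# like a host (contains "." or ":", or is "localhost"). Empty = Docker Hub.
registry_of_image() {
    case $1 in
        */*) first=${1%%/*} ;;
        *)   first= ;;
    esac
    case $first in
        *.*|*:*|localhost) printf '%s\n' "$first" ;;
    esac
}

# Flag values carrying a URL scheme, then say whether the image's registry
# is covered. Assumption: exact string match only (no CIDR, no localhost rule).
audit_insecure_registry() {
    registry=$(registry_of_image "$2")
    covered=no
    for value in $(insecure_registry_values "$1"); do
        case $value in
            *://*)       echo "bad-scheme $value" ;;
            "$registry") covered=yes ;;
        esac
    done
    echo "covered=$covered registry=$registry"
}

# Constructed inputs modelled on the values quoted in the thread.
audit_insecure_registry '--insecure-registry http://192.168.2.5:5000' 192.168.2.5:5000/s3ql
audit_insecure_registry '--insecure-registry=192.168.2.5:5000' 192.168.2.5:5000/s3ql
```

A `bad-scheme` line together with `covered=no` corresponds to the symptom reported in this thread: login succeeds, but push to the same registry is not treated as insecure.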

l1x commented 9 years ago

I guess one scenario is using corporate LDAP with Docker. I need to disable all the authentication in Docker, and let all the operations fall through and use a different layer that deals with AAA. I had a little fun with that but setting --insecure-registry on ALL nodes solved the problem. This guy wanted something similar: http://stackoverflow.com/questions/29172678/connecting-docker-container-to-corporate-ldap-server-through-ssl

jdoliner commented 9 years ago

I'm running into this issue as well. Is it necessary that --insecure-registry be passed to the daemon at start time? Or can you pass it to the command itself? For example:

docker --insecure-registry registry.host:5000 pull registry.host:5000/image 

I can't get the above command to work. Any ideas?

shakthimaan commented 9 years ago

On Ubuntu 14.10, I used "... --insecure-registry 192.168.100.1:5000" and it worked.

On Ubuntu 14.04.2 LTS (trusty) using DOCKER_OPTS="$DOCKER_OPTS --insecure-registry=192.168.100.1:5000" solved the problem.

Docker version and build are the same:

    $ docker -v
    Docker version 1.6.0, build 4749651

shikhachauhan commented 9 years ago

This information was helpful with same issue in Windows boot2docker.

Tallisado commented 9 years ago

debian with docker 1.6.2 -- working for me is -->

BOTH server hosting registry and node trying to push to it:

    DOCKER_OPTS="--insecure-registry=192.168.122.92:5000"

kvashishta commented 9 years ago

    [root@docker ~]# rpm -qa | grep docker
    docker-1.7.1-115.el7.x86_64

    [root@docker ~]# docker --insecure-registry=ldap.kartikv.com.com:5001 login https://ldap.kartikv.com:5001
    Username: testuser
    Password:
    Email:
    Error response from daemon: invalid registry endpoint https://ldap.kartikv.com:5001/v0/: unable to ping registry endpoint https://ldap.kartikv.com:5001/v0/
    v2 ping attempt failed with error: Get https://ldap.kartikv.com:5001/v2/: dial tcp 192.168.1.195:5001: connection refused
    v1 ping attempt failed with error: Get https://ldap.kartikv.com:5001/v1/_ping: dial tcp 192.168.1.195:5001: connection refused. If this private registry supports only HTTP or HTTPS with an unknown CA certificate, please add --insecure-registry ldap.kartikv.com:5001 to the daemon's arguments. In the case of HTTPS, if you have access to the registry's CA certificate, no need for the flag; simply place the CA certificate at /etc/docker/certs.d/ldap.kartikv.com:5001/ca.crt

Please help

dmp42 commented 9 years ago

Trust the certificate at the os level.

kvashishta commented 9 years ago

That worked! Thank you for your invaluable advice. Is there a way to get a web page describing all the images in the private registry? I followed this to create the private registry: https://www.digitalocean.com/community/tutorials/how-to-set-up-a-private-docker-registry-on-ubuntu-14-04

shriramsharma commented 8 years ago

I am facing the same issue as @pilerou . Is there a fix?

kvashishta commented 8 years ago

Here are some instructions to install docker private registry in a container:

    [root@docker registry]# cat >/etc/yum.repos.d/docker.repo <<-EOF
    [dockerrepo]
    name=Docker Repository
    baseurl=https://yum.dockerproject.org/repo/main/centos/7
    enabled=1
    gpgcheck=1
    gpgkey=https://yum.dockerproject.org/gpg
    EOF

    yum install docker-engine
    systemctl enable docker.service
    systemctl start docker.service
    docker run -d -p 5000:5000 --name kartiksregistry registry:2
    docker ps
    docker pull busybox
    docker images
    docker tag busybox localhost:5000/kartiksbusybox
    docker images
    docker push localhost:5000/kartiksbusybox
    docker ps
    docker stop kartiksregistry && docker rm kartiksregistry

    [root@docker ~]# cat /etc/sysconfig/docker
    # /etc/sysconfig/docker
    #
    # Other arguments to pass to the docker daemon process
    # These will be parsed by the sysv initscript and appended
    # to the arguments list passed to docker daemon

    other_args=""

    DOCKER_OPTS="--insecure-registry=localhost:5000"
    [root@docker ~]# systemctl restart docker
    docker images
    mkdir /root/registry
    cd /root/registry

    [root@docker registry]# cat docker-registry.sh
    #!/bin/bash

    docker run -d -p 5000:5000 \
      -v /registry:/var/lib/registry \
      --restart=on-failure \
      --name docker-registry-v2 \
      registry:2
    [root@docker registry]#

    [root@docker registry]# cat docker-registry-web.sh
    #!/bin/bash

    docker run -d -p 8080:8080 \
      -e REGISTRY_HOST=172.17.42.1 \
      -e REGISTRY_PORT=5000 \
      -e REGISTRY_AUTH="ZkpyOTVLZmhDaQ==" \
      --restart=on-failure \
      --name docker-registry-web \
      hyper/docker-registry-web
    [root@docker registry]#

another method using docker compose

    yum install epel-release
    yum install -y python-pip
    pip install -U docker-compose
    docker stop $(docker ps -q)
    docker rm $(docker ps -aq)

    [root@docker registry]# cat docker-registry.yml
    registry:
      restart: always
      image: registry:2
      ports:

    web:
      restart: always
      image: hyper/docker-registry-web
      ports:

dmp42 commented 8 years ago

People, this here "docker-registry" is deprecated - if you are using registry:2 (and you should) please ask for support on forums or irc (#docker-distribution).

If you have actual bugs, please report them to https://github.com/docker/distribution

Also, there is comprehensive documentation including getting started in two lines over here: http://docs.docker.com/registry/deploying/

Closing this since this ticket is getting really messy.