Closed jamshid closed 8 years ago
Are you sure you were previously able to use authentication over plain http? cc @shin- on this but I'm pretty sure auth+plain-http never was supported.
Hi, I can confirm this, as I've just run into the exact same problem.
Prior to upgrading to 1.5, I had EXTRA_ARGS="--insecure-registry 192.168.2.5:5000" in /etc/sysconfig/docker and this worked. Post the upgrade I get the same FATA[00040] Error.
I changed the entry to -> EXTRA_ARGS="--insecure-registry http://192.168.2.5:5000" in /etc/sysconfig/docker, restarted and it's working again.
I'm running this on CentOS 6.5
Push is failing....
cc @tibor @dmcgowan
Same here.
Hi,
I am on Docker 1.5 running on CoreOS -- and I am NOT experiencing this problem, another one, yes, but not this one.
I am launching docker with: ExecStart=/usr/lib/coreos/dockerd --daemon --insecure-registry=10.254.0.100:5000 --host=fd:// $DOCKER_OPTS $DOCKER_OPT_BIP $DOCKER_OPT_MTU $DOCKER_OPT_IPMASQ
(no http://) and I am able to connect to my registry without any certificate errors - perhaps the fact I'm using the = sign changes something..? Haven't reviewed the code to know.
Same issue here.
Same issue here.
ping @tiborvass Is there documentation about that and/or info about whether the syntax changed?
@dmp42 not that I know of. I must say I didn't know people could use the prefix, I thought it was only the hostname. I'll look into it.
I have the same issue, if I have the extra arguments:
--insecure-registry hostname.goes.here:5000
--insecure-registry http://hostname.goes.here:5000
it fails. If I change to:
--insecure-registry=hostname.goes.here:5000
It works.
Same problem here on my boot2docker after changing /var/lib/boot2docker/profile
EXTRA_ARGS="--insecure-registry=http://:5000"
I can log in... but I can't push and docker.log prints:
time="2015-04-09T21:07:02Z" level="debug" msg="Calling POST /images/{name:.*}/push"
time="2015-04-09T21:07:02Z" level="info" msg="POST /v1.17/images/:5000/helloworld/push?tag="
time="2015-04-09T21:07:02Z" level="info" msg="+job push(:5000/helloworld)"
time="2015-04-09T21:07:02Z" level="info" msg="+job resolve_repository(:5000/helloworld)"
time="2015-04-09T21:07:02Z" level="info" msg="-job resolve_repository(:5000/helloworld) = OK (0)"
time="2015-04-09T21:07:02Z" level="debug" msg="pinging registry endpoint https://:5000/v0/"
time="2015-04-09T21:07:02Z" level="debug" msg="attempting v2 ping for registry endpoint https://:5000/v2/"
time="2015-04-09T21:07:02Z" level="debug" msg="hostDir: /etc/docker/certs.d/:5000"
time="2015-04-09T21:07:02Z" level="debug" msg="attempting v1 ping for registry endpoint https://:5000/v1/"
time="2015-04-09T21:07:02Z" level="debug" msg="hostDir: /etc/docker/certs.d/:5000"
invalid registry endpoint https://:5000/v0/: unable to ping registry endpoint https://:5000/v0/
v2 ping attempt failed with error: Get https://:5000/v2/: tls: oversized record received with length 20527
v1 ping attempt failed with error: Get https://:5000/v1/_ping: tls: oversized record received with length 20527. If this private registry supports only HTTP or HTTPS with an unknown CA certificate, please add `--insecure-regis
time="2015-04-09T21:07:02Z" level="info" msg="-job push(:5000/helloworld) = ERR (1)"
time="2015-04-09T21:07:02Z" level="error" msg="Handler for POST /images/{name:.*}/push returned error: v1 ping attempt failed with error: Get https://:5000/v1/_ping: tls: oversized record received with length 20527. If this pr
time="2015-04-09T21:07:02Z" level="error" msg="HTTP Error: statusCode=500 v1 ping attempt failed with error: Get https://:5000/v1/_ping: tls: oversized record received with length 20527.
It really seems that the docker daemon doesn't consider the http protocol on the push command. The log files don't print any attempt to connect to the server using http. All tries are on https.
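The length in that error is itself a clue: a TLS client reads bytes 3-4 of whatever the server sent as the record length, and 20527 is 0x50 0x2F, the "P/" of an "HTTP/1.x" reply, so the port is answering in plain HTTP. The following is an added example (not part of the original comment or of Docker's code) that decodes this from log lines; the sample lines and the banner list are constructed for illustration.

```python
import re

# Constructed sample lines in the format of the daemon log quoted above.
SAMPLE_LOG = [
    'time="2015-04-09T21:07:02Z" level="debug" msg="hostDir: /etc/docker/certs.d/:5000"',
    "v2 ping attempt failed with error: Get https://:5000/v2/: "
    "tls: oversized record received with length 20527",
]

OVERSIZED = re.compile(
    r"Get (https://\S+?): tls: oversized record received with length (\d+)")

# First bytes a plaintext server typically answers with (illustrative list).
BANNERS = {"HTTP": b"HTTP/1.1 400 Bad Request", "SSH": b"SSH-2.0-"}

def decode_record_length(length):
    """Return the two bytes at record-header offsets 3-4 that encode this length."""
    return bytes([(length >> 8) & 0xFF, length & 0xFF])

def guess_protocol(length):
    """Name the plaintext protocol whose banner yields this bogus record length."""
    raw = decode_record_length(length)
    for name, banner in BANNERS.items():
        if banner[3:5] == raw:
            return name
    return None

def diagnose(lines):
    """Collect one finding per 'oversized record' error found in the log lines."""
    findings = []
    for line in lines:
        m = OVERSIZED.search(line)
        if m:
            length = int(m.group(2))
            findings.append({
                "url": m.group(1),
                "length": length,
                "header_bytes": decode_record_length(length),
                "plaintext_protocol": guess_protocol(length),
            })
    return findings

if __name__ == "__main__":
    for finding in diagnose(SAMPLE_LOG):
        print(finding)
```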
...
This issue has gotten very confusing, let me clarify what should be expected based on Docker 1.5.
docker login http://registryname will only work if insecure registry is set as --insecure-registry http://registryname. However even though login works in this case (a value is set in config), http://registryname is never a valid argument for --insecure-registry since it only expects registry names as would be seen in an image name. Subsequent actions to registryname/image will not be treated as insecure. The correct use in this scenario is docker login registryname paired with --insecure-registry registryname. Then registryname/image will actually be treated as insecure and you will see http is attempted only after an https connection is failed to be established.
Now as @dmp42 mentioned, all this is rather pointless since Docker will never send your credentials over http, you must use https if you want to use basic auth. You should see a message in the daemon logs or console that looks like "Docker will not send auth headers over HTTP" if an action is attempted on a registry which uses http and returns 401. Insecure can be used to respect self signed certificates though, this is the recommended solution.
The case of including = or not doesn't seem to be an issue in my testing, not sure what is going on there.
If the behavior I described is not desired or causing your problems, I would suggest opening up an issue or proposal on the engine to change it. Sending credentials over http has already been discussed at length but here is an example of such an issue https://github.com/docker/docker/issues/9570.
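The rule described in this comment (the flag takes a registry name as it appears in an image name, never a URL) can be checked mechanically against a daemon option string. The following is an added example, not code from Docker or from the commenter; the function names and the sample option strings are constructed, and matching is by exact name only.

```python
import shlex

FLAG = "--insecure-registry"

def insecure_registry_values(opts):
    """Return every --insecure-registry value, in '=' or space-separated form."""
    tokens = shlex.split(opts)
    values = []
    for i, tok in enumerate(tokens):
        if tok.startswith(FLAG + "="):
            values.append(tok[len(FLAG) + 1:])
        elif tok == FLAG and i + 1 < len(tokens):
            values.append(tokens[i + 1])
    return values

def audit(opts):
    """Classify each value as 'scheme-prefix', 'empty-host' or 'registry-name'."""
    findings = []
    for value in insecure_registry_values(opts):
        _, sep, rest = value.partition("://")
        name = rest if sep else value
        host = name.rsplit(":", 1)[0] if ":" in name else name
        if not host:
            findings.append((value, "empty-host"))
        elif sep:
            # A URL never matches the registry part of an image name.
            findings.append((value, "scheme-prefix"))
        else:
            findings.append((value, "registry-name"))
    return findings

def covers(opts, image_ref):
    """True if the image's registry part is listed exactly as a flag value."""
    registry = image_ref.split("/", 1)[0]
    return registry in insecure_registry_values(opts)

# Constructed option strings, modelled on the ones quoted in this thread.
WITH_SCHEME = "--insecure-registry http://192.168.2.5:5000"
NAME_ONLY = "--insecure-registry=192.168.2.5:5000 --host=fd://"

if __name__ == "__main__":
    for opts in (WITH_SCHEME, NAME_ONLY):
        print(audit(opts), covers(opts, "192.168.2.5:5000/helloworld"))
```

Every value reported as 'registry-name' is also an inventory entry: those are the registries for which the daemon will fall back to http after https fails.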
I guess one scenario is using corporate LDAP with Docker. I need to disable all the authentication in Docker, and let all the operations fall through and use a different layer that deals with AAA. I had a little fun with that but setting --insecure-registry on ALL nodes solved the problem. This guy wanted something similar: http://stackoverflow.com/questions/29172678/connecting-docker-container-to-corporate-ldap-server-through-ssl
I'm running into this issue as well. Is it necessary that --insecure-registry be passed to the daemon at start time? Or can you pass it to the command itself? For example:
docker --insecure-registry registry.host:5000 pull registry.host:5000/image
I can't get the above command to work. Any ideas?
On Ubuntu 14.10, I used "... --insecure-registry 192.168.100.1:5000" and it worked.
On Ubuntu 14.04.2 LTS (trusty) using DOCKER_OPTS="$DOCKER_OPTS --insecure-registry=192.168.100.1:5000" solved the problem.
Docker version and build are the same:
$ docker -v
Docker version 1.6.0, build 4749651
This information was helpful with same issue in Windows boot2docker.
debian with docker 1.6.2 -- working for me is -->
BOTH server hosting registry and node trying to push to it:
DOCKER_OPTS="--insecure-registry=192.168.122.92:5000"
[root@docker ~]# rpm -qa | grep docker
docker-1.7.1-115.el7.x86_64
[root@docker ~]# docker --insecure-registry=ldap.kartikv.com.com:5001 login https://ldap.kartikv.com:5001
Username: testuser
Password:
Email:
Error response from daemon: invalid registry endpoint https://ldap.kartikv.com:5001/v0/: unable to ping registry endpoint https://ldap.kartikv.com:5001/v0/
v2 ping attempt failed with error: Get https://ldap.kartikv.com:5001/v2/: dial tcp 192.168.1.195:5001: connection refused
v1 ping attempt failed with error: Get https://ldap.kartikv.com:5001/v1/_ping: dial tcp 192.168.1.195:5001: connection refused. If this private registry supports only HTTP or HTTPS with an unknown CA certificate, please add --insecure-registry ldap.kartikv.com:5001 to the daemon's arguments. In the case of HTTPS, if you have access to the registry's CA certificate, no need for the flag; simply place the CA certificate at /etc/docker/certs.d/ldap.kartikv.com:5001/ca.crt
Please help
Trust the certificate at the os level.
That worked! Thank you for your invaluable advice. Is there a way to get a web page describing all the images in the private registry? I followed this to create the private registry: https://www.digitalocean.com/community/tutorials/how-to-set-up-a-private-docker-registry-on-ubuntu-14-04
I am facing the same issue as @pilerou . Is there a fix?
Here are some instructions to install docker private registry in a container:
[root@docker registry]# cat >/etc/yum.repos.d/docker.repo <<-EOF
[dockerrepo]
name=Docker Repository
baseurl=https://yum.dockerproject.org/repo/main/centos/7
enabled=1
gpgcheck=1
gpgkey=https://yum.dockerproject.org/gpg
EOF
yum install docker-engine
systemctl enable docker.service
systemctl start docker.service
docker run -d -p 5000:5000 --name kartiksregistry registry:2
docker ps
docker pull busybox
docker images
docker tag busybox localhost:5000/kartiksbusybox
docker images
docker push localhost:5000/kartiksbusybox
docker ps
docker stop kartiksregistry && docker rm kartiksregistry
[root@docker ~]# cat /etc/sysconfig/docker
#
other_args=""
DOCKER_OPTS="--insecure-registry=localhost:5000"
[root@docker ~]# systemctl restart docker
docker images
mkdir /root/registry
cd /root/registry
[root@docker registry]# cat docker-registry.sh
docker run -d -p 5000:5000 \
  -v /registry:/var/lib/registry \
  --restart=on-failure \
  --name docker-registry-v2 \
  registry:2
[root@docker registry]#
[root@docker registry]# cat docker-registry-web.sh
docker run -d -p 8080:8080 \
  -e REGISTRY_HOST=172.17.42.1 \
  -e REGISTRY_PORT=5000 \
  -e REGISTRY_AUTH="ZkpyOTVLZmhDaQ==" \
  --restart=on-failure \
  --name docker-registry-web \
  hyper/docker-registry-web
[root@docker registry]#
Another method using docker compose:
yum install epel-release
yum install -y python-pip
pip install -U docker-compose
docker stop $(docker ps -q)
docker rm $(docker ps -aq)
[root@docker registry]# cat docker-registry.yml
registry:
  restart: always
  image: registry:2
  ports:
web:
  restart: always
  image: hyper/docker-registry-web
  ports:
People, this here "docker-registry" is deprecated - if you are using registry:2
(and you should) please ask for support on forums or irc (#docker-distribution).
If you have actual bugs, please report them to https://github.com/docker/distribution
Also, there is comprehensive documentation including getting started in two lines over here: http://docs.docker.com/registry/deploying/
Closing this since this ticket is getting really messy.
I tried setting EXTRA_ARGS="--insecure-registry 192.168.2.5:5000" in /var/lib/boot2docker/profile but could not get past the below error until I made it --insecure-registry http://192.168.2.5:5000. The error message does not indicate http:// is required and I think this worked in docker 1.4.1.
But although that allowed docker login to work, I still get the same error on docker push:
Do private docker registries really have to be https now?