How to get remote access to a private docker-registry?

I’m trying to set up a private docker registry using the image taken from:
https://github.com/docker/docker-registry

Just by running:
docker run -p 5000:5000 registry

I can pull/push from/to this repository only from localhost, but if I try to access it from another machine (using a private address on the same LAN) it fails with an error message:

    2014/11/03 09:49:04 Error: Invalid registry endpoint https://10.0.0.26:5000/v1/':
    Get https://10.0.0.26:5000/v1/_ping: Forbidden. If this private
    registry supports only HTTP or HTTPS with an unknown CA certificate,
    please add `--insecure-registry 10.0.0.26:5000` to the daemon's
    arguments. In the case of HTTPS, if you have access to the registry's
    CA certificate, no need for the flag; simply place the CA certificate
    at /etc/docker/certs.d/10.0.0.26:5000/ca.crt
    

    What drives me crazy is that I can access it successfully using:
    curl 10.0.0.26:5000
    and/or curl 10.0.0.26:5000/v1/search

    I also don’t understand where and how I should pass the --insecure-registry flag.

14 solutions collected from the web for “How to get remote access to a private docker-registry?”

    OK – I found the solution to this – after a day of digging.

    For docker below 1.12.1:

    It turns out that the new client version refuses to work with a private registry without SSL.

    To fix this – the daemon on the client machine should be launched with the insecure flag:

    Just type:

    sudo service docker stop # to stop the service
    

    and then

    sudo docker -d --insecure-registry 10.0.0.26:5000
    

    (replace the 10.0.0.26 with your own ip address).

    I would expect the docker guys to add this option to the pull/push command line…

    Edit – alternatively – you can add the flag to DOCKER_OPTS env variable inside /etc/default/docker…
    and then sudo service docker restart

    Edit again – It seems that the docker guys are on it – and a fix will come soon:
    https://github.com/docker/docker/pull/8935

    For docker 1.12.1:

    Please follow below the answer of vikas027 (valid for centos)

    Edit the config file “/etc/default/docker”

    sudo vi /etc/default/docker

    add the line at the end of file

    DOCKER_OPTS="$DOCKER_OPTS --insecure-registry=192.168.2.170:5000"

    (replace the 192.168.2.170 with your own ip address)

    and restart docker service

    sudo service docker restart

    This is what worked for me on CentOS 7.2 and Docker 1.12.1 (latest as on date). My private registry v2 was running on 192.168.1.88:5000, change it accordingly. This also works if you have multiple registries, just keep on adding --insecure-registry IP:Port

    $ sudo vim /usr/lib/systemd/system/docker.service
    #ExecStart=/usr/bin/dockerd 
    ExecStart=/usr/bin/dockerd --insecure-registry 192.168.1.88:5000
    $
    $ sudo systemctl stop docker
    $ sudo systemctl daemon-reload
    $ systemctl start docker
    

    Ok. Here is how I got it to work. If you see this error in docker 1.3.2 or above, do this

    go to /etc/sysconfig/docker

    other_args="--insecure-registry 10.0.0.26:5000"
    

    and run

    sudo service docker restart

    I found the following to be very useful as it discusses how the Docker service itself is configured. https://docs.docker.com/articles/systemd/

    Along with this article on the systemctl command https://www.digitalocean.com/community/tutorials/how-to-use-systemctl-to-manage-systemd-services-and-units

    I used the following series of commands in a Centos 7 based container with a registry image obtained by “docker pull registry:2.1.1”

    sudo mkdir -p /etc/systemd/system/docker.service.d
    cd /etc/systemd/system/docker.service.d
    sudo touch override.conf
    sudo nano override.conf
    

    And inside the override.conf added the following.

    [Service]
    ExecStart=
    ExecStart=/usr/bin/docker -d -H tcp://0.0.0.0:2375 -H unix:///var/run/docker.sock --insecure-registry 10.2.3.4:5000
    

    Note the first, blank, ExecStart= clears anything that is already in place so be sure to add anything from the /usr/lib/systemd/system/docker.service ExecStart= statement that you wish to retain.

    If you don’t specify the -d(daemon) option you’ll get a “Please specify only one -H” error.

    After issuing the following series of commands I can see my overrides in place.

    sudo systemctl stop docker
    sudo systemctl daemon-reload
    sudo systemctl start docker
    sudo systemctl status docker
    
    docker.service - Docker Application Container Engine
       Loaded: loaded (/usr/lib/systemd/system/docker.service; enabled)
      Drop-In: /etc/systemd/system/docker.service.d
               └─override.conf
       Active: active (running) since Thu 2015-09-17 13:37:34 AEST; 7s ago
         Docs: https://docs.docker.com
     Main PID: 5697 (docker)
       CGroup: /system.slice/docker.service
               └─5697 /usr/bin/docker -d -H tcp://0.0.0.0:2375 -H unix:///var/run/docker.sock --insecure-registry 10.2.3.4:5000
    

    NOTE: The information provided by the Loaded: and Drop-In: lines in the status message is useful for checking what’s happening when trying to get a pre-existing docker daemon to work.

    NOTE: Also have a look in the Loaded: docker.service file for an EnvironmentFile= for further clues.

    use the following command replacing {YOUR_REGISTRY} with your registry

    boot2docker ssh "echo $'EXTRA_ARGS=\"--insecure-registry {YOUR_REGISTRY}\"' | sudo tee -a /var/lib/boot2docker/profile && sudo /etc/init.d/docker restart"
    

    edit docker.service file, add --insecure-registry x.x.x.x after -d flag, restart docker

    this is the only thing that worked for me, the DOCKER_OPTS didn’t have any effect

    Docker 1.12.1

    For CentOS 7.2

    /usr/lib/systemd/system/docker.service
    #ExecStart=/usr/bin/dockerd
    ExecStart=/usr/bin/dockerd --insecure-registry my-docker-registry.com:5000
    

    For ubuntu 16.04

    /lib/systemd/system/docker.service
    #ExecStart=/usr/bin/dockerd -H fd://
    ExecStart=/usr/bin/dockerd --insecure-registry my-docker-registry.com:5000 -H fd://
    
    sudo systemctl stop docker
    sudo systemctl daemon-reload
    sudo systemctl start docker
    

    It seems the --insecure-registry option may be used both with and without the “=” between it and the registry ID.

    I found that docker client version and registry docker version have to match up, else you would run into connectivity issues, despite having everything in place.

    This is based on the answer from vikas027 on Centos 7 and Docker 1.12

    Since I am behind a proxy my full solution was …

    /etc/systemd/system/docker.service.d/http-proxy.conf

    [Service]
    
    Environment="FTP_PROXY={{MY_PROXY}}"
    Environment="ftp_proxy={{MY_PROXY}}"
    
    Environment="HTTPS_PROXY={{MY_PROXY}}"
    Environment="https_proxy={{MY_PROXY}}"
    
    Environment="HTTP_PROXY={{MY_PROXY}}"
    Environment="http_proxy={{MY_PROXY}}"
    
    Environment="NO_PROXY=localhost,127.0.0.1,{{MY_INSECURE_REGISTRY_IP}}"
    Environment="no_proxy=localhost,127.0.0.1,{{MY_INSECURE_REGISTRY_IP}}"
    

    /usr/lib/systemd/system/docker.service

    ExecStart=/usr/bin/dockerd --insecure-registry {{MY_INSECURE_REGISTRY_IP}}:5000
    

    and don’t forget to restart 🙂

    sudo systemctl daemon-reload; sudo systemctl restart docker;
    

    Setting Local insecure registry in docker along with proxy:

    1) in ubuntu add the following flag --insecure-registry IP:port under DOCKER_OPTS in file /etc/default/docker

    1.1) configure no_proxy env variable to bypass local IP/hostname/domainname…as proxy can throw an interactive msg …like continue
    and this intermediate msg confuses docker client and finally times out…

    1.2) if domainname is configured…then don’t forget to update /etc/hosts file if not using DNS.

    1.3) in /etc/default/docker set the env variables http_proxy and https_proxy…as it enables to download images from outside company hubs.
    format http_proxy=http://username:password@proxy:port

    2) restart the docker service…if installed as service, use sudo service docker restart

    3) restart the registry container [sudo docker run -p 5000:5000 registry:2 ]

    4) tag the required image using sudo docker tag imageid IP:port/imagename/tagname ifany

    5) push the image …sudo docker push ip:port/imagename

    6) If you want to pull the image from another machine say B without TLS/SSL, then
    in B apply steps 1, 1.1 and 2.
    If these changes are not done in machine B…pull will fail.

    Ubuntu 16.04

    Create (does not exist) file /etc/systemd/system/docker.service.d/registry.conf with contents:

    [Service]
    # You need the empty 'ExecStart=' below, or you will get an error 'Service has more than one ExecStart= setting, which is only allowed'
    ExecStart=
    ExecStart=/usr/bin/dockerd -H fd:// --insecure-registry 10.20.30.40:5000
    

    then

    sudo systemctl stop docker
    sudo systemctl daemon-reload
    sudo systemctl start docker
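
The drop-in behaviour the answers above rely on (an empty ExecStart= clears the inherited value, and leaving it out produces the "more than one ExecStart=" error), as an added example that is not part of any answer: a POSIX sh and awk sketch that resolves the effective dockerd command line and lists the --insecure-registry entries and wildcard -H tcp:// listeners in it. The function names and the demo file contents are constructed for illustration.

```shell
#!/bin/sh
# Constructed example: which ExecStart= systemd ends up with for docker.service,
# and which registries / API listeners that command line opens up.

# effective_execstart UNIT [DROPIN...]: pass files in the order systemd reads
# them (unit file, then drop-ins). An empty "ExecStart=" clears earlier values;
# two or more output lines reproduce the "more than one ExecStart=" error.
# Assumption: ExecStart= lines do not use backslash continuations.
effective_execstart() {
    awk '
        /^ExecStart=[ \t]*$/ { n = 0; next }
        /^ExecStart=/        { sub(/^ExecStart=/, ""); cmd[++n] = $0 }
        END { for (i = 1; i <= n; i++) print cmd[i] }
    ' "$@"
}

# insecure_registries: command line on stdin, one registry per output line;
# accepts "--insecure-registry HOST:PORT" and "--insecure-registry=HOST:PORT".
insecure_registries() {
    awk '{
        for (i = 1; i <= NF; i++) {
            v = $i
            if (v == "--insecure-registry" && i < NF) print $(i + 1)
            else if (sub(/^--insecure-registry=/, "", v)) print v
        }
    }'
}

# wildcard_tcp_listeners: -H endpoints bound to every interface; without
# --tlsverify the Docker API on such a socket is unauthenticated.
wildcard_tcp_listeners() {
    grep -Eo 'tcp://(0\.0\.0\.0|\[::\])(:[0-9]+)?' || true
}

demo() {
    dir=$(mktemp -d) || return 1
    printf '[Service]\nExecStart=/usr/bin/dockerd -H fd://\n' > "$dir/docker.service"
    printf '[Service]\nExecStart=\nExecStart=%s\n' \
        '/usr/bin/docker -d -H tcp://0.0.0.0:2375 -H unix:///var/run/docker.sock --insecure-registry 10.2.3.4:5000' \
        > "$dir/override.conf"
    cmd=$(effective_execstart "$dir/docker.service" "$dir/override.conf")
    echo "effective: $cmd"
    echo "insecure:  $(printf '%s\n' "$cmd" | insecure_registries)"
    echo "wildcard:  $(printf '%s\n' "$cmd" | wildcard_tcp_listeners)"
    rm -rf "$dir"
}
demo
```

On a real host, pass the paths shown on the Loaded: and Drop-In: lines of `systemctl status docker`, unit file first.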
    

    The following has been tested with:

    ubuntu@ubuntu-xenial:~$ docker -v
    Docker version 17.05.0-ce, build 89658be
    

    I tried all of above mentioned answers, but none of these worked for me.

    I was following these instructions in order to make it work

    openssl req \
      -newkey rsa:4096 -nodes -sha256 -keyout certs/domain.key \
      -x509 -days 365 -out certs/domain.crt
    

    and

    Linux: Copy the domain.crt file to
    /etc/docker/certs.d/myregistrydomain.com:5000/ca.crt on every Docker
    host. You do not need to restart Docker.
    

    and other issues occurred that were solved as follows:

    Issue 1

    Error response from daemon: Get https://10.20.30.40:8001/v1/users/: x509: cannot validate certificate for 10.20.30.40 because it doesn't contain any IP SANs
    

    solution

    host mapping in /etc/hosts:

    10.20.30.40 somehost
    

    Issue 2

    Error response from daemon: Get https://somehost:8001/v1/users/: x509: certificate is valid for , not somehost
    

    solution

    rerun the openssl command

    $ openssl req \
      -newkey rsa:4096 -nodes -sha256 -keyout certs/domain.key \
      -x509 -days 365 -out certs/domain.crt
    

    press enter at every step except at:

    Common Name (e.g. server FQDN or YOUR name) []:
    

    and type the fqdn of the registry, i.e. somehost

    Be sure to use the name myregistrydomain.com as a CN.

    logging in to the registry succeeds now

    Issue 3

    Error response from daemon: Get https://somehost:8001/v1/users/: x509: certificate signed by unknown authority

    solution

    sudo mkdir -p /etc/docker/certs.d/somehost:8001/
    sudo cp certs/domain.crt /etc/docker/certs.d/somehost:8001/ca.crt
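
Issues 1 and 2 in the answer above both come from which names the certificate carries. As an added example (not part of the original answer), this script issues the same kind of self-signed certificate with a subjectAltName covering both somehost and 10.20.30.40, then checks the result before it is copied to certs.d. The function names and the optional key-size argument are hypothetical, and -addext assumes OpenSSL 1.1.1 or newer.

```shell
#!/bin/sh
# Constructed example: registry certificate that names the host AND the IP,
# verified before it is installed as /etc/docker/certs.d/<host:port>/ca.crt.
# Assumption: OpenSSL 1.1.1+ (needed for -addext).

# make_registry_cert OUTDIR HOSTNAME IP [BITS]
# Writes OUTDIR/domain.key and OUTDIR/domain.crt (self-signed, 365 days).
make_registry_cert() {
    mkdir -p "$1" || return 1
    openssl req -newkey "rsa:${4:-4096}" -nodes -sha256 \
        -keyout "$1/domain.key" -x509 -days 365 -out "$1/domain.crt" \
        -subj "/CN=$2" \
        -addext "subjectAltName=DNS:$2,IP:$3"
}

# cert_covers CERT host|ip VALUE
# Succeeds only if the certificate is valid for VALUE. openssl prints
# "... does match certificate" or "... does NOT match certificate".
cert_covers() {
    case "$2" in
        host) opt=-checkhost ;;
        ip)   opt=-checkip ;;
        *)    return 2 ;;
    esac
    openssl x509 -in "$1" -noout "$opt" "$3" | grep -q 'does match certificate'
}

# Usage (values taken from the answer above):
#   make_registry_cert certs somehost 10.20.30.40 &&
#   cert_covers certs/domain.crt host somehost &&
#   cert_covers certs/domain.crt ip 10.20.30.40
```

With both entries present, clients can reach the registry by IP or by name without the /etc/hosts mapping, and the same domain.crt is what goes into certs.d.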
    

    To save you hassle, why don’t you just use the FREE private docker registry service provided by gitlab – works great

    https://about.gitlab.com/2016/05/23/gitlab-container-registry/

    Their registry is secure so you won’t have any issues
