Docker Private Registry: ping attempt failed

I’m trying to set up my private Docker Registry and I’m following the official documentation.
I have installed Docker and I’m able to run my registry on my server, but I want my registry to be more widely available.
My Docker server with the private registry is installed on an AWS instance.

docker run -d -p 5000:5000 --restart=always --name registry \
  -v `pwd`/certs:/certs \
  -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt \
  -e REGISTRY_HTTP_TLS_KEY=/certs/domain.key \
  registry:2

I’m able to ping this instance by:

ping ec2-xx-xx-xx-xx.xx-west/east-1.compute.amazonaws.com

But pushing is not possible:

The push refers to a repository [ec2-xx-xx-xx-xx.compute.amazonaws.com:5000/ubuntu] (len: 1)
unable to ping registry endpoint https://ec2-xx-xx-xx-xx.compute.amazonaws.com:5000/v0/
v2 ping attempt failed with error: Get https://ec2-xx-xx-xx-xx.compute.amazonaws.com:5000/v2/: dial tcp 10.x.x.x:5000: i/o timeout
v1 ping attempt failed with error: Get https://ec2-xx-xx-xx-xx.amazonaws.com:5000/v1/_ping: dial tcp 10.0.x.x:5000: i/o timeout

How do I make my registry accessible to other AWS instances?

I am also getting a similar error when trying to push Docker images to the registry. The registry hangs for some time with the same error and, after trying to push multiple times, the push succeeds. Is it something to do with the registry version? Any suggestions to replicate these errors or overcome them are highly appreciated.

Do you have port 5000 open in your AWS security group? I’d expect a network timeout without port 5000 opened.

It’s open for UDP. Is that enough?

The Docker Registry communicates over TCP, not UDP. It is an HTTPS service.

I’ve changed it, but I still get the same error.

It was late, the error changed after changing the port:
unable to ping registry endpoint https://ec2-xx-xx-xx-xx.compute.amazonaws.com:5000/v0/
v2 ping attempt failed with error: Get https://ec2-xx-xx-xx-xx.compute.amazonaws.com:5000/v2/: dial tcp 10.0.x.x:5000: connection refused
v1 ping attempt failed with error: Get https://ec2-xx-xx-xx-xx.compute.amazonaws.com:5000/v1/_ping: dial tcp 10.0.x.x:5000: connection refused

I followed this: https://github.com/docker/distribution/blob/master/docs/insecure.md#using-self-signed-certificates
I’ve created my certificates. My registry can find them but not read them:
I already tried chmod 777 and chown:

time="2015-12-08T09:30:55Z" level=fatal msg="open /certs/domain.crt: permission denied"

and

unable to ping registry endpoint https://ec2-xx-xx-xx-xx.compute.amazonaws.com:5000/v0/
v2 ping attempt failed with error: Get https://ec2-xx-xx-xx-xx.compute.amazonaws.com:5000/v2/: dial tcp      10.0.x.x:5000: no route to host
v1 ping attempt failed with error: Get https://ec2-xx-xx-xx-xx.compute.amazonaws.com:5000/v1/_ping: dial tcp 10.0.x.x:5000: no route to host

The issue you’re likely having is that you need to associate a common name / string with your self-signed certs. i.e. my.registry.common.name

Once you associate this common name, you need to map the private ip of your host to that common name in your /etc/hosts file:

e.g.
10.0.0.45 my.registry.common.name

Once you’ve done this, create a directory associated with your common name…

e.g.
mkdir /etc/docker/certs.d/my.registry.common.name:5000

then place your .crt file inside of this directory.

This is the directory where Registry looks for your TLS cert.

As for issues with SELinux and Docker not being allowed to read in your /certs directory, try the following:

chcon -Rt svirt_sandbox_file_t ~/certs/
chcon -Rt svirt_sandbox_file_t ~/data/

Thanks, this was already a great help. The permission error is gone.
Can I really choose the name my.registry.common.name or do I have to use the name of my EC2 instance:
ec2-xx-xx-xx-xx.us-xxx-1.compute.amazonaws.com

Because now I’m getting:
unable to ping registry endpoint https://ec2-xx-xx-xx-xx.us-xxx-1.compute.amazonaws.com:5000/v0/
v2 ping attempt failed with error: Get https://ec2-xx-xx-xx-xx.us-xxx-1.compute.amazonaws.com:5000/v2/: net/http: TLS handshake timeout
v1 ping attempt failed with error: Get https://ec2-xx-xx-xx-xx.us-xxx-1.compute.amazonaws.com:5000/v1/_ping: net/http: TLS handshake timeout

Hi Lorenz,

So now, instead of pushing / pulling from ec2-xx-xx-xx-xx.us-xxx-1.compute.amazonaws.com:5000, you will push / tag / pull as my.registry.common.name:5000.

E.g. docker pull my.registry.common.name:5000/hello-world

Cheers,
Garet

Okay, so I can really choose any name? (What name do I have to give as CNAME when I generate my certificates?) Thanks

I’ve done all the steps you said:

  • Created my self-signed certificates

  • Created my registry

  • Gave the right permissions: registry is running:

    time="2015-12-14T07:43:23Z" level=warning msg="No HTTP secret provided - generated random secret. This may cause problems with uploads if multiple registries are behind a load-balancer. To provide a shared secret, fill in http.secret in the configuration file or set the REGISTRY_HTTP_SECRET environment variable." go.version=go1.5.2 instance.id=85b9c6ec-5e74-47d6-ad52-784c59bb7d1c version=v2.2.1
    time="2015-12-14T07:43:23Z" level=info msg="redis not configured" go.version=go1.5.2 instance.id=85b9c6ec-5e74-47d6-ad52-784c59bb7d1c version=v2.2.1
    time="2015-12-14T07:43:23Z" level=info msg="using inmemory blob descriptor cache" go.version=go1.5.2 instance.id=85b9c6ec-5e74-47d6-ad52-784c59bb7d1c version=v2.2.1
    time="2015-12-14T07:43:23Z" level=info msg="Starting upload purge in 56m0s" go.version=go1.5.2 instance.id=85b9c6ec-5e74-47d6-ad52-784c59bb7d1c version=v2.2.1
    time="2015-12-14T07:43:23Z" level=info msg="listening on [::]:5000, tls" go.version=go1.5.2 instance.id=85b9c6ec-5e74-47d6-ad52-784c59bb7d1c version=v2.2.1

  • Edited /etc/hosts and added 10.0.0.X private-registry (my internal IP and the name of my registry)

  • Copied my domain.crt to /etc/docker/cert.d/private-registry:5000/domain.crt

Error:

The push refers to a repository [private-registry:5000/ubuntu] (len: 1)
unable to ping registry endpoint https://private-registry:5000/v0/
v2 ping attempt failed with error: Get https://private-registry:5000/v2/: net/http: TLS handshake timeout
v1 ping attempt failed with error: Get https://private-registry:5000/v1/_ping: net/http: TLS handshake timeout

@gjvoit

I have a registry which is using self-signed certificates. OpenShift will create images for my s2i projects and those will be stored in the OpenShift Docker Registry. From there I want to push them manually to my own registry (which is using self-signed certificates).

I try to push an image to my registry:
[centos@ip-10-0-0-xx myregistrydomain.com:5000]$ docker push myregistrydomain.com:5000/ubuntu
The push refers to a repository [myregistrydomain.com:5000/ubuntu] (len: 1)
unable to ping registry endpoint https://myregistrydomain.com:5000/v0/
v2 ping attempt failed with error: Get https://myregistrydomain.com:5000/v2/: net/http: TLS handshake timeout
v1 ping attempt failed with error: Get https://myregistrydomain.com:5000/v1/_ping: net/http: TLS handshake timeout

The logs of my registry:
time="2015-12-15T13:44:05Z" level=warning msg="No HTTP secret provided - generated random secret. This may cause problems with uploads if multiple registries are behind a load-balancer. To provide a shared secret, fill in http.secret in the configuration file or set the REGISTRY_HTTP_SECRET environment variable." go.version=go1.5.2 instance.id=a785b46c-6eac-4fff-9d78-0774abd46a8c version=v2.2.1
time="2015-12-15T13:44:05Z" level=info msg="redis not configured" go.version=go1.5.2 instance.id=a785b46c-6eac-4fff-9d78-0774abd46a8c version=v2.2.1
time="2015-12-15T13:44:05Z" level=info msg="using inmemory blob descriptor cache" go.version=go1.5.2 instance.id=a785b46c-6eac-4fff-9d78-0774abd46a8c version=v2.2.1
time="2015-12-15T13:44:05Z" level=info msg="Starting upload purge in 55m0s" go.version=go1.5.2 instance.id=a785b46c-6eac-4fff-9d78-0774abd46a8c version=v2.2.1
time="2015-12-15T13:44:05Z" level=info msg="listening on [::]:5000, tls" go.version=go1.5.2 instance.id=a785b46c-6eac-4fff-9d78-0774abd46a8c version=v2.2.1
2015/12/15 13:44:34 http: TLS handshake error from 10.0.0.xx:43442: EOF
2015/12/15 13:44:39 http: TLS handshake error from 10.0.0.xx:43443: EOF
2015/12/15 13:44:49 http: TLS handshake error from 10.0.0.xx:43460: EOF
2015/12/15 13:45:25 http: TLS handshake error from 10.0.0.xx:43479: tls: first record does not look like a TLS handshake
2015/12/15 13:45:58 http: TLS handshake error from 10.0.0.xx:43488: EOF
2015/12/15 13:46:03 http: TLS handshake error from 10.0.0.xx:43491: EOF
2015/12/15 13:46:13 http: TLS handshake error from 10.0.0.xx43496: EOF

Curl:
http:
[centos@ip-10-0-0-xx myregistrydomain.com:5000]$ curl -v myregistrydomain.com:5000

GET / HTTP/1.1
User-Agent: curl/7.29.0
Host: myregistrydomain.com:5000
Accept: */*

https:
[centos@ip-10-0-0-xx myregistrydomain.com:5000]$ curl -v https://myregistrydomain.com:5000

* About to connect() to myregistrydomain.com port 5000 (#0)
*   Trying 10.0.0.xx...
* Connected to myregistrydomain.com (10.0.0.xx) port 5000 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none

No prompt

Ping
[centos@ip-10-0-0-xx myregistrydomain.com:5000]$ ping myregistrydomain.com
PING myregistrydomain.com (10.0.0.xx) 56(84) bytes of data.
64 bytes from myregistrydomain.com (10.0.0.xx): icmp_seq=1 ttl=64 time=0.033 ms
64 bytes from myregistrydomain.com (10.0.0.xx): icmp_seq=2 ttl=64 time=0.042 ms

Hi friend.
You installed the registry which is provided by Docker. It does not use SSL, so you should disable SSL on the client host.
If your client host's environment is CentOS 7,
you should modify the file "/usr/lib/systemd/system/docker.service"
and add the option "--insecure-registry=[registry-host]:5000" to disable SSL between the client host and the registry host.

So a key thing when you are using a Docker registry instance in AWS with an ELB in front of the registry server: make sure your ELB Idle Timeout setting is at the maximum value if you have several large image layers to push to the registry server. The default value is 60 sec and the maximum possible is 3600 sec.

I have this same issue, however chcon -Rt svirt_sandbox_file_t ~/certs/ doesn’t work for me.

I have the same confusion as everyone else, but only a similar error, "https://***:5000/v1/_ping: forbidden port", came up in my case. As yet there is no valid solution.