Docker registry unreachable

I’ve set up my self-signed docker registry but cannot access it from docker.

Everything seems to be fine until I want to ‘docker pull’:

[root@sbox-01 ~]# nc controller 5000 -v
Connection to controller 5000 port [tcp/commplex-main] succeeded!
^C
[root@sbox-01 ~]# curl -i --cacert /etc/docker/certs.d/controller:5000/ca.crt controller:5000/v2
HTTP/1.0 200 OK
Date: Tue, 27 Oct 2015 05:58:50 GMT
X-Cache: MISS from xxx.local
X-Cache-Lookup: MISS from xxx.local:3128
Via: 0.9 xxx.local:3128 (squid/2.7.STABLE6)

[root@sbox-01 ~]# docker pull controller:5000/tomcat7-jre7
Error response from daemon: invalid registry endpoint https://controller:5000/v0/: unable to ping registry endpoint https://controller:5000/v0/
v2 ping attempt failed with error: Get https://controller:5000/v2/: x509: certificate is valid for controller.statlogics.local, not controller
v1 ping attempt failed with error: Get https://controller:5000/v1/_ping: x509: certificate is valid for controller.statlogics.local, not controller. If this private registry supports only HTTP or HTTPS with an unknown CA certificate, please add --insecure-registry controller:5000 to the daemon's arguments. In the case of HTTPS, if you have access to the registry's CA certificate, no need for the flag; simply place the CA certificate at /etc/docker/certs.d/controller:5000/ca.crt

I’m running the repository from a docker container. The issue is the same on the repository’s host machine:

[root@controller ~]# docker ps
CONTAINER ID        IMAGE               COMMAND                CREATED             STATUS              PORTS                    NAMES
ef1f00a5e8b5        registry:2          "/bin/registry /etc/   15 hours ago        Up 15 hours         0.0.0.0:5000->5000/tcp   registry
[root@controller ~]# curl -i --cacert /opt/docker-images/certs/domain.crt controller:5000/v2
HTTP/1.0 200 OK
Date: Tue, 27 Oct 2015 06:15:42 GMT
X-Cache: MISS from xxx.local
X-Cache-Lookup: MISS from xxx.local:3128
Via: 0.9 xxx.local:3128 (squid/2.7.STABLE6)
[root@controller ~]# docker pull controller:5000/tomcat7-jre7
Error response from daemon: invalid registry endpoint https://controller:5000/v0/: unable to ping registry endpoint https://controller:5000/v0/
v2 ping attempt failed with error: Get https://controller:5000/v2/: Forbidden
v1 ping attempt failed with error: Get https://controller:5000/v1/_ping: Forbidden. If this private registry supports only HTTP or HTTPS with an unknown CA certificate, please add --insecure-registry controller:5000 to the daemon's arguments. In the case of HTTPS, if you have access to the registry's CA certificate, no need for the flag; simply place the CA certificate at /etc/docker/certs.d/controller:5000/ca.crt

So the REST v2 interface is accessible for curl but not accessible from within docker. Neither from the registry host nor from any other docker host.

Both machines are Docker 1.7.1 on CentOS 6.

Any idea?
SELinux settings?
iptables?
May I try ‘yum install docker-registry’?

I started the registry with this command:

docker run -d -p 5000:5000 --restart=always --name registry -v /opt/docker-images/certs:/certs:ro -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt -e REGISTRY_HTTP_TLS_KEY=/certs/domain.key registry:2
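
The x509 error quoted above says the certificate names controller.statlogics.local while the client dialed controller. As an added example (not part of the original post), the script below builds a throwaway self-signed certificate for that name and reports which hostnames it covers; the function names and the temporary directory are assumptions made for the illustration.

```sh
#!/bin/sh
# Added example: check which hostnames a registry certificate covers.
# The certificate below is constructed for the demo; only the two hostnames
# and port 5000 come from the error message in the post.

# Create a throwaway self-signed cert. $1 = subject name, $2 = output dir.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
        -keyout "$2/domain.key" -out "$2/domain.crt" 2>/dev/null
}

# Succeeds only if the cert ($1) is valid for the hostname ($2) a client dials.
cert_covers_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" |
        grep -q 'does match certificate'
}

# Print one verdict line per hostname. $1 = cert file, rest = hostnames.
report() {
    cert=$1; shift
    for host in "$@"; do
        if cert_covers_host "$cert" "$host"; then
            echo "OK       $host"
        else
            echo "MISMATCH $host (TLS clients reject https://$host:5000/)"
        fi
    done
}

workdir=$(mktemp -d)
make_sample_cert controller.statlogics.local "$workdir"
report "$workdir/domain.crt" controller controller.statlogics.local
# For a real registry, point report at its certificate instead, e.g.
#   report /opt/docker-images/certs/domain.crt controller controller.statlogics.local
```

The curl checks in the post name no scheme, so curl spoke plain HTTP through the squid proxy (see the Via header) and never exercised the registry's TLS certificate. Running `curl --noproxy controller --cacert /etc/docker/certs.d/controller:5000/ca.crt https://controller:5000/v2/` tests the connection over TLS and without the proxy.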