How to configure as insecure a registry running in a container?

nicolasduminil · October 7, 2021, 3:04pm

Hi,
I’m running a docker registry in a container, using the registry:latest image. I need to configure this registry as insecure. Since I’m using Ubuntu 20.04 LTS, I have to modify the file /etc/docker/daemon.json such that to read as follows:

{
  "insecure-registries" : ["<my-registry-ip>:5000"]
}

where my-registry-ip is the IP address of the docker container running the registry, as displayed by the docker inspect command.

But this IP address is ephemeral. It is allocated during a maven build process using the docker-compose-maven-plugin plugin, like below:

version: "2.4"
  networks:
   demo-network:
     driver: bridge
services:
  registry:
    image: registry:latest
    networks:
      demo-network:
        aliases:
          - registry
    hostname: registry
    container_name: registry
    ports:
      - "5000:5000"

Running that, the IP address would be something like 172.18.0.x, where “x” is different across different builds.
So, how could I manage this case ?
Many thanks in advance.

Kind regards,
Nicolas

nicolasduminil · October 12, 2021, 2:05pm

Hi, is anybody concerned by this issue ?

meyay · October 13, 2021, 6:18am

Relying on the container ip is typicaly a sign that you try to do something that is supposed to be solved in a different way. You already publish port 5000, you will want to use the host ip, instead of the container ip.

nicolasduminil · October 13, 2021, 10:37am

Saying that something has to be solved in a different way doesn’t make much sense as long as you don’t mention in which way. Not sure whether you’ve understood the issue I’m facing but using another IP address then the one of the container doesn’t make sense neither as long as that’s the IP address of the container I need.

meyay · October 13, 2021, 6:46pm

Just to be sure: you did unstand what I suggested regarding the port mapping and thought it thru and concluded that it doesn’t make sense for your situation?

I am looking from the perspective of what you need to archive what you want… which is at the core a reliable ip to add as insecure registry. Maybee you know something I missed in the last 7 years using docker. Who knows?!

Good luck in archiving what your want!

nicolasduminil · October 14, 2021, 8:43am

You’re talking too much for someone who doesn’t have anything to propose. Please refrein from replying as far as you don’t provide any solution such that to let other persons, who understand the issue, to contribute.

matthiasradde · October 14, 2021, 1:05pm

Hey Nicolas,

please come down. Metin was providing a solution for your question.

And Metin is right: connecting directly to container’s IP-addresses is not a good idea - they may change every time you (re-)start this container. Instead map the needed port to your host-computer and use the host-computer’s ip-address instead.

Let me pack it in some more descriptive words (but the ingredients still stay the same):
You are already mapping container’s port 5000 to your host’s port 5000 - which is good.
Why do you try to directly connect to the container’s IP-address when you can use your host’s IP-address instead?
So configure your host’s ip-address as insecure registry and access this ip-address every time you push to or pull from your registry. You even can use 127.0.0.1:5000 to connect from your host to the registry’s container port :5000.

Best regards
Matthias

nicolasduminil · October 14, 2021, 2:20pm

Hey Matthias,
I don’t need to calm down as I’m already very calm.
If you and Metin read again my post, this time carrefuly, you’ll see the following:
"But this IP address is ephemeral. It is allocated during a maven build process using the docker-compose-maven-plugin plugin …"
So there is no need to explain to me at what point using an ephemeral IP address is a bad idea since this is exactly the point of the post and the object of the question: how to avoid to hardcode an IP address in a config file ?
You think that using the host IP, i.e. 127.0.0.1, would be the solution.
First, I would like to mention that Metin’s post didn’t say that but was talking about ports mapping, not IP addresses. And just mapping the TCP port 5000 to another one won’t change anything as far as the IP address is the same.
Second, you’re saying that I could replace any IP address of any Docker container running on the same host by the host’s IP address. While it is true that any IP address of any Docker contaner running on the host is mapped to the host’s IP address, doing that it would allow any Docker container running on the host to access to the given private registry, which isn’t at all what I’m trying to achieve.
What I’m trying to achieve is to allow one Docker container, among all the Docker containers running on the host, to access the registry. Hence, I need to mention this Docker container’s IP address in the config file and not the host’s one.
In any case, I think that my post was clear. And the solution is probably not to statically configure the Docker daemon in the daemon.json file but to start the k8s cluster, in which all the containers run, with the --insecure-registry argument and to give it as a value the registry’s IP address, dynamically extracted on the behalf of the Docker plugin for maven.
Metin replied to my post but without really providing a real answer, hence my reaction.
Kind reagards,
Nicolas

meyay · October 14, 2021, 7:19pm

You realy put joy in the life of volunteers with your tone! The tone of your reaction is wrong in so many ways…