Docker Community Forums


Invalid registry endpoint


(Eric5102) #1

I am on a trial of the DTR in AWS. Since it is a trial I don’t have a certificate yet.
When I tried this with a custom private registry I simply added

other_args="--insecure-registry 172.x.x.x"

to /etc/sysconfig/docker. This does not seem to work with the DTR. Based on other posts I also tried to add

DOCKER_OPTS="--insecure-registry 172.x.x.x"

to /etc/default/docker but it does not help either.

This is the detailed error I get when I try to log in before a push:

Error response from daemon: invalid registry endpoint https://172.x.x.x/v0/: unable to ping registry endpoint https://172.x.x.x/v0/
v2 ping attempt failed with error: Get https://172.x.x.x/v2/: x509: cannot validate certificate for 172.x.x.x because it doesn't contain any IP SANs
 v1 ping attempt failed with error: Get https://172.x.x.x/v1/_ping: x509: cannot validate certificate for 172.x.x.x because it doesn't contain any IP SANs. If this private registry supports only HTTP or HTTPS with an unknown CA certificate, please add `--insecure-registry 172.x.x.x` to the daemon's arguments. In the case of HTTPS, if you have access to the registry's CA certificate, no need for the flag; simply place the CA certificate at /etc/docker/certs.d/172.x.x.x/ca.crt

Am I missing something or is it a DTR problem?

Thank you

Eric


(Ralph Kincade) #2

Can you browse to the 172.x.x.x address with a web browser?


(Eric5102) #3

Yes, I can, and I can log in to the DTR admin portal just fine.


(Eric5102) #4

btw, if you ask because of the “unable to ping registry endpoint”, the DTR was installed from an AWS Marketplace image (https://aws.amazon.com/marketplace/pp/B00YD5KSNC/ref=srh_res_product_title?ie=UTF8&sr=0-2&qid=1442341812372) and the default security group it creates opens only 80, 443 and 22.


(Eric5102) #5

In case this can help someone else:

a) the Domain name in DTR settings must be set to a fully qualified name
b) In /etc/sysconfig/docker you should have a line like this: OPTIONS="--default-ulimit nofile=1024:4096 --insecure-registry ec2-x-x-x-x.compute-1.amazonaws.com" (replace that dummy address with a fully qualified name, not an IP)
c) restart docker on the client (service docker restart) and check if the service is indeed using the proper flag: ps -ef | grep docker

Tips:

  1. how to check the DTR backend status: https://ec2-x-x-x-x.compute-1.amazonaws.com/load_balancer_status
  2. checking the DTR answer with curl (should get a 401): curl -l -k https://ec2-x-x-x-x.compute-1.amazonaws.com/v2/
  3. If the DTR is configured to use S3 storage but for some reason can’t access it you will see errors in the DTR logs about failing to gather storage metrics. More importantly the storage containers of the DTR will restart constantly (use docker ps to check this). Once fixed, you can restart all the DTR containers with sudo bash -c "$(sudo docker run docker/trusted-registry restart)"
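
Step c) in post #5 checks the running daemon's flags by eye with ps. The following is an added example, not part of the original posts and not Docker tooling: it lists every registry a daemon command line exempts from certificate validation via --insecure-registry and confirms the expected one is in effect. The sample command line and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit --insecure-registry entries on a Docker daemon command line.
# Constructed sample of what `ps -ef | grep docker` might show after step c).
SAMPLE_CMDLINE='/usr/bin/docker -d --default-ulimit nofile=1024:4096 --insecure-registry ec2-x-x-x-x.compute-1.amazonaws.com'

# Print each --insecure-registry value in a command line, one per line.
# Accepts "--insecure-registry HOST" and "--insecure-registry=HOST".
insecure_registries() (
    set -f                      # no glob expansion while word-splitting
    next=0
    for word in $(printf '%s' "$1" | tr -d "\"'"); do
        if [ "$next" -eq 1 ]; then
            printf '%s\n' "$word"; next=0
        elif [ "$word" = "--insecure-registry" ]; then
            next=1
        else
            case $word in
                --insecure-registry=*) printf '%s\n' "${word#--insecure-registry=}" ;;
            esac
        fi
    done
)

# Succeed only if HOST ($2) is among the exempted registries of command line $1.
registry_is_exempt() {
    insecure_registries "$1" | grep -Fxq -- "$2"
}

# Succeed if the entry is a bare IPv4 address (optionally with :port or /mask),
# which post #5 says to replace with a fully qualified name.
is_ipv4_entry() {
    printf '%s\n' "$1" | grep -Eq '^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+([:/][0-9]+)?$'
}

# Report every exemption; return 1 if the expected registry ($2) is not in effect.
audit_daemon() {
    for reg in $(insecure_registries "$1"); do
        if is_ipv4_entry "$reg"; then
            echo "TLS verification disabled for $reg (IP entry, use the FQDN)"
        else
            echo "TLS verification disabled for $reg"
        fi
    done
    registry_is_exempt "$1" "$2"
}

audit_daemon "$SAMPLE_CMDLINE" 'ec2-x-x-x-x.compute-1.amazonaws.com'
```

On a live host, pass the daemon's real arguments instead of the sample, for example the line printed by ps -ef | grep docker.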