This repository has been archived by the owner. It is now read-only.

please add `--insecure-registry 172.27.25.59:5000` to the daemon's arguments #1005

Open
arnos opened this Issue May 22, 2015 · 24 comments

arnos commented May 22, 2015

The docker instructions simply don't work.

Ubuntu 15.04, docker version 1.6.1

I've modified the docker service file

$ sudo vim /etc/init.d/docker
 # added --insecure-registry 172.27.25.59:5000 to the docker opts
DOCKER_OPTS=--insecure-registry 172.27.25.59:5000

restarted the service to no avail (sudo service docker restart)

I've followed the instructions for deploying the 2.0 registry with a TLS enabled https://docs.docker.com/registry/deploying/

and copied the generated crt file to /etc/docker/certs.d/172.27.25.59:5000/ca.crt and still I get the same error spit

 $ docker push 172.27.25.59:5000/nginx
FATA[0000] Error response from daemon: v1 ping attempt failed with error: Get https://172.27.25.59:5000/v1/_ping: dial tcp 172.27.25.59:5000: connection refused. If this private registry supports only HTTP or HTTPS with an unknown CA certificate, please add `--insecure-registry 172.27.25.59:5000` to the daemon's arguments. In the case of HTTPS, if you have access to the registry's CA certificate, no need for the flag; simply place the CA certificate at /etc/docker/certs.d/172.27.25.59:5000/ca.crt

And yet when you docker push localhost:5000/nginx it works like a charm (with TLS or without)

This is extremely frustrating to setup as the default instructions for the docker registry don't use TLS.

eaoliver May 22, 2015

I'm seeing this problem with the latest Docker registry image. It seems to have broken overnight.

dmp42 May 22, 2015

Member

@arnos can you copy the output of:

  • curl -i https://localhost:5000/v2
  • curl -i https://172.27.25.59:5000/v2

Can you also copy the output of your docker daemon logs (preferably ran in debug mode: -D)

Thanks.

dmp42 May 22, 2015

Member

@eaoliver are you referring to the image registry:2? or registry:latest?

dmp42 added the question label May 22, 2015

eaoliver May 22, 2015

@dmp42 I have tested both registry:2.0.1 and registry:latest.

dmp42 May 22, 2015

Member

@eaoliver registry:latest is still pointing to the python registry, which is this one repository here.

registry:2 is now the recommended way to go, and lives in https://github.com/docker/distribution

@eaoliver can you clarify what's wrong in your case?

@arnos problem is that his registry is probably not listening on the public interface (dial tcp 172.27.25.59:5000: connection refused)

Yours might very well be different, but I have no way to know without logs.

arnos May 22, 2015

I'll test it out on Monday
On 22 May 2015 6:49 pm, "Olivier Gambier" notifications@github.com wrote:

@eaoliver https://github.com/eaoliver registry:latest is still pointing
to the python registry, which is this one repository here.

registry:2 is now the recommended way to go, and lives in
https://github.com/docker/distribution

@eaoliver https://github.com/eaoliver can you clarify what's wrong in
your case?

@arnos https://github.com/arnos problem is that his registry is
probably not listening on the public interface (dial tcp 172.27.25.59:5000:
connection refused)

Yours might very well be different, but I have no way to know without logs.


XiaokunHou May 27, 2015

I added DOCKER_OPTS="$DOCKER_OPTS --insecure-registry=10.27.19.230:5000" to /etc/default/docker file. All works well.
You are using a wrong file. init.d folder is used for service.

arnos Jun 1, 2015

Sorry crazy week last week

starting from a clean vmdocker

I've followed @XiaokunHou advice but I am still getting the same error when running "docker run -d -p 5000:5000 registry:latest"

still getting the same error it's as if it's not even trying to ping the http port and just goes for https

FATA[0004] Error response from daemon: v1 ping attempt failed with error: Get https://172.27.25.59:5000/v1/_ping: EOF. If this private registry supports only HTTP or HTTPS with an unknown CA certificate, please add `--insecure-registry 172.27.25.59:5000` to the daemon's arguments. In the case of HTTPS, if you have access to the registry's CA certificate, no need for the flag; simply place the CA certificate at /etc/docker/certs.d/172.27.25.59:5000/ca.crt

and yes curl -1 http://172.27.25.59:5000/v1/_ping works fine and produces the expected result

HTTP/1.1 200 OK
Server: gunicorn/19.1.1
Date: Mon, 01 Jun 2015 13:35:05 GMT
Connection: keep-alive
X-Docker-Registry-Config: dev
Expires: -1
X-Docker-Registry-Standalone: True
Pragma: no-cache
Cache-Control: no-cache
Content-Type: application/json
Content-Length: 1540

{"host": ["Linux", "57b42740ea63", "3.19.0-16-generic", "#16-Ubuntu SMP Thu Apr 30 16:09:58 UTC 2015", "x86_64", "x86_64"], "launch": ["/usr/local/bin/gunicorn", "--access-logfile", "-", "--error-logfile", "-", "--max-requests", "100", "-k", "gevent", "--graceful-timeout", "3600", "-t", "3600", "-w", "4", "-b", "0.0.0.0:5000", "--reload", "docker_registry.wsgi:application"], "versions": {"M2Crypto.m2xmlrpclib": "0.22", "SocketServer": "0.4", "argparse": "1.1", "backports.lzma": "0.0.3", "blinker": "1.3", "cPickle": "1.71", "cgi": "2.6", "ctypes": "1.1.0", "decimal": "1.70", "distutils": "2.7.6", "docker_registry.app": "0.9.1", "docker_registry.core": "2.0.3", "docker_registry.server": "0.9.1", "email": "4.0.3", "flask": "0.10.1", "gevent": "1.0.1", "greenlet": "0.4.7", "gunicorn": "19.1.1", "gunicorn.arbiter": "19.1.1", "gunicorn.config": "19.1.1", "gunicorn.six": "1.2.0", "jinja2": "2.7.3", "json": "2.0.9", "logging": "0.5.1.2", "parser": "0.5", "pickle": "$Revision: 72223 $", "platform": "1.0.7", "pyexpat": "2.7.6", "python": "2.7.6 (default, Mar 22 2014, 22:59:56) \n[GCC 4.8.2]", "re": "2.2.1", "redis": "2.10.3", "requests": "2.3.0", "requests.packages.chardet": "2.2.1", "requests.packages.urllib3": "dev", "requests.packages.urllib3.packages.six": "1.2.0", "requests.utils": "2.3.0", "simplejson": "3.6.2", "sqlalchemy": "0.9.4", "tarfile": "$Revision: 85213 $", "urllib": "1.17", "urllib2": "2.7", "werkzeug": "0.10.4", "xml.parsers.expat": "$Revision: 17640 $", "xmlrpclib": "1.0.1", "yaml": "3.11", "zlib": "1.0"}}

running either curl -i https://localhost:5000/v2 or curl -i https://172.27.25.59:5000/v2 produces an error

curl: (35) Unknown SSL protocol error in connection to localhost:5000

the logs of the registry

[2015-06-01 13:25:48 +0000] [1] [INFO] Starting gunicorn 19.1.1
[2015-06-01 13:25:48 +0000] [1] [INFO] Listening at: http://0.0.0.0:5000 (1)
[2015-06-01 13:25:48 +0000] [1] [INFO] Using worker: gevent
[2015-06-01 13:25:48 +0000] [14] [INFO] Booting worker with pid: 14
[2015-06-01 13:25:48 +0000] [15] [INFO] Booting worker with pid: 15
[2015-06-01 13:25:48 +0000] [18] [INFO] Booting worker with pid: 18
[2015-06-01 13:25:48 +0000] [19] [INFO] Booting worker with pid: 19
01/Jun/2015:13:25:48 +0000 WARNING: Cache storage disabled!
01/Jun/2015:13:25:48 +0000 WARNING: LRU cache disabled!
01/Jun/2015:13:25:49 +0000 DEBUG: Will return docker-registry.drivers.file.Storage
01/Jun/2015:13:25:49 +0000 WARNING: Cache storage disabled!
01/Jun/2015:13:25:49 +0000 WARNING: LRU cache disabled!
01/Jun/2015:13:25:49 +0000 DEBUG: Will return docker-registry.drivers.file.Storage
01/Jun/2015:13:25:49 +0000 WARNING: Cache storage disabled!
01/Jun/2015:13:25:49 +0000 WARNING: LRU cache disabled!
01/Jun/2015:13:25:49 +0000 DEBUG: Will return docker-registry.drivers.file.Storage
01/Jun/2015:13:25:49 +0000 WARNING: Cache storage disabled!
01/Jun/2015:13:25:49 +0000 WARNING: LRU cache disabled!
01/Jun/2015:13:25:49 +0000 DEBUG: Will return docker-registry.drivers.file.Storage
01/Jun/2015:13:25:49 +0000 WARNING: Another process is creating the search database
01/Jun/2015:13:25:49 +0000 WARNING: Another process is creating the search database
01/Jun/2015:13:25:49 +0000 WARNING: Another process is creating the search database
172.17.42.1 - - [01/Jun/2015:13:26:36 +0000] "GET / HTTP/1.1" 200 28 "-" "curl/7.38.0"
172.17.42.1 - - [01/Jun/2015:13:26:52 +0000] "GET /v2 HTTP/1.1" 404 233 "-" "curl/7.38.0"
172.27.25.59 - - [01/Jun/2015:13:29:47 +0000] "GET /v1/_ping HTTP/1.1" 200 1540 "-" "curl/7.38.0"

running curl -i http://localhost:5000/v2 or curl -i http://172.27.25.59:5000/v2 produces a 404

HTTP/1.1 404 NOT FOUND
Server: gunicorn/19.1.1
Date: Mon, 01 Jun 2015 13:34:13 GMT
Connection: keep-alive
Content-Type: text/html
Content-Length: 233

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<title>404 Not Found</title>
<h1>Not Found</h1>
<p>The requested URL was not found on the server.  If you entered the URL manually please check your spelling and try again.</p>

arnos Jun 1, 2015

I tried various changes in the /etc/defaults/docker file as well

it doesn't seem to work with either of
--insecure-registry http://172.27.25.59:5000
--insecure-registry=172.27.25.59:5000
--insecure-registry 172.27.25.59:5000

XiaokunHou Jun 1, 2015

you should add these lines in client docker machine, rather than the registry host machine. Add it and restart service.
http://stackoverflow.com/questions/27792969/using-private-registry-hosted-on-docker/30478338#30478338

arnos Jun 1, 2015

right now the host and client are one and the same.

On Mon, Jun 1, 2015 at 11:03 AM, XiaokunHou notifications@github.com
wrote:

you should add these lines in client docker machine, rather than the
registry host machine.

http://stackoverflow.com/questions/27792969/using-private-registry-hosted-on-docker/30478338#30478338


dotNetDR Jul 3, 2015

In my CentOS Linux release 7.1.1503 (Core)
The following configuration is working.

file: /lib/systemd/system/docker.service text:

[Unit]
Description=Docker Application Container Engine
Documentation=https://docs.docker.com
After=network.target docker.socket
Requires=docker.socket

[Service]
EnvironmentFile=-/etc/sysconfig/docker
ExecStart=/usr/bin/docker -d $other_args -H fd://
MountFlags=slave
LimitNOFILE=1048576
LimitNPROC=1048576
LimitCORE=infinity

[Install]
WantedBy=multi-user.target

check here >> EnvironmentFile=-/etc/sysconfig/docker
check here >> ExecStart=/usr/bin/docker -d $other_args -H fd://


file: /etc/sysconfig/docker text:

# /etc/sysconfig/docker
#
# Other arguments to pass to the docker daemon process
# These will be parsed by the sysv initscript and appended
# to the arguments list passed to docker -d

other_args="--insecure-registry yoururl"

set registry address >> other_args="--insecure-registry yoururl"


# systemctl start docker


# docker version
Client version: 1.7.0
Client API version: 1.19
Go version (client): go1.4.2
Git commit (client): 0baf609
OS/Arch (client): linux/amd64
Server version: 1.7.0
Server API version: 1.19
Go version (server): go1.4.2
Git commit (server): 0baf609
OS/Arch (server): linux/amd64

wharsojo Sep 27, 2015

here's the steps I do using docker-machine to run docker private registry:

 ~$ docker-machine create dev -d virtualbox
 ~$ docker-machine ssh dev
 docker@dev:~$

add host-name in "/etc/hosts":

 docker@dev:~$ sudo vi /etc/hosts 
 127.0.0.1 localhub

update profile env. variable "EXTRA_ARGS" in "/var/lib/boot2docker/profile" add "--insecure-registry localhub:5000"

 docker@dev:~$ sudo vi /var/lib/boot2docker/profile
 EXTRA_ARGS='
 --label provider=virtualbox
 --insecure-registry localhub:5000
 '

create folder to host the images:

 docker@dev:~$ sudo mkdir /mnt/sda1/registry
 docker@dev:~$ sudo chown docker:staff /mnt/sda1/registry
 docker@dev:~$ exit

exit and back to my mac console & run private registry:

 ~$ docker run -p 5000:5000 -v /mnt/sda1/registry:/tmp/registry -e GUNICORN_OPTS='["--preload"]' --restart=always --name=registry registry

open another iterm, pull "hello-world", create another tag "localhub:5000/hello-world" and push it to private registry:

 ~$ docker pull hello-world
 ~$ docker tag hello-world localhub:5000/hello-world
 ~$ docker push localhub:5000/hello-world

try to use hello-world from private registry:

 ~$ docker run localhub:5000/hello-world

screenshot (gif-animation):
docker-private-registry

your first comment in this issue mentioned:

DOCKER_OPTS=--insecure-registry 172.27.25.59:5000

it should be:

DOCKER_OPTS="--insecure-registry 172.27.25.59:5000"

ZYNCMA Sep 28, 2015

your first comment in this issue mentioned:

DOCKER_OPTS=--insecure-registry 172.27.25.59:5000
it should be:

DOCKER_OPTS="--insecure-registry 172.27.25.59:5000"

I met the same problem.
Without quotation, parameters took no effect
Simply add quotation fixed the issue.
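
The quoting failure identified in the two comments above, as an added example that is not part of the thread: a shell audit that flags the unquoted assignment and shows which `--insecure-registry` values (registries the daemon will contact without TLS verification) actually survive. It assumes the defaults file is read by a POSIX shell with `.`; the function names and sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a Docker defaults file for the unquoted DOCKER_OPTS
# assignment discussed in this issue.
# Assumption: the init script reads the file with the POSIX "." command.

# Print "lineno:line" for each assignment whose unquoted value is followed by
# another word, e.g.  DOCKER_OPTS=--insecure-registry 172.27.25.59:5000
# Heuristic: a value with a quote in the middle of a word can be misreported.
# Returns grep's status: 0 if something was flagged, 1 if the file is clean.
lint_unquoted() {
    pat="^[[:space:]]*[A-Za-z_][A-Za-z0-9_]*=[^\"'[:space:]][^[:space:]]*[[:space:]]+[^[:space:]#]"
    grep -nE "$pat" "$1"
}

# Print the DOCKER_OPTS value that exists after the file has been sourced.
# A child shell is used so nothing leaks into the caller. For the unquoted
# form the shell treats "DOCKER_OPTS=--insecure-registry" as a one-off
# environment assignment for a command named "172.27.25.59:5000"; that
# command is not found, and the variable is never set.
effective_opts() {
    sh -c 'unset DOCKER_OPTS; . "$1" 2>/dev/null; printf "%s" "$DOCKER_OPTS"' sh "$1"
}

# List every registry named by --insecure-registry in an option string,
# accepting both "--insecure-registry X" and "--insecure-registry=X".
# Runs in a subshell so "set -f" (no globbing) does not affect the caller.
insecure_registries() (
    set -f
    set -- $1
    while [ $# -gt 0 ]; do
        case $1 in
            --insecure-registry=*)
                printf '%s\n' "${1#--insecure-registry=}"
                ;;
            --insecure-registry)
                if [ $# -ge 2 ]; then
                    printf '%s\n' "$2"
                    shift
                fi
                ;;
        esac
        shift
    done
)

# --- constructed sample input: the two forms quoted in the thread ---
tmp=$(mktemp -d)
printf '%s\n' 'DOCKER_OPTS=--insecure-registry 172.27.25.59:5000'   > "$tmp/unquoted"
printf '%s\n' 'DOCKER_OPTS="--insecure-registry 172.27.25.59:5000"' > "$tmp/quoted"

for f in "$tmp/unquoted" "$tmp/quoted"; do
    echo "== ${f##*/}"
    lint_unquoted "$f" || echo "lint: no unquoted multi-word assignment"
    opts=$(effective_opts "$f")
    echo "effective DOCKER_OPTS: [$opts]"
    echo "TLS verification disabled for: [$(insecure_registries "$opts")]"
done
rm -rf "$tmp"
```
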

ozbillwang Nov 8, 2015

Thanks, @wharsojo

Your solution works with docker toolbox. The only adjustment is on this line in /var/lib/boot2docker/profile

--insecure-registry 192.168.99.100:5000

pengfei-xue Dec 3, 2015

this works you SHOULD add this opts at /var/lib/boot2docker/profile

thanks, this really sucks.

pengfei-xue Dec 3, 2015

@wharsojo thanks

took two more hours for this issue.

niclarcipretti Dec 15, 2015

Anyone knows how to add --insecure-registry in windows virtualized solution? I don't want to modify my VM files cause whenever I upgrade it, all will be lost. I think this should be parametrized in the init script (start.sh maybe?).

Cheers

pengfei-xue Jan 4, 2016

@niclarcipretti you can open the virtualbox client , double click the running vm, input your username/password, it should be ok to go.

raghakk May 31, 2016

Setting Local insecure registry in docker along a proxy:

  1. in ubuntu add the following flag --insecure-registry IP:port under DOCKER_OPTS in file /etc/default/docker

1.1) configure no_proxy env variable to bypass local IP/hostname/domainname...as proxy can throw an interactive msg ...like continue and this intermediate msg confuses docker client and finally times out...[symptom observed: push done will not reach the registry service whose port is open at 5000]

1.2) if domainname is configured...then don't forget to update /etc/hosts file if not using DNS.

1.3) in /etc/default/docker set the env variables http_proxy and https_proxy...as it enables to download images from outside company hubs. format http_proxy=http://username:password@proxy:port

  1. restart the docker service...if installed as service, use sudo service docker restart

  2. restart the registry container [sudo docker run -p 5000:5000 registry:2 ]

  3. tag the required image using sudo docker tag imageid IP:port/imagename/tagname ifany

  4. push the image ...sudo docker push ip:port/imagename

  5. If u want to pull the image from another machine say B without TLS/SSL, then in B apply steps 1, 1.1 and 2. If these changes are not done in machine B...pull will fail.

prashantabkari Jan 23, 2017

I am facing the same issue, hence not opening a new issue. Following are the details
Master Node on which the registry is installed

On the file /lib/systemd/system/docker.service

EnvironmentFile=-/etc/sysconfig/docker
EnvironmentFile=-/etc/sysconfig/docker-storage
EnvironmentFile=-/etc/sysconfig/docker-network
Environment=GOTRACEBACK=crash
ExecStart=/usr/bin/docker-current daemon \
          --exec-opt native.cgroupdriver=systemd \
          $OPTIONS \
          $DOCKER_STORAGE_OPTIONS \
          $DOCKER_NETWORK_OPTIONS \
          $ADD_REGISTRY \
          $BLOCK_REGISTRY \
          $INSECURE_REGISTRY

the file /etc/sysconfig/docker has following contents

OPTIONS='--selinux-enabled --log-driver=journald'
if [ -z "${DOCKER_CERT_PATH}" ]; then
DOCKER_CERT_PATH=/etc/docker
fi

INSECURE_REGISTRY='--insecure-registry 10.143.219.59:5000'

When I try to do
docker pull 10.143.219.59:5000/hello-world
It fails.

How to set up an insecure registry?
Also, the documentation in https://docs.docker.com/registry/deploying/ doesn't specify where exactly we need to run these commands. On the registry host or the remote host?

zrml Mar 31, 2017

@prashantabkari those commands are to run on the host supporting the registry you've just spun up.
However I find that they ONLY work if you use "localhost". What I mean is:
- I can only push & pull if I use localhost
- if I use the hostname (fully DNS'd) inside the VPN I cannot push the image to the registry
- if I use the IP address, again it's like the previous issue.

The error hints at the fact that my client uses https, which I have not told it to, nor is it set up as such.

```
$ docker pull busybox
Using default tag: latest
latest: Pulling from library/busybox
7520415ce762: Pull complete
Digest: sha256:32f093055929dbc23dec4d03e09dfe971f5973a9ca5cf059cbfb644c206aa83f
Status: Downloaded newer image for busybox:latest

$ docker images
REPOSITORY             TAG      IMAGE ID       CREATED         SIZE
cache-sd               15       f7c0c8a91c4d   6 days ago      1.92 GB
busybox                latest   00f017a8c2a6   3 weeks ago     1.11 MB
registry               2        047218491f8c   3 weeks ago     33.2 MB
jjones028/apache-csp   latest   19402b7f7207   10 months ago   419 MB

$ docker tag busybox ub1604rel1:5000/me:1
$ docker images
REPOSITORY             TAG      IMAGE ID       CREATED         SIZE
cache-sd               15       f7c0c8a91c4d   6 days ago      1.92 GB
busybox                latest   00f017a8c2a6   3 weeks ago     1.11 MB
ub1604rel1:5000/me     1        00f017a8c2a6   3 weeks ago     1.11 MB
registry               2        047218491f8c   3 weeks ago     33.2 MB
jjones028/apache-csp   latest   19402b7f7207   10 months ago   419 MB

$ docker push ub1604rel1:5000/me:1
The push refers to a repository [ub1604rel1:5000/me]
Get https://ub1604rel1:5000/v1/_ping: http: server gave HTTP response to HTTPS client
```

Please note, again, that IF I do the above steps with "localhost" vs the hostname or the IP address it works.

d4rkd0s Aug 29, 2018

I am on Fedora 28 and the solution I found was changing /etc/sysconfig/docker:

```
OPTIONS='--selinux-enabled --log-driver=journald --live-restore'
```

to

```
OPTIONS='--selinux-enabled --log-driver=journald --live-restore --insecure-registry 172.30.0.0/16'
```

replace 172.16.0.0/16 with whatever you are trying to add as insecure.

Keep in mind other solutions reference DOCKER_OPTS, which is no longer used, at least by how systemctl spins up my docker. I've installed with dnf install docker, and my /lib/systemd/system/docker.service contained the following:

```
ExecStart=/usr/bin/dockerd-current \
          --add-runtime oci=/usr/libexec/docker/docker-runc-current \
          --default-runtime=oci \
          --authorization-plugin=rhel-push-plugin \
          --containerd /run/containerd.sock \
          --exec-opt native.cgroupdriver=systemd \
          --userland-proxy-path=/usr/libexec/docker/docker-proxy-current \
          --init-path=/usr/libexec/docker/docker-init-current \
          --seccomp-profile=/etc/docker/seccomp.json \
          $OPTIONS \
          $DOCKER_STORAGE_OPTIONS \
          $DOCKER_NETWORK_OPTIONS \
          $ADD_REGISTRY \
          $BLOCK_REGISTRY \
          $INSECURE_REGISTRY \
          $REGISTRIES
```

Where you can see it's OPTIONS that you'll want to change/add in your /etc/sysconfig/docker file instead of DOCKER_OPTS
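
Why `localhost:5000` works while a hostname or other IP fails, and how much a CIDR entry such as the `/16` above exempts from TLS verification, shown as an added example (not code from this thread or from Docker). It is a simplified model that assumes Docker's documented rule that registries in 127.0.0.0/8 are implicitly treated as insecure; the function names and the /24 threshold are this example's own, and hostnames are not resolved.

```python
import ipaddress
import shlex

# Constructed sample mirroring the /etc/sysconfig/docker lines quoted in the thread.
SAMPLE_SYSCONFIG = """\
OPTIONS='--selinux-enabled --log-driver=journald --live-restore --insecure-registry 172.30.0.0/16'
INSECURE_REGISTRY='--insecure-registry 10.143.219.59:5000'
"""

def insecure_entries(sysconfig_text):
    """Collect every --insecure-registry value from VAR='...' assignments."""
    entries = []
    for line in sysconfig_text.splitlines():
        name, sep, value = line.strip().partition("=")
        if not sep or not name.isidentifier():
            continue  # skips comments, blank lines and shell logic such as "if [ ... ]"
        try:
            args = shlex.split(" ".join(shlex.split(value)))
        except ValueError:
            continue  # unbalanced quotes: not a usable assignment
        for i, arg in enumerate(args):
            if arg == "--insecure-registry" and i + 1 < len(args):
                entries.append(args[i + 1])
            elif arg.startswith("--insecure-registry="):
                entries.append(arg.split("=", 1)[1])
    return entries

def _cidr(entry):
    """Only entries written with a slash are treated as networks."""
    try:
        return ipaddress.ip_network(entry, strict=False) if "/" in entry else None
    except ValueError:
        return None

def plain_http_allowed(registry, entries):
    """Model: may the daemon reach host[:port] without verified TLS? (IPv4/hostnames only)"""
    host = registry.split(":")[0]
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None  # hostname; this example does not resolve DNS
    if host == "localhost" or (ip is not None and ip.is_loopback):
        return True  # implicit rule for 127.0.0.0/8
    if registry in entries:
        return True  # exact host:port entry
    nets = [n for n in map(_cidr, entries) if n is not None]
    return ip is not None and any(ip in n for n in nets)

def broad_cidrs(entries, min_prefix=24):
    """CIDR entries wider than /min_prefix (threshold chosen for this example)."""
    return [e for e in entries if (n := _cidr(e)) is not None and n.prefixlen < min_prefix]
```

Every address inside a listed CIDR loses TLS verification, so `broad_cidrs` is worth running over daemon configs during review; an exact `host:port` entry or a CA certificate under `/etc/docker/certs.d/` keeps the exemption narrow.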
