-
| Previous Value | Current Value |
| Local registry access: allow insecure mode | Local docker registry access: allow insecure mode |
-
Here is more general context on the subject.
-
OneDev simply runs the specified commands on the specified docker image. Tuning the image to make the docker client accept insecure connections is currently outside of OneDev's scope.
-
Not sure that depends on the image -- and in this case I am using a Server Shell Executor that does not rely on any image, so that's on OneDev instead. The solution is to add `"insecure-registries":["{registry_IP_address}:5000"]` in the `daemon.json` file.
-
In future versions, OneDev may add built-in steps to build/push docker images (instead of requiring users to write shell commands to do that), and this will be taken care of. But that is a different topic.
-
So what you mean is that currently there is no solution to that (very common and annoying) issue except by using a Docker Executor and doing a docker-in-docker build? That is very very tricky, as you know...
-
| Name | Previous Value | Current Value |
| Priority | Normal | Major |
-
| Name | Previous Value | Current Value |
| Type | Support Request | Improvement |
-
But if the Server Shell Executor can be accessed in any way from a console (e.g. in Portainer, under the OneDev stack), I can take care of that myself.
-
I need to set up a local docker registry to test this out. So you are running OneDev itself inside docker?
-
Yes I do, more precisely: Proxmox <- LXC Container <- Docker <- OneDev
-
Hi Robin, if it can help, here is the `docker-compose.yml` I used to set up my registry and its interface -- works great:

```yaml
version: '2.0'
services:
  registry:
    image: registry:2
    container_name: reg
    volumes:
      - '{registry_volume}:/var/lib/registry'
    restart: unless-stopped
    labels:
      - 'com.centurylinklabs.watchtower.enable=true'
    ports:
      - 5000:5000
    networks:
      - registry-ui-net
  ui:
    image: joxit/docker-registry-ui:latest
    container_name: reg-gui
    restart: unless-stopped
    ports:
      - 5011:80
    environment:
      - REGISTRY_TITLE=Registry
      - SINGLE_REGISTRY=true
      - NGINX_PROXY_PASS_URL=http://192.168.1.46:5000
      - DELETE_IMAGES=true
    depends_on:
      - registry
    networks:
      - registry-ui-net
    labels:
      - 'com.centurylinklabs.watchtower.enable=true'
networks:
  registry-ui-net:
```
-
This turns out to be pretty easy:

Just edit `/etc/docker/daemon.json` of the host machine running OneDev to add the insecure registries. This works as the OneDev container runs with the option `-v /var/run/docker.sock:/var/run/docker.sock` to delegate docker related operations to the host.

Further, if you are running a job with `server docker executor`, OneDev will again use that option to avoid the docker-in-docker trouble, and the docker operations inside the job container will be routed back to the host machine as well.

To summarize, this setup will work both for `server shell executor` and `server docker executor`. I'd recommend using `server docker executor` if possible for environment isolation purposes, and it does not have the docker-in-docker issue due to using the host docker facility.
-
THANK YOU, I really appreciate the responsiveness of your support!
-
| Previous Value | Current Value |
| Open | Closed |
-
Also added a tutorial for this:
https://code.onedev.io/projects/162/blob/main/pages/insecure-docker-registry.md
| Type | Improvement |
| Priority | Major |
| Assignee | |
I expected this error would show up when I tried to connect to our local self-hosted registry:

`http: server gave HTTP response to HTTPS client`

Could you implement an "insecure" mode, just like Drone does (read here) or let me know how to handle the error?