From c405f3717a35a50c4fabeb98ecbdd2badcb84b12 Mon Sep 17 00:00:00 2001 From: Olivier Gambier Date: Sun, 31 May 2015 20:09:15 -0700 Subject: [PATCH] Minor fixes Signed-off-by: Olivier Gambier --- docs/deploying.md | 26 +++++++++++--------------- 1 file changed, 11 insertions(+), 15 deletions(-) diff --git a/docs/deploying.md b/docs/deploying.md index 434607fc9..46d9ce4c4 100644 --- a/docs/deploying.md +++ b/docs/deploying.md @@ -1,13 +1,12 @@ - # Deploying a registry server -You obviously need to [install Docker](https://docs.docker.com/installation/) (remember you need Docker version 1.6.0 or newer). +You obviously need to [install Docker](https://docs.docker.com/installation/) (remember you need **Docker version 1.6.0 or newer**). ## Getting started in 2 lines @@ -25,32 +24,29 @@ That's it. You can now tag an image and push it: - $ docker tag ubuntu localhost:5000/batman/ubuntu + $ docker pull ubuntu && docker tag ubuntu localhost:5000/batman/ubuntu $ docker push localhost:5000/batman/ubuntu -Then pull it: +Then pull it back: $ docker pull localhost:5000/batman/ubuntu ## Making your Registry available -Now that your registry works on localhost, you probably want to make it available as well to other hosts. +Now that your registry works on `localhost`, you probably want to make it available as well to other hosts. Let assume your registry is accessible via the domain name `myregistrydomain.com` (still on port `5000`). If you try to `docker pull myregistrydomain.com:5000/batman/ubuntu`, you will see the following error message: ``` -FATA[0000] Error response from daemon: v1 ping attempt failed with error: Get -https://nonregistry:5000/v1/_ping: dial tcp: lookup nonregistry: no such host. If -this private registry supports only HTTP or HTTPS with an unknown CA certificate, -please add `--insecure-registry nonregistry:5000` to the daemon's arguments. In -the case of HTTPS, if you have access to the registry's CA certificate, no need -for the flag; simply place the CA certificate at /etc/docker/certs.d/nonregistry:5000/ca.crt +FATA[0000] Error response from daemon: v1 ping attempt failed with error: Get https://myregistrydomain.com:5000/v1/_ping: tls: oversized record received with length 20527. If this private registry supports only HTTP or HTTPS with an unknown CA certificate, please add `--insecure-registry myregistrydomain.com:5000` to the daemon's arguments. In the case of HTTPS, if you have access to the registry's CA certificate, no need for the flag; simply place the CA certificate at /etc/docker/certs.d/myregistrydomain.com:5000/ca.crt ``` -You basically have three different options to comply with docker security requirements here. +If trying to reach a non `localhost` registry, Docker requires that you secure it using https, or make it explicit that you want to run an insecure registry. + +You basically have three different options to comply with that security requirement here. ### 1. buy a SSL certificate for your domain @@ -87,7 +83,7 @@ docker run -d -p 5000:5000 \ This basically tells Docker to entirely disregard security for your registry. -1. edit the file `/etc/default/docker` so that there is a line that reads: `DOCKER_OPTS="--insecure-registry myregistrydomain:5000"` (or add that to existing `DOCKER_OPTS`) +1. edit the file `/etc/default/docker` so that there is a line that reads: `DOCKER_OPTS="--insecure-registry myregistrydomain.com:5000"` (or add that to existing `DOCKER_OPTS`). Restart docker. 2. restart your Docker daemon: on ubuntu, this is usually `service docker stop && service docker start` **Pros:** @@ -113,7 +109,7 @@ Be sure to use the name `myregistrydomain.com` as a CN. Now go to solution 1 above and stop and restart your registry. -Then you have to instruct every docker daemon to trust that certificate. This is done by copying the `domain.crt` file to `/etc/docker/certs.d/myregistrydomain.com:5000/ca.crt` +Then you have to instruct every docker daemon to trust that certificate. This is done by copying the `domain.crt` file to `/etc/docker/certs.d/myregistrydomain.com:5000/ca.crt` (don't forget to restart docker after doing so). **Pros:**