vbatts/registry
1
0
Fork 0
Code Issues Pull requests Releases Wiki Activity

Minor fixes

Browse source 
Signed-off-by: Olivier Gambier <olivier@docker.com>
This commit is contained in:
Olivier Gambier 2015-05-31 20:09:15 -07:00
parent 56ff32c683
commit c405f3717a
1 changed files with 11 additions and 15 deletions
Download patch file Download diff file Expand all files Collapse all files

26
docs/deploying.md
View file

@ -1,13 +1,12 @@
<!--GITHUB
page_title: Deploying a registry server
page_description: Explains how to deploy a registry server
page_keywords: registry, service, images, repository
page_keywords: registry, service, images, repository, deploy
IGNORES-->
# Deploying a registry server
You obviously need to [install Docker](https://docs.docker.com/installation/) (remember you need Docker version 1.6.0 or newer).
You obviously need to [install Docker](https://docs.docker.com/installation/) (remember you need **Docker version 1.6.0 or newer**).
## Getting started in 2 lines
@ -25,32 +24,29 @@ That's it.
You can now tag an image and push it:
$ docker tag ubuntu localhost:5000/batman/ubuntu
$ docker pull ubuntu && docker tag ubuntu localhost:5000/batman/ubuntu
$ docker push localhost:5000/batman/ubuntu
Then pull it:
Then pull it back:
$ docker pull localhost:5000/batman/ubuntu
## Making your Registry available
Now that your registry works on localhost, you probably want to make it available as well to other hosts.
Now that your registry works on `localhost`, you probably want to make it available as well to other hosts.
Let assume your registry is accessible via the domain name `myregistrydomain.com` (still on port `5000`).
If you try to `docker pull myregistrydomain.com:5000/batman/ubuntu`, you will see the following error message:
```
FATA[0000] Error response from daemon: v1 ping attempt failed with error: Get
https://nonregistry:5000/v1/_ping: dial tcp: lookup nonregistry: no such host. If
this private registry supports only HTTP or HTTPS with an unknown CA certificate,
please add `--insecure-registry nonregistry:5000` to the daemon's arguments. In
the case of HTTPS, if you have access to the registry's CA certificate, no need
for the flag; simply place the CA certificate at /etc/docker/certs.d/nonregistry:5000/ca.crt
FATA[0000] Error response from daemon: v1 ping attempt failed with error: Get https://myregistrydomain.com:5000/v1/_ping: tls: oversized record received with length 20527. If this private registry supports only HTTP or HTTPS with an unknown CA certificate, please add `--insecure-registry myregistrydomain.com:5000` to the daemon's arguments. In the case of HTTPS, if you have access to the registry's CA certificate, no need for the flag; simply place the CA certificate at /etc/docker/certs.d/myregistrydomain.com:5000/ca.crt
```
You basically have three different options to comply with docker security requirements here.
If trying to reach a non `localhost` registry, Docker requires that you secure it using https, or make it explicit that you want to run an insecure registry.
You basically have three different options to comply with that security requirement here.
### 1. buy a SSL certificate for your domain
@ -87,7 +83,7 @@ docker run -d -p 5000:5000 \
This basically tells Docker to entirely disregard security for your registry.
1. edit the file `/etc/default/docker` so that there is a line that reads: `DOCKER_OPTS="--insecure-registry myregistrydomain:5000"` (or add that to existing `DOCKER_OPTS`)
1. edit the file `/etc/default/docker` so that there is a line that reads: `DOCKER_OPTS="--insecure-registry myregistrydomain.com:5000"` (or add that to existing `DOCKER_OPTS`). Restart docker.
2. restart your Docker daemon: on ubuntu, this is usually `service docker stop && service docker start`
**Pros:**
@ -113,7 +109,7 @@ Be sure to use the name `myregistrydomain.com` as a CN.
Now go to solution 1 above and stop and restart your registry.
Then you have to instruct every docker daemon to trust that certificate. This is done by copying the `domain.crt` file to `/etc/docker/certs.d/myregistrydomain.com:5000/ca.crt`
Then you have to instruct every docker daemon to trust that certificate. This is done by copying the `domain.crt` file to `/etc/docker/certs.d/myregistrydomain.com:5000/ca.crt` (don't forget to restart docker after doing so).
**Pros:**