Artifactory docker - pulling my hair out

classic Classic list List threaded Threaded
4 messages Options
Reply | Threaded
Open this post in threaded view
|

Artifactory docker - pulling my hair out

gevans
Hello,

Here is my situation, I have a server running artifactory (Version 4.2.1), we'll call it "artifactory.company.com" and a local repo was created as 'docker-snapshot-local'.

I have another server (CentOS 6.7) running docker and I have installed nginx reverse proxy on it, call it "docker.company.com"

If, on the docker machine, I do a wget to htp://localhost:8081/artifactory/docker-snapshot-local I get the expected output

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html>
<head><title>Index of docker-snapshot-local/</title>
</head>
<body>
<h1>Index of docker-snapshot-local/</h1>
<pre>Name  Last modified      Size</pre><hr/>
<pre>No items found.
</pre>
<hr/><address style="font-size:small;">Artifactory/4.2.1 Server at localhost Port 8081</address></body></html>

if I try 'docker login' such as `docker login -u my_username docker.mycompany.com:5000`

I get this back

Error response from daemon: invalid registry endpoint https://artifactory.mycompany.com:5000/v0/: unable to ping registry endpoint https://artifactory.mycompany.com:5000/v0/
v2 ping attempt failed with error: Get https://artifactory.mycompany.com:5000/v2/: dial tcp 10.10.231.114:5000: getsockopt: connection refused
 v1 ping attempt failed with error: Get https://artifactory.mycompany.com:5000/v1/_ping: dial tcp 10.10.231.114:5000: getsockopt: connection refused. If this private registry supports only HTTP or HTTPS with an unknown CA certificate, please add `--insecure-registry artifactory.mycompany.com:5000` to the daemon's arguments. In the case of HTTPS, if you have access to the registry's CA certificate, no need for the flag; simply place the CA certificate at /etc/docker/certs.d/artifactory.mycompany.com:5000/ca.crt

I have added --insecure-registry to the docker_opts at /etc/default/docker as follows
$ cat /etc/default/docker
DOCKER_OPTS="--insecure-registry localhost:8081"

but it still seems to want to only use https, and I have also done systemctl daemon-reload and then stopped and restarted docker and I get an invalid registry endpoint error

Error response from daemon: invalid registry endpoint "http://docker.mycompany.com:5000/v0/". HTTPS attempt: unable to ping registry endpoint https://docker.mycompany.com:5000/v0/
v2 ping attempt failed with error: Get https://docker.mycompany.com:5000/v2/: dial tcp [::1]:5000: getsockopt: connection refused
 v1 ping attempt failed with error: Get https://docker.mycompany.com:5000/v1/_ping: dial tcp [::1]:5000: getsockopt: connection refused. HTTP attempt: unable to ping registry endpoint http://docker.mycompany.com:5000/v0/
v2 ping attempt failed with error: Get http://docker.mycompany.com:5000/v2/: dial tcp [::1]:5000: getsockopt: connection refused
 v1 ping attempt failed with error: Get http://docker.mycompany.com:5000/v1/_ping: dial tcp [::1]:5000: getsockopt: connection refused

The nginx config I am using is like this. I am probably missing something dumb, but I am at a loss as to what I am doing. Any help appreciated. (Comments removed for brevity)

user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;

events {
    worker_connections 1024;
}

http {
    server {
        listen       8081;
        #listen      80  default_server;
        #listen       [::]:80 default_server;
        server_name  _;
        if ($http_x_forwarded_proto = '') {
            set $http_x_forwarded_proto  $scheme;
        }
        
        rewrite ^/$ /artifactory/webapp redirect;
        rewrite ^/artifactory/?(/webapp)?$ /artifactory/webapp redirect;

        location /artifactory/ {
                proxy_read_timeout  900;
                proxy_pass_header   Server;
                proxy_cookie_path ~*^/.* /;
                proxy_pass         http://artifactory.mycompany.com:8081/artifactory/;
                proxy_set_header   X-Artifactory-Override-Base-Url $http_x_forwarded_proto://$host:$server_port/artifactory;
                proxy_set_header    X-Forwarded-Port  $server_port;
                proxy_set_header    X-Forwarded-Proto $http_x_forwarded_proto;
                proxy_set_header    Host              $http_host;
                proxy_set_header    X-Forwarded-For   $proxy_add_x_forwarded_for;
        }
    }
}


Once again, any help, insight, etc. would be appreciated.

Regards,

Greg Evans
Reply | Threaded
Open this post in threaded view
|

Re: Artifactory docker - pulling my hair out

phanidhar
Hello Gevans,

Ensure you added your company proxy certs which also includes root and intermediate certs

/etc/pki/ca-trust/source/anchors(RHEL,Centos)


Please add insecure registry in /etc/sysconfig/docker or else add your verification certs to  /etc/docker/certs.d with name as you mentioned artifactory.company.com and  place your verification certs  inside the folder  /etc/docker/certs.d/artifactory.company.com for validation.
 and do execute below commands..

update-ca-trust enable

update-ca-trust extract

 service docker restart

Reply | Threaded
Open this post in threaded view
|

Re: Artifactory docker - pulling my hair out

byrner75
In reply to this post by gevans
Your DOCKER_OPTS should be

--insecure-registry=artifactory.mycompany.com:5000

And your proxy is listening on 8081 ! Should be listening on 5000.
Reply | Threaded
Open this post in threaded view
|

Re: Artifactory docker - pulling my hair out

rajashekarbabu.eppala
In reply to this post by gevans
Is it V1 or V2 repository?

i had the same problem.

Also check if your docker client is behind proxy. Also let me know which OS installed in your docker client.