Copy certificate of CDK's docker registry to local file system
It would be nice to have CDK's docker registry certificate copied to the local file system to let users use CDK's docker registry while still using the local docker host. It would be good for pushing locally built images to CDK's docker registry and then e.g. using them on OpenShift.
Some additional info: at the moment, I have to manually copy the file from CDK to the local file system (using Fedora 22) with sudo scp [email protected]:/etc/docker/certs.d/hub.openshift.rhel-cdk.10.1.2.2.xip.io/ca.crt ./ca.crt. @praveenkumar is using the libvirt box for CDK and does not have to use sudo to copy files. I am using the virtualbox box and I am forced to use sudo, otherwise access is denied. Another superuser permission is required to place the certificate in the right place (/etc/docker/certs.d/hub.openshift.rhel-cdk.10.1.2.2.xip.io/ca.crt) - if the user has the native environment settings, the directory is read-only for non-superusers, and it is not allowed to create missing directories there.
It would be worth trying to find out whether it would be possible to tell the docker client, when trying to log in to a docker registry, to use certificates stored in a specific place (this would be a "workaround" for requiring su permission). The Docker daemon does not even need to be restarted when a certificate is added, so there would be no additional superuser access required.
Another thing to think about is the behaviour on Windows/OS X. I don't know where certs are stored there and how it is handled.
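One way to automate the manual copy-and-install step just described, as an added example and not part of the original issue: the script below checks that the fetched file really is an X.509 certificate, prints its fingerprint so it can be compared with the one inside the VM before it is trusted, installs it under /etc/docker/certs.d/<registry>/ca.crt (using sudo only when that directory is not writable), and offers a check that the live registry validates against it. The DOCKER_CERTS_DIR override and the function names are assumptions; fetching the file from the VM is still done with scp as in the comment above.

```shell
#!/bin/sh
# Added example: install a registry CA certificate where the docker client
# looks for it (<certs dir>/<registry host>/ca.crt), the location named in
# the error message later in this thread. DOCKER_CERTS_DIR is an assumed
# override so the functions can also be exercised outside /etc/docker.
DOCKER_CERTS_DIR="${DOCKER_CERTS_DIR:-/etc/docker/certs.d}"

# Print the SHA-256 fingerprint of a PEM certificate; prints nothing if the
# file does not parse as an X.509 certificate at all.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null | sed 's/^.*=//'
}

# install_registry_ca <registry host> <path to fetched ca.crt>
# Refuses non-certificate input, then copies the file into place, using
# sudo only if the current user cannot write the target directory.
install_registry_ca() {
    registry="$1"; src="$2"
    fp=$(cert_fingerprint "$src")
    if [ -z "$fp" ]; then
        echo "refusing to install $src: not an X.509 certificate" >&2
        return 1
    fi
    dest_dir="$DOCKER_CERTS_DIR/$registry"
    if [ -w "$dest_dir" ] || [ -w "$DOCKER_CERTS_DIR" ]; then run=""; else run="sudo"; fi
    $run mkdir -p "$dest_dir" || return 1
    $run cp "$src" "$dest_dir/ca.crt" || return 1
    # Compare this fingerprint with the one shown inside the VM before trusting it.
    echo "installed $dest_dir/ca.crt  SHA256 fingerprint: $fp"
}

# verify_registry_ca <registry host>: succeeds only if the live registry's
# TLS chain validates against the installed CA (needs network access to the VM).
verify_registry_ca() {
    openssl s_client -connect "$1:443" -servername "$1" \
        -CAfile "$DOCKER_CERTS_DIR/$1/ca.crt" </dev/null 2>/dev/null \
        | grep -q 'Verify return code: 0 (ok)'
}
```

Run it as install_registry_ca hub.openshift.rhel-cdk.10.1.2.2.xip.io ./ca.crt after the scp, then verify_registry_ca with the same hostname once the VM is reachable.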
So just that I understand, you want to be able to push to the OpenShift registry from your host without having to do a Docker login first?
Nope, I still have to log in to the registry, but I did not mention those steps. I still have to obtain a token for an OpenShift user (e.g. openshift-dev) and use it to log in to the docker registry:
docker login -u openshift-dev -p token -e [email protected] hub.openshift.rhel-cdk.10.1.2.2.xip.io, or if the user is already logged in, just use the inline command oc whoami -t.
But at the moment the bottleneck in having this whole thing automated is obtaining the certificate. If you don't have the CDK docker registry's self-signed certificate on your local file system, you get an error warning you about the self-signed certificate. Another way around it could be, maybe, (re)starting the docker daemon in CDK with the --insecure-registry flag, but I have not tried it yet.
Which version of the docker client are you using? This works fine on my machine (w/o self-signed certificate problems). I am using Docker version 1.11.0, build 4dc5990. I had a similar discussion with @xcoulon. He mentioned something similar, but had a newer version of the CLI.
Also, is the warning coming from the Docker CLI or from the inlined oc call?
I have a docker client of version 1.8.2-fc22. Unfortunately there is no newer version of the docker client available via dnf update from the default repos for my Fedora 22.
This is the error message when trying to log in to CDK's docker registry with the docker client connected to the local (/var/run/docker.sock) docker host without having the certificate stored on the local file system:
Error response from daemon: invalid registry endpoint https://hub.openshift.rhel-cdk.10.1.2.2.xip.io/v0/: unable to ping registry endpoint https://hub.openshift.rhel-cdk.10.1.2.2.xip.io/v0/
v2 ping attempt failed with error: Get https://hub.openshift.rhel-cdk.10.1.2.2.xip.io/v2/: x509: certificate signed by unknown authority
v1 ping attempt failed with error: Get https://hub.openshift.rhel-cdk.10.1.2.2.xip.io/v1/_ping: x509: certificate signed by unknown authority. If this private registry supports only HTTP or HTTPS with an unknown CA certificate, please add --insecure-registry hub.openshift.rhel-cdk.10.1.2.2.xip.io to the daemon's arguments. In the case of HTTPS, if you have access to the registry's CA certificate, no need for the flag; simply place the CA certificate at /etc/docker/certs.d/hub.openshift.rhel-cdk.10.1.2.2.xip.io/ca.crt
Why don't you connect to the docker daemon in the VM? Is this not the whole point? Did you set up your Docker environment via vagrant service-manager env?
Is this even a use case we want to support?
That's the other way around. This use case is for users who have their docker images in a local docker repository connected to the local docker host. I did not set up the docker environment with eval "$(vagrant service-manager env docker)" because then you have no access to your local docker images; you simply substitute your local docker host with the CDK's docker host.
Good question: is this a use case we want to support? Honestly, I don't have an answer for it.
I think we expect users to connect to the CDK daemon. Build the image against this daemon. Problem solved. But yes, if you want to do what you are trying to do, then you would need the certificates. Not sure whether --tlsverify=false would work!?
Well, in our current use case we expect users will be working only with CDK docker. But we don't think about users who already have docker images in their local docker hosts. If we expect only users developing applications from scratch, then we are OK. But I think it is also good to think about users with their own docker hosts and repositories, and also registries (if they were connected/logged in to several registries, they would have to do all the setup again for the CDK docker host, and that would be, in my humble opinion, a more painful process in this order).
I had also tried DOCKER_TLS_VERIFY=0; I think it should have the same effect, and it did not work.
But we don't think about users who already have docker images in their local docker hosts.
But when do you have images only locally? If you are in a team you push them to a registry (private or public) and that's the one you should configure for the CDK. I think there is some documentation about how to add additional registries. This is definitely something we need to support.
So if there is no other shared registry, then I would assume the user has the Dockerfile. In this case he would configure his environment to use the CDK's Docker daemon and rebuild the image.
Last but not least, a single image can also be exported and re-imported.
So any conclusion? Do I get it right, based on our discussion, that a newer docker client somehow allows access to a self-signed docker registry without needing the certificate on the machine I am trying to do it from?
@hferentschik Are you following this issue? Can we have some conclusion here?