Description
Docker v25 is confused when pulling images through an unsecured registry, and all pulls end in failure.
My unsecured registry on loopback (127.0.0.1) is using S3 in secured mode (`secure: true`), so that while loopback traffic is unencrypted, the registry "talks" to S3 over https.
In the logs, the registry URLs all indicate `url=https:/127.0.0.1:5000/...` even though the loopback registry does not serve over TLS.
The pull ends in failure with `failed to copy: httpReadSeeker: failed to open: failed to do request: Get "https://[url to a blob]": dial tcp 52.217.75.76:80 i/o timeout`.
Note that it is trying to connect to port 80 when it should use 443.
(52.217.75.76 is the IP of s3-1-w.amazonaws.com.)
When setting up a dummy self-signed certificate and making the loopback registry use TLS instead, everything starts working as expected.
This seems related, or at least similar, to #36263.
This too seems similar: docker/buildx#2030
Reproduce

- Use docker-distribution to set up an S3-backed registry listening on loopback 127.0.0.1:5000. Be sure to enable `secure: true` in the storage.s3 section.
- Try to pull an image with docker v25 through the local registry: `docker pull 127.0.0.1:5000/some_image`.

Switch to secured registry to make it work

- Update the `http.addr` for the registry to "localhost:5000".
- Generate a self-signed certificate for "localhost" and update the docker-distribution config to have a TLS section (see https://github.com/wking/docker-distribution/blob/master/docs/configuration.md for more info):

```yaml
http:
  addr: localhost:5000
  tls:
    certificate: /path/to/x509/locahost.crt
    key: /path/to/x509/locahost.key
```

- Pull the same image: `docker pull localhost:5000/some_image`, and it now works.
Expected behavior
docker pull should function with unsecured private registries just as well as with secured registries.
docker version

```
Client:
 Version:           20.10.24+dfsg1
 API version:       1.41
 Go version:        go1.19.8
 Git commit:        297e128
 Built:             Thu May 18 08:38:34 2023
 OS/Arch:           linux/amd64
 Context:           default
 Experimental:      true

Server:
 Engine:
  Version:          v25.0.0
  API version:      1.43 (minimum version 1.12)
  Go version:       go1.21.6
  Git commit:       311b9ff0aa93aa55880e1e5f8871c4fb69583426
  Built:            Fri Jan 26 20:46:21 2024
  OS/Arch:          linux/amd64
  Experimental:     false
 containerd:
  Version:          1.6.20~ds1
  GitCommit:        1.6.20~ds1-1+b1
 runc:
  Version:          1.1.5+ds1
  GitCommit:        1.1.5+ds1-1+b1
 docker-init:
  Version:          0.19.0
  GitCommit:
```

docker info

```
Client:
 Context:    default
 Debug Mode: false

Server:
 Containers: 0
  Running: 0
  Paused: 0
  Stopped: 0
 Images: 2
 Server Version: v25.0.0
 Storage Driver: overlayfs
  driver-type: io.containerd.snapshotter.v1
 Logging Driver: json-file
 Cgroup Driver: systemd
 Cgroup Version: 2
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
 Swarm: inactive
 Runtimes: io.containerd.runc.v2 runc
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: 1.6.20~ds1-1+b1
 runc version: 1.1.5+ds1-1+b1
 init version:
 Security Options:
  apparmor
  seccomp
   Profile: builtin
  cgroupns
 Kernel Version: 6.1.0-15-amd64
 Operating System: Debian GNU/Linux 12 (bookworm)
 OSType: linux
 Architecture: x86_64
 CPUs: 12
 Total Memory: 7.753GiB
 Name: bookworm
 ID: e432cf75-f542-4c5c-99a2-7c5fc146ce5c
 Docker Root Dir: /var/lib/docker
 Debug Mode: false
 Registry: https://index.docker.io/v1/
 Labels:
 Experimental: false
 Insecure Registries:
  127.0.0.0/8
 Live Restore Enabled: false
```

Additional Info

No response
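The report above mixes two separate questions: which scheme a registry endpoint actually speaks (the thing an `Insecure Registries` entry is supposed to settle by letting the client fall back from TLS to plain HTTP), and whether the redirect the registry hands out for a blob (here, a pre-signed S3 URL) is then dialed on the port its scheme implies. The script below is an added example for triaging the same symptom on any `host:port`; it is not code from the reporter, moby/moby or distribution. It uses only the standard library, probes `/v2/` over https first and then http, captures a blob redirect without following it, and flags an https URL that a client tried to reach on port 80. The loopback registry stub, the `s3.example.invalid` redirect target and the all-zero digest are constructed so the example runs offline.

```python
"""Probe a registry endpoint the way an insecure-registry entry permits
(TLS first, then plain HTTP) and inspect the redirect a blob request returns.
Added example for triage; not moby/moby or docker-distribution code."""
import http.server
import ssl
import threading
import urllib.error
import urllib.request
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def dial_port(url):
    """Port a client must dial for this URL: the explicit port, else the scheme default."""
    parts = urlsplit(url)
    return parts.port if parts.port is not None else DEFAULT_PORTS.get(parts.scheme)


def scheme_port_mismatch(url, dialed_port):
    """True when the port actually dialed disagrees with the URL's scheme.
    The error in the report shows an https:// blob URL dialed on :80."""
    return dial_port(url) != dialed_port


def probe_registry(hostport, timeout=2.0):
    """Return 'https', 'https-untrusted-cert', 'http' or None for hostport."""
    for scheme in ("https", "http"):
        url = f"{scheme}://{hostport}/v2/"
        try:
            with urllib.request.urlopen(url, timeout=timeout):
                return scheme
        except urllib.error.HTTPError:
            # 401/404 still mean the server answered in this scheme
            return scheme
        except urllib.error.URLError as err:
            if isinstance(err.reason, ssl.SSLCertVerificationError):
                # TLS handshake happened; only the certificate is not trusted
                return "https-untrusted-cert"
            # handshake against a plaintext server, refused, timeout: try next scheme
            continue
    return None


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Surface 3xx responses as HTTPError instead of following them."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def blob_redirect_target(base_url, name, digest, timeout=2.0):
    """Request a blob without following redirects; return the Location header or None."""
    opener = urllib.request.build_opener(_NoRedirect)
    url = f"{base_url}/v2/{name}/blobs/{digest}"
    try:
        with opener.open(url, timeout=timeout):
            return None  # blob served directly, no redirect involved
    except urllib.error.HTTPError as err:
        if err.code in (301, 302, 303, 307, 308):
            return err.headers.get("Location")
        raise


# ---- constructed stub: a plaintext loopback registry that redirects blobs ----
STUB_BLOB_LOCATION = "https://s3.example.invalid/bucket/blob?X-Amz-Signature=CONSTRUCTED"


class _StubRegistry(http.server.BaseHTTPRequestHandler):
    def do_GET(self):
        if self.path == "/v2/":
            self.send_response(200)
            self.send_header("Docker-Distribution-Api-Version", "registry/2.0")
            self.end_headers()
        elif "/blobs/" in self.path:
            self.send_response(307)  # what an S3-backed registry does for blobs
            self.send_header("Location", STUB_BLOB_LOCATION)
            self.end_headers()
        else:
            self.send_error(404)

    def log_message(self, *args):  # keep the demo quiet (also hides the TLS probe's 400)
        pass


def start_stub_registry():
    """Start the stub on a loopback ephemeral port; returns (server, 'host:port')."""
    server = http.server.HTTPServer(("127.0.0.1", 0), _StubRegistry)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"127.0.0.1:{server.server_port}"


if __name__ == "__main__":
    server, hostport = start_stub_registry()
    scheme = probe_registry(hostport)
    print("registry speaks:", scheme)
    loc = blob_redirect_target(f"{scheme}://{hostport}", "some_image", "sha256:" + "0" * 64)
    print("blob redirect:", loc, "-> must dial port", dial_port(loc))
    print("dialing it on :80 is a mismatch:", scheme_port_mismatch(loc, 80))
    server.shutdown()
```

Pointing `probe_registry` at a real loopback registry tells you in one call whether it is the registry's listener or the client's handling of the redirect that differs from what `Insecure Registries: 127.0.0.0/8` leads you to expect; `https-untrusted-cert` is the state the self-signed workaround in the report produces before the certificate is trusted.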