Docker login to Registry server built from Rancher Catalog is not working


Issue: from the UI we are able to create users / teams / namespaces, and are also able to log in to the same web interface.

Unable to log in using docker login https://imageregistry.virtusacloud.net from the Docker machine where my private images are, to upload them to this registry server.

Please help me to get this resolved.

Useful Info
Versions Rancher v1.1.0-dev1 Cattle: v0.160.3 UI: v1.0.7
Access localauth admin
Route catalog-tab.launch


I am trying to setup the registry. How did you configure storage?

Hi,

I just used the Cattle catalog which is available in the Rancher UI. After setting up the Registry container on the node, I went to the Registry node and set up the CA certificates as suggested in the Rancher documentation.

Now I am able to log in to my private registry from the same node (localhost / DNS name of the Registry server), but the issue I am facing is that users created on the registry server (the other node) are not able to connect from other machines (remote Docker client) to upload their own images to this registry.

Please guide me. Can anyone suggest a fix for this?

@sshipway Could you take a look? There are a couple of users trying to use the Registry catalog entry, which I know you helped contribute.

Thanks!! :slight_smile:

@denise - I will take a look

@samhitha30 - you may be omitting the registry port (5000) from your command, or else the host is not routable, or else your Load Balancer is not being set up.

  1. Make sure your load balancer is running on the host(s) you expect it to. Look for the host label LB=1
  2. Make sure the hostname you gave when setting it up actually resolves to the IP of the Host running the load balancer(s).
  3. Make sure that from your docker development workstation you can ping the hostname and it is not a private unroutable backend network
  4. When doing ‘docker login’ remember to specify the port, i.e. ‘docker login imageregistry.virtusacloud.net:5000’, and then push images to that registry.

I’ve seen people having issues in the past and each time it was either because of the load balancers, or because they had omitted the port from the registry name.

@cloudlady911 - the template assumes that hosts have shared filesystems. All the mounted paths are subdirectories of the directory on the host given when deploying the template. The latest version of the template I have submitted for approval will work with Convoy, but the current one is for local filesystems only.

For the next version of the template, I might try to be a bit cleverer with the load balancer and have both Portus and the registry on the same port; however, this would have some problems with the certificate, as the registry container handles it locally but Portus has an nginx proxy to offload it.

@sshipway

Thank you very much for the useful tips.

The issue which I reported has been resolved now and I am able to push my images from my Docker development workstation successfully.

But now I have no clue how to find my uploaded images in the Portus web interface. On the Registry host, I went to the volume path which I specified during my registry setup and found all my images with their IDs there, but I am unable to find them in the Portus interface. Please suggest.

So here is what I ended up doing.

We love Rancher so much we forget that our entire infrastructure does not have to be built with containers. First of all I should mention that I am using AWS. Since I have my GlusterFS environment already in place and my Rancher hosts are being created with an AutoScaling group on AWS the setup was actually quite easy.

This is my “User Data” for my Launch Configuration.
I created a registry.crt file which contains my wildcard certificate and all intermediaries. So it's really a chain cert. (This is required by docker registry, but not documented in your instructions).

#!/bin/bash
# Register this host with Rancher and label it for the registry stack
sudo docker run -d --privileged -v /var/run/docker.sock:/var/run/docker.sock -v /var/lib/rancher:/var/lib/rancher -e CATTLE_HOST_LABELS=RancherPool=yes rancher/agent:v1.0.1 http://rch.mydomain.com:8080/v1/scripts/D67D5110CBA5A0577D90:1463691600000:50adKAtfd1aWesWH9BgSdi9GBmU
# Mount the shared GlusterFS volume at /app
sudo apt-get install -y glusterfs-client
sudo mkdir -p /app
sudo mount -t glusterfs glusterfs1.mydomain.com:vol1 /app
# Add the chain certificate to the host's trusted CA store
sudo aws s3 cp s3://my-s3-bucket-certs/portus/registry.crt /usr/local/share/ca-certificates/ca.crt
sudo update-ca-certificates
sudo service docker restart
# Make the Docker daemon trust the registry's certificate
sudo mkdir -p /etc/docker/certs.d/reg.mydomain.com:5000
sudo aws s3 cp s3://my-s3-bucket-certs/portus/registry.crt /etc/docker/certs.d/reg.mydomain.com:5000/ca.crt
docker login -u docker -p "password" -e docker@mydomain.com reg.mydomain.com:5000 ## Added after registry was working

My launch configuration does the following:

  • installs the Rancher agent and labels it RancherPool=yes
  • installs the gluster client
  • mounts a volume at /app. (I use /app/registry as the Storage directory.)
  • installs the CA certificate to the hosts’ trusted CA store
  • creates the proper directory for my new registry
  • copies the certificate to that registry
  • logs in to the registry

Now my GlusterFS Volume is mounted on every RancherPool Host. :smile:

So then I launched your stack.

But I did not want any part of the stack to run on anything other than the instances labeled RancherPool.
So I copied the docker and rancher compose files from the running registry down to my local machine where I have Rancher-Compose set up. Then I deleted the registry from my Applications on Rancher.

I modified the docker-compose.yml by changing the following lines:

Under db added:
io.rancher.scheduler.affinity:host_label: rancherpool=yes
Under lb modified line in labels section:
io.rancher.scheduler.global: 'false'
Under lb added to labels section:
io.rancher.scheduler.affinity:host_label: rancherpool=yes
Under sslproxy added to labels section:
io.rancher.scheduler.affinity:host_label: rancherpool=yes
Under registry added to labels section:
io.rancher.scheduler.affinity:host_label: rancherpool=yes

Edited rancher-compose.yml
Under lb added:
scale: 2
After running rancher-compose -p registry up, everything came up.
Now everything is running just as I want it to. :smile:
I logged into the GUI and created my users and namespaces.
Was able to push to the registry using one of my namespaces. And I was able to pull that image to another computer. At first it seems like the items were not showing up in the registry. The first one took a really long time. But it did eventually show up. Subsequent ones showed up much faster.

Now I am a happy camper! :blush:

The Portus container updates its database from the registry container in 2 different ways.

First, there is a periodic job that runs every 30min and queries the entire registry database. This is used for full synchronisation of the Portus database, though images in namespaces which are not known to Portus will not necessarily be displayed!

Secondly, there is a webhook in Portus called by Registry every time there is a new upload, which should make the updates immediately. This is done using the API user (registry) – you can see the definition of it in the Registry container startup.

Where things might go wrong is if you have not set up the API user correctly, or if it does not have correct access. A problem we had was where the Portus container believed the registry had one name, but the registry itself thought it had a different name, resulting in a ‘scope error’ being given by Portus every time the registry tried to authenticate. You need to verify that if the registry is running on ‘reg.company.com:5000’ then the registry definition in Portus is also ‘reg.company.com:5000’, otherwise all authentication will fail.
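
The port and name mismatches described in the two replies above can be checked offline before touching the stack. This is an added example, not part of the thread or the catalog template: the function names, the portus.example.test realm and the sample header are constructed, and it assumes the registry's name reaches Portus through the service parameter of the registry's Bearer challenge.

```shell
#!/usr/bin/env bash
# Added example: consistency checks for the registry name and port.

# registry_endpoint <argument given to 'docker login'>
# Prints the host:port the Docker client will contact. Without an explicit
# port the client uses 443, not the registry's 5000.
registry_endpoint() {
  local ref=${1#*://}   # drop an optional scheme
  ref=${ref%%/*}        # drop any path or namespace
  case $ref in
    *:*) printf '%s\n' "$ref" ;;
    *)   printf '%s:443\n' "$ref" ;;
  esac
}

# challenge_service <WWW-Authenticate header value>
# Extracts the service="..." parameter from a Bearer challenge.
challenge_service() {
  printf '%s\n' "$1" | sed -n 's/.*service="\([^"]*\)".*/\1/p'
}

# check_names <login argument> <challenge header> <hostname defined in Portus>
# Returns non-zero and explains which side disagrees.
check_names() {
  local endpoint service rc=0
  endpoint=$(registry_endpoint "$1")
  service=$(challenge_service "$2")
  if [ "$endpoint" != "$3" ]; then
    echo "client contacts $endpoint but Portus knows the registry as $3"; rc=1
  fi
  if [ "$service" != "$3" ]; then
    echo "registry announces service '$service' but Portus expects $3"; rc=1
  fi
  return $rc
}

# Constructed sample of the challenge a registry sends for GET /v2/ without a token.
SAMPLE='Bearer realm="https://portus.example.test/v2/token",service="reg.company.com:5000"'

# For a live registry, take the header from:
#   curl -sI https://reg.company.com:5000/v2/ | grep -i '^www-authenticate:'
check_names "reg.company.com:5000" "$SAMPLE" "reg.company.com:5000" && echo "names consistent"
check_names "https://reg.company.com" "$SAMPLE" "reg.company.com:5000" || true
```

The second call reproduces the original poster's situation: a login argument without a port resolves to port 443, which does not match a registry defined on port 5000.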

Hi @all
Just for your information.
Have you seen that a Docker Registry is now included in the new Gitlab v8.8?
It is VERY useful! See here: https://about.gitlab.com/2016/05/23/gitlab-container-registry/