
OS: Amazon Linux (hosted on AWS)
Docker version: 17.x
Tools: Ansible, Docker

Our developers use Ansible to be able to spin up individual AWS spot environments that get populated with docker images that get built on their local machines, pushed into a docker registry created on the AWS spot machine, then pulled down and run.

When the devs do this locally on their MacBooks, ansible will orchestrate building the code with sbt, spin up an AWS spot instance, run a docker registry, push the image into the docker registry, command the instance to pull down the image and run it, run a testsuite, etc.

To make things better and easier for non-devs to be able to run individual test environments, we put the ansible script behind Jenkins and use their username to let ansible create a domain name in Route53 that points to their temporary spot instance environment.

This all works great without the registry -- i.e. using JFrog Artifactory to have these dynamic envs just pull pre-built images. It lets QA team members spin up any version of the env they want. But now to allow it to build code and push, I need to have an insecure registry and that is where things fell apart...

Since any user can run this, the Route53 domain name is dynamic. That means I cannot just hardcode the --insecure-registry entry in daemon.json. I have tried to find a way to set a wildcard registry, but it didn't seem to work for me. Also, since this is a shared build server (the one that is running the ansible commands), I don't want to keep adding entries and restarting docker because other things might be running.

So, to summarize the questions:

  1. Is there a way to use a wildcard for the insecure-registry entry?
  2. How can I get docker to recognize insecure-registry entry without restarting docker daemon?
JoeB
  • I'd either use a shared registry (and periodically clean out old images; I don't have a good recipe for this off hand) or use `docker save` and `docker load` to copy the intermediate images around without using a registry. – David Maze Jul 05 '18 at 22:34
  • Thank you for the answer. I had the same issue. FYI, you can also put certificates in /etc/docker/certs.d/. E.g.: /etc/docker/certs.d/registryurl:5000/ca.crt. And without any reload or restart of docker, docker automatically takes that into account. Env: Red Hat 7.8 with docker-ce 19.03.X – AntoineT Feb 24 '21 at 12:07

1 Answer


So far I've found this solution to satisfy my needs, but not 100% happy yet. I'll work on it more. It doesn't handle the first case of a wildcard, but it does seem to work for the 2nd question about reloading without restart.

The first problem is that I was editing the wrong file. It doesn't respect /etc/sysconfig/docker, nor does it respect $HOME/.docker/daemon.json. The only file that works on Amazon Linux for me is /etc/docker/daemon.json, so I manually edited it, then tested a reload and verified with docker info. I'll work on this more to programmatically be able to insert entries as needed, but the manual test works:

    sudo vim /etc/docker/daemon.json
    sudo systemctl reload docker.service
    docker info

JoeB
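As an added example (not code from the question, the answer or the comments), here is the programmatic version of the edit/reload/verify loop the answer does by hand: merge one entry into /etc/docker/daemon.json without clobbering other keys, write the file atomically, ask systemd to reload (not restart) dockerd, and confirm the result by parsing `docker info`. The reload works because the Docker systemd unit's reload action sends SIGHUP to dockerd, and insecure-registries is one of the options dockerd re-reads on SIGHUP, so running containers on the shared build server are not touched. The registry names, the daemon.json path (taken from the answer) and the sample `docker info` text are assumptions/constructed, and the script must run as a user allowed to write /etc/docker and call systemctl.

```python
"""Edit /etc/docker/daemon.json, reload dockerd, verify via `docker info`.

Added example, not code from the original question or answer. Assumes a
systemd-managed Docker that reads /etc/docker/daemon.json (what the answer
found on Amazon Linux). Registry names are made up.
"""
import json
import os
import subprocess
import tempfile

DAEMON_JSON = "/etc/docker/daemon.json"  # the file the answer found to work


def _load(config_text):
    # A missing or empty daemon.json is treated as an empty object.
    return json.loads(config_text) if config_text.strip() else {}


def _dump(cfg):
    return json.dumps(cfg, indent=2, sort_keys=True) + "\n"


def insecure_registries_in(config_text):
    """List the insecure-registries entries of a daemon.json document."""
    return list(_load(config_text).get("insecure-registries", []))


def merge_insecure_registry(config_text, registry):
    """Return (new_config_text, changed); all other keys are kept as they are.
    Idempotent, so every Jenkins/Ansible run for the same env can call it."""
    cfg = _load(config_text)
    entries = cfg.setdefault("insecure-registries", [])
    if registry in entries:
        return _dump(cfg), False
    entries.append(registry)
    return _dump(cfg), True


def drop_insecure_registry(config_text, registry):
    """Inverse of merge_insecure_registry, for when the spot env is torn down,
    so entries do not pile up on the shared build server."""
    cfg = _load(config_text)
    entries = cfg.get("insecure-registries", [])
    if registry not in entries:
        return _dump(cfg), False
    cfg["insecure-registries"] = [e for e in entries if e != registry]
    return _dump(cfg), True


def write_atomically(path, text):
    """Temp file + rename, so dockerd never reloads a half-written daemon.json."""
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path), prefix=".daemon.json.")
    with os.fdopen(fd, "w") as fh:
        fh.write(text)
    os.chmod(tmp, 0o644)
    os.replace(tmp, path)


def parse_insecure_registries(docker_info_text):
    """Entries listed under 'Insecure Registries:' in `docker info` text output.
    Only indentation relative to the header matters, so the flat 17.x layout
    and the indented 'Server:' block of later releases both parse."""
    found, header_indent = [], None
    for line in docker_info_text.splitlines():
        if line.strip() == "Insecure Registries:":
            header_indent = len(line) - len(line.lstrip())
            continue
        if header_indent is None:
            continue
        indent = len(line) - len(line.lstrip())
        if line.strip() and indent > header_indent:
            found.append(line.strip())
        else:
            break  # first line back at the header's level ends the section
    return found


def enable_insecure_registry(registry, path=DAEMON_JSON):
    """Merge, write, `systemctl reload docker.service` (SIGHUP, not a restart),
    then return what the daemon now reports so the caller can verify it."""
    current = open(path).read() if os.path.exists(path) else ""
    new_text, changed = merge_insecure_registry(current, registry)
    if changed:
        write_atomically(path, new_text)
        subprocess.run(["systemctl", "reload", "docker.service"], check=True)
    info = subprocess.run(["docker", "info"], check=True,
                          capture_output=True, text=True).stdout
    return parse_insecure_registries(info)


# Constructed sample of `docker info` output (not captured from a real host).
SAMPLE_DOCKER_INFO = """\
Server Version: 17.09.1-ce
Registry: https://index.docker.io/v1/
Insecure Registries:
 build-jdoe.example.internal:5000
 127.0.0.0/8
Live Restore Enabled: false
"""
```

Two practical notes. First, the daemon also accepts a CIDR range in insecure-registries (for example the VPC subnet the spot instances land in), which covers the "wildcard" case as long as the push and pull address the registry by IP rather than by the per-user Route53 name. Second, an insecure registry means dockerd will talk plain HTTP or skip certificate verification, so anyone positioned between the build server and the spot instance can substitute the image being pulled; the certs.d approach from AntoineT's comment (the registry's CA at /etc/docker/certs.d/<host>:<port>/ca.crt) keeps TLS verification intact and, as the comment notes, needs no daemon reload at all.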