
I'm just going to put this here, because it was very difficult to find information on this topic and I ended up solving it myself.

Setup

  • Bastion host in AWS with a public IP address
  • Registry (image registry:2) on a private subnet behind bastion host
  • Successful SSH port forwarding through bastion, connecting localhost:5000 to registry:5000

curl localhost:5000/v2/_catalog provides a list of installed registries.

So far so good.

docker tag {my image} localhost:5000/{my image}
docker push localhost:5000/{my image}

Result

The push refers to repository [localhost:5000/{my image}]
Get http://localhost:5000/v2/: dial tcp 127.0.0.1:5000: connect: connection refused

How do we connect to a registry port forwarded to localhost?

Josh

1 Answer


I have found some obscure posts suggesting that you need to make a custom privileged container and do your ssh bastion port forwarding inside the container. This is essentially working around a problem introduced by the fact that the docker daemon is actually running inside a virtual machine!

https://docs.docker.com/docker-for-windows/networking/

You can find a hint here:

I WANT TO CONNECT FROM A CONTAINER TO A SERVICE ON THE HOST

The host has a changing IP address (or none if you have no network access). From 18.03 onwards our recommendation is to connect to the special DNS name host.docker.internal, which resolves to the internal IP address used by the host. This is for development purpose and will not work in a production environment outside of Docker Desktop for Windows.

So given the above, I reasoned that even though this advice is for containers, the docker daemon itself is probably acting on docker cli commands from within a similar context.

Therefore, first you need to add host.docker.internal:5000 as an insecure registry in your docker daemon setup. On Docker for Windows, this can be found in Settings > Daemon > Insecure registries. Unfortunately this doesn't count as localhost, so this has to be done (Docker allows localhost insecure registries by default). Then simply:

docker tag {my image} host.docker.internal:5000/{my image}
docker push host.docker.internal:5000/{my image}

Success!

Hopefully this helps some other very confused developers.

Josh
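An added example, not part of the original answer: a simplified Python model of why localhost:5000 needs no insecure-registry entry while host.docker.internal:5000 does, plus a helper that adds the entry to daemon.json text (the file form of the Settings > Daemon > Insecure registries field). The function names and the sample configuration are constructed for illustration, and hostnames other than localhost are not resolved here.

```python
import ipaddress
import json

# Registries on loopback addresses are accepted without TLS by default.
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")


def allows_plain_http(registry, daemon_json):
    """Simplified model of the daemon's check for a registry given as host[:port].

    Assumption: hostnames other than "localhost" are not resolved here.
    """
    entries = json.loads(daemon_json).get("insecure-registries", [])
    if registry in entries:              # exact host[:port] entry
        return True
    host = registry.rsplit(":", 1)[0] if ":" in registry else registry
    if host == "localhost":
        host = "127.0.0.1"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False                     # a name with no matching entry
    networks = [LOOPBACK]
    for entry in entries:
        if "/" in entry:                 # CIDR entries such as 10.0.1.0/24
            networks.append(ipaddress.ip_network(entry, strict=False))
    return any(ip in net for net in networks)


def add_insecure_registry(daemon_json, registry):
    """Return daemon.json text with one host:port entry added, other keys kept."""
    config = json.loads(daemon_json)
    entries = config.setdefault("insecure-registries", [])
    if registry not in entries:
        entries.append(registry)
    return json.dumps(config, indent=2)


# Constructed sample configuration, not taken from the original post.
SAMPLE = '{"debug": false, "insecure-registries": []}'

if __name__ == "__main__":
    for reg in ("localhost:5000", "host.docker.internal:5000"):
        print(reg, allows_plain_http(reg, SAMPLE))
    updated = add_insecure_registry(SAMPLE, "host.docker.internal:5000")
    print(updated)
    print(allows_plain_http("host.docker.internal:5000", updated))
```

Listing the exact host:port rather than a CIDR range keeps the plaintext exception limited to the one forwarded registry.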