
I have successfully set up a docker registry mirror with TLS, but without authentication, following these instructions: https://docs.docker.com/registry/recipes/mirror/. That works fine. I then tried to set up another registry that includes authentication, following these instructions: https://docs.docker.com/registry/deploying/#restricting-access, using the same TLS certificate as previously. However, although I can authenticate with https://docker-registry.my-company.com with curl -u testuser -p testsecret https://docker-registry.my-company.com/v2/_catalog to get a list of docker repositories, when I pull a previously absent image hello-world, it is pulled directly from Docker Hub, although I am using the same domain as before.

Here are the logs of the registry container:

rem.ote.ip.add - - [07/Nov/2022:09:23:36 +0000] "GET /v2/ HTTP/1.1" 401 87 "" "docker/20.10.20 go/go1.18.7 git-commit/03df974 kernel/5.14.0-1054-oem os/linux arch/amd64 UpstreamClient(Docker-Client/20.10.20 \\(linux\\))"
time="2022-11-07T09:23:36.669318813Z" level=error msg="error authenticating user "my-user": authentication failure" go.version=go1.16.15 http.request.host=docker-registry.my-company.com http.request.id=af2937cb-df8e-45aa-a845-d1b0eace0b29 http.request.method=HEAD http.request.remoteaddr="rem.ote.ip.add:64185" http.request.uri="/v2/library/hello-world/manifests/latest" http.request.useragent="docker/20.10.20 go/go1.18.7 git-commit/03df974 kernel/5.14.0-1054-oem os/linux arch/amd64 UpstreamClient(Docker-Client/20.10.20 \(linux\))" vars.name="library/hello-world" vars.reference=latest 
time="2022-11-07T09:23:36.669391528Z" level=warning msg="error authorizing context: basic authentication challenge for realm "Registry Realm": authentication failure" go.version=go1.16.15 http.request.host=docker-registry.my-company.com http.request.id=af2937cb-df8e-45aa-a845-d1b0eace0b29 http.request.method=HEAD http.request.remoteaddr="rem.ote.ip.add:64185" http.request.uri="/v2/library/hello-world/manifests/latest" http.request.useragent="docker/20.10.20 go/go1.18.7 git-commit/03df974 kernel/5.14.0-1054-oem os/linux arch/amd64 UpstreamClient(Docker-Client/20.10.20 \(linux\))" vars.name="library/hello-world" vars.reference=latest 
rem.ote.ip.add - - [07/Nov/2022:09:23:36 +0000] "HEAD /v2/library/hello-world/manifests/latest HTTP/1.1" 401 162 "" "docker/20.10.20 go/go1.18.7 git-commit/03df974 kernel/5.14.0-1054-oem os/linux arch/amd64 UpstreamClient(Docker-Client/20.10.20 \\(linux\\))"
time="2022-11-07T09:23:36.718320712Z" level=error msg="error authenticating user "my-user": authentication failure" go.version=go1.16.15 http.request.host=docker-registry.my-company.com http.request.id=275e4d1b-208d-4711-89a7-47350824e1da http.request.method=GET http.request.remoteaddr="rem.ote.ip.add:33878" http.request.uri="/v2/library/hello-world/manifests/latest" http.request.useragent="docker/20.10.20 go/go1.18.7 git-commit/03df974 kernel/5.14.0-1054-oem os/linux arch/amd64 UpstreamClient(Docker-Client/20.10.20 \(linux\))" vars.name="library/hello-world" vars.reference=latest 
time="2022-11-07T09:23:36.718393397Z" level=warning msg="error authorizing context: basic authentication challenge for realm "Registry Realm": authentication failure" go.version=go1.16.15 http.request.host=docker-registry.my-company.com http.request.id=275e4d1b-208d-4711-89a7-47350824e1da http.request.method=GET http.request.remoteaddr="rem.ote.ip.add:33878" http.request.uri="/v2/library/hello-world/manifests/latest" http.request.useragent="docker/20.10.20 go/go1.18.7 git-commit/03df974 kernel/5.14.0-1054-oem os/linux arch/amd64 UpstreamClient(Docker-Client/20.10.20 \(linux\))" vars.name="library/hello-world" vars.reference=latest 
rem.ote.ip.add - - [07/Nov/2022:09:23:36 +0000] "GET /v2/library/hello-world/manifests/latest HTTP/1.1" 401 162 "" "docker/20.10.20 go/go1.18.7 git-commit/03df974 kernel/5.14.0-1054-oem os/linux arch/amd64 UpstreamClient(Docker-Client/20.10.20 \\(linux\\))"
2022/11/07 09:23:44 http: TLS handshake error from 188.166.14.36:60650: tls: first record does not look like a TLS handshake
2022/11/07 09:23:44 http: TLS handshake error from 188.166.14.36:60652: tls: first record does not look like a TLS handshake
2022/11/07 09:23:44 http: TLS handshake error from 188.166.14.36:60668: tls: first record does not look like a TLS handshake
188.166.14.36 - - [07/Nov/2022:09:23:44 +0000] "GET /ab2g HTTP/1.1" 404 19 "" "Mozilla/5.0 zgrab/0.x"
188.166.14.36 - - [07/Nov/2022:09:23:44 +0000] "GET /ab2h HTTP/1.1" 404 19 "" "Mozilla/5.0 zgrab/0.x"
2022/11/07 09:23:44 http: TLS handshake error from 188.166.14.36:60706: read tcp reg.ist.ry.ip:5000->188.166.14.36:60706: read: connection reset by peer
2022/11/07 09:23:44 http: TLS handshake error from 188.166.14.36:60714: read tcp reg.ist.ry.ip:5000->188.166.14.36:60714: read: connection reset by peer
2022/11/07 09:23:44 http: TLS handshake error from 188.166.14.36:60718: tls: no cipher suite supported by both client and server
2022/11/07 09:23:44 http: TLS handshake error from 188.166.14.36:60732: read tcp reg.ist.ry.ip:5000->188.166.14.36:60732: read: connection reset by peer
2022/11/07 09:23:44 http: TLS handshake error from 188.166.14.36:60748: read tcp reg.ist.ry.ip:5000->188.166.14.36:60748: read: connection reset by peer
2022/11/07 09:23:44 http: TLS handshake error from 188.166.14.36:60750: tls: client offered only unsupported versions: [302 301]
2022/11/07 09:23:45 http: TLS handshake error from 188.166.14.36:60760: read tcp reg.ist.ry.ip:5000->188.166.14.36:60760: read: connection reset by peer
2022/11/07 09:23:45 http: TLS handshake error from 188.166.14.36:60768: read tcp reg.ist.ry.ip:5000->188.166.14.36:60768: read: connection reset by peer
2022/11/07 09:23:45 http: TLS handshake error from 188.166.14.36:60784: read tcp reg.ist.ry.ip:5000->188.166.14.36:60784: read: connection reset by peer
2022/11/07 09:23:45 http: TLS handshake error from 188.166.14.36:60790: read tcp reg.ist.ry.ip:5000->188.166.14.36:60790: read: connection reset by peer
188.166.14.36 - - [07/Nov/2022:09:23:45 +0000] "GET / HTTP/1.1" 200 0 "" "Mozilla/5.0 zgrab/0.x"

docker inspect registry-mirror:

[
    {
        "Id": "c1ea139de563da8aafab406e2092039dd0acf47530e6e79b10988e2d5b8f8d4a",
        "Created": "2022-11-08T12:51:35.187778712Z",
        "Path": "/entrypoint.sh",
        "Args": [
            "/etc/docker/registry/config.yml"
        ],
        "State": {
            "Status": "running",
            "Running": true,
            "Paused": false,
            "Restarting": false,
            "OOMKilled": false,
            "Dead": false,
            "Pid": 307102,
            "ExitCode": 0,
            "Error": "",
            "StartedAt": "2022-11-08T14:05:01.720419807Z",
            "FinishedAt": "2022-11-08T13:18:28.224870681Z"
        },
        "Image": "sha256:3a0f7b0a13ef62e85d770396e1868bf919f4747743ece4f233895a246c436394",
        "ResolvConfPath": "/var/lib/docker/containers/c1ea139de563da8aafab406e2092039dd0acf47530e6e79b10988e2d5b8f8d4a/resolv.conf",
        "HostnamePath": "/var/lib/docker/containers/c1ea139de563da8aafab406e2092039dd0acf47530e6e79b10988e2d5b8f8d4a/hostname",
        "HostsPath": "/var/lib/docker/containers/c1ea139de563da8aafab406e2092039dd0acf47530e6e79b10988e2d5b8f8d4a/hosts",
        "LogPath": "/var/lib/docker/containers/c1ea139de563da8aafab406e2092039dd0acf47530e6e79b10988e2d5b8f8d4a/c1ea139de563da8aafab406e2092039dd0acf47530e6e79b10988e2d5b8f8d4a-json.log",
        "Name": "/registry-mirror",
        "RestartCount": 0,
        "Driver": "overlay2",
        "Platform": "linux",
        "MountLabel": "",
        "ProcessLabel": "",
        "AppArmorProfile": "docker-default",
        "ExecIDs": null,
        "HostConfig": {
            "Binds": [
                "/etc/letsencrypt/archive/docker-registry.my-company.com:/data/tls",
                "/root/auth:/auth"
            ],
            "ContainerIDFile": "",
            "LogConfig": {
                "Type": "json-file",
                "Config": {}
            },
            "NetworkMode": "default",
            "PortBindings": {
                "5000/tcp": [
                    {
                        "HostIp": "",
                        "HostPort": "443"
                    }
                ]
            },
            "RestartPolicy": {
                "Name": "always",
                "MaximumRetryCount": 0
            },
            "AutoRemove": false,
            "VolumeDriver": "",
            "VolumesFrom": null,
            "CapAdd": null,
            "CapDrop": null,
            "CgroupnsMode": "host",
            "Dns": [],
            "DnsOptions": [],
            "DnsSearch": [],
            "ExtraHosts": null,
            "GroupAdd": null,
            "IpcMode": "private",
            "Cgroup": "",
            "Links": null,
            "OomScoreAdj": 0,
            "PidMode": "",
            "Privileged": false,
            "PublishAllPorts": false,
            "ReadonlyRootfs": false,
            "SecurityOpt": null,
            "UTSMode": "",
            "UsernsMode": "",
            "ShmSize": 67108864,
            "Runtime": "runc",
            "ConsoleSize": [
                0,
                0
            ],
            "Isolation": "",
            "CpuShares": 0,
            "Memory": 0,
            "NanoCpus": 0,
            "CgroupParent": "",
            "BlkioWeight": 0,
            "BlkioWeightDevice": [],
            "BlkioDeviceReadBps": null,
            "BlkioDeviceWriteBps": null,
            "BlkioDeviceReadIOps": null,
            "BlkioDeviceWriteIOps": null,
            "CpuPeriod": 0,
            "CpuQuota": 0,
            "CpuRealtimePeriod": 0,
            "CpuRealtimeRuntime": 0,
            "CpusetCpus": "",
            "CpusetMems": "",
            "Devices": [],
            "DeviceCgroupRules": null,
            "DeviceRequests": null,
            "KernelMemory": 0,
            "KernelMemoryTCP": 0,
            "MemoryReservation": 0,
            "MemorySwap": 0,
            "MemorySwappiness": null,
            "OomKillDisable": false,
            "PidsLimit": null,
            "Ulimits": null,
            "CpuCount": 0,
            "CpuPercent": 0,
            "IOMaximumIOps": 0,
            "IOMaximumBandwidth": 0,
            "MaskedPaths": [
                "/proc/asound",
                "/proc/acpi",
                "/proc/kcore",
                "/proc/keys",
                "/proc/latency_stats",
                "/proc/timer_list",
                "/proc/timer_stats",
                "/proc/sched_debug",
                "/proc/scsi",
                "/sys/firmware"
            ],
            "ReadonlyPaths": [
                "/proc/bus",
                "/proc/fs",
                "/proc/irq",
                "/proc/sys",
                "/proc/sysrq-trigger"
            ]
        },
        "GraphDriver": {
            "Data": {
                "LowerDir": "/var/lib/docker/overlay2/9147a94bf0c3a737ae2a1548b039d053143d2bdd34b0c5474ca431087a9e369b-init/diff:/var/lib/docker/overlay2/00cc5411b6c498c10b2ffcb2504562b79d1b697e66923956e4ff8b6a8ac7c486/diff:/var/lib/docker/overlay2/d018e0a71b3c7eddd9fe13c6674622f1706b7696852560611e3a71637d4ee82b/diff:/var/lib/docker/overlay2/1e2428dbc88cf32f85c284308379e09cfb3e500ec648aade8550c6ebc4b4d372/diff:/var/lib/docker/overlay2/b17c4a68d628eecf5aabc44c4e7537cfef7dfd73fdd3594808cf3028babb2e6d/diff:/var/lib/docker/overlay2/e7a21779d8e8e3e3afb68f1446770dfc4ddea9ea8f259ef2da3a7c05eb79bbda/diff",
                "MergedDir": "/var/lib/docker/overlay2/9147a94bf0c3a737ae2a1548b039d053143d2bdd34b0c5474ca431087a9e369b/merged",
                "UpperDir": "/var/lib/docker/overlay2/9147a94bf0c3a737ae2a1548b039d053143d2bdd34b0c5474ca431087a9e369b/diff",
                "WorkDir": "/var/lib/docker/overlay2/9147a94bf0c3a737ae2a1548b039d053143d2bdd34b0c5474ca431087a9e369b/work"
            },
            "Name": "overlay2"
        },
        "Mounts": [
            {
                "Type": "volume",
                "Name": "167fecc1410a6aaaa456c07b7def5eda09f871e90dc294eb51df0bfbb3b92440",
                "Source": "/var/lib/docker/volumes/167fecc1410a6aaaa456c07b7def5eda09f871e90dc294eb51df0bfbb3b92440/_data",
                "Destination": "/var/lib/registry",
                "Driver": "local",
                "Mode": "",
                "RW": true,
                "Propagation": ""
            },
            {
                "Type": "bind",
                "Source": "/etc/letsencrypt/archive/docker-registry.my-company.com",
                "Destination": "/data/tls",
                "Mode": "",
                "RW": true,
                "Propagation": "rprivate"
            },
            {
                "Type": "bind",
                "Source": "/root/auth",
                "Destination": "/auth",
                "Mode": "",
                "RW": true,
                "Propagation": "rprivate"
            }
        ],
        "Config": {
            "Hostname": "c1ea139de563",
            "Domainname": "",
            "User": "",
            "AttachStdin": false,
            "AttachStdout": false,
            "AttachStderr": false,
            "ExposedPorts": {
                "5000/tcp": {}
            },
            "Tty": false,
            "OpenStdin": false,
            "StdinOnce": false,
            "Env": [
                "REGISTRY_PROXY_PASSWORD=<dockerhub_access_token>",
                "REGISTRY_HTTP_TLS_CERTIFICATE=/data/tls/fullchain1.pem",
                "REGISTRY_HTTP_TLS_KEY=/data/tls/privkey1.pem",
                "REGISTRY_AUTH=htpasswd",
                "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm",
                "REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd",
                "REGISTRY_PROXY_REMOTEURL=https://registry-1.docker.io",
                "REGISTRY_PROXY_USERNAME=<dockerhub_username>",
                "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
            ],
            "Cmd": [
                "/etc/docker/registry/config.yml"
            ],
            "Image": "registry:2",
            "Volumes": {
                "/var/lib/registry": {}
            },
            "WorkingDir": "",
            "Entrypoint": [
                "/entrypoint.sh"
            ],
            "OnBuild": null,
            "Labels": {}
        },
        "NetworkSettings": {
            "Bridge": "",
            "SandboxID": "9050fba97d8bb847ec9f78d24341277e2da0b3e479beb2932d5f6ce5900382df",
            "HairpinMode": false,
            "LinkLocalIPv6Address": "",
            "LinkLocalIPv6PrefixLen": 0,
            "Ports": {
                "5000/tcp": [
                    {
                        "HostIp": "0.0.0.0",
                        "HostPort": "443"
                    },
                    {
                        "HostIp": "::",
                        "HostPort": "443"
                    }
                ]
            },
            "SandboxKey": "/var/run/docker/netns/9050fba97d8b",
            "SecondaryIPAddresses": null,
            "SecondaryIPv6Addresses": null,
            "EndpointID": "dc808204781c4db2d3da2097422865a1d699631ca9301c45466ff8eb35b7eb79",
            "Gateway": "172.17.0.1",
            "GlobalIPv6Address": "",
            "GlobalIPv6PrefixLen": 0,
            "IPAddress": "172.17.0.2",
            "IPPrefixLen": 16,
            "IPv6Gateway": "",
            "MacAddress": "mac:address",
            "Networks": {
                "bridge": {
                    "IPAMConfig": null,
                    "Links": null,
                    "Aliases": null,
                    "NetworkID": "51b19cd496ff7882b6ee5fecc2bdb1fb6cb4b01b4bd428ef7a37b69863bb9506",
                    "EndpointID": "dc808204781c4db2d3da2097422865a1d699631ca9301c45466ff8eb35b7eb79",
                    "Gateway": "172.17.0.1",
                    "IPAddress": "172.17.0.2",
                    "IPPrefixLen": 16,
                    "IPv6Gateway": "",
                    "GlobalIPv6Address": "",
                    "GlobalIPv6PrefixLen": 0,
                    "MacAddress": "mac:address",
                    "DriverOpts": null
                }
            }
        }
    }
]

Update

As I suspect the docs are wrong, I raised an issue: https://github.com/docker/docs/issues/16119
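The registry log above mixes three kinds of lines: access-log entries (the 401 responses to the docker client and the `zgrab` probes), structured `time=... level=error` lines from the htpasswd authenticator, and Go `http:` TLS handshake errors from the scanner hitting port 443. The following Python script is an added example, not code from the question or from the Docker project: it parses constructed sample lines modelled on that log (the IPs 10.0.0.7 and 203.0.113.9 and the user agents are made up) and separates the two events worth acting on, the mirror rejecting the daemon's credentials and an internet scanner probing the exposed port.

```python
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass, field

# Constructed sample lines modelled on the registry container log in the question.
SAMPLE_LOG = r'''
10.0.0.7 - - [07/Nov/2022:09:23:36 +0000] "GET /v2/ HTTP/1.1" 401 87 "" "docker/20.10.20 go/go1.18.7 UpstreamClient(Docker-Client/20.10.20 \\(linux\\))"
time="2022-11-07T09:23:36.669318813Z" level=error msg="error authenticating user "my-user": authentication failure" http.request.method=HEAD http.request.remoteaddr="10.0.0.7:64185" http.request.uri="/v2/library/hello-world/manifests/latest" vars.name="library/hello-world" vars.reference=latest
10.0.0.7 - - [07/Nov/2022:09:23:36 +0000] "HEAD /v2/library/hello-world/manifests/latest HTTP/1.1" 401 162 "" "docker/20.10.20 go/go1.18.7"
10.0.0.7 - - [07/Nov/2022:09:23:36 +0000] "GET /v2/library/hello-world/manifests/latest HTTP/1.1" 401 162 "" "docker/20.10.20 go/go1.18.7"
2022/11/07 09:23:44 http: TLS handshake error from 203.0.113.9:60650: tls: first record does not look like a TLS handshake
203.0.113.9 - - [07/Nov/2022:09:23:44 +0000] "GET /ab2g HTTP/1.1" 404 19 "" "Mozilla/5.0 zgrab/0.x"
203.0.113.9 - - [07/Nov/2022:09:23:45 +0000] "GET / HTTP/1.1" 200 0 "" "Mozilla/5.0 zgrab/0.x"
10.0.0.7 - - [07/Nov/2022:09:25:01 +0000] "GET /v2/_catalog HTTP/1.1" 200 44 "" "curl/7.81.0"
'''

# Access-log line: client ip, timestamp, request line, status, size, referer, user agent.
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+) "[^"]*" "(?P<ua>[^"]*)"'
)
# Structured authenticator line; the registry nests unescaped quotes around the user name.
AUTH_RE = re.compile(r'msg="error authenticating user "(?P<user>[^"]+)"')
ADDR_RE = re.compile(r'http\.request\.remoteaddr="(?P<addr>[^"]+)"')
# Go net/http TLS handshake error emitted when a non-TLS or incompatible client connects.
TLS_RE = re.compile(
    r'^\S+ \S+ http: TLS handshake error from (?P<ip>[\d.]+|\[[^\]]+\]):\d+: (?P<reason>.+)$'
)
# User-agent fragments of well-known internet-wide scanners (the log shows zgrab).
SCANNER_MARKERS = ("zgrab", "masscan", "nmap")


@dataclass
class Report:
    auth_failures: Counter = field(default_factory=Counter)   # (ip, user) -> count
    unauth_by_path: Counter = field(default_factory=Counter)  # path -> number of 401s
    tls_errors: Counter = field(default_factory=Counter)      # ip -> handshake errors
    scanner_hits: Counter = field(default_factory=Counter)    # ip -> scanner requests
    docker_401: int = 0                                       # 401s served to a docker client


def analyze(text: str) -> Report:
    """Classify each log line and tally the security-relevant events."""
    rep = Report()
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = ACCESS_RE.match(line)
        if m:
            ip, ua, status = m["ip"], m["ua"], int(m["status"])
            if any(marker in ua.lower() for marker in SCANNER_MARKERS):
                rep.scanner_hits[ip] += 1
            if status == 401:
                rep.unauth_by_path[m["path"]] += 1
                if ua.startswith("docker/"):
                    rep.docker_401 += 1
            continue
        m = AUTH_RE.search(line)
        if m:
            addr = ADDR_RE.search(line)
            ip = addr["addr"].rsplit(":", 1)[0] if addr else "?"
            rep.auth_failures[(ip, m["user"])] += 1
            continue
        m = TLS_RE.match(line)
        if m:
            rep.tls_errors[m["ip"]] += 1
    return rep


def findings(rep: Report) -> list[str]:
    """Turn the tallies into the short list of things an operator should look at."""
    out: list[str] = []
    for (ip, user), n in sorted(rep.auth_failures.items()):
        out.append(f"{n} htpasswd authentication failure(s) for user {user!r} from {ip}")
    if rep.docker_401:
        out.append(f"{rep.docker_401} docker-client request(s) under /v2/ answered 401: "
                   "the mirror rejected the daemon's credentials")
    for ip, n in sorted(rep.scanner_hits.items()):
        out.append(f"{n} request(s) from {ip} with a known scanner user agent and "
                   f"{rep.tls_errors.get(ip, 0)} TLS handshake error(s) from the same source")
    return out


if __name__ == "__main__":
    for line in findings(analyze(SAMPLE_LOG)):
        print(line)
```

Running it on the sample prints one finding per event class. The htpasswd failure and the docker-client 401s belong together: the daemon's HEAD and GET on the manifest were rejected, which is why the pull ended up at Docker Hub rather than the mirror. The `zgrab` entries are unrelated to the question but are what publishing the registry on 0.0.0.0:443 looks like from the outside, so they are worth keeping in view when reading this log.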

naraghi
