Push docker image to GitLab registry with self signed certificate (the dirty way)
Tuesday, December 25 2018 · Reading time: 3 minutes · 497 words · Tags: GitLab, Docker
Caution! This article is older than a year. Its content may no longer be current!
I wanted to use GitLab’s CI/CD feature with a GitLab runner. With a privileged container running docker:dind I’m able to build an image inside another container. That already works fine. I wanted to add a push to the registry after building, but the self-signed certificate stopped me:
x509: certificate signed by unknown authority
Building my own image based on docker:dind
My first try was to build my own image based on docker:dind. Here is the full Dockerfile for that:
# Start from the official Docker-in-Docker image (Alpine based, ships the ca-certificates tooling)
FROM docker:dind
# update-ca-certificates only picks up files ending in .crt from this directory
COPY veloc1tyNetworksRootCA.crt /usr/local/share/ca-certificates
# Rebuild the system trust store so dockerd, which uses it for registry TLS, trusts the internal CA
RUN update-ca-certificates
# The remaining lines repeat the base image's own settings
VOLUME ["/var/lib/docker"]
EXPOSE 2375
ENTRYPOINT ["dockerd-entrypoint.sh"]
CMD []
The file veloc1tyNetworksRootCA.crt contains the certificate of my internal certificate authority. With that I should get rid of the error message. It probably did, but DNS resolution now fails:
error during connect: Post http://docker:2375/v1.39/auth: dial tcp: lookup docker on 10.20.20.2:53: no such host
Somehow the DNS lookup for “docker” is now forwarded to my local DNS resolver. Normally that name should be resolved inside the job container, because the runner links the docker:dind service container to the job container under that name, and it should never reach an external resolver. A likely cause: GitLab Runner derives a service’s hostname from its image name, so a service started from a custom image is not reachable as docker unless the service entry in .gitlab-ci.yml sets alias: docker.
After some debugging attempts I gave up.
Skipping certificate checking
I ended up using the original docker:dind image and skipped the certificate check. This can be done by adding a command to the corresponding service. Here is an example .gitlab-ci.yml file:
---
stages:
  - build

create_docker_image:
  variables:
    # The docker CLI in the job container talks to the dockerd running in the "docker" service container
    DOCKER_HOST: tcp://docker:2375/
    DOCKER_DRIVER: overlay2
    GIT_DEPTH: 1
  image: docker:dind
  stage: build
  only:
    - master
  services:
    - name: docker:dind
      # Passed to dockerd inside the service container: registry TLS verification happens there, not in the CLI
      command: ["--insecure-registry=git.veloc1ty.lan:4567"]
  tags:
    - docker-privileged
  script:
    - "docker --version"
    - docker login -u gitlab-ci-token -p $CI_JOB_TOKEN git.veloc1ty.lan:4567
    - docker build -t git.veloc1ty.lan:4567/veloc1ty/mycoolcontainer:latest .
    - docker push git.veloc1ty.lan:4567/veloc1ty/mycoolcontainer:latest
With --insecure-registry=git.veloc1ty.lan:4567 I was able to skip certificate checking. That’s not cool, but no other solution helped, and making the registry public with a Let’s Encrypt TLS certificate was not an option.
Be aware of what the flag does: for the listed host, dockerd accepts any certificate and, if HTTPS is not available at all, falls back to plain HTTP, so an attacker on the path between runner and registry could serve a tampered image or capture the job token. Keep it restricted to the one host:port as above and never use it for a CIDR range or for a registry reachable from untrusted networks. Passing the token with -p also exposes it in the job container’s process list; docker login --password-stdin avoids that.
What else I’ve tried, and what I haven’t
Besides building my own image I tried the following:
- Adding the CA certificate to the Linux host running my GitLab runner (this had already been done earlier by Ansible)
- Adding the CA certificate to /etc/docker/certs.d on that host, using various ways of writing the hostname + port
What I’ve not tried: adapting the GitLab runner config to mount additional directories inside containers.
Neither host-side change can work in this setup: the registry TLS check is done by the daemon that executes docker push, and here that daemon runs inside the docker:dind service container with its own filesystem, not on the runner host. The certificate therefore has to end up inside the service container, either in its system trust store or at /etc/docker/certs.d/git.veloc1ty.lan:4567/ca.crt, which is exactly what a mount from the runner config could provide.
Using insecure registries with Docker Desktop on Mac
The error message about the untrusted certificate is also present on my Mac. Adding the CA certificate to the Mac keychain is not an option, because docker is running in a VM; you would have to add the certificate to the docker VM. Way too much fiddling.
(Docker’s documentation for Docker Desktop on Mac does describe a supported path for this: CAs the user trusts in the Keychain are bundled into the VM’s trust store on the next restart of Docker Desktop, which avoids the insecure-registries setting below.)
The quick workaround is to add the insecure-registries key to daemon.json. This can be done via the GUI: click on the Docker Desktop icon in the menu bar -> Preferences -> Daemon -> Advanced. You should get the following JSON:
{
  "debug" : true,
  "experimental" : false
}
Now you can add your insecure registries:
{
  "debug" : true,
  "insecure-registries" : [
    "git.veloc1ty.lan:4567"
  ],
  "experimental" : false
}
Hit Apply & Restart and wait until docker is up again. docker info should now list the host under Insecure Registries, and you should be able to log in without a certificate error. The same caveat as in the CI job applies: certificate verification for that one host is now switched off on your laptop as well.