Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Configure TLS for private v2 registry mirrors. #14829

Merged
merged 2 commits into from
Jul 21, 2015
Merged

Configure TLS for private v2 registry mirrors. #14829

merged 2 commits into from
Jul 21, 2015

Conversation

RichardScothern
Copy link

Signed-off-by: Richard Scothern richard.scothern@gmail.com

Closes #14823

cc @tiborvass @dmcgowan

@calavera calavera added this to the 1.8.0 milestone Jul 21, 2015
tiborvass
tiborvass reviewed Jul 21, 2015
View reviewed changes
registry/service.go
if err != nil {
return &tls.Config{}, err
}
tlsConfig, err := s.TlsConfig(mirrorUrl.Host)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

you can simply return s.TlsConfig(...)

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

agreed with this.

@stevvooe
Copy link
Contributor

LGTM after fixing the error returns.

@tiborvass
Copy link
Contributor

I wonder what happens with v1 mirrors

@dmcgowan
Copy link
Member

Can you clarify what the original behavior was that was causing problems?

@tiborvass
Copy link
Contributor

@dmcgowan the original problem was that the tls certs were not set up for v2 mirrors.

EDIT: I agree with you that it should be clarified in the commit / PR description.

@calavera
Copy link
Contributor

without calling the s.TlsConfig function for each mirror you could try to use certificates for other host incorrectly.

@dmcgowan
Copy link
Member

@tiborvass to clarify my understanding, the issue is that it was not using certificates from /etc/docker/cert.d for mirrors, which could include needed client certificates. It should not have been using the wrong certificates since it would have defaulted to the base configuration.

@dmcgowan
Copy link
Member

I wonder what happens with v1 mirrors

@tiborvass To your comment above the section, I don't think v1 mirrors should even be included in that list. V1 mirrors do not mirror the index and those endpoints should only be indexes.

@tiborvass
Copy link
Contributor

@RichardScothern feel free to remove v1 mirrors in that LookupEndpoints list.

@dmcgowan
Copy link
Member

LGTM

@tiborvass
Copy link
Contributor

Let's make it clearer in the commit message and PR description that this is fixing private v2 mirrors and public v2 mirrors were working just fine.

rscothern added 2 commits July 21, 2015 15:21
@rscothern
Configure TLS for private registry mirrors.
cb57b25 
If a registry mirror is using TLS, ensure that certs for it
are picked up from /etc/docker/certs.d

Signed-off-by: Richard Scothern <richard.scothern@gmail.com>
@rscothern
Remove v1 registry mirror configuration from LookupEndpoints.
6b36a48 
V1 mirrors do not mirror the index and those endpoints should
only be indexes.

Signed-off-by: Richard Scothern <richard.scothern@gmail.com>
@RichardScothern RichardScothern changed the title Configure TLS for v2 registry mirrors. Configure TLS for private v2 registry mirrors. Jul 21, 2015
@tiborvass
Copy link
Contributor

LGTM

tiborvass added a commit that referenced this pull request Jul 21, 2015
@tiborvass
Merge pull request #14829 from RichardScothern/registry-tls
42533e3 
Configure TLS for private v2 registry mirrors.
@tiborvass tiborvass merged commit 42533e3 into moby:master Jul 21, 2015
@RichardScothern RichardScothern deleted the registry-tls branch July 21, 2015 23:27
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
status/4-merge
Projects
None yet
Milestone
1.8.0
Development

Successfully merging this pull request may close these issues.
7 participants
@RichardScothern @stevvooe @tiborvass @dmcgowan @calavera @GordonTheTurtle @rscothern