Using an (in)secure registry with Synology Docker
2019-11-29
I wanted to pull docker images from my own private registry to use them on my Synology DiskStation DS918+.
So I added a new registry in the Synology Docker application:
- Select Registry tab
- Set up the name and the URL of the registry (e.g. https://registry.onsen.lan:5000)
- Check Trust SSL Self-Signed Certificate
- Input login information
- Start using it
The Syno Docker app could fetch the catalog and fill in the registry list when I clicked on the refresh button. However, when I tried to pull one of my registry images, I was greeted by the following error:
Docker image registry.onsen.lan:5000/lenain/lenain_info download failed. Please visit Docker Log for more information
But the Docker log did not contain any indication about the issue.
To let a normal user use Docker without sudo each time, SSH to the Syno and switch to root. Then add your user to the docker group, and change the group of the Docker socket so that the docker group can access it:

# synogroup --add docker lenain
# chown root:docker /var/run/docker.sock
Docker secure registries
I tried again to pull that image, this time through the Docker CLI, and faced a well-known issue:

$ docker pull registry.onsen.lan:5000/my-alpine
Using default tag: latest
Error response from daemon: Get https://registry.onsen.lan:5000/v2/: x509: certificate signed by unknown authority
As stated in the Docker documentation:
A secure registry uses TLS and a copy of its CA certificate is placed on the Docker host at /etc/docker/certs.d/myregistry:5000/ca.crt. An insecure registry is either not using TLS (i.e., listening on plain text HTTP), or is using TLS with a CA certificate not known by the Docker daemon. The latter can happen when the certificate was not found under /etc/docker/certs.d/myregistry:5000/, or if the certificate verification failed (i.e., wrong CA).
Usually, it would be sufficient to put my CA in the correct path (the /etc/docker/certs.d/<registry>:<port>/ca.crt location from the documentation above), and Docker would check the registry's certificate against that CA and allow the image to be pulled.
But on the Synology, the x509 verification still fails.
Where is the certs.d directory?
Let's find out where we should put our registries' ca.crt files by using strace to see where the Docker daemon expects to read them.
Synology provides diagnostic tools through the synogear utility. This is how to install strace:

# synogear list
Tools are not installed yet. You can run this command to install it: synogear install
# synogear install
# synogear list
All tools:
[...]
strace
[...]
Now that we have strace, let's trace the Docker daemon's system calls. Identify the dockerd process, attach strace to it with the -f option to follow forks of the process, and redirect strace's standard error to standard output so we can filter for the open calls:

# pgrep dockerd
25214
# strace -f -p 25214 2>&1|grep open
[pid 25225] openat(AT_FDCWD, "/var/packages/Docker/etc/certs.d/registry.onsen.lan:5000", O_RDONLY|O_CLOEXEC <unfinished ...>
[pid 25225] <... openat resumed> ) = 27

So the Synology daemon looks for the certificates under /var/packages/Docker/etc/certs.d rather than /etc/docker/certs.d.
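As an added example (not part of the original post), here is a small POSIX shell script wrapping the procedure above: it attaches strace to dockerd and extracts the certs.d paths the daemon tries to open, so the directory it expects shows up on its own instead of being fished out of a scrolling trace. The sample trace it parses is constructed from the output shown above; the function and variable names, and the use of timeout to bound the trace, are this example's own.

```shell
#!/bin/sh
# Added example, not code from the original post: find out which certs.d directories
# the Docker daemon opens while it contacts a registry. Function and variable names
# are this example's own; the sample trace below is constructed from the post's output.

# Read strace -f output on stdin and print each distinct path under a certs.d
# directory that the traced process tried to open. strace prints the path as the
# first quoted argument of open()/openat(); the "<... openat resumed>" continuation
# line of an interrupted call carries no path and is ignored.
extract_cert_paths() {
    sed -n '/open/ s/^[^"]*"\([^"]*certs\.d[^"]*\)".*$/\1/p' | LC_ALL=C sort -u
}

# Attach to the running daemon (run as root, with strace installed via synogear),
# follow its forks (-f), and send strace's stderr through the filter above.
# Optional first argument: how many seconds to trace before stopping (default 20).
# Trigger a pull from the registry in another session while this runs.
trace_daemon_cert_dirs() {
    pid="$(pgrep dockerd | head -n 1)"
    [ -n "$pid" ] || { echo "dockerd is not running" >&2; return 1; }
    timeout "${1:-20}" strace -f -p "$pid" 2>&1 | extract_cert_paths
}

# Constructed sample, modelled on the post's strace output: one openat split over
# two lines by a context switch, one complete openat of ca.crt, one unrelated file,
# and a repeated directory open that the filter should collapse.
SAMPLE_TRACE='[pid 25225] openat(AT_FDCWD, "/var/packages/Docker/etc/certs.d/registry.onsen.lan:5000", O_RDONLY|O_CLOEXEC <unfinished ...>
[pid 25225] <... openat resumed> ) = 27
[pid 25225] openat(AT_FDCWD, "/var/packages/Docker/etc/certs.d/registry.onsen.lan:5000/ca.crt", O_RDONLY|O_CLOEXEC) = 28
[pid 25226] openat(AT_FDCWD, "/etc/hosts", O_RDONLY|O_CLOEXEC) = 29
[pid 25225] openat(AT_FDCWD, "/var/packages/Docker/etc/certs.d/registry.onsen.lan:5000", O_RDONLY|O_CLOEXEC) = 27'

# Run as "sh this.sh live" to trace the real daemon; without arguments, filter the sample.
if [ "${1:-}" = live ]; then
    trace_daemon_cert_dirs
else
    printf '%s\n' "$SAMPLE_TRACE" | extract_cert_paths
fi
```

Without arguments the script only filters the embedded sample and prints the two certs.d paths from it; with live it traces the real daemon for 20 seconds, which is enough time to click refresh or start a pull from the registry.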
Just put your registries' ca.crt files in the following certs.d directory:

# mkdir -p /var/packages/Docker/etc/certs.d/
# mkdir /var/packages/Docker/etc/certs.d/registry.onsen.lan:5000/
# cp [...]/ca.crt /var/packages/Docker/etc/certs.d/registry.onsen.lan:5000/.
That's it, you don't even have to reload the Docker daemon. Now you can download your images from your private registry either through the CLI or the Docker app UI.