A French version of this post is available.

Moby Dock, the Docker whale mascot

I wanted to pull docker images from my own private registry to use them on my Synology DiskStation DS918+.

So I added a new registry in the Synology Docker application:

  • Select Registry tab
  • Set up the name and the URL of the registry (e.g. https://registry.onsen.lan:5000)
  • Check Trust SSL Self-Signed Certificate
  • Input login information
  • Start using it

The Syno Docker app could fetch the catalog and fill in the registry list when I clicked on the refresh button. However, when I tried to pull one of my registry images, I was greeted by the following error:

Docker image registry.onsen.lan:5000/lenain/lenain_info download failed. Please visit Docker Log for more information

But the Docker log did not contain any indication about the issue.

Sudo-less Docker

To let a normal user use Docker without typing sudo each time, SSH to the Syno and switch to root. Then add your user to the docker group and change the group owner of the Docker socket so that the docker group can reach it (keep in mind that anyone who can talk to the Docker socket is effectively root on the host, so only add trusted users):

# synogroup --add docker lenain
# chown root:docker /var/run/docker.sock

Docker secure registries

I tried again to pull that image, this time through the docker CLI, and ran into a well-known issue:

$ docker pull registry.onsen.lan:5000/my-alpine
Using default tag: latest
Error response from daemon: Get https://registry.onsen.lan:5000/v2/: x509: certificate signed by unknown authority

As stated in the Docker documentation:

A secure registry uses TLS and a copy of its CA certificate is placed on the Docker host at /etc/docker/certs.d/myregistry:5000/ca.crt. An insecure registry is either not using TLS (i.e., listening on plain text HTTP), or is using TLS with a CA certificate not known by the Docker daemon. The latter can happen when the certificate was not found under /etc/docker/certs.d/myregistry:5000/, or if the certificate verification failed (i.e., wrong CA).

Usually, it would be sufficient to put my CA in the correct path (/etc/docker/certs.d/registry.onsen.lan:5000/ca.crt). Docker would then verify the registry's certificate against that CA and allow the image to be pulled. But on the Synology, x509 verification still fails.

Where is the certs.d directory?

Let's find out where we should put the ca.crt files for our registries. We'll use strace to see where the Docker daemon actually expects to read them.

Synogear

Synology provides diagnostic tools through the synogear utility. This is the way to install the aforementioned strace tool.

# synogear list
Tools are not installed yet. You can run this command to install it:
   synogear install
# synogear install
# synogear list
All tools:
[...] strace [...]

Using strace

Now that we have strace, let's trace the Docker daemon's system calls. Identify the dockerd process, attach strace to it with the -f option to follow forked child processes, and redirect strace's standard error output to standard output so we can filter for the open(2) family of syscalls (the grep pattern also matches openat).

# pgrep dockerd
25214
# strace -f -p 25214 2>&1|grep open
[pid 25225] openat(AT_FDCWD, "/var/packages/Docker/etc/certs.d/registry.onsen.lan:5000", O_RDONLY|O_CLOEXEC <unfinished ...>
[pid 25225] <... openat resumed> )      = 27

The solution

Just put the ca.crt file for each registry in the following certs.d directory, as the root user (the subdirectory must be named host:port, exactly as it appeared in the strace output):

# mkdir -p /var/packages/Docker/etc/certs.d/
# mkdir /var/packages/Docker/etc/certs.d/registry.onsen.lan:5000/
# cp [...]/ca.crt /var/packages/Docker/etc/certs.d/registry.onsen.lan:5000/.

That's it, you don't even have to reload the Docker daemon. Now you can download your images from your private registry either through the CLI or the Docker app UI.
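The steps above collected into a small POSIX shell script, as an added example that is not part of the original post: it derives the host:port directory name from the registry URL, checks that the file looks like a PEM certificate, and installs it as ca.crt under the Synology certs.d path found with strace. The CERTS_D_BASE override variable is introduced here for testing and is not something Docker reads.

```shell
#!/bin/sh
# Install a private registry's CA certificate where the Synology Docker
# daemon looks for it. Added example, not from the original post.

# Default certs.d root on Synology DSM (stock Linux uses /etc/docker/certs.d).
# CERTS_D_BASE is an override introduced here so the script can be tested
# against a scratch directory; dockerd itself does not read this variable.
CERTS_D_BASE="${CERTS_D_BASE:-/var/packages/Docker/etc/certs.d}"

# registry_dirname URL -> the host:port directory name Docker expects.
# Strips the scheme and any path, so "https://registry.onsen.lan:5000/v2/"
# becomes "registry.onsen.lan:5000".
registry_dirname() {
  printf '%s\n' "$1" | sed -e 's#^[a-zA-Z][a-zA-Z0-9+.-]*://##' -e 's#/.*$##'
}

# install_registry_ca URL CA_FILE
# Refuses anything that is not a PEM certificate, then copies it to
# $CERTS_D_BASE/<host:port>/ca.crt (the file name is fixed by Docker)
# and prints the installed path. No daemon reload is needed.
install_registry_ca() {
  url="$1"; ca="$2"
  if ! grep -q -- '-----BEGIN CERTIFICATE-----' "$ca" 2>/dev/null; then
    echo "error: $ca is not a PEM certificate" >&2
    return 1
  fi
  dir="$CERTS_D_BASE/$(registry_dirname "$url")"
  mkdir -p "$dir" || return 1
  # World-readable is fine: it is a public CA certificate, and dockerd
  # (running as root) only needs to read it.
  cp "$ca" "$dir/ca.crt" && chmod 0644 "$dir/ca.crt" || return 1
  printf '%s\n' "$dir/ca.crt"
}

# Stand-alone usage: install_ca.sh https://registry.onsen.lan:5000 /path/ca.crt
if [ $# -eq 2 ]; then
  install_registry_ca "$1" "$2"
fi
```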