From 7c1bd2d0c0bd1f6d9fe063d81bfbfca8adec7a1a Mon Sep 17 00:00:00 2001 From: root Date: Thu, 2 Jul 2026 12:06:01 -0400 Subject: [PATCH] Support insecure VPN registry pulls --- production/.env.docker.production.example | 1 + production/README.md | 17 +++++++ production/scripts/docker-prod-common.sh | 52 ++++++++++++++++++++++ scripts/docker-prod-common.sh | 54 ++++++++++++++++++++++- 4 files changed, 123 insertions(+), 1 deletion(-) diff --git a/production/.env.docker.production.example b/production/.env.docker.production.example index 276b25e..484ceaf 100644 --- a/production/.env.docker.production.example +++ b/production/.env.docker.production.example @@ -16,6 +16,7 @@ REGISTRY_HOST=10.0.0.4 REGISTRY_USER=melabidi REGISTRY_TOKEN= REGISTRY_PASSWORD= +REGISTRY_INSECURE=true # Optional shared folder for image archives. Leave empty when the VPS can pull from the VPN registry directly. # Current production VPN routing: VPS 10.0.0.1 can reach registry 10.0.0.4. diff --git a/production/README.md b/production/README.md index 19c741f..e163115 100644 --- a/production/README.md +++ b/production/README.md @@ -50,10 +50,27 @@ APP_IMAGE=10.0.0.4/melabidi/carmanagement REGISTRY_HOST=10.0.0.4 REGISTRY_USER=melabidi REGISTRY_TOKEN= +REGISTRY_INSECURE=true IMAGE_ARCHIVE_DIR= IMAGE_ARCHIVE_REQUIRED=false ``` +Because Docker image names cannot include `http://`, the VPS Docker daemon must +mark the registry as insecure before direct HTTP pulls. Add this entry to +`/etc/docker/daemon.json`, merging it with any existing settings: + +```json +{ + "insecure-registries": ["10.0.0.4"] +} +``` + +Then restart Docker: + +```bash +sudo systemctl restart docker +``` + ## VPN Container Image Handoff This fallback is only needed if the VPS cannot reach `10.0.0.4` directly. If the diff --git a/production/scripts/docker-prod-common.sh b/production/scripts/docker-prod-common.sh index 0888b8b..6d79001 100755 --- a/production/scripts/docker-prod-common.sh +++ b/production/scripts/docker-prod-common.sh @@ -118,6 +118,7 @@ load_prod_env_exports() { REGISTRY_USER \ REGISTRY_PASSWORD \ REGISTRY_TOKEN \ + REGISTRY_INSECURE \ VPN_CONTAINER do export_env_value_if_unset "${key}" @@ -129,6 +130,54 @@ load_prod_env_exports() { fi } +registry_host_name() { + local host="${REGISTRY_HOST:-}" + + host="${host#http://}" + host="${host#https://}" + host="${host%%/*}" + printf '%s' "${host}" +} + +ensure_registry_transport_configured() { + local insecure="${REGISTRY_INSECURE:-false}" + local host + + if [[ "${insecure}" != "true" && "${insecure}" != "1" ]]; then + return 0 + fi + + host="$(registry_host_name)" + if [[ -z "${host}" ]]; then + return 0 + fi + + REGISTRY_HOST="${host}" + export REGISTRY_HOST + + if docker info 2>/dev/null | awk '/Insecure Registries:/,/Live Restore Enabled:/' | grep -Fqx " ${host}"; then + return 0 + fi + + cat >&2 </dev/null | awk '/Insecure Registries:/,/Live Restore Enabled:/' | grep -Fqx " ${host}"; then + return 0 + fi + + cat >&2 <