"pinging docker registry...connect: connection refused" error while pinging Docker registry during cf push in Operations Manager

Article ID: 293683

Products

Operations Manager

Issue/Introduction

A user tries to push an app using an image from a private Docker Registry but it fails during the staging phase with this error:
Failed getting docker image manifest by tag: error pinging docker registry <REGISTRY FQDN>: Get "https://<REGISTRY FQDN>/v2/": dial tcp <REGISTRY IP>:443: connect: connection refused

Staging process failed: Exit trace for group:

  builder exited with error: failed to fetch metadata from [<REPO>] with tag [<TAG>] and insecure registries [<REGISTRY IP>:443] due to error pinging docker registry <REGISTRY FQDN>: Get "https://<REGISTRY FQDN>/v2/": dial tcp <REGISTRY FQDN>:443: connect: connection refused


Environment

Product Version: 2.7

Resolution

The above error indicates that the Docker Registries have been correctly configured on Tanzu Application Service (TAS) for VMs and that the "Private Docker insecure registry allow list" has been configured with the Registry IP. For more information, refer to the documentation: Using Docker Registries

1. The "connection refused" error indicates that a firewall or security group is blocking access. The first step is to verify connectivity from the Diego cell to the registry:
nc -v <REGISTRY IP> 443

2. If connectivity is OK from the Diego cell, create an ASG to allow connectivity from the app to the registry. For more information, refer to App Security Groups.

3. Create a security group:
cf create-security-group <ASG NAME> <PATH-TO-RULES-FILE.json>

Where PATH-TO-RULES-FILE.json contains:
[
  {
    "description": "private docker registry",
    "destination": "<REGISTRY IP>/32",
    "log": true,
    "ports": "443",
    "protocol": "tcp"
  }
]

4. Bind the security group to the platform-wide staging App Security Groups (ASG) set:
cf bind-staging-security-group <ASG NAME>
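Because step 4 applies the rules to every staging container on the platform, the rules file is worth checking before step 3 to confirm it opens nothing beyond the registry on TCP 443. The following is an added example, not part of the original article or the product: the function names are hypothetical, and 192.0.2.10 is a constructed documentation address standing in for <REGISTRY IP>.

```python
import ipaddress
import json

# Constructed sample: 192.0.2.10 (documentation range) stands in for <REGISTRY IP>.
# Rule 0 mirrors the article's rules file; rules 1 and 2 are deliberately too broad.
SAMPLE_RULES = """[
  {"description": "private docker registry", "destination": "192.0.2.10/32",
   "log": true, "ports": "443", "protocol": "tcp"},
  {"description": "registry subnet", "destination": "192.0.2.0/24",
   "ports": "443,5000-5001", "protocol": "tcp"},
  {"description": "anything", "destination": "0.0.0.0-255.255.255.255",
   "protocol": "all"}
]"""


def expand_ports(spec):
    """Expand an ASG ports string ("443", "80,443", "8000-8100") into a set."""
    ports = set()
    for part in spec.split(","):
        low, _, high = part.strip().partition("-")
        ports.update(range(int(low), int(high or low) + 1))
    return ports


def destination_bounds(dest):
    """First and last address of an IP, CIDR or "first-last" destination."""
    if "-" in dest:
        first, last = (ipaddress.ip_address(p.strip()) for p in dest.split("-", 1))
        return first, last
    net = ipaddress.ip_network(dest, strict=False)
    return net[0], net[-1]


def audit_rules(rules_json, registry_ip, allowed_ports=frozenset({443})):
    """List every way the rules open more than registry_ip on allowed_ports."""
    target = ipaddress.ip_address(registry_ip)
    findings = []
    for i, rule in enumerate(json.loads(rules_json)):
        proto, dest, ports = rule.get("protocol"), rule.get("destination", ""), rule.get("ports")
        try:
            if proto != "tcp":
                findings.append(f"rule {i}: protocol {proto!r} instead of 'tcp'")
            if destination_bounds(dest) != (target, target):
                findings.append(f"rule {i}: destination {dest!r} is not exactly {registry_ip}")
            if ports and expand_ports(ports) - allowed_ports:
                findings.append(f"rule {i}: ports {ports!r} go beyond {sorted(allowed_ports)}")
        except ValueError as exc:
            findings.append(f"rule {i}: malformed value ({exc})")
    return findings
```

An empty result from `audit_rules` means the file grants only the single registry address on the allowed port; any finding should be resolved before the group is bound to the staging set.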