[英]Docker Registry 2.0 with Amazon S3 and TLS setup
I'm trying to set up internal docker-registry for our company in our amazon cloud which will store everything in S3 and work with TLS 我正在尝试在我们的亚马逊云中为我们的公司设置内部docker-registry,它将所有内容存储在S3中并使用TLS
Here are steps I did: 这是我执行的步骤:
1) Created new bot account in Amazon 1)在亚马逊上创建新的机器人帐户
2) Create and assign new policy to that bot: 2)创建新策略并将其分配给该机器人:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "s3:ListAllMyBuckets",
"Resource": "arn:aws:s3:::*"
},
{
"Effect": "Allow",
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::docker-repo-storage",
"arn:aws:s3:::docker-repo-storage/*"
]
}
]
}
3) Created bucket with the same name as per policy " docker-repo-storage " 3)创建与策略“ docker-repo-storage ”同名的存储桶
4) Installed docker: 4)安装的docker:
curl -sSL https://get.docker.com/ | sh
5) Download in " /etc/docker/certs/ " our corporate wildchar certificate and key 5)在“ / etc / docker / certs / ”中下载我们的公司通配符证书和密钥
6) Created config file in " /etc/docker/config/config.yml " 6)在“ /etc/docker/config/config.yml ”中创建配置文件
version: 0.1
log:
level: debug
fields:
service: registry
storage:
s3:
accesskey: <my_key_which_i_hide>
secretkey: <my_secret_key_which_i_hide>
region: eu-central-1
bucket: docker-repo-storage
encrypt: true
secure: true
v4auth: true
http:
addr: <my_domain_which_I_hide>:5000
tls:
certificate: /etc/docker/certs/wcard.<my_cert>.crt
key: /etc/docker/certs/wcard.<my_key>.key
7) Register domain in amazon "Route 53" against IP of machine where i installed docker 7)针对我安装了docker的机器的IP在亚马逊“ Route 53”中注册域
8) Running docker with the fallowing parameters: 8)使用以下参数运行docker:
docker run -d -p 5000:5000 --restart=always --name <my_custom_name> -v 'pwd'/config.yml:/etc/docker/config/config.yml registry:2
as per description in official documentation 按照官方文件中的描述
It runs successfully, so I perform the fallowing test: 它成功运行,因此我执行了以下测试:
docker pull ubuntu && docker tag ubuntu localhost:5000/mytestimg
docker push localhost:5000/mytestimg
Go to S3 bucket - and its empty, image wasn't uploaded to the S3 storage, instead it store it locally on EC2 instance VM 转到S3存储桶-空的映像未上载到S3存储,而是将其本地存储在EC2实例VM上
I set up another node with docket and try to pull " mytestimg " from that repo: 我用docket设置了另一个节点,并尝试从该存储库中提取“ mytestimg ”:
docker pull <my_domain>:5000/mytestimg
Using default tag: latest
Error response from daemon: unable to ping registry endpoint https://<my_domain>:5000/v0/
v2 ping attempt failed with error: Get https://<my_domain>:5000/v2/: tls: oversized record received with length 20527
v1 ping attempt failed with error: Get https://<my_domain>:5000/v1/_ping: tls: oversized record received with length 20527
As you see it fail to ping. 如您所见,它无法ping通。 I removed TLS from config, densest help, I spiked config and run all params from command line: 我从配置中删除了TLS,获得了最密集的帮助,我添加了配置并从命令行运行所有参数:
docker run -d -p 5000:5000 --restart=always --name <custom_name> -e SETTINGS_FLAVOR=s3 -e AWS_BUCKET=docker-repo-storage -e STORAGE_PATH=/registry -e AWS_KEY=<hidden> -e AWS_SECRET=<hidden> -e AWS_REGION=eu-central-1 -e STORAGE_REDIRECT=true -e SEARCH_BACKEND=sqlalchemy -v `pwd`/certs:/etc/docker/certs -e REGISTRY_HTTP_TLS_CERTIFICATE=/etc/docker/certs/wcard.<hidden>.crt -e REGISTRY_HTTP_TLS_KEY=/etc/docker/certs/wcard.<hidden>.key registry:2
it doesn't work, nor like this: 它不起作用,也不是这样的:
docker run -d -p 5000:5000 --restart=always --name <custom_name> -e SETTINGS_FLAVOR=s3 -e AWS_BUCKET=docker-repo-storage -e STORAGE_PATH=/registry -e AWS_KEY=<hidden> -e AWS_SECRET=<hidden> -e AWS_REGION=eu-central-1 -e STORAGE_REDIRECT=true -e SEARCH_BACKEND=sqlalchemy registry:2
What am i doing wrong? 我究竟做错了什么? why its ignoring S3 and not uploading it there? 为什么忽略S3而不上传到那里? why I cant connect from another machine and ping v0, v1, v2 fails? 为什么我无法从另一台计算机连接并ping v0,v1,v2失败?
Please help 请帮忙
I had the same issue while creating my own private repository. 创建自己的私有存储库时,我遇到了同样的问题。
When i exported the DOCKER_OPTS environment variable both in the docker host and the connecting node the issue got resolved. 当我在Docker主机和连接节点中导出DOCKER_OPTS环境变量时,问题已解决。
example DOCKER_OPTS=--insecure-registry=xx.xxx.xxx.xxx:5000 示例DOCKER_OPTS =-不安全的注册表= xx.xxx.xxx.xxx:5000
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.