Docker on windows - certificate error
When I try to build or run a docker container, e.g.:
docker build -t docker.example.com/research/example_project .
It leads to the following error:
Sending build context to Docker daemon 6.513 MB
Step 1 : FROM docker.example.com/research/example_project:latest
unable to ping registry endpoint https://docker.example.com/v0/
v2 ping attempt failed with error: Get https://docker.example.com/v2/: x509: certificate signed by unknown authority
v1 ping attempt failed with error: Get https://docker.example.com/v1/_ping: x509: certificate signed by unknown authority
All the workarounds I found on Google are for Ubuntu, but in this case Docker is running on Windows 8 (virtual machine is installed).
If you are using the pre-1.12 Docker version for Windows (the one that uses VirtualBox with Boot2Docker), you need to add your registry certificate to the Boot2Docker virtual machine. From your Docker console window, type:
$ docker-machine ssh default
$ DOMAIN_NAME=<type your domain name here>:5000
$ sudo mkdir -p /etc/docker/certs.d/$DOMAIN_NAME
$ sudo vi /etc/docker/certs.d/$DOMAIN_NAME/ca.crt
--> then copy certificate text in there and save (type :wq)
The next step is creating a script that adds the certificate to a list of allowed certificates:
$ sudo touch /var/lib/boot2docker/bootlocal.sh && sudo chmod +x /var/lib/boot2docker/bootlocal.sh
$ sudo vi /var/lib/boot2docker/bootlocal.sh
Then fill in the "your domain name" variable below and paste this script in the file you just created:
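#!/bin/bash
# bootlocal.sh runs on every Boot2Docker boot and re-registers the registry CA as trusted
CA_CERTS_DIR=/usr/local/share/ca-certificates
DOCKER_CERTS_DOMAIN_DIR=/etc/docker/certs.d/<your domain name>
CERTS_DIR=/etc/ssl/certs
CAFILE=${CERTS_DIR}/ca-certificates.crt

# Copy the registry CA certificate into the system CA directory
cp "${DOCKER_CERTS_DOMAIN_DIR}/ca.crt" "${CA_CERTS_DIR}"

for cert in $(/bin/ls -1 "${DOCKER_CERTS_DOMAIN_DIR}"); do
    SRC_CERT_FILE=${CA_CERTS_DIR}/${cert}
    # Only ca.crt was copied above, so skip any other file found in the domain directory
    [ -f "${SRC_CERT_FILE}" ] || continue
    CERT_FILE=${CERTS_DIR}/${cert}
    # OpenSSL finds CA certificates through links named <subject hash>.<index>
    HASH_FILE=${CERTS_DIR}/$(/usr/local/bin/openssl x509 -noout -hash -in "${SRC_CERT_FILE}" 2>/dev/null)

    [ ! -L "${CERT_FILE}" ] && /bin/ln -fs "${SRC_CERT_FILE}" "${CERT_FILE}"

    # Use the first free index, or stop if this certificate is already linked
    for idx in $(/usr/bin/seq 0 9); do
        if [ -L "${HASH_FILE}.${idx}" ]; then
            [ "$(/usr/bin/readlink "${HASH_FILE}.${idx}")" = "${SRC_CERT_FILE}" ] && break
        else
            /bin/ln -fs "${SRC_CERT_FILE}" "${HASH_FILE}.${idx}"
            break
        fi
    done
    # Append the certificate to the CA bundle as well
    /bin/cat "${SRC_CERT_FILE}" >> "${CAFILE}"
done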
If you are running Docker >= 1.12 for Windows (the one that runs native and uses Hyper-V instead of VirtualBox), you can add the host address of your registry as an "insecure registry" to the Docker daemon config:
Right click Docker icon in your system tray --> Settings... --> click the 'Docker Daemon' tab --> change the line
"insecure-registries": [
],
into
"insecure-registries": [
"your.domain.com:5000"
],
This allowed me to access my private registry again using the new Docker for Windows. Probably works for Mac too, but haven't tested.
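A check worth running before a certificate is pasted into ca.crt as in the answer above: confirm that the file really is the CA that issued the registry's certificate. This is an added example, not part of the original answer; the function names are hypothetical, the certificates are constructed on the spot, and it assumes the openssl command-line tool is installed.

```shell
#!/bin/bash
# Added example: confirm that a CA file issued the registry certificate
# before installing it as /etc/docker/certs.d/<registry>/ca.crt.

# issued_by CA_FILE SERVER_CERT: succeeds only if SERVER_CERT chains to CA_FILE.
issued_by() {
    # Reject files that do not parse as an X.509 certificate
    openssl x509 -in "$1" -noout 2>/dev/null || return 2
    # "openssl verify" prints "<file>: OK" only when the chain validates
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# ca_fingerprint CA_FILE: SHA-256 fingerprint to compare with the value the
# registry administrator publishes through a separate channel.
ca_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Constructed sample data: a throwaway CA, a server certificate it signs,
# and an unrelated CA. None of this is real registry material.
make_sample_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Sample Registry CA" \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=docker.example.com" \
        -keyout "$1/srv.key" -out "$1/srv.csr" 2>/dev/null
    openssl x509 -req -in "$1/srv.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -days 1 -out "$1/srv.crt" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Unrelated CA" \
        -keyout "$1/other.key" -out "$1/other.crt" 2>/dev/null
}

demo_dir=$(mktemp -d)
make_sample_pki "$demo_dir"
for ca in ca.crt other.crt; do
    if issued_by "$demo_dir/$ca" "$demo_dir/srv.crt"; then
        echo "$ca issued the server certificate, fingerprint $(ca_fingerprint "$demo_dir/$ca")"
    else
        echo "$ca did not issue the server certificate: do not install it"
    fi
done
```

Against a real registry, save the certificate it presents to a file and pass that file as the second argument.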