[英]Cannot login to private docker registry
i've set up a private docker registry (v2) via the following: 我已经通过以下方式设置了一个私有Docker注册表(v2):
docker run -d -p 4000:5000 --restart=always --name registry \
-v `pwd`/auth:/auth \
-e "REGISTRY_AUTH=htpasswd" \
-e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" \
-e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd \
-v `pwd`/certs:/certs \
-e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt \
-e REGISTRY_HTTP_TLS_KEY=/certs/domain.key \
registry:2
i ensure that the registry dns is manually overridden on all machines: 我确保在所有计算机上手动覆盖注册表dns:
# cat /etc/hosts | grep myregistrydomain.com
172.23.67.28 myregistrydomain.com
and i created a self signed cert under certs
for the fake hostname myregistrydomain.com
and added a simple auth using: 我创建了一个自签名的证书在
certs
为假主机名myregistrydomain.com
并添加使用一个简单的身份验证:
mkdir auth
sudo docker run --entrypoint htpasswd registry:2 -Bbn kolla kolla-pass > auth/htpasswd
i then copy the .crt
to both /etc/docker/certs.d/myregistrydomain.com\\:4000/ca.crt
and /etc/pki/ca-trust/source/anchors/myregistrydomain.com.crt
and run update-ca-trust
on all machines and restart docker (centos7). 然后,我将
.crt
复制到/etc/docker/certs.d/myregistrydomain.com\\:4000/ca.crt
和/etc/pki/ca-trust/source/anchors/myregistrydomain.com.crt
并运行update-ca-trust
所有机器,然后重新启动docker(centos7)。
on host A, i get: 在主机A上,我得到:
# docker login --username=kolla --password=kolla-pass myregistrydomain.com:4000
Login Succeeded
however, on host B, i get: 但是,在主机B上,我得到:
# docker login --username=kolla --password=kolla-pass https://myregistrydomain.com:4000
Error response from daemon: Get https://myregistrydomain.com:4000/v1/users/: Forbidden
i can however (on host B) successfully run: 但是,我可以(在主机B上)成功运行:
# curl -k https://kolla:kolla-pass@myregistrydomain.com:4000/v2/_catalog
to make things even stranger, on the registry node itself, i run: 使事情变得更奇怪,在注册表节点本身上,我运行:
# docker login --username=kolla --password=kolla-pass myregistrydomain.com:4000
Error response from daemon: Get https://myregistrydomain.com:4000/v1/users/: Forbidden
# docker login --username=kolla --password=kolla-pass localhost:4000
Login Succeeded
to make it even stranger, i run tcpdump
on the registry node and when i run docker login
from host B, i see no packets! 更奇怪的是,我在注册表节点上运行
tcpdump
,当我从主机B运行docker login
,我看不到任何数据包! (i, of course, do see pings etc. from host B) (我当然可以看到主机B发出的ping等信息)
i've been trying to work out what i did right on host A that i haven't been able to do on host B - with very little success! 我一直在尝试找出我在主机A上所做的正确的事情,而我在主机B上无法做到的-很少取得成功! can anyone put me out of my misery?
谁能把我从痛苦中解救出来?
# docker --version # same across all servers
Docker version 1.12.1, build 23cf638
grrr... answering my own question.... grrr ...回答我自己的问题...
so what happened was that i was using the systemctl drop-in's... and node B and the registry node were both in RFC1918 space... so in order to allow docker to download from the official docker registry, it was set to use: 所以发生的事情是我正在使用systemctl插件...并且节点B和注册表节点都在RFC1918空间中...所以为了允许docker从官方docker注册表下载,它设置为:
[Service]
Environment="HTTP_PROXY=http://<proxy>:3128/"
which of course is rather restrictive and hence not forwarding the packets to my private registry. 当然这是限制性的,因此不会将数据包转发到我的私有注册表。
removing this dropin under /etc/systemd/system/docker.service.d
fixed the problem! 删除
/etc/systemd/system/docker.service.d
下的该dropin可以解决此问题!
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.