私有注册表上的代理登录后面的代理提供TLS握手超时
[英]docker login behind proxy on private registry gives TLS handshake timeout
问题描述
We have a private docker registry at work (based on portus, but whatever) and I try to push an image to this registry but it doesn't work. 
我们有一个私有的docker注册表在工作(基于portus,但无论如何),我尝试将图像推送到此注册表,但它不起作用。 It fails with the following error message: 它失败并显示以下错误消息:
$ sudo docker login archive.docker-registry.mycompany.com
Username: mylogin
Password:
Error response from daemon: Get https://archive.docker-registry.mycompany.com/v1/users/:
net/http: TLS handshake timeout
$
I already configured the proxy in /etc/systemd/system/docker.service.d/http-proxy.conf (my docker is on centos 7): 我已经在/etc/systemd/system/docker.service.d/http-proxy.conf中配置了代理(我的docker在centos 7上):
[Service]
Environment="HTTP_PROXY=http://proxy.mycompany.com:8000/" "NO_PROXY=localhost,127.0.0.1,archive.docker-registry.mycompany.com"
but it still fails. 但它仍然失败。
I tried to use HTTPS_PROXY instead of HTTP_PROXY using either http or https in url, I tried to download certificate manually and configure them in system (update-ca-certs) but it keeps failing. 我尝试在url中使用http或https来使用HTTPS_PROXY而不是HTTP_PROXY,我尝试手动下载证书并在系统中配置它们(update-ca-certs)但它仍然失败。
When I changed this configuration file, as root, I executed: 当我以root身份更改此配置文件时,我执行了:
# systemctl daemon-reload
# systemctl restart docker
4 个解决方案
解决方案1
2 2017-04-21 11:48:34
actually, I found that if I comment out the full Environment line it works for the private registry but not for docker hub anymore (of course, no more proxy). 实际上,我发现如果我注释掉完整的环境线,它适用于私有注册表,但不适用于docker hub(当然,不再需要代理)。 And here is the final solution that works for both private registry and docker hub public registry: 这是最终解决方案适用于私有注册表和docker hub公共注册表:
In the NO_PROXY environment variable, only the domain name should be used, not the FQDN (including "archive." hostname prefix): 在NO_PROXY环境变量中,只应使用域名,而不是FQDN(包括“archive。”hostname prefix):
Here is my config file now: 这是我的配置文件:
[Service]
Environment="HTTP_PROXY=http://proxy.mycompany.com:8000/" "NO_PROXY=localhost,127.0.0.1,docker-registry.mycompany.com"
Note that there is no more "archive." 请注意,不再有“存档”。 nor "portus." 也不是“portus”。 prefix in NO_PROXY anymore, just the domain name starting from "docker-registry". NO_PROXY中的前缀,只是从“docker-registry”开始的域名。
As I saw the docker login command line including "archive." 当我看到docker登录命令行包括“archive”时。 prefix, it was misleading and I thought it had to be in the NO_PROXY environment variable... but no, it should not. 前缀,这是误导,我认为它必须在NO_PROXY环境变量...但不,它不应该。
Hope it helps someone. 希望它可以帮助某人。 I wish I found the answer on google before, but I didn't so I'm just posting it here, it might help someone. 我希望我之前在谷歌上找到答案,但我没有,所以我只是在这里发布,它可能对某人有所帮助。
解决方案2
1 2018-08-27 13:59:16
If you are using a private registry, you need to place the certificate for that under /etc/docker/certs.d/ registryname /ca.crt 如果您使用的是私有注册表,则需要在/etc/docker/certs.d/ registryname /ca.crt下为其提供证书
registryname will change accordingly registryname将相应更改
Also, please change your MTU size to 1300, this was also one thing I did to resolve the error. 另外,请将您的MTU大小更改为1300,这也是我解决错误的一件事。 Registry one I believe you might have already done. 注册表一,我相信你可能已经完成了。 Command for MTU change MTU更改命令
ip link set dev eth0 mtu 1300
MTU size is important to check MTU大小非常重要
解决方案3
1 2018-11-06 19:15:45
我安装的最新稳定版本(18.xx)有这个问题,在降级到17.12.0-ce后,它对我来说很好。
解决方案4
0 2019-08-12 23:25:02
You can get the TLS handshake timeout error if your docker daemon proxy is not configured correctly. 如果未正确配置docker守护程序代理,则可以获取TLS handshake timeout错误。
# verify docker daemon proxy configuration
/etc/systemd/system/docker.service.d/proxy.conf
# flush changes
sudo systemctl daemon-reload
# restart docker service
sudo systemctl restart docker
For more details, see https://docs.docker.com/config/daemon/systemd/#httphttps-proxy 有关更多详细信息,请参阅https://docs.docker.com/config/daemon/systemd/#httphttps-proxy
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.