Docker: private registry access
I am trying to push an image to my private Docker registry:
docker pull busybox
docker tag busybox living-registry.com:5000/busybox
docker push living-registry.com:5000/busybox
Docker tells me:
The push refers to a repository [living-registry.com:5000/busybox] Get https://living-registry.com:5000/v1/_ping: read tcp 195.83.122.16:39714->195.83.122.16:5000: read: connection reset by peer
These commands are run on CoreOS.
On another machine, I started the registry with the following command:
docker run -d -p 5000:5000 --restart=always --name registry \
-v /root/docker-registry/auth:/auth \
-e "REGISTRY_AUTH=htpasswd" \
-e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" \
-e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd \
-v /root/docker-registry/certs:/certs \
-e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/registry.crt \
-e REGISTRY_HTTP_TLS_KEY=/certs/registry.key \
-v /root/docker-registry/data:/var/lib/registry \
registry:2
Everything seems to be correct:
# netstat -tupln | grep 5000
tcp6 0 0 :::5000 :::* LISTEN 3160/docker-proxy
# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
27e79f6a504c registry:2 "/bin/registry serve " About an hour ago Restarting (2) 36 minutes ago 0.0.0.0:5000->5000/tcp registry
So when I try to log in:
[root@jenkins certs]# docker login living-registry.com:5000
Username: xxxx
Password: xxxx
Error response from daemon: Get https://living-registry.com:5000/v1/users/: read tcp 195.83.122.16:39756->195.83.122.16:5000: read: connection reset by peer
Any ideas?
EDIT
I have added the certificate (ca.crt) to /etc/ssl/certs and to /etc/docker/certs.d/xxxx:5000/.
On this CoreOS instance I am trying the following:
$ docker login https://xxxx:5000
Username: xxx
Password:
Email: xxx@mail.com
It tells me:
Error response from daemon: invalid registry endpoint https://xxxx:5000/v0/: unable to ping registry endpoint https://xxxx:5000/v0/ v2 ping attempt failed with error: Get https://xxxx:5000/v2/: EOF v1 ping attempt failed with error: Get https://xxxx:5000/v1/_ping: EOF. If this private registry supports only HTTP or HTTPS with an unknown CA certificate, please add
--insecure-registry xxxx:5000
to the daemon's arguments. In the case of HTTPS, if you have access to the registry's CA certificate, no need for the flag; simply place the CA certificate at /etc/docker/certs.d/xxxx:5000/ca.crt
I also tried to connect directly with openssl:
openssl s_client -connect x.x.x.x:5000
The output is:
CONNECTED(00000003)
140180300502672:error:140790E5:SSL routines:ssl23_write:ssl handshake failure:s23_lib.c:177:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 308 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1467812448
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
For a self-signed certificate, you must copy the crt to
/etc/docker/certs.d/hostname:port/ca.crt
cf: https://docs.docker.com/engine/security/certificates/
I create the certificate:
openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout /root/docker-registry/certs/registry.key -out /root/docker-registry/certs/registry.crt
cp /root/docker-registry/certs/registry.crt /etc/docker/certs.d/x.x.x.x:5000/ca.crt
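As an added example (not part of the question or the answer above): a small POSIX sh triage helper that reads the two signals the question already shows, the `docker ps` STATUS column ("Restarting (2)", i.e. the registry container is crash-looping) and the daemon's error text, and separates a transport failure ("connection reset by peer" or "EOF", where no TLS server ever answered) from a certificate-trust failure (an x509 error, which is what ca.crt in /etc/docker/certs.d/host:port/ fixes). The sample lines are copied from the question as constructed input; nothing contacts a Docker daemon.

```shell
#!/bin/sh
# Triage helper for the symptoms in the question. Added example; the two
# sample lines below are constructed from the question's own output.
SAMPLE_PS='27e79f6a504c registry:2 "/bin/registry serve " About an hour ago Restarting (2) 36 minutes ago 0.0.0.0:5000->5000/tcp registry'
SAMPLE_ERR='Error response from daemon: Get https://living-registry.com:5000/v1/users/: read tcp 195.83.122.16:39756->195.83.122.16:5000: read: connection reset by peer'

# Container health from one `docker ps` line: a STATUS of "Restarting (N)"
# means the registry process keeps exiting with code N and never serves TLS.
registry_state() {
    case "$1" in
        *'Restarting ('*) echo crashloop ;;
        *' Up '*)         echo running ;;
        *)                echo unknown ;;
    esac
}

# Classify the daemon's error text: did a TLS handshake fail to happen at all
# (transport), or did it happen and the client reject the certificate (trust)?
classify_error() {
    case "$1" in
        *'connection reset by peer'*|*': EOF'*)            echo no-tls-server ;;
        *'x509: certificate signed by unknown authority'*) echo untrusted-ca ;;
        *'x509:'*)                                         echo cert-mismatch ;;
        *)                                                 echo other ;;
    esac
}

# Where the Docker client looks for a private registry's CA: host:port dir.
ca_path() {
    printf '%s/%s:%s/ca.crt\n' "${3:-/etc/docker/certs.d}" "$1" "$2"
}

# Combine both signals into the single next step worth taking.
diagnose() {
    state=$(registry_state "$1")
    kind=$(classify_error "$2")
    if [ "$state" = crashloop ]; then
        echo "registry container is restart-looping; run: docker logs registry"
    elif [ "$kind" = untrusted-ca ]; then
        echo "copy the registry cert to $(ca_path "$3" "$4")"
    elif [ "$kind" = no-tls-server ]; then
        echo "no TLS server answered on $3:$4; check the container and port mapping"
    else
        echo "unclassified error: $2"
    fi
}

diagnose "$SAMPLE_PS" "$SAMPLE_ERR" living-registry.com 5000
```

Installing ca.crt only helps once `docker ps` shows the container "Up"; until then the registry itself is the thing to fix.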