Docker: private registry access

I am trying to push an image to my private Docker registry:

    docker pull busybox
    docker tag busybox living-registry.com:5000/busybox
    docker push living-registry.com:5000/busybox

Docker tells me:

    The push refers to a repository [living-registry.com:5000/busybox]
    Get https://living-registry.com:5000/v1/_ping: read tcp 195.83.122.16:39714->195.83.122.16:5000: read: connection reset by peer

These commands are being run on CoreOS.

On another machine, I started my registry with this command:

    docker run -d -p 5000:5000 --restart=always --name registry \
      -v /root/docker-registry/auth:/auth \
      -e "REGISTRY_AUTH=htpasswd" \
      -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" \
      -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd \
      -v /root/docker-registry/certs:/certs \
      -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/registry.crt \
      -e REGISTRY_HTTP_TLS_KEY=/certs/registry.key \
      -v /root/docker-registry/data:/var/lib/registry \
      registry:2

Everything looks right:

    # netstat -tupln | grep 5000
    tcp6       0      0 :::5000                 :::*                    LISTEN      3160/docker-proxy
    # docker ps
    CONTAINER ID   IMAGE        COMMAND                  CREATED             STATUS                          PORTS                    NAMES
    27e79f6a504c   registry:2   "/bin/registry serve "   About an hour ago   Restarting (2) 36 minutes ago   0.0.0.0:5000->5000/tcp   registry

So when I try to log in:

    [root@jenkins certs]# docker login living-registry.com:5000
    Username: xxxx
    Password: xxxx

    Error response from daemon: Get https://living-registry.com:5000/v1/users/: read tcp 195.83.122.16:39756->195.83.122.16:5000: read: connection reset by peer

Any ideas?

EDIT

I have added the certificate (ca.crt) to /etc/ssl/certs and to /etc/docker/certs.d/xxxx:5000/.

From this CoreOS instance, I am trying to run:

    $ docker login https://xxxx:5000
    Username: xxx
    Password:
    Email: xxx@mail.com

It tells me:

    Error response from daemon: invalid registry endpoint https://xxxx:5000/v0/: unable to ping registry endpoint https://xxxx:5000/v0/
    v2 ping attempt failed with error: Get https://xxxx:5000/v2/: EOF
     v1 ping attempt failed with error: Get https://xxxx:5000/v1/_ping: EOF. If this private registry supports only HTTP or HTTPS with an unknown CA certificate, please add `--insecure-registry xxxx:5000` to the daemon's arguments. In the case of HTTPS, if you have access to the registry's CA certificate, no need for the flag; simply place the CA certificate at /etc/docker/certs.d/xxxx:5000/ca.crt

I also tried connecting directly with openssl:

    openssl s_client -connect xxxx:5000

The output is:

    CONNECTED(00000003)
    140180300502672:error:140790E5:SSL routines:ssl23_write:ssl handshake failure:s23_lib.c:177:
    ---
    no peer certificate available
    ---
    No client certificate CA names sent
    ---
    SSL handshake has read 0 bytes and written 308 bytes
    ---
    New, (NONE), Cipher is (NONE)
    Secure Renegotiation IS NOT supported
    Compression: NONE
    Expansion: NONE
    No ALPN negotiated
    SSL-Session:
        Protocol  : TLSv1.2
        Cipher    : 0000
        Session-ID:
        Session-ID-ctx:
        Master-Key:
        Key-Arg   : None
        PSK identity: None
        PSK identity hint: None
        SRP username: None
        Start Time: 1467812448
        Timeout   : 300 (sec)
        Verify return code: 0 (ok)
    ---

For a self-signed certificate, the crt must be copied to

    /etc/docker/certs.d/hostname:port/ca.crt

cf: https://docs.docker.com/engine/security/certificates/

I created the certificate with:

    openssl req -x509 -nodes -days 3650 -newkey rsa:2048 \
      -keyout /root/docker-registry/certs/registry.key \
      -out /root/docker-registry/certs/registry.crt
    cp /root/docker-registry/certs/registry.crt /etc/docker/certs.d/xxxx:5000/ca.crt
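Putting the answer's certificate step together with the client-side CA placement from the question, as an added example (not the answer's own commands): it generates the self-signed certificate with a SAN for the registry hostname, installs it under /etc/docker/certs.d/<host>:<port>/ca.crt, and verifies both the file and the live endpoint. The hostname living-registry.com is from the question; the function names, the parameterised paths and OpenSSL 1.1.1+ (for `req -addext`) are assumptions.

```shell
#!/bin/sh
# Added example (not from the question or the answer above): generate a
# self-signed certificate whose SAN names the registry host, install it where
# the Docker client looks for it, and verify both locally and live.
# Assumes: host living-registry.com (from the question); OpenSSL 1.1.1+ for
# `req -addext`; all paths are parameters so the functions run anywhere.
set -eu

# make_registry_cert HOST DIR : writes DIR/registry.key and DIR/registry.crt.
# dockerd checks the hostname against the SAN, so a certificate generated
# without a matching CN/SAN (as in the answer) fails hostname verification.
make_registry_cert() {
  host="$1"; dir="$2"
  mkdir -p "$dir"
  openssl req -x509 -nodes -newkey rsa:2048 -days 3650 \
    -keyout "$dir/registry.key" -out "$dir/registry.crt" \
    -subj "/CN=$host" -addext "subjectAltName=DNS:$host" 2>/dev/null
  chmod 600 "$dir/registry.key"
}

# install_client_ca HOST PORT CRT [ROOT] : copies CRT to ROOT/HOST:PORT/ca.crt.
# ROOT defaults to /etc/docker/certs.d (plural "certs.d" is what dockerd reads).
install_client_ca() {
  host="$1"; port="$2"; crt="$3"; root="${4:-/etc/docker/certs.d}"
  mkdir -p "$root/$host:$port"
  cp "$crt" "$root/$host:$port/ca.crt"
}

# verify_cert_for_host CRT HOST : 0 only if CRT verifies against itself as the
# trust anchor and lists HOST in subjectAltName.
verify_cert_for_host() {
  crt="$1"; host="$2"
  openssl verify -CAfile "$crt" "$crt" >/dev/null 2>&1 || return 1
  openssl x509 -in "$crt" -noout -text | grep -q "DNS:$host"
}

# check_registry_tls HOST PORT CA : live check against the running registry.
# A reset or EOF here, as in the question, means nothing is answering TLS on
# that port; look at `docker ps` for a container stuck in "Restarting".
check_registry_tls() {
  host="$1"; port="$2"; ca="$3"
  openssl s_client -connect "$host:$port" -servername "$host" -CAfile "$ca" \
    </dev/null 2>/dev/null | grep -q "Verify return code: 0 (ok)"
}

# Usage on the registry host (then copy registry.crt to each client):
#   make_registry_cert living-registry.com /root/docker-registry/certs
#   install_client_ca living-registry.com 5000 /root/docker-registry/certs/registry.crt
#   verify_cert_for_host /root/docker-registry/certs/registry.crt living-registry.com
```

On the client, run check_registry_tls against the installed ca.crt after dockerd has been restarted; a "Restarting" container behind docker-proxy produces exactly the reset seen in the question regardless of the certificate.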