Kubernetes private Docker registry push error
So I deployed a Kubernetes cluster and installed a private Docker registry. Here is my registry controller:
---
apiVersion: v1
kind: ReplicationController
metadata:
  name: registry-master
  labels:
    name: registry-master
spec:
  replicas: 1
  selector:
    name: registry-master
  template:
    metadata:
      labels:
        name: registry-master
    spec:
      containers:
      - name: registry-master
        image: registry
        ports:
        - containerPort: 5000
        command: ["docker-registry"]
And the service:
---
apiVersion: v1
kind: Service
metadata:
  name: registry-master
  labels:
    name: registry-master
spec:
  ports:
  # the port that this service should serve on
  - port: 5000
    targetPort: 5000
  selector:
    name: registry-master
Now, on one of the Kubernetes nodes, I build a Ruby application container:
cd /tmp
git clone https://github.com/RichardKnop/sinatra-redis-blog.git
cd sinatra-redis-blog
docker build -t ruby-redis-app .
When I try to tag it and push it to the registry:
docker tag ruby-redis-app registry-master/ruby-redis-app
docker push 10.100.129.115:5000/registry-master/ruby-redis-app
I get this error:
Error response from daemon: invalid registry endpoint https://10.100.129.115:5000/v0/: unable to ping registry endpoint https://10.100.129.115:5000/v0/ v2 ping attempt failed with error: Get https://10.100.129.115:5000/v2/: read tcp 10.100.129.115:5000: connection reset by peer v1 ping attempt failed with error: Get https://10.100.129.115:5000/v1/_ping: read tcp 10.100.129.115:5000: connection reset by peer. If this private registry supports only HTTP or HTTPS with an unknown CA certificate, please add `--insecure-registry 10.100.129.115:5000` to the daemon's arguments. In the case of HTTPS, if you have access to the registry's CA certificate, no need for the flag; simply place the CA certificate at /etc/docker/certs.d/10.100.129.115:5000/ca.crt
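Any ideas how to solve it? I have been struggling for hours.
Richard
If you are using HTTPS, you must either have created a self-signed certificate (using your own CA authority) or have a CA-signed certificate.
If so, you need to install this CA certificate on the machine you are calling from.
Put your CA certificate in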
/etc/ssl/certs
and run
update-ca-certificates
Sometimes I have had to put it in here as well
/usr/local/share/ca-certificates/
(In both cases, your CA file extension should be .pem)
For Docker, you may also need to put a file in
/etc/docker/certs.d/<--your-site-url--->/ca.crt
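and the file must be named ca.crt
(the same file as the .pem file, but named ca.crt)
I have seen a similar problem, and it was related to my registry not supporting HTTPS. If your registry does not support HTTPS, then you have to tell the docker daemon that it is an insecure registry: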
echo 'DOCKER_OPTS="--insecure-registry 10.100.129.115:5000"' | sudo tee -a /etc/default/docker
Then restart your docker daemon.
If you are using Ubuntu, add this line to the /etc/default/docker file:
DOCKER_OPTS="--insecure-registry xxx.xxx.xxx.xxx:5000"
where xxx.xxx.xxx.xxx is your private registry IP.
Then restart your docker client.
sudo service docker restart
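
To tell which of the fixes in the answers applies, the sketch below (an added example, not code from the question or from any answer) probes the registry's /v2/ endpoint first over verified TLS and then over plain HTTP, the same checks the error message reports. The names probe_registry, advise and start_plain_http_stub are hypothetical, and the local stub server is a constructed stand-in for a registry that does not serve TLS.

```python
import http.client
import http.server
import socket
import ssl
import threading

def probe_registry(host, port, cafile=None, timeout=3.0):
    """Return https-trusted, https-untrusted, http-only or unreachable."""
    ctx = ssl.create_default_context(cafile=cafile)  # cafile: CA you plan to install
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return "https-trusted"
    except ssl.SSLCertVerificationError:
        return "https-untrusted"  # TLS is served, but chain or name did not verify
    except OSError:
        pass  # refused, reset, non-TLS reply or timeout: try plain HTTP next
    try:
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
        conn.request("GET", "/v2/")  # same path the docker client pings
        conn.getresponse().read()
        conn.close()
        return "http-only"
    except (OSError, http.client.HTTPException):
        return "unreachable"

def advise(host, port, cafile=None):  # probe result -> fix named on this page
    status = probe_registry(host, port, cafile)
    fixes = {
        "https-trusted": "no daemon change needed",
        "https-untrusted": f"copy the CA to /etc/docker/certs.d/{host}:{port}/ca.crt",
        "http-only": f"plain HTTP: enable TLS, or add --insecure-registry {host}:{port}",
        "unreachable": "nothing answers on that address and port",
    }
    return status, fixes[status]

def start_plain_http_stub():
    """Constructed stand-in for a registry without TLS, on a free local port."""
    class Handler(http.server.BaseHTTPRequestHandler):
        log_message = lambda self, *args: None  # keep the demo quiet
        def do_GET(self):
            self.send_response(200)
            self.end_headers()
    server = http.server.HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server

if __name__ == "__main__":
    print(advise("127.0.0.1", start_plain_http_stub().server_address[1]))
```

Against a real registry, call advise with its address, port and the path of the CA file you intend to install; an "http-only" result means image pushes and pulls travel unencrypted unless TLS is enabled on the registry.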