I want to run a private, secure, authenticated Docker registry on a self-healing AWS ECS cluster. The cluster is set up and working, but I am struggling to get registry:latest running. The problem is that every time I push an image, pushing the blobs fails and goes into a retry cycle until I get a timeout. Why does pushing to the private, secure Docker registry fail?
To make sure my ECS setup is not the blocker, I tried setting everything up locally with Docker4Mac 1.12.0-a.
First, a very basic setup works. I created my own version of the registry image, where I put the TLS certificate bundle and key, as well as the required htpasswd file, directly into the image. [I know this is insecure; I only do it for testing purposes.] So here is my Dockerfile:
FROM registry:latest
COPY htpasswd /etc/docker
COPY server_bundle.pem /etc/docker
COPY server_key.pem /etc/docker
server_bundle.pem contains the wildcard certificate for my domain mydomain.com (CN=*.mydomain.com) first, followed by the intermediate CA certificate, so clients should be happy. My htpasswd file was created using the recommended method:
docker run --entrypoint htpasswd registry:2 -Bbn heyitsme mysupersecurepassword > htpasswd
I build my image:
docker build -t heyitsme/registry .
Afterwards I run a very basic version without TLS and authentication:
docker run --restart=always -p 5000:5000 heyitsme/registry
and I can actually pull, tag and re-push images:
docker pull alpine
docker tag alpine localhost:5000/alpine
docker push localhost:5000/alpine
This works. Next, I enable TLS and basic authentication via environment variables:
docker run -h registry.mydomain.com --name registry --restart=always -p 5000:5000 \
-e REGISTRY_HTTP_HOST=http://registry.mydomain.com:5000 \
-e REGISTRY_HTTP_TLS_CERTIFICATE=/etc/docker/server_bundle.pem \
-e REGISTRY_HTTP_TLS_KEY=/etc/docker/server_key.pem \
-e REGISTRY_AUTH=htpasswd \
-e REGISTRY_AUTH_HTPASSWD_REALM=Registry-Realm \
-e REGISTRY_AUTH_HTPASSWD_PATH=/etc/docker/htpasswd heyitsme/registry
Temporarily I create an /etc/hosts entry that says:
127.0.0.1 registry.mydomain.com
Then I log in:
docker login registry.mydomain.com:5000
Username: heyitsme
Password: ***********
Login Succeeded
So now let's tag and push the image:
docker tag alpine registry.mydomain.com:5000/alpine
docker push registry.mydomain.com:5000/alpine
The push refers to a repository [registry.mydomain.com:5000/alpine]
4fe15f8d0ae6: Retrying in 4 seconds
What happens is that the Docker client tries to push the chunks and fails. Then it retries and fails again, until I time out. So next I check whether the V2 API is working:
curl -i -XGET https://registry.mydomain.com:5000/v2/
HTTP/1.1 401 Unauthorized
Content-Type: application/json; charset=utf-8
Docker-Distribution-Api-Version: registry/2.0
Www-Authenticate: Basic realm="Registry-Realm"
X-Content-Type-Options: nosniff
Date: Thu, 15 Sep 2016 10:06:04 GMT
Content-Length: 87
{"errors":[{"code":"UNAUTHORIZED","message":"authentication required","detail":null}]}
OK, as expected. So next let's authenticate:
curl -i -XGET https://heyitsme:mysupersecurepassword@registry.mydomain.com:5000/v2/
HTTP/1.1 200 OK
Content-Length: 2
Content-Type: application/json; charset=utf-8
Docker-Distribution-Api-Version: registry/2.0
X-Content-Type-Options: nosniff
Date: Thu, 15 Sep 2016 10:06:16 GMT
{}
Works. But the push still fails. The logs say:
time="2016-09-15T10:24:34Z" level=warning msg="error authorizing context: basic authentication challenge for realm \"Registry-Realm\": invalid authorization credential" go.version=go1.6.3 http.request.host="registry.mydomain.com:5000" http.request.id=6d2ec080-6824-4bf7-aac2-5af31db44877 http.request.method=GET http.request.remoteaddr="172.17.0.1:40878" http.request.uri="/v2/" http.request.useragent="docker/1.12.0 go/go1.6.3 git-commit/8eab29e kernel/4.4.15-moby os/linux arch/amd64 UpstreamClient(Docker-Client/1.12.0 \\(darwin\\))" instance.id=be3a8877-de64-4574-b47a-70ab036e7b79 version=v2.5.1
172.17.0.1 - - [15/Sep/2016:10:24:34 +0000] "GET /v2/ HTTP/1.1" 401 87 "" "docker/1.12.0 go/go1.6.3 git-commit/8eab29e kernel/4.4.15-moby os/linux arch/amd64 UpstreamClient(Docker-Client/1.12.0 \\(darwin\\))"
time="2016-09-15T10:24:34Z" level=info msg="response completed" go.version=go1.6.3 http.request.host="registry.mydomain.com:5000" http.request.id=8f81b455-d592-431d-b67d-0bc34155ddbf http.request.method=POST http.request.remoteaddr="172.17.0.1:40882" http.request.uri="/v2/alpine/blobs/uploads/" http.request.useragent="docker/1.12.0 go/go1.6.3 git-commit/8eab29e kernel/4.4.15-moby os/linux arch/amd64 UpstreamClient(Docker-Client/1.12.0 \\(darwin\\))" http.response.duration=30.515131ms http.response.status=202 http.response.written=0 instance.id=be3a8877-de64-4574-b47a-70ab036e7b79 version=v2.5.1
172.17.0.1 - - [15/Sep/2016:10:24:34 +0000] "POST /v2/alpine/blobs/uploads/ HTTP/1.1" 202 0 "" "docker/1.12.0 go/go1.6.3 git-commit/8eab29e kernel/4.4.15-moby os/linux arch/amd64 UpstreamClient(Docker-Client/1.12.0 \\(darwin\\))"
2016/09/15 10:24:34 http: TLS handshake error from 172.17.0.1:40886: tls: first record does not look like a TLS handshake
I also tested different versions of the original registry image, in particular several versions above 2. All produce the same error. If anyone can help me solve this, that would be great.
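An added diagnostic, not part of the original question: the registry log above shows the POST to /v2/alpine/blobs/uploads/ answered with 202 and, on the very next connection from the same client, a TLS handshake error because the first bytes on the wire were not TLS. The Docker client follows the Location header from that 202 for the subsequent blob upload, and the registry builds that URL from REGISTRY_HTTP_HOST when it is set, so the scheme in that header is the first thing to compare against the scheme the client actually connected with. The script below does that comparison. The registry URL, the credentials, the repository name and the sample headers are placeholders for illustration; curl is assumed to be installed for the live probe.

```shell
#!/usr/bin/env sh
# Added diagnostic: start a blob upload against a v2 registry and check that the
# Location header the registry hands back uses the same scheme (http/https) as
# the request that produced it. A mismatch means the docker client's next
# request will speak plain HTTP to a TLS listener (or the reverse).
set -u

# Print the value of the Location header from raw HTTP response headers on stdin.
# Header names are case-insensitive; CRs and leading whitespace are stripped.
location_of() {
  tr -d '\r' | awk 'tolower($1)=="location:" { sub(/^[^:]*:[ \t]*/, ""); print; exit }'
}

# check_upload_location <request-url> <raw-response-headers>
# Returns 0 when the Location scheme matches the request scheme,
#         1 when the schemes differ,
#         2 when there is no usable Location header.
check_upload_location() {
  request_url="$1"
  headers="$2"
  want_scheme="${request_url%%://*}"
  location="$(printf '%s\n' "$headers" | location_of)"
  if [ -z "$location" ]; then
    echo "no Location header in upload response" >&2
    return 2
  fi
  case "$location" in
    /*)    got_scheme="$want_scheme" ;;          # relative URL: inherits the request scheme
    *://*) got_scheme="${location%%://*}" ;;     # absolute URL: take its own scheme
    *)     echo "unparseable Location: $location" >&2; return 2 ;;
  esac
  if [ "$got_scheme" != "$want_scheme" ]; then
    echo "scheme mismatch: request used $want_scheme, Location is $location" >&2
    return 1
  fi
  echo "ok: Location is $location"
  return 0
}

# Live probe (assumed inputs): POST an upload start and inspect the headers.
# Usage: probe_upload https://registry.mydomain.com:5000 heyitsme 'password' alpine
probe_upload() {
  base="$1"; user="$2"; pass="$3"; repo="${4:-alpine}"
  headers="$(curl -sS -D - -o /dev/null -u "$user:$pass" -X POST "$base/v2/$repo/blobs/uploads/")" || return 2
  check_upload_location "$base" "$headers"
}
```

Run `probe_upload` against the registry with the same URL scheme the docker client uses; an absolute `http://` Location coming back from an `https://` request is exactly the condition that makes the client open the follow-up connection without TLS.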