Pitfalls met while deploying docker registry_v2

docker registry_v2

Setup and troubleshooting notes for docker registry_v2: nginx plus a registry built from source, rather than the run-it-in-a-container setups found elsewhere, so the registry can be tuned later.

Setup steps

  • Making the CA certificate (openssl)
  • Building and configuring nginx
  • Building the registry from source and configuring it
  • Verification and troubleshooting

Making the CA certificate

1. First edit /etc/ssl/openssl.cnf. This must happen before any certificate is generated; changing it afterwards has no effect on certificates already issued.

[ CA_default ]

dir             = /etc/ssl/demoCA       # Where everything is kept
certs           = $dir/certs            # Where the issued certs are kept
crl_dir         = $dir/crl              # Where the issued crl are kept
database        = $dir/index.txt        # database index file.
#unique_subject = no                    # Set to 'no' to allow creation of
                                        # several certificates with same subject.
new_certs_dir   = $dir/newcerts         # default place for new certs.

certificate     = $dir/certs/cacert.pem # The CA certificate
serial          = $dir/serial           # The current serial number
crlnumber       = $dir/crlnumber        # the current crl number
                                        # must be commented out to leave a V1 CRL
crl             = $dir/crl.pem          # The current CRL
private_key     = $dir/private/cakey.pem # The private key
RANDFILE        = $dir/private/.rand    # private random number file

[ v3_req ]

# Extensions to add to a certificate request

basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment

# This one matters. Without a subjectAltName the docker client later fails with
#   registry endpoint ... x509: cannot validate certificate for ... because it doesn't contain any IP SANs
subjectAltName = IP:192.168.172.150

Two things to get right here, or the SAN never reaches the server certificate:

- openssl ca signs with the extension section named by x509_extensions in [ CA_default ] (usr_cert in the stock file), not with [ v3_req ]. Either pass -extensions v3_req on the openssl ca command line, or set req_extensions = v3_req under [ req ] so the CSR carries the SAN and copy_extensions = copy under [ CA_default ] so openssl ca keeps it.
- An IP SAN only satisfies a client that connects by IP. The docker client and curl below connect to api.192.168.172.150.xip.io, and modern TLS clients (Go since 1.15 among them) ignore the Common Name, so list the DNS name as well: subjectAltName = DNS:*.192.168.172.150.xip.io, IP:192.168.172.150

2. Make the certificate
On Ubuntu the openssl configuration lives under /etc/ssl, so work there:
    cd /etc/ssl
    mkdir demoCA demoCA/certs demoCA/crl demoCA/newcerts demoCA/private
    touch /etc/ssl/demoCA/index.txt
    echo 01 > /etc/ssl/demoCA/serial
    cd /etc/ssl/demoCA
    openssl req -newkey rsa:4096 -nodes -sha256 -keyout cakey.pem -x509 -days 365 -out cacert.pem
    mv cacert.pem certs/ && mv cakey.pem private/
-nodes leaves cakey.pem unencrypted, so keep the private/ directory at mode 0700: whoever can read that key can issue certificates every client of this registry trusts. When prompted, set the domain to your own; mine is *.192.168.172.150.xip.io. The CA's Common Name does not have to be the server name (a distinct one such as "registry CA" makes the issuer line in curl -v easier to read), but the C, ST and O entered here must be entered identically for the server CSR later, because the default openssl ca policy requires them to match.
You are about to be asked to enter information that will be incorporated

    into your certificate request.

    What you are about to enter is what is called a Distinguished Name or a DN.

    There are quite a few fields but you can leave some blank

    For some fields there will be a default value,

    If you enter '.', the field will be left blank.

    -----

    Country Name (2 letter code) [XX]:CN

    State or Province Name (full name) []:beijing

    Locality Name (eg, city) [Default City]:beijing

    Organization Name (eg, company) [Default Company Ltd]:self

    Organizational Unit Name (eg, section) []:

    Common Name (eg, your name or your server's hostname) []:*.192.168.172.150.xip.io

    Email Address []:[email protected]


OK, the root certificate is now ready.

Building and configuring nginx

Option one:
yum install nginx

Option two:

1. Pick the version yourself, and make it a recent one: `add_header ... always`, used below, needs nginx 1.7.5 or newer.

cd ~
    wget http://nginx.org/download/nginx-1.9.4.tar.gz
    tar zxvf nginx-1.9.4.tar.gz
    cd ./nginx-1.9.4 && \
./configure --user=www --group=www --prefix=/opt/nginx --with-pcre --with-http_stub_status_module --with-http_ssl_module --with-http_addition_module --with-http_realip_module --with-http_flv_module --with-openssl=/root/openssl-1.0.2h --with-zlib=/root/zlib-1.2.8 --with-pcre=/root/pcre-8.39
    make && make install

The www user and group must exist before nginx starts. --with-openssl links a static OpenSSL built from that source tree, so distribution security updates to the system libssl do not reach this nginx; it has to be rebuilt when OpenSSL needs patching.

2. Generate nginx's TLS certificate and record it in the CA's database

mkdir -p /etc/nginx/ssl
  cd /etc/nginx/ssl
  openssl genrsa -out nginx.key 4096
  openssl req -new -key nginx.key -out nginx.csr
  # The DN entered here has to line up with the CA's: C, ST and O must be identical
  # (default policy_match), and the Common Name must be the name clients connect to
  openssl ca -in nginx.csr -out nginx.crt -extensions v3_req

-extensions v3_req is what actually copies the subjectAltName from the [ v3_req ] section into nginx.crt; without it openssl ca uses the usr_cert section and the certificate ends up with no SAN at all. Confirm with openssl x509 -in nginx.crt -noout -text that a Subject Alternative Name block is present before wiring the certificate into nginx.

If the CA configuration from the previous section is not in place, openssl ca fails with errors such as being unable to open demoCA, so do that first.
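The same PKI steps as an added, self-contained example (not the original post's commands): a private CA, a server certificate whose subjectAltName names both the registry's DNS name and its IP, a chain check that prints the SAN, and the per-registry trust location that docker reads (the troubleshooting section at the end comes back to it). It uses a per-command config file instead of the demoCA layout in /etc/ssl/openssl.cnf; the registry name api.192.168.172.150.xip.io, the IP 192.168.172.150, the output directory and DOCKER_CERTS_D are assumptions that can be overridden through the environment.

```shell
#!/bin/sh
# Added example, not the original post's commands: a private CA and a registry
# server certificate carrying the SANs the docker client verifies (DNS and IP),
# built with a throw-away config per command instead of editing /etc/ssl/openssl.cnf.
# REG_HOST, REG_IP and OUT are assumptions; override them via the environment.
set -eu

REG_HOST="${REG_HOST:-api.192.168.172.150.xip.io}"
REG_IP="${REG_IP:-192.168.172.150}"
OUT="${OUT:-$PWD/registry-pki}"

make_registry_pki() {
  mkdir -p "$OUT"
  (
    cd "$OUT"
    # 1. CA: self-signed, CA:TRUE, key usage limited to signing certs and CRLs.
    cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
x509_extensions    = ca_ext
prompt             = no
[dn]
CN = registry test CA
[ca_ext]
basicConstraints     = critical, CA:TRUE, pathlen:0
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -newkey rsa:4096 -nodes -sha256 -days 1825 \
      -config ca.cnf -keyout ca.key -out ca.crt
    chmod 600 ca.key

    # 2. Server CSR. The SAN is what the page's setup kept losing: it must name
    #    the host clients connect to (DNS) and, if anyone connects by IP, the IP.
    cat > server.cnf <<EOF
[req]
distinguished_name = dn
req_extensions     = v3_req
prompt             = no
[dn]
CN = $REG_HOST
[v3_req]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = DNS:$REG_HOST, IP:$REG_IP
EOF
    openssl req -new -newkey rsa:4096 -nodes -sha256 \
      -config server.cnf -keyout server.key -out server.csr
    chmod 600 server.key

    # 3. Sign. Extensions come from -extfile/-extensions; without them (exactly
    #    like `openssl ca` without -extensions or copy_extensions) the signed
    #    certificate has no SAN even though the CSR does.
    openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
      -days 365 -sha256 -extfile server.cnf -extensions v3_req -out server.crt
  )
}

# Chain check, then the SAN line from the signed cert (printed so it can be
# eyeballed or asserted on). Fails the script if the chain does not verify.
verify_registry_cert() {
  openssl verify -CAfile "$OUT/ca.crt" "$OUT/server.crt" >/dev/null
  openssl x509 -in "$OUT/server.crt" -noout -text \
    | awk '/Subject Alternative Name/ { getline; sub(/^ +/, ""); print }'
}

# docker trusts a per-registry CA from /etc/docker/certs.d/<host>/ca.crt; the
# daemon's --tlscacert flag is for its own API socket and does not apply here.
install_docker_ca() {
  d="${DOCKER_CERTS_D:-/etc/docker/certs.d}/$REG_HOST"
  mkdir -p "$d" && cp "$OUT/ca.crt" "$d/ca.crt" && echo "$d/ca.crt"
}

make_registry_pki
verify_registry_cert
```

Run as-is it leaves registry-pki/ca.crt, server.crt and server.key in the current directory (nginx.crt and nginx.key in the page's layout) and prints the SAN line; install_docker_ca needs root for the real /etc/docker/certs.d. On a real deployment the CA key does not stay on the registry host.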

3. Generate the htpasswd file; user name and password are both admin here (a placeholder, not something to keep)

htpasswd -cb /opt/nginx/conf/.htpasswd admin admin

-b takes the password from the command line, so it lands in the shell history and is visible in ps while the command runs; on a real host leave -b out and type it at the prompt. -c creates the file and overwrites an existing one.

4. Edit the nginx configuration

user  www www;
worker_processes  auto;

error_log   /var/log/nginx_error.log error;
#error_log  logs/error.log  notice;
#error_log  logs/error.log  info;

#pid        logs/nginx.pid;

worker_rlimit_nofile 51200;

events {
    use epoll;
    worker_connections  51200;
    multi_accept on;
}

http {
    include       mime.types;
    default_type  application/octet-stream;

    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx_access.log  main;

    server_names_hash_bucket_size 128;
    client_header_buffer_size 32k;
    large_client_header_buffers 4 32k;

    sendfile        on;
    tcp_nopush      on;
    tcp_nodelay     on;

    #keepalive_timeout  0;
    keepalive_timeout  65;

    #gzip  on;

    upstream registry {
        # the registry from the next section: plain HTTP, no auth of its own, so this
        # address must not be reachable from anywhere except nginx (see http.addr there)
        server 192.168.172.150:5000;
    }

    server {
        listen       443 ssl;
        server_name  192.168.172.150;

        ssl_certificate     /etc/nginx/ssl/nginx.crt;
        ssl_certificate_key /etc/nginx/ssl/nginx.key;

        # image layers are large: no request body limit
        client_max_body_size 0;

        chunked_transfer_encoding on;

        location /v2/ {
            auth_basic "Registry realm";
            auth_basic_user_file /opt/nginx/conf/.htpasswd;
            # the docker client needs this header on every response, including the 401 that
            # auth_basic sends before the request reaches the registry; 'always' (nginx >= 1.7.5) does that
            add_header 'Docker-Distribution-Api-Version' 'registry/2.0' always;

            # no trailing slash: /v2/... must reach the registry unchanged
            proxy_pass                          http://registry;
            # plain $variables, no backslash (see the note below)
            proxy_set_header  Host              $http_host;   # required for docker client's sake
            proxy_set_header  X-Real-IP         $remote_addr; # pass on real client's IP
            proxy_set_header  X-Forwarded-For   $proxy_add_x_forwarded_for;
            proxy_set_header  X-Forwarded-Proto $scheme;
            proxy_read_timeout                  900;
        }

        error_page   500 502 503 504  /50x.html;
        location = /50x.html {
            root   html;
        }
    }
}
  

Pitfall: when the configuration is pasted in from a heredoc or a shell script, the variables arrive escaped as

        proxy_set_header  Host              \$http_host;   # required for docker client's sake
        proxy_set_header  X-Real-IP         \$remote_addr; # pass on real client's IP
        proxy_set_header  X-Forwarded-For   \$proxy_add_x_forwarded_for;

They must read

        proxy_set_header  Host              $http_host;   # required for docker client's sake
        proxy_set_header  X-Real-IP         $remote_addr; # pass on real client's IP
        proxy_set_header  X-Forwarded-For   $proxy_add_x_forwarded_for;

and then it works. With the backslash nginx does not expand the variable at all: it forwards the literal string "$http_host" as the Host header, and the registry's Go HTTP server rejects the request before any handler runs:

 curl -i -k -v https://admin:admin@api.192.168.172.150.xip.io/v2/

400 Bad Request: malformed Host header

========================================================================================================================

Key details to watch

The trailing / in proxy_pass

When proxy_pass sits inside a prefix location (^~ or a plain prefix), the trailing / on the proxy_pass URL decides what gets forwarded. With a trailing / the URL is treated as a new root and nginx strips the part matched by the location before proxying; without it, the matched part is forwarded as-is.

location ^~ /static_js/ {
    proxy_cache js_cache;
    proxy_set_header Host js.test.com;
    proxy_pass http://js.test.com/;
}

With the configuration above a request for http://servername/static_js/test.html
is proxied to http://js.test.com/test.html

Whereas with
location ^~ /static_js/ {
    proxy_cache js_cache;
    proxy_set_header Host js.test.com;
    proxy_pass http://js.test.com;
}

it is proxied to http://js.test.com/static_js/test.html
The same stripping can of course be done with a rewrite:

location ^~ /static_js/ {
    proxy_cache js_cache;
    proxy_set_header Host js.test.com;
    rewrite /static_js/(.+)$ /$1 break;
    proxy_pass http://js.test.com;
}

For the registry this means proxy_pass http://registry; with no trailing slash: the client asks for /v2/_catalog and the registry must see exactly /v2/_catalog (the registry log further down shows the 301 a stripped prefix produces).

=============================================================================================



5. Check the configuration and start nginx

/opt/nginx/sbin/nginx -t   # checks nginx.conf for syntax and file errors before anything is restarted
    /opt/nginx/sbin/nginx -c /opt/nginx/conf/nginx.conf
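The server block again, as an added example rather than the post's own nginx.conf, with the settings the configuration above leaves at their defaults: TLS limited to 1.2 with AEAD suites, the upstream on loopback, nothing served outside /v2/, and the two pitfalls from this section (backslashed variables, trailing slash) called out in place. server_name, the file paths and the 127.0.0.1:5000 upstream are assumptions; the last one only holds if the registry's http.addr is changed to match.

```nginx
# Added example, not the original post's nginx.conf: the registry front end with
# the hardening the tutorial's version lacks. Names and paths are assumptions.
upstream registry {
    # The registry must listen on loopback only (http.addr: 127.0.0.1:5000 in its
    # config). Bound to 0.0.0.0:5000 it is reachable from the LAN with no auth at all.
    server 127.0.0.1:5000;
}

server {
    listen 443 ssl;
    server_name api.192.168.172.150.xip.io;

    ssl_certificate     /etc/nginx/ssl/nginx.crt;
    ssl_certificate_key /etc/nginx/ssl/nginx.key;
    ssl_protocols       TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers         'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256';
    ssl_session_cache   shared:SSL:10m;

    # Image layers are large; 0 disables the request body limit.
    client_max_body_size 0;
    chunked_transfer_encoding on;

    # Nothing outside the v2 API is served from this vhost.
    location / {
        return 404;
    }

    location /v2/ {
        auth_basic           "Registry realm";
        auth_basic_user_file /opt/nginx/conf/.htpasswd;

        # The docker client expects this header on every response, including the
        # 401 that auth_basic itself sends; 'always' (nginx >= 1.7.5) covers that.
        add_header 'Docker-Distribution-Api-Version' 'registry/2.0' always;

        # No trailing slash on the upstream: /v2/_catalog must reach the registry
        # as /v2/_catalog, not /_catalog (see "The trailing / in proxy_pass").
        proxy_pass http://registry;

        # Plain $variables. A shell-escaped \$http_host is forwarded as the literal
        # string "$http_host", which the registry rejects with 400 malformed Host header.
        proxy_set_header Host              $http_host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_read_timeout 900;
    }
}
```

Validate with /opt/nginx/sbin/nginx -t as in step 5; the cipher list assumes the statically linked OpenSSL 1.0.2 from the build step, which supports all four suites.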

Building the registry from source and configuring it

1. Check out the source:

git clone https://github.com/docker/distribution
    cd distribution
    git checkout v2.1.1
    godep restore ./...

2. Build the registry binary. The shortcut is to point GOPATH at a tree that holds this checkout under src/github.com/docker/distribution and install the registry command from it. The binary is the cmd/registry package, not the repository root:

go install github.com/docker/distribution/cmd/registry

(A bare go get github.com/docker/distribution fetches master and builds no binary at all, so it would neither produce the registry command nor use the v2.1.1 just checked out.)

3. Configure the registry, config-example.yml

version: 0.1
log:
  fields:
    service: registry
storage:
  cache:
    layerinfo: inmemory
  filesystem:
    rootdirectory: /home/jojo/registry
http:
  addr: :5000
  secret: admin
#  tls:
#    certificate: /etc/ssl/demoCA/certs/cacert.pem
#    key: /etc/ssl/demoCA/private/cakey.pem
#proxy:
#  remoteurl: https://api.192.168.172.150.xip.io
#  username: admin
#  password: admin

(service belongs nested under fields, otherwise the parser silently ignores it and the field never appears in the log lines.)

Note the commented-out parts. nginx already terminates TLS in front of the registry, so the registry itself must not enable tls: nginx proxies with plain http://, and a TLS listener on the registry would answer every request with "tls: first record does not look like a TLS handshake". The commented block also points tls.key at the CA's own private key; a CA key is never a server key, even in a test setup.

Two settings in this file deserve more than the example values:
- addr: :5000 binds every interface, so the registry is reachable on 192.168.172.150:5000 directly, with no basic auth and no TLS; nginx's auth_basic only protects port 443. Bind to 127.0.0.1:5000 (and point the nginx upstream at 127.0.0.1:5000) or firewall the port.
- secret is the key the registry uses to sign upload state that it hands back to clients; use a random value (for example the output of openssl rand -hex 32) rather than admin.

4. Configure docker by adding one line

vi /etc/default/docker
    DOCKER_OPTS="--insecure-registry api.192.168.172.150.xip.io"

--tlsverify and --tlscacert, which this line originally carried as well, configure TLS for the daemon's own API socket (-H tcp://...) and have no effect on how the daemon talks to registries, so they do not belong here. --insecure-registry makes the daemon accept this registry over HTTPS with any certificate (and over plain HTTP), which throws away the CA work above; it is acceptable only while testing. The proper alternative is to drop the flag and install the CA certificate where the daemon looks for per-registry trust, /etc/docker/certs.d/api.192.168.172.150.xip.io/ca.crt (the daemon's own error message, quoted in the troubleshooting section, says the same), then restart docker. /etc/default/docker is only read by the upstart/sysvinit scripts, not by a systemd unit.

5. Start docker and the registry

service docker start
    registry serve /home/jojo/register/config-example.yml
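An added example, not the page's config-example.yml: the same file with the two http settings tightened and the reason for each beside it. The secret is a placeholder to be replaced with the output of openssl rand -hex 32, and binding to loopback assumes the nginx upstream is changed to 127.0.0.1:5000 as well.

```yaml
# Added example (not the page's config-example.yml): the registry config with the
# two http settings tightened. Paths are the page's; the secret is a placeholder.
version: 0.1
log:
  fields:
    service: registry        # nested under fields, so it is attached to every log line
storage:
  cache:
    layerinfo: inmemory
  filesystem:
    rootdirectory: /home/jojo/registry
http:
  # Loopback only. With ":5000" the registry also answers on 192.168.172.150:5000,
  # and that path has neither TLS nor auth_basic in front of it.
  addr: 127.0.0.1:5000
  # Random, not "admin": this value signs upload-session state handed to clients,
  # so a guessable one lets a client forge that state. Generate with:
  #   openssl rand -hex 32
  secret: REPLACE_WITH_OUTPUT_OF_openssl_rand_hex_32
  headers:
    X-Content-Type-Options: [nosniff]
```

With addr on loopback the registry still cannot enable tls (nginx speaks plain HTTP to it), but the only way to reach port 5000 is now through nginx on the same host.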

Verification and troubleshooting

1. Check connectivity:

curl -i -k -v https://admin:admin@api.192.168.172.150.xip.io/v2/

-k disables certificate verification, which is why the output below says "unable to get local issuer certificate (20), continuing anyway"; to verify the chain for real, replace -k with --cacert /etc/ssl/demoCA/certs/cacert.pem. -v also prints the Authorization: Basic header, i.e. the base64 of admin:admin, so do not paste such output anywhere with real credentials. The Docker-Distribution-Api-Version header appears twice because both nginx (add_header ... always) and the registry set it; that is harmless.



    * Hostname was NOT found in DNS cache

    *   Trying 192.168.172.150...

    * Connected to api.192.168.172.150.xip.io (192.168.172.150) port 443 (#0)

    * successfully set certificate verify locations:

    *   CAfile: none

      CApath: /etc/ssl/certs

    * SSLv3, TLS handshake, Client hello (1):

    * SSLv3, TLS handshake, Server hello (2):

    * SSLv3, TLS handshake, CERT (11):

    * SSLv3, TLS handshake, Server key exchange (12):

    * SSLv3, TLS handshake, Server finished (14):

    * SSLv3, TLS handshake, Client key exchange (16):

    * SSLv3, TLS change cipher, Client hello (1):

    * SSLv3, TLS handshake, Finished (20):

    * SSLv3, TLS change cipher, Client hello (1):

    * SSLv3, TLS handshake, Finished (20):

    * SSL connection using ECDHE-RSA-AES256-GCM-SHA384

    * Server certificate:

    *        subject: C=CN; ST=beijing; O=self; OU=self; CN=*.192.168.172.150.xip.io; [email protected]

    *        start date: 2015-09-18 13:54:11 GMT

    *        expire date: 2016-09-17 13:54:11 GMT

    *        issuer: C=CN; ST=beijing; L=beijing; O=self; OU=self; CN=*.192.168.172.150.xip.io; [email protected]

    *        SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.

    * Server auth using Basic with user 'admin'

    > GET /v2/ HTTP/1.1

    > Authorization: Basic YWRtaW46YWRtaW4=

    > User-Agent: curl/7.35.0

    > Host: api.192.168.172.150.xip.io

    > Accept: */*

    > 

    < HTTP/1.1 200 OK

    HTTP/1.1 200 OK

    * Server nginx/1.9.4 is not blacklisted

    < Server: nginx/1.9.4

    Server: nginx/1.9.4

    < Date: Fri, 18 Sep 2015 17:02:00 GMT

    Date: Fri, 18 Sep 2015 17:02:00 GMT

    < Content-Type: application/json; charset=utf-8

    Content-Type: application/json; charset=utf-8

    < Content-Length: 2

    Content-Length: 2

    < Connection: keep-alive

    Connection: keep-alive

    < Docker-Distribution-Api-Version: registry/2.0

    Docker-Distribution-Api-Version: registry/2.0

    < Docker-Distribution-Api-Version: registry/2.0

    Docker-Distribution-Api-Version: registry/2.0

2. Verify docker login (with -p the password goes into the shell history; interactive entry avoids that)

docker login -u admin -p admin -e jackyuan@126 https://api.192.168.172.150.xip.io/v2/



    WARNING: login credentials saved in /root/.docker/config.json

    Login Succeeded

3. Push an image to the private registry

docker tag 91e54dfb1179 api.192.168.172.150.xip.io/ubuntu:trusty
  docker push api.192.168.172.150.xip.io/ubuntu:trusty



  The push refers to a repository [api.192.168.172.150.xip.io/ubuntu] (len: 1)

  91e54dfb1179: Image already exists 

  d74508fb6632: Image successfully pushed 

  c22013c84729: Image successfully pushed 

  d3a1f33e8a5a: Image successfully pushed 

  Digest: sha256:a731c12a4d21af384c4659666f177cd1e871646b95b9440d709ec4ee176145b2

4. Check that the image was uploaded

curl -i -k -v https://admin:admin@api.192.168.172.150.xip.io/v2/_catalog

    {"repositories":["ubuntu"]}

    cd /home/jojo/registry/docker/registry/v2 && ls
    blobs  repositories

I will not go further into the directory here; the on-disk data structures are worth a look once you get deeper into the registry.



What matters most when things go wrong is reading the logs, all three of them: the registry's, nginx's and the docker daemon's.

====================================================

registry log


INFO[5489] response completed                            go.version=go1.6.2 http.request.host=registry http.request.id=bafd9501-08e5-418b-9bba-ddadbefc819a http.request.method=GET http.request.remoteaddr=192.168.225.132:53216 http.request.uri=// http.request.useragent=curl/7.29.0 http.response.duration=105.962µs http.response.status=301 http.response.written=0 instance.id=f604880f-a37b-4ebe-9652-d6326c09366d version=v2.4.1+unknown
192.168.225.132 - - [05/Jul/2016:17:10:47 +0800] "GET // HTTP/1.0" 301 0 "" "curl/7.29.0" 
The request arrived as // because proxy_pass was http://registry/ with a trailing slash at the time; see "The trailing / in proxy_pass" above.



INFO[5574] response completed                            go.version=go1.6.2 http.request.host=registry http.request.id=b2a20ff4-bc84-4529-9c5a-a0472f76c992 http.request.method=GET http.request.remoteaddr=192.168.225.132:53222 http.request.uri=/v2/_catalog http.request.useragent=curl/7.29.0 http.response.contenttype=application/json; charset=utf-8 http.response.duration=1.370983ms http.response.status=200 http.response.written=20 instance.id=f604880f-a37b-4ebe-9652-d6326c09366d version=v2.4.1+unknown
192.168.225.132 - - [05/Jul/2016:17:12:12 +0800] "GET /v2/_catalog HTTP/1.0" 200 20 "" "curl/7.29.0"
INFO[5658] response completed                            go.version=go1.6.2 http.request.host=registry http.request.id=9e744f42-c563-48d4-87b7-29ed31deb8e5 http.request.method=GET http.request.remoteaddr=192.168.225.132:53230 http.request.uri=/v2/_catalog http.request.useragent=curl/7.29.0 http.response.contenttype=application/json; charset=utf-8 http.response.duration=1.093502ms http.response.status=200 http.response.written=20 instance.id=f604880f-a37b-4ebe-9652-d6326c09366d version=v2.4.1+unknown
192.168.225.132 - - [05/Jul/2016:17:13:37 +0800] "GET /v2/_catalog HTTP/1.0" 200 20 "" "curl/7.29.0"
INFO[5674] response completed                            go.version=go1.6.2 http.request.host=registry http.request.id=6d7b3e74-a066-4b3d-a414-463d4d6b7bd7 http.request.method=GET http.request.remoteaddr=192.168.225.132:53232 http.request.uri=/v2/_catalog/ http.request.useragent=curl/7.29.0 http.response.duration=108.687µs http.response.status=301 http.response.written=47 instance.id=f604880f-a37b-4ebe-9652-d6326c09366d version=v2.4.1+unknown
192.168.225.132 - - [05/Jul/2016:17:13:53 +0800] "GET /v2/_catalog/ HTTP/1.0" 301 47 "" "curl/7.29.0"




INFO[5738] response completed                            go.version=go1.6.2 http.request.host=registry http.request.id=4bc3c40f-be43-4a7b-b014-372456fa6123 http.request.method=GET http.request.remoteaddr=192.168.225.132:53237 http.request.uri=/v2/_catalog http.request.useragent=curl/7.29.0 http.response.contenttype=application/json; charset=utf-8 http.response.duration=1.176057ms http.response.status=200 http.response.written=20 instance.id=f604880f-a37b-4ebe-9652-d6326c09366d version=v2.4.1+unknown
192.168.225.132 - - [05/Jul/2016:17:14:56 +0800] "GET /v2/_catalog HTTP/1.0" 200 20 "" "curl/7.29.0"

 ================================================================= 
   

nginx log

192.168.225.132 - admin [05/Jul/2016:17:04:21 +0800] "GET /v2/_catalog HTTP/1.1" 200 0 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0"
192.168.225.132 - admin [05/Jul/2016:17:04:50 +0800] "GET /v2/_catalog/v2/ HTTP/1.1" 301 0 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0"
192.168.225.132 - admin [05/Jul/2016:17:04:50 +0800] "GET /v2/ HTTP/1.1" 400 49 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0"
192.168.225.132 - admin [05/Jul/2016:17:05:02 +0800] "GET /v2/ HTTP/1.1" 400 49 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0"
192.168.225.132 - admin [05/Jul/2016:17:05:13 +0800] "GET /v2/ HTTP/1.1" 400 49 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0"


192.168.225.132 - admin [05/Jul/2016:17:05:25 +0800] "GET /v2/ HTTP/1.1" 400 49 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0"
192.168.225.132 - admin [05/Jul/2016:17:05:30 +0800] "GET /v2/_catalog/ HTTP/1.1" 301 0 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0"
192.168.225.132 - - [05/Jul/2016:17:05:30 +0800] "GET / HTTP/1.1" 304 0 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0"

192.168.225.132 - - [05/Jul/2016:17:06:04 +0800] "GET / HTTP/1.1" 304 0 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0"
192.168.225.132 - - [05/Jul/2016:17:06:05 +0800] "GET / HTTP/1.1" 304 0 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0"
192.168.225.132 - - [05/Jul/2016:17:06:06 +0800] "GET / HTTP/1.1" 304 0 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0"
192.168.225.132 - admin [05/Jul/2016:17:06:14 +0800] "GET /v2/_catalog/v2 HTTP/1.1" 301 0 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0"
192.168.225.132 - admin [05/Jul/2016:17:06:14 +0800] "GET /v2/ HTTP/1.1" 400 49 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0"
192.168.225.132 - admin [05/Jul/2016:17:06:23 +0800] "GET /v2/ HTTP/1.1" 400 49 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0"
192.168.225.132 - admin [05/Jul/2016:17:06:26 +0800] "GET /v2/ HTTP/1.1" 400 49 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0"
192.168.225.132 - admin [05/Jul/2016:17:06:27 +0800] "GET /v2/ HTTP/1.1" 400 49 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0"

192.168.225.132 - admin [05/Jul/2016:17:10:15 +0800] "GET /v2/ HTTP/1.1" 400 49 "-" "curl/7.29.0"
192.168.225.132 - admin [05/Jul/2016:17:10:26 +0800] "GET /v2/_category HTTP/1.1" 400 49 "-" "curl/7.29.0"
192.168.225.132 - admin [05/Jul/2016:17:10:33 +0800] "GET /v2/_category/ HTTP/1.1" 400 49 "-" "curl/7.29.0"
192.168.225.132 - admin [05/Jul/2016:17:10:47 +0800] "GET /v2/_catalog/ HTTP/1.1" 301 0 "-" "curl/7.29.0"
192.168.225.132 - admin [05/Jul/2016:17:11:02 +0800] "GET /v2/ HTTP/1.1" 400 49 "-" "curl/7.29.0"

192.168.225.132 - admin [05/Jul/2016:17:11:51 +0800] "GET /v2/ HTTP/1.1" 400 49 "-" "curl/7.29.0"


192.168.225.132 - admin [05/Jul/2016:17:12:12 +0800] "GET /v2/_catalog HTTP/1.1" 200 20 "-" "curl/7.29.0"
192.168.225.132 - admin [05/Jul/2016:17:12:36 +0800] "GET /v2 HTTP/1.1" 301 184 "-" "curl/7.29.0"
192.168.225.132 - admin [05/Jul/2016:17:12:52 +0800] "GET /v2/ HTTP/1.1" 400 49 "-" "curl/7.29.0"
192.168.225.132 - - [05/Jul/2016:17:13:19 +0800] "GET /v2/ HTTP/1.1" 401 194 "-" "curl/7.29.0"
192.168.225.132 - - [05/Jul/2016:17:13:37 +0800] "GET /v2/_catalog HTTP/1.1" 200 20 "-" "curl/7.29.0"
192.168.225.132 - - [05/Jul/2016:17:13:53 +0800] "GET /v2/_catalog/ HTTP/1.1" 301 47 "-" "curl/7.29.0"
192.168.225.132 - - [05/Jul/2016:17:14:01 +0800] "GET /v2/ HTTP/1.1" 401 194 "-" "curl/7.29.0"
192.168.225.132 - admin [05/Jul/2016:17:14:14 +0800] "GET /v2/ HTTP/1.1" 400 49 "-" "curl/7.29.0"
192.168.225.132 - admin [05/Jul/2016:17:14:56 +0800] "GET /v2/_catalog HTTP/1.1" 200 20 "-" "curl/7.29.0"
192.168.225.132 - admin [05/Jul/2016:17:15:03 +0800] "GET /v2/search HTTP/1.1" 400 49 "-" "curl/7.29.0"


192.168.225.132 - - [05/Jul/2016:17:16:57 +0800] "GET /v2/_catalog HTTP/1.1" 401 194 "-" "curl/7.29.0"
192.168.225.132 - admin [05/Jul/2016:17:17:08 +0800] "GET /v2/_catalog HTTP/1.1" 200 20 "-" "curl/7.29.0"
192.168.225.132 - admin [05/Jul/2016:17:17:27 +0800] "GET /v2/_catalog HTTP/1.1" 200 20 "-" "curl/7.29.0"
192.168.225.132 - admin [05/Jul/2016:17:17:31 +0800] "GET /v2/ HTTP/1.1" 400 49 "-" "curl/7.29.0"



192.168.225.132 - admin [05/Jul/2016:17:18:18 +0800] "GET /v2/ HTTP/1.1" 400 49 "-" "curl/7.29.0"
192.168.225.132 - admin [05/Jul/2016:17:18:22 +0800] "GET /v2 HTTP/1.1" 301 184 "-" "curl/7.29.0"
192.168.225.132 - admin [05/Jul/2016:17:18:28 +0800] "GET /v2/ HTTP/1.1" 400 49 "-" "curl/7.29.0"
192.168.225.132 - admin [05/Jul/2016:17:21:50 +0800] "GET /v2/ HTTP/1.1" 200 2 "-" "curl/7.29.0"
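Reading these logs by hand works once; here is an added example (not from the post) that does it with awk over a handful of constructed lines in the same "main" log_format, counting the three patterns the troubleshooting above turned up: 400s from an authenticated user on /v2/ (the bad Host header), 301s on trailing-slash paths, and 401s with no user (auth_basic doing its job). The sample lines are made up for the example; the field positions assume exactly the log_format from the nginx.conf above.

```shell
#!/bin/sh
# Added example, not from the original post: triage an nginx access log in the
# page's "main" log_format for the failure patterns seen above. SAMPLE_LOG is
# constructed for the example; field numbers assume the "main" format exactly.
set -eu

SAMPLE_LOG='192.168.225.132 - admin [05/Jul/2016:17:10:15 +0800] "GET /v2/ HTTP/1.1" 400 49 "-" "curl/7.29.0"
192.168.225.132 - admin [05/Jul/2016:17:10:26 +0800] "GET /v2/_category HTTP/1.1" 400 49 "-" "curl/7.29.0"
192.168.225.132 - admin [05/Jul/2016:17:10:47 +0800] "GET /v2/_catalog/ HTTP/1.1" 301 0 "-" "curl/7.29.0"
192.168.225.132 - - [05/Jul/2016:17:13:19 +0800] "GET /v2/ HTTP/1.1" 401 194 "-" "curl/7.29.0"
192.168.225.132 - admin [05/Jul/2016:17:12:12 +0800] "GET /v2/_catalog HTTP/1.1" 200 20 "-" "curl/7.29.0"
192.168.225.132 - admin [05/Jul/2016:17:12:36 +0800] "GET /v2 HTTP/1.1" 301 184 "-" "curl/7.29.0"
192.168.225.132 - - [05/Jul/2016:17:05:30 +0800] "GET / HTTP/1.1" 304 0 "-" "Mozilla/5.0"
192.168.225.132 - admin [05/Jul/2016:17:21:50 +0800] "GET /v2/ HTTP/1.1" 200 2 "-" "curl/7.29.0"'

# count_status STATUS [PATH]: number of lines on stdin with that status (and exact path).
# "main" format fields: $3 = auth user, $7 = request path, $9 = status.
count_status() {
  awk -v s="$1" -v p="${2:-}" '$9 == s && (p == "" || $7 == p) { n++ } END { print n + 0 }'
}

# diagnose_log: one "TAG count hint" line per pattern found on stdin.
diagnose_log() {
  awk '
    # 400 to an authenticated user on the v2 API: nginx relayed a request the
    # registry (Go net/http) refused, typically "malformed Host header" caused
    # by proxy_set_header Host \$http_host (literal backslash in the config).
    $9 == 400 && $3 != "-" && $7 ~ /^\/v2\// { bad_host++ }
    # 301 on a path with a trailing slash: the registry router redirects
    # /v2/_catalog/ to /v2/_catalog; the same shows up when proxy_pass carries
    # a trailing slash and rewrites the prefix.
    $9 == 301 && $7 ~ /\/$/ && $7 != "/v2/" { slash++ }
    # 401 with no user: auth_basic rejected an unauthenticated request (expected).
    $9 == 401 && $3 == "-" { noauth++ }
    $9 == 200 && $7 ~ /^\/v2/ { ok++ }
    END {
      if (bad_host) printf "BAD_HOST %d check proxy_set_header Host $http_host (no backslash)\n", bad_host
      if (slash)    printf "TRAILING_SLASH %d check proxy_pass has no trailing slash and drop the slash from the URL\n", slash
      if (noauth)   printf "NO_CREDS %d auth_basic working; client sent no Authorization header\n", noauth
      printf "OK %d successful v2 API responses\n", ok + 0
    }'
}

printf '%s\n' "$SAMPLE_LOG" | diagnose_log
```

Feed the real file instead of the sample: diagnose_log < /var/log/nginx_access.log, or count_status 400 /v2/ < /var/log/nginx_access.log for a single pattern.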


===========================================================================================

===========================================================================================

The result once everything was wired up (a second environment, hence the different host, IP and registry version in the logs above):

[root@centos-master conf]# curl -i -k -v https://admin:admin@zq.reg32.jd.com/v2/
* About to connect() to zq.reg32.jd.com port 443 (#0)
*   Trying 192.168.225.132...
* Connected to zq.reg32.jd.com (192.168.225.132) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* skipping SSL peer certificate verification
* SSL connection using TLS_DHE_RSA_WITH_AES_256_CBC_SHA
* Server certificate:
* subject: [email protected],CN=*.reg32.jd.com,OU=jd,O=jd,ST=bj,C=CN
* start date: 7月 01 11:31:46 2016 GMT
* expire date: 7月 01 11:31:46 2017 GMT
* common name: *.reg32.jd.com
* issuer: [email protected],CN=*.reg32.jd.com,OU=jd,O=jd,L=bj,ST=bj,C=CN
* Server auth using Basic with user 'admin'
> GET /v2/ HTTP/1.1
> Authorization: Basic YWRtaW46YWRtaW4=
> User-Agent: curl/7.29.0
> Host: zq.reg32.jd.com
> Accept: */*

< HTTP/1.1 200 OK
HTTP/1.1 200 OK
< Server: nginx/1.9.4
Server: nginx/1.9.4
< Date: Tue, 05 Jul 2016 10:05:16 GMT
Date: Tue, 05 Jul 2016 10:05:16 GMT
< Content-Type: application/json; charset=utf-8
Content-Type: application/json; charset=utf-8
< Content-Length: 2
Content-Length: 2
< Connection: keep-alive
Connection: keep-alive
< Docker-Distribution-Api-Version: registry/2.0
Docker-Distribution-Api-Version: registry/2.0
< X-Content-Type-Options: nosniff
X-Content-Type-Options: nosniff



* Connection #0 to host zq.reg32.jd.com left intact
{}


=============================================================================

root@VM-201-98-ubuntu:~# docker login
Entering the user name and password used when the certificate was requested did not succeed; docker printed the following:


2014/12/01 23:47:17 Error response from daemon: Invalid registry endpoint https://registry.example.com/v1/: Get https://registry.example.com/v1/_ping: x509: certificate signed by unknown authority. If this private registry supports only HTTP or HTTPS with an unknown CA certificate, please add `--insecure-registry registry.example.com` to the daemon's arguments. In the case of HTTPS, if you have access to the registry's CA certificate, no need for the flag; simply place the CA certificate at /etc/docker/certs.d/registry.example.com/ca.crt
What is going on? docker does verify the registry's certificate, and a certificate from a private CA is "signed by unknown authority" until that CA is trusted on the client side. The message itself lists the two ways out: --insecure-registry (no verification at all), or placing the CA certificate where the daemon looks for it. So the CA certificate generated earlier (docker-registry.crt in this setup) has to be copied to every machine that pulls from or pushes to the registry and added to that machine's trust store, here the boot2docker bundle /etc/ssl/certs/ca-certificates.crt (in our case the test machine and the registry are the same host). The per-registry location /etc/docker/certs.d/registry.example.com/ca.crt is the cleaner choice, but the system bundle works too, because the daemon falls back to the system roots:


root@VM-201-98-ubuntu:~# cat /etc/ssl/certs/docker-registry.crt | sudo tee -a /etc/ssl/certs/ca-certificates.crt
Restart docker so the daemon re-reads the trust store, run docker login again, and the problem is gone. Appending to ca-certificates.crt directly is fragile, though: update-ca-certificates regenerates that bundle from /usr/local/share/ca-certificates/, so the appended entry vanishes on its next run. Dropping the file (with a .crt extension) into /usr/local/share/ca-certificates/ and running update-ca-certificates survives that.

********************************************************************

Adding the certificate
  On CentOS 6/7 the steps are:

Install the ca-certificates package
$ yum install ca-certificates
Enable the dynamic CA configuration (needed on CentOS 6; CentOS 7 has it enabled already)
$ update-ca-trust force-enable
Copy the CA certificate (the certificate, not the key) to /etc/pki/ca-trust/source/anchors/
$ cp devdockerCA.crt /etc/pki/ca-trust/source/anchors/
Rebuild the trust store so the new certificate takes effect
$ update-ca-trust extract
Restart docker afterwards so the daemon uses the new trust store
$ service docker restart
Docker pull/push image test
Build the image to push to the registry
