Docker registry_v2 setup and troubleshooting notes: nginx + registry built from source, unlike the Docker-style setup methods found online, so that the registry is easier to tune later
1. First edit the parameters in /etc/ssl/openssl.cnf. This must be done before the certificates are generated, otherwise it has no effect.
[ CA_default ]
dir = /etc/ssl/demoCA # Where everything is kept
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/index.txt # database index file.
#unique_subject = no # Set to 'no' to allow creation of
# several certificates with same subject.
new_certs_dir = $dir/newcerts # default place for new certs.
certificate = $dir/certs/cacert.pem # The CA certificate
serial = $dir/serial # The current serial number
crlnumber = $dir/crlnumber # the current crl number
# must be commented out to leave a V1 CRL
crl = $dir/crl.pem # The current CRL
private_key = $dir/private/cakey.pem # The private key
RANDFILE = $dir/private/.rand # private random number file
[ v3_req ]
# Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
# This is important; without it you will later get: registry endpoint ... x509: cannot validate certificate for ... because it doesn't contain any IP SANs
subjectAltName=IP:192.168.172.150
2. Create the certificates
On Ubuntu the certificate configuration files live under /etc/ssl
cd /etc/ssl
mkdir demoCA demoCA/certs demoCA/crl demoCA/newcerts demoCA/private
touch /etc/ssl/demoCA/index.txt
echo 01 > /etc/ssl/demoCA/serial
cd /etc/ssl/demoCA
openssl req -newkey rsa:4096 -nodes -sha256 -keyout cakey.pem -x509 -days 365 -out cacert.pem
mv cacert.pem certs/ && mv cakey.pem private/
Note: set the domain here to your own domain; mine, for example, is *.192.168.172.150.xip.io
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:beijing
Organization Name (eg, company) [Default Company Ltd]:self
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:*.192.168.172.150.xip.io
Email Address []:[email protected]
OK, at this point the root certificate and related files are ready
1. Choose the version to install; preferably a recent one, otherwise the add_header feature cannot be used
cd ~
wget http://nginx.org/download/nginx-1.9.4.tar.gz
tar zxvf nginx-1.9.4.tar.gz
cd ./nginx-1.9.4 && \
./configure --user=www --group=www --prefix=/opt/nginx --with-pcre --with-http_stub_status_module --with-http_ssl_module --with-http_addition_module --with-http_realip_module --with-http_flv_module --with-openssl=/root/openssl-1.0.2h --with-zlib=/root/zlib-1.2.8 --with-pcre=/root/pcre-8.39
make && make install
2. Generate nginx's SSL certificate and add it to openssl's own certificate database
mkdir -p /etc/nginx/ssl
cd /etc/nginx/ssl
openssl genrsa -out nginx.key 4096
openssl req -new -key nginx.key -out nginx.csr
# The values entered in the step above must match those of the root CA, especially the domain field
openssl ca -in nginx.csr -out nginx.crt
If the CA configuration was not set up beforehand, errors such as demoCA failing to open will appear here, so take care.
3. Generate the htpasswd file; both the username and the password are admin
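Before wiring nginx.crt into nginx, it pays to confirm that it actually chains to cacert.pem and carries the subjectAltName set in openssl.cnf above: openssl ca only applies the extensions named by x509_extensions in [ CA_default ], so a missing SAN otherwise surfaces only later as the Docker client's x509 "IP SANs" error. The script below is an added check, not part of the original notes; it assumes the paths used in these steps, an expected SAN of IP:192.168.172.150 and the openssl CLI on PATH, and the same cert_chains_to_ca test applies to the CA bundle used in the docker login and CentOS ca-trust sections further down.

```shell
#!/bin/sh
# check_cert.sh (added example): verify the nginx server certificate before
# pointing nginx and the Docker daemon at it. Paths default to the layout
# used in these notes; override them through the environment if yours differ.
CA_CERT=${CA_CERT:-/etc/ssl/demoCA/certs/cacert.pem}
SERVER_CERT=${SERVER_CERT:-/etc/nginx/ssl/nginx.crt}
# Written the way openssl prints SAN entries: "IP Address:1.2.3.4" or "DNS:host"
EXPECTED_SAN=${EXPECTED_SAN:-IP Address:192.168.172.150}

# cert_chains_to_ca CERT CA -> 0 when CERT was issued by CA (the same check the
# Docker daemon performs with --tlscacert or certs.d/<host>/ca.crt)
cert_chains_to_ca() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# cert_has_san CERT ENTRY -> 0 when the Subject Alternative Name extension
# lists ENTRY (fixed-string match on the line that follows the SAN header)
cert_has_san() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | grep -A1 'Subject Alternative Name' \
        | grep -qF -- "$2"
}

# check_server_cert CERT CA ENTRY -> 0 only when both checks pass
check_server_cert() {
    if ! cert_chains_to_ca "$1" "$2"; then
        echo "FAIL: $1 does not verify against $2" >&2
        return 1
    fi
    if ! cert_has_san "$1" "$3"; then
        echo "FAIL: $1 has no SAN entry '$3' (expect x509 'IP SANs' errors)" >&2
        return 2
    fi
    echo "OK: $1 chains to $2 and lists SAN '$3'"
}

# Run the check only when both files are present, so the functions can also
# be sourced from elsewhere without side effects.
if [ -r "$SERVER_CERT" ] && [ -r "$CA_CERT" ]; then
    check_server_cert "$SERVER_CERT" "$CA_CERT" "$EXPECTED_SAN"
fi
```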
htpasswd -cb /opt/nginx/conf/.htpasswd admin admin
4. Edit the nginx configuration
user www www;
worker_processes auto;
error_log /var/log/nginx_error.log error;
#error_log logs/error.log notice;
#error_log logs/error.log info;
#pid logs/nginx.pid;
worker_rlimit_nofile 51200;
events {
use epoll;
worker_connections 51200;
multi_accept on;
}
http {
include mime.types;
default_type application/octet-stream;
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx_access.log main;
server_names_hash_bucket_size 128;
client_header_buffer_size 32k;
large_client_header_buffers 4 32k;
sendfile on;
tcp_nopush on;
tcp_nodelay on;
#keepalive_timeout 0;
keepalive_timeout 65;
#gzip on;
upstream registry {
server 192.168.172.150:5000;
}
server {
listen 443;
server_name 192.168.172.150;
ssl on;
ssl_certificate /etc/nginx/ssl/nginx.crt;
ssl_certificate_key /etc/nginx/ssl/nginx.key;
client_max_body_size 0;
chunked_transfer_encoding on;
location /v2/ {
auth_basic "Registry realm";
auth_basic_user_file /opt/nginx/conf/.htpasswd;
add_header 'Docker-Distribution-Api-Version' 'registry/2.0' always;
proxy_pass http://registry;
proxy_set_header Host \$http_host; # required for docker client's sake
proxy_set_header X-Real-IP \$remote_addr; # pass on real client's IP
proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_read_timeout 900;
}
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root html;
}
}
}
proxy_set_header Host \$http_host; # required for docker client's sake
proxy_set_header X-Real-IP \$remote_addr; # pass on real client's IP
proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
change it to
proxy_set_header Host $http_host; # required for docker client's sake
proxy_set_header X-Real-IP $remote_addr; # pass on real client's IP
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
and it works.
Otherwise the path may come out as https://localhost/v2\ and fail because of the extra backslash, with 400 Bad Request: malformed Host header
curl -i -k -v https://admin:admin@api.192.168.172.150.xip.io/v2/
400 Bad Request: malformed Host header
========================================================================================================================
Key details to watch
The trailing / issue with proxy_pass forwarding in nginx
When configuring proxy_pass in nginx for a ^~ prefix-matched location, pay attention to the trailing / of the URL after proxy_pass. With the /, it acts as an absolute root path and nginx does not forward the part of the path matched by the location; without the /, the matched part of the path is forwarded as well.
location ^~ /static_js/
{
proxy_cache js_cache;
proxy_set_header Host js.test.com;
proxy_pass http://js.test.com/;
}
With the configuration above, if the requested URL is http://servername/static_js/test.html
it is proxied as http://js.test.com/test.html
Whereas with this configuration
location ^~ /static_js/
{
proxy_cache js_cache;
proxy_set_header Host js.test.com;
proxy_pass http://js.test.com;
}
it is proxied to http://js.test.com/static_js/test.html
Of course, the following rewrite can also be used to achieve the effect of the /
location ^~ /static_js/
{
proxy_cache js_cache;
proxy_set_header Host js.test.com;
rewrite /static_js/(.+)$ /$1 break;
proxy_pass http://js.test.com;
}
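To make the replacement rule concrete, here is an added shell function (not from the original notes) that computes the URI nginx hands upstream for a prefix location from the form of proxy_pass and an optional rewrite, and runs it over the three static_js configurations above plus the /v2/ registry location used in this setup; it models only the URI, not the host.

```shell
#!/bin/sh
# upstream_uri (added example): the URI nginx sends to the upstream for a
# prefix location, following the rule explained above.
#
#   upstream_uri LOCATION PROXY_PASS REQUEST_URI [REWRITE_REGEX REWRITE_REPL]
upstream_uri() {
    loc=$1 pp=$2 req=$3 rx=${4:-} repl=${5:-}

    if [ -n "$rx" ]; then
        # rewrite ... break: nginx's $1 capture is sed's \1. When the rewrite
        # matches, the full rewritten URI is passed and any URI part of
        # proxy_pass is ignored.
        sed_repl=$(printf '%s' "$repl" | sed 's/\$\([0-9]\)/\\\1/g')
        new=$(printf '%s\n' "$req" | sed -E "s#$rx#$sed_repl#")
        if [ "$new" != "$req" ]; then
            printf '%s\n' "$new"
            return 0
        fi
    fi

    # Split "scheme://host/uri": the first slash after the host starts the
    # URI part; no such slash means proxy_pass has no URI part at all.
    hostpath=${pp#*://}
    case $hostpath in
        */*) uri=/${hostpath#*/} ;;
        *)   uri= ;;
    esac

    if [ -z "$uri" ]; then
        # proxy_pass without a URI: the request URI is passed unchanged
        printf '%s\n' "$req"
    else
        # proxy_pass with a URI: the matched location prefix is replaced by it
        case $req in
            "$loc"*) printf '%s\n' "$uri${req#"$loc"}" ;;
            *)       printf '%s\n' "$req" ;;
        esac
    fi
}

# The configurations discussed above, plus the registry location
upstream_uri /static_js/ http://js.test.com/ /static_js/test.html                          # /test.html
upstream_uri /static_js/ http://js.test.com  /static_js/test.html                          # /static_js/test.html
upstream_uri /static_js/ http://js.test.com  /static_js/test.html '/static_js/(.+)$' '/$1' # /test.html
upstream_uri /v2/ http://registry/ /v2/_catalog   # /_catalog  (trailing slash strips /v2)
upstream_uri /v2/ http://registry  /v2/_catalog   # /v2/_catalog
```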
=============================================================================================
5. Validate the configuration and start nginx
/opt/nginx/sbin/nginx -t    # check that nginx.conf is valid
/opt/nginx/sbin/nginx -c /opt/nginx/conf/nginx.conf
1. Check out the source:
git clone https://github.com/docker/distribution
cd distribution
git checkout v2.1.1
godep restore ./...
2. Install the registry; to keep it simple, just set GOPATH again and build it
go get github.com/docker/distribution
3. Configure the registry: config-example.yml
version: 0.1
log:
  fields:
    service: registry
storage:
  cache:
    layerinfo: inmemory
  filesystem:
    rootdirectory: /home/jojo/registry
http:
  addr: :5000
  secret: admin
#  tls:
#    certificate: /etc/ssl/demoCA/certs/cacert.pem
#    key: /etc/ssl/demoCA/private/cakey.pem
#proxy:
#  remoteurl: https://api.192.168.172.150.xip.io
#  username: admin
#  password: admin
Note the parts I commented out: since there is already a proxy layer in front, there is no need to configure TLS here; otherwise the backend reports tls: first record does not look like a TLS handshake
4. Configure docker by adding one line
vi /etc/default/docker
DOCKER_OPTS="--insecure-registry api.192.168.172.150.xip.io --tlsverify --tlscacert /etc/ssl/demoCA/certs/cacert.pem"
5. Start docker and the registry
service docker start
registry serve /home/jojo/register/config-example.yml
1. Verify connectivity:
curl -i -k -v https://admin:admin@api.192.168.172.150.xip.io/v2/
* Hostname was NOT found in DNS cache
* Trying 192.168.172.150...
* Connected to api.192.168.172.150.xip.io (192.168.172.150) port 443 (#0)
* successfully set certificate verify locations:
* CAfile: none
CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server key exchange (12):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using ECDHE-RSA-AES256-GCM-SHA384
* Server certificate:
* subject: C=CN; ST=beijing; O=self; OU=self; CN=*.192.168.172.150.xip.io; [email protected]
* start date: 2015-09-18 13:54:11 GMT
* expire date: 2016-09-17 13:54:11 GMT
* issuer: C=CN; ST=beijing; L=beijing; O=self; OU=self; CN=*.192.168.172.150.xip.io; [email protected]
* SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
* Server auth using Basic with user 'admin'
> GET /v2/ HTTP/1.1
> Authorization: Basic YWRtaW46YWRtaW4=
> User-Agent: curl/7.35.0
> Host: api.192.168.172.150.xip.io
> Accept: */*
>
< HTTP/1.1 200 OK
HTTP/1.1 200 OK
* Server nginx/1.9.4 is not blacklisted
< Server: nginx/1.9.4
Server: nginx/1.9.4
< Date: Fri, 18 Sep 2015 17:02:00 GMT
Date: Fri, 18 Sep 2015 17:02:00 GMT
< Content-Type: application/json; charset=utf-8
Content-Type: application/json; charset=utf-8
< Content-Length: 2
Content-Length: 2
< Connection: keep-alive
Connection: keep-alive
< Docker-Distribution-Api-Version: registry/2.0
Docker-Distribution-Api-Version: registry/2.0
< Docker-Distribution-Api-Version: registry/2.0
Docker-Distribution-Api-Version: registry/2.0
2. Verify docker login
docker login -u admin -p admin -e jackyuan@126 https://api.192.168.172.150.xip.io/v2/
WARNING: login credentials saved in /root/.docker/config.json
Login Succeeded
3. Push an image to the private registry
docker tag 91e54dfb1179 api.192.168.172.150.xip.io/ubuntu:trusty
docker push api.192.168.172.150.xip.io/ubuntu:trusty
The push refers to a repository [api.192.168.172.150.xip.io/ubuntu] (len: 1)
91e54dfb1179: Image already exists
d74508fb6632: Image successfully pushed
c22013c84729: Image successfully pushed
d3a1f33e8a5a: Image successfully pushed
Digest: sha256:a731c12a4d21af384c4659666f177cd1e871646b95b9440d709ec4ee176145b2
4. Check that the upload succeeded
curl -i -k -v https://admin:admin@api.192.168.172.150.xip.io/v2/_catalog
{"repositories":["ubuntu"]}
cd /home/jojo/registry/docker/registry/v2 && ls
blobs repositories
I will not look further inside here; once you dig deeper into the registry you can go on to examine its data structures.
What matters is checking the registry log and the nginx log, the logs from all three sides.
====================================================
registry log
INFO[5489] response completed go.version=go1.6.2 http.request.host=registry http.request.id=bafd9501-08e5-418b-9bba-ddadbefc819a http.request.method=GET http.request.remoteaddr=192.168.225.132:53216 http.request.uri=// http.request.useragent=curl/7.29.0 http.response.duration=105.962µs http.response.status=301 http.response.written=0 instance.id=f604880f-a37b-4ebe-9652-d6326c09366d version=v2.4.1+unknown
192.168.225.132 - - [05/Jul/2016:17:10:47 +0800] "GET // HTTP/1.0" 301 0 "" "curl/7.29.0"
At that time proxy_pass was http://registry/; with a trailing slash; see the section above on the trailing / issue with proxy_pass forwarding in nginx
INFO[5574] response completed go.version=go1.6.2 http.request.host=registry http.request.id=b2a20ff4-bc84-4529-9c5a-a0472f76c992 http.request.method=GET http.request.remoteaddr=192.168.225.132:53222 http.request.uri=/v2/_catalog http.request.useragent=curl/7.29.0 http.response.contenttype=application/json; charset=utf-8 http.response.duration=1.370983ms http.response.status=200 http.response.written=20 instance.id=f604880f-a37b-4ebe-9652-d6326c09366d version=v2.4.1+unknown
192.168.225.132 - - [05/Jul/2016:17:12:12 +0800] "GET /v2/_catalog HTTP/1.0" 200 20 "" "curl/7.29.0"
INFO[5658] response completed go.version=go1.6.2 http.request.host=registry http.request.id=9e744f42-c563-48d4-87b7-29ed31deb8e5 http.request.method=GET http.request.remoteaddr=192.168.225.132:53230 http.request.uri=/v2/_catalog http.request.useragent=curl/7.29.0 http.response.contenttype=application/json; charset=utf-8 http.response.duration=1.093502ms http.response.status=200 http.response.written=20 instance.id=f604880f-a37b-4ebe-9652-d6326c09366d version=v2.4.1+unknown
192.168.225.132 - - [05/Jul/2016:17:13:37 +0800] "GET /v2/_catalog HTTP/1.0" 200 20 "" "curl/7.29.0"
INFO[5674] response completed go.version=go1.6.2 http.request.host=registry http.request.id=6d7b3e74-a066-4b3d-a414-463d4d6b7bd7 http.request.method=GET http.request.remoteaddr=192.168.225.132:53232 http.request.uri=/v2/_catalog/ http.request.useragent=curl/7.29.0 http.response.duration=108.687µs http.response.status=301 http.response.written=47 instance.id=f604880f-a37b-4ebe-9652-d6326c09366d version=v2.4.1+unknown
192.168.225.132 - - [05/Jul/2016:17:13:53 +0800] "GET /v2/_catalog/ HTTP/1.0" 301 47 "" "curl/7.29.0"
INFO[5738] response completed go.version=go1.6.2 http.request.host=registry http.request.id=4bc3c40f-be43-4a7b-b014-372456fa6123 http.request.method=GET http.request.remoteaddr=192.168.225.132:53237 http.request.uri=/v2/_catalog http.request.useragent=curl/7.29.0 http.response.contenttype=application/json; charset=utf-8 http.response.duration=1.176057ms http.response.status=200 http.response.written=20 instance.id=f604880f-a37b-4ebe-9652-d6326c09366d version=v2.4.1+unknown
192.168.225.132 - - [05/Jul/2016:17:14:56 +0800] "GET /v2/_catalog HTTP/1.0" 200 20 "" "curl/7.29.0"
nginx log
192.168.225.132 - admin [05/Jul/2016:17:04:21 +0800] "GET /v2/_catalog HTTP/1.1" 200 0 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0"
192.168.225.132 - admin [05/Jul/2016:17:04:50 +0800] "GET /v2/_catalog/v2/ HTTP/1.1" 301 0 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0"
192.168.225.132 - admin [05/Jul/2016:17:04:50 +0800] "GET /v2/ HTTP/1.1" 400 49 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0"
192.168.225.132 - admin [05/Jul/2016:17:05:02 +0800] "GET /v2/ HTTP/1.1" 400 49 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0"
192.168.225.132 - admin [05/Jul/2016:17:05:13 +0800] "GET /v2/ HTTP/1.1" 400 49 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0"
192.168.225.132 - admin [05/Jul/2016:17:05:25 +0800] "GET /v2/ HTTP/1.1" 400 49 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0"
192.168.225.132 - admin [05/Jul/2016:17:05:30 +0800] "GET /v2/_catalog/ HTTP/1.1" 301 0 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0"
192.168.225.132 - - [05/Jul/2016:17:05:30 +0800] "GET / HTTP/1.1" 304 0 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0"
192.168.225.132 - - [05/Jul/2016:17:06:04 +0800] "GET / HTTP/1.1" 304 0 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0"
192.168.225.132 - - [05/Jul/2016:17:06:05 +0800] "GET / HTTP/1.1" 304 0 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0"
192.168.225.132 - - [05/Jul/2016:17:06:06 +0800] "GET / HTTP/1.1" 304 0 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0"
192.168.225.132 - admin [05/Jul/2016:17:06:14 +0800] "GET /v2/_catalog/v2 HTTP/1.1" 301 0 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0"
192.168.225.132 - admin [05/Jul/2016:17:06:14 +0800] "GET /v2/ HTTP/1.1" 400 49 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0"
192.168.225.132 - admin [05/Jul/2016:17:06:23 +0800] "GET /v2/ HTTP/1.1" 400 49 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0"
192.168.225.132 - admin [05/Jul/2016:17:06:26 +0800] "GET /v2/ HTTP/1.1" 400 49 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0"
192.168.225.132 - admin [05/Jul/2016:17:06:27 +0800] "GET /v2/ HTTP/1.1" 400 49 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0"
192.168.225.132 - admin [05/Jul/2016:17:10:15 +0800] "GET /v2/ HTTP/1.1" 400 49 "-" "curl/7.29.0"
192.168.225.132 - admin [05/Jul/2016:17:10:26 +0800] "GET /v2/_category HTTP/1.1" 400 49 "-" "curl/7.29.0"
192.168.225.132 - admin [05/Jul/2016:17:10:33 +0800] "GET /v2/_category/ HTTP/1.1" 400 49 "-" "curl/7.29.0"
192.168.225.132 - admin [05/Jul/2016:17:10:47 +0800] "GET /v2/_catalog/ HTTP/1.1" 301 0 "-" "curl/7.29.0"
192.168.225.132 - admin [05/Jul/2016:17:11:02 +0800] "GET /v2/ HTTP/1.1" 400 49 "-" "curl/7.29.0"
192.168.225.132 - admin [05/Jul/2016:17:11:51 +0800] "GET /v2/ HTTP/1.1" 400 49 "-" "curl/7.29.0"
192.168.225.132 - admin [05/Jul/2016:17:12:12 +0800] "GET /v2/_catalog HTTP/1.1" 200 20 "-" "curl/7.29.0"
192.168.225.132 - admin [05/Jul/2016:17:12:36 +0800] "GET /v2 HTTP/1.1" 301 184 "-" "curl/7.29.0"
192.168.225.132 - admin [05/Jul/2016:17:12:52 +0800] "GET /v2/ HTTP/1.1" 400 49 "-" "curl/7.29.0"
192.168.225.132 - - [05/Jul/2016:17:13:19 +0800] "GET /v2/ HTTP/1.1" 401 194 "-" "curl/7.29.0"
192.168.225.132 - - [05/Jul/2016:17:13:37 +0800] "GET /v2/_catalog HTTP/1.1" 200 20 "-" "curl/7.29.0"
192.168.225.132 - - [05/Jul/2016:17:13:53 +0800] "GET /v2/_catalog/ HTTP/1.1" 301 47 "-" "curl/7.29.0"
192.168.225.132 - - [05/Jul/2016:17:14:01 +0800] "GET /v2/ HTTP/1.1" 401 194 "-" "curl/7.29.0"
192.168.225.132 - admin [05/Jul/2016:17:14:14 +0800] "GET /v2/ HTTP/1.1" 400 49 "-" "curl/7.29.0"
192.168.225.132 - admin [05/Jul/2016:17:14:56 +0800] "GET /v2/_catalog HTTP/1.1" 200 20 "-" "curl/7.29.0"
192.168.225.132 - admin [05/Jul/2016:17:15:03 +0800] "GET /v2/search HTTP/1.1" 400 49 "-" "curl/7.29.0"
192.168.225.132 - - [05/Jul/2016:17:16:57 +0800] "GET /v2/_catalog HTTP/1.1" 401 194 "-" "curl/7.29.0"
192.168.225.132 - admin [05/Jul/2016:17:17:08 +0800] "GET /v2/_catalog HTTP/1.1" 200 20 "-" "curl/7.29.0"
192.168.225.132 - admin [05/Jul/2016:17:17:27 +0800] "GET /v2/_catalog HTTP/1.1" 200 20 "-" "curl/7.29.0"
192.168.225.132 - admin [05/Jul/2016:17:17:31 +0800] "GET /v2/ HTTP/1.1" 400 49 "-" "curl/7.29.0"
192.168.225.132 - admin [05/Jul/2016:17:18:18 +0800] "GET /v2/ HTTP/1.1" 400 49 "-" "curl/7.29.0"
192.168.225.132 - admin [05/Jul/2016:17:18:22 +0800] "GET /v2 HTTP/1.1" 301 184 "-" "curl/7.29.0"
192.168.225.132 - admin [05/Jul/2016:17:18:28 +0800] "GET /v2/ HTTP/1.1" 400 49 "-" "curl/7.29.0"
192.168.225.132 - admin [05/Jul/2016:17:21:50 +0800] "GET /v2/ HTTP/1.1" 200 2 "-" "curl/7.29.0"
===========================================================================================
The result once everything finally worked end to end
[root@centos-master conf]# curl -i -k -v https://admin:admin@zq.reg32.jd.com/v2/
* About to connect() to zq.reg32.jd.com port 443 (#0)
* Trying 192.168.225.132...
* Connected to zq.reg32.jd.com (192.168.225.132) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* skipping SSL peer certificate verification
* SSL connection using TLS_DHE_RSA_WITH_AES_256_CBC_SHA
* Server certificate:
* subject: [email protected],CN=*.reg32.jd.com,OU=jd,O=jd,ST=bj,C=CN
* start date: 7月 01 11:31:46 2016 GMT
* expire date: 7月 01 11:31:46 2017 GMT
* common name: *.reg32.jd.com
* issuer: [email protected],CN=*.reg32.jd.com,OU=jd,O=jd,L=bj,ST=bj,C=CN
* Server auth using Basic with user 'admin'
> GET /v2/ HTTP/1.1
> Authorization: Basic YWRtaW46YWRtaW4=
> User-Agent: curl/7.29.0
> Host: zq.reg32.jd.com
> Accept: */*
>
< HTTP/1.1 200 OK
HTTP/1.1 200 OK
< Server: nginx/1.9.4
Server: nginx/1.9.4
< Date: Tue, 05 Jul 2016 10:05:16 GMT
Date: Tue, 05 Jul 2016 10:05:16 GMT
< Content-Type: application/json; charset=utf-8
Content-Type: application/json; charset=utf-8
< Content-Length: 2
Content-Length: 2
< Connection: keep-alive
Connection: keep-alive
< Docker-Distribution-Api-Version: registry/2.0
Docker-Distribution-Api-Version: registry/2.0
< X-Content-Type-Options: nosniff
X-Content-Type-Options: nosniff
<
* Connection #0 to host zq.reg32.jd.com left intact
{}
=============================================================================
root@VM-201-98-ubuntu:~# docker login
Enter the username and password that were filled in when requesting the certificate; it turns out the login does not succeed, and the following message appears:
2014/12/01 23:47:17 Error response from daemon: Invalid registry endpoint https://registry.example.com/v1/: Get https://registry.example.com/v1/_ping: x509: certificate signed by unknown authority. If this private registry supports only HTTP or HTTPS with an unknown CA certificate, please add `--insecure-registry registry.example.com` to the daemon's arguments. In the case of HTTPS, if you have access to the registry's CA certificate, no need for the flag; simply place the CA certificate at /etc/docker/certs.d/registry.example.com/ca.crt
So what is going on here? It turns out that the official docker cannot yet use self-issued certificates. How to solve it? There is always a way: we need docker's side to trust the server's root certificate itself. Remember the docker-registry.crt file generated earlier when requesting the self-signed certificate? Download that file to the machine that will pull images from or push images to the registry server and append it to boot2docker's certificate bundle (/etc/ssl/certs/ca-certificates.crt); then logging in to the Docker Registry with the docker command passes verification (here, our test machine and the Docker Registry are the same machine).
root@VM-201-98-ubuntu:~# cat /etc/ssl/certs/docker-registry.crt | sudo tee -a /etc/ssl/certs/ca-certificates.crt
Run docker login again, and the problem is solved.
********************************************************************
Adding the certificate
The concrete steps to add the certificate on CentOS 6/7 are as follows
Install the ca-certificates package
$ yum install ca-certificates
Enable the dynamic CA configuration feature
$ update-ca-trust force-enable
Copy the CA certificate to /etc/pki/ca-trust/source/anchors/
$ cp devdockerCA.crt /etc/pki/ca-trust/source/anchors/
Make the newly copied certificate take effect
$ update-ca-trust extract
After copying the certificate, docker must be restarted so that it can use the new certificate
$ service docker restart
Docker pull/push image test
Build the image to be pushed to the registry