Docker:私有注册表访问

时间:2016-07-06 11:15:32

标签: docker coreos docker-registry

我正在尝试将图像推送到我的docker私有存储库:

docker pull busybox
docker tag busybox living-registry.com:5000/busybox
docker push living-registry.com:5000/busybox

Docker告诉我:

  

推送指的是存储库[living-registry.com:5000/busybox]   获取https://living-registry.com:5000/v1/_ping:读取tcp 195.83.122.16:39714->195.83.122.16:5000:读取:通过对等方重置连接

这些命令正在CoreOS上执行。

在另一台机器上,我使用此命令启动了我的注册表:

docker run -d -p 5000:5000 --restart=always --name registry \
  -v /root/docker-registry/auth:/auth \
  -e "REGISTRY_AUTH=htpasswd" \
  -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" \
  -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd \
  -v /root/docker-registry/certs:/certs \
  -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/registry.crt \
  -e REGISTRY_HTTP_TLS_KEY=/certs/registry.key \
  -v /root/docker-registry/data:/var/lib/registry \
  registry:2

一切似乎都是对的:

# netstat -tupln | grep 5000
tcp6       0      0 :::5000       :::*      LISTEN      3160/docker-proxy

# docker ps
CONTAINER ID        IMAGE               COMMAND                  CREATED             STATUS                          PORTS                    NAMES
27e79f6a504c        registry:2          "/bin/registry serve "   About an hour ago   Restarting (2) 36 minutes ago   0.0.0.0:5000->5000/tcp   registry

所以,当我尝试登录时:

[root@jenkins certs]# docker login living-registry.com:5000
Username: xxxx
Password: xxxx
  

来自守护程序的错误响应:获取https://living-registry.com:5000/v1/users/:读取tcp 195.83.122.16:39756->195.83.122.16:5000:读取:通过对等方重置连接

有什么想法吗?

修改

我已在ca.crt/etc/ssl/certs中添加了证书(/etc/docker/certs.d/x.x.x.x:5000/)。

从这个CoreOS实例,我正在尝试执行:

$ docker login https://x.x.x.x:5000 Username: xxx Password: Email: xxx@mail.com 它告诉我:

  

来自守护程序的错误响应:无效的注册表端点https://x.x.x.x:5000/v0/:无法ping注册表端点https://x.x.x.x:5000/v0/   v2 ping尝试失败,错误:获取https://x.x.x.x:5000/v2/:EOF    v1 ping尝试失败,错误:获取https://x.x.x.x:5000/v1/_ping:EOF。如果此私有注册表仅支持具有未知CA证书的HTTP或HTTPS,请将--insecure-registry x.x.x.x:5000添加到守护程序的参数中。对于HTTPS,如果您可以访问注册表的CA证书,则不需要该标志;只需将CA证书放在/etc/docker/certs.d/x.x.x.x:5000/ca.crt

我还试图直接与openssl

建立联系 
openssl s_client -connect x.x.x.x:5000

输出结果为:

CONNECTED(00000003)
140180300502672:error:140790E5:SSL routines:ssl23_write:ssl handshake failure:s23_lib.c:177:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 308 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1467812448
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---

1 个答案:

答案 0 :(得分:0)

对于自签名证书,必须将crt复制到

  

/etc/docker/cert.d/hostname:port/ca.crt

cf:demo

我创建证书:

openssl req -x509 -nodes -days 3650d -newkey rsa:2048 -keyout /root/docker-registry/certs/registry.key -out /root/docker-registry/certs/registry.crt -days 3650d

cp /root/docker-registry/certs/registry.crt /etc/docker/cert.d/x.x.x.x:5000/ca.crt
相关问题
最新问题