为dockerd提供SSL证书以用于自己的docker登录

时间:2018-08-24 08:09:05

标签: docker ssl gitlab-ci docker-registry docker-dind

如何在gitlab-ci管道中为dockerd提供自己的CA根证书和SSL客户端证书(cert +密钥)给dockerd?

我有虚拟机(CentOS 7),并安装了docker和gitlab-runner。跑步者注册为docker:dind。设置工作正常,但是我无法连接到具有来自我自己的CA的证书的自己的docker注册表,但是还使用了客户端SSL证书。当我将参数dockerd传递给--insecure-registry=gitlab.mazel.tov:4567时,它不会验证CA,但我仍然不知道如何提供客户端SSL证书,并且pipile会因该错误而失败。

$ docker login -u gitlab-ci-token -p $CI_JOB_TOKEN https://gitlab.mazel.tov:4567
WARNING! Using --password via the CLI is insecure. Use --password-stdin.
Error response from daemon: Get https://gitlab.mazel.tov:4567/v2/: error parsing HTTP 400 response body: invalid character '<' looking for beginning of value: "<html>\r\n<head><title>400 No required SSL certificate was sent</title></head>\r\n<body bgcolor=\"white\">\r\n<center><h1>400 Bad Request</h1></center>\r\n<center>No required SSL certificate was sent</center>\r\n<hr><center>nginx</center>\r\n</body>\r\n</html>\r\n"

我的证书在 docker:dind 容器中也有文件夹,但是这种方法不适用于dockerd吗?但在我的计算机或服务器上,它可以正常工作。

$ ls -la /etc/docker/certs.d/gitlab.mazel.tov\:4567/
    ca.crt
    client.cert
    client.key

我也探索了dockerd --help,但是关于证书的选项仅适用于docker套接字,而i SSL配置则适用于docker注册表。

/etc/gitlab-runner/config.toml 

[[runners]]
  name = "My Docker Runner"
  url = "https://gitlab.mazel.tov"
  token = "ac17ab5cfff675fddd059d40a3"
  tls-ca-file = "/etc/ssl/certs/myCA.pem"
  tls-cert-file = "/etc/gitlab-runner/certs/mazel.tov.pem"
  tls-key-file = "/etc/gitlab-runner/certs/mazel.tov.key"
  executor = "docker"
  [runners.docker]
    image = "docker:dind"
    privileged = true
    disable_cache = false
    volumes = ["/cache", "/etc/docker/certs.d:/etc/docker/certs.d"]
    shm_size = 0
  [runners.cache]

.gitlab-ci.yml 

services:
  - name: docker:dind
    command: ["--insecure-registry=gitlab.mazel.tov:4567"]

variables:
  DOCKER_DRIVER: overlay2
  DOCKER_HOST: tcp://docker:2375/

stages:
  - build

before_script:
  - ls -la /etc/docker/certs.d/gitlab.mazel.tov\:4567/
  - docker info
  - docker login -u gitlab-ci-token -p $CI_JOB_TOKEN https://gitlab.mazel.tov:4567

build-web:
  stage: build
  script:
    - docker build ...
    - docker push ...

我也不喜欢--insecure-registry选项。而且我的gitlab服务器在Nginx级别配置了客户端证书。

/etc/gitlab/gitlab.rb 

nginx['ssl_client_certificate'] = "/etc/gitlab/ssl/myCA.crt"
nginx['ssl_verify_client'] = "on"

证书在我的机器和其他服务器上都可以正常运行,我只是在使用gitlab-ci管道来实现它时遇到问题...

当我在Mac上测试docker:dind并安装证书时,它工作正常,因此问题仅出在gitlab-ci管道中?也许dockerd在mount文件夹出现之前就已加载? 

docker run -it --rm --privileged -v ~/.docker/certs.d/:/etc/docker/certs.d/ docker:dind sh
dockerd &
docker login https://gitlab.mazel.tov:4567
** it works **

1 个答案:

答案 0 :(得分:0)

在 [[runners]] 下试试这个配置

 environment = ["DOCKER_TLS_CERTDIR="]
相关问题
最新问题