我想在自修复的AWS ECS群集上运行私有的,安全的,已通过身份验证的码头注册表。群集设置完成并正常工作,但我挣扎着让registry:latest
运行。问题是,每次我推送图像时,推动blob失败,并进入重试周期,除非我得到超时。为什么要推送私人,安全的码头注册表失败?
为了确保我的ECS设置不是阻挡程序,我尝试使用Docker4Mac 1.12.0-a在本地设置所有设置。
首先,非常基本的设置工作。我创建了我自己的注册表映像版本,在那里我将TLS证书包和密钥以及必要的htpasswd
文件直接放到映像中。 [我知道,这是不安全的,我只是为了测试目的而做到这一点]。因此,这里是我的Dockerfile
:
FROM registry:latest
COPY htpasswd /etc/docker
COPY server_bundle.pem /etc/docker
COPY server_key.pem /etc/docker
server_bundle.pem
有通配符证书我的域mydomain.com
(CN = * mydomain.com。)作为第一位的,其次是中间CA证书,所以客户应该是快乐的。我htpasswd
文件是使用推荐的方法创建:
docker run --entrypoint htpasswd registry:2 -Bbn heyitsme mysupersecurepassword > htpasswd
我建我的形象:
docker build -t heyitsme/registry .
事后我运行一个非常基本的版本W/O TLS和身份验证:
docker run --restart=always -p 5000:5000 heyitsme/registry
和我实际上可以拉,标记和重新推图像:
docker pull alpine
docker tag alpine localhost:5000/alpine
docker push localhost:5000/alpine
This Works。接下来,我通过环境变量使TLS和基本的认证工作:
docker run -h registry.mydomain.com --name registry --restart=always -p 5000:5000 \
-e REGISTRY_HTTP_HOST=http://registry.mydomain.com:5000 \
-e REGISTRY_HTTP_TLS_CERTIFICATE=/etc/docker/server_bundle.pem \
-e REGISTRY_HTTP_TLS_KEY=/etc/docker/server_key.pem \
-e REGISTRY_AUTH=htpasswd \
-e REGISTRY_AUTH_HTPASSWD_REALM=Registry-Realm \
-e REGISTRY_AUTH_HTPASSWD_PATH=/etc/docker/htpasswd heyitsme/registry
暂时我创造/etc/hosts
它说的条目:
127.0.0.1 registry.mydomain.com
然后我登录:
docker login registry.mydomain.com:5000
Username: heyitsme
Password: ***********
Login Succeeded
所以现在让我们在这里标记并推送图像:
docker tag alpine registry.mydomain.com:5000/alpine
docker push registry.mydomain.com:5000/alpine
The push refers to a repository [registry.mydomain.com:5000/alpine]
4fe15f8d0ae6: Retrying in 4 seconds
会发生什么,码头客户端试图推送碎片并失败。然后它重试并再次失败,直到我超时。所以接下来的检查中,V2
API是否正常:
curl -i -XGET https://registry.mydomain.com:5000/v2/
HTTP/1.1 401 Unauthorized
Content-Type: application/json; charset=utf-8
Docker-Distribution-Api-Version: registry/2.0
Www-Authenticate: Basic realm="Registry-Realm"
X-Content-Type-Options: nosniff
Date: Thu, 15 Sep 2016 10:06:04 GMT
Content-Length: 87
{"errors":[{"code":"UNAUTHORIZED","message":"authentication required","detail":null}]}
好,符合市场预期。所以让我们下次验证:
curl -i -XGET https://heyitsme:[email protected]:5000/v2/
HTTP/1.1 200 OK
Content-Length: 2
Content-Type: application/json; charset=utf-8
Docker-Distribution-Api-Version: registry/2.0
X-Content-Type-Options: nosniff
Date: Thu, 15 Sep 2016 10:06:16 GMT
{}%
工程。但推动仍然失败。
日志说:
time="2016-09-15T10:24:34Z" level=warning msg="error authorizing context: basic authentication challenge for realm \"Registry-Realm\": invalid authorization credential" go.version=go1.6.3 http.request.host="registry.mydomain.com:5000" http.request.id=6d2ec080-6824-4bf7-aac2-5af31db44877 http.request.method=GET http.request.remoteaddr="172.17.0.1:40878" http.request.uri="/v2/" http.request.useragent="docker/1.12.0 go/go1.6.3 git-commit/8eab29e kernel/4.4.15-moby os/linux arch/amd64 UpstreamClient(Docker-Client/1.12.0 \\(darwin\\))" instance.id=be3a8877-de64-4574-b47a-70ab036e7b79 version=v2.5.1
172.17.0.1 - - [15/Sep/2016:10:24:34 +0000] "GET /v2/ HTTP/1.1" 401 87 "" "docker/1.12.0 go/go1.6.3 git-commit/8eab29e kernel/4.4.15-moby os/linux arch/amd64 UpstreamClient(Docker-Client/1.12.0 \\(darwin\\))"
time="2016-09-15T10:24:34Z" level=info msg="response completed" go.version=go1.6.3 http.request.host="registry.mydomain.com:5000" http.request.id=8f81b455-d592-431d-b67d-0bc34155ddbf http.request.method=POST http.request.remoteaddr="172.17.0.1:40882" http.request.uri="/v2/alpine/blobs/uploads/" http.request.useragent="docker/1.12.0 go/go1.6.3 git-commit/8eab29e kernel/4.4.15-moby os/linux arch/amd64 UpstreamClient(Docker-Client/1.12.0 \\(darwin\\))" http.response.duration=30.515131ms http.response.status=202 http.response.written=0 instance.id=be3a8877-de64-4574-b47a-70ab036e7b79 version=v2.5.1
172.17.0.1 - - [15/Sep/2016:10:24:34 +0000] "POST /v2/alpine/blobs/uploads/ HTTP/1.1" 202 0 "" "docker/1.12.0 go/go1.6.3 git-commit/8eab29e kernel/4.4.15-moby os/linux arch/amd64 UpstreamClient(Docker-Client/1.12.0 \\(darwin\\))"
2016/09/15 10:24:34 http: TLS handshake error from 172.17.0.1:40886: tls: first record does not look like a TLS handshake
我还测试了不同版本的原始registry
形象,尤其是几个版本以上2
。所有产生相同的错误。如果有人能够帮助我解决这个问题,那就太棒了。