2016-09-22 124 views
3

In short: I cannot log in to my docker-registry (hosted on an Ubuntu VM (14.04 LTS) in a server center) from outside (my local machine is running MAC) using the my.domain.ch name. Docker-registry v2 with TLS and basic auth behind nginx: authentication error.

Logging in to the registry from the Ubuntu machine (VM-2) with 'docker login http://localhost:5000' works.

Here is my setup:

VM-1: nginx/1.10.1 on Ubuntu 14.04 as reverse proxy (no docker installed here):

upstream registry {
    server vm-2:5000 fail_timeout=5s;
}

server {
    listen 80;
    server_name my.domain.ch; # server_name ;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name my.domain.ch; # server_name ;

    charset utf-8;
    keepalive_timeout 5;
    add_header Docker-Distribution-Api-Version registry/2.0 always;
    ssl_certificate      /etc/nginx/ssl/cert.pem;
    ssl_certificate_key  /etc/nginx/ssl/key.pem;

    ssl_ecdh_curve   secp521r1;

    ssl_protocols   TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers  on;
    ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:EC$

    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header Host $http_host;
    proxy_set_header X-Original-URI $request_uri;
    proxy_set_header Docker-Distribution-Api-Version registry/2.0;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_read_timeout 900;

    location / {
        auth_basic "Restricted";
        auth_basic_user_file /etc/nginx/htpasswd;
        proxy_pass https://registry;
    }
}

VM-2: docker-registry as the registry host.

Docker version 1.12.1, build 23cf638

docker-compose version 1.7.0, build 0d7bf73

docker-registry version 2.5.1

These are the directories/files:

  • /opt/docker-registry/auth (htaccess)
  • /opt/docker-registry/certs (key and cert)
  • /opt/docker-registry/data (empty)
  • /opt/docker-registry/docker-compose.yml

The docker-compose.yml looks like this:

registry:
    restart: always
    image: registry:2
    ports:
        - "5000:5000"   # quoted so YAML does not parse 5000:5000 as a sexagesimal number
    environment:
        REGISTRY_HTTP_TLS_CERTIFICATE: /certs/cert.pem
        REGISTRY_HTTP_TLS_KEY: /certs/key.pem
        REGISTRY_AUTH: "htpasswd"
        REGISTRY_AUTH_HTPASSWD_REALM: basic-realm
        REGISTRY_AUTH_HTPASSWD_PATH: /auth/htpasswd
        REGISTRY_LOG_LEVEL: "debug"
    volumes:
        - /opt/docker_registry/data:/var/lib/registry
        - /opt/docker_registry/certs:/certs
        - /opt/docker_registry/auth:/auth

From my MAC I try:

docker login https://my.domain.ch 
Username: MyUserName 
Password: 
Error response from daemon: login attempt to https://my.domain.ch/v2/ failed with status: 401 Unauthorized 

Research showed me:

David Daeschler wrote that docker only supports basic auth with bcrypt. (I tried apache-md5, md5 and crypt; none of them work.) So I generated my htaccess with bcrypt.

My docker-registry log:

registry_1 | time="2016-09-22T10:01:00.809076941Z" level=debug msg="authorizing request" go.version=go1.6.3 http.request.host=mydomain.ch http.request.id=f1b0ccda-2d03-4480-aaf8-b7248acaed5f http.request.method=GET http.request.remoteaddr=xxx.xxx.xxx.127 http.request.uri="/v2/" http.request.useragent="docker/1.12.1 go/go1.6.3 git-commit/23cf638 kernel/4.4.20-moby os/linux arch/amd64 UpstreamClient(Docker-Client/1.12.1 \\(darwin\\))" instance.id=59b4a38a-307e-446d-9f8a-3618c35bb6bb service=registry version=v2.5.1 

registry_1 | time="2016-09-22T10:01:00.811894104Z" level=error msg="error authenticating user \"MyUserName\": authentication failure" go.version=go1.6.3 http.request.host=my.domain.ch http.request.id=f1b0ccda-2d03-4480-aaf8-b7248acaed5f http.request.method=GET http.request.remoteaddr=xxx.xxx.xxx.127 http.request.uri="/v2/" http.request.useragent="docker/1.12.1 go/go1.6.3 git-commit/23cf638 kernel/4.4.20-moby os/linux arch/amd64 UpstreamClient(Docker-Client/1.12.1 \\(darwin\\))" instance.id=59b4a38a-307e-446d-9f8a-3618c35bb6bb service=registry version=v2.5.1 

registry_1 | time="2016-09-22T10:01:00.812631504Z" level=warning msg="error authorizing context: basic authentication challenge for realm \"basic-realm\": authentication failure" go.version=go1.6.3 http.request.host=my.domain.ch http.request.id=f1b0ccda-2d03-4480-aaf8-b7248acaed5f http.request.method=GET http.request.remoteaddr=83.xxx.xxx.127 http.request.uri="/v2/" http.request.useragent="docker/1.12.1 go/go1.6.3 git-commit/23cf638 kernel/4.4.20-moby os/linux arch/amd64 UpstreamClient(Docker-Client/1.12.1 \\(darwin\\))" instance.id=59b4a38a-307e-446d-9f8a-3618c35bb6bb service=registry version=v2.5.1 

registry_1 | xxx.xxx.xxx.11 - - [22/Sep/2016:10:01:00 +0000] "GET /v2/ HTTP/1.0" 401 87 "" "docker/1.12.1 go/go1.6.3 git-commit/23cf638 kernel/4.4.20-moby os/linux arch/amd64 UpstreamClient(Docker-Client/1.12.1 \\(darwin\\))" 

nginx log:

2016/09/22 09:14:34 [crit] 13318#0: *8 crypt_r() failed (22: Invalid argument), client: xxx.xxx.xxx.127, server: my.domain.ch, request: "GET /v2/ HTTP/1.1", host: "my.domain.ch" 

The cause of the error is covered by this answer from a Docker.com guy. (In short: hunting this down shows that it depends on the gcc version shipped with Debian.)

What I know from the logs & errors:

  • It forwards the request correctly
  • The port is open and accepts requests
  • TLS works & the certificate is correct - it uses the v2 API
  • It must be related to the htaccess
  • It must be a problem with nginx, since it works locally

How can I make nginx understand bcrypt? Or is the error somewhere else?

Thanks for any help, SWiggels

EDIT:

Found this from a docker.com guy:

I'm not sure if this will help, but we've become tired of dealing with nginx's edge cases for new users, so registry 2.1 will come with htpasswd based basic auth support. 

Since docker-registry v2.5.1 is used, basic auth should work.

I installed sudo apt-get install apache2-utils on vm-1. I thought it might bring bcrypt along. It didn't work.

When installing bcrypt explicitly (sudo apt-get install bcrypt) I get bcrypt is already the newest version.

Adding sudo apt-get install libgmp3-dev as suggested here didn't work either.

As mentioned here, auth_basic (nginx? or basic auth in general?) doesn't support bcrypt. But the only encryption docker-registry allows for the htaccess passwords is bcrypt.

As read here, nginx cannot handle bcrypt password hashes.

Is it not possible to run docker-registry v2.5.1 behind nginx 1.10.1?
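As an added check (not code from the question), this script classifies each entry of an htpasswd file and reports which of the two components in the setup above could verify it, applying the constraints the question states: nginx's auth_basic cannot handle bcrypt, while the registry's htpasswd auth accepts nothing else. The sample file, user names and hash values are constructed placeholders, not real hashes.

```python
"""Audit an htpasswd file shared by nginx auth_basic and a Docker registry v2."""
import re
from typing import List, NamedTuple

# nginx auth_basic handles apr1, {SHA}, {SSHA} and {PLAIN} itself and hands every
# other hash to the system crypt_r(); glibc's crypt_r() rejects bcrypt ($2y$...)
# with EINVAL, which is the "crypt_r() failed (22: Invalid argument)" nginx log line.
NGINX_SCHEMES = {"crypt-des", "crypt-glibc", "apr1", "ldap-sha", "plain"}
# The registry's htpasswd authentication verifies bcrypt entries only.
REGISTRY_SCHEMES = {"bcrypt"}

Entry = NamedTuple("Entry", [("user", str), ("scheme", str),
                             ("nginx_ok", bool), ("registry_ok", bool)])

def classify(hash_field: str) -> str:
    """Name the hash scheme of one htpasswd password field."""
    if re.fullmatch(r"\$2[aby]\$\d\d\$[./A-Za-z0-9]{53}", hash_field):
        return "bcrypt"
    if hash_field.startswith("$apr1$"):
        return "apr1"
    if hash_field.startswith(("$1$", "$5$", "$6$")):   # MD5 / SHA-256 / SHA-512 crypt
        return "crypt-glibc"
    if hash_field.startswith(("{SHA}", "{SSHA}")):
        return "ldap-sha"
    if hash_field.startswith("{PLAIN}"):
        return "plain"
    if re.fullmatch(r"[./A-Za-z0-9]{13}", hash_field):  # traditional DES crypt
        return "crypt-des"
    return "unknown"

def audit(htpasswd_text: str) -> List[Entry]:
    """Classify every user:hash line; blank lines and comments are skipped."""
    entries = []
    for line in htpasswd_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, _, hash_field = line.partition(":")
        scheme = classify(hash_field)
        entries.append(Entry(user, scheme, scheme in NGINX_SCHEMES, scheme in REGISTRY_SCHEMES))
    return entries

def usable_by_both(entries: List[Entry]) -> List[str]:
    """Users both sides would accept: always empty, since no scheme is in both sets."""
    return [e.user for e in entries if e.nginx_ok and e.registry_ok]

# Constructed sample: the hash fields are shape-correct placeholders, not real hashes.
SAMPLE = """\
MyUserName:$2y$05$abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0
deployer:$apr1$saltsalt$abcdefghijklmnopqrstuv
"""
```

Running audit(SAMPLE) shows the bcrypt entry is usable by the registry only and the apr1 entry by nginx only, which is the 401 seen above whenever both sides check the same file.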

Answer

0

I still have no clue how to solve my problem. So I went for a workaround: I configured the firewall to forward the port directly to the machine running the registry. That way I can connect to my registry from outside using the domain name.

If anyone knows how to get it running with nginx, I'd be grateful.