1. Environment

This post reuses the Docker environment from earlier articles:

2. First attempt

I had assumed that setting up a Docker Registry would be about as simple as it gets, simple enough to finish with a single command. For example, on the Registry server we run:

This time the Registry is the current latest stable release, Registry 2.3.0. Because images are stored on local disk and the root partition is small, another volume has to be mapped in:

$ sudo service docker restart
docker stop/waiting
docker start/running, process 6712
$ sudo docker run -d -p 5000:5000 -v `pwd`/data:/var/lib/registry --restart=always --name registry registry:2
5966e92fce9c34705050e19368d19574e021a272ede1575385ef35ecf5cea019

Try pushing the image again:

$ docker push 10.10.105.71:5000/tonybai/busybox
The push refers to a repository [10.10.105.71:5000/tonybai/busybox] (len: 1)
unable to ping registry endpoint https://10.10.105.71:5000/v0/
v2 ping attempt failed with error: Get https://10.10.105.71:5000/v2/: tls: oversized record received with length 20527
v1 ping attempt failed with error: Get https://10.10.105.71:5000/v1/_ping: tls: oversized record received with length 20527

It still fails, but the error message is different now. This time the connection is established; the client, talking to the server over https, apparently tries to negotiate TLS, and that negotiation never completes.

On 10.10.105.72:

$ docker push 10.10.105.71:5000/tonybai/ubuntu
The push refers to a repository [10.10.105.71:5000/tonybai/ubuntu] (len: 1)
unable to ping registry endpoint https://10.10.105.71:5000/v0/
v2 ping attempt failed with error: Get https://10.10.105.71:5000/v2/: tls: oversized record received with length 20527
v1 ping attempt failed with error: Get https://10.10.105.71:5000/v1/_ping: tls: oversized record received with length 20527

Judging from the error, the client talks to the Registry over https by default, but when we installed the Registry we configured no TLS key or certificate at all, so https access is bound to fail. To get to the bottom of this, the only option is the Registry manual.

3. Insecure Registry

The Registry documentation is fairly thorough. In it we find the Insecure Registry, that is, how to configure and use a Registry that accepts plain http, although this is not what the project recommends.

DOCKER_OPTS="--insecure-registry 10.10.105.71:5000 ....

Following that configuration, we edit /etc/default/docker on 105.72, restart the Docker daemon, and pull/push now produce the right result:

$ docker push 10.10.105.71:5000/tonybai/busybox
The push refers to a repository [10.10.105.71:5000/tonybai/busybox] (len: 1)
65e4158d9625: Pushed
5506dda26018: Pushed
latest: digest: sha256:800f2d4558acd67f52262fbe170c9fc2e67efaa6f230a74b41b555e6fcca2892 size: 2739

This time the push succeeds!

We untag the local copy and pull the image back from the Registry:

4. Secure Registry

4.1 Generating a certificate

$ openssl req -newkey rsa:2048 -nodes -sha256 -keyout certs/domain.key -x509 -days 365 -out certs/domain.crt
Generating a 2048 bit RSA private key
..............+++
............................................+++
writing new private key to 'certs/domain.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:Liaoning
Locality Name (eg, city) []:shenyang
Organization Name (eg, company) [Internet Widgits Pty Ltd]:foo
Organizational Unit Name (eg, section) []:bar
Common Name (e.g. server FQDN or YOUR name) []:mydockerhub.com
Email Address []:bigwhite.cn@gmail.com

4.2 Starting the secure Registry

Start the Registry with the certificate:

$ docker push mydockerhub.com:5000/tonybai/busybox
The push refers to a repository [mydockerhub.com:5000/tonybai/busybox] (len: 1)
unable to ping registry endpoint https://mydockerhub.com:5000/v0/
v2 ping attempt failed with error: Get https://mydockerhub.com:5000/v2/: x509: certificate signed by unknown authority
v1 ping attempt failed with error: Get https://mydockerhub.com:5000/v1/_ping: x509: certificate signed by unknown authority

The push failed! The error log shows that the docker client considers the signer of the certificate sent by the server an unknown authority (an unknown CA), so certificate verification fails. We need the docker client to install our CA certificate:

$ docker push mydockerhub.com:5000/tonybai/busybox
The push refers to a repository [mydockerhub.com:5000/tonybai/busybox] (len: 1)
65e4158d9625: Image already exists
5506dda26018: Image already exists
latest: digest: sha256:800f2d4558acd67f52262fbe170c9fc2e67efaa6f230a74b41b555e6fcca2892 size: 2739

4.3 Accessing the Registry from other hosts

Let's try reaching this secure registry from another machine. Following the requirements above, we edit the hosts file in the same way, install ca.crt, remove the --insecure-registry option and restart the Docker daemon. Then we try to pull an image from the registry:

5. Registry with authentication

// Generate the password file for authentication
$ mkdir auth
$ docker run --entrypoint htpasswd registry:2 -Bbn foo foo123 > auth/htpasswd
$ ls auth
htpasswd

// Start a Registry with authentication enabled:
$ docker run -d -p 5000:5000 --restart=always --name registry \
  -v `pwd`/auth:/auth \
  -e "REGISTRY_AUTH=htpasswd" \
  -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" \
  -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd \
  -v `pwd`/data:/var/lib/registry \
  -v `pwd`/certs:/certs \
  -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt \
  -e REGISTRY_HTTP_TLS_KEY=/certs/domain.key \
  registry:2
199ad0b3591fb9613b21b1c96f017267f3c39661a7025d30df636c6805e7ab50

On 105.72 we try to push an image to the Registry:

$ docker push mydockerhub.com:5000/tonybai/busybox
The push refers to a repository [mydockerhub.com:5000/tonybai/busybox] (len: 1)
65e4158d9625: Image push failed
Head https://mydockerhub.com:5000/v2/tonybai/busybox/blobs/sha256:a3ed95caeb02ffe68cdd9fd84406680ae93d633cb16422d00e8a7c22955b46d4: no basic auth credentials

The error message says: authentication failed.

Pushing an image to the registry from other hosts produces the same error output:

6. Searching the Registry

$ docker search 10.10.105.71:5000/tonybai/busybox/
Error response from daemon: Unexpected status code 404

But through the v2 API we can achieve the same thing:
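The certificate step in the Secure Registry section above uses a bare `openssl req -x509` and then copies the result to the client. The script below is an added example, not the post's own commands: it generates the same kind of self-signed certificate but adds a subjectAltName (Go-based clients such as docker ignore the CN and reject a certificate whose SAN does not match the registry host), installs it under the per-registry directory the Docker client trusts, and verifies the result with openssl. It assumes openssl is on PATH; the host and port default to the post's mydockerhub.com:5000, and the certs.d root is a parameter so it can run unprivileged (the real location is /etc/docker/certs.d).

```shell
#!/bin/sh
# Added example (not from the original post): self-signed certificate for a
# private registry plus the client-side trust installation, then verification.
#
# Assumptions: openssl on PATH; certs.d root passed in so the function runs
# without root (the real directory is /etc/docker/certs.d).

make_registry_certs() {
    certs_dir="$1"      # where domain.key / domain.crt land (mounted as /certs)
    certsd_root="$2"    # e.g. /etc/docker/certs.d
    host="$3"
    port="$4"

    mkdir -p "$certs_dir" "$certsd_root/$host:$port" || return 1

    # Temporary openssl config: unlike the interactive "openssl req -x509" in
    # the post, this adds a subjectAltName. Without it docker (Go TLS) will
    # fail hostname verification even though the CN matches.
    cfg="$certs_dir/openssl.cnf"
    cat > "$cfg" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_req
prompt = no
[dn]
CN = $host
[v3_req]
subjectAltName = DNS:$host
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF

    openssl req -newkey rsa:2048 -nodes -sha256 -x509 -days 365 \
        -config "$cfg" \
        -keyout "$certs_dir/domain.key" -out "$certs_dir/domain.crt" 2>/dev/null || return 1

    # The private key is mounted into the registry container; keep it unreadable
    # to other users on the host.
    chmod 600 "$certs_dir/domain.key" || return 1

    # Client side: docker trusts <certs.d>/<host>:<port>/ca.crt for that
    # registry only, so the CA never has to be added system-wide and
    # --insecure-registry is not needed.
    cp "$certs_dir/domain.crt" "$certsd_root/$host:$port/ca.crt" || return 1

    # Verify that the certificate chains to the installed CA and carries the SAN.
    openssl verify -CAfile "$certsd_root/$host:$port/ca.crt" "$certs_dir/domain.crt" >/dev/null 2>&1 || return 1
    openssl x509 -in "$certs_dir/domain.crt" -noout -text | grep -q "DNS:$host" || return 1
}

# Usage (writing to the real certs.d needs root):
#   make_registry_certs ./certs /etc/docker/certs.d mydockerhub.com 5000
```

After running it, `./certs` can be mounted as `/certs` exactly as in the post's `docker run` line, and every client host needs only the `ca.crt` copy in its own certs.d directory.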
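The authentication section above creates `auth/htpasswd` with `htpasswd -Bbn`, where `-B` selects bcrypt. The registry's htpasswd backend accepts bcrypt entries only; a file written with the Apache default (`$apr1$` MD5) or crypt format is not rejected when the registry starts, but every login against those entries fails with 401, which is hard to distinguish from a client-side mistake. The check below is an added example, not part of the post: it validates the file format before the registry is started. The sample files it writes are constructed by hand and their hash values are not real hashes of any password.

```shell
#!/bin/sh
# Added example (not from the original post): validate an htpasswd file for
# the registry's htpasswd auth backend, which understands bcrypt only.
#
# Assumptions: POSIX sh, grep -E; sample entries below are constructed and not
# real password hashes.

# Returns 0 when every non-empty, non-comment line has the form
# user:$2[aby]$NN$<53 bcrypt chars>, 1 otherwise. Offending lines are
# reported on stderr by line number and user name only (never the hash).
check_htpasswd_bcrypt() {
    file="$1"
    bad=0
    lineno=0
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        case "$line" in
            ''|'#'*) continue ;;   # blank lines and comments are fine
        esac
        if ! printf '%s\n' "$line" | grep -Eq '^[^:]+:\$2[aby]\$[0-9]{2}\$[./A-Za-z0-9]{53}$'; then
            printf 'line %d: user "%s" is not a bcrypt entry\n' "$lineno" "${line%%:*}" >&2
            bad=1
        fi
    done < "$file"
    return $bad
}

# Writes two constructed sample files into "$1" (not real credential hashes).
write_samples() {
    dir="$1"
    mkdir -p "$dir" || return 1
    # Shape of `htpasswd -Bbn foo foo123` output: bcrypt ($2y$), cost 05.
    printf 'foo:$2y$05$abcdefghijklmnopqrstuuABCDEFGHIJKLMNOPQRSTUVWXYZ01234\n' > "$dir/good.htpasswd"
    # Same bcrypt entry plus an Apache MD5 ($apr1$) entry, which the registry cannot use.
    printf 'foo:$2y$05$abcdefghijklmnopqrstuuABCDEFGHIJKLMNOPQRSTUVWXYZ01234\nbar:$apr1$abcdefgh$ABCDEFGHIJKLMNOPQRSTUV\n' > "$dir/mixed.htpasswd"
}

# Usage: check_htpasswd_bcrypt auth/htpasswd && docker run ... -e REGISTRY_AUTH=htpasswd ...
```

Run the check against `auth/htpasswd` right after generating it; a non-zero exit means at least one user will never be able to log in, regardless of what the client sends.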