JamesStewy 5 haproxy docker docker-registry
I am trying to set up a new Docker Registry (v2) behind HAProxy. For the Docker Registry I am using the image from Docker Hub and running it with docker run -d -p 5000:5000 -v /path/to/registry:/tmp/registry registry:2.0.1. Here is a subset of my HAProxy config:
global
chroot /var/lib/haproxy
user haproxy
group haproxy
daemon
tune.ssl.default-dh-param 2048
userlist auth_list
group docker_registry users root
user root password ***PASSWORD***
backend docker-registry
server 127.0.0.1:5000_localhost 127.0.0.1:5000 cookie 127.0.0.1:5000_localhost
frontend shared-frontend
mode http
bind *:80
bind *:443 ssl crt *** CERT FILES ***
option accept-invalid-http-request
acl domain_d.mydomain.com hdr(host) -i d.mydomain.com
acl auth_docker_registry_root http_auth(auth_list) root
redirect scheme https if !{ ssl_fc } domain_d.mydomain.com
http-request auth realm Registry if !auth_docker_registry_root { ssl_fc } domain_d.mydomain.com
use_backend docker-registry if domain_d.mydomain.com
The important thing to note is that I am using HAProxy for SSL termination and HTTP authentication, rather than the registry.
The problem arises when I try to log in to the new registry. If I run docker login https://d.mydomain.com/v2/ and then enter the user root and the password, I get the following error messages:
Docker client:
FATA[0009] Error response from daemon: invalid registry endpoint https://d.mydomain.com/v2/: https://d.mydomain.com/v2/ does not appear to be a v2 registry endpoint. If this private registry supports only HTTP or HTTPS with an unknown CA certificate, please add `--insecure-registry d.mydomain.com` to the daemon's arguments. In the case of HTTPS, if you have access to the registry's CA certificate, no need for the flag; simply place the CA certificate at /etc/docker/certs.d/d.mydomain.com/ca.crt
Docker daemon:
ERRO[0057] Handler for POST /auth returned error: invalid registry endpoint https://d.mydomain.com/v2/: https://d.mydomain.com/v2/ does not appear to be a v2 registry endpoint. If this private registry supports only HTTP or HTTPS with an unknown CA certificate, please add `--insecure-registry d.mydomain.com` to the daemon's arguments. In the case of HTTPS, if you have access to the registry's CA certificate, no need for the flag; simply place the CA certificate at /etc/docker/certs.d/d.mydomain.com/ca.crt
ERRO[0057] HTTP Error: statusCode=500 invalid registry endpoint https://d.mydomain.com/v2/: https://d.mydomain.com/v2/ does not appear to be a v2 registry endpoint. If this private registry supports only HTTP or HTTPS with an unknown CA certificate, please add `--insecure-registry d.mydomain.com` to the daemon's arguments. In the case of HTTPS, if you have access to the registry's CA certificate, no need for the flag; simply place the CA certificate at /etc/docker/certs.d/d.mydomain.com/ca.crt
So I tried adding --insecure-registry d.mydomain.com to:
- /etc/default/docker with DOCKER_OPTS="-H unix:///var/run/docker.sock --insecure-registry d.mydomain.com"
- docker -d --insecure-registry d.mydomain.com
None of these, or anything else I found online, worked. After each restart of docker and another login attempt, the same error message is given.
Some other things I have tried:
- d.mydomain.com, which results in a 404
- d.mydomain.com/v2/, which results in: {}
- the login command with https://d.mydomain.com/v2/, http://d.mydomain.com/v2/, d.mydomain.com/v2/, http://d.mydomain.com/ and d.mydomain.com/; none of these gave a successful login command.
This setup, with HAProxy doing SSL termination and HTTP authentication, used to work with the first version of the registry and older versions of docker. So has something changed in Docker Registry v2? Does this still work? And if it has not changed, why does the --insecure-registry flag no longer do anything?
Also, I have been trying to get this working for a while, so I may have forgotten some of the things I have tried. If there is anything that might help, let me know and I will try it.
Thanks, JamesStewy
This edit has been moved to the answer below.
I got it working. So here is my new config:
haproxy.cfg
global
chroot /var/lib/haproxy
user haproxy
group haproxy
daemon
tune.ssl.default-dh-param 2048
userlist auth_list
group docker_registry users root
user root password ***PASSWORD***
backend docker-registry
server 127.0.0.1:5000_localhost 127.0.0.1:5000 cookie 127.0.0.1:5000_localhost
backend docker-registry-auth
errorfile 503 /path/to/registry_auth.http
frontend shared-frontend
mode http
bind *:80
bind *:443 ssl crt *** CERT FILES ***
option accept-invalid-http-request
acl domain_d.mydomain.com hdr(host) -i d.mydomain.com
redirect scheme https if !{ ssl_fc } domain_d.mydomain.com
acl auth_docker_registry_root http_auth(auth_list) root
use_backend docker-registry-auth if !auth_docker_registry_root { ssl_fc } domain_d.mydomain.com
rsprep ^Location:\ http://(.*) Location:\ https://\1
use_backend docker-registry if domain_d.mydomain.com
registry_auth.http
HTTP/1.0 401 Unauthorized
Cache-Control: no-cache
Connection: close
Content-Type: text/html
Docker-Distribution-Api-Version: registry/2.0
WWW-Authenticate: Basic realm="Registry"

<html><body><h1>401 Unauthorized</h1>
You need a valid user and password to access this content.
</body></html>
The difference is that the http-request auth line has been replaced by use_backend docker-registry-auth. The backend docker-registry-auth has no servers, so it will always fail with a 503. But the 503 error file has been changed to registry_auth.http. In registry_auth.http the error code is overridden to 401, the WWW-Authenticate header is set to Basic realm="Registry", the basic HAProxy 401 error page is provided and, most importantly, the Docker-Distribution-Api-Version header is set to registry/2.0.
So this hacky workaround is exactly the same as the old http-request auth line, except that the custom header Docker-Distribution-Api-Version is now set. This lets it pass the test that starts at line 236 of https://github.com/docker/docker/blob/v1.7.0/registry/endpoint.go.
So now when I run docker login d.mydomain.com, the login succeeds and my credentials are added to .docker/config.json.
The second problem was that, even though it logged in, I could not push to the new repository. This was fixed by adding the rsprep line to the frontend. What this line does is modify the Location header (if it exists) to convert all http:// to https://.
I also found these docs for future reference.
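The two mechanisms the question and the answer turn on, the Docker client's /v2/ probe that rejects a 401 lacking the Docker-Distribution-Api-Version header, and the rsprep rule that rewrites http:// Location headers after SSL termination, can be modelled offline. The following is an added example written for this page; it is not code from the question, the answer, HAProxy or Docker. It parses raw HTTP responses, applies the version-header test as the answer describes it (treating 200 and 401 as the only probe statuses that count is an assumption taken from that description, not from the Docker source), and applies the Location rewrite. All three sample responses, including the upload path and id in the redirect, are constructed for the example.

```python
"""Offline model of the checks behind the HAProxy-fronted registry fix above.

Added example, not code from the question, the answer, HAProxy or Docker.
Assumption: HTTP 200 and 401 are the probe statuses the client accepts.
"""
import re

API_VERSION_HEADER = "docker-distribution-api-version"  # compared case-insensitively
API_VERSION_VALUE = "registry/2.0"
ACCEPTED_PROBE_STATUSES = {200, 401}  # assumption, see module docstring


def parse_http_response(raw):
    """Split a raw HTTP/1.x response into (status_code, headers, body).

    Header names are lower-cased so lookups are case-insensitive, as HTTP
    requires. The body is whatever follows the first blank line; an
    errorfile that lacks that blank line would have its HTML parsed by the
    client as further header lines, so its absence is rejected here.
    """
    head, sep, body = raw.partition("\r\n\r\n")
    if not sep:
        head, sep, body = raw.partition("\n\n")
    if not sep:
        raise ValueError("no blank line terminating the header block")
    lines = head.splitlines()
    if not lines or not lines[0].startswith("HTTP/"):
        raise ValueError("missing HTTP status line")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def looks_like_v2_registry(status, headers):
    """Return True when a /v2/ probe response would satisfy the Docker client.

    Both conditions matter: HAProxy's stock 'http-request auth' reply is a
    401 without the version header, which is exactly what produced the
    'does not appear to be a v2 registry endpoint' error in the question.
    """
    if status not in ACCEPTED_PROBE_STATUSES:
        return False
    return headers.get(API_VERSION_HEADER) == API_VERSION_VALUE


def rewrite_location(headers):
    r"""Apply the equivalent of the answer's rule:
    rsprep ^Location:\ http://(.*) Location:\ https://\1

    Returns a copy of the headers; only an http:// Location changes, so a
    relative or already-https Location passes through untouched.
    """
    out = dict(headers)
    loc = out.get("location")
    if loc is not None:
        out["location"] = re.sub(r"^http://", "https://", loc)
    return out


def evaluate(raw):
    """Return (passes the v2 probe?, Location header after rewrite or None)."""
    status, headers, _ = parse_http_response(raw)
    return looks_like_v2_registry(status, headers), rewrite_location(headers).get("location")


# --- Constructed sample responses (not captured traffic) -------------------
# What a plain 'http-request auth' sends back: a 401 with no version header.
PLAIN_AUTH_401 = (
    "HTTP/1.0 401 Unauthorized\r\n"
    "Cache-Control: no-cache\r\n"
    "Connection: close\r\n"
    "Content-Type: text/html\r\n"
    'WWW-Authenticate: Basic realm="Registry"\r\n'
    "\r\n"
    "<html><body><h1>401 Unauthorized</h1></body></html>\r\n"
)

# The answer's registry_auth.http errorfile, blank line included.
REGISTRY_AUTH_HTTP = (
    "HTTP/1.0 401 Unauthorized\r\n"
    "Cache-Control: no-cache\r\n"
    "Connection: close\r\n"
    "Content-Type: text/html\r\n"
    "Docker-Distribution-Api-Version: registry/2.0\r\n"
    'WWW-Authenticate: Basic realm="Registry"\r\n'
    "\r\n"
    "<html><body><h1>401 Unauthorized</h1>\r\n"
    "You need a valid user and password to access this content.\r\n"
    "</body></html>\r\n"
)

# A blob-upload redirect as a registry behind SSL termination emits it: it only
# sees plain HTTP, so it builds an http:// Location. Path and id are made up.
PUSH_REDIRECT = (
    "HTTP/1.1 202 Accepted\r\n"
    "Location: http://d.mydomain.com/v2/myimage/blobs/uploads/EXAMPLE-UPLOAD-ID\r\n"
    "Docker-Distribution-Api-Version: registry/2.0\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for name, raw in (("plain 401", PLAIN_AUTH_401),
                      ("registry_auth.http", REGISTRY_AUTH_HTTP),
                      ("push redirect", PUSH_REDIRECT)):
        ok, location = evaluate(raw)
        print(f"{name:20s} v2-probe={ok} location={location}")
```

Run as a script it prints one line per sample: the plain 401 fails the probe, the errorfile passes it, and the redirect (not a probe response) has its Location rewritten to https://. The same parser can be pointed at the output of curl -si https://d.mydomain.com/v2/ to confirm what the proxy actually returns before changing the Docker daemon's flags.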
Views: 4394