Adr*_*ian 4 continuous-integration nginx artifactory docker
我有一个问题是将我的docker镜像推向神器[Artifactory Pro Power Pack 3.5.2.1(rev.30160)](用作docker注册表).
我有泊坞版:
$ sudo docker version
Client version: 1.5.0
Client API version: 1.17
Go version (client): go1.3.3
Git commit (client): a8a31ef/1.5.0
OS/Arch (client): linux/amd64
Server version: 1.5.0
Server API version: 1.17
Go version (server): go1.3.3
Git commit (server): a8a31ef/1.5.0
我已经关注了这个链接http://www.jfrog.com/confluence/display/RTF/Docker+Repositories和这个神器作为docker注册表
我创建了一个名为docker的docker注册表docker-local并启用了docker支持.我的神器没有选项,我可以说像本文档中的 docker v1或v2,所以我假设它使用docker v1.
Artifactory为我生成了这些:
<distributionManagement>
<repository>
<id>sdpvvrwm812</id>
<name>sdpvvrwm812-releases</name>
<url>http://sdpvvrwm812.ib.tor.company.com:8081/artifactory/docker-local</url>
</repository>
<snapshotRepository>
<id>sdpvvrwm812</id>
<name>sdpvvrwm812-snapshots</name>
<url>http://sdpvvrwm812.ib.tor.company.com:8081/artifactory/docker-local</url>
</snapshotRepository>
</distributionManagement>
虽然有些东西不适合这些设置.
我安装了反向代理nginx并将这些设置复制到其中/etc/nginx/nginx.conf:
http {
Run Code Online (Sandbox Code Playgroud)## # Basic Settings ## [...] server { listen 443; server_name sdpvvrwm812.ib.tor.company.com; ssl on; ssl_certificate /etc/ssl/certs/sdpvvrwm812.ib.tor.company.com.crt; ssl_certificate_key /etc/ssl/private/sdpvvrwm812.ib.tor.company.com.key; access_log /var/log/nginx/sdpvvrwm812.ib.tor.company.com.access.log; error_log /var/log/nginx/sdpvvrwm812.ib.tor.company.com.error.log; proxy_set_header Host $host; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header X-Original-URI $request_uri; proxy_read_timeout 900; client_max_body_size 0; # disable any limits to avoid HTTP 413 for large image uploads # required to avoid HTTP 411: see Issue #1486 (https://github.com/docker/docker/issues/1486) chunked_transfer_encoding on; location /v1 { proxy_pass http://sdpvvrwm812.ib.tor.company.com:8081/artifactory/api/docker/docker-local/v1; } } }
我生成了我的ssl密钥,如http://www.akadia.com/services/ssh_test_certificate.html所示,并放在2个目录中
/etc/ssl/certs/sdpvvrwm812.ib.tor.company.com.crt;
/etc/ssl/private/sdpvvrwm812.ib.tor.company.com.key;
我不知道如何ping新的docker注册表,但这样做
sudo docker login -u adrianus -p AT65UTJpXEFBHaXrzrdUdCS -e adrian@company.com http://sdpvvrwm812.ib.tor.company.com
给出了这个错误:
FATA [0000]来自守护进程的错误响应:v1 ping尝试失败并出现错误:获取https://sdpvvrwm812.ib.tor.company.com/v1/_ping:拨打tcp 172.25.10.44:443:连接被拒绝.如果此私有注册表仅支持具有未知CA证书的HTTP或HTTPS,请添加
--insecure-registry sdpvvrwm812.ib.tor.company.com到守护程序的参数.对于HTTPS,如果您可以访问注册表的CA证书,则不需要该标志; 只需将CA证书放在/etc/docker/certs.d/sdpvvrwm812.ib.tor.company.com/ca.crt
但是证书/etc/docker/certs.d/sdpvvrwm812.ib.tor.company.com/ca.crt存在,所以发生了什么?
sudo curl -k -uadrianus:AP2pKojAeMSpXEFBHaXrzrdUdCS "https://sdpvvrwm812.ib.tor.company.com"
给出了这个错误:
curl: (35) SSL connect error
我确实启动了docker client:
sudo docker -d --insecure-registry https://sdpvvrwm812.ib.tor.company.com
可能是因为我的docker注册表是http://sdpvvrwm812.ib.tor.company.com:8081/artifactory/docker-local和docker和nginx正在寻找http://sdpvvrwm812.ib.tor.company.com:8081/artifactory/docker-local/ v1?
任何线索如何让docker将图像推送到神器?
这<distributionManagement/>部分是为了maven.有点facepalm,Artifactory 3显示了Docker repos的maven片段(在Artifactory 4中修复,欢迎你升级),所以请忽略它.
通常使用Docker,您不能使用/ artifactory/repoName.这是Docker限制,您的注册表必须是hostname:port,没有任何其他路径.
这正是您必须配置反向代理的原因.您在nginx配置中所做的是将所有请求转发sdpvvrwm812.ib.tor.company.com:443/v1给http://sdpvvrwm812.ib.tor.company.com:8081/artifactory/api/docker/docker-local/v1,这是正确的事情.
请注意,证书的位置应该是/etc/docker/certs.d/sdpvvrwm812.ib.tor.company.com/,而不是/etc/ssl/certs/.