为自己的docker注册表提供dockerd的SSL证书

Question

为自己的docker注册表提供dockerd的SSL证书

Maz*_*Tov 11 ssl docker gitlab-ci docker-registry docker-dind

如何在gitlab-ci管道中为自己的docker注册表提供自己的CA Root证书和SSL客户端证书(cert + key)到dockerd？

我有虚拟机(CentOS 7)并安装了docker和gitlab-runner.跑步者注册为docker:dind.安装工作正常,但我无法连接到我自己的docker注册表,该注册表具有来自我自己的CA的证书,但也使用客户端SSL证书.当我转到dockerd参数时,--insecure-registry=gitlab.mazel.tov:4567它不会验证CA,但我仍然不知道如何提供客户端SSL证书,并且pipile将失败并显示此错误.

$ docker login -u gitlab-ci-token -p $CI_JOB_TOKEN https://gitlab.mazel.tov:4567
WARNING! Using --password via the CLI is insecure. Use --password-stdin.
Error response from daemon: Get https://gitlab.mazel.tov:4567/v2/: error parsing HTTP 400 response body: invalid character '<' looking for beginning of value: "<html>\r\n<head><title>400 No required SSL certificate was sent</title></head>\r\n<body bgcolor=\"white\">\r\n<center><h1>400 Bad Request</h1></center>\r\n<center>No required SSL certificate was sent</center>\r\n<hr><center>nginx</center>\r\n</body>\r\n</html>\r\n"

Run Code Online (Sandbox Code Playgroud)

我也有docker中的文件夹:带有我的证书的dind容器,但这种方法不起作用dockerd？但是在我的电脑或服务器上它运行正常.

$ ls -la /etc/docker/certs.d/gitlab.mazel.tov\:4567/
    ca.crt
    client.cert
    client.key

Run Code Online (Sandbox Code Playgroud)

我也进行过探索,dockerd --help但关于证书的选项仅适用于docker套接字和i SSL配置docker注册表.

/etc/gitlab-runner/config.toml

[[runners]]
  name = "My Docker Runner"
  url = "https://gitlab.mazel.tov"
  token = "ac17ab5cfff675fddd059d40a3"
  tls-ca-file = "/etc/ssl/certs/myCA.pem"
  tls-cert-file = "/etc/gitlab-runner/certs/mazel.tov.pem"
  tls-key-file = "/etc/gitlab-runner/certs/mazel.tov.key"
  executor = "docker"
  [runners.docker]
    image = "docker:dind"
    privileged = true
    disable_cache = false
    volumes = ["/cache", "/etc/docker/certs.d:/etc/docker/certs.d"]
    shm_size = 0
  [runners.cache]

Run Code Online (Sandbox Code Playgroud)

.gitlab-ci.yml

services:
  - name: docker:dind
    command: ["--insecure-registry=gitlab.mazel.tov:4567"]

variables:
  DOCKER_DRIVER: overlay2
  DOCKER_HOST: tcp://docker:2375/

stages:
  - build

before_script:
  - ls -la /etc/docker/certs.d/gitlab.mazel.tov\:4567/
  - docker info
  - docker login -u gitlab-ci-token -p $CI_JOB_TOKEN https://gitlab.mazel.tov:4567

build-web:
  stage: build
  script:
    - docker build ...
    - docker push ...

Run Code Online (Sandbox Code Playgroud)

我也不喜欢--insecure-registry选项.我的gitlab服务器在Nginx级别配置了客户端证书.

/etc/gitlab/gitlab.rb

nginx['ssl_client_certificate'] = "/etc/gitlab/ssl/myCA.crt"
nginx['ssl_verify_client'] = "on"

Run Code Online (Sandbox Code Playgroud)

证书在我的机器和其他服务器上运行正常,我只是在使用gitlab-ci管道实现它时遇到了麻烦...

当我测试docker时:在我的mac上安装并挂载证书它可以正常工作,所以问题只出现在gitlab-ci管道中？也许在mount文件夹出现之前加载了dockerd？

docker run -it --rm --privileged -v ~/.docker/certs.d/:/etc/docker/certs.d/ docker:dind sh
dockerd &
docker login https://gitlab.mazel.tov:4567
** it works **

Run Code Online (Sandbox Code Playgroud)

Answer 1

小智 -1

在 [[runners]] 下尝试此配置

 environment = ["DOCKER_TLS_CERTDIR="]

Run Code Online (Sandbox Code Playgroud)

归档时间：	7 年，4 月前
查看次数：	527 次
最近记录：	7 年前