Pushing a local Docker image to a private repository with a self-signed certificate

Problem description

I'm trying to push an image, say foo/bar, from my local Docker registry to a registry running on OpenShift 3.11 (actually Minishift v1.33.0+ba29431).

The registry is at 192.168.64.3:2376 and it expects HTTPS connections. It uses a self-signed certificate.

First I copy the tag for the new image:

docker tag foo/bar 192.168.64.3:2376/app/foo/bar

This succeeds. Then I try pushing:

$ docker push 192.168.64.3:2376/app/foo/bar
The push refers to repository [192.168.64.3:2376/app/foo/bar]
Get https://192.168.64.3:2376/v2/: x509: certificate signed by unknown authority

or, when Docker is configured to allow use of unsafe registries in 192.168.64.0/24, it talks HTTP to the server instead of disabling certificate verification:

$ docker push 192.168.64.3:2376/app/foo/bar
The push refers to repository [192.168.64.3:2376/app/foo/bar]
Get http://192.168.64.3:2376/v2/: EOF

The documentation says that for an unsafe registry, it should "First, try using HTTPS. If HTTPS is available but the certificate is invalid, ignore the error about the certificate. If HTTPS is not available, fall back to HTTP." So I would not expect to see an EOF error.

I also cannot try to tell Docker to use the Minishift certs, because it suddenly loses the ability to talk to the local Docker daemon (it should use a Unix domain socket, not tcp://localhost:2376):

$ export DOCKER_TLS_VERIFY="1"
$ export DOCKER_CERT_PATH="/Users/rzg/.minishift/certs"
$ docker push 192.168.64.3:2376/app/foo/bar
Cannot connect to the Docker daemon at tcp://localhost:2376. Is the docker daemon running?

This is the version of Docker I'm using:

Client: Docker Engine - Community
 Version:           18.09.2
 API version:       1.39
 Go version:        go1.10.8
 Git commit:        6247962
 Built:             Sun Feb 10 04:12:39 2019
 OS/Arch:           darwin/amd64
 Experimental:      false

Server: Docker Engine - Community
 Engine:
  Version:          18.09.2
  API version:      1.39 (minimum version 1.12)
  Go version:       go1.10.6
  Git commit:       6247962
  Built:            Sun Feb 10 04:13:06 2019
  OS/Arch:          linux/amd64
  Experimental:     false

Recommended answer

The Docker client needs to be configured to (i) accept the private registry's certificate, which is signed by the CA certificate, and (ii) present an authorized client certificate.

Minishift places all of its certificate files in ~/.minishift/certs. This includes a CA certificate (ca.pem), a client certificate (cert.pem), and a client private key (key.pem).

This example query proves that all three ingredients lead to a successful connection:

curl \
    --cacert ~/.minishift/certs/ca.pem \
    --cert ~/.minishift/certs/cert.pem \
    --key ~/.minishift/certs/key.pem \
    https://$(minishift ip):2376/v2/info

On macOS, we need to follow this part of Docker's documentation (https://docs.docker.com/docker-for-mac/#add-tls-certificates) and install the CA certificate to the keychain:

security add-trusted-cert -d -r trustRoot -k ~/Library/Keychains/login.keychain ~/.minishift/certs/ca.pem

And also make links to the client certificate and key:

mkdir -p ~/.docker/certs.d/$(minishift ip):2376/
ln -s ~/.minishift/certs/cert.pem ~/.docker/certs.d/$(minishift ip):2376/client.cert
ln -s ~/.minishift/certs/key.pem ~/.docker/certs.d/$(minishift ip):2376/client.key

Finally, restart Docker for Mac and then push.
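The answer wires three files (ca.pem, cert.pem, key.pem) into Docker's certs.d layout. As an added example that is not part of the original answer, the helper below checks that cert.pem actually chains to ca.pem and that key.pem belongs to cert.pem before creating the links, since a mismatch there produces the same opaque push failures; the function name, arguments and the sample paths are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check the three
# Minishift certificate files before wiring them into Docker's certs.d.
# Catches the two usual mistakes: a client key that does not match the
# client cert, and a client cert that was not issued by the CA you trust.
#
# setup_registry_certs HOST:PORT CERTDIR DOCKERDIR
#   CERTDIR    directory holding ca.pem, cert.pem and key.pem
#   DOCKERDIR  Docker client config directory (normally ~/.docker)
setup_registry_certs() {
    registry=$1; certdir=$2; dockerdir=$3

    for f in ca.pem cert.pem key.pem; do
        [ -r "$certdir/$f" ] || { echo "missing $certdir/$f" >&2; return 1; }
    done

    # 1. cert.pem must chain to ca.pem, otherwise the registry rejects the client
    openssl verify -CAfile "$certdir/ca.pem" "$certdir/cert.pem" >/dev/null 2>&1 \
        || { echo "cert.pem is not signed by ca.pem" >&2; return 1; }

    # 2. the public key inside cert.pem must equal the one derived from key.pem
    cert_pub=$(openssl x509 -noout -pubkey -in "$certdir/cert.pem") || return 1
    key_pub=$(openssl pkey -in "$certdir/key.pem" -pubout 2>/dev/null) || return 1
    [ "$cert_pub" = "$key_pub" ] \
        || { echo "key.pem does not match cert.pem" >&2; return 1; }

    # 3. Docker looks for a directory named exactly like the registry host:port
    target="$dockerdir/certs.d/$registry"
    mkdir -p "$target" || return 1
    # Docker's file names: client.cert + client.key for client auth, ca.crt for
    # the trusted CA. A Linux daemon reads ca.crt from here; Docker for Mac
    # does not, which is why the answer puts the CA into the keychain instead.
    ln -sf "$certdir/ca.pem"   "$target/ca.crt"
    ln -sf "$certdir/cert.pem" "$target/client.cert"
    ln -sf "$certdir/key.pem"  "$target/client.key"
    echo "configured $target"
}

# Usage for the setup in the answer (assumed paths):
#   setup_registry_certs "$(minishift ip):2376" ~/.minishift/certs ~/.docker
```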
