Why docker push registry errors on certificate file?
As described in How to setup docker private registry on ubuntu 16.04, I changed /etc/hosts to this:
192.168.1.154 registry-server
192.168.1.90 registry-client
Then I pulled the registry image:
docker pull registry
Then I created the certificate files:
mkdir /etc/certs
cd /etc/certs
openssl req -newkey rsa:4096 -nodes -sha256 -keyout ca.key -x509 -days 365 -out ca.crt
I copied ca.crt to these paths on the client host:
/etc/certs/
/etc/docker/certs.d/registry-server:5000/
Then I ran the container on the server host:
docker run -d -p 5000:5000 --restart=always --name registry -v /etc/certs:/etc/certs -e REGISTRY_HTTP_TLS_CERTIFICATE=/etc/certs/ca.crt -e REGISTRY_HTTP_TLS_KEY=/etc/certs/ca.key registry
I tagged the image:
docker tag phpmyadmin/phpmyadmin:latest registry-server:5000/pma-test
But when I try to push the image registry-server:5000/pma-test to the server:
docker push registry-server:5000/pma-test:latest
I get the following error:
Error response from daemon: open /etc/docker/certs.d/registry-server:5000: permission denied
======================================
Update:
I ran journalctl -xe and found these errors:
Sep 30 13:58:37 docker.dockerd[926]: time="2019-09-30T13:58:37.229097561Z" level=debug msg="Calling GET /_ping"
Sep 30 13:58:37 docker.dockerd[926]: time="2019-09-30T13:58:37.238248010Z" level=debug msg="Calling POST /v1.38/images/registry-server:5000/pma-test/push?tag="
Sep 30 13:58:37 docker.dockerd[926]: time="2019-09-30T13:58:37.238670117Z" level=debug msg="hostDir: /etc/docker/certs.d/registry-server:5000"
Sep 30 13:58:37 docker.dockerd[926]: time="2019-09-30T13:58:37.238797277Z" level=debug msg="FIXME: Got an API for which error does not match any expected type!!!: open /etc/docker/certs.d/registry-server:5000: permission denied" error_type="*os.PathError" module=api
Sep 30 13:58:37 docker.dockerd[926]: time="2019-09-30T13:58:37.238831133Z" level=error msg="Handler for POST /v1.38/images/registry-server:5000/pma-test/push returned error: open /etc/docker/certs.d/registry-server:5000: permission denied"
Sep 30 13:58:37 docker.dockerd[926]: time="2019-09-30T13:58:37.238861895Z" level=debug msg="FIXME: Got an API for which error does not match any expected type!!!: open /etc/docker/certs.d/registry-server:5000: permission denied" error_type="*os.PathError" module=api
Sep 30 13:58:37 audit[926]: AVC apparmor="DENIED" operation="open" profile="snap.docker.dockerd" name="/etc/docker/certs.d/registry-server:5000/" pid=926 comm="dockerd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Sep 30 13:58:37 kernel: audit: type=1400 audit(1569851917.234:53): apparmor="DENIED" operation="open" profile="snap.docker.dockerd" name="/etc/docker/certs.d/registry-server:5000/" pid=926 comm="dockerd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Why does this error occur?
Docker version 19.03.2, build 6a30dfc
docker-compose version 1.24.0, build 0aa59064
Server and client hosts: Ubuntu 18.04
Finally found it:
I added the following line to /var/lib/snapd/apparmor/profiles/snap.docker.docker
/etc/docker/certs.d/** r,
Then I ran:
apparmor_parser -r /var/lib/snapd/apparmor/profiles/snap.docker.dockerd
Problem solved.
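
As an added example (not part of the original post), the script below pulls the AppArmor denials out of journal text like the lines quoted in the question, lists each distinct profile, operation, mask and path, and prints the narrowest file rule that would cover each one. The function names are made up for this example; the sample lines are copied from the question.

```shell
#!/bin/sh
# Added example: summarise AppArmor denials found in journal text on stdin.
# Prints one tab-separated line per distinct denial:
#   profile  operation  denied_mask  path  occurrences
summarize_denials() {
    awk '
    # Return the value of key="value" from one audit record.
    function field(line, key,    re, s) {
        re = " " key "=\"[^\"]*\""
        if (!match(line, re)) return ""
        s = substr(line, RSTART, RLENGTH)
        sub(/^[^"]*"/, "", s)
        sub(/"$/, "", s)
        return s
    }
    /apparmor="DENIED"/ {
        # The audit and kernel lines describe the same event, so
        # identical denials are counted instead of listed twice.
        k = field($0, "profile") "\t" field($0, "operation")
        k = k "\t" field($0, "denied_mask") "\t" field($0, "name")
        n[k]++
    }
    END { for (k in n) printf "%s\t%d\n", k, n[k] }
    ' | sort
}

# Turn each summarised denial into the narrowest matching file rule,
# for review before anything is added to a profile. Paths containing
# spaces would need quoting and are not handled here.
narrowest_rules() {
    summarize_denials | awk -F '\t' '{ printf "%s %s,\n", $4, $3 }'
}

# Three lines copied from the journal output in the question.
sample_log() {
    cat <<'EOF'
Sep 30 13:58:37 docker.dockerd[926]: time="2019-09-30T13:58:37.238670117Z" level=debug msg="hostDir: /etc/docker/certs.d/registry-server:5000"
Sep 30 13:58:37 audit[926]: AVC apparmor="DENIED" operation="open" profile="snap.docker.dockerd" name="/etc/docker/certs.d/registry-server:5000/" pid=926 comm="dockerd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Sep 30 13:58:37 kernel: audit: type=1400 audit(1569851917.234:53): apparmor="DENIED" operation="open" profile="snap.docker.dockerd" name="/etc/docker/certs.d/registry-server:5000/" pid=926 comm="dockerd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
EOF
}

sample_log | summarize_denials
sample_log | narrowest_rules
```

On a live host the same functions can read `journalctl -k --no-pager` instead of the sample. snapd writes the files under /var/lib/snapd/apparmor/profiles itself, so a line added there by hand can be lost when the snap is refreshed.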