No Such Host: Docker daemon can't access kubernetes registry but wget on the same node can connect to the registry
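I have an Alpine Linux based node on a single-node kubernetes cluster (for testing). I have a private docker registry installed in the cluster at docker-registry.default:5000. I can log in to the alpine node, use wget, and access my private docker registry.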
kubectl exec -it pod/nuclio-dashboard-5c5c48947b-lpgx8 -- /bin/sh
/ # wget -qO- https://docker:mypassword@docker-registry.default:5000/v2/_catalog
{"repositories":["nuclio/processor-helloworld3"]}
But I can't seem to access it using docker on the same pod. Both the client and the server are version 2019.
kubectl exec -it pod/nuclio-dashboard-5c5c48947b-lpgx8 -- /bin/sh
/ # which docker
/usr/local/bin/docker
/ # docker login -u docker -p mypassword docker-registry.default:5000
Error response from daemon: Get https://docker-registry.default:5000/v2/: dial tcp: lookup docker-registry.default on 169.254.169.254:53: no such host
I can log in to the Docker Hub registry.
docker login -u my_hub_user -p my_hub_password
Login Succeeded
Edit:
On kubectl describe pod nuclio-dashboard-5c5c48947b-lpgx8, we get:
kd pod/nuclio-dashboard-5c5c48947b-2dpnz
Name:           nuclio-dashboard-5c5c48947b-2dpnz
Namespace:      nuclio
Priority:       0
Node:           gke-your-first-cluster-1-pool-1-fe915942-506h/10.128.0.30
Start Time:     Tue, 31 Dec 2019 09:39:45 -0500
Labels:         app=nuclio
                nuclio.io/app=dashboard
                nuclio.io/class=service
                nuclio.io/name=nuclio-dashboard
                pod-template-hash=5c5c48947b
                release=nuclio
Annotations:    nuclio.io/version: 1.3.4-amd64
Status:         Running
IP:             10.4.0.9
Controlled By:  ReplicaSet/nuclio-dashboard-5c5c48947b
Containers:
  nuclio-dashboard:
    Container ID:   docker://4f358607618f89da911e191226313193e38ed5335a3e46c207eee16669f1dd46
    Image:          quay.io/nuclio/dashboard:1.3.4-amd64
    Image ID:       docker-pullable://quay.io/nuclio/dashboard@sha256:e6d94f7bf46601b2454a9e73ba292c62edac3d4684ea15057855af2277eab8a5
    Port:           8070/TCP
    Host Port:      0/TCP
    State:          Running
      Started:      Tue, 31 Dec 2019 09:40:27 -0500
    Ready:          True
    Restart Count:  0
    Environment:
      NUCLIO_DASHBOARD_REGISTRY_URL:                <set to the key 'registry_url' of config map 'nuclio-registry-url'>  Optional: true
      NUCLIO_DASHBOARD_DEPLOYMENT_NAME:             nuclio-dashboard
      NUCLIO_CONTAINER_BUILDER_KIND:                docker
      NUCLIO_DASHBOARD_EXTERNAL_IP_ADDRESSES:
      NUCLIO_DASHBOARD_HTTP_INGRESS_HOST_TEMPLATE:
    Mounts:
      /etc/nuclio/dashboard/registry-credentials from registry-credentials (ro)
      /var/run/docker.sock from docker-sock (rw)
      /var/run/secrets/kubernetes.io/serviceaccount from nuclio-nuclio-token-d7fwp (ro)
Conditions:
  Type              Status
  Initialized       True
  Ready             True
  ContainersReady   True
  PodScheduled      True
Volumes:
  docker-sock:
    Type:          HostPath (bare host directory volume)
    Path:          /var/run/docker.sock
    HostPathType:
  registry-credentials:
    Type:        Secret (a volume populated by a Secret)
    SecretName:  nuclio-registry-credentials
    Optional:    true
  nuclio-nuclio-token-d7fwp:
    Type:        Secret (a volume populated by a Secret)
    SecretName:  nuclio-nuclio-token-d7fwp
    Optional:    false
QoS Class:       BestEffort
Node-Selectors:  <none>
Tolerations:     node.kubernetes.io/not-ready:NoExecute for 300s
                 node.kubernetes.io/unreachable:NoExecute for 300s
Events:          <none>
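Kubernetes injects the internal DNS server into the pod's /etc/resolv.conf file. That is why you can access the registry from the Pod.
Normally, this DNS service is not exposed outside the Pod network.
When you use the docker command, you are on the host, and the host points to another DNS server that cannot resolve the registry's internal service name.
To access the registry from your host, you need the following.
1) Expose the registry Service as NodePort or LoadBalancer (since this is a test environment, use NodePort) doc link
2) Create a proper DNS entry to resolve the name to the IP (here the IP will be the IP of the NodePort service's node). Since you have only one node, create an entry in the /etc/hosts file to resolve the registry FQDN.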
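An added example, not part of the original question or answer: it lists the containers that mount the node's /var/run/docker.sock and checks whether the resolver named in the daemon's error appears in the pod's resolv.conf, which shows where the lookup actually ran. The pod JSON and resolv.conf below are constructed samples, and the cluster DNS address 10.7.240.10 is an assumption.

```python
import json
import re

# Constructed sample: trimmed pod spec matching the `kubectl describe` output above.
POD = json.loads("""
{"spec": {
  "containers": [{"name": "nuclio-dashboard", "volumeMounts": [
    {"name": "registry-credentials", "mountPath": "/etc/nuclio/dashboard/registry-credentials", "readOnly": true},
    {"name": "docker-sock", "mountPath": "/var/run/docker.sock"}]}],
  "volumes": [{"name": "docker-sock", "hostPath": {"path": "/var/run/docker.sock"}},
              {"name": "registry-credentials", "secret": {"secretName": "nuclio-registry-credentials"}}]}}
""")
# Constructed pod /etc/resolv.conf; the cluster DNS address is an assumption.
RESOLV_CONF = "nameserver 10.7.240.10\nsearch nuclio.svc.cluster.local svc.cluster.local cluster.local\noptions ndots:5\n"
# Error text copied from the question.
ERROR = ("Error response from daemon: Get https://docker-registry.default:5000/v2/: dial tcp: "
         "lookup docker-registry.default on 169.254.169.254:53: no such host")

def docker_sock_mounts(pod):
    """Return (container, mountPath, writable) for every mount of the node's docker.sock."""
    host_socks = {v["name"] for v in pod["spec"].get("volumes", [])
                  if v.get("hostPath", {}).get("path", "").endswith("docker.sock")}
    return [(c["name"], m["mountPath"], not m.get("readOnly", False))
            for c in pod["spec"]["containers"]
            for m in c.get("volumeMounts", []) if m["name"] in host_socks]

def pod_nameservers(resolv_conf):
    """Nameserver addresses listed in a resolv.conf body."""
    return [parts[1] for parts in (line.split() for line in resolv_conf.splitlines())
            if len(parts) >= 2 and parts[0] == "nameserver"]

def failed_lookup(error):
    """Extract (name, resolver) from a 'lookup NAME on IP:PORT: no such host' error."""
    m = re.search(r"lookup (\S+) on (\S+):\d+: no such host", error)
    return (m.group(1), m.group(2).strip("[]")) if m else None

def diagnose(pod, resolv_conf, error):
    """Decide whether the failing lookup used the pod's resolver or ran elsewhere."""
    lookup = failed_lookup(error)
    if lookup is None:
        return "not a DNS failure"
    name, resolver = lookup
    if resolver in pod_nameservers(resolv_conf):
        return f"{name}: queried the pod resolver {resolver}; check the Service name"
    if docker_sock_mounts(pod):
        return f"{name}: queried {resolver}, not the pod resolver; the node's daemon did the lookup"
    return f"{name}: queried {resolver}, which is not in the pod's resolv.conf"

print(diagnose(POD, RESOLV_CONF, ERROR))
```

Against a live cluster, the same functions can be fed the output of `kubectl get pod <name> -o json` and the pod's real /etc/resolv.conf. A writable docker.sock mount also means the container can drive the node's Docker daemon directly, so any pod the first function reports deserves review.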