如何通过反向代理将 docker 个图像推送到 artifactory
How to push docker images through reverse proxy to artifactory
我在将 docker 图像推送到人工制品 [Artifactory Pro Power Pack 3.5.2.1(修订版 30160)](用作 docker 注册表)时遇到问题。
我有 docker 版本:
$ sudo docker version
Client version: 1.5.0
Client API version: 1.17
Go version (client): go1.3.3
Git commit (client): a8a31ef/1.5.0
OS/Arch (client): linux/amd64
Server version: 1.5.0
Server API version: 1.17
Go version (server): go1.3.3
Git commit (server): a8a31ef/1.5.0
我关注了这个 link http://www.jfrog.com/confluence/display/RTF/Docker+Repositories and this one
我在名为 docker-local
的 artifactory 中创建了一个 docker 注册表并启用了 docker 支持。
我的 artifactory 没有选项,我可以像 this document 中那样说 docker v1 或 v2,所以我假设它使用 docker v1。
Artifactory 为我生成了这些:
<distributionManagement>
<repository>
<id>sdpvvrwm812</id>
<name>sdpvvrwm812-releases</name>
<url>http://sdpvvrwm812.ib.tor.company.com:8081/artifactory/docker-local</url>
</repository>
<snapshotRepository>
<id>sdpvvrwm812</id>
<name>sdpvvrwm812-snapshots</name>
<url>http://sdpvvrwm812.ib.tor.company.com:8081/artifactory/docker-local</url>
</snapshotRepository>
</distributionManagement>
虽然有些东西不适用于这些设置。
我安装了反向代理 nginx
并将这些设置复制到它的 /etc/nginx/nginx.conf
中:
http {
##
# Basic Settings
##
[...]
server {
listen 443;
server_name sdpvvrwm812.ib.tor.company.com;
ssl on;
ssl_certificate /etc/ssl/certs/sdpvvrwm812.ib.tor.company.com.crt;
ssl_certificate_key /etc/ssl/private/sdpvvrwm812.ib.tor.company.com.key;
access_log /var/log/nginx/sdpvvrwm812.ib.tor.company.com.access.log;
error_log /var/log/nginx/sdpvvrwm812.ib.tor.company.com.error.log;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Original-URI $request_uri;
proxy_read_timeout 900;
client_max_body_size 0; # disable any limits to avoid HTTP 413 for large image uploads
# required to avoid HTTP 411: see Issue #1486 (https://github.com/docker/docker/issues/1486)
chunked_transfer_encoding on;
location /v1 {
proxy_pass http://sdpvvrwm812.ib.tor.company.com:8081/artifactory/api/docker/docker-local/v1;
}
} }
我生成了我的 ssl 密钥,如 http://www.akadia.com/services/ssh_test_certificate.html 所示,并放置在 2 个目录中
/etc/ssl/certs/sdpvvrwm812.ib.tor.company.com.crt;
/etc/ssl/private/sdpvvrwm812.ib.tor.company.com.key;
我不确定如何 ping 新的 docker 注册表,但是
sudo docker login -u adrianus -p AT65UTJpXEFBHaXrzrdUdCS -e adrian@company.com http://sdpvvrwm812.ib.tor.company.com
出现此错误:
FATA[0000] Error response from daemon: v1 ping attempt failed with
error: Get https://sdpvvrwm812.ib.tor.company.com/v1/_ping: dial tcp
172.25.10.44:443: connection refused. If this private registry supports only HTTP or HTTPS with an unknown CA certificate, please add
--insecure-registry sdpvvrwm812.ib.tor.company.com
to the daemon's
arguments. In the case of HTTPS, if you have access to the registry's
CA certificate, no need for the flag; simply place the CA certificate
at /etc/docker/certs.d/sdpvvrwm812.ib.tor.company.com/ca.crt
但是证书 /etc/docker/certs.d/sdpvvrwm812.ib.tor.company.com/ca.crt
存在,这是怎么回事?
sudo curl -k -uadrianus:AP2pKojAeMSpXEFBHaXrzrdUdCS "https://sdpvvrwm812.ib.tor.company.com"
出现此错误:
curl: (35) SSL connect error
我开始使用 docker 客户端:
sudo docker -d --insecure-registry https://sdpvvrwm812.ib.tor.company.com
难道是因为我的docker注册表是http://sdpvvrwm812.ib.tor.company.com:8081/artifactory/docker-local
并且docker和nginx正在寻找http://sdpvvrwm812.ib.tor.company.com:8081/artifactory/docker-local
/v1?
任何线索如何获得 docker 将图像推送到人工制品?
<distributionManagement/>
部分是针对 maven 的。 Artifactory 3 显示 Docker repos 的 maven 代码段(已在 Artifactory 4 中修复,欢迎您升级),这有点面子,所以请忽略它。
通常 Docker 不能使用 /artifactory/repoName。这是 Docker 限制,您的注册表必须是 hostname:port,没有任何其他路径。
这正是您必须配置反向代理的原因。您在 nginx 配置中所做的是将所有请求转发到 sdpvvrwm812.ib.tor.company.com:443/v1
到 http://sdpvvrwm812.ib.tor.company.com:8081/artifactory/api/docker/docker-local/v1
,这是正确的做法。
请注意,证书的位置应该是 /etc/docker/certs.d/sdpvvrwm812.ib.tor.company.com/
,而不是 /etc/ssl/certs/
。
我在将 docker 图像推送到人工制品 [Artifactory Pro Power Pack 3.5.2.1(修订版 30160)](用作 docker 注册表)时遇到问题。
我有 docker 版本:
$ sudo docker version
Client version: 1.5.0
Client API version: 1.17
Go version (client): go1.3.3
Git commit (client): a8a31ef/1.5.0
OS/Arch (client): linux/amd64
Server version: 1.5.0
Server API version: 1.17
Go version (server): go1.3.3
Git commit (server): a8a31ef/1.5.0
我关注了这个 link http://www.jfrog.com/confluence/display/RTF/Docker+Repositories and this one docker-local
的 artifactory 中创建了一个 docker 注册表并启用了 docker 支持。
我的 artifactory 没有选项,我可以像 this document 中那样说 docker v1 或 v2,所以我假设它使用 docker v1。
Artifactory 为我生成了这些:
<distributionManagement>
<repository>
<id>sdpvvrwm812</id>
<name>sdpvvrwm812-releases</name>
<url>http://sdpvvrwm812.ib.tor.company.com:8081/artifactory/docker-local</url>
</repository>
<snapshotRepository>
<id>sdpvvrwm812</id>
<name>sdpvvrwm812-snapshots</name>
<url>http://sdpvvrwm812.ib.tor.company.com:8081/artifactory/docker-local</url>
</snapshotRepository>
</distributionManagement>
虽然有些东西不适用于这些设置。
我安装了反向代理 nginx
并将这些设置复制到它的 /etc/nginx/nginx.conf
中:
http {
## # Basic Settings ## [...] server { listen 443; server_name sdpvvrwm812.ib.tor.company.com; ssl on; ssl_certificate /etc/ssl/certs/sdpvvrwm812.ib.tor.company.com.crt; ssl_certificate_key /etc/ssl/private/sdpvvrwm812.ib.tor.company.com.key; access_log /var/log/nginx/sdpvvrwm812.ib.tor.company.com.access.log; error_log /var/log/nginx/sdpvvrwm812.ib.tor.company.com.error.log; proxy_set_header Host $host; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header X-Original-URI $request_uri; proxy_read_timeout 900; client_max_body_size 0; # disable any limits to avoid HTTP 413 for large image uploads # required to avoid HTTP 411: see Issue #1486 (https://github.com/docker/docker/issues/1486) chunked_transfer_encoding on; location /v1 { proxy_pass http://sdpvvrwm812.ib.tor.company.com:8081/artifactory/api/docker/docker-local/v1; } } }
我生成了我的 ssl 密钥,如 http://www.akadia.com/services/ssh_test_certificate.html 所示,并放置在 2 个目录中
/etc/ssl/certs/sdpvvrwm812.ib.tor.company.com.crt;
/etc/ssl/private/sdpvvrwm812.ib.tor.company.com.key;
我不确定如何 ping 新的 docker 注册表,但是
sudo docker login -u adrianus -p AT65UTJpXEFBHaXrzrdUdCS -e adrian@company.com http://sdpvvrwm812.ib.tor.company.com
出现此错误:
FATA[0000] Error response from daemon: v1 ping attempt failed with error: Get https://sdpvvrwm812.ib.tor.company.com/v1/_ping: dial tcp 172.25.10.44:443: connection refused. If this private registry supports only HTTP or HTTPS with an unknown CA certificate, please add
--insecure-registry sdpvvrwm812.ib.tor.company.com
to the daemon's arguments. In the case of HTTPS, if you have access to the registry's CA certificate, no need for the flag; simply place the CA certificate at /etc/docker/certs.d/sdpvvrwm812.ib.tor.company.com/ca.crt
但是证书 /etc/docker/certs.d/sdpvvrwm812.ib.tor.company.com/ca.crt
存在,这是怎么回事?
sudo curl -k -uadrianus:AP2pKojAeMSpXEFBHaXrzrdUdCS "https://sdpvvrwm812.ib.tor.company.com"
出现此错误:
curl: (35) SSL connect error
我开始使用 docker 客户端:
sudo docker -d --insecure-registry https://sdpvvrwm812.ib.tor.company.com
难道是因为我的docker注册表是http://sdpvvrwm812.ib.tor.company.com:8081/artifactory/docker-local
并且docker和nginx正在寻找http://sdpvvrwm812.ib.tor.company.com:8081/artifactory/docker-local
/v1?
任何线索如何获得 docker 将图像推送到人工制品?
<distributionManagement/>
部分是针对 maven 的。 Artifactory 3 显示 Docker repos 的 maven 代码段(已在 Artifactory 4 中修复,欢迎您升级),这有点面子,所以请忽略它。
通常 Docker 不能使用 /artifactory/repoName。这是 Docker 限制,您的注册表必须是 hostname:port,没有任何其他路径。
这正是您必须配置反向代理的原因。您在 nginx 配置中所做的是将所有请求转发到 sdpvvrwm812.ib.tor.company.com:443/v1
到 http://sdpvvrwm812.ib.tor.company.com:8081/artifactory/api/docker/docker-local/v1
,这是正确的做法。
请注意,证书的位置应该是 /etc/docker/certs.d/sdpvvrwm812.ib.tor.company.com/
,而不是 /etc/ssl/certs/
。