我有虚拟机(CentOS 7),并安装了docker和gitlab-runner。跑步者注册为docker:dind
。设置工作正常,但是我无法连接到具有来自我自己的CA的证书的我自己的docker注册表,但是也正在使用client SSL certificate。当我将参数dockerd
传递给--insecure-registry=gitlab.mazel.tov:4567
时,它不会验证CA,但我仍然不知道如何提供客户端SSL证书,并且pipile会因该错误而失败。
容器内也有文件夹,但是这种方法不适用于$ docker login -u gitlab-ci-token -p $CI_JOB_TOKEN https://gitlab.mazel.tov:4567 WARNING! Using --password via the CLI is insecure. Use --password-stdin. Error response from daemon: Get https://gitlab.mazel.tov:4567/v2/: error parsing HTTP 400 response body: invalid character '<' looking for beginning of value: "<html>\r\n<head><title>400 No required SSL certificate was sent</title></head>\r\n<body bgcolor=\"white\">\r\n<center><h1>400 Bad Request</h1></center>\r\n<center>No required SSL certificate was sent</center>\r\n<hr><center>nginx</center>\r\n</body>\r\n</html>\r\n"
我在带有证书的docker:dind
dockerd
吗?但在我的计算机或服务器上,它可以正常工作。$ ls -la /etc/docker/certs.d/gitlab.mazel.tov\:4567/ ca.crt client.cert client.key
我也探索了
dockerd --help
,但有关证书的选项仅适用于docker套接字,而i SSL配置用于docker注册表。
/ etc / gitlab-runner / config.toml
[[runners]] name = "My Docker Runner" url = "https://gitlab.mazel.tov" token = "ac17ab5cfff675fddd059d40a3" tls-ca-file = "/etc/ssl/certs/myCA.pem" tls-cert-file = "/etc/gitlab-runner/certs/mazel.tov.pem" tls-key-file = "/etc/gitlab-runner/certs/mazel.tov.key" executor = "docker" [runners.docker] image = "docker:dind" privileged = true disable_cache = false volumes = ["/cache", "/etc/docker/certs.d:/etc/docker/certs.d"] shm_size = 0 [runners.cache]
。gitlab-ci.yml
services: - name: docker:dind command: ["--insecure-registry=gitlab.mazel.tov:4567"] variables: DOCKER_DRIVER: overlay2 DOCKER_HOST: tcp://docker:2375/ stages: - build before_script: - ls -la /etc/docker/certs.d/gitlab.mazel.tov\:4567/ - docker info - docker login -u gitlab-ci-token -p $CI_JOB_TOKEN https://gitlab.mazel.tov:4567 build-web: stage: build script: - docker build ... - docker push ...
我也不喜欢--insecure-registry选项。我的gitlab服务器在Nginx级别配置了客户端证书。
/ etc / gitlab / gitlab.rb
nginx['ssl_client_certificate'] = "/etc/gitlab/ssl/myCA.crt" nginx['ssl_verify_client'] = "on"
证书在我的机器和其他服务器上都可以正常运行,我只是在使用gitlab-ci管道来实现它时遇到问题...
当我在Mac上测试docker:dind并安装证书时,它工作正常,因此问题仅出在gitlab-ci管道中?也许dockerd在mount文件夹出现之前就已加载?
docker run -it --rm --privileged -v ~/.docker/certs.d/:/etc/docker/certs.d/ docker:dind sh
dockerd &
docker login https://gitlab.mazel.tov:4567
** it works **
如何在gitlab-ci管道中为自己的Docker注册表的dockerd提供自己的CA Root证书和SSL客户端证书(cert +密钥)?我有虚拟机(CentOS 7),并安装了docker和...
您找到解决问题的方法了吗?我目前有类似的问题