Docker login works only with the daemon, not with the active Docker service

Problem description (votes: 1, answers: 1)

I have been trying to set up nexus3 as a private registry for Docker images, with nginx used as a reverse proxy for nexus3.

I have run into every kind of error from Forbidden to Connection Refused, and have tried all the steps from the references.

Below is my configuration.

I have set up a self-signed certificate (orgnexus.crt) with its key (orgnexus.key) and use the same for the nginx reverse proxy.

Nexus is configured with port 4444 and the docker hosted repo is configured with https port 6666. Nexus is configured to run on "server908" while docker runs on "server446".

Below is the nginx configuration.

server {

    listen 6666;
    server_name server908.int.org.com;
    keepalive_timeout 60;

    ssl on;
    ssl_certificate /etc/ssl/certs/orgnexus.crt;
    ssl_certificate_key /etc/ssl/certs/orgnexus.key;
    ssl_ciphers HIGH:!kEDH:!ADH:!MD5:@STRENGTH;
    ssl_session_cache shared:TLSSSL:16m;
    ssl_session_timeout 10m;
    ssl_prefer_server_ciphers on;

    client_max_body_size 1G;
    chunked_transfer_encoding on;

    location /v2/ {

            access_log              /var/log/nginx/docker.log;
            proxy_set_header        Host $http_host;
            proxy_set_header        X-Real-IP $remote_addr;
            proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header        X-Forwarded-Proto "https";
            proxy_pass              http://server908.int.org.com:4444/;
            proxy_read_timeout      90;
    }

    location / {

            access_log              /var/log/nginx/docker.log;
            proxy_set_header        Host $http_host;
            proxy_set_header        X-Real-IP $remote_addr;
            proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header        X-Forwarded-Proto "https";
            proxy_pass              http://server908.int.org.com:4444/;
            proxy_read_timeout      90;
    }
}

The same certificate (orgnexus.crt) has been imported on the docker server at /etc/docker/certs.d/server.int.org.com:6666.

[root@server446 server908.int.org.com:6666]# ls -ltr
-rwxr-xr-x. 1 root root 2139 May 31 12:07 ca.crt

The nexus certificate file (orgnexus.crt) was copied to "server446" at /etc/pki/ca-trust/source/anchors/server.int.org.com.crt

We are running docker version 1.12.6 and nexus 3.2.1-01.

The problem occurs when the docker service is active.

Active: active (running) since Thu 2017-06-01 20:20:36 HKT; 15h ago
[root@server446 ~]# docker login server908.int.org.com:6666
Username (admin): admin
Password:
Error response from daemon: Get https://server908.int.org.com/v2/: Forbidden

But when we run the docker daemon manually and stop the docker service, the same command completes successfully.

[root@server446 ~]# docker login server908.int.org.com:6666
Username (admin): admin
Password:
Login Succeeded

"dockertest" is the username on "server446".

Below are the docker info logs.

When the daemon is run manually (Docker client service):

Containers: 2
 Running: 0
 Paused: 0
 Stopped: 2
Images: 2
Server Version: 1.12.6
Storage Driver: devicemapper
 Pool Name: docker-253:8-131425-pool
 Pool Blocksize: 65.54 kB
 Base Device Size: 10.74 GB
 Backing Filesystem: xfs
 Data file: /dev/loop0
 Metadata file: /dev/loop1
 Data Space Used: 24.77 MB
 Data Space Total: 107.4 GB
 Data Space Available: 8.877 GB
 Metadata Space Used: 602.1 kB
 Metadata Space Total: 2.147 GB
 Metadata Space Available: 2.147 GB
 Thin Pool Minimum Free Space: 10.74 GB
 Udev Sync Supported: true
 Deferred Removal Enabled: false
 Deferred Deletion Enabled: false
 Deferred Deleted Device Count: 0
 Data loop file: /var/lib/docker/devicemapper/devicemapper/data
 WARNING: Usage of loopback devices is strongly discouraged for production use. Use `--storage-opt dm.thinpooldev` to specify a custom block storage device.
 Metadata loop file: /var/lib/docker/devicemapper/devicemapper/metadata
 Library Version: 1.02.135-RHEL7 (2016-11-16)
Logging Driver: json-file
Cgroup Driver: cgroupfs
Plugins:
 Volume: local
 Network: null overlay host bridge
Swarm: inactive
Runtimes: runc
Default Runtime: runc
Security Options: seccomp
Kernel Version: 3.10.0-514.10.2.el7.x86_64
Operating System: Red Hat Enterprise Linux Server 7.3 (Maipo)
OSType: linux
Architecture: x86_64
Number of Docker Hooks: 2
CPUs: 4
Total Memory: 7.64 GiB
Name: server446.int.org.com
ID: 3EMU:FC6L:454V:5WN4:BUXQ:AUVM:3E7D:T2TD:7G4M:AHS4:NAJ6:42OS
Docker Root Dir: /var/lib/docker
Debug Mode (client): false
Debug Mode (server): true
 File Descriptors: 16
 Goroutines: 23
 System Time: 2017-06-05T12:04:47.223159468+08:00
 EventsListeners: 0
Registry: https://index.docker.io/v1/
WARNING: bridge-nf-call-iptables is disabled
WARNING: bridge-nf-call-ip6tables is disabled
Insecure Registries:
 server908.int.org.com:6666,x.y.z.232:6666
 127.0.0.0/8
Registries: docker.io (secure)

When using the Docker client service:

Containers: 26
 Running: 1
 Paused: 0
 Stopped: 25
Images: 12
Server Version: 1.12.6
Storage Driver: devicemapper
 Pool Name: vg00-docker--pool
 Pool Blocksize: 524.3 kB
 Base Device Size: 10.74 GB
 Backing Filesystem: xfs
 Data file:
 Metadata file:
 Data Space Used: 4.749 GB
 Data Space Total: 8.623 GB
 Data Space Available: 3.874 GB
 Metadata Space Used: 2.019 MB
 Metadata Space Total: 134.2 MB
 Metadata Space Available: 132.2 MB
 Thin Pool Minimum Free Space: 861.9 MB
 Udev Sync Supported: true
 Deferred Removal Enabled: true
 Deferred Deletion Enabled: false
 Deferred Deleted Device Count: 0
 Library Version: 1.02.135-RHEL7 (2016-11-16)
Logging Driver: journald
Cgroup Driver: systemd
Plugins:
 Volume: local
 Network: bridge overlay null host
 Authorization: rhel-push-plugin
Swarm: inactive
Runtimes: docker-runc runc
Default Runtime: docker-runc
Security Options: seccomp selinux
Kernel Version: 3.10.0-514.10.2.el7.x86_64
Operating System: Red Hat Enterprise Linux Server 7.3 (Maipo)
OSType: linux
Architecture: x86_64
Number of Docker Hooks: 2
CPUs: 4
Total Memory: 7.64 GiB
Name: server446.int.org.com
ID: 3EMU:FC6L:454V:5WN4:BUXQ:AUVM:3E7D:T2TD:7G4M:AHS4:NAJ6:42OS
Docker Root Dir: /app/docker
Debug Mode (client): false
Debug Mode (server): true
 File Descriptors: 24
 Goroutines: 33
 System Time: 2017-06-05T12:02:26.153754978+08:00
 EventsListeners: 0
Http Proxy: http://10.10.120.98:3128
Https Proxy: http://10.10.120.98:3128
Registry: https://index.docker.io/v1/
WARNING: bridge-nf-call-iptables is disabled
WARNING: bridge-nf-call-ip6tables is disabled
Insecure Registries:
 server908.int.org.com:6666,x.y.z.232:6666
 127.0.0.0/8
Registries: docker.io (secure)

In the daemon log (/var/log/daemon.log) I noticed this.

Jun  5 13:37:41 server446 dockerd-current[31151]: time="2017-06-05T13:37:41.837496046+08:00" level=debug msg="Calling POST /v1.24/auth"
Jun  5 13:37:41 server446 dockerd-current[31151]: time="2017-06-05T13:37:41.838840542+08:00" level=debug msg="form data: {\"password\":\"*****\",\"serveraddress\":\"server908.int.org.com:6666\",\"username\":\"admin\"}"
Jun  5 13:37:41 server446 dockerd-current[31151]: time="2017-06-05T13:37:41.842033018+08:00" level=info msg="{Action=auth, Username=dockertest, LoginUID=1960, PID=31397}"
Jun  5 13:37:41 server446 dockerd-current[31151]: time="2017-06-05T13:37:41.843339118+08:00" level=debug msg="AuthZ request using plugin rhel-push-plugin"
Jun  5 13:37:41 server446 dockerd-current[31151]: time="2017-06-05T13:37:41.845046779+08:00" level=debug msg="hostDir: /etc/docker/certs.d/server908.int.org.com:6666"
Jun  5 13:37:41 server446 dockerd-current[31151]: time="2017-06-05T13:37:41.875205677+08:00" level=debug msg="crt: /etc/docker/certs.d/server908.int.org.com:6666/ca.crt"
Jun  5 13:37:41 server446 dockerd-current[31151]: time="2017-06-05T13:37:41.875890502+08:00" level=debug msg="attempting v2 login to registry endpoint https://server908.int.org.com:6666/v2/"
Jun  5 13:37:41 server446 dockerd-current[31151]: time="2017-06-05T13:37:41.879260054+08:00" level=info msg="Error logging in to v2 endpoint, trying next endpoint: Get https://server908.int.org.com:6666/v2/: Forbidden"
Jun  5 13:37:41 server446 dockerd-current[31151]: time="2017-06-05T13:37:41.879318527+08:00" level=error msg="Handler for POST /v1.24/auth returned error: Get https://server908.int.org.com:6666/v2/: Forbidden"
Jun  5 13:37:41 server446 dockerd-current[31151]: time="2017-06-05T13:37:41.879342144+08:00" level=error msg="Handler for POST /v1.24/auth returned error: Get https://server908.int.org.com:6666/v2/: Forbidden"

Where am I going wrong? Is it something related to docker group permissions, or to nginx, or to the configuration? I suspect the request (from the docker client machine) is not reaching nginx (server908) and is being translated somewhere between the docker client and the daemon.

nginx docker https nexus docker-registry
1 Answer

0 votes

I was able to resolve the problem and log in after configuring nginx with proper reference to docker login not working with nexus 3 private registry.

Nexus HTTP port: 8082

Docker Hosted Repo HTTP port: 4444

Below is my nginx configuration.

server {

    proxy_send_timeout 120;
    proxy_read_timeout 300;
    proxy_buffering    off;
    tcp_nodelay        on;

    server_tokens off;
    client_max_body_size 1G;

    listen 80;
    server_name server908.int.org.com;
    location / {
          rewrite ^(.*) https://server908.int.org.com$1 permanent;
    }
}

server {

    listen 443;
    server_name server908.int.org.com;
    keepalive_timeout 60;
    ssl on;
    ssl_certificate /etc/ssl/certs/orgnexus.crt;
    ssl_certificate_key /etc/ssl/certs/orgnexus.key;
    ssl_ciphers HIGH:!kEDH:!ADH:!MD5:@STRENGTH;
    ssl_session_cache shared:TLSSSL:16m;
    ssl_session_timeout 10m;
    ssl_prefer_server_ciphers on;

    location / {

      proxy_set_header        Host $http_host;
      proxy_set_header        X-Real-IP $remote_addr;
      proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header        X-Forwarded-Proto "https";
      proxy_pass              http://server908.int.org.com:8082;
      proxy_read_timeout      90;

    }
}

# correlates to your nexus http connector
server {

    listen 6666;
    server_name server908.int.org.com;
    keepalive_timeout 60;
    ssl on;
    ssl_certificate /etc/ssl/certs/orgnexus.crt;
    ssl_certificate_key /etc/ssl/certs/orgnexus.key;
    ssl_ciphers HIGH:!kEDH:!ADH:!MD5:@STRENGTH;
    ssl_session_cache shared:TLSSSL:16m;
    ssl_session_timeout 10m;
    ssl_prefer_server_ciphers on;
    client_max_body_size 1G;
    chunked_transfer_encoding on;

    location / {

      access_log              /var/log/nginx/docker.log;
      proxy_set_header        Host $http_host;
      proxy_set_header        X-Real-IP $remote_addr;
      proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header        X-Forwarded-Proto "https";
      proxy_pass              http://server908.int.org.com:4444;
      proxy_read_timeout      90;

    }
}
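One concrete difference between the failing and the working 6666 server blocks is the trailing slash on proxy_pass: in the question's config, location /v2/ forwards to http://server908.int.org.com:4444/, which under nginx's proxy_pass rule replaces the matched /v2/ prefix with /, while the answer's config has no URI part on proxy_pass and passes the request URI through unchanged. The Python below is an added example (not code from the question, the answer, or nginx itself) that models that rule for prefix locations and runs it over both configs from this page.

```python
# Added example: models nginx's proxy_pass URI rewriting rule for prefix
# locations to show what the Docker registry path "/v2/" becomes upstream
# under the two configs on this page. Rule (nginx docs): if proxy_pass
# carries a URI part ("/" counts), the part of the request URI that matched
# the location prefix is replaced by that URI; if it carries none, the
# request URI is forwarded unchanged. Regex locations are not modelled.
from urllib.parse import urlsplit


def longest_prefix_location(locations, request_uri):
    """Pick the prefix location nginx would select: the longest match."""
    matches = [loc for loc in locations if request_uri.startswith(loc)]
    if not matches:
        raise ValueError(f"no location matches {request_uri}")
    return max(matches, key=len)


def upstream_uri(location, proxy_pass, request_uri):
    """Return the URI nginx sends upstream for request_uri under location."""
    parts = urlsplit(proxy_pass)
    if parts.path:  # proxy_pass has a URI part: matched prefix is replaced
        return parts.path + request_uri[len(location):]
    return request_uri  # no URI part: forwarded exactly as the client sent it


def forward(config, request_uri):
    """config maps location prefix -> proxy_pass, as in one nginx server block."""
    loc = longest_prefix_location(config, request_uri)
    return upstream_uri(loc, config[loc], request_uri)


# The question's "listen 6666" block: trailing "/" on proxy_pass in both locations.
FAILING = {
    "/v2/": "http://server908.int.org.com:4444/",
    "/": "http://server908.int.org.com:4444/",
}
# The answer's "listen 6666" block: one location, no URI part on proxy_pass.
WORKING = {
    "/": "http://server908.int.org.com:4444",
}

if __name__ == "__main__":
    for name, cfg in (("failing", FAILING), ("working", WORKING)):
        for uri in ("/v2/", "/v2/myimage/manifests/latest"):
            print(f"{name}: {uri} -> {forward(cfg, uri)}")
```

The two docker info dumps on this page also differ in Http Proxy / Https Proxy, which only the service-run daemon reports, so whether the registry host is excluded from that proxy is a separate check from the URI rewriting shown here.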