
Using Nexus as a private Docker registry

Posted on 2019-12-17 17:30 by zouyq  Reads (1027)  Comments (0)

I set up Nexus with Docker on a VPS and, while at it, use it as a private Docker registry.


Edit /etc/docker/daemon.json and add the address of the Nexus Docker hosted repository, xxxx:port, to the insecure registries (the key is "insecure-registries", plural, and its value is a list). docker login nevertheless kept failing with:

Error response from daemon: Get https://bj1.com:8082/v2/: http: server gave HTTP response to HTTPS client

After a lot of Google and Baidu searching, the advice online was that the insecure-registries entry in /etc/docker/daemon.json must not carry an https:// prefix. I had not added one, and the error persisted. (Worth knowing: for a registry that really is on the daemon's insecure list, Docker tries HTTPS first and falls back to plain HTTP, so this particular error means the daemon is not treating that host:port as insecure at all; `docker info` prints the list it actually applied under "Insecure Registries", and the daemon must be restarted after daemon.json is edited.) I gave up on that route and set up an nginx proxy that terminates HTTPS and forwards to HTTP instead.

Surely that works? Start nginx with Docker:

docker run --rm -d --network host --name my_nginx nginx

Then copy the configuration directory out of the nginx container to /home, since the nginx configuration will be edited next:

# the container started above was named my_nginx, so that is the name to copy from
docker cp my_nginx:/etc/nginx /home/

Generate the certificate and private key in /home/nginx/serc (I filled the certificate fields with junk here, which causes a problem described further down):

# generate the private key
openssl genrsa -out privkey.pem 2048
# generate a self-signed certificate from it
openssl req -new -x509 -key privkey.pem -out server.pem -days 365

Edit the nginx configuration to reverse-proxy HTTPS to HTTP: create a nexus.conf in the nginx/conf.d directory:

server {
    listen 18082 ssl;
    server_name bj1.com;
    # certificate location (the paths the certificate was generated into, as seen inside the container mount)
    ssl_certificate     /etc/nginx/serc/server.pem;
    ssl_certificate_key /etc/nginx/serc/privkey.pem;

    # ssl_session_cache    shared:SSL:1m;
    ssl_session_timeout  5m;
    # protocol configuration: TLS 1.0 and 1.1 are deprecated (RFC 8996), so only 1.2 and 1.3 are allowed
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE;

    # forward to the plain-HTTP Nexus port
    location / {
        proxy_pass http://bj1.com:8082;
    }
}

Restart nginx (don't forget to mount /home/nginx). Stop the throw-away container first: it uses the host network as well, so a second nginx would fail to bind port 80.

docker stop my_nginx
# --network host uses the host's network stack directly, so other applications can be reverse-proxied later without port mappings
docker run -it -v /home/nginx:/etc/nginx/ --name nginx --network host nginx

HTTPS is now proxied onto the existing plain-HTTP port 8082. (Note that 8082 itself is still reachable in the clear; bind it to 127.0.0.1 or firewall it, otherwise credentials can still be sent over plain HTTP and the TLS front end gains nothing.) Next, continue configuring the private registry with docker login, which fails again:

Username: admin
Password: 
Error response from daemon: Get https://xxx.com:18082/v2/: x509: certificate is not valid for any names, but wanted to match xxx.com

A curl check suggests a certificate problem:

root@DESKTOP-KMP2DN2:/home/zyq# curl  https://xxx1.com:18082/v2/
curl: (60) SSL certificate problem: self signed certificate
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

After trusting the certificate it still fails; the certificate evidently was not issued for the domain name:

root@DESKTOP-KMP2DN2:/home/serc# sudo cp bj1server.crt /usr/local/share/ca-certificates
root@DESKTOP-KMP2DN2:/home/serc#  update-ca-certificates
Updating certificates in /etc/ssl/certs...
1 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...
done.
root@DESKTOP-KMP2DN2:/home/serc# curl  https://bj1.com:18082/v2/
curl: (51) SSL: unable to obtain common name from peer certificate
root@DESKTOP-KMP2DN2:/home/serc# docker login bj1.com:18082
Username: admin
Password: 
Error response from daemon: Get https://bj1.com:18082/v2/: x509: certificate is not valid for any names, but wanted to match bj1.com

I tried logging in with the IP address instead; still fails:

root@DESKTOP-KMP2DN2:/home/serc# docker login 49xxx48:18082
Username: admin
Password: 
Error response from daemon: Get https://4xxx8.148:18082/v2/: x509: cannot validate certificate for 4xxxxxx.148 because it doesn't contain any IP SANs
root@DESKTOP-KMP2DN2:/home/serc# 

Recreate the certificate for the domain bj1.com properly; no junk values this time:

root@VM-0-9-ubuntu:/home/nginx/serc/new# openssl genrsa -out privkey.pem 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
..........................+++++
.+++++
e is 65537 (0x010001)
root@VM-0-9-ubuntu:/home/nginx/serc/new# openssl req -new -x509 -key privkey.pem -out server.pem -days 365
Can't load /root/.rnd into RNG
140629673918912:error:2406F079:random number generator:RAND_load_file:Cannot open file:../crypto/rand/randfile.c:88:Filename=/root/.rnd
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:a
string is too short, it needs to be at least 2 bytes long
Country Name (2 letter code) [AU]:a
string is too short, it needs to be at least 2 bytes long
Country Name (2 letter code) [AU]:a
string is too short, it needs to be at least 2 bytes long
Country Name (2 letter code) [AU]:df
State or Province Name (full name) [Some-State]:fd
Locality Name (eg, city) []:fd
Organization Name (eg, company) [Internet Widgits Pty Ltd]:fd
Organizational Unit Name (eg, section) []:fd
Common Name (e.g. server FQDN or YOUR name) []:bj1.com
Email Address []:df

Note that when creating the certificate, Common Name (e.g. server FQDN or YOUR name) []: must be the registry's hostname, bj1.com here. (Matching on the Common Name alone only works with the Go toolchain Docker was built with at the time; since Go 1.15 the CN is ignored for name matching and the hostname, or the IP, must appear in a subjectAltName extension, which is also what the "doesn't contain any IP SANs" error above is asking for.) Then repeat the earlier steps: copy the new files into /home/nginx/serc, restart nginx, and trust the new certificate on the client.

root@DESKTOP-KMP2DN2:/home/serc# curl  https://bj1.com:18082/v2/
{"errors":[{"code":"UNAUTHORIZED","message":"access to the requested resource is not authorized","detail":null}]}
root@DESKTOP-KMP2DN2:/home/serc# docker login bj1.com:18082
Username: admin
Password: 
Error response from daemon: Get https://bj1.com:18082/v2/: x509: certificate signed by unknown authority
root@DESKTOP-KMP2DN2:/home/serc# 

curl is fine now, but docker login still reports a certificate signed by an unknown authority. The two do not share a trust store: docker login is carried out by the daemon, and a native dockerd loads the system roots once at startup (so it needs a restart after update-ca-certificates), while a daemon running in a VM (for example Docker Desktop used from WSL) never sees the WSL CA bundle at all. The fix that keeps verification switched on is to place the certificate at /etc/docker/certs.d/bj1.com:18082/ca.crt on the machine where the daemon runs.

I changed /etc/docker/daemon.json to "insecure-registries": ["bj1.com:18082"] (I had switched it to the IP earlier), restarted Docker and logged in again. Note that this does not make Docker trust the certificate; it makes Docker skip certificate verification for that registry, so it is a stopgap rather than a final state. Login still failed, but with a different error:

root@DESKTOP-KMP2DN2:/etc# docker login bj1.com:18082
Username: admin
Password: 
Error response from daemon: login attempt to https://bj1.com:18082/v2/ failed with status: 401 Unauthorized

It turns out there is one more step (https://stackoverflow.com/questions/54826047/401-unauthorized-error-while-login-into-nexus-docker-registry): in Nexus, under Administration > Security > Realms, the Docker Bearer Token Realm has to be added to the active realms, otherwise every docker login is answered with 401.

Finally the login succeeds (the warning is worth acting on: without a credential helper the password is stored base64-encoded, not encrypted, in ~/.docker/config.json):

root@DESKTOP-KMP2DN2:/etc# docker login bj1.com:18082
Username: admin
Password: 
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded
root@DESKTOP-KMP2DN2:/etc# 

Try pushing an image:

docker tag bj1.com:18080/zouyq/springcloud-config bj1.com:18082/zouyq/springcloud-config
docker push bj1.com:18082/zouyq/springcloud-config

Another error:

edf1195b0d39: Pushing [==================================================>]  30.63MB/30.63MB
22fad1a62612: Pushing [==================================================>]   2.56kB
1a5572e30f8e: Pushing [==================================================>]   2.56kB
f2deb1ddcd80: Pushing [==================================================>]   2.56kB
3d1f9bd75481: Pushing [==================================================>]  104.6MB/104.6MB
4558483e2b61: Waiting 
ac06742e2f8b: Waiting 
73bfa217d66f: Waiting 
91ecdd7165d3: Waiting 
e4b20fcc48f4: Waiting 
error parsing HTTP 413 response body: invalid character '<' looking for beginning of value: "<html>\r\n<head><title>413 Request Entity Too Large</title></head>\r\n<body>\r\n<center><h1>413 Request Entity Too Large</h1></center>\r\n<hr><center>nginx/1.17.6</center>\r\n</body>\r\n</html>\r\n"


The upload is too large for nginx's default request-body limit of 1 MB. After a Baidu search I added client_max_body_size 500m to the http block of nginx.conf (maximum 500 MB), restarted the nginx container with docker restart, and the push went through. For a registry a fixed cap bites again the first time a layer exceeds it; Docker's own nginx recipe for registries uses client_max_body_size 0, which disables the limit, and the directive can equally sit in the server block of nexus.conf so that it applies to the registry only.
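The pieces this post arrives at one error at a time, collected in one added example that is not from the original post or from Docker, Nexus or nginx: a shell script that generates a self-signed certificate with a subjectAltName for the hostname and the IP (which removes both the "not valid for any names" and the "doesn't contain any IP SANs" error and is what current Docker builds require, since they ignore the CN), checks which names it matches with openssl x509 -checkhost/-checkip, installs it as a per-registry trust anchor under /etc/docker/certs.d instead of marking the registry insecure, and writes the nginx vhost with TLS 1.2+ only, no body-size cap and the forwarded headers. The host bj1.com and the ports 18082 and 8082 are from the post; the IP 203.0.113.10, the directory layout, the cipher list and Nexus listening on the same host as nginx (hence 127.0.0.1) are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post: provision a registry
# certificate, the Docker trust anchor and the nginx vhost in one go.
# From the post: host bj1.com, nginx TLS port 18082, Nexus hosted port 8082.
# Assumed: the IP 203.0.113.10 (TEST-NET-3), the output paths, the cipher list.
set -eu

# Self-signed server certificate with a subjectAltName covering both the DNS
# name and the IP. dockerd's Go TLS stack matches names against the SAN (Go
# 1.15+ ignores the CN entirely), so this is what prevents both
# "certificate is not valid for any names" and "doesn't contain any IP SANs".
# No keyUsage is set on purpose: OpenSSL only treats a self-signed cert as its
# own trust anchor if keyUsage is absent or includes keyCertSign.
gen_registry_cert() {
    dir=$1 host=$2 ip=$3
    mkdir -p "$dir"
    cat >"$dir/san.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_srv
[dn]
CN = $host
[v3_srv]
subjectAltName = DNS:$host, IP:$ip
extendedKeyUsage = serverAuth
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -config "$dir/san.cnf" -keyout "$dir/privkey.pem" -out "$dir/server.pem" \
        >/dev/null 2>&1
}

# The SAN line as openssl prints it, e.g. "DNS:bj1.com, IP Address:203.0.113.10".
cert_san() {
    openssl x509 -in "$1" -noout -text |
        awk '/Subject Alternative Name/ { getline; sub(/^ +/, ""); print; exit }'
}

# The same name check docker login performs once the cert is trusted: exit 0
# when the dialled hostname / IP is covered by the certificate, 1 otherwise.
cert_valid_for_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" | grep -q ' does match '
}
cert_valid_for_ip() {
    openssl x509 -in "$1" -noout -checkip "$2" | grep -q ' does match '
}

# Per-registry trust anchor: <root>/etc/docker/certs.d/<host:port>/ca.crt.
# Unlike "insecure-registries", this keeps certificate verification switched on.
install_docker_ca() {
    root=$1 cert=$2 registry=$3
    mkdir -p "$root/etc/docker/certs.d/$registry"
    cp "$cert" "$root/etc/docker/certs.d/$registry/ca.crt"
}

# nginx vhost for the registry: TLS 1.2+ only, no request-body cap (image
# layers outgrow any fixed client_max_body_size sooner or later) and the
# forwarded headers Nexus needs to build correct URLs from behind a proxy.
write_nexus_conf() {
    out=$1 host=$2 listen_port=$3 nexus_port=$4
    cat >"$out" <<EOF
server {
    listen $listen_port ssl;
    server_name $host;
    ssl_certificate     /etc/nginx/serc/server.pem;
    ssl_certificate_key /etc/nginx/serc/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers off;
    ssl_session_timeout 5m;
    client_max_body_size 0;
    chunked_transfer_encoding on;
    location / {
        proxy_pass http://127.0.0.1:$nexus_port;
        proxy_set_header Host \$http_host;
        proxy_set_header X-Real-IP \$remote_addr;
        proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        proxy_read_timeout 900;
    }
}
EOF
}

# Usage: sh provision.sh provision /home/nginx   (run on the VPS as root)
if [ "${1:-}" = provision ]; then
    gen_registry_cert "$2/serc" bj1.com 203.0.113.10
    install_docker_ca / "$2/serc/server.pem" bj1.com:18082
    write_nexus_conf "$2/conf.d/nexus.conf" bj1.com 18082 8082
    echo "certificate covers: $(cert_san "$2/serc/server.pem")"
fi
```

After running it on the VPS, restart the nginx container so it picks up the new certificate and vhost, and copy server.pem to /etc/docker/certs.d/bj1.com:18082/ca.crt on every client machine whose daemon should trust the registry; curl on those clients still needs the certificate in its own store (update-ca-certificates) or passed with --cacert, because it does not read certs.d.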


The image is now pushed.