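K8S Study Notes: Using HTTP Instead of HTTPS with a Docker Registry
0x00 Overview
In a local debugging environment, the docker registry does not need HTTPS, which avoids a more complicated setup.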
0x01 The default HTTPS transport problem
The docker registry uses HTTPS by default, so operations against a private registry served over plain HTTP fail with the following error:
vm01@root:~$ docker push 172.16.16.3:5000/alpine:v1.0
The push refers to repository [172.16.16.3:5000/alpine]
Get https://172.16.16.3:5000/v2/: http: server gave HTTP response to HTTPS client
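0x02 Modify the docker registry configuration
Add the private registry to docker's daemon.json file (do this on every node of the K8S cluster):
vm01@shenzhen:~$ cat /etc/docker/daemon.json
{
  "registry-mirrors": ["https://834kie09.mirror.aliyuncs.com"],
  "insecure-registries": ["172.16.16.3:5000"]
}
The daemon.json key is insecure-registries (plural). Configure the registry either here or through the --insecure-registry flag in 0x03, not in both places: dockerd fails to start when the same option is set in daemon.json and on its command line.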
0x03 Modify the docker.service configuration
Add the private registry to docker's docker.service file (do this on every node of the K8S cluster):
vm01@root:~$ cat /lib/systemd/system/docker.service
[Unit]
Description=Docker Application Container Engine
Documentation=https://docs.docker.com
BindsTo=containerd.service
After=network-online.target firewalld.service containerd.service
Wants=network-online.target
Requires=docker.socket

[Service]
Type=notify
# the default is not to use systemd for cgroups because the delegate issues still
# exists and systemd currently does not support the cgroup feature set required
# for containers run by docker
ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock --insecure-registry 172.16.16.3:5000
ExecReload=/bin/kill -s HUP $MAINPID
TimeoutSec=0
RestartSec=2
Restart=always

# Note that StartLimit* options were moved from "Service" to "Unit" in systemd 229.
# Both the old, and new location are accepted by systemd 229 and up, so using the old location
# to make them work for either version of systemd.
StartLimitBurst=3

# Note that StartLimitInterval was renamed to StartLimitIntervalSec in systemd 230.
# Both the old, and new name are accepted by systemd 230 and up, so using the old name to make
# this option work for either version of systemd.
StartLimitInterval=60s

# Having non-zero Limit*s causes performance problems due to accounting overhead
# in the kernel. We recommend using cgroups to do container-local accounting.
LimitNOFILE=infinity
LimitNPROC=infinity
LimitCORE=infinity

# Comment TasksMax if your systemd version does not support it.
# Only systemd 226 and above support this option.
TasksMax=infinity

# set delegate yes so that systemd does not reset the cgroups of docker containers
Delegate=yes

# kill only the docker process, not all processes in the cgroup
KillMode=process

[Install]
WantedBy=multi-user.target
0x04 Restart the docker service
Restart the docker service on each node so that it loads the new configuration:
systemctl daemon-reload
systemctl restart docker
On a node, verify push and pull against the private registry:
docker push 172.16.16.3:5000/nginx_ss:v1.2
docker pull 172.16.16.3:5000/nginx_ss:v1.2
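
An added example (not part of the original notes): a Python check to run over each node's daemon.json and docker.service text, reporting a misspelled key, the registry being set in both places, and any plain-HTTP registry other than the expected one. The function names and the `expected` allowlist are assumptions of this example, and ExecStart lines continued with a backslash are not handled.

```python
import json
import shlex

def flag_registries(unit_text):
    """Collect --insecure-registry values from ExecStart= lines of a unit file."""
    found = []
    for line in unit_text.splitlines():
        line = line.strip()
        if not line.startswith("ExecStart="):
            continue
        args = shlex.split(line[len("ExecStart="):])
        for i, arg in enumerate(args):
            if arg == "--insecure-registry" and i + 1 < len(args):
                found.append(args[i + 1])
            elif arg.startswith("--insecure-registry="):
                found.append(arg.split("=", 1)[1])
    return found

def audit_node(daemon_json_text, unit_text, expected):
    """Return a list of findings for one node's docker configuration."""
    cfg = json.loads(daemon_json_text)
    from_file = cfg.get("insecure-registries", [])
    from_flag = flag_registries(unit_text)
    findings = []
    if "insecure-registry" in cfg:
        findings.append("daemon.json uses 'insecure-registry'; the key is 'insecure-registries'")
    if "insecure-registries" in cfg and from_flag:
        findings.append("set in both daemon.json and ExecStart: dockerd will refuse to start")
    # Every registry allowed to skip TLS should be one the operator expects.
    for reg in sorted(set(from_file) | set(from_flag)):
        if reg not in expected:
            findings.append(f"unexpected plain-HTTP registry: {reg}")
    if not from_file and not from_flag:
        findings.append("no insecure registry configured: push to an HTTP registry will fail")
    return findings

# Constructed sample input modelled on the two files shown above.
SAMPLE_DAEMON_JSON = ('{"registry-mirrors": ["https://834kie09.mirror.aliyuncs.com"], '
                      '"insecure-registries": ["172.16.16.3:5000"]}')
SAMPLE_UNIT = ("[Service]\nExecStart=/usr/bin/dockerd -H fd:// "
               "--containerd=/run/containerd/containerd.sock "
               "--insecure-registry 172.16.16.3:5000\n")

if __name__ == "__main__":
    for finding in audit_node(SAMPLE_DAEMON_JSON, SAMPLE_UNIT, {"172.16.16.3:5000"}):
        print(finding)
```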