我一直在尝试将nexus3设置为docker images的私人注册表,nginx用作nexus3的反向代理。
我一直在遇到所有类型的错误,从被禁止到连接拒绝并尝试了所有参考步骤。
以下是我的配置。
我已经使用键(orgnexus.key(设置了一个自签名证书(orgnexus.crt(,并与Nginx相同的代理使用。
nexus配置了端口4444,docker托管的存储库配置为HTTPS端口6666。Nexus配置为在" server908 "上运行,而Docker在上运行" SERVER446"
以下是nginx的配置。
server {
listen 6666;
server_name server908.int.org.com;
keepalive_timeout 60;
ssl on;
ssl_certificate /etc/ssl/certs/orgnexus.crt;
ssl_certificate_key /etc/ssl/certs/orgnexus.key;
ssl_ciphers HIGH:!kEDH:!ADH:!MD5:@STRENGTH;
ssl_session_cache shared:TLSSSL:16m;
ssl_session_timeout 10m;
ssl_prefer_server_ciphers on;
client_max_body_size 1G;
chunked_transfer_encoding on;
location /v2/ {
access_log /var/log/nginx/docker.log;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto "https";
proxy_pass http://server908.int.org.com:4444/;
proxy_read_timeout 90;
}
location / {
access_log /var/log/nginx/docker.log;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto "https";
proxy_pass http://server908.int.org.com:4444/;
proxy_read_timeout 90;
}
}
相同的证书(orgnexus.crt(已在location/etc/docker/certs.d/server.int.int.org.com:6666中导入到docker服务器。
[root@server446 server908.int.org.com:6666]# ls -ltr
-rwxr-xr-x. 1 root root 2139 May 31 12:07 ca.crt
将Nexus CERT文件(orgnexus.crt(复制到>" server446" at location/et.pki/pki/pki/ca-trust/source/source/anchors/anchors/server.int.int.int.org.com.crt p>我们正在运行Docker版本1.12.6和Nexus 3.2.1-01。
当Docker服务处于活动状态时,此处的问题出现了。
Active: active (running) since Thu 2017-06-01 20:20:36 HKT; 15h ago
[root@server446 ~]# docker login server908.int.org.com:6666
Username (admin): admin
Password:
Error response from daemon: Get https://server908.int.org.com/v2/: Forbidden
但是,当我们使用Docker Service手动运行Docker Daemon时,同一命令成功通过。
[root@server446 ~]# docker login server908.int.org.com:6666
Username (admin): admin
Password:
Login Succeeded
" dockertest"是" server446"的用户名。
以下是Docker信息日志。
当守护程序用Docker客户端服务手动运行
Containers: 2
Running: 0
Paused: 0
Stopped: 2
Images: 2
Server Version: 1.12.6
Storage Driver: devicemapper
Pool Name: docker-253:8-131425-pool
Pool Blocksize: 65.54 kB
Base Device Size: 10.74 GB
Backing Filesystem: xfs
Data file: /dev/loop0
Metadata file: /dev/loop1
Data Space Used: 24.77 MB
Data Space Total: 107.4 GB
Data Space Available: 8.877 GB
Metadata Space Used: 602.1 kB
Metadata Space Total: 2.147 GB
Metadata Space Available: 2.147 GB
Thin Pool Minimum Free Space: 10.74 GB
Udev Sync Supported: true
Deferred Removal Enabled: false
Deferred Deletion Enabled: false
Deferred Deleted Device Count: 0
Data loop file: /var/lib/docker/devicemapper/devicemapper/data
WARNING: Usage of loopback devices is strongly discouraged for production use. Use `--storage-opt dm.thinpooldev` to specify a custom block storage device.
Metadata loop file: /var/lib/docker/devicemapper/devicemapper/metadata
Library Version: 1.02.135-RHEL7 (2016-11-16)
Logging Driver: json-file
Cgroup Driver: cgroupfs
Plugins:
Volume: local
Network: null overlay host bridge
Swarm: inactive
Runtimes: runc
Default Runtime: runc
Security Options: seccomp
Kernel Version: 3.10.0-514.10.2.el7.x86_64
Operating System: Red Hat Enterprise Linux Server 7.3 (Maipo)
OSType: linux
Architecture: x86_64
Number of Docker Hooks: 2
CPUs: 4
Total Memory: 7.64 GiB
Name: server446.int.org.com
ID: 3EMU:FC6L:454V:5WN4:BUXQ:AUVM:3E7D:T2TD:7G4M:AHS4:NAJ6:42OS
Docker Root Dir: /var/lib/docker
Debug Mode (client): false
Debug Mode (server): true
File Descriptors: 16
Goroutines: 23
System Time: 2017-06-05T12:04:47.223159468+08:00
EventsListeners: 0
Registry: https://index.docker.io/v1/
WARNING: bridge-nf-call-iptables is disabled
WARNING: bridge-nf-call-ip6tables is disabled
Insecure Registries:
server908.int.org.com:6666,x.y.z.232:6666
127.0.0.0/8
Registries: docker.io (secure)
使用Docker客户端服务。
Containers: 26
Running: 1
Paused: 0
Stopped: 25
Images: 12
Server Version: 1.12.6
Storage Driver: devicemapper
Pool Name: vg00-docker--pool
Pool Blocksize: 524.3 kB
Base Device Size: 10.74 GB
Backing Filesystem: xfs
Data file:
Metadata file:
Data Space Used: 4.749 GB
Data Space Total: 8.623 GB
Data Space Available: 3.874 GB
Metadata Space Used: 2.019 MB
Metadata Space Total: 134.2 MB
Metadata Space Available: 132.2 MB
Thin Pool Minimum Free Space: 861.9 MB
Udev Sync Supported: true
Deferred Removal Enabled: true
Deferred Deletion Enabled: false
Deferred Deleted Device Count: 0
Library Version: 1.02.135-RHEL7 (2016-11-16)
Logging Driver: journald
Cgroup Driver: systemd
Plugins:
Volume: local
Network: bridge overlay null host
Authorization: rhel-push-plugin
Swarm: inactive
Runtimes: docker-runc runc
Default Runtime: docker-runc
Security Options: seccomp selinux
Kernel Version: 3.10.0-514.10.2.el7.x86_64
Operating System: Red Hat Enterprise Linux Server 7.3 (Maipo)
OSType: linux
Architecture: x86_64
Number of Docker Hooks: 2
CPUs: 4
Total Memory: 7.64 GiB
Name: server446.int.org.com
ID: 3EMU:FC6L:454V:5WN4:BUXQ:AUVM:3E7D:T2TD:7G4M:AHS4:NAJ6:42OS
Docker Root Dir: /app/docker
Debug Mode (client): false
Debug Mode (server): true
File Descriptors: 24
Goroutines: 33
System Time: 2017-06-05T12:02:26.153754978+08:00
EventsListeners: 0
Http Proxy: http://10.10.120.98:3128
Https Proxy: http://10.10.120.98:3128
Registry: https://index.docker.io/v1/
WARNING: bridge-nf-call-iptables is disabled
WARNING: bridge-nf-call-ip6tables is disabled
Insecure Registries:
server908.int.org.com:6666,x.y.z.232:6666
127.0.0.0/8
Registries: docker.io (secure)
在守护程序日志(/var/log/daemon.log(中,我注意到了。
Jun 5 13:37:41 server446 dockerd-current[31151]: time="2017-06-05T13:37:41.837496046+08:00" level=debug msg="Calling POST /v1.24/auth"
Jun 5 13:37:41 server446 dockerd-current[31151]: time="2017-06-05T13:37:41.838840542+08:00" level=debug msg="form data: {"password":"*****","serveraddress":"server908.int.org.com:6666","username":"admin"}"
Jun 5 13:37:41 server446 dockerd-current[31151]: time="2017-06-05T13:37:41.842033018+08:00" level=info msg="{Action=auth, Username=dockertest, LoginUID=1960, PID=31397}"
Jun 5 13:37:41 server446 dockerd-current[31151]: time="2017-06-05T13:37:41.843339118+08:00" level=debug msg="AuthZ request using plugin rhel-push-plugin"
Jun 5 13:37:41 server446 dockerd-current[31151]: time="2017-06-05T13:37:41.845046779+08:00" level=debug msg="hostDir: /etc/docker/certs.d/server908.int.org.com:6666"
Jun 5 13:37:41 server446 dockerd-current[31151]: time="2017-06-05T13:37:41.875205677+08:00" level=debug msg="crt: /etc/docker/certs.d/server908.int.org.com:6666/ca.crt"
Jun 5 13:37:41 server446 dockerd-current[31151]: time="2017-06-05T13:37:41.875890502+08:00" level=debug msg="attempting v2 login to registry endpoint https://server908.int.org.com:6666/v2/"
Jun 5 13:37:41 server446 dockerd-current[31151]: time="2017-06-05T13:37:41.879260054+08:00" level=info msg="Error logging in to v2 endpoint, trying next endpoint: Get https://server908.int.org.com:6666/v2/: Forbidden"
Jun 5 13:37:41 server446 dockerd-current[31151]: time="2017-06-05T13:37:41.879318527+08:00" level=error msg="Handler for POST /v1.24/auth returned error: Get https://server908.int.org.com:6666/v2/: Forbidden"
Jun 5 13:37:41 server446 dockerd-current[31151]: time="2017-06-05T13:37:41.879342144+08:00" level=error msg="Handler for POST /v1.24/auth returned error: Get https://server908.int.org.com:6666/v2/: Forbidden"
我出错了哪里?它与Docker Group权限或NGINX或配置有关吗?我怀疑(来自Docker客户端计算机(的请求未达到NGINX(SERVER908(,并且正在Docker Client和Daemon之间进行旋转。
我能够解决该问题,并且能够在正确配置Nginx后登录Docker登录未与Nexus 3私人注册表
Nexus HTTP端口: 8082
docker托管仓库http端口: 4444
下面是我的Nginx配置。
server {
proxy_send_timeout 120;
proxy_read_timeout 300;
proxy_buffering off;
tcp_nodelay on;
server_tokens off;
client_max_body_size 1G;
listen 80;
server_name server908.int.org.com;
location / {
rewrite ^(.*) https://server908.int.org.com$1 permanent;
}
}
server {
listen 443;
server_name server908.int.org.com;
keepalive_timeout 60;
ssl on;
ssl_certificate /etc/ssl/certs/orgnexus.crt;
ssl_certificate_key /etc/ssl/certs/orgnexus.key;
ssl_ciphers HIGH:!kEDH:!ADH:!MD5:@STRENGTH;
ssl_session_cache shared:TLSSSL:16m;
ssl_session_timeout 10m;
ssl_prefer_server_ciphers on;
location / {
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto "https";
proxy_pass http://server908.int.org.com:8082;
proxy_read_timeout 90;
}
}
# correlates to your nexus http connector
server {
listen 6666;
server_name server908.int.org.com;
keepalive_timeout 60;
ssl on;
ssl_certificate /etc/ssl/certs/orgnexus.crt;
ssl_certificate_key /etc/ssl/certs/orgnexus.key;
ssl_ciphers HIGH:!kEDH:!ADH:!MD5:@STRENGTH;
ssl_session_cache shared:TLSSSL:16m;
ssl_session_timeout 10m;
ssl_prefer_server_ciphers on;
client_max_body_size 1G;
chunked_transfer_encoding on;
location / {
access_log /var/log/nginx/docker.log;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto "https";
proxy_pass http://server908.int.org.com:4444;
proxy_read_timeout 90;
}
}