Preface
Harbor is an open-source container image registry designed for enterprise users. It includes role-based access control (RBAC), LDAP integration, auditing, vulnerability scanning, image signing and verification, a management UI, self-registration, HA and the other features an enterprise needs, plus image replication and Chinese-language support designed around the needs of Chinese users.
I set up a private Harbor registry on a local server and configured external access to it. A few problems came up while using it, and I am recording them here.
System environment at the time this guide was written
Harbor (v2.6.0-b035ca7c)
Docker Engine - Community (20.10.6)
CentOS (7.9.2009)
Installing Harbor is straightforward and the official guide, Harbor Installation and Configuration, is thorough; following it step by step works without trouble.
Harbor configuration (the relevant parts)
Because external access was needed, I changed hostname and added a certificate; configure anything else you need yourself.
root@harbor:/usr/local/harbor# cat harbor.yml
# Configuration file of Harbor

# The IP address or hostname to access admin UI and registry service.
# DO NOT use localhost or 127.0.0.1, because Harbor needs to be accessed by external clients.
# Change this to the domain name clients will use
hostname: registry.icoeus.com

# http related config
http:
  # port for http, default is 80. If https enabled, this port will redirect to https port
  # The default port 80 is used here
  port: 80

# https related config
https:
  # https port for harbor, default is 443
  # The default port 443 is used here
  port: 443
  # The path of cert and key files for nginx
  # Change these to where the certificate and key are stored on this host
  certificate: /usr/local/harbor/ca/server.crt
  private_key: /usr/local/harbor/ca/server.key
The private key should be readable only by root (chmod 600 /usr/local/harbor/ca/server.key); with the certificate in place, nginx redirects port 80 to 443, so every client connection ends up on https.
Logging in to Harbor from a client
Log in directly with docker login registry.icoeus.com; at this point daemon.json has not been modified.
[root@localhost ~]# docker login registry.icoeus.com
Username: root
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
The warning is worth acting on rather than ignoring: the credentials are written to /root/.docker/config.json base64-encoded, not encrypted, so anyone who can read that file can reuse them. Configure a credential helper, use --password-stdin rather than -p when scripting so the password does not land in the shell history, and push with a Harbor robot account scoped to one project instead of an administrator's login.
Problems encountered
docker push keeps printing Retrying in XXX seconds
No matter what I tried, the push never went through. At first I thought the image was too large, so I deliberately slimmed it down to a third of its previous size, and it still would not push.
[root@localhost ~]# docker push registry.icoeus.com/local/g3-license:1.7.3
The push refers to repository [registry.icoeus.com/local/g3-license]
8c71aa77d0ac: Pushing [==================================================>] 130.7MB
d74b4c63784b: Layer already exists
dda3ee1b97f7: Layer already exists
830d01e8f725: Retrying in 4 seconds
7f30cde3f699: Layer already exists
fe810f5902cc: Layer already exists
dfd8c046c602: Pushing [==================================================>] 81.76MB
4fc242d58285: Layer already exists
read tcp 192.168.31.178:34672->183.201.223.85:443: read: connection reset by peer
The final error is read: connection reset by peer, and the IP at the end of that line was different on every push, so my guess was that the CDN was to blame. Looking the IP up with dig and pinning it in the hosts file did not help, and neither did adding registry-mirrors to daemon.json.
Two things are worth knowing here. registry-mirrors only changes where the daemon pulls Docker Hub images from; it plays no part in login or push to a private registry, so that change could not have helped. And docker push sends each layer as one long HTTP PATCH to /v2/<name>/blobs/uploads/<uuid>; CDNs and WAFs in front of a registry commonly cap the request body size or the idle time of an upload and drop the connection, which the client reports as exactly this reset. The upload limits of whatever sits in front of Harbor's nginx are the first thing to check before slimming images further.
Some options I have not tested:
docker push to Harbor keeps printing Retrying in XXX seconds
Problem pushing to a private registry: Retrying in 5 seconds
failed with status: 401 Unauthorized
Since pushing by domain name was going nowhere, I tried logging in by IP instead; the LAN is faster anyway and does not consume CDN traffic. Surprisingly, the login failed with failed with status: 401 Unauthorized.
[root@localhost ~]# docker login 192.168.31.216
Authenticating with existing credentials...
Login did not succeed, error: Error response from daemon: login attempt to https://192.168.31.216/v2/ failed with status: 401 Unauthorized
Username (root): root
Password:
Error response from daemon: login attempt to https://192.168.31.216/v2/ failed with status: 401 Unauthorized
Logging in with the scheme and port added to the address also gave a 401.
[root@localhost ~]# docker login http://192.168.31.216:80
Username: root
Password:
Error response from daemon: login attempt to http://192.168.31.216:80/v2/ failed with status: 401 Unauthorized
To get past this, the IP has to be added to insecure-registries in daemon.json.
[root@localhost ~]# vim /etc/docker/daemon.json
[root@localhost ~]# cat /etc/docker/daemon.json
{
"insecure-registries": ["192.168.31.216"]
}
[root@localhost ~]# systemctl daemon-reload
[root@localhost ~]# systemctl restart docker
Normally you should be able to log in now. (systemctl daemon-reload is only needed after editing systemd unit files; restarting docker is what reloads daemon.json.)
Be clear about what insecure-registries does: for the listed hosts the daemon stops verifying the TLS certificate and will fall back to plain HTTP if HTTPS is unavailable, so anyone on the network path can capture the login and substitute image layers on push or pull. It is tolerable as a stopgap on a trusted LAN; the durable fix is to make the daemon trust the registry's CA by placing it at /etc/docker/certs.d/192.168.31.216/ca.crt, which leaves certificate verification switched on.
x509: certificate has expired or is not yet valid
After the previous change, a new error appeared. Looking more closely, the login address is https: https was enabled when Harbor was configured, so connections default to it. It is also worth running date on both the server and the client; if either clock is wrong, fix it before trying to push again. This particular x509 message means the client's clock falls outside the certificate's validity window, which you can compare against openssl x509 -in server.crt -noout -dates. Note that a certificate that is in date but issued only for registry.icoeus.com would still be rejected when the registry is accessed by IP, because docker matches the address it was given against the certificate's subject alternative names.
[root@localhost yapi]# docker login 192.168.31.216
Username: root
Password:
Error response from daemon: Get https://192.168.31.216/v2/: x509: certificate has expired or is not yet valid
Next I edited daemon.json again, mainly to add the address with port 443; I also added registry-mirrors while I was at it, not knowing whether it would have any effect. (It has none: registry-mirrors only tells the daemon where to pull Docker Hub images from, so the entry can be left out.)
[root@localhost ~]# vim /etc/docker/daemon.json
[root@localhost ~]# cat /etc/docker/daemon.json
{
"registry-mirrors": ["https://192.168.31.216"],
"insecure-registries": ["192.168.31.216", "192.168.31.216:443"]
}
[root@localhost ~]# systemctl daemon-reload
[root@localhost ~]# systemctl restart docker
[root@localhost ~]# docker login 192.168.31.216
Username: root
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
Pushing again now goes through without a problem:
[root@localhost ~]# docker push 192.168.31.216/local/g3-license:1.7.3
The push refers to repository [192.168.31.216/local/g3-license]
8c71aa77d0ac: Pushed
d74b4c63784b: Layer already exists
dda3ee1b97f7: Layer already exists
830d01e8f725: Pushed
7f30cde3f699: Layer already exists
fe810f5902cc: Layer already exists
dfd8c046c602: Pushed
4fc242d58285: Layer already exists
1.7.3: digest: sha256:2637c6238d30b0caceda9330c270edf7fd496deae70c5c2b2de051a78fj5683b size: 1996