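This chapter covers problems encountered while using GitLab CI/CD.
Problem 1. Registering a Runner in Docker-in-Docker mode
If gitlab-runner is already running, we can register a runner by executing: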
gitlab-runner register \
--non-interactive \
--url "http://192.168.0.102/" \
--registration-token "3k1yGnbpuS2skUfrbB3t" \
--executor "docker" \
--docker-image alpine:3 \
--description "102-docker-runner" \
--tag-list "docker" \
--run-untagged \
--locked="false" \
--docker-privileged
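Note: Docker-in-Docker mode requires docker-privileged="true". A privileged container has nearly unrestricted access to the runner host, so every job this runner picks up runs with that access.
Problem 2. Docker push against an insecure registry
The following error occurs during docker push:
2.1 Solution
In /etc/docker/daemon.json
2.2 Solution
Modify the Docker daemon configuration on the registry server and add --insecure-registry to DOCKER_OPTS: DOCKER_OPTS="--insecure-registry xxx:5000".
Restart the Docker daemon and start the registry container: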
$ sudo service docker restart
docker stop/waiting
docker start/running, process 6712
$ sudo docker run -d -p 5000:5000 -v `pwd`/data:/var/lib/registry --restart=always --name registry registry:2
5966e92fce9c34705050e19368d19574e021a272ede1575385ef35ecf5cea019
Try pushing the image again:
$ docker push xxxx:5000/test/busybox
The push refers to a repository [xxxx:5000/test/busybox] (len: 1)
65e4158d9625: Pushed
5506dda26018: Pushed
latest: digest: sha256:800f2d4558acd67f52262fbe170c9fc2e67efaa6f230a74b41b555e6fcca2892 size: 2739
push ok!
Problem 3. Docker push against a secure registry
$ docker push mydockerhub.com:5000/test/busybox
The push refers to a repository [mydockerhub.com:5000/test/busybox] (len: 1)
unable to ping registry endpoint https://mydockerhub.com:5000/v0/
v2 ping attempt failed with error: Get https://mydockerhub.com:5000/v2/: x509: certificate signed by unknown authority
v1 ping attempt failed with error: Get https://mydockerhub.com:5000/v1/_ping: x509: certificate signed by unknown authority
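The push failed! According to the error log, the docker client considers the signer of the certificate sent by the server to be an unknown authority (an unknown CA), so verification fails. We need to install our CA certificate for the docker client: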
$ sudo mkdir -p /etc/docker/certs.d/mydockerhub.com:5000
$ sudo cp certs/domain.crt /etc/docker/certs.d/mydockerhub.com:5000/ca.crt
$ sudo service docker restart  # restart the Docker daemon after installing the certificate
In addition, macOS users need to run the following command:
sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain ca.crt
Run the push again and we see the successful output log.
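
The following audit script is an added example, not part of the original chapter. It reports, for each registry, whether the daemon configuration from Problem 2 has switched off certificate checking or whether a CA file is installed under certs.d as in Problem 3. The function names and sample values are assumptions made for illustration; the "insecure-registries" key in daemon.json and CIDR matching are standard Docker daemon behaviour.

```python
import ipaddress
import json
import re
from pathlib import Path

def insecure_entries(daemon_json="", docker_opts=""):
    """Collect insecure-registry entries from daemon.json and DOCKER_OPTS."""
    entries = set()
    if daemon_json.strip():
        entries.update(json.loads(daemon_json).get("insecure-registries", []))
    # Legacy form from Problem 2: DOCKER_OPTS="--insecure-registry xxx:5000"
    entries.update(re.findall(r"--insecure-registry[=\s]+([\w.:/-]+)", docker_opts))
    return entries

def is_insecure(registry, entries):
    """True if registry (host:port) matches an entry exactly or by CIDR range."""
    if registry in entries:
        return True
    host = registry.rsplit(":", 1)[0]
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False  # a hostname can only match by exact string
    for entry in entries:
        try:
            if "/" in entry and addr in ipaddress.ip_network(entry, strict=False):
                return True
        except ValueError:
            continue  # entry is not a valid CIDR range
    return False

def registry_trust(registry, certs_root, entries):
    """Classify how the Docker daemon will authenticate the registry."""
    if is_insecure(registry, entries):
        return "insecure"   # certificate errors ignored, plain HTTP fallback allowed
    cert_dir = Path(certs_root) / registry
    if cert_dir.is_dir() and any(cert_dir.glob("*.crt")):
        return "custom-ca"  # Problem 3: CA file under certs.d/<host:port>/
    return "system-ca"      # only the OS trust store applies

def audit(registries, certs_root, daemon_json="", docker_opts=""):
    entries = insecure_entries(daemon_json, docker_opts)
    return {r: registry_trust(r, certs_root, entries) for r in registries}

if __name__ == "__main__":
    # Constructed sample input using the placeholder names from this chapter.
    opts = 'DOCKER_OPTS="--insecure-registry xxx:5000"'
    for name, state in audit(["xxx:5000", "mydockerhub.com:5000"],
                             "/etc/docker/certs.d", docker_opts=opts).items():
        print(f"{name}: {state}")
```

Any registry reported as "insecure" is one where image pushes and pulls are not protected against interception, which makes it a candidate for the CA installation shown in Problem 3.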