
I am using self-hosted GitLab with the GitLab Container Registry enabled to build, push and store images. My gitlab-runner runs in a container, and I am using rootless-docker because my organisation's security policy does not allow full Docker.

I am trying to use docker-in-docker and set everything up following this document - https://docs.gitlab.com/ee/ci/docker/using_docker_build.html#use-docker-in-docker-workflow-with-docker-executor

Now, when I try to authenticate against my container registry with docker login registry.gitlab.systems -u $username -p $PAT, I am able to authenticate successfully, and I am also able to build and push images successfully with the build and push commands. But when I try to do the same from my GitLab pipeline, I see the following error -

$ docker login registry.gitlab.systems -u $username -p $PAT
WARNING! Using --password via the CLI is insecure. Use --password-stdin.
Error response from daemon: Get https://registry.gitlab.systems/v2/: net/http: TLS handshake timeout

My gitlab-ci.yml file -

stages:
  - build

variables:
  DOCKER_DRIVER: overlay2
  DOCKER_TLS_CERTDIR: ""

docker-build:
  image: docker:latest
  stage: build
  services:
    - docker:dind
  before_script:
    - docker info
    - docker login registry.gitlab.systems -u $username -p $PAT

Full output of the pipeline job -

Running with gitlab-runner 13.5.0 (ece86343)
  on My Docker Runner Nw3Z89BR
Preparing the "docker" executor
Using Docker executor with image docker:latest ...
Starting service docker:dind ...
Pulling docker image docker:dind ...
Using docker image sha256:jdbcajdcnlkdnjbsdhcbhsbdjkbdsbjds87756565tubmdn for docker:dind with digest docker@sha256:7877989978677tjkbmbjbhvhjg67687687878jknky8 ...
Waiting for services to be up and running...
*** WARNING: Service runner-nw3z89br-project-23-concurrent-0-0444ae016309d9d8-docker-0 probably didn't start properly.
Health check error:
start service container: Error response from daemon: Cannot link to a non running container: /runner-nw3z89br-project-23-concurrent-0-0444ae016309d9d8-docker-0 AS /runner-nw3z89br-project-23-concurrent-0-0444ae016309d9d8-docker-0-wait-for-service/service (docker.go:1271:0s)
Service container logs:
2020-12-08T13:26:38.262883588Z mount: permission denied (are you root?)
2020-12-08T13:26:38.262943608Z Could not mount /sys/kernel/security.
2020-12-08T13:26:38.262966886Z AppArmor detection and --privileged mode might break.
2020-12-08T13:26:38.344450436Z time="2020-12-08T13:26:38.342564548Z" level=info msg="Starting up"
2020-12-08T13:26:38.346064501Z time="2020-12-08T13:26:38.345847145Z" level=warning msg="could not change group /var/run/docker.sock to docker: group docker not found"
2020-12-08T13:26:38.346467932Z failed to load listeners: can't create unix socket /var/run/docker.sock: device or resource busy
*********
Pulling docker image docker:latest ...
Using docker image sha256:gdfgsdksdcjkblkxnvknsdklnvjkbxjvnkfxl989 for docker:latest with digest docker@sha256:adkfhklsnvjlkbjkbcklnmvbj\bzjkchsjncvk.lkvsfy8...
Preparing environment
00:01
Running on runner-nw3z89br-project-23-concurrent-0 via 1b495184edc9...
Getting source from Git repository
Fetching changes with git depth set to 50...
Reinitialized existing Git repository in /builds/root/test-container-registry/.git/
Checking out 0d15685a as master...
Skipping Git submodules setup
Executing "step_script" stage of the job script
$ docker info
Client:
 Debug Mode: false
Server:
 Containers: 7
  Running: 2
  Paused: 0
  Stopped: 5
 Images: 36
 Server Version: 19.03.9
 Storage Driver: vfs
 Logging Driver: json-file
 Cgroup Driver: none
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
 Swarm: inactive
 Runtimes: runc
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: 7ad184331fa3e55e52b890ea95e65ba581ae3429
 runc version: dc9208a3303feef5b3839f4323d9beb36df0a9dd
 init version: fec3683
 Security Options:
  seccomp
   Profile: default
  rootless
 Kernel Version: 3.10.0-1160.6.1.el7.x86_64
 Operating System: Red Hat Enterprise Linux Server 7.9 (Maipo)
 OSType: linux
 Architecture: x86_64
 CPUs: 4
 Total Memory: 15.51GiB
 Name: gitrunoid-kn-p1
 ID: 3A54:NKR7:QSJL:WBYV:EFTH:WFXQ:Q7EC:F4OU:TMMM:UZNJ:N557:ZUFK
 Docker Root Dir: /app/docker
 Debug Mode: false
 HTTP Proxy: http://myproxy.co:8080
 HTTPS Proxy: http://myproxy.co:8080
 Registry: https://index.docker.io/v1/
 Labels:
 Experimental: true
 Insecure Registries:
  127.0.0.0/8
 Live Restore Enabled: false
 Product License: Community Engine
WARNING: bridge-nf-call-iptables is disabled
WARNING: bridge-nf-call-ip6tables is disabled
$ docker login registry.gitlab.systems -u $username -p $PAT
WARNING! Using --password via the CLI is insecure. Use --password-stdin.
Error response from daemon: Get https://registry.gitlab.systems/v2/: net/http: TLS handshake timeout
Cleaning up file based variables
00:01
ERROR: Job failed: exit code 1

1 Answer


I had a very similar problem - I could not reach the registry of my Omnibus GitLab installation (not Docker-in-Docker) over the Internet. I got the same handshake timeout error the OP mentions.

It turned out that my GitLab Debian distribution only allows specific ports through UFW by default:

root@gitlab:~# ufw status
Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
80/tcp                     ALLOW       Anywhere
443/tcp                    ALLOW       Anywhere
25                         ALLOW       Anywhere
587                        ALLOW       Anywhere
110                        ALLOW       Anywhere
22/tcp (v6)                ALLOW       Anywhere (v6)
80/tcp (v6)                ALLOW       Anywhere (v6)
443/tcp (v6)               ALLOW       Anywhere (v6)
25 (v6)                    ALLOW       Anywhere (v6)
587 (v6)                   ALLOW       Anywhere (v6)
110 (v6)                   ALLOW       Anywhere (v6)

I fixed it by allowing the registry's public-facing port:

root@gitlab:~# ufw allow 5050/tcp
Rule added
Rule added (v6)

This may or may not apply to the OP's situation, but hopefully it helps some wayward Googlers.

answered 2021-04-15T00:58:47.450
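The answer's check in script form, as an added example that is not part of the question or the answer above: it takes the port a registry URL uses (an explicit :port, otherwise 443 for https) and looks for an ALLOW rule for it in the text that ufw status prints, so you can tell a firewall-blocked registry port from a handshake timeout that comes from somewhere else. The ufw listing embedded below is a constructed sample mirroring the one in the answer; registry.gitlab.systems is the OP's hostname and gitlab.example.com:5050 is a made-up host on the answer's port.

```shell
#!/bin/sh
# Added example (not from the original question or answer): offline check of
# whether the port a registry URL uses is allowed by UFW, based on the text
# that "ufw status" prints.

# Port a registry URL talks to: an explicit :port wins, otherwise 80 for
# http:// and 443 for https:// (the question's registry has no port, so 443;
# the answer's registry listens on 5050).
registry_port() {
  url="$1"
  hostport="${url#*://}"       # drop the scheme
  hostport="${hostport%%/*}"   # drop any path such as /v2/
  case "$hostport" in
    *:*) printf '%s\n' "${hostport##*:}" ;;
    *)
      case "$url" in
        http://*) printf '%s\n' 80 ;;
        *)        printf '%s\n' 443 ;;
      esac
      ;;
  esac
}

# Exit 0 when the given "ufw status" text has an ALLOW rule for the port
# (either "443/tcp" or a bare "443"), 1 otherwise. Only IPv4 rows are
# considered: the IPv6 rows carry "(v6)" in their second column.
ufw_allows_port() {
  port="$1"
  status="$2"
  printf '%s\n' "$status" | awk -v p="$port" '
    $2 == "ALLOW" && ($1 == p || $1 == (p "/tcp")) { found = 1 }
    END { exit found ? 0 : 1 }
  '
}

# Combine both: print "port N allowed" or "port N blocked" for a registry URL.
firewall_verdict() {
  port=$(registry_port "$1")
  if ufw_allows_port "$port" "$2"; then
    printf 'port %s allowed\n' "$port"
  else
    printf 'port %s blocked\n' "$port"
  fi
}

# Constructed sample, mirroring the "ufw status" output shown in the answer.
SAMPLE_UFW_STATUS='Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
80/tcp                     ALLOW       Anywhere
443/tcp                    ALLOW       Anywhere
25                         ALLOW       Anywhere
587                        ALLOW       Anywhere
110                        ALLOW       Anywhere
22/tcp (v6)                ALLOW       Anywhere (v6)
80/tcp (v6)                ALLOW       Anywhere (v6)
443/tcp (v6)               ALLOW       Anywhere (v6)'

firewall_verdict "https://registry.gitlab.systems" "$SAMPLE_UFW_STATUS"   # port 443 allowed
firewall_verdict "https://gitlab.example.com:5050" "$SAMPLE_UFW_STATUS"   # port 5050 blocked
```

On a real host, replace the sample with the output of ufw status and pass the registry URL the job uses; a "blocked" verdict is the answer's case and is fixed with ufw allow on that port. Whatever the verdict, the job log's own warning applies: feed the token through --password-stdin rather than -p, so the PAT does not end up in the job log or the shell history.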