nexus3权限配置
请参照上面的流程图,按照以下步骤进行检查:
-
确认
Docker Bearer Token Realm已激活- 路径 :Nexus 控制台 → Security → Realms
- 检查 :确保
Docker Bearer Token Realm出现在右侧的 Active 栏中。这是实现Docker仓库认证的关键安全模块,即使勾选了"Allow anonymous docker pull",如果此项未激活,匿名访问也会失败。
-
检查匿名用户访问权限
- 路径 :Nexus 控制台 → Security → Anonymous Access
- 检查 :确保选择了 Allow anonymous users to access the server。这样,未登录的客户端才被允许与仓库交互。
-
特别注意Podman客户端的差异
- 你已经在使用
--tls-verify=false来绕过HTTPS验证,这是正确的。因为Nexus仓库默认使用HTTP,而Podman对安全性的要求可能比Docker更严格。
- 你已经在使用
创建docker(proxy)仓库
Name: docker-proxy
Repository Connectors:
HTTP: 8090
勾选:Allow anonymous docker pull ( Docker Bearer Token Realm required )
勾选:Allow clients to use the V1 API to interact with this repository
Proxy
Remote Storage:https://docker.1ms.run
Docker Index: Use proxy registry(specified above)
客户端使用(HTTP协议)
podman客户端
[root@10-2-0-4 ~]# podman pull --tls-verify=false 10.2.0.100:8090/library/nginx:latest
Trying to pull 10.2.0.100:8090/library/nginx:latest...
Getting image source signatures
Copying blob 8da8ed3552af done
Copying blob b459da543435 done
Copying blob 5d8ea9f4c626 done
Copying blob 58d144c4badd done
Copying blob 54e822d8ee0c done
Copying blob 250b90fb2b9a done
Copying blob 8c7716127147 done
Copying config 07ccdb7838 done
Writing manifest to image destination
Storing signatures
07ccdb7838758e758a4d52a9761636c385125a327355c0c94a6acff9babff938Docker客户端
配置/etc/docker/daemon.json
参考以下registry-mirrors、insecure-registries两项配置。
{
"exec-opts": ["native.cgroupdriver=systemd"],
"registry-mirrors": ["http://10.2.0.100:8090"],
"insecure-registries": ["http://10.2.0.100:8090"],
"max-concurrent-downloads": 10,
"log-driver": "json-file",
"log-level": "warn",
"log-opts": {
"max-size": "10m",
"max-file": "3"
},
"data-root": "/var/lib/docker"
}重启
systemctl restart docker查看dockerinfo
[root@10-2-0-4 ~]# docker info
Containers: 0
Running: 0
Paused: 0
Stopped: 0
Images: 1
Server Version: 18.09.0
Storage Driver: overlay2
Backing Filesystem: extfs
Supports d_type: true
Native Overlay Diff: true
Logging Driver: json-file
Cgroup Driver: systemd
Hugetlb Pagesize: 2MB, 2MB (default is 2MB)
Plugins:
Volume: local
Network: bridge host macvlan null overlay
Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
Swarm: inactive
Runtimes: runc
Default Runtime: runc
Init Binary: docker-init
containerd version: 871075eb7cc979944ba2d987719cb534bbb87e5c
runc version: N/A
init version: N/A (expected: )
Security Options:
seccomp
Profile: default
Kernel Version: 5.10.0-216.0.0.115.oe2203sp4.x86_64
Operating System: openEuler 22.03 (LTS-SP4)
OSType: linux
Architecture: x86_64
CPUs: 20
Total Memory: 14.8GiB
Name: 10-2-0-4
ID: 4DKE:4SMB:KYOE:DA4F:7QCU:CBK5:FL7D:WJFC:BIIA:EVBG:ZGI2:GQWR
Docker Root Dir: /var/lib/docker
Debug Mode (client): false
Debug Mode (server): false
Registry: https://index.docker.io/v1/
Labels:
Experimental: false
Insecure Registries:
10.2.0.100:8090
127.0.0.0/8
Registry Mirrors:
http://10.2.0.100:8090/
Live Restore Enabled: true拉取镜像
[root@10-2-0-4 ~]# docker pull nginx
Using default tag: latest
latest: Pulling from library/nginx
8c7716127147: Pull complete
250b90fb2b9a: Pull complete
5d8ea9f4c626: Pull complete
58d144c4badd: Pull complete
b459da543435: Pull complete
8da8ed3552af: Pull complete
54e822d8ee0c: Pull complete
Digest: sha256:3b7732505933ca591ce4a6d860cb713ad96a3176b82f7979a8dfa9973486a0d6
Status: Downloaded newer image for nginx:latest