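Recently I have been using Golang to develop an automated Docker image pull tool. While developing and using the tool, I found that images from certain registry nodes could not be pulled on certain hosts.
The main error is as follows: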
{"errorDetail":{"message":"error pulling image configuration: download failed after attempts=6: tls: failed to verify certificate: x509: certificate has expired or is not yet valid: current time 2024-01-12T02:06:27-05:00 is after 2021-09-30T14:01:15Z"},"error":"error pulling image configuration: download failed after attempts=6: tls: failed to verify certificate: x509: certificate has expired or is not yet valid: current time 2024-01-12T02:06:27-05:00 is after 2021-09-30T14:01:15Z"}
{"level":"ERROR","ts":"2024-01-12T02:06:27.402-0500","msg":"error pulling image configuration: download failed after attempts=6: tls: failed to verify certificate: x509: certificate has expired or is not yet valid: current time 2024-01-12T02:06:27-05:00 is after 2021-09-30T14:01:15Z"}
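The image being pulled was: quay.io/jetstack/cert-manager-controller:v1.13.3
This image pulls without problems on an Alibaba Cloud machine, but the pull fails on a BandwagonHost machine in the Japan SoftBank data center. The cause is a certificate problem, and the official Docker SDK documentation does describe a specific way to skip TLS verification.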
// EnvTLSVerify is the name of the environment variable that can be used to
// enable or disable TLS certificate verification. When set to a non-empty
// value, TLS certificate verification is enabled, and the client is configured
// to use a TLS connection, using certificates from the default directories
// (within `~/.docker`); refer to EnvOverrideCertPath above for additional
// details.
https://pkg.go.dev/github.com/docker/docker/client@v24.0.7+incompatible#EnvTLSVerify
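In other words, EnvTLSVerify is the name of the environment variable that can be used to enable or disable TLS certificate verification. When it is set to a non-empty value, TLS certificate verification is enabled.
Looking at the logic in the code, it reads the environment variable EnvTLSVerify, and when the variable is empty the result is true.
Set the environment variable in the shell: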
export EnvTLSVerify=""
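However, a variable set this way only takes effect in the current shell. It applies to the client script that is run there, but the image pull itself goes through the local Docker service, so the Docker service also needs the EnvTLSVerify environment variable.
Edit the configuration file: /usr/lib/systemd/system/docker.service
Add the environment variable: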
[Service]
Type=notify
Environment=EnvTLSVerify=""
Restart Docker:
systemctl daemon-reload
systemctl restart docker
After this, calling the image sync program again no longer produces the TLS certificate error.
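The x509 error quoted at the top of this post is produced by a validity-window check on one certificate in the chain. The following added example (not code from the original post or from the Docker SDK) reproduces that check with Go's crypto/x509, using the two timestamps from the error message, and reports which certificate failed. The certificate names and helper functions are hypothetical, and placing the expiry on the root is an assumption made for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// mkCert issues a constructed test certificate; parent == nil makes a self-signed root CA.
func mkCert(serial int64, cn string, notAfter time.Time, parent *x509.Certificate, pkey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Date(2020, 1, 1, 0, 0, 0, 0, time.UTC), NotAfter: notAfter}
	if parent == nil {
		t.IsCA, t.BasicConstraintsValid, t.KeyUsage = true, true, x509.KeyUsageCertSign
		parent, pkey = t, key
	}
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, pkey)))), key
}

// expiredCertAt verifies a constructed leaf at time now and names the certificate that expired.
func expiredCertAt(now time.Time) (string, error) {
	// Root NotAfter is the expiry time printed in the error message (assumed to be the root).
	root, rootKey := mkCert(1, "constructed-root", time.Date(2021, 9, 30, 14, 1, 15, 0, time.UTC), nil, nil)
	leaf, _ := mkCert(2, "constructed-leaf", root.NotAfter.AddDate(5, 0, 0), root, rootKey)
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, CurrentTime: now})
	var inv x509.CertificateInvalidError
	if errors.As(err, &inv) && inv.Reason == x509.Expired {
		return inv.Cert.Subject.CommonName, err // the certificate outside its validity window
	}
	return "", err
}

func main() {
	fmt.Println(expiredCertAt(time.Date(2024, 1, 12, 2, 6, 27, 0, time.FixedZone("", -5*3600))))
}
```

The leaf in this example is still inside its own validity period, so the failure comes entirely from the certificate it chains to. When the expired certificate turns out to be a root in the host's trust store, the difference between a host that pulls successfully and one that fails is their CA bundle, which is the thing to compare.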