System environment:
win10 + virtualbox5.0.24
docker and docker-machine versions:
JYC103@Fanne MINGW64 ~
$ docker-machine.exe -version
docker-machine.exe version 0.7.0, build a650a40
JYC103@Fanne MINGW64 ~
$ docker version
Client:
Version: 1.12.0
API version: 1.24
Go version: go1.6.3
Git commit: 8eab29e
Built: Thu Jul 28 23:54:00 2016
OS/Arch: windows/amd64
An error occurred trying to connect: Get http://%2F%2F.%2Fpipe%2Fdocker_engine/v1.24/version: open //./pipe/docker_engine: The system cannot find the file specified.
docker-machine currently has one Docker host:
$ docker-machine.exe ls
NAME ACTIVE DRIVER STATE URL SWARM DOCKER ERRORS
docker.20.127 - none Running tcp://192.168.20.127:2375 Unknown Unable to query docker version: Unable to read TLS config: open C:\Users\JYC103\.docker\machine\machines\docker.20.127\server.pem: The system cannot find the file specified.
Running docker info directly against this Docker host:
$ docker -H 192.168.20.127:2375 info
Containers: 0
Running: 0
Paused: 0
Stopped: 0
Images: 0
Server Version: 1.12.0
Storage Driver: devicemapper
Pool Name: docker-253:1-101251423-pool
Pool Blocksize: 65.54 kB
Base Device Size: 10.74 GB
Backing Filesystem: xfs
Data file: /dev/loop0
Metadata file: /dev/loop1
Data Space Used: 11.73 MB
Data Space Total: 107.4 GB
Data Space Available: 14.84 GB
Metadata Space Used: 581.6 kB
Metadata Space Total: 2.147 GB
Metadata Space Available: 2.147 GB
Thin Pool Minimum Free Space: 10.74 GB
Udev Sync Supported: true
Deferred Removal Enabled: false
Deferred Deletion Enabled: false
Deferred Deleted Device Count: 0
Data loop file: /var/lib/docker/devicemapper/devicemapper/data
WARNING: Usage of loopback devices is strongly discouraged for production use. Use `--storage-opt dm.thinpooldev` to specify a custom block storage device.
Metadata loop file: /var/lib/docker/devicemapper/devicemapper/metadata
Library Version: 1.02.107-RHEL7 (2016-06-09)
Logging Driver: json-file
Cgroup Driver: cgroupfs
Plugins:
Volume: local
Network: null host bridge overlay
Swarm: inactive
Runtimes: runc
Default Runtime: runc
Security Options: seccomp
Kernel Version: 3.10.0-123.el7.x86_64
Operating System: CentOS Linux 7 (Core)
OSType: linux
Architecture: x86_64
CPUs: 1
Total Memory: 987.2 MiB
Name: localhost.localdomain
ID: FMPB:NCHQ:ERTQ:YQMK:WUSA:QA2T:FCQO:TL7L:IHOH:3Z3Z:EXTV:3YMY
Docker Root Dir: /var/lib/docker
Debug Mode (client): false
Debug Mode (server): false
Registry: https://index.docker.io/v1/
WARNING: bridge-nf-call-iptables is disabled
WARNING: bridge-nf-call-ip6tables is disabled
Insecure Registries:
127.0.0.0/8
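This is where the problem starts.
Now I want to use docker-machine env to view the variables for the docker.20.127 host, and the following message appears: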
$ docker-machine.exe env docker.20.127
Error checking TLS connection: Error checking and/or regenerating the certs: There was an error validating certificates for host "192.168.20.127:2375": open C:\Users\JYC103\.docker\machine\machines\docker.20.127\server.pem: The system cannot find the file specified.
You can attempt to regenerate them using 'docker-machine regenerate-certs [name]'.
Be advised that this will trigger a Docker daemon restart which will stop running containers.
server.pem does not exist, so I followed the hint to create one:
$ docker-machine.exe regenerate-certs docker.20.127
Regenerate TLS machine certs? Warning: this is irreversible. (y/n): y
Regenerating TLS certificates
Waiting for SSH to be available...
Too many retries waiting for SSH to be available. Last error: Maximum number of retries (60) exceeded
But after waiting a few minutes it was not created, so I turned on debug output:
$ docker-machine.exe -D regenerate-certs docker.20.127
Docker Machine Version: 0.7.0, build a650a40
Regenerate TLS machine certs? Warning: this is irreversible. (y/n): y
Regenerating TLS certificates
Found binary path at C:\Users\JYC103\bin\docker-machine.exe
Launching plugin server for driver none
Plugin server listening at address 127.0.0.1:58959
() Calling .GetVersion
Using API Version 1
() Calling .SetConfigRaw
() Calling .GetMachineName
command=configureAuth machine=docker.20.127
Waiting for SSH to be available...
Getting to WaitForSSH function...
(docker.20.127) Calling .GetSSHHostname
(docker.20.127) Calling .GetSSHPort
(docker.20.127) Calling .GetSSHKeyPath
(docker.20.127) Calling .GetSSHUsername
Using SSH client type: external
&{[-F /dev/null -o BatchMode=yes -o PasswordAuthentication=no -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o LogLevel=quiet -o ConnectionAttempts=3 -o ConnectTimeout=10 -o ControlMaster=no -o ControlPath=none @ -p 0] C:\Program Files\Git\usr\bin\ssh.exe <nil>}
About to run SSH command:
exit 0
SSH cmd err, output: exit status 255: usage: ssh [-1246AaCfGgKkMNnqsTtVvXxYy] [-b bind_address] [-c cipher_spec]
[-D [bind_address:]port] [-E log_file] [-e escape_char]
[-F configfile] [-I pkcs11] [-i identity_file]
[-L address] [-l login_name] [-m mac_spec]
[-O ctl_cmd] [-o option] [-p port]
[-Q cipher | cipher-auth | mac | kex | key]
[-R address] [-S ctl_path] [-W host:port]
[-w local_tun[:remote_tun]] [user@]hostname [command]
Error getting ssh command 'exit 0' : Something went wrong running an SSH command!
command : exit 0
err : exit status 255
output : usage: ssh [-1246AaCfGgKkMNnqsTtVvXxYy] [-b bind_address] [-c cipher_spec]
[-D [bind_address:]port] [-E log_file] [-e escape_char]
[-F configfile] [-I pkcs11] [-i identity_file]
[-L address] [-l login_name] [-m mac_spec]
[-O ctl_cmd] [-o option] [-p port]
[-Q cipher | cipher-auth | mac | kex | key]
[-R address] [-S ctl_path] [-W host:port]
[-w local_tun[:remote_tun]] [user@]hostname [command]
It reports an SSH connection error.
How can this problem be solved, and how can the server.pem file be generated?
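
The host you added uses --driver none, so it can only be operated through the Docker Remote API. SSH is not possible. docker-machine regenerate-certs requires SSH, so it is not supported. If you need SSH, you should use the --driver generic driver from the start, which takes care of installing and configuring Docker.

docker-machine env reports a TLS error because a Docker host created with --driver none is, by default, treated in docker-machine's records as having TLS configured and enabled (after all, that is the secure default), so you need to supply specific key files through parameters when creating the host, or modify the configuration file directly.

Judging from port 2375 that you showed earlier, the Docker host appears to have no TLS protection, which does not match the TLS enabled in the record. So when docker-machine tries to connect to this API, there is no local certificate and the remote side does not have TLS enabled, and naturally an error is reported. Because TLS is enabled in the configuration, it assumes there is a problem with certificate generation and recommends regenerating the certificates.

The solution is to generate the TLS certificate configuration, or to modify ~/.docker/machine/machines/<NAME>/config.json and change TlsVerify to false.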
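
A check for the mismatch the answer describes, as an added example that is not part of the original thread or of docker-machine: it reads a machine's config.json and reports when TLS verification is recorded as enabled but the server certificate files are absent or the URL uses port 2375. The key names (HostOptions.EngineOptions.TlsVerify, HostOptions.AuthOptions.ServerCertPath and ServerKeyPath, DriverName, Driver.URL) are assumed from docker-machine's config.json layout, and the sample config is constructed.

```python
import json
import tempfile
from pathlib import Path
from urllib.parse import urlparse


def diagnose(machine_dir):
    """Return findings for one docker-machine machine directory."""
    cfg = json.loads((Path(machine_dir) / "config.json").read_text(encoding="utf-8"))
    host = cfg.get("HostOptions", {})
    auth = host.get("AuthOptions", {})
    url = cfg.get("Driver", {}).get("URL", "")
    findings = []
    # Key names below are assumed from docker-machine's config.json layout.
    if host.get("EngineOptions", {}).get("TlsVerify", False):
        for key in ("ServerCertPath", "ServerKeyPath"):
            path = auth.get(key, "")
            if not path or not Path(path).is_file():
                findings.append(f"missing-cert:{key}")
        # 2375 is the conventional plaintext Docker API port, 2376 the TLS one.
        if url and urlparse(url).port == 2375:
            findings.append("tls-expected-on-plaintext-port")
    if cfg.get("DriverName") == "none" and any(f.startswith("missing-cert") for f in findings):
        # The none driver has no SSH access, so regenerate-certs cannot run.
        findings.append("regenerate-certs-unsupported")
    return findings


def constructed_machine(root):
    """Write a constructed config.json resembling the host in the question."""
    mdir = Path(root) / "docker.20.127"
    mdir.mkdir()
    cfg = {
        "DriverName": "none",
        "Driver": {"URL": "tcp://192.168.20.127:2375"},
        "HostOptions": {
            "EngineOptions": {"TlsVerify": True},
            "AuthOptions": {"ServerCertPath": str(mdir / "server.pem"),
                            "ServerKeyPath": str(mdir / "server-key.pem")},
        },
    }
    (mdir / "config.json").write_text(json.dumps(cfg), encoding="utf-8")
    return mdir


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(diagnose(constructed_machine(tmp)))
```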