ciiiii / cloudflare-docker-proxy

A docker registry proxy run on cloudflare worker.
1.17k stars 2.36k forks

Could someone experienced help look at why it's returning 401 again? #62

Closed liuweiGL closed 1 week ago

liuweiGL commented 1 week ago

Pulling images with containerd in k8s had been working fine all along, then it suddenly started failing.

containerd logs:

time="2024-09-13T10:44:52.762605809+08:00" level=info msg="trying next host" error="failed to authorize: failed to fetch anonymous token: Get \"https://auth.docker.io/token?scope=repository%3Alibrary%2Fredis%3Apull&service=registry.docker.io\": dial tcp 199.96.62.75:443: i/o timeout" host=docker.eastcoal.tech

time="2024-09-13T10:48:04.953565547+08:00" level=error msg="PullImage \"docker.io/redis:latest\" failed" error="rpc error: code = DeadlineExceeded desc = failed to pull and unpack image \"docker.io/library/redis:latest\": failed to resolve reference \"docker.io/library/redis:latest\": failed to authorize: failed to fetch anonymous token: Get \"https://auth.docker.io/token?scope=repository%!A(MISSING)library%!F(MISSING)redis%!A(MISSING)pull&service=registry.docker.io\": dial tcp 108.160.165.48:443: i/o timeout"

Cloudflare logs:

{
  "truncated": false,
  "outcome": "ok",
  "scriptVersion": {
    "id": "36c2896f-c2bc-42e6-b9a2-aa99e1625470"
  },
  "scriptName": "cloudflare-docker-proxy",
  "diagnosticsChannelEvents": [],
  "exceptions": [],
  "logs": [],
  "eventTimestamp": 1726195666003,
  "event": {
    "request": {
      "url": "https://docker.eastcoal.tech/v2/library/redis/manifests/latest?ns=docker.io",
      "method": "GET",
      "headers": {
        "accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7",
        "accept-encoding": "gzip, br",
        "accept-language": "zh-CN,zh;q=0.9,en;q=0.8",
        "cf-connecting-ip": "115.153.148.141",
        "cf-ipcountry": "CN",
        "cf-ray": "8c24d0807821beaa",
        "cf-visitor": "{\"scheme\":\"https\"}",
        "connection": "Keep-Alive",
        "dnt": "1",
        "host": "docker.eastcoal.tech",
        "priority": "u=0, i",
        "sec-ch-ua": "\"Chromium\";v=\"128\", \"Not;A=Brand\";v=\"24\", \"Google Chrome\";v=\"128\"",
        "sec-ch-ua-mobile": "?0",
        "sec-ch-ua-platform": "\"Windows\"",
        "sec-fetch-dest": "document",
        "sec-fetch-mode": "navigate",
        "sec-fetch-site": "cross-site",
        "sec-fetch-user": "?1",
        "upgrade-insecure-requests": "1",
        "user-agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36",
        "x-forwarded-proto": "https",
        "x-real-ip": "115.153.148.141"
      },
      "cf": {
        "longitude": "115.93160",
        "httpProtocol": "HTTP/3",
        "tlsCipher": "AEAD-AES128-GCM-SHA256",
        "continent": "AS",
        "asn": 4134,
        "clientAcceptEncoding": "gzip, deflate, br, zstd",
        "country": "CN",
        "tlsClientAuth": {
          "certIssuerDNLegacy": "",
          "certIssuerSKI": "",
          "certSubjectDNRFC2253": "",
          "certSubjectDNLegacy": "",
          "certFingerprintSHA256": "",
          "certNotBefore": "",
          "certSKI": "",
          "certSerial": "",
          "certIssuerDN": "",
          "certVerified": "NONE",
          "certNotAfter": "",
          "certSubjectDN": "",
          "certPresented": "0",
          "certRevoked": "0",
          "certIssuerSerial": "",
          "certIssuerDNRFC2253": "",
          "certFingerprintSHA1": ""
        },
        "tlsExportedAuthenticator": {
          "clientFinished": "d107293ff660e6152c4e3cec99fa218373b4a0fe79165ddcbb410b708de24949",
          "clientHandshake": "8142a34c27f7a1d59b72859ac72b7f0d01700d2a1fd0ffb1e0321cb7be9dbfab",
          "serverHandshake": "d107ba6be89149f0a8a584b77a2118a8fad28069f9f4e8e71b8bb8d3d2f7b414",
          "serverFinished": "1287aad774c68276b98cb72effc740197f8f472c5de671c270d0fd4eafff5ba5"
        },
        "tlsVersion": "TLSv1.3",
        "colo": "LHR",
        "timezone": "Asia/Shanghai",
        "verifiedBotCategory": "",
        "edgeRequestKeepAliveStatus": 1,
        "tlsClientRandom": "FA1x47jQm0abOdih6IXc0Plal7KpmqrDF+9k4PBLHMo=",
        "tlsClientExtensionsSha1": "YNV0JdDtoDefLpTY9dKRckt+GaQ=",
        "tlsClientHelloLength": "2006",
        "region": "Jiangxi",
        "regionCode": "JX",
        "asOrganization": "China Telecom",
        "requestPriority": "",
        "latitude": "28.55010"
      }
    },
    "response": {
      "status": 401
    }
  },
  "id": 4
}

Why is the anonymous token fetched from https://auth.docker.io/token rather than from the proxy address I configured, docker.eastcoal.tech?

liuweiGL commented 1 week ago

While debugging locally I found that containerd only requests http://192.168.31.119:8787/v2/library/redis/manifests/latest?ns=docker.io

The url.pathname == "/v2/" branch is never entered at all. What's going on... https://github.com/ciiiii/cloudflare-docker-proxy/blob/aa61ad58cfe6fda4c53cd011d952d8654d5445ad/src/index.js#L47-L59

liuweiGL commented 1 week ago

containerd's authorization flow is different from docker's; it does not trigger the /v2 logic.

LanceYuan commented 1 week ago

> containerd's authorization flow is different from docker's; it does not trigger the /v2 logic.

@liuweiGL Did you get this solved? I have the same problem.

liuweiGL commented 1 week ago

@LanceYuan I rewrote it; you can take a look at my repository https://github.com/liuweigl/cloudflare-docker-proxy
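What the diagnosis in this thread implies for a proxy, as an added example (not code from ciiiii/cloudflare-docker-proxy or from liuweiGL's rewrite): containerd takes the token realm from the 401 on the manifest request itself, so the `WWW-Authenticate` challenge has to be rewritten on every upstream 401, not only on `/v2/`. The function names, the `/v2/auth` token path and the sample challenge are assumptions constructed for illustration.

```javascript
// Constructed sample: the kind of challenge an upstream registry attaches to a
// 401 on a manifest request (values taken from the token URL in the containerd log).
const SAMPLE_CHALLENGE =
  'Bearer realm="https://auth.docker.io/token",service="registry.docker.io",' +
  'scope="repository:library/redis:pull"';

// Parse `Bearer k="v",k2="v2"` into an object; null for non-Bearer or no realm.
function parseBearerChallenge(value) {
  const m = /^\s*Bearer\s+(.*)$/i.exec(value || "");
  if (!m) return null;
  const params = {};
  const re = /([a-zA-Z_]+)="([^"]*)"/g;
  let kv;
  while ((kv = re.exec(m[1])) !== null) params[kv[1].toLowerCase()] = kv[2];
  return params.realm ? params : null;
}

// Point the realm at the proxy, keeping service and scope so the client's
// token request still names the repository and action it needs.
function rewriteChallenge(value, proxyOrigin, authPath = "/v2/auth") {
  const p = parseBearerChallenge(value);
  if (!p) return value; // Basic auth or malformed header: pass through untouched
  const parts = [`realm="${proxyOrigin}${authPath}"`];
  if (p.service) parts.push(`service="${p.service}"`);
  if (p.scope) parts.push(`scope="${p.scope}"`);
  return "Bearer " + parts.join(",");
}

// Apply the rewrite to any upstream 401, whatever the request path was.
// `headers` is a plain object here; in a Worker it would come from resp.headers.
function patchUpstream401(status, headers, proxyOrigin) {
  if (status !== 401) return headers;
  const out = {};
  for (const [k, v] of Object.entries(headers)) {
    out[k] = k.toLowerCase() === "www-authenticate" ? rewriteChallenge(v, proxyOrigin) : v;
  }
  return out;
}

// The URL a client derives from a challenge when it goes to fetch its token.
function tokenUrlFor(challenge) {
  const p = parseBearerChallenge(challenge);
  const u = new URL(p.realm);
  if (p.service) u.searchParams.set("service", p.service);
  if (p.scope) u.searchParams.set("scope", p.scope);
  return u.toString();
}
```

With the unpatched header the client's token request goes to `auth.docker.io`, matching the timeout in the containerd log; with the patched header it goes to the proxy host, whose token endpoint then has to forward the request upstream.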