Akemi

Using a proxy on Windows 10 so Docker can pull images from the external network

2025/02/24

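Difficulties

External-network image

I need to pull an image hosted on registry.k8s.io: registry.k8s.io/ingress-nginx/controller:v1.8.2
It cannot be pulled through the usual registry mirrors (image accelerators).

Using Docker on Windows

Using Docker on Windows 10 requires installing Docker Desktop, and Docker Desktop conflicts with VMware Workstation, so it is not worth it.

Network layout

The Linux host and the Windows host must be able to reach each other directly, that is, through one of the interfaces shown in the figure below:

  • ZeroTier uses flat layer-2 communication, and my interface endpoint here is not reachable from the peer's subnet, so it cannot be used
  • VMnet is VMware's virtual network adapter, and it is of the NAT type, so it can be used

In other words, create a Linux VM in VMware and have it use the Windows host's proxy to reach the external network.

Clush configuration

As shown, the proxy on the Windows side listens at http://192.168.8.1:7899

Linux configuration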

```bash
# Create the drop-in directory first; tee fails if it does not exist
sudo mkdir -p /etc/systemd/system/docker.service.d
sudo tee /etc/systemd/system/docker.service.d/proxy.conf <<EOF
[Service]
Environment="HTTP_PROXY=http://192.168.8.1:7899"
Environment="HTTPS_PROXY=http://192.168.8.1:7899"
Environment="NO_PROXY=localhost,127.0.0.1,.example.com"
EOF
sudo systemctl daemon-reload
sudo systemctl restart docker

# Show the current configuration
systemctl show docker --property Environment
Environment=HTTP_PROXY=http://192.168.8.1:7899 HTTPS_PROXY=http://192.168.8.1:7899 NO_PROXY=localhost,127.0.0.1,.example.com
```

Troubleshooting steps

**Pull fails**

```
docker pull registry.k8s.io/ingress-nginx/controller:v1.8.2
Error response from daemon: Head "https://us-west2-docker.pkg.dev/v2/k8s-artifacts-prod/images/ingress-nginx/controller/manifests/v1.8.2": dial tcp 142.250.99.82:443: i/o timeout
```

The direct pull fails: the host cannot reach the external network.

**Check DNS resolution**

```
dig registry.k8s.io
; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el7_9.16 <<>> registry.k8s.io
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36895
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; MBZ: 0x0005, udp: 4000
;; QUESTION SECTION:
;registry.k8s.io. IN A
;; ANSWER SECTION:
registry.k8s.io. 5 IN A 34.96.108.209
;; Query time: 15 msec
;; SERVER: 192.168.8.2#53(192.168.8.2)
;; WHEN: Mon Feb 24 00:45:00 EST 2025
;; MSG SIZE rcvd: 60
```

**Check registry.k8s.io**

```
curl -v -x http://192.168.8.1:7899 https://registry.k8s.io/v2/

* About to connect() to proxy 192.168.8.1 port 7899 (#0)
* Trying 192.168.8.1...
* Connected to 192.168.8.1 (192.168.8.1) port 7899 (#0)
* Establish HTTP proxy tunnel to registry.k8s.io:443
> CONNECT registry.k8s.io:443 HTTP/1.1
> Host: registry.k8s.io:443
> User-Agent: curl/7.29.0
> Proxy-Connection: Keep-Alive
< HTTP/1.1 200 Connection established
```

**Check the proxy: connection to the repository**

```
curl -v https://us-west2-docker.pkg.dev
* About to connect() to us-west2-docker.pkg.dev port 443 (#0)
* Trying 108.177.98.82...

[root@test ~]#
[root@test ~]# curl -v -x http://192.168.8.1:7899 https://us-west2-docker.pkg.dev
* About to connect() to proxy 192.168.8.1 port 7899 (#0)
* Trying 192.168.8.1...
* Connected to 192.168.8.1 (192.168.8.1) port 7899 (#0)
* Establish HTTP proxy tunnel to us-west2-docker.pkg.dev:443
> CONNECT us-west2-docker.pkg.dev:443 HTTP/1.1
> Host: us-west2-docker.pkg.dev:443
> User-Agent: curl/7.29.0
> Proxy-Connection: Keep-Alive
>
< HTTP/1.1 200 Connection established
<
* Proxy replied OK to CONNECT request
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none
* SSL connection using TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
* Server certificate:
* subject: CN=*.googlecode.com
* start date: Feb 03 08:37:03 2025 GMT
* expire date: Apr 28 08:37:02 2025 GMT
* common name: *.googlecode.com
* issuer: CN=WR2,O=Google Trust Services,C=US
> GET / HTTP/1.1
> User-Agent: curl/7.29.0
> Host: us-west2-docker.pkg.dev
> Accept: */*
```

If DNS resolution works and curl can reach the endpoint through the proxy, then the proxy and the path in between are fine.
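The pull only works if both registry.k8s.io and the redirect target us-west2-docker.pkg.dev go through the proxy. The following added example (not from the original post) reads the `Environment=` line printed by `systemctl show docker --property Environment` and reports, per host, whether the daemon would use the proxy or connect directly. The function names are hypothetical, and the `NO_PROXY` rules are an assumption: the domain-name matching documented for Go's proxy handling (a bare name matches itself and its subdomains, a leading dot matches subdomains only, `*` matches everything), without CIDR or port entries.

```shell
#!/bin/sh
# Constructed sample: the Environment= line shown in the article.
SAMPLE='Environment=HTTP_PROXY=http://192.168.8.1:7899 HTTPS_PROXY=http://192.168.8.1:7899 NO_PROXY=localhost,127.0.0.1,.example.com'

# env_value LINE NAME -> prints the value of NAME; exit status 1 if absent.
# Assumes values contain no spaces (true for proxy URLs and host lists).
env_value() (
    set -f                          # no globbing while word-splitting
    for kv in ${1#Environment=}; do
        if [ "${kv%%=*}" = "$2" ]; then
            printf '%s\n' "${kv#*=}"
            exit 0
        fi
    done
    exit 1
)

# bypasses_proxy HOST NO_PROXY -> exit status 0 if HOST skips the proxy.
bypasses_proxy() (
    set -f; IFS=','
    for entry in $2; do
        case "$entry" in
            '')  continue ;;
            '*') exit 0 ;;                                   # bypass everything
            .*)  case "$1" in *"$entry") exit 0 ;; esac ;;   # subdomains only
            *)   case "$1" in "$entry"|*".$entry") exit 0 ;; esac ;;
        esac
    done
    exit 1
)

# route_for LINE HOST -> prints "proxy <url>" or "direct" for an HTTPS registry.
route_for() (
    proxy=$(env_value "$1" HTTPS_PROXY) || { echo direct; exit 0; }
    no_proxy=$(env_value "$1" NO_PROXY) || no_proxy=
    if bypasses_proxy "$2" "$no_proxy"; then
        echo direct
    else
        echo "proxy $proxy"
    fi
)

# Hosts taken from the pull error and the curl checks in the article.
for h in registry.k8s.io us-west2-docker.pkg.dev; do
    printf '%-26s %s\n' "$h" "$(route_for "$SAMPLE" "$h")"
done
```

On a live host, pass the real output instead of the sample: `route_for "$(systemctl show docker --property Environment)" registry.k8s.io`. A `direct` result for either host means the daemon will hit the same `i/o timeout` as the failed pull.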

Pull succeeded
