搭建 docker https 私有仓库

创建私有仓库配置目录
# Create the registry configuration directory (the TLS key and certificate are
# written here by the later steps) and switch into it; cd only runs if mkdir succeeds.
mkdir -p /opt/docker/registry/config/ \
  && cd /opt/docker/registry/config/
生成自签名证书

修改配置文件openssl.cnf

# By default the certificate is only valid for access by domain name; to make it valid for access by IP address, openssl.cnf has to be modified.
# On Redhat7 and CentOS the file is located at /etc/pki/tls/openssl.cnf. In its [ v3_ca ] section, add a subjectAltName option:
# NOTE(review): this edits the system-wide openssl.cnf, so every certificate later generated
# through [ v3_ca ] on this host gets the same IP SAN. Consider making the change in a private
# copy of the file passed to openssl with -config, or reverting the line once the certificate exists.
[ v3_ca ]
subjectAltName = IP:192.168.238.104

生成证书

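# Generate a self-signed certificate plus a 2048-bit RSA key for the registry.
# openssl prompts interactively for the subject fields.
#
# Security notes:
#  - -nodes writes the private key UNENCRYPTED. The subshell sets umask 077 so that
#    domain.key (and domain.crt) are created readable by the owner only; older OpenSSL
#    builds otherwise create the key with the default umask (typically world-readable).
#    The remaining steps run as root, so owner-only files do not get in their way.
#  - -days 36500 is roughly 100 years: the certificate effectively never expires, so a
#    leaked key stays usable until every client's ca.crt has been replaced by hand.
#    A shorter lifetime with planned renewal limits that exposure.
#  - Clients validate the registry address against subjectAltName rather than the
#    Common Name typed at the prompt (presumably true for all current Docker versions;
#    verify for yours). The final command prints the SAN so a missing IP entry is
#    caught here and not at the first docker push.
#
# Everything is chained into one compound command so that, when pasted into a terminal,
# the trailing lines are not swallowed as answers to openssl's prompts.
(
  umask 077
  openssl req -x509 -days 36500 -nodes -newkey rsa:2048 \
    -keyout /opt/docker/registry/config/domain.key \
    -out /opt/docker/registry/config/domain.crt
) && openssl x509 -noout -text -in /opt/docker/registry/config/domain.crt \
  | grep -A1 'Subject Alternative Name'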

Country Name (2 letter code) [XX]:
State or Province Name (full name) []:
Locality Name (eg, city) [Default City]:
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:192.168.238.104:5000
Email Address []:
添加信任证书
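# Make the Docker daemon on this host trust the registry certificate: the certificate is
# installed as ca.crt in the /etc/docker/certs.d/<host>:<port>/ directory for this registry.
mkdir -p /etc/docker/certs.d/192.168.238.104:5000
cp /opt/docker/registry/config/domain.crt "/etc/docker/certs.d/192.168.238.104:5000/ca.crt"

# System-wide trust, for tools other than the Docker daemon (for example curl).
# The certificate is installed as a trust anchor instead of being appended to
# /etc/pki/tls/certs/ca-bundle.crt: on RHEL/CentOS 7 that bundle is generated by
# update-ca-trust, so appended text is lost when the bundle is regenerated, and
# re-running an append adds duplicate entries. The anchor file name is arbitrary.
#
# NOTE(review): this makes the whole host trust the self-signed certificate. If it is
# CA-capable (the stock [ v3_ca ] section sets basicConstraints CA:true; confirm with
# `openssl x509 -noout -text`), whoever obtains the unencrypted domain.key can issue
# certificates for any name that this host will accept. Skip these two commands when
# only Docker needs to reach the registry.
cp /opt/docker/registry/config/domain.crt /etc/pki/ca-trust/source/anchors/docker-registry.crt
update-ca-trust extract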
创建私有仓库
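# Start the private registry with TLS enabled.
#
# Fixes relative to the previous command:
#  - no whitespace after the trailing backslashes (a space after "\" ends the command early);
#  - -p 5000:5000 publishes the registry port, which the clients address as 192.168.238.104:5000;
#  - the directory that actually holds domain.crt/domain.key (/opt/docker/registry/config)
#    is mounted at /certs, read-only, and the REGISTRY_HTTP_TLS_* variables point at the
#    paths INSIDE the container (host paths are not visible there);
#  - the stray "ll " in REGISTRY_HTTP_TLS_KEY is removed; it turned the key path into a
#    separate argument that docker would have taken as the image name.
#
# Security notes:
#  - No authentication is configured: any host that can reach port 5000 can push and pull.
#    Restrict the port with a firewall, or enable the registry's htpasswd authentication
#    (REGISTRY_AUTH=htpasswd, REGISTRY_AUTH_HTPASSWD_REALM, REGISTRY_AUTH_HTPASSWD_PATH).
#  - domain.key should be readable by the owner only; the registry process in the
#    container must run as a user that can still read it (presumably root; verify).
#  - "registry" without a tag follows "latest"; pin a specific tag or digest so the
#    image cannot change underneath a restart.
docker run -d --name my-docker-registry --restart=always \
  -p 5000:5000 \
  -v /opt/docker/registry/data:/var/lib/registry \
  -v /opt/docker/registry/config:/certs:ro \
  -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt \
  -e REGISTRY_HTTP_TLS_KEY=/certs/domain.key \
  registry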
其他机器访问
# Distributing the certificate to the other machines is all that is needed.
# Only domain.crt (the public certificate) is copied; domain.key stays on the registry host.
# The target directory name must match the registry address the clients use, port included.
ssh 192.168.238.105 'mkdir -p /etc/docker/certs.d/192.168.238.104:5000'
scp /opt/docker/registry/config/domain.crt \
  '192.168.238.105:/etc/docker/certs.d/192.168.238.104:5000/ca.crt'
测试
# 清屏
[root@worker1 config]# clear

# 查看docker镜像
[root@worker1 config]# docker images
REPOSITORY                              TAG                 IMAGE ID            CREATED             SIZE
hello                                   1.0                 e56a8c5efc41        8 days ago          615 MB
registry                                latest              33fbbf4a24e5        2 weeks ago         24.2 MB
quay.io/calico/node                     v3.1.3              7eca10056c8e        7 months ago        248 MB
quay.io/calico/typha                    v0.7.4              c8f53c1b7957        7 months ago        56.9 MB
quay.io/calico/cni                      v3.1.3              9f355e076ea7        7 months ago        68.8 MB
k8s.gcr.io/coredns                      1.1.3               b3b94275d97c        7 months ago        45.6 MB
k8s.gcr.io/kubernetes-dashboard-amd64   v1.8.3              0c60bcf89900        11 months ago       102 MB
k8s.gcr.io/pause-amd64                  3.1                 da86e6ba6ca1        13 months ago       742 kB
nginx                                   1.7.9               84581e99d807        3 years ago         91.6 MB

# 将hello:1.0打标签
[root@worker1 config]# docker tag hello:1.0 192.168.238.104:5000/hello:1.0

# 推送192.168.238.104:5000/hello:1.0,下面结果是因为私有仓库已经有了那个镜像
[root@worker1 config]# docker push 192.168.238.104:5000/hello:1.0
The push refers to a repository [192.168.238.104:5000/hello]
5830a2665ff3: Layer already exists 
a8d9117e971d: Layer already exists 
071d8bd76517: Layer already exists 
1.0: digest: sha256:a427ca567336983fb392184959021510e637e641d1d00c126b8856647b575c66 size: 954

# 删除本地镜像
[root@worker1 config]# docker rmi 192.168.238.104:5000/hello:1.0
Untagged: 192.168.238.104:5000/hello:1.0
Untagged: 192.168.238.104:5000/hello@sha256:a427ca567336983fb392184959021510e637e641d1d00c126b8856647b575c66

# 拉取仓库镜像
[root@worker1 config]# docker pull 192.168.238.104:5000/hello:1.0
1.0: Pulling from hello
Digest: sha256:a427ca567336983fb392184959021510e637e641d1d00c126b8856647b575c66
Status: Downloaded newer image for 192.168.238.104:5000/hello:1.0
