docker 私有registry部署(ssl加密和用户名密码)
实验环境:
操作系统centos 7.4
IP:172.16.10.64 172.16.10.65
1,在172.16.10.65上拉取docker regist镜像文件
[root@localhost home]# docker pull registry
2: Pulling from library/registry
Digest: sha256:672d519d7fd7bbc7a448d17956ebeefe225d5eb27509d8dc5ce67ecb4a0bce54
Status: Downloaded newer image for registry:2
2,生成自身的CA证书
注意Common Name最好写为registry的域名
[root@localhost registry]# openssl req -newkey rsa:4096 -nodes -sha256 -keyout /home/registry/certs/domain.key -x509 -days 365 -out /home/registry/certs/domain.crt
Generating a 4096 bit RSA private key
....................................................................................................................++
...++
writing new private key to '/home/registry/certs/domain.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:bj
State or Province Name (full name) []:bj
Locality Name (eg, city) [Default City]:bj
Organization Name (eg, company) [Default Company Ltd]:tl
Organizational Unit Name (eg, section) []:tl
Common Name (eg, your name or your server's hostname) []:myregistry.com
Email Address []:[email protected]
3,使用registry镜像生成用户名和密码文件
docker run --entrypoint htpasswd registry -Bbn qiulei 123456 >>/home/registry/auth/htpasswd
4,运行registry并指定参数
包括了用户密码文件和CA书位置。
--restart=always 始终自动重启
docker run -d -p 5000:5000 --restart=always --name registry -v /home/registry/auth:/auth -e "REGISTRY_AUTH=htpasswd" -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd -v /home/registry/certs:/certs -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt -e REGISTRY_HTTP_TLS_KEY=/certs/domain.key registry
5,由于使用的是自签名的证书,所以需要添加domain.crt文件至各自的OS中
Linux:将domain.crt文件复制到 /etc/docker/certs.d/myregistrydomain.com:5000/ca.crt每个Docker主机上。您不需要重新启动Docker。
Windows服务器:
打开Windows资源管理器,右键单击该domain.crt 文件,然后选择安装证书。出现提示时,请选择以下选项:
商店地址 本地机器
将所有证书放入下列商店 选
单击浏览器并选择受信任的根证书颁发机构。
点击完成。重新启动Docker。
6,添加域名解析,修改hosts文件或者添加DNS记录。
[root@localhost registry]# vi /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
172.16.10.65 myregistry.com
7,验证测试
172.16.10.65使用添加了hosts域名解析和ca证书而172.16.10.64则没有
在65上测试登录
[root@localhost registry]# docker login myregistry.com:5000
Username: qiulei
Password:
Login Succeeded
登录成功
提交本地的镜像文件至myregisry服务中
[root@localhost home]# docker tag nginx:latest myregistry.com:5000/my_nginx
An image does not exist locally with the tag: myregistry.com:500/my_nginx
[root@localhost home]# docker push myregistry.com:5000/my_nginx
The push refers to repository [myregistry.com:5000/my_nginx]
a103d141fc98: Pushed
73e2bd445514: Pushed
2ec5c0a4cb57: Pushed
latest: digest: sha256:926b086e1234b6ae9a11589c4cece66b267890d24d1da388c96dd8795b2ffcfb size: 948
[root@localhost home]# docker images
myregistry.com:5000/my_nginx latest 3f8a4339aadd 5 weeks ago 108MB
在64上登录,登录失败,也无法上传文件
[root@localhost ~]# docker login myregistry.com:5000
Username: qiulei
Password:
Error response from daemon: Get https://myregistry.com:5000/v2/: x509: certificate signed by unknown authority
[root@localhost ~]# docker pull myregistry.com:5000/my_ubuntu
Using default tag: latest
Error response from daemon: Get https://myregistry.com:5000/v2/: x509: certificate signed by unknown authority