Setting up a private Docker registry (TLS encryption and user authentication)

Deploying a private Docker registry (SSL encryption plus username/password)

Lab environment:
Operating system: CentOS 7.4
IPs: 172.16.10.64 and 172.16.10.65

1. Pull the Docker registry image on 172.16.10.65

[root@localhost home]# docker pull registry
2: Pulling from library/registry
Digest: sha256:672d519d7fd7bbc7a448d17956ebeefe225d5eb27509d8dc5ce67ecb4a0bce54
Status: Downloaded newer image for registry:2

2. Generate your own self-signed certificate to act as the CA
Note: the Common Name should be set to the registry's domain name.

[root@localhost registry]# openssl req -newkey rsa:4096 -nodes -sha256 -keyout /home/registry/certs/domain.key -x509 -days 365 -out /home/registry/certs/domain.crt
Generating a 4096 bit RSA private key
....................................................................................................................++
...++
writing new private key to '/home/registry/certs/domain.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:bj
State or Province Name (full name) []:bj
Locality Name (eg, city) [Default City]:bj
Organization Name (eg, company) [Default Company Ltd]:tl
Organizational Unit Name (eg, section) []:tl
Common Name (eg, your name or your server's hostname) []:myregistry.com
Email Address []:[email protected]

3. Use the registry image to generate the username/password file

docker run --entrypoint htpasswd registry -Bbn qiulei 123456 >>/home/registry/auth/htpasswd

4. Run the registry with the required parameters
These include the location of the password file and the certificate.
--restart=always: always restart the container automatically

docker run -d -p 5000:5000 --restart=always --name registry \
  -v /home/registry/auth:/auth \
  -e "REGISTRY_AUTH=htpasswd" \
  -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" \
  -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd \
  -v /home/registry/certs:/certs \
  -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt \
  -e REGISTRY_HTTP_TLS_KEY=/certs/domain.key \
  registry
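Before starting the container, it is worth checking the two inputs that silently break authentication and TLS: the registry's htpasswd backend only accepts bcrypt hashes (which is why step 3 uses htpasswd -B; an MD5 or SHA1 entry is rejected at every login), and the private key mounted into the container should not be readable by other users on the host. The following pre-flight script is an added example and is not part of the original post; it assumes the post's directory layout under /home/registry (pass a different base directory as the first argument to preflight).

```shell
#!/bin/sh
# Added example, not from the original post: pre-flight checks to run on the
# registry host before step 4's `docker run`. Assumes the post's layout
# (/home/registry/auth/htpasswd, /home/registry/certs/domain.crt and
# /home/registry/certs/domain.key); the base directory is an argument.

# The registry's htpasswd backend accepts bcrypt hashes only, which is why
# step 3 uses `htpasswd -B`. Entries made with -m (MD5) or -s (SHA1) fail at
# login time, so every line is checked for a bcrypt prefix ($2a$/$2b$/$2y$).
htpasswd_all_bcrypt() {
    file="$1"
    if [ ! -r "$file" ]; then
        echo "cannot read $file" >&2
        return 1
    fi
    bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        if [ -z "$line" ]; then
            continue
        fi
        case "$line" in
            *:'$2a$'*|*:'$2b$'*|*:'$2y$'*) ;;        # bcrypt: accepted
            *) echo "non-bcrypt entry for user '${line%%:*}'" >&2; bad=1 ;;
        esac
    done < "$file"
    return $bad
}

# The TLS private key is bind-mounted into the container; it should not be
# readable by group or others on the host. `ls -l` is used instead of stat
# because stat's flags differ between GNU and BSD userlands.
key_not_world_readable() {
    perms=$(ls -l "$1" | cut -c5-10)    # group and other permission bits
    case "$perms" in
        *[rwx]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Run all checks against a base directory; non-zero exit on any failure.
preflight() {
    base="${1:-/home/registry}"
    status=0
    for f in "$base/auth/htpasswd" "$base/certs/domain.crt" "$base/certs/domain.key"; do
        if [ ! -f "$f" ]; then
            echo "missing: $f" >&2
            status=1
        fi
    done
    if [ "$status" -ne 0 ]; then
        return 1
    fi
    htpasswd_all_bcrypt "$base/auth/htpasswd" || status=1
    key_not_world_readable "$base/certs/domain.key" || status=1
    return $status
}
```

Source the file and run preflight /home/registry (or just preflight) on the registry host; a zero exit means the password file and key are in a state the container will accept. If the key check fails, chmod 600 /home/registry/certs/domain.key fixes it without restarting anything.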

5. Because the certificate is self-signed, domain.crt must be added to the trust store of each client OS
Linux: copy domain.crt to /etc/docker/certs.d/myregistrydomain.com:5000/ca.crt on every Docker host. Docker does not need to be restarted.

Windows Server:
Open Windows Explorer, right-click the domain.crt file and choose Install Certificate. When prompted, select the following options:
Store Location: Local Machine
Place all certificates in the following store: selected
Click Browse and choose Trusted Root Certification Authorities.
Click Finish. Restart Docker.
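On Linux the Docker client matches the certificate directory on the exact host:port it was given at login, with no scheme. Note that the path quoted in the Linux step above (myregistrydomain.com:5000) is the name from the Docker documentation, while the host actually used for docker login in step 7 is myregistry.com:5000; the directory must be named after the latter, or the client will still report "certificate signed by unknown authority" as 172.16.10.64 does in step 7. The helper below is an added example, not part of the original post; it installs the certificate under that convention and can confirm whether a client already trusts the registry. The optional root-prefix argument is an assumption added so the functions can be exercised without writing to the real /etc.

```shell
#!/bin/sh
# Added example, not from the original post: install the registry's
# self-signed certificate on a Linux Docker client (step 5). Docker looks for
# /etc/docker/certs.d/<host>:<port>/ca.crt, where <host>:<port> is exactly the
# target given to `docker login` (myregistry.com:5000 in step 7), and no
# daemon restart is required. The optional root prefix is an assumption for
# testing in a scratch directory.

# Build the certs.d directory for a registry reference, rejecting a scheme or
# path component so the directory name matches the login target.
certs_dir_for() {
    registry="$1"
    root="${2:-}"
    case "$registry" in
        */*|"")
            echo "use host:port with no scheme or path, e.g. myregistry.com:5000" >&2
            return 1 ;;
    esac
    printf '%s\n' "$root/etc/docker/certs.d/$registry"
}

# Copy domain.crt into place as ca.crt (world-readable is fine: it is public).
install_registry_ca() {
    registry="$1"
    crt="$2"
    root="${3:-}"
    if [ ! -r "$crt" ]; then
        echo "cannot read certificate $crt" >&2
        return 1
    fi
    dir=$(certs_dir_for "$registry" "$root") || return 1
    mkdir -p "$dir"
    cp "$crt" "$dir/ca.crt"
    chmod 644 "$dir/ca.crt"
    echo "installed $dir/ca.crt"
}

# Report whether this client already has a ca.crt for the given registry.
registry_ca_installed() {
    dir=$(certs_dir_for "$1" "${2:-}") || return 1
    [ -f "$dir/ca.crt" ]
}
```

Typical use on a client, as root: install_registry_ca myregistry.com:5000 /home/registry/certs/domain.crt, after copying domain.crt over from the registry host. Running registry_ca_installed myregistry.com:5000 on 172.16.10.64 before attempting the login in step 7 would have flagged the missing certificate ahead of the x509 error.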

6. Add name resolution: edit the hosts file or add a DNS record.

[root@localhost registry]# vi /etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
172.16.10.65 myregistry.com

7. Verification
172.16.10.65 has the hosts entry and the CA certificate installed; 172.16.10.64 has neither.
Test the login on .65

[root@localhost registry]# docker login myregistry.com:5000
Username: qiulei
Password: 
Login Succeeded

Login succeeded

Push a local image to the myregistry service

[root@localhost home]# docker tag nginx:latest myregistry.com:5000/my_nginx
An image does not exist locally with the tag: myregistry.com:500/my_nginx
[root@localhost home]# docker push myregistry.com:5000/my_nginx
The push refers to repository [myregistry.com:5000/my_nginx]
a103d141fc98: Pushed 
73e2bd445514: Pushed 
2ec5c0a4cb57: Pushed 
latest: digest: sha256:926b086e1234b6ae9a11589c4cece66b267890d24d1da388c96dd8795b2ffcfb size: 948

[root@localhost home]# docker images
myregistry.com:5000/my_nginx      latest              3f8a4339aadd        5 weeks ago         108MB

Log in on .64: the login fails, and nothing can be uploaded either

[root@localhost ~]# docker login myregistry.com:5000
Username: qiulei
Password: 
Error response from daemon: Get https://myregistry.com:5000/v2/: x509: certificate signed by unknown authority

[root@localhost ~]# docker pull myregistry.com:5000/my_ubuntu
Using default tag: latest
Error response from daemon: Get https://myregistry.com:5000/v2/: x509: certificate signed by unknown authority
