Generating the certificate and key
First, generate the certificate and key:
[root@server1 ~]# mkdir certs
[root@server1 ~]# openssl req -newkey rsa:4096 -nodes -sha256 -keyout certs/westos.org.key -x509 -days 365 -out certs/westos.org.crt
Generating a 4096 bit RSA private key
...................................................................................................................................................................++
................................................................++
writing new private key to 'certs/westos.org.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:shaanxi
Locality Name (eg, city) [Default City]:xi'an
Organization Name (eg, company) [Default Company Ltd]:westos
Organizational Unit Name (eg, section) []:linux
Common Name (eg, your name or your server's hostname) []:reg.westos.org
Email Address []:root@westos.org
[root@server1 ~]# ls
busybox.tar certs harbor-offline-installer-v1.10.1.tgz
[root@server1 ~]# cd certs/
[root@server1 certs]# ls %the certificate and key have been generated
westos.org.crt westos.org.key
[root@server1 certs]# cat /etc/hosts %hosts file, with the registry's address resolution added
172.25.11.1 reg.westos.org
[root@server1 ~]# docker load -i registry2.tar %load the registry image
[root@server1 ~]# docker tag registry:2 registry:latest %tag registry:2 additionally as registry:latest
[root@server1 ~]# docker images %list images
[root@server1 ~]# docker run -d --name registry -v /opt/registry:/var/lib/registry -p 443:443 -v "$(pwd)"/certs:/certs -e REGISTRY_HTTP_ADDR=0.0.0.0:443 -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/westos.org.crt -e REGISTRY_HTTP_TLS_KEY=/certs/westos.org.key registry %bring up the registry container in the background, serving TLS on port 443 with the certificate and key mounted from ./certs
[root@server1 ~]# docker tag nginx:latest reg.westos.org/nginx:latest %re-tag nginx under the local reg.westos.org registry
[root@server1 ~]# docker push reg.westos.org/nginx:latest %push the reg.westos.org/nginx:latest image
If the following error appears, Docker cannot verify the certificate: we have not given the Docker client the certificate yet.
Give it the certificate:
[root@server1 ~]# mkdir -p /etc/docker/certs.d/reg.westos.org %create the reg.westos.org subdirectory under Docker's certificate directory
[root@server1 ~]# ls
busybox.tar certs
[root@server1 ~]# cp certs/westos.org.crt /etc/docker/certs.d/reg.westos.org/ca.crt %copy the certificate into Docker's certificate directory as ca.crt
[root@server1 ~]# cd /etc/docker/certs.d/reg.westos.org/
[root@server1 reg.westos.org]# ls
ca.crt
Check the pushed content over the API; the test succeeds:
[root@server1 reg.westos.org]# curl -k https://reg.westos.org/v2/game2048/tags/list
[root@server1 reg.westos.org]# curl -k https://reg.westos.org/v2/_catalog
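The certificate, hostname and client-trust steps above, as an added example that is not part of the original post. It assumes the same hostname reg.westos.org and the same file names westos.org.crt and westos.org.key, and adds one thing the post's openssl command lacks: a subjectAltName. Current Docker clients (Go's TLS stack since Go 1.15) ignore a hostname that appears only in the CN field, so a certificate made exactly as above can be rejected with a hostname-mismatch error even after ca.crt is installed. The script also checks that key and certificate belong together and that the hostname verifies before the registry container is started. Function names, the DN values and the DOCKER_DIR parameter are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example, not from the original post: generate the registry's self-signed
# certificate with a subjectAltName, verify it against the hostname and key, and
# install it where the Docker client expects it. Hostname, DN fields, file names
# and key size below are assumptions chosen to mirror the post.

# gen_registry_cert HOST OUTDIR [BITS]
# Writes OUTDIR/<domain>.key and OUTDIR/<domain>.crt, where <domain> is HOST
# without its first label (reg.westos.org -> westos.org), matching the post's
# file names. The subjectAltName is required: Docker's Go TLS stack ignores a
# hostname that appears only in the CN.
gen_registry_cert() {
    host=$1; outdir=$2; bits=${3:-4096}
    domain=${host#*.}
    mkdir -p "$outdir"
    cat > "$outdir/openssl.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
C = cn
ST = shaanxi
O = westos
CN = $host
[ext]
subjectAltName = DNS:$host
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
EOF
    openssl req -x509 -newkey "rsa:$bits" -nodes -sha256 -days 365 \
        -config "$outdir/openssl.cnf" -extensions ext \
        -keyout "$outdir/$domain.key" -out "$outdir/$domain.crt"
    # -nodes leaves the private key unencrypted on disk: keep it root-only.
    chmod 600 "$outdir/$domain.key"
}

# cert_matches_host CERT HOST: succeeds only if openssl's hostname check
# (the same SAN/CN logic a TLS client applies) accepts HOST for CERT.
cert_matches_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'
}

# key_matches_cert CERT KEY: succeeds if the key's public half is the one in
# the certificate, which catches a mismatched -keyout/-out pair before the
# registry container fails to start.
key_matches_cert() {
    c=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
    k=$(openssl pkey -in "$2" -pubout | openssl sha256)
    [ "$c" = "$k" ]
}

# install_registry_ca CERT HOST [DOCKER_DIR]
# Mirrors the post's mkdir -p /etc/docker/certs.d/HOST && cp ... ca.crt step;
# DOCKER_DIR is a parameter so the same function serves server2 and tests.
install_registry_ca() {
    cert=$1; host=$2; docker_dir=${3:-/etc/docker}
    mkdir -p "$docker_dir/certs.d/$host"
    cp "$cert" "$docker_dir/certs.d/$host/ca.crt"
}

# Stand-alone use: ./registry_cert.sh reg.westos.org certs [4096]
if [ $# -ge 2 ]; then
    gen_registry_cert "$1" "$2" "${3:-4096}"
    cert_matches_host "$2/${1#*.}.crt" "$1" && echo "certificate matches $1"
    key_matches_cert "$2/${1#*.}.crt" "$2/${1#*.}.key" && echo "key matches certificate"
fi
```

To test the registry without -k, point curl at the certificate instead of disabling verification: curl --cacert certs/westos.org.crt https://reg.westos.org/v2/_catalog. The install_registry_ca step is the same one the post repeats on server2 later.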
[root@server1 ~]# mkdir auth %create the authentication directory in the home directory
[root@server1 ~]# cd auth/ %enter the authentication directory
[root@server1 auth]# yum install -y httpd-tools %install the package that provides htpasswd
[root@server1 auth]# htpasswd --help %show usage
[root@server1 auth]# cd
[root@server1 ~]# htpasswd -Bc auth/htpasswd admin %create the admin user's credentials (pass -c only the first time; using it again recreates the file and overwrites the existing entries)
[root@server1 ~]# htpasswd -B auth/htpasswd lyb %create the lyb user's credentials
[root@server1 ~]# docker rm -f registry %remove the registry container started above
[root@server1 ~]# docker run -d --name registry -v /opt/registry:/var/lib/registry -p 443:443 -v "$(pwd)"/certs:/certs -e REGISTRY_HTTP_ADDR=0.0.0.0:443 -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/westos.org.crt -e REGISTRY_HTTP_TLS_KEY=/certs/westos.org.key -v "$(pwd)"/auth:/auth -e "REGISTRY_AUTH=htpasswd" -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd registry %re-launch the registry container, now with htpasswd authentication
Use docker ps to check that the container is running and docker logs registry to check the log for errors.
Once the registry requires authentication, you must log in before pushing or pulling; without logging in you get an error, as shown below.
cat /root/.docker/config.json shows the stored login credentials.
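Helpers for the htpasswd step, added here as an example that is not from the original post. They cover the three points the post raises: -c must only be used for the first user (the wrapper decides that automatically), the registry's htpasswd backend accepts only bcrypt entries (which is why -B is used; the checker flags anything else), and the credentials that docker login writes to /root/.docker/config.json are only base64-encoded (the decoder shows exactly what anyone able to read that file obtains, so it must be protected like a password file). Function names and the sample data in the test are assumptions; the hash strings are constructed placeholders, not real hashes.

```shell
#!/bin/sh
# Added example, not from the original post: helpers around the htpasswd
# authentication step. User names, file paths and sample entries are
# assumptions; hash strings used as test data are constructed placeholders.

# htpasswd_add FILE USER
# Wraps the post's htpasswd -Bc / -B commands: -c (create) is passed only when
# FILE does not exist yet, so adding a second user can never wipe the first.
# -B selects bcrypt, the only hash format the registry's htpasswd backend
# accepts. htpasswd prompts for the password interactively.
htpasswd_add() {
    if [ -f "$1" ]; then
        htpasswd -B "$1" "$2"
    else
        htpasswd -Bc "$1" "$2"
    fi
}

# htpasswd_check_bcrypt FILE
# Fails if any non-empty line is not "user:$2a$/$2b$/$2y$...", i.e. was made
# with -m (MD5) or -s (SHA1); such users cannot log in to the registry even
# though htpasswd accepted them without complaint.
htpasswd_check_bcrypt() {
    awk -F: 'NF && $2 !~ /^\$2[aby]\$/ { bad++ } END { exit (bad ? 1 : 0) }' "$1"
}

# docker_config_auth CONFIG_JSON REGISTRY
# Prints the "user:password" that docker login stored for REGISTRY. The auth
# value is only base64, not encrypted, which is why ~/.docker/config.json must
# be readable by root only (or replaced by a credential helper).
docker_config_auth() {
    tr -d ' \n\t' < "$1" \
        | sed -n "s/.*\"$2\":{\"auth\":\"\([^\"]*\)\".*/\1/p" \
        | base64 -d
}

# Stand-alone use: ./registry_auth.sh auth/htpasswd admin
if [ $# -ge 2 ]; then
    htpasswd_add "$1" "$2"
    htpasswd_check_bcrypt "$1" && echo "all entries in $1 are bcrypt"
fi
```

Run htpasswd_check_bcrypt auth/htpasswd before restarting the registry container; a non-zero exit means one of the entries will silently fail to authenticate.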
server2: pulling from server1's local registry
Configure server2 the same way server1 was configured:
yum install -y docker-ce %install docker-ce
systemctl enable --now docker %start docker and enable it at boot
docker info %show docker information
vim /etc/hosts %edit the hosts file and add 172.25.11.1 reg.westos.org
Copy the certificate from server1 to server2, into the same /etc/docker/certs.d/reg.westos.org/ca.crt path.
[root@server2 docker]# docker login reg.westos.org %log in
[root@server2 docker]# docker pull reg.westos.org/nginx %pull; succeeds