docker搭建RegistryHTTPS协议私有仓库

搭建企业私有的镜像仓库，满足从开发环境推送和拉取镜像。当我们使用k8s来编排和调度容器时，操作的基本单位是镜像，所以需要从仓库去拉取镜像到当前的工作节点。本来使用公共的docker hub完全可以满足我们的需求，也非常方便，但是上传的镜像任何人都可以访问，其次docker hub的私有仓库又是收费的，所以从安全和商业两方面考虑，企业必须搭建自己的私有镜像仓库

为了保证镜像传输安全，从开发环境向私有仓库推送和拉取镜像时，一般使用https的方式

由于没有购买真实的域名，无法和第三方证书颁发机构进行交互性验证，所以决定自己生产一个自签名证书，添加到私有仓库，然后让docker客户端信任此证书。
创建一个用于存储证书和私钥的目录certs

[root@Docker-Registry ~]# mkdir -p certs


[root@Docker-Registry ~]# openssl req \
> -newkey rsa:4096 -nodes -sha256 -keyout certs/domain.key \
> -x509 -days 365 -out certs/domain.crt 

注意提前想好域名(如：docker.ehaofang.net)，并将其作为CN

Generating a 4096 bit RSA private key
..................++
......................++
writing new private key to 'certs/domain.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:xiaohuixing
string is too long, it needs to be less than  2 bytes long
Country Name (2 letter code) [XX]:
State or Province Name (full name) []:
Locality Name (eg, city) [Default City]:
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:docker.ehaofang.net
Email Address []:

运行容器，启动镜像仓库

使用docker开源的Registry:2镜像

[root@Docker-Registry ~]# docker run -d \
>   --restart=always \
>   --name docker.ehaofang.net \
>   -v `pwd`/certs:/certs \
>   -e REGISTRY_HTTP_ADDR=0.0.0.0:443 \
>   -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt \
>   -e REGISTRY_HTTP_TLS_KEY=/certs/domain.key \
>   -p 443:443 \
>   registry:2
Unable to find image 'registry:2' locally
2: Pulling from library/registry
c87736221ed0: Pull complete 
1cc8e0bb44df: Pull complete 
54d33bcb37f5: Pull complete 
e8afc091c171: Pull complete 
b4541f6d3db6: Pull complete 
Digest: sha256:8004747f1e8cd820a148fb7499d71a76d45ff66bac6a29129bfdbfdc0154d146
Status: Downloaded newer image for registry:2
786a9a6b15255acc3e4301904a9d8a16cdd733a7df401a8c89933c995172029c

参数	说明
-d	后台静默运行容器。
-restart	设置容器重启策略。
-name	命名容器。
-v	挂载host的certs/目录到容器的/certs/目录。
-e REGISTRY_HTTP_ADDR	设置仓库主机地址格式。
-e REGISTRY_HTTP_TLS_CERTIFICATE	设置环境变量告诉容器证书的位置。
-e REGISTRY_HTTP_TLS_KEY	设置环境变量告诉容器私钥的位置。
-p	将容器的 443 端口映射到Host的 443 端口。

添加客户端信任
在每台客户端上创建存放证书目录

mkdir -p /etc/docker/certs.d/docker.ehaofang.net

上传证书文件domain.crt到证书目录里

验证push和pull

推送镜像到仓库

[root@k8s-node1-2 ~]# docker push docker.ehaofang.net/images/nginx:v1
The push refers to repository [docker.ehaofang.net/images/nginx]
cf2436e84ea8: Pushed 
ed4a4820ee08: Pushed 
b67d19e65ef6: Pushed 
v1: digest: sha256:224f1b76ad5d6d5878c2dccba5b3dcc8e9a263ff04efdf0f8e0ef8f68c208a44 size: 948

删除本地镜像方便后续验证
                      
[root@k8s-node1-2 ~]# docker rmi docker.ehaofang.net/images/nginx:v1 
Untagged: docker.ehaofang.net/images/nginx:v1
Untagged: docker.ehaofang.net/images/nginx@sha256:224f1b76ad5d6d5878c2dccba5b3dcc8e9a263ff04efdf0f8e0ef8f68c208a44

确认删除镜像
[root@k8s-node1-2 ~]# docker images
REPOSITORY          TAG                 IMAGE ID            CREATED             SIZE
nginx               latest              5a9061639d0a        5 days ago          126MB

再次从私有镜像仓库拉取           
[root@k8s-node1-2 ~]# docker pull docker.ehaofang.net/images/nginx:v1
v1: Pulling from images/nginx
Digest: sha256:224f1b76ad5d6d5878c2dccba5b3dcc8e9a263ff04efdf0f8e0ef8f68c208a44
Status: Downloaded newer image for docker.ehaofang.net/images/nginx:v1

验证pull是否成功
[root@k8s-node1-2 ~]# docker images
REPOSITORY                         TAG                 IMAGE ID            CREATED             SIZE
docker.ehaofang.net/images/nginx   v1                  5a9061639d0a        5 days ago          126MB
nginx                              latest              5a9061639d0a        5 days ago          126MB