Overview: a detailed record of building a company-internal, multi-user Docker registry with a custom CA certificate and HTTPS authentication. One server acts as the remote Docker registry; the other development hosts (server2, server3, and so on) install the certificate and log in, so several development hosts can push images to and pull images from the company's internal registry. Using an internal image registry for the company's CI/CD makes uploads and downloads convenient and secure, and keeps the company's container images under central management.
This assumes Docker is already installed on the server and on the development hosts; if not, see my other post "Ubuntu16.04安装Docker1.12+开发实例+hello world+web应用容器" (installing Docker 1.12 on Ubuntu 16.04 with a hello-world and web-application container example).
docker pull registry:2
mkdir -p ~/docker/certs && openssl req \
-newkey rsa:4096 -nodes -sha256 -keyout ~/docker/certs/domain.key \
-x509 -days 365 -out ~/docker/certs/domain.crt
The prompts and the answers given are as follows:
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:zhejiang
Locality Name (eg, city) []:hangzhou
Organization Name (eg, company) [Internet Widgits Pty Ltd]:rz
Organizational Unit Name (eg, section) []:rz
Common Name (e.g. server FQDN or YOUR name) []:wangxiaolei.com
Email Address []:wov@outlook.com
Note the custom domain: the Common Name must be the registry's own domain name, for example wangxiaolei.com, as entered on the line "Common Name (e.g. server FQDN or YOUR name) []:wangxiaolei.com" above.
mkdir -p ~/docker/auth
docker run --entrypoint htpasswd registry:2 -Bbn wangxiaolei 123456 >>~/docker/auth/htpasswd
docker run --entrypoint htpasswd registry:2 -Bbn wangxiaolei1 123456 >>~/docker/auth/htpasswd
docker run --entrypoint htpasswd registry:2 -Bbn wangxiaolei2 123456 >>~/docker/auth/htpasswd
docker run --entrypoint htpasswd registry:2 -Bbn wangxiaolei3 123456 >>~/docker/auth/htpasswd
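As an added example (my own helper, not part of the original post or of the registry project), the following shell function checks the htpasswd file before it is mounted into the registry container. The registry's htpasswd backend only accepts bcrypt entries (which is what the -B flag above produces), so a line carrying a plaintext password or an MD5/SHA hash would leave that user unable to log in, and appending entries with >> as above makes accidental duplicate usernames easy. The file names and user entries in the demo are constructed for illustration.

```shell
# check_htpasswd FILE
# Prints one problem per line and returns 1 if any entry is unusable;
# returns 0 when every line is "user:<bcrypt hash>" and usernames are unique.
# Needs neither docker nor the htpasswd binary.
check_htpasswd() {
  file="$1"
  status=0
  seen=""
  [ -r "$file" ] || { echo "cannot read $file"; return 1; }
  while IFS= read -r line || [ -n "$line" ]; do
    [ -z "$line" ] && continue
    case "$line" in
      *:*) ;;
      *) echo "malformed (no ':'): $line"; status=1; continue ;;
    esac
    user="${line%%:*}"
    hash="${line#*:}"
    case "$hash" in
      '$2a$'*|'$2b$'*|'$2y$'*) ;;                       # bcrypt, what the registry expects
      '$apr1$'*|'{SHA}'*)
        echo "non-bcrypt hash for user $user (registry requires bcrypt)"; status=1 ;;
      *) echo "plaintext or unknown hash for user $user"; status=1 ;;
    esac
    case " $seen " in
      *" $user "*) echo "duplicate user $user"; status=1 ;;
    esac
    seen="$seen $user"
  done < "$file"
  return $status
}

# Demo on constructed files (hash values below are placeholders, not real bcrypt output)
tmp=$(mktemp -d)
printf '%s\n' 'wangxiaolei:$2y$05$placeholderbcrypthash' \
               'wangxiaolei1:$2y$05$placeholderbcrypthash' > "$tmp/good"
printf '%s\n' 'wangxiaolei:$2y$05$placeholderbcrypthash' \
               'wangxiaolei:$2y$05$anotherplaceholder' \
               'ci-bot:123456' > "$tmp/bad"
if check_htpasswd "$tmp/good"; then echo "good: ok"; fi
if check_htpasswd "$tmp/bad"; then echo "bad: unexpectedly passed"; else echo "bad: rejected"; fi
rm -rf "$tmp"
```

Run it against ~/docker/auth/htpasswd before starting the registry; a non-zero exit means at least one user would silently fail to authenticate.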
sudo service docker restart
docker run -d -p 5000:5000 --restart=always --name registry \
-v ~/docker/auth:/auth \
-e "REGISTRY_AUTH=htpasswd" \
-e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" \
-e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd \
-v ~/docker/certs:/certs \
-e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt \
-e REGISTRY_HTTP_TLS_KEY=/certs/domain.key \
registry:2
scp ~/docker/certs/domain.crt xiaolei@192.168.148.239:~
Place the domain.crt from step 1.6 in Docker's per-registry certificate directory on the development host (/etc/docker/certs.d/<host>:<port>/, with the file named ca.crt):
sudo mkdir -p /etc/docker/certs.d/wangxiaolei.com:5000
sudo cp ~/domain.crt /etc/docker/certs.d/wangxiaolei.com:5000/ca.crt
To also trust the certificate system-wide, copy it into the local CA store and regenerate the bundle:
sudo cp ~/domain.crt /usr/local/share/ca-certificates/myregistrydomain.com.crt
sudo update-ca-certificates
sudo vim /etc/hosts
# add the following line to /etc/hosts
192.168.0.133 wangxiaolei.com
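As an added example (my own helpers, not code from the original post or from Docker), the following covers the two TLS steps above: generating the self-signed certificate on the server (the openssl command in step 1) and installing it under /etc/docker/certs.d on each development host. The generated certificate additionally carries a subjectAltName for the registry domain: current Docker clients (built with Go 1.15 or later) ignore a name that appears only in the Common Name and reject such certificates. The optional certificate-root argument and the PEM sanity checks are my additions so the install step can be tried in a scratch directory without root; openssl is only needed for the generation part.

```shell
# gen_registry_cert DIR HOST
# Same parameters as the openssl command in the post, plus a SAN for HOST.
# -addext needs OpenSSL 1.1.1 or newer.
gen_registry_cert() {
  dir="$1"; host="$2"
  mkdir -p "$dir"
  openssl req -newkey rsa:4096 -nodes -sha256 -x509 -days 365 \
    -subj "/C=CN/ST=zhejiang/L=hangzhou/O=rz/CN=$host" \
    -addext "subjectAltName=DNS:$host" \
    -keyout "$dir/domain.key" -out "$dir/domain.crt" 2>/dev/null
  chmod 600 "$dir/domain.key"   # the private key stays owner-only on the server
}

# cert_has_san CERT HOST -> 0 if the certificate lists HOST as a DNS SAN
cert_has_san() {
  openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"
}

# registry_ca_path HOST:PORT [CERTS_ROOT] -> prints where dockerd expects the CA
# (default root /etc/docker/certs.d; the file must be called ca.crt)
registry_ca_path() {
  root="${2:-/etc/docker/certs.d}"
  printf '%s/%s/ca.crt\n' "$root" "$1"
}

# install_registry_ca CERT HOST:PORT [CERTS_ROOT]
# Copies CERT to the per-registry directory after checking it really is a
# PEM certificate (a common slip is copying domain.key instead of domain.crt).
install_registry_ca() {
  cert="$1"; registry="$2"; root="${3:-/etc/docker/certs.d}"
  dest=$(registry_ca_path "$registry" "$root")
  [ -s "$cert" ] || { echo "certificate $cert missing or empty" >&2; return 1; }
  grep -q 'BEGIN CERTIFICATE' "$cert" || { echo "$cert is not a PEM certificate" >&2; return 1; }
  grep -q 'PRIVATE KEY' "$cert" && { echo "$cert contains a private key, refusing" >&2; return 1; }
  mkdir -p "$(dirname "$dest")"
  cp "$cert" "$dest"
  chmod 644 "$dest"
  printf '%s\n' "$dest"
}

# Demo in a scratch directory (paths constructed; no root needed)
tmp=$(mktemp -d)
if command -v openssl >/dev/null 2>&1; then
  gen_registry_cert "$tmp/certs" wangxiaolei.com
  cert_has_san "$tmp/certs/domain.crt" wangxiaolei.com && echo "SAN for wangxiaolei.com present"
else
  # constructed PEM-shaped stand-in so the install helper can still be exercised
  mkdir -p "$tmp/certs"
  printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIBplaceholder' '-----END CERTIFICATE-----' > "$tmp/certs/domain.crt"
fi
install_registry_ca "$tmp/certs/domain.crt" wangxiaolei.com:5000 "$tmp/etc-docker-certs.d"
rm -rf "$tmp"
```

On a real development host, drop the third argument (or pass /etc/docker/certs.d) and run the install step with sudo; dockerd picks the directory up without a restart.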
docker login wangxiaolei.com:5000
docker pull alpine
2.3.2. Create a new image (tag it)
docker tag alpine wangxiaolei.com:5000/alpine:v1
Here, tag is the tagging operation; alpine is the existing alpine image (default version latest); wangxiaolei.com is the domain name; 5000 is the port; the second alpine is the custom image name; v1 is the custom version number.
2.3.3. Push the newly created image to your own remote Docker registry
docker push wangxiaolei.com:5000/alpine:v1
Pull the alpine image from the registry:
docker pull wangxiaolei.com:5000/alpine:v1
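As an added example (my own code, not part of the original post or of Docker), the following splits an image reference into the parts explained under 2.3.2 (registry host and port, repository, tag) using Docker's naming rule, and uses that to gate a push in a CI script so that internal images only ever go to the company registry. The registry and repository names are the ones from the post; the CI gate itself is an assumption about how one might use the parser.

```shell
# parse_image_ref REF -> prints "registry|repository|tag"
# Docker's rule: the first path component names a registry only if it
# contains '.' or ':' or is "localhost"; otherwise the image lives on
# docker.io, and a single-name image is in the library/ namespace.
# Digest references (@sha256:...) are not handled here.
parse_image_ref() {
  ref="$1"
  case "$ref" in
    */*) first="${ref%%/*}"; rest="${ref#*/}" ;;
    *)   first=""; rest="$ref" ;;
  esac
  case "$first" in
    *.*|*:*|localhost) registry="$first" ;;
    *) registry="docker.io"; rest="$ref" ;;
  esac
  # the tag is what follows the last ':' in the final path component, if any
  last="${rest##*/}"
  case "$last" in
    *:*) tag="${last##*:}"; rest="${rest%:*}" ;;
    *)   tag="latest" ;;
  esac
  case "$registry/$rest" in
    docker.io/*/*) ;;
    docker.io/*) rest="library/$rest" ;;
  esac
  printf '%s|%s|%s\n' "$registry" "$rest" "$tag"
}

# push_allowed REF ALLOWED_REGISTRY -> 0 only if REF targets ALLOWED_REGISTRY
push_allowed() {
  reg=$(parse_image_ref "$1" | cut -d'|' -f1)
  [ "$reg" = "$2" ]
}

# Demo with the references from the post
for ref in alpine wangxiaolei.com:5000/alpine:v1 wangxiaolei.com:5000/alpine; do
  printf '%-34s -> %s\n' "$ref" "$(parse_image_ref "$ref")"
done
if push_allowed wangxiaolei.com:5000/alpine:v1 wangxiaolei.com:5000; then
  echo "push allowed: stays inside the internal registry"
fi
if ! push_allowed alpine wangxiaolei.com:5000; then
  echo "push refused: 'alpine' would go to docker.io/library/alpine"
fi
```

In a CI job, run push_allowed "$IMAGE" wangxiaolei.com:5000 before docker push; the untagged name alpine resolves to docker.io, which is exactly the mistake the check catches.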