Docker private registry: HTTPS + nginx

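1. When you set up a private Docker registry for production use, it has to be secured: it needs authentication plus HTTPS.

Create the directories: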

# mkdir -p /data/registry/ && cd /data/registry/ && mkdir auth certs

Create the password file:

# cd /data/registry/

# docker run --entrypoint htpasswd daocloud.io/registry -Bbn huoqiu huoqiu123 > auth/htpasswd

Create the certificate:

# openssl req -x509 -days 3650 -subj '/CN=huoqiu.oo.com/' -nodes -newkey rsa:2048 -keyout certs/registry.key -out certs/registry.crt

Create the container:

# cd /data/registry/

# cat tt.sh
#!/bin/bash

# Resolve the directory this script lives in
dir=$(cd "$(dirname "$0")" && pwd)
# Remove any previous registry container before recreating it
docker stop registry && docker rm registry
docker run -d -p 443:5000 --restart=always \
--name registry \
-v "$dir/auth":/auth \
-e "REGISTRY_AUTH=htpasswd" \
-e "REGISTRY_AUTH_HTPASSWD_REALM=Registry on huoqiu.oo.com" \
-e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd \
-v "$dir/certs":/certs \
-v "$dir/data":/var/lib/registry \
-e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/registry.crt \
-e REGISTRY_HTTP_TLS_KEY=/certs/registry.key \
daocloud.io/registry

# sh tt.sh

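Create the directory that holds the certificate (Docker trusts CA certificates placed under /etc/docker/certs.d/<registry host>/):

# mkdir -p /etc/docker/certs.d/huoqiu.oo.com/

# cp /data/registry/certs/registry.crt /etc/docker/certs.d/huoqiu.oo.com/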

Configure the nginx proxy:

First, copy the generated certificate to the nginx server:

# scp /data/registry/certs/* nginx:/root/oo

# cat sb.conf

server {
    client_max_body_size 0;
    server_name huoqiu.oo.com;
    # "ssl on;" is deprecated; TLS is enabled on the listen directive instead
    listen 443 ssl;
    ssl_certificate /root/oo/registry.crt;
    ssl_certificate_key /root/oo/registry.key;
    ssl_session_timeout 5m;
    # SSLv2 and SSLv3 are broken and are no longer offered
    ssl_protocols TLSv1.2;
    #ssl_ciphers HIGH:!aNULL:!MD5;
    # RC4, 3DES and MD5 suites removed; only forward-secret AES-GCM suites remain
    ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256;
    ssl_prefer_server_ciphers on;
    location / {
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass https://10.10.9.3:443;
    }
}
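
As an added example (not part of the original post), the shell function below checks an nginx config for legacy protocol versions and weak cipher suites (SSLv2/SSLv3, RC4, 3DES, MD5) in the `ssl_protocols` and `ssl_ciphers` lines of a server block like the one above. The function names `audit_nginx_tls` and `write_sample_conf` and the sample config are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the original post): flag weak TLS settings in an
# nginx config. Prints one finding per line; exit status 1 if any were found.
audit_nginx_tls() (
    set -f                                   # no glob expansion when splitting
    findings=0
    while IFS= read -r line; do
        line=${line%%#*}                     # ignore commented-out directives
        case $line in
        *ssl_protocols*)
            value=${line#*ssl_protocols}; value=${value%%;*}
            for tok in $value; do
                case $tok in
                SSLv2|SSLv3|TLSv1|TLSv1.1)
                    echo "weak protocol: $tok"; findings=$((findings + 1)) ;;
                esac
            done ;;
        *ssl_ciphers*)
            value=${line#*ssl_ciphers}; value=${value%%;*}
            for tok in $(printf '%s' "$value" | tr ':' ' '); do
                case $tok in
                '!'*|-*) ;;                  # exclusions remove suites: fine
                *RC4*|*DES*|*MD5*|*NULL*|*EXP*)
                    echo "weak cipher: $tok"; findings=$((findings + 1)) ;;
                esac
            done ;;
        esac
    done < "$1"
    [ "$findings" -eq 0 ]
)

# Constructed sample input (not a real deployment's config).
write_sample_conf() {
    cat > "$1" <<'EOF'
server {
    listen 443 ssl;
    ssl_protocols SSLv2 SSLv3 TLSv1.2;
    #ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:AES128-SHA:RC4-SHA:DES-CBC3-SHA:RC4-MD5;
}
EOF
}

# Stand-alone run: audit the constructed sample.
sample=$(mktemp) && write_sample_conf "$sample"
audit_nginx_tls "$sample" || echo "config needs fixing"
rm -f "$sample"
```

Run it against the real file with `audit_nginx_tls sb.conf` before reloading nginx; a non-zero exit status means at least one weak setting was found.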

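Log in:

# docker login huoqiu.oo.com

Enter the username and password. This creates the file /root/.docker/config.json, which records the authentication information. Unless a credential helper is configured, the credentials are stored there base64-encoded rather than encrypted, so keep the file readable only by its owner.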


Reposted from www.cnblogs.com/cuishuai/p/9107069.html