Original source: https://www.cnblogs.com/zhaojiankai/p/7813969.html
Summary: running a registry container with TLS
Official documentation: https://docs.docker.com/registry/deploying/#run-an-externally-accessible-registry
Running a registry only accessible on localhost has limited usefulness. In order to make your registry accessible to external hosts, you must first secure it using TLS.
Running a registry container with TLS requires a certificate. Normally you would buy a signed certificate from a certificate authority; here we use openssl to generate a self-signed certificate instead.
Environment: 172.16.206.32, CentOS 7.0, hostname: spark32
1. Generate a self-signed certificate
[root@spark32 ~]# mkdir -p /opt/docker/registry/certs
[root@spark32 ~]# openssl req -newkey rsa:4096 -nodes -sha256 -keyout /opt/docker/registry/certs/domain.key -x509 -days 365 -out /opt/docker/registry/certs/domain.crt
Generating a 4096 bit RSA private key
...
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:JiangSu
Locality Name (eg, city) [Default City]:NanJing
Organization Name (eg, company) [Default Company Ltd]:wisedu
Organizational Unit Name (eg, section) []:edu
Common Name (eg, your name or your server's hostname) []:registry.docker.com
Email Address []:01115004@wisedu.com
2. Create a registry container with TLS enabled
[root@spark32 ~]# docker run -d --name registry2 -p 5000:5000 -v /opt/docker/registry/certs:/certs -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt -e REGISTRY_HTTP_TLS_KEY=/certs/domain.key registry:2
3. On the client, create a directory whose name matches the registry server's domain name and port
[root@node1 ~]# cd /etc/docker/certs.d/
[root@node1 certs.d]# mkdir registry.docker.com:5000
4. Copy the certificate domain.crt to /etc/docker/certs.d/registry.docker.com:5000/ca.crt on every Docker client host; no Docker restart is needed
[root@spark32 ~]# scp -p /opt/docker/registry/certs/domain.crt root@172.16.7.151:/etc/docker/certs.d/registry.docker.com\:5000/ca.crt
5. Push an image to the registry
From another client machine, node1, push an image to the registry.
[root@node1 certs.d]# docker tag ubuntu:16.04 registry.docker.com:5000/my-ubuntu:v1
[root@node1 certs.d]# docker push registry.docker.com:5000/my-ubuntu:v1
The push refers to a repository [registry.docker.com:5000/my-ubuntu]
a09947e71dc0: Pushed
9c42c2077cde: Pushed
625c7a2a783b: Pushed
25e0901a71b8: Pushed
8aa4fcad5eeb: Pushed
v1: digest: sha256:634a341aa83f32b48949ef428db8fefcd897dbacfdac26f044b60c14d1b5e972 size: 1357
6. List all images in the private registry
[root@node1 certs.d]# curl -X GET https://registry.docker.com:5000/v2/_catalog -k
{"repositories":["my-ubuntu"]}
7. Inspect the images stored on the registry:2 host
In a private registry created from registry:2, pushed images are stored under /var/lib/registry inside the container. When the registry:2 container is created, a data volume is created automatically; on the host, that volume usually lives under /var/lib/docker/volumes/XXX/_data.
[root@spark32 ~]# ls /var/lib/docker/volumes/91a0091963fa6d107dc988a60b61790bba843a115573e331db967921d5e83372/_data/docker/registry/v2/repositories/my-ubuntu/
_layers _manifests _uploads
This volume mapping can be changed when creating the registry:2 container by passing the -v option:
-v /opt/docker/registry/data:/var/lib/registry
Besides storing data on the local host's filesystem, the registry also supports cloud-based storage backends such as S3, Microsoft Azure, Ceph Rados, OpenStack Swift and Aliyun OSS. These are set in the configuration file: https://github.com/docker/distribution/blob/master/docs/configuration.md#storage
Addendum:
Normally the certificate only supports access by domain name. To allow access by IP address, the openssl.cnf configuration file must be modified.
On Red Hat 7 the file is located at /etc/pki/tls/openssl.cnf. In its [ v3_ca ] section, add the subjectAltName option:
[ v3_ca ]
subjectAltName = IP:192.168.1.104
Generate the certificate:
...
Country Name (2 letter code) [XX]:
State or Province Name (full name) []:
Locality Name (eg, city) [Default City]:
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:172.16.206.32:5000
Email Address []:
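The following is an added example, not code from the original post or from the Docker project. It covers the certificate workflow of steps 1 to 6 and the addendum in one script: the certificate is generated with a subjectAltName that names both the hostname and the IP address from a private OpenSSL config file, so the system-wide /etc/pki/tls/openssl.cnf stays untouched, and it adds the checks worth running before copying the certificate to clients (SAN present, key matches certificate). The hostname, IP address and paths are the post's sample values; the function names and the san.cnf file are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): self-signed registry certificate
# with DNS and IP SAN entries, plus pre-deployment checks. Sample values
# (registry.docker.com, 172.16.206.32) are the post's; function names are ours.

# Generate key + self-signed cert in $1 for DNS name $2 and IP address $3.
gen_registry_cert() {
  dir="$1"; host="$2"; ip="$3"
  mkdir -p "$dir"
  # Private OpenSSL config: unattended subject, SAN covering name and IP,
  # so the global openssl.cnf does not need to be edited.
  cat > "$dir/san.cnf" <<EOF
[ req ]
prompt             = no
distinguished_name = dn
x509_extensions    = v3_req
[ dn ]
CN = $host
[ v3_req ]
subjectAltName   = DNS:$host,IP:$ip
extendedKeyUsage = serverAuth
EOF
  openssl req -newkey rsa:4096 -nodes -sha256 -x509 -days 365 \
    -config "$dir/san.cnf" \
    -keyout "$dir/domain.key" -out "$dir/domain.crt" 2>/dev/null
}

# Succeed if certificate $1 lists SAN entry $2 as openssl prints it,
# e.g. "DNS:registry.docker.com" or "IP Address:172.16.206.32".
cert_has_san() {
  openssl x509 -in "$1" -noout -text \
    | grep -A1 'Subject Alternative Name' \
    | grep -q "$2"
}

# Succeed if private key $1 belongs to certificate $2 (same RSA modulus).
key_matches_cert() {
  k=$(openssl rsa -in "$1" -noout -modulus 2>/dev/null)
  c=$(openssl x509 -in "$2" -noout -modulus)
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# Install certificate $1 as the trusted CA for registry $2 (host:port) under
# the Docker client certs directory $3 (defaults to /etc/docker/certs.d).
install_client_ca() {
  base="${3:-/etc/docker/certs.d}"
  mkdir -p "$base/$2"
  cp -p "$1" "$base/$2/ca.crt"
}

# Query the catalog with the certificate pinned, instead of curl -k.
registry_catalog() {
  curl -sS --cacert "$1" "https://$2/v2/_catalog"
}

# Usage on the registry host (then copy domain.crt to each client host):
#   gen_registry_cert /opt/docker/registry/certs registry.docker.com 172.16.206.32
#   cert_has_san /opt/docker/registry/certs/domain.crt "IP Address:172.16.206.32"
#   key_matches_cert /opt/docker/registry/certs/domain.key /opt/docker/registry/certs/domain.crt
#   install_client_ca /opt/docker/registry/certs/domain.crt registry.docker.com:5000
#   registry_catalog /opt/docker/registry/certs/domain.crt registry.docker.com:5000
```

The `curl -k` in step 6 skips certificate verification entirely, so it tells you nothing about whether the TLS setup is right; `registry_catalog` passes domain.crt with `--cacert` instead, which fails if the name or IP you connect to is not covered by the certificate's SAN, the same check the Docker client performs against ca.crt in /etc/docker/certs.d.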