1,拉取docker registry 镜像
docker pull registry
2,创建证书存放目录
mkdir -p /home/registry
3,生成CA证书
Edit your /etc/ssl/openssl.cnf on the logstash host - add subjectAltName = IP:10.1.10.1 in [v3_ca] section.
一般情况下,证书只支持域名访问,要使其支持IP地址访问,需要修改配置文件openssl.cnf。
在redhat7系统中,openssl.cnf文件所在位置是/etc/pki/tls/openssl.cnf。在其中的[ v3_ca]部分,添加subjectAltName选项:
[ v3_ca ] subjectAltName = IP:10.1.10.1
生成证书
openssl req -newkey rsa:4096 -nodes -sha256 \ -keyout /home/registry/certs/domain.key -x509 \ -days 365 -out /home/registry/certs/domain.crt
注意Common Name最好写为registry的域名
修改权限,并将认证文件添加到(客户端) /etc/docker/certs.d/10.1.10.1:5000/
chcon -Rt svirt_sandbox_file_t /home/registry/certs mkdir -p /etc/docker/certs.d/10.1.10.1:5000/ cp registry/certs/domain.crt /etc/docker/certs.d/10.1.10.1:5000/ca.crt
3,使用registry镜像生成用户名和密码文件
docker run --entrypoint htpasswd registry -Bbn test 1 > /home/registry/auth/htpasswd chcon -Rt svirt_sandbox_file_t /home/registry/
4,运行registry并指定参数。包括了用户密码文件和CA书位置。--restart=always 始终自动重启
docker run -d -p 5000:5000 --restart=always --name registry \ -v /home/registry/auth:/auth \ -e "REGISTRY_AUTH=htpasswd" \ -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" \ -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd \ -v /home/registry/certs:/certs \ -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt \ -e REGISTRY_HTTP_TLS_KEY=/certs/domain.key \ registry
5,登陆和登出
###vim /etc/hosts
docker login 10.1.10.1:5000 -u uesr -p password docker logout 10.1.10.1:5000
6,添加用户
docker run --entrypoint htpasswd registry -Bbn Dapeng 123456 >> /home/registry/auth/htpasswd docker run --entrypoint htpasswd registry -Bbn user123 passwd123 >> /home/registry/auth/htpasswd
无需执行 docker restart registry