这是我在内部部署Docker Registry时记录下来的笔记,操作环境是Centos 7、Docker 18.06.1-ce
1、运行registry
我当前所使用的主机的IP是192.168.1.249,工作目录在:/data/docker/registry,
-
# docker run -d -p 5000:5000 --restart always --name registry \
-
-v /data/docker/registry/data:/var/lib/registry registry:2
此时访问,http://192.168.1.249:5000/v2/_catalog ,返回正常(空json对象),证明部署成功。
2、测试提交镜像
-
# docker pull nginx:alpine
-
# docker tag nginx:alpine 192.168.1.249:5000/nginx-alpine
-
# docker push 192.168.1.249:5000/nginx-alpine
实际不成功,返回错误如下:
-
The push refers
to repository [
192.168.
1.249:
5000/nginx-alpine]
-
Get https:
//192.168.1.249:5000/v2/: http: server gave HTTP response to HTTPS client
查看文档得知,在配置文件中添加insecure-registries然后重启docker即可,如下:
-
# vim /etc/docker/daemon.json
-
{
-
"insecure-registries": [
"192.168.1.249:5000"]
-
}
-
# systemctl restart docker
此时再push果然成功,除了使用配置文件,下面来配置使用自签名证书。
3、使用自签名证书
生成证书要使用域名,我这里定为:registry.docker.local,(不用域名,直接用IP的话,要修改openssl配置文件,建议用域名)
-
# mkdir -p /data/docker/registry/certs
-
# openssl req \
-
-newkey rsa:4096 -nodes -sha256 -keyout /data/docker/registry/certs/domain.key \
-
-x509 -days 365 -out /data/docker/registry/certs/domain.crt
生成证书时要输入一些信息,注意Common Name要输入你使用的域名,其它可直接回车,如下:
-
Country
Name (
2 letter code) [XX]:
-
State
or Province
Name (full
name) []:
-
Locality
Name (eg, city) [
Default City]:
-
Organization
Name (eg, company) [
Default Company Ltd]:
-
Organizational
Unit
Name (eg, section) []:
-
Common
Name (eg, your
name
or your server
's hostname) []:registry.docker.local
-
Email Address []:
启动容器(相关参数按情况调整下,如你可使用443端口,这样在后续就不用带5000这个端口),如下:
-
# docker run -d \
-
--restart=always \
-
--name registry \
-
-v /data/docker/registry/data:/var/lib/registry \
-
-v /data/docker/registry/certs:/certs \
-
-e REGISTRY_HTTP_ADDR=0.0.0.0:5000 \
-
-e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt \
-
-e REGISTRY_HTTP_TLS_KEY=/certs/domain.key \
-
-p 5000:5000 \
-
registry:2
4、测试使用
注意,由于是随便自定义的域名,记得先把域名 registry.docker.local添加到/etc/hosts文件,
-
# docker tag nginx:alpine registry.docker.local:5000/nginx-alpine
-
# docker push registry.docker.local:5000/nginx-alpine
此时报错,如下:
-
The push refers
to repository [registry.docker.
local:
5000/nginx-alpine]
-
Get https:
//registry.docker.local:5000/v2/: x509: certificate signed by unknown authority
看文档,得知要把 domain.crt 文件放到 /etc/docker/certs.d/registry.docker.local:5000/ca.crt ,(注意,你在哪台机做push操作,就放到哪台机呀)
-
# mkdir -p /etc/docker/certs.d/registry.docker.local:5000
-
# cp xxx/domain.crt /etc/docker/certs.d/registry.docker.local:5000/
这时候再push就成功了,如下:
-
# docker push registry.docker.local:5000/nginx-alpine
-
The
push refers to repository [registry.docker.local:
5000/nginx-alpine]
-
a83dbde6ba05: Layer already
exists
-
431a5c7929dd: Layer already
exists
-
39e8483b9882: Layer already
exists
-
df64d3292fd6: Layer already
exists
-
latest: digest: sha256:
57a94fc99816c6aa225678b738ac40d85422e75dbb96115f1bb9b6ed77176166 size:
1153
访问 https://registry.docker.local:5000/v2/_catalog,也看到结果,如下:
-
# curl https://registry.docker.local:5000/v2/_catalog --insecure
-
{
"repositories":[
"nginx-alpine"]}
看来自定义证书还很不方便,可以使用免费证书:https://letsencrypt.org (Let's Encrypt)
参考:
https://docs.docker.com/registry/deploying/
https://docs.docker.com/registry/insecure/#deploy-a-plain-http-registry
原文地址:https://blog.csdn.net/envon123/article/details/83623137