docker version: 20.10.3
One, certificate related
- The identifying information in a certificate is mainly the domain name (or IP address)
unit | needed file | main content of the certificate (the certification authority signs the following content with its private key)
server | server certificate, private key | server basic information, server public key + certification authority information
client | certification authority certificate | certification authority basic information, certification authority public key + certification authority information
certification authority (CA) | private key |
0. Install openssl tool
yum install -y openssl
yum install -y openssl-devel
1. Create two key pairs (public and private keys)
openssl genrsa generates the RSA private key. There is only one file, because the public key is derived from the private key.
openssl rsa -pubout extracts (and lets you view) the public key.
- For simplicity, the private keys are not protected with a passphrase.
openssl genrsa -out ca-private-key.pem 4096
openssl rsa -in ca-private-key.pem -pubout -out ca-public-key.pem
Certification authority (CA):
openssl genrsa -out ca.key 4096
Server:
openssl genrsa -out server.key 4096
2. Obtain the certification authority's certificate (self-signed, i.e. the root certificate)
openssl req -new -x509 -subj "/CN=192.168.1.102" -days 36500 -key ca.key -out ca.crt
- -subj holds the CA's identifying information; CN (Common Name) is the domain name or IP address
3. Obtain the server's certificate
(1) First generate the certificate signing request (CSR), which carries the server information and the server public key:
openssl req -new -subj "/CN=192.168.1.102" -key server.key -out server.csr
(2) Then process the request into a certificate
Certificate extension information:
echo subjectAltName = IP:192.168.1.102,IP:0.0.0.0 >> extfile.cnf
- Putting the IP only in the CN causes a client error ("doesn't contain any IP SANs"), so the IP is added as a subjectAltName extension
- For a domain name, use DNS:<domain name> instead
Generate the certificate:
openssl x509 -req -days 36500 -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -extfile extfile.cnf
The first 4 files
Two, deploy a private Docker registry
1. Run the container
docker run -itd --name hub \
-p 5000:5000 \
-v /a_soft/ca/hub:/certs \
-e REGISTRY_HTTP_ADDR=0.0.0.0:5000 \
-e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/hub.crt \
-e REGISTRY_HTTP_TLS_KEY=/certs/hub.key \
--restart always \
registry
- Beforehand, copy the server certificate and key into the mounted directory (/a_soft/ca/hub) under the names referenced above:
cp server.crt ./hub/hub.crt
cp server.key ./hub/hub.key
- REGISTRY_HTTP_ADDR defaults to port 5000
- Test address: https://192.168.1.102:5000/v2/_catalog
- If REGISTRY_HTTP_TLS_CERTIFICATE and REGISTRY_HTTP_TLS_KEY are omitted, the registry serves plain HTTP instead
2. Configuration related
(1) Place the CA root certificate on the client
mkdir -p /etc/docker/certs.d/192.168.1.102:5000
cp ca.crt /etc/docker/certs.d/192.168.1.102:5000
- The file suffix must be .crt
(2) Allow insecure registries (only needed if the CA certificate was not installed in step (1): this entry lets the daemon skip certificate verification for that host and fall back to plain HTTP)
Edit the configuration file: /etc/docker/daemon.json
Add: "insecure-registries": ["192.168.1.102:5000"]
Restart docker:
systemctl restart docker
3. Test
docker pull lingtony/goweb
docker tag lingtony/goweb 192.168.1.102:5000/goweb:1.0
docker push 192.168.1.102:5000/goweb:1.0
Three, configure Docker remote access
1. Allow access without any authentication (anyone who can reach port 2375 can then control the daemon; use only on an isolated network)
(1) Modify the configuration file: /lib/systemd/system/docker.service
Find the ExecStart line and append: -H tcp://0.0.0.0:2375 -H unix:///var/run/docker.sock
(2) Restart docker
systemctl daemon-reload
systemctl restart docker
(3) Test
Connection string: tcp://192.168.102.135:2375
2. Add certificate verification (mutual TLS)
(1) Modify the configuration file: /lib/systemd/system/docker.service
ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock \
-H tcp://0.0.0.0:2375 -H unix:///var/run/docker.sock \
--tlsverify \
--tlscacert=/a_soft/ca/ca.crt \
--tlscert=/a_soft/ca/server.crt \
--tlskey=/a_soft/ca/server.key
(2) Restart docker (daemon-reload and restart, as above)
(3) Generate the client certificate
- Any certificate issued with ca.key is accepted (even ca.crt itself can be used directly as the client certificate)
openssl genrsa -out client.key 4096
openssl req -new -subj "/CN=client" -key client.key -out client.csr
openssl x509 -req -days 36500 -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out client.crt
The client needs the three files on the left (the CA certificate, the client certificate and the client key),
and they must be renamed as shown in the picture on the right.
Connection string: https://192.168.102.135:2375 (the certificate folder must be specified)
Installing the registry on k8s
Create the namespace: kubectl create namespace a-env
Edit the file: vi a-env-docker-hub.yml
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: docker-hub
  namespace: a-env
spec:
  selector:
    matchLabels:
      app: docker-hub
  replicas: 1
  template:
    metadata:
      labels:
        app: docker-hub
    spec:
      # Restrict to the master node
      nodeName: master
      containers:
        - name: docker-hub
          image: registry
          imagePullPolicy: IfNotPresent
          ports:
            - name: hubssl
              containerPort: 5000
              protocol: TCP
          env:
            - name: REGISTRY_HTTP_ADDR
              value: "0.0.0.0:5000"
            - name: REGISTRY_HTTP_TLS_CERTIFICATE
              value: "/certs/hub.crt"
            - name: REGISTRY_HTTP_TLS_KEY
              value: "/certs/hub.key"
          volumeMounts:
            - name: data
              mountPath: /var/lib/registry
            - name: certs
              mountPath: /certs
      restartPolicy: Always
      volumes:
        - name: data
          hostPath:
            path: /a_soft/docker-hub/data
            type: DirectoryOrCreate
        - name: conf
          hostPath:
            path: /a_soft/docker-hub/conf
            type: DirectoryOrCreate
        - name: certs
          hostPath:
            path: /a_soft/ca/docker-hub
            type: DirectoryOrCreate
---
apiVersion: v1
kind: Service
metadata:
  name: docker-hub
  namespace: a-env
spec:
  selector:
    app: docker-hub
  ports:
    - name: hubssl
      targetPort: hubssl
      protocol: TCP
      port: 5000
      # 5000 is outside the default NodePort range (30000-32767); the apiserver's
      # --service-node-port-range must include it or the Service is rejected
      nodePort: 5000
  type: NodePort
Apply the file: kubectl apply -f a-env-docker-hub.yml
Index: https://blog.csdn.net/u013595395/article/details/114527658