Docker: building a private registry (SSL, authentication)
Environment: CentOS 7, Docker 1.13.1
CentOS 7 Related:
https://www.cnblogs.com/ttkl/p/11041124.html
Docker related (server):
- Install Docker
yum -y install docker-io
- Start Docker and enable it at boot
systemctl start docker
systemctl enable docker
- Pull the registry image
docker pull registry:2
- SSL key generation
# Create a directory for the SSL material
mkdir ~/certs
# Generate the private key and a self-signed certificate (valid 365 days)
openssl req -newkey rsa:2048 -nodes -sha256 -keyout ~/certs/test.registry.com.key -x509 -days 365 -out ~/certs/test.registry.com.crt
- Create a user
# Create the folder that holds the registry login credentials
mkdir ~/auth
# Create a registry user (here user admin with password admin) using the htpasswd tool shipped in the image
docker run --entrypoint htpasswd registry:2 -Bbn admin admin > ~/auth/htpasswd
# The helper container is no longer needed: stop and delete it
docker stop [CONTAINER ID]
docker rm [CONTAINER ID]
- Run the registry container in the background (private registry)
docker run -d -p 5000:5000 --restart=always --name registry \
  -v ~/auth:/auth \
  -e "REGISTRY_AUTH=htpasswd" \
  -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" \
  -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd \
  -v ~/data:/var/lib/registry \
  -v ~/certs:/certs \
  -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/test.registry.com.crt \
  -e REGISTRY_HTTP_TLS_KEY=/certs/test.registry.com.key \
  registry:2
Docker related (client):
TLS encrypted communication:
- Create a folder
mkdir /ssl
cd /ssl
- Create the CA private key
openssl genrsa -aes256 -out ca-key.pem 4096
- Create the CA certificate
openssl req -new -x509 -days 1000 -key ca-key.pem -sha256 -subj "/CN=*" -out ca.pem
- Create the server private key
openssl genrsa -out server-key.pem 4096
- Create the server certificate signing request
openssl req -subj "/CN=*" -sha256 -new -key server-key.pem -out server.csr
- Sign the server certificate with the CA certificate and CA private key
openssl x509 -req -days 1000 -sha256 -in server.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out server-cert.pem
- Generate the client private key
openssl genrsa -out key.pem 4096
- Create the client certificate signing request
openssl req -subj "/CN=client" -new -key key.pem -out client.csr
- Create an extensions file restricting the certificate to client authentication
echo extendedKeyUsage=clientAuth > extfile.cnf
- Sign the client certificate
openssl x509 -req -days 1000 -sha256 -in client.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out cert.pem -extfile extfile.cnf
- Delete unnecessary files
rm -rf ca.srl client.csr extfile.cnf server.csr
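The CA, server and client steps above, as an added shell example that is not part of the original post: it repeats the generation in a scratch directory (using a constructed CA passphrase "ca-secret", a CA subject test-ca and a server subject test.registry.com, none of which are in the original) and then checks what --tlsverify depends on: both leaf certificates chain to the CA, only the client certificate carries the clientAuth usage, and a certificate from another issuer is rejected.

```shell
#!/bin/sh
# Added example (not from the original post). Assumptions not in the original:
# passphrase "ca-secret" (replaces the interactive prompt), subjects test-ca,
# test.registry.com and client. Everything is written to a scratch directory.
set -eu

WORK="$(mktemp -d)"
CA_PASS="pass:ca-secret"   # constructed passphrase for the encrypted CA key

gen_pki() {
  cd "$WORK"
  # CA key (AES-256 encrypted, as in the post) and self-signed CA certificate
  openssl genrsa -aes256 -passout "$CA_PASS" -out ca-key.pem 4096 2>/dev/null
  openssl req -new -x509 -days 1000 -key ca-key.pem -passin "$CA_PASS" -sha256 \
      -subj "/CN=test-ca" -out ca.pem
  # Server key and CSR, signed by the CA (no extensions file)
  openssl genrsa -out server-key.pem 4096 2>/dev/null
  openssl req -subj "/CN=test.registry.com" -sha256 -new -key server-key.pem -out server.csr
  openssl x509 -req -days 1000 -sha256 -in server.csr -CA ca.pem -CAkey ca-key.pem \
      -passin "$CA_PASS" -CAcreateserial -out server-cert.pem 2>/dev/null
  # Client key and CSR, signed with extendedKeyUsage=clientAuth
  openssl genrsa -out key.pem 4096 2>/dev/null
  openssl req -subj "/CN=client" -new -key key.pem -out client.csr
  echo extendedKeyUsage=clientAuth > extfile.cnf
  openssl x509 -req -days 1000 -sha256 -in client.csr -CA ca.pem -CAkey ca-key.pem \
      -passin "$CA_PASS" -CAcreateserial -out cert.pem -extfile extfile.cnf 2>/dev/null
  rm -f ca.srl client.csr extfile.cnf server.csr
}

# Each check returns 0 on success; together they cover what --tlsverify relies on.
server_chains_to_ca() { openssl verify -CAfile "$WORK/ca.pem" "$WORK/server-cert.pem" >/dev/null; }
client_chains_to_ca() { openssl verify -CAfile "$WORK/ca.pem" "$WORK/cert.pem" >/dev/null; }
client_has_clientauth() {
  openssl x509 -in "$WORK/cert.pem" -noout -text | grep -q "TLS Web Client Authentication"
}
# The server cert was signed without the extensions file, so it must not carry clientAuth.
server_lacks_clientauth() {
  ! openssl x509 -in "$WORK/server-cert.pem" -noout -text | grep -q "TLS Web Client Authentication"
}
# A certificate not issued by this CA must be rejected by the same CA file.
foreign_cert_rejected() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/other.key" -out "$WORK/other.pem" \
      -days 1 -subj "/CN=other" 2>/dev/null
  ! openssl verify -CAfile "$WORK/ca.pem" "$WORK/other.pem" >/dev/null 2>&1
}

gen_pki
```

Copy ca.pem, server-cert.pem and server-key.pem to /ssl only after all five checks pass.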
Docker daemon configuration:
# Find the unit file location in the "Loaded:" line
systemctl status docker.service
# Edit the unit file: add the TLS options and listeners to the ExecStart line
ExecStart=... --tlsverify --tlscacert=/ssl/ca.pem --tlscert=/ssl/server-cert.pem --tlskey=/ssl/server-key.pem -H unix:///var/run/docker.sock -H tcp://0.0.0.0:5555 ...
# Restart Docker
systemctl daemon-reload
systemctl restart docker.service
Local hostname alias (hosts file):
Linux:
# Configuration file location
/etc/hosts
# Add a line
ip servername
Windows:
# Configuration file location
C:\Windows\System32\drivers\etc\hosts
# Add a line
ip servername