TLS安全的docker registry —— 自签名证书 安装

自签名docker registry 安装 记录

安全的Docker registry， 包含Authentication， ACL， TLS 等，

不安全的， 包括， 只有签名的（TLS）的认证， 和 完全开放的。

以下是安装Docker registry 后， 利用openssl 生成一个自签名的证书， 用户信任 Registry 的站点。


1. 基本信息

系统 64位RedHat 7.2

[root@ip-172-30-0-61 ~]# hostname ip-172-30-0-61.ec2.internal [root@ip-172-30-0-61 ~]# uname -a Linux ip-172-30-0-61.ec2.internal 3.10.0-327.el7.x86_64 #1 SMP Thu Oct 29 17:29:29 EDT 2015 x86_64 x86_64 x86_64 GNU/Linux [root@ip-172-30-0-61 ~]# cat /etc/redhat-release Red Hat Enterprise Linux Server release 7.2 (Maipo) [root@ip-172-30-0-61 ~]#

 


IP 地址： 172.30.0.61

[root@ip-172-30-0-61 ~]# echo “172.30.0.61     ip-172-30-0-61 ip-172-30-0-61.ec2.internal” >> /etc/hosts


2. 准备证书（自签名）

2.1 创建目录

[root@ip-172-30-0-61 ~]# mkdir /certs -p ; cd /certs/ [root@ip-172-30-0-61 certs]#

2.2 生成证书
openssl req     -newkey rsa:4096 -nodes -sha256 -keyout /certs/mydomain.key     -x509 -days 365 -out /certs/mydomain.crt

[root@ip-172-30-0-61 certs]# openssl req \ > -newkey rsa:4096 -nodes -sha256 -keyout /certs/mydomain.key \ > -x509 -days 365 -out /certs/mydomain.crt Generating a 4096 bit RSA private key ..........++ ................................................................................................++ writing new private key to '/certs/mydomain.key' ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [XX]:CN State or Province Name (full name) []:BJ Locality Name (eg, city) [Default City]:BJ Organization Name (eg, company) [Default Company Ltd]:star Organizational Unit Name (eg, section) []:cloud Common Name (eg, your name or your server's hostname) []:ip-172-30-0-61.ec2.internal Email Address []:[email protected] [root@ip-172-30-0-61 certs]# ls mydomain.crt mydomain.key [root@ip-172-30-0-61 certs]#

3. 测试

以前台模式启动

<

[root@ip-172-30-0-61certs]# docker run -it --rm -p 15000:5000 --name registry \ > -v /certs:/certs \ > -eREGISTRY_HTTP_TLS_CERTIFICATE=/certs/mydomain.crt \ > -eREGISTRY_HTTP_TLS_KEY=/certs/mydomain.key \ > library/registry:2.3.0 WARN[0000]No HTTP secret provided - generated random secret. This may causeproblems with uploads if multiple registries are behind aload-balancer. To provide a shared secret, fill in http.secret inthe configuration file or set the REGISTRY_HTTP_SECRET environmentvariable. go.version=go1.5.3instance.id=3839f5d0-2749-46b5-96ee-7475fa2c292f version=v2.3.0 INFO[0000]redis not configured go.version=go1.5.3instance.id=3839f5d0-2749-46b5-96ee-7475fa2c292f version=v2.3.0 INFO[0000]using inmemory blob descriptor cache go.version=go1.5.3instance.id=3839f5d0-2749-46b5-96ee-7475fa2c292f version=v2.3.0 INFO[0000]listening on [::]:5000, tls go.version=go1.5.3instance.id=3839f5d0-2749-46b5-96ee-7475fa2c292f version=v2.3.0 INFO[0000]Starting upload purge in 57m0s go.version=go1.5.3instance.id=3839f5d0-2749-46b5-96ee-7475fa2c292f version=v2.3.0