CentOs中docker 安装私有仓库,并通过https方式上传镜像
安装仓库registry, Tag为2
[weshzhu@weshzhu ~]$ docker pull registry:2 2: Pulling from library/registry Digest: sha256:672d519d7fd7bbc7a448d17956ebeefe225d5eb27509d8dc5ce67ecb4a0bce54 Status: Image is up to date for registry:2查看仓库,此时先不启动容器。
[weshzhu@weshzhu certs]$ docker images REPOSITORY TAG IMAGE ID CREATED SIZE registry 2 d1fd7d86a825 4 weeks ago 33.3MB
通过OpenSSL工具生成自签名的证书,后面将用于对请求进行校验
对于证书以及OpenSSL, 请移目那些证书相关的玩意儿
首先找到OpenSSL工具配置文件openssl.cnf,对于Centos,目录在/etc/pki/tls/中
[weshzhu@weshzhu ~]$ cd /etc/pki/tls/ [weshzhu@weshzhu tls]$ ll total 12 lrwxrwxrwx. 1 root root 49 Jan 26 19:10 cert.pem -> /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem drwxr-xr-x. 2 root root 193 Feb 7 21:42 certs drwxr-xr-x. 2 root root 74 Jan 26 19:10 misc -rw-r--r--. 1 root root 10955 Feb 7 20:12 openssl.cnf drwxr-xr-x. 2 root root 6 Aug 4 2017 private编辑openssl.cnf,在[v3_ca]下面添加:subjectAltName = IP:域名|IP地址
[ v3_ca ] subjectAltName = IP:172.10.15.110否则将会报错:
x509: cannot validate certificate for <ipaddress> because it doesn't contain any IP SANs这是因为在证书中,要包含一些信息,比如国家、机构等等,好像访问的私有仓库ip或者域名必须要有,否则不予通过,就会报上面的错误。如果有读者发现此处有错误,请在下方提出。谢谢!
修改完openssl配置文件后,可以生产私有证书,要记住生成证书的目录,后面会用到。
[weshzhu@weshzhu certs]$ sudo openssl req -newkey rsa:2048 -new -nodes -x509 -days 3650 -keyout registry.key -out registry.crt [sudo] password for weshzhu: Generating a 2048 bit RSA private key .................................................................................................................................................+++ .........................................................................................................................................................+++ writing new private key to 'registry.key' ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [XX]: #该处让交互输入国家、省等,可以直接Enter跳过 State or Province Name (full name) []: Locality Name (eg, city) [Default City]: Organization Name (eg, company) [Default Company Ltd]: Organizational Unit Name (eg, section) []: Common Name (eg, your name or your server's hostname) []:172.10.15.110 #该处输入私有仓库的ip地址或者域名 Email Address []:当然,上面私有证书生成,可以通过
-subj指定证书信息:sudo openssl req -subj '/C=CN/ST=BeiJing/L=HaiDian/CN=<Ipaddress> ' -newkey rsa:2048 -new -nodes -x509 -days 3650 -keyout registry.key -out # -subj 通过C指定国家、ST指定省份、L指定区、CN指定域名或者IP此方法并没有经过试验,请感兴趣的童靴验证一下。
可以看到在当前目录中,有.crt 和 .key文件
[weshzhu@weshzhu certs]$ ll total 8 -rw-r--r--. 1 root root 1306 Feb 8 15:04 registry.crt -rw-r--r--. 1 root root 1704 Feb 8 15:04 registry.key
将生成的私有证书追加到系统的证书管理文件中,否则后面push和login和pull时会报如下错误:
[weshzhu@weshzhu certs]# cat ./registry.crt >> /etc/pki/tls/certs/ca-bundle.crt未cat到系统的crt文件中 [weshzhu@weshzhu ~]$ docker push 192.168.0.123/rabbitmq:3.7 The push refers to repository [192.168.0.123/rabbitmq] Get https://<IpAddress>/v2/: x509: certificate signed by unknown authority
- 重启docker, 该步骤一定不要省略,否则有可能加载私钥失败
systemctl restart docker
- 启动私有仓库镜像 registry
注意:在启动时,有参数需要配置
docker run -d -p 443:443 --name registry -v /deploy/certs:/certs -e REGISTRY_HTTP_ADDR=0.0.0.0:443 -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/registry.crt -e REGISTRY_HTTP_TLS_KEY=/certs/registry.key registry:2
-d 后台运行
-p 443:443 将容器的端口443映射到主机的443端口
–name 给容器起个名字 registry
-v /deploy/certs:/certs 主机的目录/deploy/certs映射到容器的/certs ,目的是将生成的私有证书映射到容器中
-e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/registry.crt 指定TLS协议验证的证书目录:该目录为容器的registry.crt所在的目录
-e REGISTRY_HTTP_TLS_KEY=/certs/registry.key 指定TLS协议使用的key的目录:该目录为容器的registry.key所在的目录
上面的步骤按顺序操作完成后,可以尝试docker push一个镜像到私有仓库中。
查看docker安装了哪些镜像:[weshzhu@weshzhu certs]$ docker images REPOSITORY TAG IMAGE ID CREATED SIZE registry 2 d1fd7d86a825 4 weeks ago 33.3MB nginx latest 3f8a4339aadd 6 weeks ago 108MB将上传的镜像重新Tag一下:
docker tag nginx[:tag] [ipaddress]/nginx #:tag 为镜像的tag,如果该镜像的tag为latest,则可以省略 #[ipaddress] 为私有仓库的ip地址或域名,也就是上面步骤在openssl中添加的`subjectAltName = IP:172.10.15.110`地址或域名查看镜像,发现多了一个以ip地址为开头的image
[weshzhu@weshzhu certs]$ docker images REPOSITORY TAG IMAGE ID CREATED SIZE registry 2 d1fd7d86a825 4 weeks ago 33.3MB 192.168.0.123/nginx latest 3f8a4339aadd 6 weeks ago 108MB nginx latest 3f8a4339aadd 6 weeks ago 108MB此时push该带ip地址的镜像到私有仓库中
[weshzhu@weshzhu certs]# docker push 172.10.15.110/nginx The push refers to repository [172.10.15.110/nginx] a103d141fc98: Pushed 73e2bd445514: Pushed 2ec5c0a4cb57: Pushing [===========================================> ] 48.2MB/55.26MB[weshzhu@weshzhu certs]# docker push 172.10.15.110/nginx The push refers to repository [172.10.15.110/nginx] a103d141fc98: Pushed 73e2bd445514: Pushed 2ec5c0a4cb57: Pushed latest: digest: sha256:926b086e1234b6ae9a11589c4cece66b267890d24d1da388c96dd8795b2ffcfb size: 948
8179
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
