Docker Registry (private registry) installation and configuration
Docker Registry Version: 2.4
1. CA certificate
The CA certificate can be one issued by a well-known CA, or a self-made one.
If you already have a certificate from a well-known CA, skip the following steps:
# vim /etc/pki/tls/openssl.cnf
[ v3_ca ]
subjectAltName=IP:172.16.10.2
# openssl req -newkey rsa:4096 -nodes -sha256 -keyout certs/domain.key -x509 -days 365 -out certs/domain.crt
Generating a 4096 bit RSA private key
......................................................................................................................................................................++
...........................................................................................................................................................++
writing new private key to 'certs/domain.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Shanghai
Locality Name (eg, city) [Default City]:Shanghai
Organization Name (eg, company) [Default Company Ltd]:XD
Organizational Unit Name (eg, section) []:QA
Common Name (eg, your name or your server's hostname) []:172.16.10.2
Email Address []:mahuaping@xindong.com
[root@172 ~]# mkdir -p /etc/docker/certs.d/172.26.160.24:5000
[root@172 ~]# cp certs/domain.crt /etc/docker/certs.d/172.26.160.24\:5000/ca.crt
[root@172 ~]# service docker restart
Redirecting to /bin/systemctl restart docker.service
2. Start the secure Registry
# docker run -d -p 5000:5000 \
--restart=always --name registry \
-v `pwd`/data:/var/lib/registry \
-v `pwd`/certs:/certs -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt \
-e REGISTRY_HTTP_TLS_KEY=/certs/domain.key registry:2
3. Push a local image to the Registry
# docker tag jenkinsci/blueocean:latest 172.26.160.24:5000/allan/jenkinsci:latest
# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
jenkinsci/blueocean latest f97f49711d3a 5 weeks ago 553MB
172.16.10.2:5000/allan/jenkinsci latest f97f49711d3a 5 weeks ago 553MB
registry 2 f32a97de94e1 8 months ago 25.8MB
# docker push 172.16.10.2:5000/allan/jenkinsci
The push refers to repository [172.26.160.24:5000/allan/jenkinsci]
d3f33b0afac2: Layer already exists
96c810f9c4e9: Layer already exists
66a1ae5946ec: Layer already exists
423c72edbbe1: Layer already exists
4ac91506b089: Layer already exists
90db6c49e92e: Layer already exists
3448873ca4d6: Layer already exists
9784bfe1a462: Layer already exists
44e40f97654f: Layer already exists
1b4bd890f41b: Layer already exists
c6599e004fb0: Layer already exists
eb30cb89ac7c: Layer already exists
ceaf9e1ebef5: Layer already exists
9b9b7f3d56a0: Layer already exists
f1b5933fe4b5: Layer already exists
latest: digest: sha256:0c197bc77b18bec3e7254363365b64fe5774dc25ea47cebdc8eee765bbf245d3 size: 3457
[root@172 ~]# docker pull 172.16.10.2:5000/allan/jenkinsci
Using default tag: latest
latest: Pulling from allan/jenkinsci
Digest: sha256:0c197bc77b18bec3e7254363365b64fe5774dc25ea47cebdc8eee765bbf245d3
Status: Image is up to date for 172.26.160.24:5000/allan/jenkinsci:latest
4. Push a remote image to the Registry
# mkdir -p 172.16.10.2:5000
# cd 172.26.160.24\:5000/
# vim ca.crt
# service docker restart
Redirecting to /bin/systemctl restart docker.service
# docker pull 172.16.10.2:5000/allan/jenkinsci
Using default tag: latest
Trying to pull repository 172.16.10.2:5000/allan/jenkinsci ...
latest: Pulling from 172.16.10.2:5000/allan/jenkinsci
e7c96db7181b: Pull complete
f910a506b6cb: Pull complete
c2274a1a0e27: Pull complete
a7d31678ca3a: Pull complete
30d982f1813e: Pull complete
4706c5573d1a: Pull complete
929c2e4c0d3a: Pull complete
a7a7c2c854b6: Pull complete
9c5a64f79aa4: Pull complete
b905b2941c33: Pull complete
b2fda4a06376: Pull complete
587300dab596: Pull complete
f47b1765c187: Pull complete
18d09a83153a: Pull complete
f2b6a8668e09: Pull complete
Digest: sha256:0c197bc77b18bec3e7254363365b64fe5774dc25ea47cebdc8eee765bbf245d3
Status: Downloaded newer image for 172.16.10.2:5000/allan/jenkinsci:latest
5. Problems
# docker pull 172.26.160.24:5000/allan/jenkinsci
Using default tag: latest
Trying to pull repository 172.26.160.24:5000/allan/jenkinsci ...
Get https://172.26.160.24:5000/v1/_ping: x509: cannot validate certificate for 172.26.160.24 because it doesn't contain any IP SANs
Solution: add the registry IP as a subjectAltName before generating the certificate:
# vim /etc/pki/tls/openssl.cnf
[ v3_ca ]
subjectAltName=IP:172.16.10.2
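The x509 error in section 5 is the Docker client refusing a certificate whose Subject Alternative Name does not list the registry IP; a matching Common Name alone is not accepted. Editing openssl.cnf only takes effect for certificates generated afterwards, so the fix is to regenerate domain.crt/domain.key, restart the registry with the new files, and redistribute ca.crt to every client before restarting its Docker daemon. The script below is an added example, not part of the original post: it generates a self-signed certificate that carries the IP SAN (using a small per-run config file rather than editing the system openssl.cnf), checks a certificate for that SAN, and stages ca.crt in the /etc/docker/certs.d/<host:port>/ layout used in sections 1 and 4. It assumes the openssl CLI is installed; the IP 172.16.10.2, the image reference and the output directories are constructed values taken from the page, and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): self-signed registry certificate
# with an IP SAN, plus the SAN check the Docker client effectively performs.
# 172.16.10.2 and the directories below are constructed example values.
set -e

# Generate key + self-signed cert whose SAN lists the registry IP.
# $1 = output directory, $2 = registry IP address
make_registry_cert() {
  dir="$1"
  ip="$2"
  mkdir -p "$dir"
  # Per-run config: same [ v3_ca ] section the page adds to openssl.cnf.
  cat > "$dir/san.cnf" <<EOF
[ req ]
prompt             = no
distinguished_name = dn
x509_extensions    = v3_ca
[ dn ]
CN = $ip
[ v3_ca ]
basicConstraints = CA:TRUE
subjectAltName   = IP:$ip
EOF
  openssl req -newkey rsa:2048 -nodes -sha256 \
    -keyout "$dir/domain.key" -x509 -days 365 \
    -out "$dir/domain.crt" -config "$dir/san.cnf" >/dev/null 2>&1
}

# Return 0 if the certificate's Subject Alternative Name lists the given IP.
# Without it the client fails with "doesn't contain any IP SANs".
# $1 = certificate path, $2 = IP address
cert_has_ip_san() {
  openssl x509 -in "$1" -noout -text \
    | tr ',' '\n' | sed 's/^ *//' \
    | grep -qxF "IP Address:$2"
}

# Extract "host:port" from an image reference such as
# 172.16.10.2:5000/allan/jenkinsci:latest; that string names the
# certs.d directory the client reads ca.crt from.
registry_from_ref() {
  echo "$1" | cut -d/ -f1
}

# Stage ca.crt under <root>/etc/docker/certs.d/<host:port>/ca.crt.
# $1 = filesystem root ("/" on a real client), $2 = host:port, $3 = cert path
# The Docker daemon must be restarted afterwards to pick the file up.
install_client_ca() {
  dest="$1/etc/docker/certs.d/$2"
  mkdir -p "$dest"
  cp "$3" "$dest/ca.crt"
}

# Demo: build a cert for the registry named in the page's image reference.
REF=172.16.10.2:5000/allan/jenkinsci:latest
REG=$(registry_from_ref "$REF")
WORK=$(mktemp -d)
make_registry_cert "$WORK/certs" "${REG%:*}"
if cert_has_ip_san "$WORK/certs/domain.crt" "${REG%:*}"; then
  echo "SAN ok for $REG: $WORK/certs/domain.crt"
else
  echo "missing IP SAN for $REG; regenerate the certificate" >&2
fi
```

Run the check against an existing domain.crt before copying it to clients; if it fails for the address used in your image tags (sections 3 to 5 mix 172.16.10.2 and 172.26.160.24, and the SAN must match whichever one the client actually connects to), regenerate rather than editing the config alone.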