码农崛起

Feet on the ground, one footprint per step

Setting up a private Docker Registry with HTTPS support

https://blog.csdn.net/xcjing/article/details/70238273

For setting up a private Docker Registry over plain HTTP, see:

http://blog.csdn.net/fgf00/article/details/52040492

To test it, access it over HTTP:

http://IP:PORT/v2/



To set up a private Docker Registry with HTTPS support, see:

http://www.cnblogs.com/xcloudbiz/articles/5526262.html


1. Create the certificate (OpenSSL can be used)

Run the following as root; the certificate is saved in the /root/certs directory:

openssl req -newkey rsa:2048 -nodes -sha256 -keyout /root/certs/domain.key -x509 -days 365 -out /root/certs/domain.crt

The domain name used in this experiment is: mydockerhub.com


2. Copy the certificate to:

Since the certificate is self-signed, every Docker host that uses the Docker Registry must copy domain.crt to /etc/docker/certs.d/[docker_registry_domain]/ca.crt:

cp certs/domain.crt /etc/docker/certs.d/mydockerhub.com:5000/ca.crt

Append the contents of domain.crt to the system's CA bundle so that the operating system trusts our self-signed certificate.

On CentOS 6 / 7 the bundle file is /etc/pki/tls/certs/ca-bundle.crt:

cat domain.crt >> /etc/pki/tls/certs/ca-bundle.crt

On Ubuntu/Debian the bundle file is /etc/ssl/certs/ca-certificates.crt:

cat domain.crt >> /etc/ssl/certs/ca-certificates.crt


For details see: https://deepzz.com/post/secure-docker-registry.html



3. Start the Docker Registry

docker run -d -p 5000:5000 --privileged=true -v /opt/registry:/tmp/registry-dev -v ~/certs/:/root/certs  -e REGISTRY_HTTP_TLS_CERTIFICATE=/root/certs/domain.crt -e REGISTRY_HTTP_TLS_KEY=/root/certs/domain.key registry


4. Test

The domain name must be used; pulling by IP address directly fails:

 

[root@xcjdocker-occs-wkr-2 opc]# sudo docker pull 139.224.66.172:5000/centos00

Using default tag: latest

Error response from daemon: unable to ping registry endpoint https://139.224.66.172:5000/v0/

v2 ping attempt failed with error: Get https://139.224.66.172:5000/v2/: x509: cannot validate certificate for 139.224.66.172 because it doesn't contain any IP SANs

v1 ping attempt failed with error: Get https://139.224.66.172:5000/v1/_ping: x509: cannot validate certificate for 139.224.66.172 because it doesn't contain any IP SANs

[root@xcjdocker-occs-wkr-2 opc]# sudo docker pull mydockerhub.com:5000/vvv

Using default tag: latest

latest: Pulling from vvv

Digest: sha256:1164a179f7328c80edab409118c4cf0986ffe143b3693c7769f6d54e098705e3

Status: Downloaded newer image for mydockerhub.com:5000/vvv:latest

[root@xcjdocker-occs-wkr-2 opc]#


Supporting access by IP address

For the Docker registry to support HTTPS, a certificate has to be generated. Here we generate it with openssl. By default such a certificate only validates for access by domain name; to make it validate for access by IP address, the openssl.cnf configuration file must be modified.

 

Modify openssl.cnf to allow HTTPS access by IP address

On Red Hat 7 or CentOS the file is /etc/pki/tls/openssl.cnf. In its [ v3_ca ] section, add the subjectAltName option:

[ v3_ca ]

subjectAltName= IP:129.144.150.111

 

Generate the self-signed certificate with openssl:

We work directly as the root user. Create the directory /root/certs

and then run:

openssl req -newkey rsa:2048 -nodes -sha256 -keyout /root/certs/domain.key -x509 -days 365 -out /root/certs/domain.crt

 

Country Name (2 letter code) [XX]:CN

State or Province Name (full name) []:bj

Locality Name (eg, city) [Default City]:bj

Organization Name (eg, company) [Default Company Ltd]:mycom

Organizational Unit Name (eg, section) []:it

Common Name (eg, your name or your server's hostname) []:129.144.150.111

Email Address []:xcjing@yeah.Net

On success two files are produced: domain.key and domain.crt

 

Copy the certificate

Every Docker host that uses the Docker Registry must copy domain.crt to /etc/docker/certs.d/[docker_registry_domain:port or IP:port]/ca.crt:

cp domain.crt /etc/docker/certs.d/129.144.150.111:5000/ca.crt

 

Append the contents of domain.crt to the system's CA bundle so that the operating system trusts our self-signed certificate.

On CentOS 6 / 7 or Red Hat the bundle file is /etc/pki/tls/certs/ca-bundle.crt:

cat domain.crt >> /etc/pki/tls/certs/ca-bundle.crt

 

On Ubuntu/Debian the bundle file is /etc/ssl/certs/ca-certificates.crt:

cat domain.crt >> /etc/ssl/certs/ca-certificates.crt

 

 

Note: if a certificate for the same IP was already appended earlier, remove it from ca-bundle.crt before running cat again. Otherwise the later push reports:

Get https://129.144.150.111:5000/v1/_ping: x509: certificate signed by unknown authority

 

Restart the Docker daemon and the Registry

systemctl restart docker

Start the registry:

docker run -d -p 5000:5000 --privileged=true -v /opt/registry:/tmp/registry-dev -v ~/certs/:/root/certs -e REGISTRY_HTTP_TLS_CERTIFICATE=/root/certs/domain.crt -e REGISTRY_HTTP_TLS_KEY=/root/certs/domain.key registry:2

 

Verification

Confirm HTTPS works: curl -i -k -v https://129.144.150.111:5000

Or open https://129.144.150.111:5000/v2 in a browser; a response of {} means it is working.

 

[root@bf278c certs]# docker images

REPOSITORY               TAG                 IMAGE ID            CREATED             SIZE

centos                   latest              a8493f5f50ff        12 days ago         192MB

129.144.150.111:5000/c   latest              a8493f5f50ff        12 days ago         192MB

registry                 2                   136c8b16df20        12 days ago         33.2MB

registry                 latest              136c8b16df20        12 days ago         33.2MB

hello-world              latest              48b5124b2768        3 months ago        1.84kB

 

[root@bf278c certs]# docker push 129.144.150.111:5000/c

The push refers to a repository [129.144.150.111:5000/c]

36018b5e9787: Pushing   28.9MB/192.5MB

Success.

Accessing from another machine

To access the registry from another machine, copy the cert file over and likewise place it under /etc/docker/certs.d, creating the directory /129.144.150.111:5000 there, then:

[opc@xcjdocker-occs-wkr-2 ~]$ cp domain.crt /etc/docker/certs.d/129.144.150.111:5000/ca.crt

Otherwise the error is: Error: API error (500): unable to ping registry endpoint https://129.144.150.111:5000/v0/ v2 ping attempt failed with error: Get https://129.144.150.111:5000/v2/: x509: certificate signed by unknown authority v1 ping attempt failed with error: Get https://129.144.150.111:5000/v1/_ping: x509: certificate signed by unknown authority

 

Test:

[root@xcjdocker-occs-wkr-2 opc]# sudo docker pull 129.144.150.111:5000/c

Using default tag: latest

latest: Pulling from c

Digest: sha256:1164a179f7328c80edab409118c4cf0986ffe143b3693c7769f6d54e098705e3

Status: Image is up to date for 129.144.150.111:5000/c:latest
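Both failures shown above ("doesn't contain any IP SANs" and "certificate signed by unknown authority") come from Go's crypto/x509, which is what the Docker daemon uses to check the ca.crt under /etc/docker/certs.d. The following added example (not code from the original post) reproduces both checks offline: it builds a self-signed certificate with and without a subjectAltName for the IP and verifies it the way dockerd would. The names 129.144.150.111 and mydockerhub.com are the page's; the function names are this example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"net"
	"time"
)

// selfSigned mimics "openssl req -x509 -days 365": dnsNames/ips become the subjectAltName entries.
func selfSigned(cn string, dnsNames []string, ips []net.IP) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(365 * 24 * time.Hour),
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,     // openssl req -x509 produces CA:TRUE
		DNSNames:              dnsNames, // e.g. mydockerhub.com
		IPAddresses:           ips,      // the "subjectAltName = IP:..." entry
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// verifyAs does what dockerd does with /etc/docker/certs.d/<host:port>/ca.crt:
// trust only `trusted`, then require that `host` matches the presented cert's SANs.
func verifyAs(presented, trusted *x509.Certificate, host string) error {
	pool := x509.NewCertPool()
	pool.AddCert(trusted)
	_, err := presented.Verify(x509.VerifyOptions{DNSName: host, Roots: pool})
	return err
}

// lacksSAN is the "doesn't contain any IP SANs" class of failure (name mismatch).
func lacksSAN(err error) bool { var e x509.HostnameError; return errors.As(err, &e) }

// untrusted is the "certificate signed by unknown authority" class (stale or wrong ca.crt).
func untrusted(err error) bool { var e x509.UnknownAuthorityError; return errors.As(err, &e) }
```

A certificate whose only identity is the CommonName fails for both the IP and the domain, which is why the openssl.cnf subjectAltName edit is required rather than just typing the IP at the Common Name prompt.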
