Create the certificate storage directory
mkdir -p /usr/local/registry/certs
Command to generate a self-signed certificate
openssl req -newkey rsa:2048 -nodes -sha256 -keyout /usr/local/registry/certs/domain.key -x509 -days 365 -out /usr/local/registry/certs/domain.crt
- openssl req: creates certificate signing requests and related artifacts;
- -newkey: creates a CSR and an RSA private key file;
- rsa:2048: sets the length of the generated RSA private key to 2048 bits;
- -nodes: does not encrypt the private key;
- -sha256: uses the SHA-256 algorithm;
- -keyout: name and location of the private key file to create;
- -x509: self-signed certificate format (a certificate is written instead of a CSR);
- -days: certificate validity period, in days;
- -out: name and location of the output file
10.1 Generate the self-signed certificate
The result is as follows. Only Common Name must be set to the private registry address; the other fields can be anything. (Note: Ctrl+U erases the current input line.)
[root@localhost ~]# openssl req -newkey rsa:2048 -nodes -sha256 -keyout /usr/local/registry/certs/domain.key -x509 -days 365 -out /usr/local/registry/certs/domain.crt
Generating a 2048 bit RSA private key
...........................................................................+++
......................................................+++
writing new private key to '/usr/local/registry/certs/domain.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:guizhou
Locality Name (eg, city) [Default City]:guiyang
Organization Name (eg, company) [Default Company Ltd]:meicheng
Organizational Unit Name (eg, section) []:meicheng
Common Name (eg, your name or your server's hostname) []:192.168.146.124
Email Address []:jingjingwin5@163.com
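The interactive session above is easy to get subtly wrong (a typo in Common Name, or a key that does not belong to the certificate), and the registry will only reveal that later as a TLS error on the client. The script below is an added example, not part of the original post: it generates the same certificate non-interactively with the post's DN values via -subj, and then checks it before it is mounted into the container. It goes one step beyond the post by also writing the registry address into subjectAltName, because recent Docker builds (Go 1.15 and later) no longer match a server certificate on Common Name alone. It assumes OpenSSL 1.1.1 or newer (for -addext); gen_registry_cert and check_registry_cert are names chosen here.

```shell
#!/bin/sh
# Added example (not from the original post): generate the registry certificate
# non-interactively and verify it before handing it to the registry container.
# Assumes OpenSSL 1.1.1+ (for -addext). DN values and paths follow the post.

gen_registry_cert() {
    # $1 = output directory, $2 = address clients will use (IP or host name, no :5000)
    dir=$1; addr=$2
    mkdir -p "$dir"
    # Put the address into subjectAltName as well: newer Docker ignores CN alone.
    case $addr in
        *[!0-9.]*) san="DNS:$addr" ;;   # anything that is not only digits/dots
        *)         san="IP:$addr" ;;
    esac
    openssl req -newkey rsa:2048 -nodes -sha256 \
        -keyout "$dir/domain.key" -x509 -days 365 -out "$dir/domain.crt" \
        -subj "/C=cn/ST=guizhou/L=guiyang/O=meicheng/CN=$addr" \
        -addext "subjectAltName=$san" 2>/dev/null &&
        chmod 600 "$dir/domain.key"     # -nodes leaves the key unencrypted; restrict access
}

check_registry_cert() {
    # $1 = directory holding domain.crt/domain.key, $2 = expected registry address.
    # Returns 0 only if every check passes; prints the first failing check.
    crt="$1/domain.crt"; key="$1/domain.key"; addr=$2
    # 1) key and certificate belong together (same SubjectPublicKeyInfo)
    [ "$(openssl x509 -in "$crt" -noout -pubkey)" = "$(openssl pkey -in "$key" -pubout)" ] ||
        { echo "FAIL: domain.key does not match domain.crt"; return 1; }
    # 2) Common Name is the address docker login/push will use
    cn=$(openssl x509 -in "$crt" -noout -subject | grep -o 'CN *= *[^,/]*' | sed 's/CN *= *//')
    [ "$cn" = "$addr" ] || { echo "FAIL: CN is '$cn', expected '$addr'"; return 1; }
    # 3) the same address is present as a subjectAltName entry
    openssl x509 -in "$crt" -noout -text | grep -Eq "(IP Address|DNS):$addr(,|\$)" ||
        { echo "FAIL: no subjectAltName entry for $addr"; return 1; }
    # 4) the certificate is valid for at least another day
    openssl x509 -in "$crt" -noout -checkend 86400 >/dev/null ||
        { echo "FAIL: certificate expires within 24 hours"; return 1; }
    echo "OK: $crt is usable for $addr"
}

# Usage with the post's paths and address (run as root, after sourcing this file):
#   gen_registry_cert /usr/local/registry/certs 192.168.146.124 &&
#   check_registry_cert /usr/local/registry/certs 192.168.146.124
```

Run the check again whenever the certificate is renewed; check 4 is the one that catches the -days 365 certificate silently expiring a year later.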
10.2 Generate the authentication password file
# Create the directory for the password file
mkdir -p /usr/local/registry/auth
# If the htpasswd command is missing, install httpd
yum install -y httpd
# Create the user name and password
htpasswd -Bbn root 1234 > /usr/local/registry/auth/htpasswd
htpasswd is the basic-authentication file format of the Apache HTTP server; the htpasswd command generates the user and password file.
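The -B flag matters here: the registry's htpasswd backend accepts only bcrypt entries, so a file produced with the default or with -m (MD5) silently locks everyone out, and htpasswd -B uses bcrypt cost 5 unless -C raises it. The function below is an added example, not from the original post: it reads an htpasswd file, reports the hash scheme and bcrypt cost of every entry, and exits non-zero if anything is not bcrypt or uses a cost below 10. audit_htpasswd and write_sample_htpasswd are names chosen here, and the sample entries are constructed, not real hashes.

```shell
#!/bin/sh
# Added example (not from the original post): audit an htpasswd file before mounting it
# into the registry. The registry accepts only bcrypt ($2y$/$2b$/$2a$) entries.

audit_htpasswd() {
    # $1 = path to the htpasswd file. Prints "user scheme verdict" per entry and
    # returns 1 if any entry is non-bcrypt, empty, or bcrypt with cost below 10.
    rc=0
    while IFS=: read -r user hash; do
        [ -n "$user" ] || continue                        # skip blank lines
        case $hash in
            '$2y$'*|'$2b$'*|'$2a$'*)
                cost=${hash#\$2?\$}; cost=${cost%%\$*}    # "$2y$05$..." -> "05"
                if [ "$cost" -lt 10 ]; then
                    echo "$user bcrypt(cost=$cost) WEAK"; rc=1
                else
                    echo "$user bcrypt(cost=$cost) ok"
                fi ;;
            '$apr1$'*) echo "$user apr1-md5 WEAK"; rc=1 ;;   # htpasswd default / -m
            '{SHA}'*)  echo "$user sha1 WEAK"; rc=1 ;;       # htpasswd -s
            '')        echo "$user empty WEAK"; rc=1 ;;
            *)         echo "$user crypt-or-plaintext WEAK"; rc=1 ;;
        esac
    done < "$1"
    return $rc
}

write_sample_htpasswd() {
    # Constructed sample file for demonstration; the hash bodies are placeholders.
    cat > "$1" <<'EOF'
root:$2y$05$CONSTRUCTEDsaltCONSTRUCTEDhashCONSTRUCTEDhashCONSTRUC
alice:$2y$12$CONSTRUCTEDsaltCONSTRUCTEDhashCONSTRUCTEDhashCONSTRUC
bob:$apr1$c0nstr$CONSTRUCTEDapr1hash
carol:{SHA}CONSTRUCTEDsha1base64=
EOF
}

# Usage with the post's file:  audit_htpasswd /usr/local/registry/auth/htpasswd
```

With the sample file, root is flagged for the low default cost, bob and carol for non-bcrypt schemes, and only alice passes. To produce an entry that passes, raise the cost when creating it, for example htpasswd -BbC 12 (the -C option sets the bcrypt cost).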
10.3 Create the private registry container
# Remove the old private registry that had no authentication
cd ~                    # back to the home directory; not important
docker stop registry    # stop the container named "registry", i.e. our private registry
docker rm registry
rm /mydata/docker_registry/docker -rf   # delete the folder
# Create the private registry
docker run -di --name registry -p 5000:5000 \
  -v /mydata/docker_registry:/var/lib/registry \
  -v /usr/local/registry/certs:/certs \
  -v /usr/local/registry/auth:/auth \
  -e "REGISTRY_AUTH=htpasswd" \
  -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" \
  -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd \
  -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt \
  -e REGISTRY_HTTP_TLS_KEY=/certs/domain.key \
  registry
10.4 Push to the private registry
# Re-tag an image
docker tag hello-world:latest 192.168.146.124:5000/test-hello-world:1
# Log in
docker login 192.168.146.124:5000
Username: root
Password: 1234
# Push
docker push 192.168.146.124:5000/test-hello-world:1
# Log out
docker logout 192.168.146.124:5000
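Because the registry presents a self-signed certificate, docker login on any client (including the registry host itself) fails with an x509 "certificate signed by unknown authority" error unless that client trusts the certificate; the usual shortcut of listing the address under insecure-registries turns certificate checking off entirely, which defeats the point of 10.1. Docker instead looks for a CA file at /etc/docker/certs.d/<host:port>/ca.crt. The function below is an added example, not from the original post: it installs domain.crt there for the post's address and then confirms with openssl verify that the installed CA actually validates the registry certificate. install_registry_ca is a name chosen here, and its optional third argument (a root prefix, default /) is an assumption added so the function can be exercised against a temporary directory.

```shell
#!/bin/sh
# Added example (not from the original post): trust the self-signed registry certificate
# on a Docker client and confirm the trust chain before running docker login.

install_registry_ca() {
    # $1 = path to domain.crt, $2 = registry address with port (e.g. 192.168.146.124:5000),
    # $3 = filesystem root prefix (assumed here for testing; default is /).
    crt=$1; hostport=$2; root=${3:-}
    dest="$root/etc/docker/certs.d/$hostport"
    mkdir -p "$dest" && cp "$crt" "$dest/ca.crt" && chmod 644 "$dest/ca.crt" ||
        { echo "FAIL: could not install $crt into $dest"; return 1; }
    # A self-signed certificate must validate against itself as the CA; if this
    # fails, docker login will still fail with an x509 error after the copy.
    openssl verify -CAfile "$dest/ca.crt" "$crt" >/dev/null 2>&1 ||
        { echo "FAIL: $crt does not verify against $dest/ca.crt"; return 1; }
    echo "OK: $dest/ca.crt installed; docker login $hostport can validate the server"
}

# Usage on a client, with the post's paths and address (as root):
#   install_registry_ca /usr/local/registry/certs/domain.crt 192.168.146.124:5000
```

After this, docker login 192.168.146.124:5000 proceeds to the username/password prompt as shown above. The same file must be installed on every machine that will push or pull, and the directory name must match the address exactly, including the :5000 port.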