docker私库 registry自签证书
没有域名的话,配置hosts即可
vim /etc/hosts
192.168.1.232 dockerhub.titaxxxx.com
开始敲入命令生成证书
openssl req -newkey rsa:4096 -nodes -sha256 -keyout certs/dockerhub.titaxxx.com.key -x509 -days 365 -out certs/dockerhub.titaxxxx.com
然后除了 倒数第二项需要填写域名外,其它都随便填即可
然后实例化 私库容器:
docker run -itd \
-v /usr/local/docker/data/registry:/var/lib/registry \
-v `pwd`/certs:/home/certs \
-e REGISTRY_HTTP_TLS_CERTIFICATE=/home/certs/dockerhub.titaxxx.com.crt \
-e REGISTRY_HTTP_TLS_KEY=/home/certs/dockerhub.titaxxx.com.key \
-p 5000:5000 \
-e REGISTRY_STORAGE_DELETE_ENABLED=true \
--restart=always \
--name registry5000 \
--privileged=true \
registry
然后把生成的两个证书文件上传到客户端服务器的这个目录里:
/etc/pki/ca-trust/source/anchors
然后更新
update-ca-trust
重启客户端上的docker 服务
systemctl restart docker
然后测试,发生错误,本人一顿狂百度,,,,
(base) [root@zkhost anchors]# curl https://dockerhub.titatitaxxx.com:5000/v2/_catalog
curl: (60) SSL certificate problem: self signed certificate
More details here: https://curl.haxx.se/docs/sslcerts.html
curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
最后发现是没有加参数,形成了误导,一定要使用 -k参数
(base) [root@zkhost anchors]# curl -k https://dockerhub.titatitaxxx.com:5000/v2/_catalog
{"repositories":[]}
测试ok,然后在docker私服上打tag测试
docker tag zookeeper:3.3.6 dockerhub.titatitaxxx.com:5000/zookeeper:3.3.6
然后在docker私服上push遇到错误:
docker push dockerhub.titatitaxxx.com:5000/zookeeper:3.3.6
The push refers to repository [dockerhub.titatitaxxx.com:5000/zookeeper]
Get https://dockerhub.titatitaxxx.com:5000/v2/: x509: certificate signed by unknown authority
刚开始各种猜测 ,以为是好像是没有配置 daemon.json
结果配置了还是不行
然后是还有网友的各种办法,还有诱导去掉https方式的,那我加上证书干嘛啊。。。
其实是,docker仓库是运行在容器里的,所以,在docker私服所在的机器上去push,这时候也是客户端而已,人家私服容器才是服务端嘛,,之前为了测试,没有在这个机器上的/etc/pki/ca-trust/source/anchors目录配置证书,所以当然是失败了。。。。
所以,切换到刚才配置好的另一台机器上执行 push
docker push dockerhub.titatitaxxx.com:5000/zookeeper:3.3.6
The push refers to a repository [dockerhub.titatitaxxx.com:5000/zookeeper]
2b49a050d92c: Pushed
f5042de2ec79: Pushed
ef380d9e2676: Pushed
ok 了!
然后再搞第三台机器测试是否能pull成功,为了测试准确性,刚开始不要导入证书到/etc/pki/ca-trust/source/anchors里,,,
换了台机器,果然没有配置证书现在是失败的
[root@localhost ~]# docker pull dockerhub.titatitaxxx.com:5000/zookeeper:3.3.6
Trying to pull repository dockerhub.titatitaxxx.com:5000/zookeeper ...
Get https://dockerhub.titatitaxxx.com:5000/v1/_ping: x509: certificate signed by unknown authority
然后接下来我们开始配置证书,上传两个证书文件到 /etc/pki/ca-trust/source/anchors 目录里
然后执行 update-ca-trust 再然后 重启docker服务
systemctl restart docker
最后来pull尝试是否成功
果然成功了
[root@localhost anchors]# docker pull dockerhub.titaxxx.com:5000/zookeeper:3.3.6
Trying to pull repository dockerhub.titatitaxxx.com:5000/zookeeper ...
3.3.6: Pulling from dockerhub.titatitaxxx.com:5000/zookeeper
Digest: sha256:2f28b4183d39e4c9e806ac3526f190cca4f1c7844305a7810cc86d6758d6dee1
Status: Downloaded newer image for dockerhub.titatitaxxx.com:5000/zookeeper:3.3.6
好了,到此为止。。。
2万+
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
