部署安全的私有Registry
步骤1 - 准备证书
安装spack与openssl
# 命令:安装spack
# Clone spack and put its commands on this shell's PATH; the second step
# runs only if the clone succeeded.
# NOTE(review): this clones whatever branch GitHub serves by default at clone
# time, so two runs on different days may build different packages. Pin a
# release tag or commit if you need the toolchain to be reproducible.
git clone https://github.com/spack/spack.git \
  && . spack/share/spack/setup-env.sh
# 命令:安装openssl
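# Build OpenSSL with spack and load it into this shell's PATH.
# The version constraint (1.1.1 or newer) is what guarantees that
# `openssl req -addext`, used when generating the certificate in the next
# step, is available; an unconstrained `spack install openssl` resolves to
# whatever the local package repository prefers. The transcript below built
# 1.1.1k, which satisfies the constraint.
spack install 'openssl@1.1.1:' \
  && spack load 'openssl@1.1.1:'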
# 效果
╭─root at host01 in ~ 2021/04/29 - 12:46:32
╰─○ git clone https://github.com/spack/spack.git \
&& source spack/share/spack/setup-env.sh \
&& spack install openssl \
&& spack load openssl
Cloning into 'spack'...
remote: Enumerating objects: 278335, done.
remote: Counting objects: 100% (578/578), done.
remote: Compressing objects: 100% (239/239), done.
remote: Total 278335 (delta 268), reused 530 (delta 251), pack-reused 277757
Receiving objects: 100% (278335/278335), 112.40 MiB | 11.83 MiB/s, done.
Resolving deltas: 100% (117891/117891), done.
Checking connectivity... done.
==> Installing berkeley-db-18.1.40-rx4by6ygorm52nwoguzribonn4ltu4yb
==> No binary for berkeley-db-18.1.40-rx4by6ygorm52nwoguzribonn4ltu4yb found: installing from source
==> Fetching https://spack-llnl-mirror.s3-us-west-2.amazonaws.com/_source-cache/archive/0c/0cecb2ef0c67b166de93732769abdeba0555086d51de1090df325e18ee8da9c8.tar.gz
######################################################################## 100.0%
==> Applied patch /root/spack/var/spack/repos/builtin/packages/berkeley-db/drop-docs.patch
==> Ran patch() for berkeley-db
==> berkeley-db: Executing phase: 'autoreconf'
==> berkeley-db: Executing phase: 'configure'
==> berkeley-db: Executing phase: 'build'
==> berkeley-db: Executing phase: 'install'
==> berkeley-db: Successfully installed berkeley-db-18.1.40-rx4by6ygorm52nwoguzribonn4ltu4yb
Fetch: 6.92s. Build: 1m 5.04s. Total: 1m 11.96s.
[+] /root/spack/opt/spack/linux-ubuntu16.04-haswell/gcc-5.4.0/berkeley-db-18.1.40-rx4by6ygorm52nwoguzribonn4ltu4yb
==> Installing pkgconf-1.7.4-4egidj4vyxkvoav4mbaetxre2xdxc3uy
==> No binary for pkgconf-1.7.4-4egidj4vyxkvoav4mbaetxre2xdxc3uy found: installing from source
==> Fetching https://spack-llnl-mirror.s3-us-west-2.amazonaws.com/_source-cache/archive/d7/d73f32c248a4591139a6b17777c80d4deab6b414ec2b3d21d0a24be348c476ab.tar.xz
######################################################################## 100.0%
==> No patches needed for pkgconf
==> pkgconf: Executing phase: 'autoreconf'
==> pkgconf: Executing phase: 'configure'
==> pkgconf: Executing phase: 'build'
==> pkgconf: Executing phase: 'install'
==> pkgconf: Successfully installed pkgconf-1.7.4-4egidj4vyxkvoav4mbaetxre2xdxc3uy
Fetch: 2.76s. Build: 8.48s. Total: 11.24s.
[+] /root/spack/opt/spack/linux-ubuntu16.04-haswell/gcc-5.4.0/pkgconf-1.7.4-4egidj4vyxkvoav4mbaetxre2xdxc3uy
==> Installing zlib-1.2.11-j2fbkwedsy7j4vszqjtkifwuupbdhcyh
==> No binary for zlib-1.2.11-j2fbkwedsy7j4vszqjtkifwuupbdhcyh found: installing from source
==> Fetching https://spack-llnl-mirror.s3-us-west-2.amazonaws.com/_source-cache/archive/c3/c3e5e9fdd5004dcb542feda5ee4f0ff0744628baf8ed2dd5d66f8ca1197cb1a1.tar.gz
######################################################################## 100.0%
==> No patches needed for zlib
==> zlib: Executing phase: 'install'
==> zlib: Successfully installed zlib-1.2.11-j2fbkwedsy7j4vszqjtkifwuupbdhcyh
Fetch: 2.88s. Build: 3.46s. Total: 6.34s.
[+] /root/spack/opt/spack/linux-ubuntu16.04-haswell/gcc-5.4.0/zlib-1.2.11-j2fbkwedsy7j4vszqjtkifwuupbdhcyh
==> Installing ncurses-6.2-ouenzf24ut7jggyfsatxzaqb7pycoeqb
==> No binary for ncurses-6.2-ouenzf24ut7jggyfsatxzaqb7pycoeqb found: installing from source
==> Fetching https://spack-llnl-mirror.s3-us-west-2.amazonaws.com/_source-cache/archive/30/30306e0c76e0f9f1f0de987cf1c82a5c21e1ce6568b9227f7da5b71cbea86c9d.tar.gz
######################################################################## 100.0%
==> No patches needed for ncurses
==> ncurses: Executing phase: 'autoreconf'
==> ncurses: Executing phase: 'configure'
==> ncurses: Executing phase: 'build'
==> ncurses: Executing phase: 'install'
==> ncurses: Successfully installed ncurses-6.2-ouenzf24ut7jggyfsatxzaqb7pycoeqb
Fetch: 3.28s. Build: 2m 0.92s. Total: 2m 4.20s.
[+] /root/spack/opt/spack/linux-ubuntu16.04-haswell/gcc-5.4.0/ncurses-6.2-ouenzf24ut7jggyfsatxzaqb7pycoeqb
==> Installing readline-8.1-x2u5yn6vfnntzuifmkbgtm7v7gwmpgyq
==> No binary for readline-8.1-x2u5yn6vfnntzuifmkbgtm7v7gwmpgyq found: installing from source
==> Fetching https://spack-llnl-mirror.s3-us-west-2.amazonaws.com/_source-cache/archive/f8/f8ceb4ee131e3232226a17f51b164afc46cd0b9e6cef344be87c65962cb82b02.tar.gz
######################################################################## 100.0%
==> Ran patch() for readline
==> readline: Executing phase: 'autoreconf'
==> readline: Executing phase: 'configure'
==> readline: Executing phase: 'build'
==> readline: Executing phase: 'install'
==> readline: Successfully installed readline-8.1-x2u5yn6vfnntzuifmkbgtm7v7gwmpgyq
Fetch: 3.24s. Build: 15.82s. Total: 19.06s.
[+] /root/spack/opt/spack/linux-ubuntu16.04-haswell/gcc-5.4.0/readline-8.1-x2u5yn6vfnntzuifmkbgtm7v7gwmpgyq
==> Installing gdbm-1.19-l4rdqlchwz7urvgn6xjp3ydropzj64qk
==> No binary for gdbm-1.19-l4rdqlchwz7urvgn6xjp3ydropzj64qk found: installing from source
==> Fetching https://spack-llnl-mirror.s3-us-west-2.amazonaws.com/_source-cache/archive/37/37ed12214122b972e18a0d94995039e57748191939ef74115b1d41d8811364bc.tar.gz
######################################################################## 100.0%
==> No patches needed for gdbm
==> gdbm: Executing phase: 'autoreconf'
==> gdbm: Executing phase: 'configure'
==> gdbm: Executing phase: 'build'
==> gdbm: Executing phase: 'install'
==> gdbm: Successfully installed gdbm-1.19-l4rdqlchwz7urvgn6xjp3ydropzj64qk
Fetch: 2.98s. Build: 13.75s. Total: 16.73s.
[+] /root/spack/opt/spack/linux-ubuntu16.04-haswell/gcc-5.4.0/gdbm-1.19-l4rdqlchwz7urvgn6xjp3ydropzj64qk
==> Installing perl-5.32.1-clwala2ibysictiqqcflumjsnfez5ayw
==> No binary for perl-5.32.1-clwala2ibysictiqqcflumjsnfez5ayw found: installing from source
==> Fetching https://spack-llnl-mirror.s3-us-west-2.amazonaws.com/_source-cache/archive/03/03b693901cd8ae807231b1787798cf1f2e0b8a56218d07b7da44f784a7caeb2c.tar.gz
######################################################################## 100.0%
==> Fetching https://spack-llnl-mirror.s3-us-west-2.amazonaws.com/_source-cache/archive/9d/9da50e155df72bce55cb69f51f1dbb4b62d23740fb99f6178bb27f22ebdf8a46.tar.gz
######################################################################## 100.0%
==> Moving resource stage
source : /tmp/root/spack-stage/resource-cpanm-clwala2ibysictiqqcflumjsnfez5ayw/spack-src/
destination : /tmp/root/spack-stage/spack-stage-perl-5.32.1-clwala2ibysictiqqcflumjsnfez5ayw/spack-src/cpanm/cpanm
==> No patches needed for perl
==> perl: Executing phase: 'configure'
==> perl: Executing phase: 'build'
==> perl: Executing phase: 'install'
==> perl: Successfully installed perl-5.32.1-clwala2ibysictiqqcflumjsnfez5ayw
Fetch: 7.49s. Build: 3m 19.05s. Total: 3m 26.54s.
[+] /root/spack/opt/spack/linux-ubuntu16.04-haswell/gcc-5.4.0/perl-5.32.1-clwala2ibysictiqqcflumjsnfez5ayw
==> Installing openssl-1.1.1k-2qeae42h2b2manouufpqlwctyzmwncvj
==> No binary for openssl-1.1.1k-2qeae42h2b2manouufpqlwctyzmwncvj found: installing from source
==> Fetching https://spack-llnl-mirror.s3-us-west-2.amazonaws.com/_source-cache/archive/89/892a0875b9872acd04a9fde79b1f943075d5ea162415de3047c327df33fbaee5.tar.gz
######################################################################## 100.0%
==> Ran patch() for openssl
==> openssl: Executing phase: 'install'
==> openssl: Successfully installed openssl-1.1.1k-2qeae42h2b2manouufpqlwctyzmwncvj
Fetch: 4.17s. Build: 1m 31.46s. Total: 1m 35.63s.
[+] /root/spack/opt/spack/linux-ubuntu16.04-haswell/gcc-5.4.0/openssl-1.1.1k-2qeae42h2b2manouufpqlwctyzmwncvj
准备openssl的配置文件
# 命令:拷贝openssl的配置文件到刚安装的openssl目录下
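# Copy the system openssl.cnf into the spack-built OpenSSL's etc/openssl/ so
# that `openssl req` in the next step runs with a configuration file.
# Changes from the original one-liner: $(...) instead of backticks, every
# expansion quoted, the locate match anchored to a leading /etc/ (the bare
# pattern `/etc` matches any path containing it, e.g. spack's own
# .../etc/openssl/ prefix once updatedb has indexed it), and only the first
# hit is used so cp never receives several source files at once.
src_cnf=$(locate openssl.cnf | grep '^/etc/' | head -n 1)
if [ -z "$src_cnf" ]; then
  echo 'no /etc/.../openssl.cnf found by locate (try running updatedb first)' >&2
else
  cp -i -- "$src_cnf" "$(dirname "$(command -v openssl)")/../etc/openssl/"
fi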
# 效果
╭─root at host01 in ~ 2021/04/29 - 12:59:28
╰─○ cp -i `locate openssl.cnf|grep /etc` $(dirname `which openssl`)/../etc/openssl/
╭─root at host01 in ~ 2021/04/29 - 12:59:51
╰─○ ls -al /root/spack/opt/spack/linux-ubuntu16.04-haswell/gcc-5.4.0/openssl-1.1.1k-2qeae42h2b2manouufpqlwctyzmwncvj/etc/openssl
total 20
drwxr-sr-x 2 root root 4096 Apr 29 12:59 .
drwxr-sr-x 3 root root 4096 Apr 29 12:56 ..
lrwxrwxrwx 1 root root 18 Apr 29 12:56 certs -> /usr/lib/ssl/certs
-rw-r--r-- 1 root root 10835 Apr 29 12:59 openssl.cnf
使用openssl生成证书与秘钥
# 命令:使用openssl 1.1.1k生成。-addext 选项自 OpenSSL 1.1.1 起才支持,更早的版本会直接报错。
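# Generate a self-signed server certificate and an unencrypted (-nodes)
# private key for the registry host name. The host name is a variable so the
# same snippet can be reused for another registry.
# The subjectAltName extension is what Docker validates the host name
# against; NOTE(review): recent Docker/Go TLS clients no longer fall back to
# the CN, so do not drop `-addext` even though the CN carries the same name.
# `-addext` needs OpenSSL >= 1.1.1.
reg_host=thesre.cn
mkdir -p certs \
  && openssl req \
    -newkey rsa:4096 -nodes -sha256 -keyout "certs/$reg_host.key" \
    -addext "subjectAltName = DNS:$reg_host" \
    -subj "/C=US/ST=New Sweden/L=Stockholm/O=.../OU=.../CN=$reg_host/emailAddress=..." \
    -x509 -days 365 -out "certs/$reg_host.crt" \
  && chmod 600 "certs/$reg_host.key"
# The key is stored unencrypted and is later bind-mounted into the registry
# container, so it is explicitly made owner-readable only (belt and braces:
# openssl normally creates it that way already). The certificate expires after
# 365 days; re-run this step and redistribute the .crt before then.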
# 效果
╭─root at host01 in ~ 2021/04/29 - 13:00:27
╰─○ mkdir -p certs \
&& openssl req \
-newkey rsa:4096 -nodes -sha256 -keyout certs/thesre.cn.key \
-addext "subjectAltName = DNS:thesre.cn" \
-subj "/C=US/ST=New Sweden/L=Stockholm/O=.../OU=.../CN=thesre.cn/emailAddress=..." \
-x509 -days 365 -out certs/thesre.cn.crt
Generating a RSA private key
...........................++++
...........++++
writing new private key to 'certs/thesre.cn.key'
-----
# 命令:将生成的证书(只分发 .crt,绝不分发 .key)拷贝到/etc/docker/certs.d/thesre.cn位置,使得docker主机信任这个证书。每台需要访问该registry的docker主机都要执行这一步。
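# Make the Docker engine on this host trust the self-signed certificate for
# thesre.cn. Docker reads /etc/docker/certs.d/<host>/ca.crt in addition to
# the system trust store, so that copy is the one that matters for push/pull;
# repeat it on every Docker host that will use the registry, and distribute
# only the .crt — never the .key.
# The system trust store is updated the Debian/Ubuntu way (drop the cert into
# /usr/local/share/ca-certificates and rebuild) instead of appending to
# /etc/ssl/certs/ca-certificates.crt, which update-ca-certificates regenerates
# and would silently discard the appended entry.
# The original snippet was also missing `&&` before `systemctl restart docker`,
# so those three words were passed to cat as file names and the restart never ran.
mkdir -p /etc/docker/certs.d/thesre.cn \
  && cp certs/thesre.cn.crt /etc/docker/certs.d/thesre.cn/ca.crt \
  && cp certs/thesre.cn.crt /usr/local/share/ca-certificates/thesre.cn.crt \
  && update-ca-certificates \
  && systemctl restart docker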
步骤2 - 修改/etc/hosts模拟DNS解析
修改/etc/hosts文件,增加<容器IP> thesre.cn记录。注意:registry 通过 -p 443:443 把端口发布在 docker 主机上,容器的网桥 IP 只在本机可达;在其它 docker 主机上,这条记录应指向 registry 所在主机的 IP。
# 命令
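# Map the registry host name to an address. Idempotent: re-running the step
# does not append a duplicate line.
# NOTE(review): the registry publishes port 443 on the Docker host
# (-p 443:443), so on other hosts this entry must carry the Docker host's IP;
# the container's bridge IP is only reachable from the host it runs on.
grep -q '[[:space:]]thesre\.cn$' /etc/hosts \
  || printf '%s\n' '<容器IP> thesre.cn' >> /etc/hosts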
# 效果
╭─root at host01 in ~ 2021/04/29 - 13:02:56
╰─○ echo '<容器IP> thesre.cn' >> /etc/hosts
╭─root at host01 in ~ 2021/04/29 - 13:03:03
╰─○ ping -c 3 thesre.cn
PING thesre.cn (172.0.0.2) 56(84) bytes of data.
64 bytes from localhost (172.0.0.2): icmp_seq=1 ttl=64 time=0.047 ms
步骤3 - 部署Registry
运行容器
# 命令:运行容器
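# Run the registry with TLS on 443. Changes from the bare-bones version:
#  - the certs directory is mounted read-only: the container needs to read the
#    key, not write to it;
#  - /var/lib/registry (the image's storage root) is backed by a named volume
#    so pushed images survive `docker rm registry`.
# NOTE(review): nothing here authenticates clients — anyone who can reach :443
# can push and pull. "Secure" in this setup means TLS only. Add
# REGISTRY_AUTH=htpasswd (with REGISTRY_AUTH_HTPASSWD_REALM and
# REGISTRY_AUTH_HTPASSWD_PATH) or put an authenticating reverse proxy in front
# before exposing this beyond a lab network.
# registry:2 is a floating tag; the transcript below resolved it to
# sha256:bac2d7050dc4826516650267fe7dc6627e9e11ad653daca0641437abdf18df27.
# Pin a digest you have reviewed if deployments must be reproducible.
docker run -d \
  --restart=always \
  --name registry \
  -v "$PWD/certs:/certs:ro" \
  -v registry-data:/var/lib/registry \
  -e REGISTRY_HTTP_ADDR=0.0.0.0:443 \
  -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/thesre.cn.crt \
  -e REGISTRY_HTTP_TLS_KEY=/certs/thesre.cn.key \
  -p 443:443 \
  registry:2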
# 效果
╭─root at host01 in ~ 2021/04/29 - 13:00:37
╰─○ docker run -d \
--restart=always \
--name registry \
-v "$(pwd)"/certs:/certs \
-e REGISTRY_HTTP_ADDR=0.0.0.0:443 \
-e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/thesre.cn.crt \
-e REGISTRY_HTTP_TLS_KEY=/certs/thesre.cn.key \
-p 443:443 \
registry:2
Unable to find image 'registry:2' locally
2: Pulling from library/registry
ddad3d7c1e96: Pull complete
6eda6749503f: Pull complete
363ab70c2143: Pull complete
5b94580856e6: Pull complete
12008541203a: Pull complete
Digest: sha256:bac2d7050dc4826516650267fe7dc6627e9e11ad653daca0641437abdf18df27
Status: Downloaded newer image for registry:2
86b61be845f5948c1d0f391569c30340f62b8f6e9617f5663ddf2fda6c95cf3e
步骤4 - 验证
# 命令
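# Round-trip test: push an image to the private registry, drop every local
# copy of it, then pull it back over TLS. Fixes vs. the original one-liner:
#  - `docker push thesre.cn/ubuntu` was missing, so nothing was ever uploaded
#    (the transcript shows the push being typed by hand);
#  - `docker images | grep ubuntu` sat inside the && chain; grep exits 1 when
#    no ubuntu image is left — the expected state right after rmi — which
#    would abort the final pull. It is now informational only.
# Compare the digest printed by push with the one printed by pull: they must
# match, otherwise the registry served something other than what was pushed.
docker pull ubuntu \
  && docker tag ubuntu thesre.cn/ubuntu \
  && docker push thesre.cn/ubuntu \
  && docker rmi ubuntu thesre.cn/ubuntu \
  && { docker images | grep ubuntu || true; } \
  && docker pull thesre.cn/ubuntu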
# 效果
╭─root at host01 in ~ 2021/04/29 - 13:01:07
╰─○ docker pull ubuntu
Using default tag: latest
latest: Pulling from library/ubuntu
345e3491a907: Pull complete
57671312ef6f: Pull complete
5e9250ddb7d0: Pull complete
Digest: sha256:cf31af331f38d1d7158470e095b132acd126a7180a54f263d386da88eb681d93
Status: Downloaded newer image for ubuntu:latest
docker.io/library/ubuntu:latest
╭─root at host01 in ~ 2021/04/29 - 13:01:16
╰─○ docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
ubuntu latest 7e0aa2d69a15 5 days ago 72.7MB
registry 2 1fd8e1b0bb7e 2 weeks ago 26.2MB
mariadb 10 1b3986d60f13 5 months ago 414MB
mariadb latest 1b3986d60f13 5 months ago 414MB
redis latest 62f1d3402b78 6 months ago 104MB
ubuntu <none> d70eaf7277ea 6 months ago 72.9MB
mysql 8 db2b37ec6181 6 months ago 545MB
mysql latest db2b37ec6181 6 months ago 545MB
alpine latest d6e46aa2470d 6 months ago 5.57MB
postgres 12 492fb9ae4e7a 6 months ago 314MB
postgres latest c96f8b6bc0d9 6 months ago 314MB
mongo latest ba0c2ff8d362 7 months ago 492MB
weaveworks/scope 1.11.4 a082d48f0b39 21 months ago 78.5MB
quay.io/ansible/molecule 2.20 1171569d6ba4 2 years ago 704MB
╭─root at host01 in ~ 2021/04/29 - 13:01:57
╰─○ docker tag ubuntu thesre.cn/ubuntu
╭─root at host01 in ~ 2021/04/29 - 13:02:05
╰─○ docker push thesre.cn/ubuntu
The push refers to repository [thesre.cn/ubuntu]
2f140462f3bc: Pushed
63c99163f472: Pushed
ccdbb80308cc: Pushed
latest: digest: sha256:86ac87f73641c920fb42cc9612d4fb57b5626b56ea2a19b894d0673fd5b4f2e9 size: 943
╭─root at host01 in ~ 2021/04/29 - 13:02:17
╰─○ docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
ubuntu latest 7e0aa2d69a15 5 days ago 72.7MB
thesre.cn/ubuntu latest 7e0aa2d69a15 5 days ago 72.7MB
registry 2 1fd8e1b0bb7e 2 weeks ago 26.2MB
mariadb 10 1b3986d60f13 5 months ago 414MB
mariadb latest 1b3986d60f13 5 months ago 414MB
redis latest 62f1d3402b78 6 months ago 104MB
ubuntu <none> d70eaf7277ea 6 months ago 72.9MB
mysql 8 db2b37ec6181 6 months ago 545MB
mysql latest db2b37ec6181 6 months ago 545MB
alpine latest d6e46aa2470d 6 months ago 5.57MB
postgres 12 492fb9ae4e7a 6 months ago 314MB
postgres latest c96f8b6bc0d9 6 months ago 314MB
mongo latest ba0c2ff8d362 7 months ago 492MB
weaveworks/scope 1.11.4 a082d48f0b39 21 months ago 78.5MB
quay.io/ansible/molecule 2.20 1171569d6ba4 2 years ago 704MB
╭─root at host01 in ~ 2021/04/29 - 13:02:27
╰─○ docker rmi -f 7e0aa2d69a15
Untagged: ubuntu:latest
Untagged: ubuntu@sha256:cf31af331f38d1d7158470e095b132acd126a7180a54f263d386da88eb681d93
Untagged: thesre.cn/ubuntu:latest
Untagged: thesre.cn/ubuntu@sha256:86ac87f73641c920fb42cc9612d4fb57b5626b56ea2a19b894d0673fd5b4f2e9
Deleted: sha256:7e0aa2d69a153215c790488ed1fcec162015e973e49962d438e18249d16fa9bd
Deleted: sha256:3dd8c8d4fd5b59d543c8f75a67cdfaab30aef5a6d99aea3fe74d8cc69d4e7bf2
Deleted: sha256:8d8dceacec7085abcab1f93ac1128765bc6cf0caac334c821e01546bd96eb741
Deleted: sha256:ccdbb80308cc5ef43b605ac28fac29c6a597f89f5a169bbedbb8dec29c987439
╭─root at host01 in ~ 2021/04/29 - 13:02:36
╰─○ docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
registry 2 1fd8e1b0bb7e 2 weeks ago 26.2MB
mariadb 10 1b3986d60f13 5 months ago 414MB
mariadb latest 1b3986d60f13 5 months ago 414MB
redis latest 62f1d3402b78 6 months ago 104MB
ubuntu <none> d70eaf7277ea 6 months ago 72.9MB
mysql 8 db2b37ec6181 6 months ago 545MB
mysql latest db2b37ec6181 6 months ago 545MB
alpine latest d6e46aa2470d 6 months ago 5.57MB
postgres 12 492fb9ae4e7a 6 months ago 314MB
postgres latest c96f8b6bc0d9 6 months ago 314MB
mongo latest ba0c2ff8d362 7 months ago 492MB
weaveworks/scope 1.11.4 a082d48f0b39 21 months ago 78.5MB
quay.io/ansible/molecule 2.20 1171569d6ba4 2 years ago 704MB
╭─root at host01 in ~ 2021/04/29 - 13:02:45
╰─○ docker pull thesre.cn/ubuntu
Using default tag: latest
latest: Pulling from ubuntu
345e3491a907: Pull complete
57671312ef6f: Pull complete
5e9250ddb7d0: Pull complete
Digest: sha256:86ac87f73641c920fb42cc9612d4fb57b5626b56ea2a19b894d0673fd5b4f2e9
Status: Downloaded newer image for thesre.cn/ubuntu:latest
thesre.cn/ubuntu:latest