1. Deploy the registry in a Docker container (host IP: 172.18.89.144):
Grant containers access to the image directory (SELinux label):
chcon -Rt svirt_sandbox_file_t /home/docker
Pull and start the registry container:
docker run -d -p 5000:5000 -v /home/docker/data/registry:/tmp/registry --name registry -e GUNICORN_OPTS=["--preload"] --restart=always registry
2. Install and configure nginx:
server {
    listen 443;
    server_name 172.18.89.145 dev8;
    ssl on;
    ssl_certificate /etc/nginx/registryCA.crt;
    ssl_certificate_key /etc/nginx/registryCA.key;
    location / {
        proxy_pass http://172.18.89.144:5000;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
    access_log /usr/local/nginx/logs/registry.log;
}
3. Generate the SSL certificate:
Reference configuration file (openssl.cnf):
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
[req_distinguished_name]
countryName = Country Name (2 letter code)
countryName_default = CN
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = BeiJing
localityName = Locality Name (eg, city)
localityName_default = BeiJing
organizationName = Organization Name (eg, company)
organizationName_default = dev
organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_default = dev
commonName = Common Name (e.g. server FQDN or YOUR name)
commonName_default = *.dev.com
commonName_max = 64
[v3_req]
basicConstraints = CA:TRUE
subjectAltName = @alt_names
[alt_names]
IP.1 = 172.18.89.145
IP.2 = 172.18.89.144
Commands to generate the certificate:
openssl genrsa -out registryCA.key 2048
openssl req -x509 -new -nodes -key registryCA.key -days 36500 -out registryCA.crt -extensions v3_req -config openssl.cnf
View the certificate:
openssl x509 -in registryCA.crt -noout -text
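Added example, not part of the original page: shell functions that regenerate the step 3 certificate in a scratch directory and check what the setup depends on, namely that both IP addresses are in subjectAltName (a docker client connecting by IP address needs a matching IP SAN) and that registryCA.key belongs to the certificate. The is_ca check makes visible that the server certificate is itself a CA (CA:TRUE), so any client that trusts it also trusts anything else signed with the key stored on the nginx host. Function names are assumptions of this example, the config is step 3's openssl.cnf trimmed to the fields the checks use, and -batch is added so the defaults are accepted without prompting.

```bash
# Added example, not from the original page; function names are assumptions.
# The config below is step 3's openssl.cnf trimmed to what the checks need.

# make_cert DIR: create key and self-signed certificate with step 3's commands.
# -batch (added here) accepts the *_default values instead of prompting.
make_cert() {
  cat > "$1/openssl.cnf" <<'EOF'
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
[req_distinguished_name]
commonName = Common Name (e.g. server FQDN or YOUR name)
commonName_default = *.dev.com
[v3_req]
basicConstraints = CA:TRUE
subjectAltName = @alt_names
[alt_names]
IP.1 = 172.18.89.145
IP.2 = 172.18.89.144
EOF
  openssl genrsa -out "$1/registryCA.key" 2048 2>/dev/null &&
  openssl req -x509 -new -nodes -batch -key "$1/registryCA.key" -days 36500 \
    -out "$1/registryCA.crt" -extensions v3_req -config "$1/openssl.cnf"
}

# has_ip_san CRT IP: succeed if IP appears in the subjectAltName extension.
has_ip_san() {
  openssl x509 -in "$1" -noout -text |
    grep -A1 'Subject Alternative Name' | grep -qwF "IP Address:$2"
}

# is_ca CRT: succeed if basicConstraints marks the certificate as a CA.
is_ca() {
  openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

# key_matches CRT KEY: succeed if the private key belongs to the certificate.
key_matches() {
  [ "$(openssl x509 -in "$1" -noout -modulus)" = \
    "$(openssl rsa -in "$2" -noout -modulus)" ]
}

# check_registry_cert: run all checks in a scratch directory (constructed input).
check_registry_cert() {
  d=$(mktemp -d) || return 1
  make_cert "$d" && has_ip_san "$d/registryCA.crt" 172.18.89.145 &&
    has_ip_san "$d/registryCA.crt" 172.18.89.144 && is_ca "$d/registryCA.crt" &&
    key_matches "$d/registryCA.crt" "$d/registryCA.key"
  rc=$?; rm -rf "$d"; return $rc
}
```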