本文主要使用openssl+registry:2,在centos7.2上部署,docker版本为v17.06
搭建步骤:
1. 生成自签名证书
证书默认只支持域名访问,所以需要修改/etc/pki/tls/openssl.cnf来支持ip访问
[root@registry certs]# vim /etc/pki/tls/openssl.cnf
[ v3_ca ]
subjectAltName = IP:10.10.84.110
创建证书
[root@registry ~]# mkdir /etc/docker/certs.d/10.10.84.110:5000
[root@registry ~]# openssl req -x509 -days 3650 -nodes -newkey rsa:2048 \
-keyout /opt/docker/registry/certs/domain.key \
-out /opt/docker/registry/certs/domain.crt
-----
Country Name (2 letter code) [XX]:86
State or Province Name (full name) []:Zhejiang
Locality Name (eg, city) [Default City]:Hangzhou
Organization Name (eg, company) [Default Company Ltd]:citycloud
Organizational Unit Name (eg, section) []:noc
Common Name (eg, your name or your server's hostname) []:10.10.84.110:5000
Email Address []:zt@citycloud.com.cn
注意CN名字10.10.84.110:5000
2. 创建带有TLS认证的registry容器
[root@registry ~]# docker pull registry:2
[root@registry ~]# docker run -d --name registry2.0 --restart always \
-v /opt/docker/registry/data:/var/lib/registry \
-p 10.10.84.110:5000:5000 \
-v /opt/docker/registry/certs:/certs \
-e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt \
-e REGISTRY_HTTP_TLS_KEY=/certs/domain.key \
registry:2
3. 测试
[root@registry ~]# cp /opt/docker/registry/certs/domain.crt /etc/docker/certs.d/10.10.84.110:5000/ca.crt
[root@registry ~]# docker tag hello-world 10.10.84.110:5000/hello-world
[root@registry certs]# docker push 10.10.84.110:5000/hello-world
其他客户端需要使用此私有仓库,需要创建目录/etc/docker/certs.d/10.10.84.110:5000/,并将ca.crt文件放在此目录下
参考文章:
http://blog.csdn.net/gqtcgq/article/details/51163558
https://docs.docker.com/registry/deploying/#support-for-lets-encrypt