#新建目录
root@ylm-ubuntu:~# mkdir -p /opt/docker/certs
root@ylm-ubuntu:~# cd /opt/docker/
root@ylm-ubuntu:/opt/docker# ls
certs
#添加域名解析
root@ylm-ubuntu:/opt/docker# cat /etc/hosts
10.0.0.55 myrepo.com
root@ylm-ubuntu:/opt/docker# ping -w1 -c1 myrepo.com
PING myrepo.com (10.0.0.55)56(84) bytes of data.
64 bytes from myrepo.com (10.0.0.55): icmp_seq=1ttl=64time=0.017 ms
--- myrepo.com ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev =0.017/0.017/0.017/0.000 ms
2.生成自签发证书
#注意：较新的 Docker（Go 1.15+ 编译）校验服务器证书时只看 SAN，不再回退到 CN；只写 CN 的证书会报 "x509: certificate relies on legacy Common Name field"。OpenSSL 1.1.1+ 可以用 -addext 把域名写进 SAN：
#openssl req -newkey rsa:4096 -nodes -sha256 -keyout certs/myrepo.key -x509 -days 365 -addext "subjectAltName=DNS:myrepo.com" -out certs/myrepo.crt
#-nodes 生成的是未加密私钥，生成后限制权限：chmod 600 certs/myrepo.key
root@ylm-ubuntu:/opt/docker# openssl req -newkey rsa:4096 -nodes -sha256 -keyout certs/myrepo.key -x509 -days 365 -out certs/myrepo.crt
Generating a RSA private key
....................................++++
..............................................................................................................++++
writing new private key to 'certs/myrepo.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code)[AU]:CN
State or Province Name (full name)[Some-State]:BJ
Locality Name (eg, city)[]:BJ
Organization Name (eg, company)[Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section)[]:
Common Name (e.g. server FQDN or YOUR name)[]:myrepo.com #和域名保持一致
Email Address []:
3.生成鉴权密码文件
root@ylm-ubuntu:/opt/docker# mkdir auth
root@ylm-ubuntu:/opt/docker# ls
auth certs
#注意的一点是 使用2.6.2的镜像 否则会报错（新版 registry 镜像里不再带 htpasswd 二进制，见下面的 ps）
#更通用的做法是用 httpd 镜像或本机的 apache2-utils 生成，registry 只接受 bcrypt（-B）格式的 htpasswd：
#docker run --rm --entrypoint htpasswd httpd:2 -Bbn admin password > auth/htpasswd
#明文口令写在命令行上会留在 shell 历史和 ps 输出里，正式环境请换成强口令并清理历史
root@ylm-ubuntu:/opt/docker# docker run --entrypoint htpasswd registry:2.6.2 -Bbn admin password > auth/htpasswd
#这个文件里存的是 bcrypt 哈希，不是"密文密码"：docker login 时输入的仍然是明文 password，服务端拿它和哈希比对；直接拿哈希当口令去登录会 401
root@ylm-ubuntu:/opt/docker# cat auth/htpasswd
admin:$2y$05$bOES6kCFIOpNbbQw9wb9o.uTB3qR01yJhr6gqnY72ycengYTKzpu.
ps: 使用 :2 或latest的镜像 会报以下错误（registry 2.7 之后的镜像去掉了 htpasswd 工具，这只影响生成口令文件，不影响 registry 本身读取 htpasswd 文件）
docker: Error response from daemon: OCI runtime create failed: container_linux.go:349: starting container process caused "exec: \"htpasswd\": executable file not found in $PATH": unknown.
4.启动registry
#2.6.2 只是为了上面生成 htpasswd 才选的老版本；如果 htpasswd 用其他方式生成，这里建议换成当前的 registry:2
#证书目录和 auth 目录 registry 只需要读，可以加 :ro 只读挂载
$ docker run -d \
  --restart=always \
  --name registry \
  -v /opt/docker/certs:/certs \
  -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/myrepo.crt \
  -e REGISTRY_HTTP_TLS_KEY=/certs/myrepo.key \
  -v /opt/data/registry:/var/lib/registry \
  -v /opt/docker/auth:/auth \
  -e "REGISTRY_AUTH=htpasswd" \
  -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" \
  -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd \
  -p 5000:5000 \
  registry:2.6.2
#查看容器
$ docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
67285dfdc56c registry:2.6.2 "/entrypoint.sh /etc…"3 seconds ago Up 2 seconds 0.0.0.0:5000->5000/tcp registry
#查看端口（0.0.0.0 / :::5000 表示监听所有网卡；docker -p 发布的端口走 docker 自己的 iptables 规则，一般会绕过 ufw/firewalld。只想内网访问的话改成 -p 10.0.0.55:5000:5000）
root@ylm-ubuntu:/opt/docker# netstat -ntlp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
1526/sshd: ylm@pts/
tcp6 00 :::5000 :::* LISTEN
5.测试上传镜像
$ docker pull busybox
$ docker tag busybox:latest myrepo.com:5000/busybox
#push报错 因为本地 docker 客户端不信任这张自签证书（不在系统 CA 里，也不在 certs.d 里）
$ docker push myrepo.com:5000/busybox
The push refers to repository [myrepo.com:5000/busybox]
Get https://myrepo.com:5000/v2/: x509: certificate signed by unknown authority
#解决办法 拷贝证书到/etc/docker/certs.d/myrepo.com:5000目录下(目录可以新建) 并改名ca.crt。dockerd 会把这个目录里的 ca.crt 当作该 registry 的信任根，自签证书自己就是根，所以直接拷过去即可。不要用 insecure-registries 绕过，那会跳过证书校验，退回到不安全的连接
root@ylm-ubuntu:/opt/docker/auth# mkdir -p /etc/docker/certs.d/myrepo.com:5000
root@ylm-ubuntu:/etc/docker/certs.d/myrepo.com:5000# cp /opt/docker/certs/myrepo.crt ./
root@ylm-ubuntu:/etc/docker/certs.d/myrepo.com:5000# ls
myrepo.crt
root@ylm-ubuntu:/etc/docker/certs.d/myrepo.com:5000# mv myrepo.crt ca.crt
root@ylm-ubuntu:/etc/docker/certs.d/myrepo.com:5000# service docker restart
#certs.d 目录 dockerd 一般是每次访问 registry 时读取，重启通常不是必需的，但也无害
#再次上传镜像还是报错 出现 no basic auth credentials 因为我们设置了 htpasswd 登录认证 所以必须先 docker login
root@ylm-ubuntu:/etc/docker/certs.d/myrepo.com:5000# docker push myrepo.com:5000/busybox
The push refers to repository [myrepo.com:5000/busybox]
be8b8b42328a: Preparing
no basic auth credentials
#登录出现错误（401）因为这里把 /opt/docker/auth/htpasswd 里的 bcrypt 哈希当口令输入了；哈希只是服务端用来校验的，不是登录口令
root@ylm-ubuntu:/etc/docker/certs.d/myrepo.com:5000# docker login myrepo.com:5000
Username: admin
Password:
Error response from daemon: login attempt to https://myrepo.com:5000/v2/ failed with status: 401 Unauthorized
#改用明文密码登录
root@ylm-ubuntu:/etc/docker/certs.d/myrepo.com:5000# docker login myrepo.com:5000
Username: admin
Password: password #步骤3创建的
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
#登录成功
Login Succeeded
#上面的 WARNING 意思是口令以 base64(user:password) 形式写进了 /root/.docker/config.json，等同于明文：按提示配置 credential helper；脚本里用 docker login --password-stdin 传口令，避免进 shell 历史
ps:这也是我一直疑惑的地方 有大神明白的可以留言 感谢（答：htpasswd 里存的是 bcrypt 哈希，登录永远用明文口令，服务端算哈希再比对，所以用哈希登录会 401）
#再次push成功
root@ylm-ubuntu:/etc/docker/certs.d/myrepo.com:5000# docker push myrepo.com:5000/busybox
The push refers to repository [myrepo.com:5000/busybox]
be8b8b42328a: Pushed
latest: digest: sha256:2ca5e69e244d2da7368f7088ea3ad0653c3ce7aaccd0b8823d11b0d5de956002 size: 527
6.远端节点下载镜像
#设置域名解析
[root@c7-45 myrepo.com:5000]# cat /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
10.0.0.55 myrepo.com
#在远端节点上新建同样的目录
[root@c7-45 myrepo.com:5000]# pwd
/etc/docker/certs.d/myrepo.com:5000
[root@c7-45 myrepo.com:5000]# ls
ca.crt
#ca.crt 是用 scp 从 server 拷过来的。拷的只是公钥证书 myrepo.crt；私钥 myrepo.key 只留在 registry 主机，绝不要分发到客户端
ps:
#server主机上执行scp命令(server是ubuntu20.04 无法用root直接登录 所以这样拷贝输入centos的密码 比较方便)。源路径以 / 开头，scp 才不会把路径里的 ":" 当成主机分隔符
scp /etc/docker/certs.d/myrepo.com:5000/ca.crt root@10.0.0.45:/etc/docker/certs.d/myrepo.com:5000/
#登录镜像服务器（这里输入的是步骤3的明文口令 password）
[root@c7-45 myrepo.com:5000]# docker login myrepo.com:5000
Username: admin
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
#下载镜像（拉取时打印的 Digest 应与 push 时打印的 sha256:2ca5e69e... 一致，可据此确认拉到的是同一个镜像）
[root@c7-45 myrepo.com:5000]# docker pull myrepo.com:5000/busybox
Using default tag: latest
latest: Pulling from busybox
Digest: sha256:2ca5e69e244d2da7368f7088ea3ad0653c3ce7aaccd0b8823d11b0d5de956002
Status: Downloaded newer image for myrepo.com:5000/busybox:latest
myrepo.com:5000/busybox:latest
#查看镜像
[root@c7-45 myrepo.com:5000]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
myrepo.com:5000/busybox latest 6858809bf669 2 weeks ago 1.23MB