docker registry2 仓库搭建与使用

docker registry2 仓库搭建与使用

docker pull registry-1.docker.io/distribution/registry:2.1

1） 以TLS证书认证启动docker registry2
产生证书

mkdir -p certs && openssl req \ -newkey rsa:4096 -nodes -sha256 -keyout certs/domain.key \ -x509 -days 365 -out certs/domain.crt

openssl req -newkey rsa:4096 -nodes -sha256 -keyout domain.key -x509 -days 365 -out domain.crt
Generating a 4096 bit RSA private key
.........................................................................................................................++
......++
writing new private key to 'domain.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:XW
State or Province Name (full name) []:gd
Locality Name (eg, city) [Default City]:gz
Organization Name (eg, company) [Default Company Ltd]:onecloud
Organizational Unit Name (eg, section) []:gz
Common Name (eg, your name or your server's hostname) []:host102.gzoc.xww
Email Address []:xiongww@onecloud.cn

TLS证书认证启动docker registry2

docker run -d -p 5001:5000 --restart=always --name registrywithcerts --privileged=true -v /root/data:/var/lib/registry -v /root/certs:/certs -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt  -e REGISTRY_HTTP_TLS_KEY=/certs/domain.key registry:2

2）非证书认证启动

docker run -d -p 5000:5000 --restart=always --privileged=true --name registry   -v /root/data:/var/lib/registry   registry:2

访问非证书认证启动docker registry2

1）内部访问
直接使用命令push和pull docker镜像

docker tag f753707788c5 localhost:5001/ubuntu
docker push localhost:5001/ubuntu

2）外部访问
配置use an insecure registry

Open the /etc/default/docker file or /etc/sysconfig/docker for editing.

$vi /etc/default/docker

Depending on your operating system, your Engine daemon start options.
Edit (or add) the DOCKER_OPTS line and add the –insecure-registry flag.
This flag takes the URL of your registry, for example.

DOCKER_OPTS="--insecure-registry myregistrydomain.com:5000"
ADD_REGISTRY='--add-registry 192.168.153.102:5000'

Close and save the configuration file.
Restart your Docker daemon
The command you use to restart the daemon depends on your operating system. For example, on Ubuntu, this is usually the service docker stop and service docker start command.
Repeat this configuration on every Engine host that wants to access your registry.

sudo service docker stop
sudo service docker start

操作上成功

配置证书访问
官网上说
Instruct every docker daemon to trust that certificate.This is done by copying the domain.crt file to /etc/docker/certs.d/myregistrydomain.com:5000/ca.crt.

$cp domain.crt \ /etc/docker/certs.d/myregistrydomain.com:5000/ca.crt

domain.crt是运行registry使用的证书
Don’t forget to restart the Engine daemon.
但是操作却未成功

参考
https://docs.docker.com/registry/insecure/
https://docs.docker.com/registry/deploying/#get-a-certificate
https://docs.docker.com/registry/introduction/