Encryption
[root@server9 yum.repos.d]# systemctl status docker.service
● docker.service - Docker Application Container Engine
Loaded: loaded (/usr/lib/systemd/system/docker.service; enabled; vendor preset: disabled)
Active: active (running) since Sun 2021-05-30 16:16:25 CST; 1h 30min ago
The Docker engine is set to start at boot.
--restart=always: according to the official documentation, the container is started automatically whenever the Docker engine starts.
Registry authentication
[root@server9 ~]# mkdir -p certs
[root@server9 ~]# ls
certs
[root@server9 ~]# cd certs/
[root@server9 certs]# ls
openssl req -newkey rsa:4096 -nodes -sha256 -keyout certs/yan.org.key -addext "subjectAltName = DNS:reg.yan.org" -x509 -days 365 -out certs/domain.crt/yan.org.crt
unknown option -addext
This command does not work:
this OpenSSL version is different and has no -addext option.
Remove that option, since these are self-signed certificates anyway.
[root@server9 ~]# openssl req -newkey rsa:4096 -nodes -sha256 -keyout certs/westos.org.key -x509 -days 365 -out certs/westos.org.crt
Use this command instead.
Generating a 4096 bit RSA private key
.......................................................++
........................++
writing new private key to 'certs/westos.org.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:shanxi
Locality Name (eg, city) [Default City]:xian
Organization Name (eg, company) [Default Company Ltd]:westos
Organizational Unit Name (eg, section) []:linux
Common Name (eg, your name or your server's hostname) []:reg.westos.org
Email Address []:2441477086@qq.com
[root@server9 ~]# ls
certs
[root@server9 ~]# cd certs
[root@server9 certs]# ls
westos.org.crt westos.org.key
The self-signed certificate has been generated.
-v must be given an absolute path.
/opt/registry:/var/lib/registry: this directory is mounted because it is the registry's storage directory; all of the registry's data lives there.
-p 443:443 -v /opt/registry:/var/lib/registry registry: tells Docker to run the registry from this image.
[root@server9 ~]# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
[root@server9 ~]# docker run -d \
> --restart=always \
> --name registry \
> -v "$(pwd)"/certs:/certs \
> -e REGISTRY_HTTP_ADDR=0.0.0.0:443 \
> -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/westos.org.crt \
> -e REGISTRY_HTTP_TLS_KEY=/certs/westos.org.key \
> -p 443:443 -v /opt/registry:/var/lib/registry registry
e76e3d22283be4aa504326b72a45a2ed0448e72e060729e819ebdd190921e7e2
The registry is now running as a container.
-v "$(pwd)"/certs:/certs mounts the certs directory under the current directory into the container.
-v /opt/registry:/var/lib/registry exposes the registry's storage directory inside the container on the host.
registry: the registry runs from this image.
[root@server9 ~]# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
e76e3d22283b registry "/entrypoint.sh /etc…" 11 seconds ago Up 10 seconds 0.0.0.0:443->443/tcp, 5000/tcp registry
Parameter notes
-v "$(pwd)"/certs:/certs refers to the certs directory under the current directory.
It can be changed to an absolute path to pin the directory.
/opt/registry is created automatically.
With -v, Docker does not automatically create a volume for you (auto-created volumes get long names that are inconvenient to access) and mount it at that path; the bind mount overlays the directory instead.
-p 443:443 -v /opt/registry:/var/lib/registry registry mounts /opt/registry on the host to /var/lib/registry inside the container.
Everything after the colon is the container-side path.
Accessing the registry
Port 443 of the registry is now mapped; whether it is accessed remotely or locally, a name resolution entry must be added:
vim /etc/hosts
172.25.138.9 server9 reg.westos.org
Client usage: pushing
docker tag nginx:latest reg.westos.org/nginx:latest
docker push reg.westos.org/nginx
The push refers to repository [reg.westos.org/nginx]
Get https://reg.westos.org/v2/: x509: certificate signed by unknown authority
[root@server9 certs]# cd /etc/docker/ (Docker scans this directory automatically when running containers)
[root@server9 docker]# mkdir certs.d
[root@server9 docker]# cd certs.d
[root@server9 certs.d]# mkdir reg.westos.org
[root@server9 certs.d]# cd reg.westos.org/
[root@server9 reg.westos.org]# cp ~/certs/westos.org.crt ca.crt
To access another registry,
create /etc/docker/certs.d/<registry name> and place the certificate in that directory.
When that registry is accessed, Docker looks in /etc/docker/certs.d/<registry name>.
[root@server9 reg.westos.org]# docker push reg.westos.org/rhel7
The push refers to repository [reg.westos.org/rhel7]
An image does not exist locally with the tag: reg.westos.org/rhel7
[root@server9 reg.westos.org]# docker push reg.westos.org/nginx
The push refers to repository [reg.westos.org/nginx]
075508cf8f04: Pushed
5c865c78bc96: Pushed
134e19b2fac5: Pushed
83634f76e732: Pushed
766fe2c3fc08: Pushed
02c055ef67f5: Pushed
latest: digest: sha256:61191087790c31e43eb37caa10de1135b002f10c09fdda7fa8a5989db74033aa size: 1570
The client push succeeded.
[root@server9 certs]# docker run -d \
> --restart=always \
> --name registry \
> -v "$(pwd)"/certs:/certs \
> -e REGISTRY_HTTP_ADDR=0.0.0.0:443 \
> -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/westos.org.crt \
> -e REGISTRY_HTTP_TLS_KEY=/certs/westos.org.key \
> -p 443:443 -v /opt/registry:/var/lib/registry registry
a104df364489a595572f2ec0f3b19a9808bbf921027268e9a097566cf0c1f46e
[root@server9 certs]# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
a104df364489 registry "/entrypoint.sh /etc…" 15 seconds ago Restarting (1) 4 seconds ago registry
[root@server9 certs]# docker push reg.westos.org/nginx
The push refers to repository [reg.westos.org/nginx]
Get https://reg.westos.org/v2/: dial tcp 172.25.138.9:443: connect: connection refused
This problem is the container having no network: in docker ps there is no 5000 or 443.
Reboot the system so that it is assigned an IP.
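The walkthrough above (self-signed certificate, docker run with the TLS variables, client trust under /etc/docker/certs.d) as a set of shell helpers; this is an added example, not code from the original post. It generates the SAN certificate with an OpenSSL config file instead of the rejected -addext option, installs client trust, and checks the host-side inputs of the docker run command before it is issued: note that the second docker run above is typed from ~/certs, so "$(pwd)"/certs no longer points at the directory holding the certificate. The host name and file names are the post's; the function names and the cert_names_host/check_registry_inputs checks are assumptions of mine.

```shell
#!/bin/sh
# Added example, not from the original post. Helpers around the walkthrough's
# "openssl req" and "docker run ... registry" steps; host name and file names
# (reg.westos.org, westos.org.crt/.key) are the post's, function names are mine.

# Self-signed cert whose SAN names the registry host. Uses a config file instead
# of -addext, which the post's OpenSSL build rejects. Docker built on Go 1.15+
# ignores the CN and matches only the SAN, so a CN-only cert fails verification.
gen_san_cert() {
  dir=$1; host=$2; base=$3
  mkdir -p "$dir"
  cat > "$dir/$base.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_req
[dn]
CN = $host
[v3_req]
subjectAltName = DNS:$host
EOF
  openssl req -newkey rsa:2048 -nodes -sha256 -config "$dir/$base.cnf" \
    -keyout "$dir/$base.key" -x509 -days 365 -out "$dir/$base.crt" 2>/dev/null
}

# Returns 0 if the certificate's subjectAltName lists the given host name.
cert_names_host() {
  openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"
}

# Validates the host side of "-v CERTS:/certs -v DATA:/var/lib/registry":
# -v needs absolute paths, and the files named by REGISTRY_HTTP_TLS_CERTIFICATE
# and REGISTRY_HTTP_TLS_KEY must exist under CERTS, or the registry process
# exits at start-up and "docker ps" shows it as "Restarting (1)".
check_registry_inputs() {
  certs=$1; data=$2; crt=$3; key=$4
  case $certs in /*) ;; *) echo "certs dir must be absolute: $certs"; return 1;; esac
  case $data in /*) ;; *) echo "data dir must be absolute: $data"; return 1;; esac
  [ -f "$certs/$crt" ] || { echo "missing $certs/$crt"; return 1; }
  [ -f "$certs/$key" ] || { echo "missing $certs/$key"; return 1; }
}

# Installs the registry cert where the Docker client looks for it:
# <root>/<registry host>/ca.crt, root defaulting to /etc/docker/certs.d.
install_client_trust() {
  host=$1; crt=$2; root=${3:-/etc/docker/certs.d}
  mkdir -p "$root/$host" && cp "$crt" "$root/$host/ca.crt"
}
```

Run check_registry_inputs with the same paths you pass to -v and the same file names you put in the REGISTRY_HTTP_TLS_* variables; a relative certs path or a missing file is reported before the container is created.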