Generate a self-signed certificate

Because there is no public IP or domain name, /etc/pki/tls/openssl.cnf is modified here so that the certificate is issued with a SAN extension. Change the following in openssl.cnf:

```ini
[ v3_ca ]
# the registry's IP address
subjectAltName=IP:192.168.61.100
```

Create the certificate and data directories:

```bash
mkdir -p /home/registry/certs
mkdir -p /home/registry/data
```

Generate the self-signed certificate:

```bash
cd /home/registry/certs

openssl req \
     -newkey rsa:2048 -nodes -keyout domain.key \
     -x509 -days 3650 -out domain.crt
```

Follow the prompts and enter the information to create the certificate:

```text
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Beijing
Locality Name (eg, city) [Default City]:Beijing
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:192.168.61.100
```

Inspect the created certificate and private key, and confirm that the subjectAltName extension appears in the certificate output:

```bash
ls
domain.crt  domain.key

openssl x509 -text -noout -in domain.crt
```

Run the registry container

```bash
docker run -d -p 5000:5000 --restart=always --name registry \
  -v /home/registry/certs:/certs \
  -v /home/registry/data:/var/lib/registry \
  -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt \
  -e REGISTRY_HTTP_TLS_KEY=/certs/domain.key \
  registry:2
```

Copy domain.crt to /etc/docker/certs.d/192.168.61.100:5000/ca.crt on every host that runs Docker:

```bash
mkdir -p /etc/docker/certs.d/192.168.61.100:5000
cp domain.crt /etc/docker/certs.d/192.168.61.100:5000/ca.crt
```

Restart docker:

```bash
systemctl restart docker
```

Test pull and push:

```bash
docker pull alpine
docker tag alpine 192.168.61.100:5000/alpine

docker push 192.168.61.100:5000/alpine

docker rmi 192.168.61.100:5000/alpine
docker rmi alpine

docker pull 192.168.61.100:5000/alpine
```

Enable basic authentication

```bash
mkdir -p /home/registry/auth
cd /home/registry/auth

# -B: bcrypt, the only password hash format registry:2 accepts
docker run --entrypoint htpasswd registry:2 -Bbn testuser testpassword > htpasswd

docker stop registry
docker rm registry

docker run -d -p 5000:5000 --restart=always --name registry \
  -v /home/registry/auth:/auth \
  -e "REGISTRY_AUTH=htpasswd" \
  -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" \
  -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd \
  -v /home/registry/certs:/certs \
  -v /home/registry/data:/var/lib/registry \
  -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt \
  -e REGISTRY_HTTP_TLS_KEY=/certs/domain.key \
  registry:2
```

Verify login and push

```bash
docker login 192.168.61.100:5000
Username: testuser
Password:
Login Succeeded

docker push 192.168.61.100:5000/alpine
```
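A post-setup check for the registry configured above, added here as an example and not part of the original post: it verifies that every htpasswd entry is bcrypt (the only format registry:2 accepts) and that an unauthenticated GET /v2/ over TLS, trusting only the copied ca.crt, is answered with a Basic challenge rather than an open registry. The registry address and file paths are the ones used on this page; the sample htpasswd line in the docstring is constructed, not a real hash.

```python
"""Post-setup checks for the private registry set up above (added example)."""
import re
import ssl
import urllib.error
import urllib.request

REGISTRY = "192.168.61.100:5000"                       # address used on this page
CA_CRT = f"/etc/docker/certs.d/{REGISTRY}/ca.crt"      # where domain.crt was copied
HTPASSWD = "/home/registry/auth/htpasswd"              # file created with htpasswd -Bbn

# bcrypt: $2a$/$2b$/$2y$, two-digit cost, 22-char salt + 31-char digest
BCRYPT_RE = re.compile(r"^\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}$")


def check_htpasswd(text):
    """Return the usernames whose entry is NOT bcrypt; registry:2 silently
    rejects logins for any other hash format (md5/apr1, sha1, crypt)."""
    bad = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        user, _, digest = line.partition(":")
        if not BCRYPT_RE.match(digest):
            bad.append(user)
    return bad


def classify_v2_response(status, headers):
    """Classify the reply to an unauthenticated GET /v2/:
    'auth_required' (401 + Basic challenge), 'open' (200), or 'unexpected'."""
    if status == 401:
        challenge = headers.get("WWW-Authenticate", "")
        return "auth_required" if challenge.lower().startswith("basic ") else "unexpected"
    if status == 200:
        return "open"
    return "unexpected"


def probe(registry=REGISTRY, ca_crt=CA_CRT):
    """Network call: GET /v2/ trusting only the registry's own self-signed
    certificate; fails if the IP SAN does not match the address dialled."""
    ctx = ssl.create_default_context(cafile=ca_crt)
    try:
        with urllib.request.urlopen(f"https://{registry}/v2/", context=ctx, timeout=5) as r:
            return classify_v2_response(r.status, r.headers)
    except urllib.error.HTTPError as e:
        return classify_v2_response(e.code, e.headers)


if __name__ == "__main__":
    with open(HTPASSWD) as f:
        print("non-bcrypt users:", check_htpasswd(f.read()))
    print("registry /v2/ posture:", probe())
```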

References