Setting up a private Docker registry

2019/09/12 docker


Run the registry directly with docker run, with basic auth from an htpasswd file and TLS from the certs directory (the registry only accepts bcrypt entries in the htpasswd file, i.e. ones produced with htpasswd -B):

docker run -d \
  -p 5000:5000 \
  --restart=always \
  --name registry \
  -v `pwd`/auth:/auth \
  -v `pwd`/certs:/certs \
  -e REGISTRY_AUTH="htpasswd" \
  -e REGISTRY_AUTH_HTPASSWD_REALM="Registry Realm" \
  -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd \
  -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt \
  -e REGISTRY_HTTP_TLS_KEY=/certs/domain.key \
  registry:2

Generate the self-signed certificate and key referenced above:

openssl req \
  -newkey rsa:4096 -nodes -sha256 -keyout certs/domain.key \
  -x509 -out certs/domain.crt -subj "/C=CN/ST=Beijing/L=Beijing/O=website Inc./OU=Web Security/CN=192.168.50.128"

Note that current Docker clients (built with Go 1.15 or later) ignore the CN field and require the registry address in a subjectAltName; with OpenSSL 1.1.1 or later, append -addext "subjectAltName=IP:192.168.50.128" (or DNS:<hostname>) to the command above.

The same registry as a docker-compose.yml (YAML must be indented with spaces, not tabs):

version: "3"
services:
  docker-registry:
    restart: always
    image: registry:2
    ports:
      - 5000:5000
    environment:
      REGISTRY_HTTP_TLS_CERTIFICATE: /certs/domain.crt
      REGISTRY_HTTP_TLS_KEY: /certs/domain.key
      REGISTRY_AUTH: htpasswd
      REGISTRY_AUTH_HTPASSWD_PATH: /auth/htpasswd
      REGISTRY_AUTH_HTPASSWD_REALM: Registry Realm
    volumes:
      - /data/webserver/docker-registry/data:/var/lib/registry
      - /data/webserver/docker-registry/conf/certs:/certs
      - /data/webserver/docker-registry/conf/auth:/auth


Certificate problems

Making a private (self-signed) certificate trusted

Assume the registry hostname is registry.17173.com and its private certificate is registry.crt.

Run: docker push registry.17173.com/myfirstimage

error:

x509: certificate signed by unknown authority

1. Add the following to /etc/docker/daemon.json and the push succeeds:

{
	"insecure-registries" : ["registry.17173.com"]
}

This only tells the Docker daemon to accept an unverifiable certificate for that host (and to fall back to plain HTTP if TLS fails); it does not make the certificate trusted by curl or any other client, and it removes the protection TLS verification provides, so options 2 to 4 below are preferable.

Now test with curl -XGET https://registry.17173.com/v2/_catalog

It reports the error:

curl: (60) SSL certificate problem: self signed certificate
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.

With -k or --insecure, curl reaches the registry, but only because verification is switched off:

curl -k -XGET https://registry.17173.com/v2/_catalog

2. Place the certificate under /etc/docker/certs.d/registry.17173.com/ (the Docker daemon trusts every *.crt file there as a CA for that registry only):

mkdir -p /etc/docker/certs.d/registry.17173.com/
cp conf/certs/registry.crt /etc/docker/certs.d/registry.17173.com/

curl can then be pointed at the same file:

curl --cacert /etc/docker/certs.d/registry.17173.com/registry.crt -XGET https://registry.17173.com/v2/_catalog

3. System-wide trust on CentOS 7

cp conf/certs/registry.crt /etc/pki/ca-trust/source/anchors/registry.17173.com.crt

Then update the trust store: update-ca-trust

4. System-wide trust on Ubuntu

cp conf/certs/registry.crt /usr/local/share/ca-certificates/registry.17173.com.crt
update-ca-certificates

Common ca-certificates paths are /etc/ca-certificates, /usr/share/ca-certificates, /usr/share/doc/ca-certificates and /usr/local/share/ca-certificates.

With either system-level method the Docker daemon reads the system bundle at startup, so restart it (systemctl restart docker) before testing the push again.
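Steps 1 to 4 above are three different trust mechanisms with very different security properties, and on a real host it is easy to end up with more than one of them in place. The following Python script is an added example, not code from the original post: it audits how a Docker host trusts each registry by reading the daemon.json insecure-registries list, the /etc/docker/certs.d/<host>/ directory and the distro CA anchor directories, and reports the weakest mechanism in effect. All paths are parameters, and the script builds a constructed fixture (placeholder certificate files, invented hostnames harbor.example.internal and mirror.example.internal) in a temporary directory so it runs offline.

```python
"""Audit how a Docker host has chosen to trust its private registries.

Added example (not from the original post). It reads the three places the
post touches -- daemon.json "insecure-registries", /etc/docker/certs.d/<host>/
and the distro CA anchor directories -- and reports, per registry host, which
mechanism is in effect. All paths are parameters so the audit can run against
a constructed fixture instead of the live host.
"""
import json
import os
import tempfile


def load_insecure_registries(daemon_json_path):
    """Return the "insecure-registries" list from daemon.json (empty if absent)."""
    if not os.path.isfile(daemon_json_path):
        return []
    with open(daemon_json_path, encoding="utf-8") as fh:
        return list(json.load(fh).get("insecure-registries", []))


def certs_d_ca_present(certs_d_root, host):
    """True if <certs_d_root>/<host>/ holds at least one *.crt file.

    dockerd treats every *.crt in that directory as a CA for this host only.
    """
    host_dir = os.path.join(certs_d_root, host)
    return os.path.isdir(host_dir) and any(
        name.endswith(".crt") for name in os.listdir(host_dir)
    )


def system_ca_present(anchor_dirs, host):
    """True if <host>.crt was dropped into one of the distro CA source dirs
    (e.g. /etc/pki/ca-trust/source/anchors or /usr/local/share/ca-certificates)."""
    return any(os.path.isfile(os.path.join(d, host + ".crt")) for d in anchor_dirs)


def audit_registry_trust(hosts, daemon_json_path, certs_d_root, anchor_dirs):
    """Classify each host. "insecure" wins even when a CA is also installed,
    because dockerd will fall back to unverified TLS and then plain HTTP for
    such hosts, which is the weakest of the options in the post."""
    insecure = set(load_insecure_registries(daemon_json_path))
    report = {}
    for host in hosts:
        flags = {
            "insecure": host in insecure,
            "certs_d_ca": certs_d_ca_present(certs_d_root, host),
            "system_ca": system_ca_present(anchor_dirs, host),
        }
        if flags["insecure"]:
            flags["verdict"] = "insecure"      # verification may be skipped
        elif flags["certs_d_ca"]:
            flags["verdict"] = "certs.d-ca"    # CA scoped to this registry only
        elif flags["system_ca"]:
            flags["verdict"] = "system-ca"     # CA trusted host-wide
        else:
            flags["verdict"] = "untrusted"     # push fails with the x509 error
        report[host] = flags
    return report


# Constructed placeholder; the audit only checks that the file exists.
PLACEHOLDER_PEM = "-----BEGIN CERTIFICATE-----\nplaceholder\n-----END CERTIFICATE-----\n"


def build_fixture(root):
    """Construct a sample host layout (constructed data, not files from a real host)."""
    daemon_json = os.path.join(root, "daemon.json")
    with open(daemon_json, "w", encoding="utf-8") as fh:
        json.dump({"insecure-registries": ["registry.17173.com"]}, fh)

    certs_d = os.path.join(root, "certs.d")
    os.makedirs(os.path.join(certs_d, "registry.17173.com"))
    with open(os.path.join(certs_d, "registry.17173.com", "registry.crt"), "w") as fh:
        fh.write(PLACEHOLDER_PEM)

    anchors = os.path.join(root, "anchors")   # stands in for the distro anchor dir
    os.makedirs(anchors)
    with open(os.path.join(anchors, "harbor.example.internal.crt"), "w") as fh:
        fh.write(PLACEHOLDER_PEM)
    return daemon_json, certs_d, [anchors]


def demo():
    """Run the audit over the constructed fixture and return the report."""
    with tempfile.TemporaryDirectory() as root:
        daemon_json, certs_d, anchor_dirs = build_fixture(root)
        hosts = ["registry.17173.com", "harbor.example.internal", "mirror.example.internal"]
        return audit_registry_trust(hosts, daemon_json, certs_d, anchor_dirs)


if __name__ == "__main__":
    for host, flags in demo().items():
        print(f"{host:28} {flags['verdict']}")
```

On a live host, call audit_registry_trust with /etc/docker/daemon.json, /etc/docker/certs.d and the anchor directories listed in steps 3 and 4; a host that the post's step 1 left in insecure-registries is reported as "insecure" even after a CA was later installed, which is exactly the leftover a reviewer wants to catch.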

