Setting up a private Docker registry

Generating a self-signed SSL certificate

mkdir -p ~/registry/certs
cd ~/registry/certs
# -newkey rsa:4096 generates a fresh key, so no separate `openssl genrsa` step is needed
# (a 1024-bit key generated beforehand would be too weak and would be overwritten here anyway)
openssl req -newkey rsa:4096 -nodes -sha256 -keyout registry.wting.com.key -x509 -days 365 -out registry.wting.com.crt
Generating a 4096 bit RSA private key
.........................++
.....................................................................................................................++
writing new private key to 'registry.wting.com.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:cn        # ← two-letter country code
State or Province Name (full name) [Some-State]:sc        # ← full province name
Locality Name (eg, city) []:cd        # ← full city name
Organization Name (eg, company) [Internet Widgits Pty Ltd]:wt        # ← company name (in English)
Organizational Unit Name (eg, section) []:it        # ← department
Common Name (e.g. server FQDN or YOUR name) []:it        # ← must be the registry's FQDN (registry.wting.com); "it" is what causes the x509 name-mismatch error when pushing below
Email Address []:123@123.com        # ← e-mail address
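The interactive prompt above is easy to get wrong (the CN typed here is "it", which is exactly what the push later trips over), and recent Docker clients also require the hostname in a subjectAltName, not only in the CN. The following script, added here as an example and not part of the original post, generates the certificate non-interactively with both set to the registry hostname and verifies the result before the certificate is given to the daemon. It assumes OpenSSL 1.1.1 or newer (for `-addext`); the hostname and the ~/registry/certs layout are the post's, the DN values are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): generate the self-signed
# registry certificate non-interactively with the Common Name *and* a DNS
# subjectAltName set to the registry hostname, then verify the certificate
# really covers that name before handing it to the Docker daemon.
# Assumptions: OpenSSL 1.1.1+ (-addext); hostname and paths from the post,
# DN values are placeholders.
set -eu

REGISTRY_HOST="registry.wting.com"
CERT_DIR="${CERT_DIR:-${HOME:-.}/registry/certs}"

# gen_registry_cert HOST DIR
# One-step key + certificate: -newkey creates a fresh 4096-bit RSA key (no
# separate `openssl genrsa`), -nodes leaves it unencrypted so the registry
# container can read it, -subj/-addext replace the interactive prompts,
# -x509 makes it self-signed (this cert is the "CA" clients will trust).
gen_registry_cert() {
    host="$1"
    dir="$2"
    mkdir -p "$dir"
    openssl req -newkey rsa:4096 -nodes -sha256 -x509 -days 365 \
        -subj "/C=cn/ST=sc/L=cd/O=wt/OU=it/CN=$host" \
        -addext "subjectAltName=DNS:$host" \
        -keyout "$dir/$host.key" -out "$dir/$host.crt" 2>/dev/null
    chmod 600 "$dir/$host.key"    # private key: owner-readable only
}

# cert_covers_host CRT HOST -> exit 0 if HOST is listed as a DNS SAN, else 1.
# This mirrors the hostname check Go's crypto/x509 (hence the Docker client)
# performs; since Go 1.15 a certificate with only a matching CN fails it.
cert_covers_host() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | grep -Eq "DNS:$2(,|\$)"
}

# cert_fingerprint CRT -> SHA-256 fingerprint, to compare what the daemon
# trusts (/etc/docker/certs.d/<host>/ca.crt) with what the registry serves.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# install_daemon_trust CRT HOST: trust this self-signed certificate for HOST
# only (per-registry trust, not the system CA store). Needs root.
install_daemon_trust() {
    mkdir -p "/etc/docker/certs.d/$2"
    cp "$1" "/etc/docker/certs.d/$2/ca.crt"
}

main() {
    gen_registry_cert "$REGISTRY_HOST" "$CERT_DIR"
    crt="$CERT_DIR/$REGISTRY_HOST.crt"
    if cert_covers_host "$crt" "$REGISTRY_HOST"; then
        echo "certificate covers $REGISTRY_HOST, fingerprint $(cert_fingerprint "$crt")"
    else
        echo "certificate does NOT cover $REGISTRY_HOST; the daemon will reject it" >&2
        exit 1
    fi
}

# Run as `sh make-registry-cert.sh generate`; without the argument the file
# only defines the functions (so it can be sourced).
case "${1:-}" in
    generate) main ;;
esac
```

`cert_covers_host` is the check worth keeping around: when a push fails with "x509: certificate is valid for X, not Y", running it against the served certificate tells you immediately whether the problem is the name (regenerate) or the trust chain (install under /etc/docker/certs.d/).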

docker pull registry:2
2: Pulling from library/registry
df28cf470b38: Pull complete
577446ca4af0: Pull complete
14ff94bd0849: Pull complete
fcb894e0bfb0: Pull complete
e6d123ba30d0: Pull complete
a4165aa6bf51: Pull complete
7d1c600724ef: Pull complete
34c9deb8b2e3: Already exists
b24f937674dc: Already exists
Digest: sha256:528f8f97656ccba4284fdd27fff053a838b84163ed7aa5c5065cccf4a93c64cb
Status: Downloaded newer image for registry:2
-------------------
# Start the registry with TLS only (no authentication yet). /home/docker/registry/certs is the
# ~/registry/certs directory created above; host port 443 is mapped so image names need no port.
docker run -d -p 443:5000 --restart=always --name registry \
-v /home/docker/registry/certs:/certs \
-e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/registry.wting.com.crt \
-e REGISTRY_HTTP_TLS_KEY=/certs/registry.wting.com.key \
registry:2

docker ps -a
CONTAINER ID   IMAGE        COMMAND                  CREATED         STATUS         PORTS                   NAMES
87f8017a225b   registry:2   "/entrypoint.sh /etc/"   3 minutes ago   Up 3 minutes   0.0.0.0:443->5000/tcp   registry

Pushing to the registry:

docker push registry.wting.com/nginx:test
The push refers to a repository [registry.wting.com/nginx] (len: 1)
unable to ping registry endpoint https://registry.wting.com/v0/
v2 ping attempt failed with error: Get https://registry.wting.com/v2/: x509: certificate is valid for it, not registry.wting.com
v1 ping attempt failed with error: Get https://registry.wting.com/v1/_ping: x509: certificate is valid for it, not registry.wting.com
The push failed (the image had already been tagged with the registry's hostname, registry.wting.com/nginx:test). Read the error carefully: it is a hostname mismatch, not an unknown CA. The Common Name entered above was "it", so the certificate is not valid for registry.wting.com. Regenerate it with the CN (and, for current Docker versions, a subjectAltName DNS entry) set to registry.wting.com. Once the name matches, the Docker client will still reject a self-signed certificate as coming from an unknown authority, so the certificate also has to be installed as the trusted CA for this registry host:
sudo mkdir -p /etc/docker/certs.d/registry.wting.com
sudo cp registry.wting.com.crt /etc/docker/certs.d/registry.wting.com/ca.crt

Restart the Docker daemon.
Authentication

cd ~/registry/
mkdir auth
# -B forces bcrypt, the only hash type the registry's htpasswd backend accepts; pick a real password instead of 1233.
# The registry image stopped shipping the htpasswd binary in 2.7, so on newer versions run htpasswd from the httpd:2 image instead.
docker run --entrypoint htpasswd registry:2.2 -Bbn docker 1233 > auth/htpasswd
# The container name is reused, so remove the TLS-only container first (docker rm -f registry).
docker run -d -p 443:5000 --restart=always --name registry \
-v `pwd`/auth:/auth \
-e "REGISTRY_AUTH=htpasswd" \
-e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" \
-e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd \
-v /home/docker/registry/certs:/certs \
-e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/registry.wting.com.crt \
-e REGISTRY_HTTP_TLS_KEY=/certs/registry.wting.com.key \
registry:2
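The following script, added here as an example and not the post's own code, wraps the authentication setup and the login step into something repeatable: it creates the bcrypt htpasswd entry, refuses to start the registry if the file contains anything other than bcrypt hashes (an MD5 or crypt entry loads silently and then simply never authenticates, which looks exactly like a wrong password), starts the container with the auth and certificate volumes mounted read-only, and checks from outside that anonymous access gets 401 while the credentials get 200. Assumptions: the post's hostname and ~/registry layout, the `httpd:2` image as the source of `htpasswd`, and the user name and password supplied through REG_USER/REG_PASS; the bcrypt entries used by the self-test are constructed, not real hashes.

```shell
#!/bin/sh
# Added example (not from the original post): registry with TLS + htpasswd,
# with a format check on the htpasswd file and an external smoke test.
# Assumptions: post's hostname and ~/registry layout; httpd:2 provides
# htpasswd; REG_USER/REG_PASS come from the environment.
set -eu

HOST="registry.wting.com"
REG_DIR="${REG_DIR:-${HOME:-.}/registry}"
REG_USER="${REG_USER:-docker}"
REG_PASS="${REG_PASS:-}"

# make_htpasswd USER PASS FILE: -B bcrypt (the only type the registry
# accepts), -b password from argv, -n print to stdout instead of a file.
make_htpasswd() {
    mkdir -p "$(dirname "$3")"
    docker run --rm --entrypoint htpasswd httpd:2 -Bbn "$1" "$2" > "$3"
    chmod 600 "$3"
}

# htpasswd_all_bcrypt FILE -> 0 if the file has at least one entry and every
# entry is user:$2[aby]$<cost>$<53 chars>; comments and blank lines are
# ignored, any apr1/MD5/crypt entry makes it return 1.
htpasswd_all_bcrypt() {
    entries=$(grep -Ev '^[[:space:]]*(#|$)' "$1" || true)
    [ -n "$entries" ] || return 1
    bad=$(printf '%s\n' "$entries" \
        | grep -Evc '^[^:]+:\$2[aby]\$[0-9]{2}\$[./A-Za-z0-9]{53}$' || true)
    [ "$bad" -eq 0 ]
}

# start_registry: same container as the post, volumes read-only; the name is
# reused, so the TLS-only container has to go first.
start_registry() {
    docker rm -f registry 2>/dev/null || true
    docker run -d -p 443:5000 --restart=always --name registry \
        -v "$REG_DIR/auth:/auth:ro" \
        -v "$REG_DIR/certs:/certs:ro" \
        -e REGISTRY_AUTH=htpasswd \
        -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" \
        -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd \
        -e "REGISTRY_HTTP_TLS_CERTIFICATE=/certs/$HOST.crt" \
        -e "REGISTRY_HTTP_TLS_KEY=/certs/$HOST.key" \
        registry:2
}

# v2_status HOST [USER PASS] -> HTTP status of GET /v2/. The server cert is
# verified against our own .crt (no -k), so a registry presenting any other
# certificate fails here instead of silently being talked to.
v2_status() {
    host="$1"; shift
    auth=""
    if [ $# -ge 2 ]; then auth="$1:$2"; fi
    curl -s -o /dev/null -w '%{http_code}' --cacert "$REG_DIR/certs/$host.crt" \
        ${auth:+-u "$auth"} "https://$host/v2/"
}

# smoke_test: what `docker login` does under the hood, minus the credential
# store. Anonymous must be challenged (401), the htpasswd user accepted (200).
smoke_test() {
    anon=$(v2_status "$HOST")
    authed=$(v2_status "$HOST" "$REG_USER" "$REG_PASS")
    echo "anonymous: $anon (want 401)   authenticated: $authed (want 200)"
    [ "$anon" = 401 ] && [ "$authed" = 200 ]
}

main() {
    [ -n "$REG_PASS" ] || { echo "set REG_PASS to a strong password" >&2; exit 1; }
    make_htpasswd "$REG_USER" "$REG_PASS" "$REG_DIR/auth/htpasswd"
    htpasswd_all_bcrypt "$REG_DIR/auth/htpasswd" \
        || { echo "htpasswd contains non-bcrypt entries" >&2; exit 1; }
    start_registry
    sleep 2
    smoke_test
}

# Run as `REG_PASS=... sh registry-auth.sh up`; without the argument the file
# only defines the functions.
case "${1:-}" in
    up) main ;;
esac
```

After `smoke_test` passes, `docker login registry.wting.com` with the same user name and password succeeds; if the smoke test gets 200 but `docker login` still fails with an x509 error, the daemon (not curl) is the one missing the certificate under /etc/docker/certs.d/registry.wting.com/ca.crt.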

Logging in

# Enter the user name and password from the htpasswd file when prompted
docker login registry.wting.com