Setting up a TLS-encrypted private Docker registry

1 Generate the keys and certificates the private registry needs

#!/bin/bash

NAME="docker_registry_certs"
VOLUME="$HOME/docker_data/docker_registry_certs"
SSL_IP="10.1.64.72"

# make sure the volume directory exists
# (777 is the post's choice; the directory will hold the private keys, so tighten it in practice)
sudo mkdir -p "$VOLUME" && sudo chmod -R 777 "$VOLUME"

# remove any previous container with this name, then generate the certificates:
# omgwtfssl writes ca.pem, cert.pem and key.pem into /certs, i.e. into $VOLUME,
# with the certificate valid for SSL_IP and SSL_DNS
docker ps -q -a --filter "name=$NAME" | xargs -I {} docker rm -f {}
docker run --rm \
  --name "$NAME" \
  -v "$VOLUME:/certs" \
  -e SSL_IP="$SSL_IP" \
  -e SSL_DNS=registry.local \
  paulczar/omgwtfssl
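Before starting the registry it is worth confirming that the generated cert.pem is actually signed by ca.pem and carries a Subject Alternative Name matching the address clients will use (the IP 10.1.64.72 or the name registry.local); a mismatch surfaces later as docker's "x509: certificate is valid for ..., not ..." error at push time. The script below is an added example, not part of the original post or of omgwtfssl: check_registry_cert performs that verification with openssl, and make_test_pki builds a throwaway CA and server certificate with the same file names and SAN layout (a constructed stand-in for the omgwtfssl output, for exercising the check without the registry). Both function names are this example's own.

```shell
#!/bin/sh
# Added example: verify a registry certificate against its CA and against the
# address clients will use. Requires openssl on PATH.

# Usage: check_registry_cert CERT_PEM CA_PEM HOST
# HOST is an IP address or a DNS name. Returns 0 only if CERT_PEM chains to
# CA_PEM and its Subject Alternative Name lists HOST as an IP or DNS entry.
check_registry_cert() {
    cert=$1; ca=$2; host=$3
    if ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
        echo "$cert is not signed by $ca" >&2
        return 1
    fi
    # In the text dump the SAN entries sit on the line after the
    # "Subject Alternative Name" header, e.g. "IP Address:10.1.64.72, DNS:registry.local".
    san=$(openssl x509 -in "$cert" -noout -text \
          | sed -n '/Subject Alternative Name/{n;s/^[[:space:]]*//;p;}')
    esc=$(printf '%s' "$host" | sed 's/\./\\./g')
    if ! printf '%s\n' "$san" | grep -Eq "(^|, )(IP Address|DNS):$esc(,|\$)"; then
        echo "$cert does not cover $host (SAN: ${san:-none})" >&2
        return 1
    fi
    return 0
}

# Usage: make_test_pki DIR IP DNS
# Constructed stand-in for the omgwtfssl output: writes ca.pem, cert.pem and
# key.pem into DIR, with cert.pem valid for IP and DNS. Test material only,
# not a replacement for the certificates generated in step 1.
make_test_pki() {
    dir=$1; ip=$2; dns=$3
    mkdir -p "$dir"
    cat > "$dir/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=IP:%s,DNS:%s\n' "$ip" "$dns" \
        > "$dir/server.ext"
    openssl req -x509 -config "$dir/ca.cnf" -newkey rsa:2048 -nodes -days 1 \
        -subj /CN=test-ca -keyout "$dir/ca-key.pem" -out "$dir/ca.pem" 2>/dev/null &&
    openssl req -config "$dir/ca.cnf" -newkey rsa:2048 -nodes -subj "/CN=$dns" \
        -keyout "$dir/key.pem" -out "$dir/cert.csr" 2>/dev/null &&
    openssl x509 -req -days 1 -in "$dir/cert.csr" -CA "$dir/ca.pem" \
        -CAkey "$dir/ca-key.pem" -CAcreateserial -extfile "$dir/server.ext" \
        -out "$dir/cert.pem" 2>/dev/null
}
```

Against the real output of step 1 the call is check_registry_cert "$HOME/docker_data/docker_registry_certs/cert.pem" "$HOME/docker_data/docker_registry_certs/ca.pem" 10.1.64.72; a non-zero exit with the SAN printed to stderr tells you which name the certificate was actually issued for.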

2 Start the docker registry service

#!/bin/bash

NAME="docker_registry"
VOLUME="$HOME/docker_data/docker_registry"
VOLUME_REGISTRY="$VOLUME/registry"
# the certificates generated in step 1 (the original script pointed at
# $VOLUME/certs, a different and empty directory, so the registry could not
# have found key.pem and cert.pem there)
VOLUME_CERTS="$HOME/docker_data/docker_registry_certs"

# make sure the image storage directory exists
sudo mkdir -p "$VOLUME_REGISTRY" && sudo chmod -R 777 "$VOLUME_REGISTRY"

# remove any previous container with this name, then start the registry.
# Note on REGISTRY_HTTP_TLS_CLIENTCAS_0: it makes the registry demand a client
# certificate signed by ca.pem on every connection (docker reads client.cert and
# client.key from /etc/docker/certs.d/<host>/). If clients should only need to
# trust the CA, as step 3 sets up, leave that line out.
docker ps -q -a --filter "name=$NAME" | xargs -I {} docker rm -f {}
docker run \
    --name "$NAME" \
    -p 443:5000 \
    -v "$VOLUME_REGISTRY:/var/lib/registry" \
    -v "$VOLUME_CERTS:/opt/registry/ssl" \
    --env REGISTRY_STORAGE_DELETE_ENABLED=true \
    --env REGISTRY_HTTP_TLS_KEY=/opt/registry/ssl/key.pem \
    --env REGISTRY_HTTP_TLS_CERTIFICATE=/opt/registry/ssl/cert.pem \
    --env REGISTRY_HTTP_TLS_CLIENTCAS_0=/opt/registry/ssl/ca.pem \
    --detach \
    --restart always \
    registry:2.6.2

One note: publishing the registry on port 443 above is important, because the self-signed certificate setup assumes the default port 443; the image references used below (10.1.64.72/alpine) carry no port, so docker connects on 443.

3 Add the certificate on the local (client) machine

At this point the private Docker registry is running with its certificate. Every client that wants to push images to it has to be given the CA certificate so that it trusts the registry:

sudo mkdir -p /etc/docker/certs.d/10.1.64.72
cd /etc/docker/certs.d/10.1.64.72
sudo cp /path/ca.pem ./ca.crt

The ca.pem here is the CA certificate generated in step 1 (under $HOME/docker_data/docker_registry_certs).
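Which directory under /etc/docker/certs.d docker consults is easy to get wrong: it is the registry part of the image reference, port included when one is written, so 10.1.64.72/alpine reads /etc/docker/certs.d/10.1.64.72/ca.crt while 10.1.64.72:5000/alpine would read /etc/docker/certs.d/10.1.64.72:5000/ca.crt. The script below is an added example, not from the post: registry_host_from_ref derives that directory name from any image reference, install_registry_ca places a CA there, and check_registry_certs confirms the daemon would find a CA for a given reference (and, when client-certificate authentication is enabled, a complete client.cert/client.key pair). The function names and the optional CERTS_ROOT argument, which defaults to /etc/docker/certs.d and exists so the functions can be tried in a scratch directory, are this example's own.

```shell
#!/bin/sh
# Added example: derive the certs.d directory docker expects for a registry
# reference, install a CA certificate there, and check the layout.

# Usage: registry_host_from_ref IMAGE_REF
# Prints the registry host[:port] docker will contact for IMAGE_REF.
# "10.1.64.72/alpine" -> "10.1.64.72", "10.1.64.72:5000/alpine" -> "10.1.64.72:5000".
registry_host_from_ref() {
    ref=$1
    case $ref in
        */*) first=${ref%%/*} ;;
        *)   printf 'docker.io\n'; return 0 ;;   # bare "alpine" or "alpine:3.18": Docker Hub
    esac
    # A first path component containing a dot or a colon (or "localhost") is a
    # registry host; anything else ("library/alpine") is a Docker Hub namespace.
    case $first in
        *.*|*:*|localhost) printf '%s\n' "$first" ;;
        *)                 printf 'docker.io\n' ;;
    esac
}

# Usage: install_registry_ca CA_PEM IMAGE_REF [CERTS_ROOT]
# Copies CA_PEM to CERTS_ROOT/<host>/ca.crt for the registry named in IMAGE_REF
# and prints the installed path. CERTS_ROOT defaults to /etc/docker/certs.d.
install_registry_ca() {
    ca_file=$1
    ref=$2
    certs_root=${3:-/etc/docker/certs.d}
    host=$(registry_host_from_ref "$ref")
    [ -r "$ca_file" ] || { echo "CA file not readable: $ca_file" >&2; return 1; }
    mkdir -p "$certs_root/$host" || return 1
    cp "$ca_file" "$certs_root/$host/ca.crt" || return 1
    chmod 644 "$certs_root/$host/ca.crt"
    printf '%s\n' "$certs_root/$host/ca.crt"
}

# Usage: check_registry_certs IMAGE_REF [CERTS_ROOT]
# Returns 0 if the daemon would find ca.crt for IMAGE_REF's registry, and, if a
# client certificate pair is present at all, that both halves of it are there.
check_registry_certs() {
    ref=$1
    certs_root=${2:-/etc/docker/certs.d}
    host=$(registry_host_from_ref "$ref")
    dir=$certs_root/$host
    [ -f "$dir/ca.crt" ] || { echo "missing $dir/ca.crt" >&2; return 1; }
    if [ -f "$dir/client.cert" ] || [ -f "$dir/client.key" ]; then
        if ! { [ -f "$dir/client.cert" ] && [ -f "$dir/client.key" ]; }; then
            echo "client.cert and client.key must both be present in $dir" >&2
            return 1
        fi
    fi
    return 0
}
```

With the post's values, install_registry_ca "$HOME/docker_data/docker_registry_certs/ca.pem" 10.1.64.72/alpine (run as root) reproduces step 3, and check_registry_certs 10.1.64.72/alpine is a quick pre-push check after any change to the registry's port mapping.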

4 Try a push

docker pull alpine
docker tag alpine 10.1.64.72/alpine
docker push 10.1.64.72/alpine

5 Try a pull

docker pull 10.1.64.72/alpine

6 List all images

The registry only speaks HTTPS, so the URL needs the https:// scheme (without it curl would try plain HTTP on port 80):

curl --insecure https://10.1.64.72/v2/_catalog
{"repositories":["alpine"]}

curl --insecure https://10.1.64.72/v2/alpine/tags/list
{"name":"alpine","tags":["latest"]}
