Wang Haiqing's Cloud Notes

Setting up a private registry with HTTPS yourself, so --insecure-registry is no longer needed


Apply for a certificate. It cannot be a self-signed one made with openssl or similar; otherwise you still have to configure --insecure-registry in the docker daemon.

Tencent Cloud free TrustAsia DV SSL certificate application


Install Docker

yum install docker -y

echo OPTIONS=\"--registry-mirror=https://s9c0jp37.mirror.aliyuncs.com -H unix:///var/run/docker.sock -H=tcp://0.0.0.0:2375\" >> /etc/sysconfig/docker

Note: -H=tcp://0.0.0.0:2375 exposes the Docker API on every interface without TLS or authentication; anyone who can reach that port has root-equivalent control of the host, so bind it only where that is intended.

systemctl start docker

systemctl enable docker


Create the authentication credentials

mkdir /opt/auth/  
docker run --entrypoint htpasswd docker.io/registry:latest -Bbn admin 123456  > /opt/auth/htpasswd


Copy the certificate folder to /opt


Run the container. The certificate must be the Nginx one, not the Apache one; otherwise the error below still appears. The reason is that the Nginx download bundles the server certificate and the intermediate CA certificate into one file (1_<domain>_bundle.crt), while the Apache download ships the server certificate on its own. The registry serves exactly the file named in REGISTRY_HTTP_TLS_CERTIFICATE, so with the leaf-only file the Docker client cannot build a chain to a trusted root:

Error response from daemon: Get https://haiqing.wang/v1/users/: x509: certificate signed by unknown authority


Start it as follows; the two commands below are identical except for the domain the certificate was issued for.

docker run -itd  --restart=always \
                -v /opt/auth:/auth \
                -v /opt:/var/lib/registry \
                -v /opt/certs/:/certs \
                -e "REGISTRY_AUTH=htpasswd" \
                -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" \
                -e "REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd" \
                -e "REGISTRY_STORAGE_DELETE_ENABLED=true" \
                -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/www.wanghaiqing.com/Nginx/1_www.wanghaiqing.com_bundle.crt \
                -e REGISTRY_HTTP_TLS_KEY=/certs/www.wanghaiqing.com/Nginx/2_www.wanghaiqing.com.key \
                -p 5000:5000 \
                docker.io/registry:latest
                
docker run -itd  --restart=always \
                -v /opt/auth:/auth \
                -v /opt:/var/lib/registry \
                -v /opt/certs/:/certs \
                -e "REGISTRY_AUTH=htpasswd" \
                -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" \
                -e "REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd" \
                -e "REGISTRY_STORAGE_DELETE_ENABLED=true" \
                -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/www.haiqing.wang/Nginx/1_www.haiqing.wang_bundle.crt \
                -e REGISTRY_HTTP_TLS_KEY=/certs/www.haiqing.wang/Nginx/2_www.haiqing.wang.key \
                -p 5000:5000 \
                docker.io/registry:latest


On another machine, log in

[root@one ~]# docker login -u admin -p 123456 www.haiqing.wang:5000

Login Succeeded

[root@one ~]# docker login -u admin -p 123456 www.wanghaiqing.com:5000
Login Succeeded


Inspect the site certificate. With the Apache certificate, the first few lines of this command's output show the error in the screenshot below.

openssl s_client -showcerts -verify 32 -connect www.haiqing.wang:5000


Use curl to test whether TLS is working correctly

curl -i -k -v https://www.haiqing.wang:5000
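An added check (not part of the original note) that inspects a PEM file before it is handed to the registry: it counts the certificates, prints each subject and issuer, and verifies that each certificate is issued by the one that follows it, so a leaf-only file of the Apache layout is caught before any client sees "certificate signed by unknown authority". It assumes openssl is on PATH; the path in the usage comment is an example.

```shell
#!/bin/sh
# check_bundle.sh: sanity-check the PEM file given to REGISTRY_HTTP_TLS_CERTIFICATE.
# The registry sends exactly the certificates in that file, so it must hold the server
# certificate followed by its intermediate(s). Requires openssl on PATH.

# Number of CERTIFICATE blocks in a PEM file (prints 0 if there are none).
count_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Subject or issuer (field = subject|issuer) of the n-th certificate in the file, with
# the "subject=" / "issuer=" prefix stripped so the two values can be compared directly.
cert_field() {
    awk -v n="$2" '/-----BEGIN CERTIFICATE-----/ { i++ } i == n' "$1" \
        | openssl x509 -noout "-$3" 2>/dev/null \
        | sed 's/^[a-z]*= *//'
}

# Verify chain order: certificate i must be issued by certificate i+1. Returns 0 for a
# usable bundle, 1 for a leaf-only file, 2 for no certificates, 3 for a broken order.
check_bundle() {
    file="$1"
    n=$(count_certs "$file")
    [ "$n" -ge 1 ] || { echo "no certificates in $file"; return 2; }
    i=1
    while [ "$i" -le "$n" ]; do
        echo "[$i] subject: $(cert_field "$file" "$i" subject)"
        echo "[$i] issuer:  $(cert_field "$file" "$i" issuer)"
        i=$((i + 1))
    done
    i=1
    while [ "$i" -lt "$n" ]; do
        if [ "$(cert_field "$file" "$i" issuer)" != "$(cert_field "$file" $((i + 1)) subject)" ]; then
            echo "chain break: certificate $i is not issued by certificate $((i + 1))"
            return 3
        fi
        i=$((i + 1))
    done
    if [ "$n" -eq 1 ] && [ "$(cert_field "$file" 1 issuer)" != "$(cert_field "$file" 1 subject)" ]; then
        echo "leaf only: intermediate CA missing (Apache-style layout); use the Nginx bundle"
        return 1
    fi
    echo "ok: $n certificate(s), chain is contiguous (trust of the root is not checked here)"
    return 0
}

# Usage (example path): sh check_bundle.sh /opt/certs/<domain>/Nginx/1_<domain>_bundle.crt
if [ "$#" -gt 0 ]; then check_bundle "$1"; fi
```

A self-signed certificate passes this check because it is a complete chain; whether a client trusts its root is a separate question, which is why the note above insists on a CA-issued certificate.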


[Screenshot: openssl s_client output with the Apache certificate]

[Screenshot: openssl s_client output with the Nginx certificate]
Last updated: 2018-06-26 22:38:14