1 倉庫配置https認證

cd /etc/docker/

mkdir certs

[root@docker01 docker]# openssl req -newkey rsa:4096 -nodes -sha256 -keyout certs/docker01.key -x509 -days 365 -out certs/docker01.crt

填好相應的簡稱及email即可

2 執行registry容器

[root@docker01 docker]# docker run -d -P -it \

-p 5000:5000 --restart=always \

--name registry -v `pwd`/certs:/etc/docker/certs/ \

-e REGISTRY_HTTP_TLS_CERTIFICATE=/etc/docker/certs/docker01.crt \

-e REGISTRY_HTTP_TLS_KEY=/etc/docker/certs/docker01.key registry

3 配置客戶端docker02

mkdir -p /etc/docker/certs.d/docker01:5000

scp docker01:/etc/docker/certs/docker01.crt /etc/docker/certs.d/docker01:5000/ca.crt

檢視映象

[root@docker02 docker]# docker images

REPOSITORY TAG IMAGE ID CREATED VIRTUAL SIZE

swarm latest 8eadaf3525b0 2 weeks ago 15.77 MB

上傳映象

docker tag swarm docker01:5000/swarm

[root@docker02 docker]# docker push docker01:5000/swarm

docker01想上傳資料同樣需要配置證書，同docker02

4 鑑權管理

將以上的registry容器刪除乾淨，包括倉庫的本地檔案

還是在/etc/docker目錄下操作

mkdir auth

docker run --entrypoint htpasswd registry -Bbn bsoft bsoft > auth/htpasswd

[root@docker01 docker]# docker run -d -p 5000:5000 --restart=always \

--name registry -v `pwd`/certs:/etc/docker/certs/ \

-v `pwd`/auth:/auth \

-e "REGISTRY_AUTH=htpasswd" \

-e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" \

-e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd \

-v `pwd`/data:/var/lib/registry \

-e REGISTRY_HTTP_TLS_CERTIFICATE=/etc/docker/certs/docker01.crt \

-e REGISTRY_HTTP_TLS_KEY=/etc/docker/certs/docker01.key \

registry

啟動後即可push，push不僅需要證書還要輸入使用者、密碼和郵箱，而pull只需要有證書即可

注意pull的時候需要帶上版本號，而curl檢視是看不到版本號的

curl檢視：

curl --cacert /etc/docker/certs/docker01.crt --basic --user bsoft:bsoft https://docker01:5000/v2/_catalog

curl --cacert /etc/docker/certs.d/docker01:5000/ca.crt --basic --user bsoft:bsoft https://docker01:5000/v2/_catalog