
Deploying a Docker registry, creating a private image repository, self-signed certificates (Deploy a registry server)

These are the notes I took while deploying a Docker Registry on our internal network. The environment is CentOS 7 with Docker 18.06.1-ce.

1. Run the registry

The host I am using has the IP 192.168.1.249 and the working directory is /data/docker/registry.

# docker run -d -p 5000:5000 --restart always --name registry \
  -v /data/docker/registry/data:/var/lib/registry registry:2

Requesting http://192.168.1.249:5000/v2/_catalog now returns {"repositories":[]} (a JSON object with an empty repository list), which shows the registry is up. Note that at this point it is serving plain HTTP with no authentication on every interface of the host, so treat it as a test setup only.

2. Test pushing an image

# docker pull nginx:alpine
# docker tag nginx:alpine 192.168.1.249:5000/nginx-alpine
# docker push 192.168.1.249:5000/nginx-alpine

The push actually fails with the following error:

The push refers to repository [192.168.1.249:5000/nginx-alpine]
Get https://192.168.1.249:5000/v2/: http: server gave HTTP response to HTTPS client

The docs say to add insecure-registries to the daemon config file and restart Docker:

# vim /etc/docker/daemon.json
{
  "insecure-registries": [ "192.168.1.249:5000"]
}
# systemctl restart docker

This time the push succeeds. Keep in mind what insecure-registries does: for the listed registry the daemon ignores certificate errors on HTTPS and falls back to plain HTTP if HTTPS is not available, so anyone on the network path can read or tamper with the images you push and pull. That is tolerable for a quick test on a trusted LAN but not as a permanent setup (docker info lists the registries currently treated as insecure). Instead of that setting, the next section configures a self-signed certificate.

3. Use a self-signed certificate

The certificate needs a hostname; I use registry.docker.local here. (If you want to address the registry by IP instead of by name, the IP has to go into the certificate as a subjectAltName, which means editing the openssl config; using a hostname is recommended.) One caveat: the command below only sets the Common Name. Docker 18.06 still accepts that, but Docker releases built with Go 1.15 or newer reject a certificate that has no subjectAltName ("x509: certificate relies on legacy Common Name field"), so on a current daemon add a DNS SAN for the hostname as well.

# mkdir -p /data/docker/registry/certs
# openssl req \
  -newkey rsa:4096 -nodes -sha256 -keyout /data/docker/registry/certs/domain.key \
  -x509 -days 365 -out /data/docker/registry/certs/domain.crt

You will be prompted for a few fields. The Common Name must be the hostname you are going to use; the other fields can be left blank by pressing Enter:

Country Name (2 letter code) [XX]:
State or Province Name (full name) []:
Locality Name (eg, city) [Default City]:
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:registry.docker.local
Email Address []:

Start the container (adjust the parameters to your situation; for example, if you publish it on port 443 you can drop the :5000 suffix from image names later). Remove the container started in step 1 first (docker rm -f registry), since the name registry is already taken:

# docker run -d \
  --restart=always \
  --name registry \
  -v /data/docker/registry/data:/var/lib/registry \
  -v /data/docker/registry/certs:/certs \
  -e REGISTRY_HTTP_ADDR=0.0.0.0:5000 \
  -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt \
  -e REGISTRY_HTTP_TLS_KEY=/certs/domain.key \
  -p 5000:5000 \
  registry:2

4. Test it

Since this is a made-up hostname, first add registry.docker.local to /etc/hosts on the client machine, pointing at 192.168.1.249.

# docker tag nginx:alpine registry.docker.local:5000/nginx-alpine
# docker push registry.docker.local:5000/nginx-alpine

This fails with:

The push refers to repository [registry.docker.local:5000/nginx-alpine]
Get https://registry.docker.local:5000/v2/: x509: certificate signed by unknown authority

The docs say to put domain.crt at /etc/docker/certs.d/registry.docker.local:5000/ca.crt on the machine that does the push (the directory name must match the host:port used in the image name). Docker loads every *.crt file in that directory as a CA root for that registry, so copying the file under its original name, as below, works just as well, and the daemon does not need to be restarted.

# mkdir -p /etc/docker/certs.d/registry.docker.local:5000
# cp xxx/domain.crt /etc/docker/certs.d/registry.docker.local:5000/

Now the push succeeds:

# docker push registry.docker.local:5000/nginx-alpine
The push refers to repository [registry.docker.local:5000/nginx-alpine]
a83dbde6ba05: Layer already exists
431a5c7929dd: Layer already exists
39e8483b9882: Layer already exists
df64d3292fd6: Layer already exists
latest: digest: sha256:57a94fc99816c6aa225678b738ac40d85422e75dbb96115f1bb9b6ed77176166 size: 1153

Fetching https://registry.docker.local:5000/v2/_catalog also shows the result. Note that --insecure makes curl skip certificate verification entirely; replacing it with --cacert /data/docker/registry/certs/domain.crt should return the same answer, and if it does not, the certificate or the hostname is wrong:

# curl https://registry.docker.local:5000/v2/_catalog --insecure
{"repositories":["nginx-alpine"]}
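The whole procedure from sections 3 and 4 as one script. This is an added example and not part of the original post; it assumes openssl and a POSIX shell, and the hostname, IP and port are the ones used above. It goes beyond the page in one respect: the certificate gets a subjectAltName carrying both the DNS name and the IP (the openssl config change the IP case needs), so it also satisfies Docker versions that ignore the Common Name, and the client trust directory is created for both registry.docker.local:5000 and 192.168.1.249:5000. The function names and the scratch-directory default are my own.

```shell
#!/bin/sh
# Added example, not from the original post. Generates a self-signed registry
# certificate with a subjectAltName, installs it as a CA root for the Docker
# client, and checks what it covers. Requires openssl.
set -eu

# gen_registry_cert DIR HOSTNAME [IP]
# Writes DIR/domain.key and DIR/domain.crt. Uses an inline openssl config
# rather than -addext so it also works with OpenSSL 1.0.2 on CentOS 7.
gen_registry_cert() {
    dir=$1; host=$2; ip=${3:-}
    san="DNS:$host"
    [ -n "$ip" ] && san="$san,IP:$ip"
    mkdir -p "$dir"
    cat > "$dir/openssl.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_req
[dn]
CN = $host
[v3_req]
subjectAltName = $san
extendedKeyUsage = serverAuth
EOF
    openssl req -x509 -newkey rsa:4096 -nodes -sha256 -days 365 \
        -config "$dir/openssl.cnf" \
        -keyout "$dir/domain.key" -out "$dir/domain.crt"
    chmod 600 "$dir/domain.key"   # only the registry process needs the key
}

# install_client_ca CERTS_D HOSTPORT CRT
# Docker reads every *.crt under CERTS_D/HOSTPORT/ as a CA root for that
# registry, so HOSTPORT must match the host:port used in image names.
install_client_ca() {
    mkdir -p "$1/$2"
    cp "$3" "$1/$2/ca.crt"
}

# san_of CRT: prints the subjectAltName of CRT, e.g.
# "DNS:registry.docker.local, IP Address:192.168.1.249"
san_of() {
    openssl x509 -in "$1" -noout -text |
        awk '/Subject Alternative Name/ { getline; sub(/^ */, ""); print }'
}

# cert_covers CRT NAME: exit 0 if NAME (DNS name or IP) is listed in the SAN
cert_covers() {
    san_of "$1" | tr ',' '\n' | sed 's/^ *//' |
        grep -qxF -e "DNS:$2" -e "IP Address:$2"
}

# main [CERT_DIR] [CERTS_D]: on the registry host use /data/docker/registry/certs,
# on each client /etc/docker/certs.d. Without arguments a scratch tree is used.
main() {
    if [ "$#" -lt 2 ]; then scratch=$(mktemp -d); fi
    cert_dir=${1:-$scratch/certs}
    certs_d=${2:-$scratch/certs.d}
    host=registry.docker.local; ip=192.168.1.249; port=5000

    gen_registry_cert "$cert_dir" "$host" "$ip"
    install_client_ca "$certs_d" "$host:$port" "$cert_dir/domain.crt"
    install_client_ca "$certs_d" "$ip:$port" "$cert_dir/domain.crt"

    echo "subjectAltName: $(san_of "$cert_dir/domain.crt")"
    for name in "$host" "$ip"; do
        cert_covers "$cert_dir/domain.crt" "$name" ||
            { echo "certificate does not cover $name" >&2; exit 1; }
    done
    # Once the registry is running with this certificate, check from a client
    # without --insecure; a SAN mismatch or untrusted CA fails here, not at push time:
    #   curl --cacert "$certs_d/$host:$port/ca.crt" "https://$host:$port/v2/_catalog"
}
main "$@"
```

Run it as sh registry-cert.sh /data/docker/registry/certs /etc/docker/certs.d on a host that is both registry and client. When the client is a different machine, generate on the registry host and copy only domain.crt (never domain.key) into the client's /etc/docker/certs.d/registry.docker.local:5000/ directory.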

Self-signed certificates are clearly a bit of a hassle. A free certificate from https://letsencrypt.org (Let's Encrypt) avoids the client-side setup, but only for a hostname in public DNS that the CA can validate, so it is not an option for a made-up name like registry.docker.local. For a purely internal registry the usual alternative is an internal CA whose root certificate is distributed to the Docker hosts the same way as domain.crt above.


(End)