Docker private registry deployment (TLS encryption and username/password)
Experiment environment:
Operating system: CentOS 7.4
IP: 172.16.10.64, 172.16.10.65
1. Pull the docker registry image on 172.16.10.65
[root@localhost home]# docker pull registry
2: Pulling from library/registry
Digest: sha256:672d519d7fd7bbc7a448d17956ebeefe225d5eb27509d8dc5ce67ecb4a0bce54
Status: Downloaded newer image for registry:2
2. Generate a self-signed certificate for the registry (there is no separate CA here: the certificate signs itself, and this same file is what every client is later told to trust)
Note: the Common Name should be the registry's domain name. Caveat: Docker builds compiled with Go 1.15 or newer no longer match the host name against the CN; they require a subjectAltName (DNS:myregistry.com) and otherwise fail `docker login` with "x509: certificate relies on legacy Common Name field". The interactive command below sets only the CN, which the Docker of the CentOS 7.4 era accepted. OpenSSL 1.0.2 on CentOS 7 has no -addext option, so a SAN has to be added through an OpenSSL config file.
[root@localhost registry]# openssl req -newkey rsa:4096 -nodes -sha256 -keyout /home/registry/certs/domain.key -x509 -days 365 -out /home/registry/certs/domain.crt
Generating a 4096 bit RSA private key
....................................................................................................................++
...++
writing new private key to '/home/registry/certs/domain.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:bj
State or Province Name (full name) []:bj
Locality Name (eg, city) [Default City]:bj
Organization Name (eg, company) [Default Company Ltd]:tl
Organizational Unit Name (eg, section) []:tl
Common Name (eg, your name or your server's hostname) []:myregistry.com
Email Address []:mail@example.cn
3. Generate the username and password file using the registry image
The -B flag produces a bcrypt hash, which is the only hash type the registry's htpasswd backend accepts. Caveat: with -b the password is passed on the command line, so it ends up in the shell history and was visible in `ps` while the command ran. Registry images from 2.7 onwards no longer ship the htpasswd binary; on a newer image run `htpasswd -Bbn` from the httpd:2 image instead.
docker run --entrypoint htpasswd registry -Bbn qiulei 123456 >>/home/registry/auth/htpasswd
4. Run the registry with the required parameters
They point it at the password file and at the certificate and key: REGISTRY_AUTH=htpasswd turns on basic authentication against /auth/htpasswd, and REGISTRY_HTTP_TLS_CERTIFICATE / REGISTRY_HTTP_TLS_KEY make it serve HTTPS on port 5000. /home/registry/auth and /home/registry/certs are bind-mounted into the container; the registry only reads them, so they can also be mounted read-only (:ro).
--restart=always: always restart the container automatically
docker run -d -p 5000:5000 --restart=always --name registry -v /home/registry/auth:/auth -e "REGISTRY_AUTH=htpasswd" -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd -v /home/registry/certs:/certs -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt -e REGISTRY_HTTP_TLS_KEY=/certs/domain.key registry
5. Because the certificate is self-signed, domain.crt has to be added to the trust store of every client OS
Linux: on each Docker host, copy domain.crt to /etc/docker/certs.d/myregistry.com:5000/ca.crt. The directory name must match the host:port used in `docker login` exactly. Docker does not need to be restarted.
Windows Server:
Open Windows Explorer, right-click the domain.crt file and choose Install Certificate. When prompted, choose the following options:
Store Location: Local Machine
Place all certificates in the following store: selected
Click Browse and choose Trusted Root Certification Authorities.
Click Finish. Restart Docker.
6. Add name resolution: edit the hosts file or add a DNS record.
[root@localhost registry]# vi /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
172.16.10.65 myregistry.com
7. Verification
172.16.10.65 has the hosts entry and the certificate installed; 172.16.10.64 has neither.
Test the login on 65:
[root@localhost registry]# docker login myregistry.com:5000
Username: qiulei
Password:
Login Succeeded
Login succeeded.
Push a local image to the myregistry service:
[root@localhost home]# docker tag nginx:latest myregistry.com:5000/my_nginx
An image does not exist locally with the tag: myregistry.com:500/my_nginx
(The error line above is the output of a push to a mistyped address, port 500 instead of 5000; the tag command itself prints nothing. The push to the correct address follows.)
[root@localhost home]# docker push myregistry.com:5000/my_nginx
The push refers to repository [myregistry.com:5000/my_nginx]
a103d141fc98: Pushed
73e2bd445514: Pushed
2ec5c0a4cb57: Pushed
latest: digest: sha256:926b086e1234b6ae9a11589c4cece66b267890d24d1da388c96dd8795b2ffcfb size: 948
[root@localhost home]# docker images
REPOSITORY                     TAG      IMAGE ID       CREATED       SIZE
myregistry.com:5000/my_nginx   latest   3f8a4339aadd   5 weeks ago   108MB
Log in on 64: the login fails, and nothing can be pulled or pushed either. The error is a certificate error rather than a name-resolution error, so the name did resolve and the TLS handshake began; Docker then rejected the self-signed certificate because no ca.crt is present under /etc/docker/certs.d/myregistry.com:5000/ on this host.
[root@localhost ~]# docker login myregistry.com:5000
Username: qiulei
Password:
Error response from daemon: Get https://myregistry.com:5000/v2/: x509: certificate signed by unknown authority
[root@localhost ~]# docker pull myregistry.com:5000/my_ubuntu
Using default tag: latest
Error response from daemon: Get https://myregistry.com:5000/v2/: x509: certificate signed by unknown authority
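The whole procedure, steps 1 to 7, as one script, added here as an example that is not part of the original page: it generates the certificate with a subjectAltName through an OpenSSL config file (the CentOS 7 OpenSSL 1.0.2 lacks -addext), builds the bcrypt htpasswd entry with the httpd:2 image reading the password from stdin, starts the registry, installs ca.crt under /etc/docker/certs.d/<host>:<port>/, and adds an offline trust check that compares the SHA-256 fingerprint of the installed ca.crt with the certificate the registry serves, which is exactly the mismatch behind the x509 error on 172.16.10.64. The host name, port, /home/registry layout and the qiulei user come from the page; the httpd:2 image, the REG_*/KEY_BITS/DOCKER_CERTS_D variables, the function names and the curl check are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example, not the page's own commands: the registry deployment above as
# one script plus a client-side trust check. REG_*, KEY_BITS, DOCKER_CERTS_D,
# the httpd:2 image and the function names are this example's assumptions.
set -eu

REG_HOST="${REG_HOST:-myregistry.com}"        # registry name used in the page
REG_PORT="${REG_PORT:-5000}"
REG_DIR="${REG_DIR:-/home/registry}"           # holds certs/ and auth/
DOCKER_CERTS_D="${DOCKER_CERTS_D:-/etc/docker/certs.d}"
KEY_BITS="${KEY_BITS:-4096}"

# Self-signed certificate that carries a subjectAltName. OpenSSL 1.0.2 on
# CentOS 7 has no -addext, so the SAN is supplied via a config file. Docker
# built with Go >= 1.15 ignores the CN for host matching and needs the SAN.
make_cert() {
  local host="$1" outdir="$2"
  mkdir -p "$outdir"
  cat > "$outdir/openssl.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_req
prompt = no
[dn]
CN = $host
[v3_req]
subjectAltName = DNS:$host
EOF
  openssl req -newkey "rsa:$KEY_BITS" -nodes -sha256 -x509 -days 365 \
    -config "$outdir/openssl.cnf" \
    -keyout "$outdir/domain.key" -out "$outdir/domain.crt" 2>/dev/null
  chmod 600 "$outdir/domain.key"            # the key is the registry's identity
}

# True when $2 appears as a DNS SAN of certificate $1 (substring check on the
# text dump; good enough for a deployment sanity check).
cert_has_san() {
  local text
  text=$(openssl x509 -in "$1" -noout -text)
  case "$text" in *"DNS:$2"*) return 0 ;; esac
  return 1
}

# bcrypt entry via the httpd image: registry >= 2.7 no longer ships htpasswd,
# and the registry's htpasswd backend accepts bcrypt only. The password comes
# on stdin (-i), so it stays out of shell history and `ps` output.
make_htpasswd() {
  local user="$1" authdir="$2"
  mkdir -p "$authdir"
  docker run --rm -i httpd:2 htpasswd -Bni "$user" >> "$authdir/htpasswd"
}

# Same container as step 4 of the page, with the mounts read-only.
run_registry() {
  docker run -d -p "$REG_PORT:5000" --restart=always --name registry \
    -v "$REG_DIR/auth:/auth:ro" -v "$REG_DIR/certs:/certs:ro" \
    -e REGISTRY_AUTH=htpasswd \
    -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" \
    -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd \
    -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt \
    -e REGISTRY_HTTP_TLS_KEY=/certs/domain.key \
    registry:2
}

# Docker trusts <certs.d>/<host>:<port>/ca.crt; the directory name must match
# the host:port given to `docker login` character for character.
install_ca() {
  local crt="$1" host="$2" port="$3" certsd="${4:-$DOCKER_CERTS_D}"
  mkdir -p "$certsd/$host:$port"
  cp "$crt" "$certsd/$host:$port/ca.crt"
}

# Offline check for the "x509: certificate signed by unknown authority" case:
# the installed ca.crt must be the very certificate the registry serves.
check_trust() {
  local served="$1" host="$2" port="$3" certsd="${4:-$DOCKER_CERTS_D}"
  local ca="$certsd/$host:$port/ca.crt" a b
  [ -f "$ca" ] || { echo "missing $ca" >&2; return 1; }
  a=$(openssl x509 -in "$served" -noout -fingerprint -sha256)
  b=$(openssl x509 -in "$ca" -noout -fingerprint -sha256)
  [ "$a" = "$b" ]
}

# Online check: /v2/ answers 401 without or with wrong credentials and 200 for
# the htpasswd user. Uses the installed ca.crt, exactly as Docker would.
verify_login() {
  curl -s -o /dev/null -w '%{http_code}' \
    --cacert "$DOCKER_CERTS_D/$REG_HOST:$REG_PORT/ca.crt" \
    -u "$1:$2" "https://$REG_HOST:$REG_PORT/v2/"
}

if [ "${1:-}" = "deploy" ]; then               # usage: ./registry.sh deploy
  make_cert "$REG_HOST" "$REG_DIR/certs"
  printf 'Password for qiulei: ' >&2
  stty -echo; read -r pw; stty echo; echo >&2
  printf '%s\n' "$pw" | make_htpasswd qiulei "$REG_DIR/auth"
  run_registry
  install_ca "$REG_DIR/certs/domain.crt" "$REG_HOST" "$REG_PORT"
  check_trust "$REG_DIR/certs/domain.crt" "$REG_HOST" "$REG_PORT"
  verify_login qiulei "$pw"; echo
fi
```

Run it as `./registry.sh deploy` on the registry host, then copy the generated domain.crt to every client and call install_ca there with the same host and port you will pass to `docker login`. check_trust is what to run on a host that shows the x509 error: it reports whether the ca.crt is missing for that host:port directory or is simply not the certificate the registry is serving.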