Creating a private Docker Registry with a self-signed certificate

I wanted to set up a Docker Registry to hold some private images, and ended up with this docker-compose.yml:

```yaml
version: '3.7'
services:
  registry:
    restart: always
    image: registry:2
    ports:
      - "5000:5000"
    environment:
      REGISTRY_HTTP_TLS_CERTIFICATE: /certs/domain.crt
      REGISTRY_HTTP_TLS_KEY: /certs/domain.key
      REGISTRY_AUTH: htpasswd
      REGISTRY_AUTH_HTPASSWD_PATH: /auth/htpasswd
      REGISTRY_AUTH_HTPASSWD_REALM: Registry Realm
    volumes:
      - /path/for/registry/images:/var/lib/registry
      - /path/for/certs:/certs
      - /path/for/auth:/auth
```
1. Create the self-signed certificate

Required step: add a subjectAltName to openssl.cnf, otherwise `docker login` will fail later.

```sh
sudo vim /etc/ssl/openssl.cnf
```

Add it under the `[ v3_ca ]` section:

```ini
[ v3_ca ]
subjectAltName=IP:X.X.X.X
```

Create the certificate; accepting the default values is fine.

```sh
mkdir -p certs
openssl req -newkey rsa:4096 -nodes -sha256 -keyout certs/domain.key -x509 -days 365 -out certs/domain.crt
```

Press Enter through all the prompts:

```text
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:
Email Address []:
```
2. Install the self-signed certificate on the Docker Registry server and on each Docker client

```sh
sudo mkdir -p /etc/docker/certs.d/X.X.X.X:5000
sudo cp certs/domain.crt /etc/docker/certs.d/X.X.X.X:5000/ca.crt
sudo cp certs/domain.crt /usr/local/share/ca-certificates/ca.crt
sudo update-ca-certificates
```
3. Add user authentication

```sh
mkdir auth
docker run -it --entrypoint htpasswd -v $PWD/auth:/auth -w /auth registry:2 -Bbc /auth/htpasswd username password
```

Note: newer `registry:2` images (2.7.0 and later) no longer ship the `htpasswd` binary; if the command above fails, generate the file with the `httpd:2` image instead (`htpasswd -Bbn username password > auth/htpasswd`).
4. Create the Docker Registry

```sh
sudo systemctl restart docker   # restart the docker daemon first so it picks up the new CA
docker-compose up --build --no-start
docker-compose start
```
5. Verify

```sh
docker login -u username X.X.X.X:5000
docker push X.X.X.X:5000/image:tag
docker pull X.X.X.X:5000/image:tag
docker logout
```

If you hit the error below, it is almost always because the subjectAltName was not set in step 1:

```text
Error response from daemon: Get https://X.X.X.X:5000/v2/: x509: cannot validate certificate for X.X.X.X because it doesn't contain any IP SANs
```
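As an added example (not part of the original post), the following script covers step 1 and the SAN error above in one go: it issues the self-signed certificate with the IP SAN passed on the command line via `-addext`, so the global openssl.cnf does not need editing, and then checks the resulting certificate for that IP SAN before it is handed to Docker. It assumes OpenSSL 1.1.1 or newer; the function names and the address 192.0.2.10 are mine.

```sh
#!/bin/sh
# make_registry_cert IP DIR
# Generate a self-signed cert/key pair for the registry at IP into DIR,
# embedding "subjectAltName=IP:<ip>" directly (needs openssl >= 1.1.1 for -addext).
# -subj answers the DN prompts non-interactively; the CN alone is not enough
# for Docker, which requires the IP to appear as a SAN.
make_registry_cert() {
  ip="$1"
  dir="$2"
  mkdir -p "$dir"
  openssl req -newkey rsa:4096 -nodes -sha256 \
    -keyout "$dir/domain.key" -x509 -days 365 -out "$dir/domain.crt" \
    -subj "/CN=$ip" -addext "subjectAltName=IP:$ip" >/dev/null 2>&1
}

# cert_has_ip_san CRT IP
# Returns 0 if CRT carries an IP SAN exactly equal to IP, 1 otherwise.
# The SAN list is printed on the line after the "Subject Alternative Name" header,
# so grab that line and match "IP Address:<ip>" as a whole entry.
cert_has_ip_san() {
  crt="$1"
  ip="$2"
  openssl x509 -in "$crt" -noout -text \
    | grep -A1 'Subject Alternative Name' \
    | grep -qE "IP Address:$ip( |,|\$)"
}

# Usage (placeholder address from the documentation range):
#   make_registry_cert 192.0.2.10 certs && cert_has_ip_san certs/domain.crt 192.0.2.10 \
#     && echo "SAN present, safe to copy to /etc/docker/certs.d/192.0.2.10:5000/ca.crt"
```

Run the check against the certificate before copying it into /etc/docker/certs.d; a certificate that fails it is exactly the one that produces the "doesn't contain any IP SANs" error.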