Creating a private Docker registry

Copyright notice: feel free to repost. https://blog.csdn.net/hunyxv/article/details/84752294

Disabling HTTPS transport

vim /etc/docker/daemon.json
Add:
"insecure-registries":["<host-ip>:<port>"]

{
        "registry-mirrors": ["https://njrds9qc.mirror.aliyuncs.com"],
        "insecure-registries":["192.168.1.111:5000"]
}

Restart the Docker service:

systemctl daemon-reload
systemctl restart docker

A private Docker registry with HTTPS support

1 . Generate a self-signed certificate with openssl:
Edit /etc/ssl/openssl.cnf and add the line subjectAltName = IP:192.168.1.111 under [v3_ca]

openssl req -newkey rsa:2048 -new -nodes -x509 -days 3650 -keyout cakey.pem -out cacert.pem

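req is the certificate request subcommand,
-newkey rsa:2048 -keyout private_key.key generates a private key,
-nodes leaves the private key unencrypted; without it you are prompted for a passphrase,
-x509 outputs a certificate,
-days is the validity period.
After pressing Enter, enter the certificate owner's information as prompted;
to supply it in one step, use the -subj option:
-subj "/C=CN/ST=BeiJing/L=HaiDian/CN=registry.hunyxv.cn" # CN cannot be a bare IP here, otherwise the following error is reported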

Get https://192.168.1.111:5000/v2/: x509: cannot validate certificate for 192.168.1.111 because it doesn't contain any IP SANs
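  • Put the private key and the certificate under ~/certs/ for convenient use below.
  • Copy cacert.pem to /etc/docker/certs.d/[docker_registry_domain]/ca.crt
  • Copy the certificate into the system CA directory so that the system trusts our certificate.
cd /etc/ssl
sudo cp ~/certs/cacert.pem certs/
sudo cp ~/certs/cakey.pem private/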

2 . Create a login password for the user (optional)

mkdir auth
docker run --entrypoint htpasswd \
registry:2.0 -Bbn username password > auth/htpasswd

3 . Create the registry

# If you skipped step 2, also remove the authentication parameters here
docker run -d \
  -p 5000:5000 \
  --restart=always \
  --name registry \
  -v `pwd`/auth:/auth \
  -e "REGISTRY_AUTH=htpasswd" \
  -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" \
  -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd \
  -v `pwd`/certs:/certs \
  -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/cacert.pem \
  -e REGISTRY_HTTP_TLS_KEY=/certs/cakey.pem \
  registry:2.0

4 . push pull

docker tag registry:latest registry.hunyxv.cn:5000/registry:latest 
docker push registry.hunyxv.cn:5000/registry:latest
The push refers to repository [registry.hunyxv.cn:5000/registry]
    6b263b6e9ced: Pushed 
    dead8a13b621: Pushed 
    00a8ff67f927: Pushed 
    2b7bd2eefde2: Pushed 
    a120b7c9a693: Pushed 
latest: digest: sha256:a25e4660ed5226bdb59a5e555083e08ded157b1218282840e55d25add0223390 size: 1364

docker pull registry.hunyxv.cn:5000/registry
    Using default tag: latest
    latest: Pulling from registry
    Digest: sha256:a25e4660ed5226bdb59a5e555083e08ded157b1218282840e55d25add0223390
Status: Downloaded newer image for registry.hongyu.cn:5000/registry:latest

5 . Log in to the registry

$ docker login kq.hub.io
Username (testuser): username
Password: password
Login Succeeded

6 . You can also view the images in a browser
https://registry.hunyxv.cn/v2/_catalog
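
For step 1, the SAN can be set in a per-certificate config instead of editing the system-wide /etc/ssl/openssl.cnf, and the result can be checked before Docker ever reports the "doesn't contain any IP SANs" error. This is an added example, not part of the original post; the function names, the san.cnf file and the scratch directory are assumptions, while the IP and hostname are the ones used above.

```shell
# Added example, not from the original post.
# make_registry_cert DIR IP DNS: write DIR/cakey.pem and DIR/cacert.pem,
# a self-signed certificate whose SANs cover both the IP and the hostname.
make_registry_cert() {
    dir=$1; ip=$2; dns=$3
    mkdir -p "$dir" || return 1
    # Per-certificate config; /etc/ssl/openssl.cnf stays untouched.
    cat > "$dir/san.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no

[dn]
CN = $dns

[v3_ca]
basicConstraints = critical, CA:TRUE
subjectAltName = IP:$ip, DNS:$dns
EOF
    # Subshell keeps the umask local; the key file is created owner-only.
    ( umask 077
      openssl req -newkey rsa:2048 -nodes -x509 -days 3650 \
          -config "$dir/san.cnf" \
          -keyout "$dir/cakey.pem" -out "$dir/cacert.pem" 2>/dev/null )
}

# cert_covers_ip CERT IP: succeed only if CERT lists IP as an IP SAN.
cert_covers_ip() {
    openssl x509 -in "$1" -noout -checkip "$2" 2>/dev/null |
        grep -q 'does match certificate'
}

# cert_covers_host CERT NAME: succeed only if NAME matches the certificate.
cert_covers_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null |
        grep -q 'does match certificate'
}

# Demo in a scratch directory with the address and hostname used in this post.
demo_dir=$(mktemp -d)
make_registry_cert "$demo_dir" 192.168.1.111 registry.hunyxv.cn
cert_covers_ip "$demo_dir/cacert.pem" 192.168.1.111 && echo "IP SAN ok"
cert_covers_host "$demo_dir/cacert.pem" registry.hunyxv.cn && echo "DNS SAN ok"
rm -rf "$demo_dir"
```

With both SANs present, clients can reach the registry by IP or by hostname using the same ca.crt.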

Another approach

Starting with Docker 1.3.2, the Docker registry uses HTTPS by default. When you docker pull from a non-HTTPS Docker registry, the following error is reported:

Error: Invalid registry endpoint ... Get ... If this private registry supports only HTTP or HTTPS with an unknown CA certificate, please add '--insecure-registry 192.168.1.103:5000' to the daemon's arguments. In the case of HTTPS, if you have access to the registry's CA certificate, no need for the flag; simply place the CA certificate at /etc/docker/certs.d/192.168.1.103:5000/ca.crt 

vim /usr/lib/systemd/system/docker.service

[Unit]  
Description=Docker Application Container Engine  
Documentation=http://docs.docker.com  
After=network.target docker.socket  
Requires=docker.socket  

[Service]  
Type=notify  
EnvironmentFile=-/etc/sysconfig/docker  
EnvironmentFile=-/etc/sysconfig/docker-storage  
ExecStart=/usr/bin/docker -d --insecure-registry 192.168.1.103:5000 -H fd:// $OPTIONS $DOCKER_STORAGE_OPTIONS  
LimitNOFILE=1048576  
LimitNPROC=1048576  

[Install]  
WantedBy=multi-user.target

Reposted from blog.csdn.net/hunyxv/article/details/84752294