Setting up a private Docker Registry with HTTPS support

For setting up a private Docker Registry over plain HTTP, see this article:

http://blog.csdn.net/fgf00/article/details/52040492

Test that it can be reached over HTTP:

http://IP:PORT/v2/centos

To set up a private Docker Registry with HTTPS support, see this article:

http://www.cnblogs.com/xcloudbiz/articles/5526262.html

  1. Create a certificate, for example with OpenSSL

Run the following as root, keeping the certificate under /root/certs:

openssl req -newkey rsa:2048 -nodes -sha256 -keyout /root/certs/domain.key -x509 -days 365 -out /root/certs/domain.crt

The domain name used in this experiment is mydockerhub.com

  2. Copy the certificate to:

Because the certificate is self-signed, the Docker host that uses the Docker Registry needs domain.crt copied to /etc/docker/certs.d/[docker_registry_domain]/ca.crt:

cp certs/domain.crt /etc/docker/certs.d/mydockerhub.com:5000/ca.crt
Also append the contents of domain.crt to the system CA bundle so that the operating system trusts our self-signed certificate.

On CentOS 6 / 7 the bundle file is /etc/pki/tls/certs/ca-bundle.crt:

cat domain.crt >> /etc/pki/tls/certs/ca-bundle.crt

On Ubuntu/Debian the bundle file is /etc/ssl/certs/ca-certificates.crt:

cat domain.crt >> /etc/ssl/certs/ca-certificates.crt

For details see: https://deepzz.com/post/secure-docker-registry.html

  3. Start the Docker Registry

docker run -d -p 5000:5000 --privileged=true -v /opt/registry:/tmp/registry -v ~/certs/:/root/certs -e REGISTRY_HTTP_TLS_CERTIFICATE=/root/certs/domain.crt -e REGISTRY_HTTP_TLS_KEY=/root/certs/domain.key registry

  4. Test

The registry must be addressed by domain name; using the IP address directly fails:

[root@xcjdocker-occs-wkr-2 opc]# sudo docker pull 139.224.66.172:5000/centos00
Using default tag: latest
Error response from daemon: unable to ping registry endpoint https://139.224.66.172:5000/v0/
v2 ping attempt failed with error: Get https://139.224.66.172:5000/v2/: x509: cannot validate certificate for 139.224.66.172 because it doesn't contain any IP SANs
v1 ping attempt failed with error: Get https://139.224.66.172:5000/v1/_ping: x509: cannot validate certificate for 139.224.66.172 because it doesn't contain any IP SANs

[root@xcjdocker-occs-wkr-2 opc]# sudo docker pull mydockerhub.com:5000/vvv
Using default tag: latest
latest: Pulling from vvv
Digest: sha256:1164a179f7328c80edab409118c4cf0986ffe143b3693c7769f6d54e098705e3
Status: Downloaded newer image for mydockerhub.com:5000/vvv:latest
[root@xcjdocker-occs-wkr-2 opc]#

Supporting access by IP address

For a Docker registry to support HTTPS, a certificate must be generated. Here we generate it with openssl. A certificate generated this way normally only validates for the domain name; to make it valid for access by IP address, the openssl.cnf configuration file has to be modified.

Modify openssl.cnf to support HTTPS access by IP address
On Red Hat 7 or CentOS the file is /etc/pki/tls/openssl.cnf. In its [ v3_ca ] section, add the subjectAltName option:

[ v3_ca ]

subjectAltName = IP:129.144.150.111

Generate a self-signed certificate with openssl:
We work directly as the root user and create a directory: /root/certs

Then run:

openssl req -newkey rsa:2048 -nodes -sha256 -keyout /root/certs/domain.key -x509 -days 365 -out /root/certs/domain.crt

Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:bj
Locality Name (eg, city) [Default City]:bj
Organization Name (eg, company) [Default Company Ltd]:mycom
Organizational Unit Name (eg, section) []:it
Common Name (eg, your name or your server's hostname) []:129.144.150.111
Email Address []:xcjing@yeah.Net

On success this generates two files: domain.key and domain.crt
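As an added example that is not part of the original post, the following script gives the certificate its subjectAltName from a per-certificate config file instead of editing the system-wide openssl.cnf, and checks the result the way a client connecting by IP would before it is installed. The directory, the name mydockerhub.com and the IP 129.144.150.111 come from the post; the function names are my own.

```shell
#!/bin/sh
# Added example, not part of the original post: build the registry certificate
# with a subjectAltName from a private config file instead of editing the
# system-wide openssl.cnf, then check it the way a client would.
set -eu

# make_registry_cert DIR CN [SAN]
# SAN is an OpenSSL subjectAltName value, e.g. "DNS:mydockerhub.com,IP:129.144.150.111".
# Leave it empty to reproduce the SAN-less certificate from the post, which the
# Docker client rejects with "doesn't contain any IP SANs" when pulled by IP.
make_registry_cert() {
  dir=$1; cn=$2; san=${3:-}
  mkdir -p "$dir"
  {
    printf '[req]\nprompt = no\ndistinguished_name = dn\nx509_extensions = v3_req\n'
    printf '[dn]\nCN = %s\n' "$cn"
    # CA:TRUE because Docker installs this same self-signed cert as ca.crt;
    # for production sign the server cert with a separate private CA instead.
    printf '[v3_req]\nbasicConstraints = CA:TRUE\n'
    if [ -n "$san" ]; then printf 'subjectAltName = %s\n' "$san"; fi
  } > "$dir/openssl.cnf"
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -config "$dir/openssl.cnf" \
    -keyout "$dir/domain.key" -out "$dir/domain.crt" 2>/dev/null
  chmod 600 "$dir/domain.key"      # the private key stays readable by root only
}

# cert_san CERT: print the SAN line of CERT (empty when it has none).
cert_san() {
  openssl x509 -in "$1" -noout -text |
    grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^ *//'
}

# cert_accepts_ip CERT IP: succeed only if a client connecting to IP would trust
# CERT. Both OpenSSL and the Go TLS stack inside Docker match an IP address
# against iPAddress SAN entries only, never against the CN, so a CN=IP cert fails.
cert_accepts_ip() {
  openssl verify -verify_ip "$2" -CAfile "$1" "$1" >/dev/null 2>&1
}

# Usage: the second certificate is the one to copy to
# /etc/docker/certs.d/129.144.150.111:5000/ca.crt and to pass to the registry.
# make_registry_cert /root/certs/noip 129.144.150.111
# make_registry_cert /root/certs mydockerhub.com "DNS:mydockerhub.com,IP:129.144.150.111"
# cert_accepts_ip /root/certs/noip/domain.crt 129.144.150.111 && echo trusted || echo rejected
```

Appending the certificate to ca-bundle.crt with cat, as the post does, is undone the next time update-ca-trust (CentOS/Red Hat) or update-ca-certificates (Debian/Ubuntu) rebuilds the bundle, so those tools' anchor directories are the durable place for it.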

Copy the certificate
The Docker host that uses the Docker Registry needs domain.crt copied to /etc/docker/certs.d/[docker_registry_domain:port or IP:port]/ca.crt:

cp domain.crt /etc/docker/certs.d/129.144.150.111:5000/ca.crt

Also append the contents of domain.crt to the system CA bundle so that the operating system trusts our self-signed certificate.

On CentOS 6 / 7 or Red Hat the bundle file is /etc/pki/tls/certs/ca-bundle.crt:

cat domain.crt >> /etc/pki/tls/certs/ca-bundle.crt

On Ubuntu/Debian the bundle file is /etc/ssl/certs/ca-certificates.crt:

cat domain.crt >> /etc/ssl/certs/ca-certificates.crt

Note: if a certificate for the same IP was appended earlier, delete it from ca-bundle.crt before appending the new one. Otherwise the later push reports:

Get https://129.144.150.111:5000/v1/_ping: x509: certificate signed by unknown authority

Restart the Docker daemon and the Registry
systemctl restart docker

Start the Registry

docker run -d -p 5000:5000 --privileged=true -v /opt/registry:/tmp/registry -v ~/certs/:/root/certs -e REGISTRY_HTTP_TLS_CERTIFICATE=/root/certs/domain.crt -e REGISTRY_HTTP_TLS_KEY=/root/certs/domain.key registry:2

Verification
Confirm HTTPS works: curl -i -k -v https://129.144.150.111:5000

Or open https://129.144.150.111:5000/v2 in a browser; a response of {} means it is working.

[root@bf278c certs]# docker images
REPOSITORY               TAG       IMAGE ID       CREATED        SIZE
centos                   latest    a8493f5f50ff   12 days ago    192MB
129.144.150.111:5000/c   latest    a8493f5f50ff   12 days ago    192MB
registry                 2         136c8b16df20   12 days ago    33.2MB
registry                 latest    136c8b16df20   12 days ago    33.2MB
hello-world              latest    48b5124b2768   3 months ago   1.84kB

[root@bf278c certs]# docker push 129.144.150.111:5000/c
The push refers to a repository [129.144.150.111:5000/c]
36018b5e9787: Pushing 28.9MB/192.5MB

Success

Accessing from another machine
To access the registry from another machine, copy the cert file over and place it under /etc/docker/certs.d as well, creating a directory named 129.144.150.111:5000, then:

[opc@xcjdocker-occs-wkr-2 ~]$ cp domain.crt /etc/docker/certs.d/129.144.150.111:5000/ca.crt

Otherwise it reports: Error: API error (500): unable to ping registry endpoint https://129.144.150.111:5000/v0/ v2 ping attempt failed with error: Get https://129.144.150.111:5000/v2/: x509: certificate signed by unknown authority v1 ping attempt failed with error: Get https://129.144.150.111:5000/v1/_ping: x509: certificate signed by unknown authority

Test:

[root@xcjdocker-occs-wkr-2 opc]# sudo docker pull 129.144.150.111:5000/c
Using default tag: latest
latest: Pulling from c
Digest: sha256:1164a179f7328c80edab409118c4cf0986ffe143b3693c7769f6d54e098705e3
Status: Image is up to date for 129.144.150.111:5000/c:latest
