docker registry2 仓库搭建与使用
docker pull registry-1.docker.io/distribution/registry:2.1
1) 以TLS证书认证启动docker registry2
产生证书
mkdir -p certs && openssl req \ -newkey rsa:4096 -nodes -sha256 -keyout certs/domain.key \ -x509 -days 365 -out certs/domain.crt
openssl req -newkey rsa:4096 -nodes -sha256 -keyout domain.key -x509 -days 365 -out domain.crt
Generating a 4096 bit RSA private key
.........................................................................................................................++
......++
writing new private key to 'domain.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:XW
State or Province Name (full name) []:gd
Locality Name (eg, city) [Default City]:gz
Organization Name (eg, company) [Default Company Ltd]:onecloud
Organizational Unit Name (eg, section) []:gz
Common Name (eg, your name or your server's hostname) []:host102.gzoc.xww
Email Address []:xiongww@onecloud.cn
TLS证书认证启动docker registry2
docker run -d -p 5001:5000 --restart=always --name registrywithcerts --privileged=true -v /root/data:/var/lib/registry -v /root/certs:/certs -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt -e REGISTRY_HTTP_TLS_KEY=/certs/domain.key registry:2
2)非证书认证启动
docker run -d -p 5000:5000 --restart=always --privileged=true --name registry -v /root/data:/var/lib/registry registry:2
访问非证书认证启动docker registry2
1)内部访问
直接使用命令push和pull docker镜像
docker tag f753707788c5 localhost:5001/ubuntu
docker push localhost:5001/ubuntu
2)外部访问
配置use an insecure registry
Open the /etc/default/docker file or /etc/sysconfig/docker for editing.
$vi /etc/default/docker
Depending on your operating system, your Engine daemon start options.
Edit (or add) the DOCKER_OPTS line and add the –insecure-registry flag.
This flag takes the URL of your registry, for example.
DOCKER_OPTS="--insecure-registry myregistrydomain.com:5000"
ADD_REGISTRY='--add-registry 192.168.153.102:5000'
Close and save the configuration file.
Restart your Docker daemon
The command you use to restart the daemon depends on your operating system. For example, on Ubuntu, this is usually the service docker stop and service docker start command.
Repeat this configuration on every Engine host that wants to access your registry.
sudo service docker stop
sudo service docker start
操作上成功
配置证书访问
官网上说
Instruct every docker daemon to trust that certificate.This is done by copying the domain.crt file to /etc/docker/certs.d/myregistrydomain.com:5000/ca.crt.
$cp domain.crt \ /etc/docker/certs.d/myregistrydomain.com:5000/ca.crt
domain.crt是运行registry使用的证书
Don’t forget to restart the Engine daemon.
但是操作却未成功
参考
https://docs.docker.com/registry/insecure/
https://docs.docker.com/registry/deploying/#get-a-certificate
https://docs.docker.com/registry/introduction/