關于docker的安裝:
CENTOS7二進制安裝DOCKER-CE
CENTOS7 安裝DOCKER-CE,并且配置 ALIYUN 加速
-
覆寫掉目錄/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem (對于剛拿到的系統,一定要先備份,切記!本教程适用于 循環建立Docker支援https的私有倉庫)
cp /home/zsd/tls-ca-bundle.pem /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
-
修改openssl.cnf檔案
vi /etc/pki/tls/openssl.cnf
在[v3_ca]下面添加 subjectAltName = IP:192.168.0.11
-
openssl生成私有證書
openssl req [-subj “/C=CN/ST=BeiJing/L=Dongcheng/CN=192.168.0.11”] -newkey rsa:2048 -new -nodes -x509 -days 3650 -keyout registry.key -out registry.crt
openssl req -newkey rsa:2048 -new -nodes -x509 -days 3650 -keyout registry.key -out registry.crt
-
将生成證書内容追加到該伺服器上的證書存放目錄的内置信任的證書
cat /certs/registry.crt >> /etc/pki/tls/certs/ca-bundle.crt
-
重新開機docker
systemctl restart docker
-
運作registry
docker run -d -p 443:443 --name registry -v /deploy/certs:/certs -e REGISTRY_HTTP_ADDR=0.0.0.0:443 -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/registry.crt -e REGISTRY_HTTP_TLS_KEY=/certs/registry.key registry:2
-
push鏡像到registry
docker push 192.168.0.11/nginx
常見錯誤
a. Get https://192.168.0.11/v2/: x509: cannot validate certificate for 192.168.0.11 because it doesn’t contain any IP SANs 未操作第4步
b. Get https:///v2/: x509: certificate signed by unknown authority #未操作第6步
具體教程可參考x509: cannot validate certificate because of not containing any IP SANs