Registering an insecure registry
vim /etc/docker/daemon.json
Add:
"insecure-registries":["<registry ip>:<port>"]
{
"registry-mirrors": ["https://njrds9qc.mirror.aliyuncs.com"],
"insecure-registries":["192.168.1.111:5000"]
}
Restart the docker service:
systemctl daemon-reload
systemctl restart docker
A docker private registry that supports https
1. Generate a self-signed certificate with openssl:
Edit /etc/ssl/openssl.cnf and add the following line under [v3_ca]:
subjectAltName = IP:192.168.1.111
openssl req -newkey rsa:2048 -new -nodes -x509 -days 3650 -keyout cakey.pem -out cacert.pem
req is the subcommand for certificate requests; -newkey rsa:2048 together with -keyout private_key.key generates the private key; -nodes means the private key is not encrypted (without it you are prompted for a passphrase); -x509 means a certificate is output instead of a request; -days is the validity period.
After pressing Enter, fill in the certificate owner's details at the prompts; to supply them in one step, use the -subj option:
-subj "/C=CN/ST=BeiJing/L=HaiDian/CN=registry.hunyxv.cn"
# CN cannot be an IP address here, otherwise the following error is reported:
Get https://192.168.1.111:5000/v2/: x509: cannot validate certificate for 192.168.1.111 because it doesn't contain any IP SANs
- Put both the private key and the certificate under ~/certs/ so they are easy to use in the steps below.
- Copy cacert.pem to /etc/docker/certs.d/[docker_registry_domain]/ca.crt
- Copy the certificate into the system's CA store so that the system trusts it.
cd /etc/ssl
sudo cp ~/certs/cacert.pem certs/
sudo cp ~/certs/cakey.pem private/
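As an added example (not code from the original post), the same self-signed certificate generated from a throw-away openssl config instead of editing the global /etc/ssl/openssl.cnf, with a check for the IP SAN whose absence causes the error above. It goes one step beyond the page by listing the DNS name in the SAN as well, since Go-based clients such as the docker daemon match SANs only and ignore CN; the host name and IP are the page's values, the output directory is a placeholder.

```sh
#!/bin/sh
# Added example: self-signed registry certificate with SAN entries for
# both the DNS name and the IP, using a private openssl config instead
# of editing /etc/ssl/openssl.cnf. Host, IP and output dir are placeholders.
set -eu

gen_registry_cert() {
  host="$1"; ip="$2"; out="$3"
  mkdir -p "$out"
  cat > "$out/openssl.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_registry
[dn]
C = CN
ST = BeiJing
L = HaiDian
CN = $host
[v3_registry]
basicConstraints = CA:TRUE
keyUsage = digitalSignature, keyEncipherment, keyCertSign
extendedKeyUsage = serverAuth
# Every form clients use to reach the registry must be listed here;
# CN alone is not checked by Go-based clients such as the docker daemon.
subjectAltName = DNS:$host, IP:$ip
EOF
  openssl req -new -x509 -newkey rsa:2048 -nodes -days 3650 \
    -config "$out/openssl.cnf" \
    -keyout "$out/cakey.pem" -out "$out/cacert.pem"
}

# Exit status 0 when the certificate's SAN carries the given IP, i.e. the
# condition whose absence produces "doesn't contain any IP SANs".
cert_has_ip_san() {
  openssl x509 -in "$1" -noout -text | grep -q "IP Address:$2"
}

# Same check for the DNS name.
cert_has_dns_san() {
  openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"
}

# Usage (then install the certificate as in the steps above):
#   gen_registry_cert registry.hunyxv.cn 192.168.1.111 ~/certs
#   cert_has_ip_san ~/certs/cacert.pem 192.168.1.111 && echo "IP SAN present"
#   sudo mkdir -p /etc/docker/certs.d/registry.hunyxv.cn:5000
#   sudo cp ~/certs/cacert.pem /etc/docker/certs.d/registry.hunyxv.cn:5000/ca.crt
```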
2. Create a login password for a user (optional)
mkdir auth
docker run --entrypoint htpasswd \
registry:2.0 -Bbn username password > auth/htpasswd
3. Create the registry
# If step 2 was skipped, remove the authentication parameters here as well
docker run -d \
-p 5000:5000 \
--restart=always \
--name registry \
-v `pwd`/auth:/auth \
-e "REGISTRY_AUTH=htpasswd" \
-e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" \
-e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd \
-v `pwd`/certs:/certs \
-e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/cacert.pem \
-e REGISTRY_HTTP_TLS_KEY=/certs/cakey.pem \
registry:2.0
4. push / pull
docker tag registry:latest registry.hunyxv.cn:5000/registry:latest
docker push registry.hunyxv.cn:5000/registry:latest
The push refers to repository [registry.hunyxv.cn:5000/registry]
6b263b6e9ced: Pushed
dead8a13b621: Pushed
00a8ff67f927: Pushed
2b7bd2eefde2: Pushed
a120b7c9a693: Pushed
latest: digest: sha256:a25e4660ed5226bdb59a5e555083e08ded157b1218282840e55d25add0223390 size: 1364
docker pull registry.hunyxv.cn:5000/registry
Using default tag: latest
latest: Pulling from registry
Digest: sha256:a25e4660ed5226bdb59a5e555083e08ded157b1218282840e55d25add0223390
Status: Downloaded newer image for registry.hunyxv.cn:5000/registry:latest
5. Log in to the registry
$ docker login kq.hub.io
Username (testuser): username
Password: password
Login Succeeded
6. The images can also be listed in a browser
https://registry.hunyxv.cn:5000/v2/_catalog
Another approach
Starting with docker 1.3.2, the docker registry uses https by default; when you docker pull from a docker registry that is not served over https, the following error is reported:
Error: Invalid registry endpoint ... Get ... If this private registry supports only HTTP or HTTPS with an unknown CA certificate, please add '--insecure-registry 192.168.1.103:5000' to the daemon's arguments. In the case of HTTPS, if you have access to the registry's CA certificate, no need for the flag; simply place the CA certificate at /etc/docker/certs.d/192.168.1.103:5000/ca.crt
vim /usr/lib/systemd/system/docker.service
[Unit]
Description=Docker Application Container Engine
Documentation=http://docs.docker.com
After=network.target docker.socket
Requires=docker.socket
[Service]
Type=notify
EnvironmentFile=-/etc/sysconfig/docker
EnvironmentFile=-/etc/sysconfig/docker-storage
ExecStart=/usr/bin/docker -d --insecure-registry 192.168.1.103:5000 -H fd:// $OPTIONS $DOCKER_STORAGE_OPTIONS
LimitNOFILE=1048576
LimitNPROC=1048576
[Install]
WantedBy=multi-user.target