
Setting up a Docker private registry: registering an insecure registry, an HTTPS-enabled Docker private registry, and an alternative approach

Registering an insecure registry

vim /etc/docker/daemon.json

Add:

"insecure-registries":["registry-ip:port"]

{
        "registry-mirrors": ["https://njrds9qc.mirror.aliyuncs.com"],
        "insecure-registries":["192.168.1.111:5000"]
}

Restart the Docker service:

systemctl daemon-reload
systemctl restart docker

HTTPS-enabled Docker private registry

1. Generate a self-signed certificate with openssl:

Edit /etc/ssl/openssl.cnf and add the following line under [v3_ca]:

subjectAltName = IP:192.168.1.111

openssl req -newkey rsa:2048 -new -nodes -x509 -days 3650 -keyout cakey.pem -out cacert.pem

req is the certificate-request subcommand; -newkey rsa:2048 -keyout private_key.key generates the private key; -nodes leaves the private key unencrypted (without it you are prompted for a passphrase); -x509 outputs a certificate instead of a request; -days sets the validity period.

After pressing Enter, fill in the certificate owner's details at the prompts.

To supply them in one step, use the -subj option:

-subj "/C=CN/ST=BeiJing/L=HaiDian/CN=registry.hunyxv.cn"

# The CN here cannot simply be the IP address, or you get the following error:

Get https://192.168.1.111:5000/v2/: x509: cannot validate certificate for 192.168.1.111 because it doesn't contain any IP SANs
  • Put both the private key and the certificate under ~/certs/ for convenience in the steps below.
  • Copy cacert.pem to /etc/docker/certs.d/[docker_registry_domain]/ca.crt
  • Copy the certificate into the system CA store so the system trusts our registry.
cd /etc/ssl
sudo cp ~/certs/cacert.pem certs/
sudo cp ~/certs/cakey.pem private/
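The certificate step above as an added shell example (not code from the original post): it issues the self-signed certificate with a subjectAltName carrying both the DNS name and the IP, which is what avoids the "doesn't contain any IP SANs" error when clients connect by IP, checks that the SAN is really present, and installs the CA in the certs.d layout. It assumes the post's values registry.hunyxv.cn, 192.168.1.111 and port 5000; the function names are mine.

```shell
#!/bin/sh
# Added example, not from the original post. Assumed values (taken from the
# post): DNS name registry.hunyxv.cn, IP 192.168.1.111, port 5000.
set -eu

# make_registry_cert OUTDIR DNSNAME IP
# Writes cakey.pem and cacert.pem to OUTDIR. A throwaway openssl config is used
# instead of editing /etc/ssl/openssl.cnf; the SAN lists both the DNS name and
# the IP, so a CN alone (which Go's x509 does not accept for IPs) is not relied on.
make_registry_cert() {
  outdir=$1; dnsname=$2; ip=$3
  mkdir -p "$outdir"
  cat > "$outdir/san.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_san
prompt = no
[dn]
C = CN
ST = BeiJing
L = HaiDian
CN = $dnsname
[v3_san]
subjectAltName = DNS:$dnsname,IP:$ip
basicConstraints = CA:TRUE
keyUsage = digitalSignature,keyEncipherment,keyCertSign
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -config "$outdir/san.cnf" \
    -keyout "$outdir/cakey.pem" -out "$outdir/cacert.pem" 2>/dev/null
  chmod 600 "$outdir/cakey.pem"   # the private key must not be world-readable
}

# cert_has_san CERT VALUE: succeeds if VALUE (e.g. "IP Address:192.168.1.111"
# or "DNS:registry.hunyxv.cn") appears in the certificate's printed SAN list.
cert_has_san() {
  openssl x509 -in "$1" -noout -text | grep -q "$2"
}

# install_docker_ca CERT CERTSD HOST PORT
# Docker reads CERTSD/HOST:PORT/ca.crt (CERTSD is normally /etc/docker/certs.d;
# it is a parameter here so the function can be exercised in a temp dir).
install_docker_ca() {
  dest="$2/$3:$4"
  mkdir -p "$dest"
  cp "$1" "$dest/ca.crt"
  printf '%s\n' "$dest/ca.crt"
}
```

Run `make_registry_cert ~/certs registry.hunyxv.cn 192.168.1.111` and then `install_docker_ca ~/certs/cacert.pem /etc/docker/certs.d registry.hunyxv.cn 5000` (as root) to reproduce the post's layout.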
           

2. Create a login password for the user (optional)

mkdir auth
docker run --entrypoint htpasswd \
registry:2.0 -Bbn username password > auth/htpasswd

3. Start the registry

# If you skipped step 2, remove the auth parameters here as well
docker run -d \
  -p 5000:5000 \
  --restart=always \
  --name registry \
  -v `pwd`/auth:/auth \
  -e "REGISTRY_AUTH=htpasswd" \
  -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" \
  -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd \
  -v `pwd`/certs:/certs \
  -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/cacert.pem \
  -e REGISTRY_HTTP_TLS_KEY=/certs/cakey.pem \
  registry:2.0

4. Push and pull

docker tag registry:latest registry.hunyxv.cn:5000/registry:latest
docker push registry.hunyxv.cn:5000/registry:latest
The push refers to repository [registry.hunyxv.cn:5000/registry]
    6b263b6e9ced: Pushed
    dead8a13b621: Pushed
    00a8ff67f927: Pushed
    2b7bd2eefde2: Pushed
    a120b7c9a693: Pushed
latest: digest: sha256:a25e4660ed5226bdb59a5e555083e08ded157b1218282840e55d25add0223390 size: 1364

docker pull registry.hunyxv.cn:5000/registry
    Using default tag: latest
    latest: Pulling from registry
    Digest: sha256:a25e4660ed5226bdb59a5e555083e08ded157b1218282840e55d25add0223390
Status: Downloaded newer image for registry.hongyu.cn:5000/registry:latest

5. Log in to the registry

$ docker login kq.hub.io
Username (testuser): username
Password: password
Login Succeeded

6. You can also list the images in a browser

https://registry.hunyxv.cn:5000/v2/_catalog

An alternative approach

Starting with Docker 1.3.2, the Docker registry uses HTTPS by default; when you run docker pull against a non-HTTPS registry you get the following error:

Error: Invalid registry endpoint ... Get ... If this private registry supports only HTTP or HTTPS with an unknown CA certificate, please add '--insecure-registry 192.168.1.103:5000' to the daemon's arguments. In the case of HTTPS, if you have access to the registry's CA certificate, no need for the flag; simply place the CA certificate at /etc/docker/certs.d/192.168.1.103:5000/ca.crt

vim /usr/lib/systemd/system/docker.service

[Unit]
Description=Docker Application Container Engine
Documentation=http://docs.docker.com
After=network.target docker.socket
Requires=docker.socket

[Service]
Type=notify
EnvironmentFile=-/etc/sysconfig/docker
EnvironmentFile=-/etc/sysconfig/docker-storage
ExecStart=/usr/bin/docker -d --insecure-registry 192.168.1.103:5000 -H fd:// $OPTIONS $DOCKER_STORAGE_OPTIONS
LimitNOFILE=1048576
LimitNPROC=1048576

[Install]
WantedBy=multi-user.target
