搭建一个支持HTTPS的私有DOCKER Registry

搭建一个支持HTTP的私有DOCKER Registry 可参考文章：

http://blog.csdn.net/fgf00/article/details/52040492

测试能够用HTTP访问一下：

http://IP:PORT/v2/

若是要搭建一个支持HTTPS的私有DOCKER Registry，可参考文章：

http://www.cnblogs.com/xcloudbiz/articles/5526262.html

1. 制做证书，可采用OPENSSL

在ROOT下执行，把证书保存在/root/certs目录下

openssl req -newkey rsa:2048 -nodes -sha256 -keyout /root/certs/domain.key -x509 -days 365 -out /root/certs/domain.crt

本实验采用的域名是：mydockerhub.com

2. 把证书COPY到：

自签名证书，使用Docker Registry的Docker机须要将domain.crt拷贝到 /etc/docker/certs.d/[docker_registry_domain]/ca.crt，

cp certs/domain.crt /etc/docker/certs.d/mydockerhub.com:5000/ca.crt
将domain.crt内容放入系统的CA bundle文件当中，使操做系统信任咱们的自签名证书。

CentOS 6 / 7中bundle文件的位置在/etc/pki/tls/certs/ca-bundle.crt：

cat domain.crt >> /etc/pki/tls/certs/ca-bundle.crt
Ubuntu/Debian Bundle文件地址/etc/ssl/certs/ca-certificates.crt

cat domain.crt >> /etc/ssl/certs/ca-certificates.crt

具体可参考： https://deepzz.com/post/secure-docker-registry.html

3. 启动DOCKER REGISTRY

docker run -d -p 5000:5000 --privileged=true -v /opt/registry:/tmp/registry -v ~/certs/:/root/certs -e REGISTRY_HTTP_TLS_CERTIFICATE=/root/certs/domain.crt -e REGISTRY_HTTP_TLS_KEY=/root/certs/domain.key registry

5. 测试

须要用域名，直接用IP地址会报错：

[root@xcjdocker-occs-wkr-2 opc]# sudo docker pull 139.224.66.172:5000/centos00

Using defaulttag: latest

Error responsefrom daemon: unable to ping registry endpoint https://139.224.66.172:5000/v0/

v2 pingattempt failed with error: Get https://139.224.66.172:5000/v2/: x509: cannotvalidate certificate for 139.224.66.172 because it doesn't contain any IP SANs

v1 ping attempt failed with error: Gethttps://139.224.66.172:5000/v1/_ping: x509: cannot validate certificate for139.224.66.172 because it doesn't contain any IP SANs

[root@xcjdocker-occs-wkr-2 opc]# sudo docker pull

mydockerhub
.com:5000/vvv
Using defaulttag: latest

latest:Pulling from vvv

Digest:sha256:1164a179f7328c80edab409118c4cf0986ffe143b3693c7769f6d54e098705e3

Status:Downloaded newer image for mydockerhub.com:5000/vvv:latest

[root@xcjdocker-occs-wkr-2opc]#

若是要想支持IP方式

若是Docker registry要想支持https, 须要生成证书。这里咱们采用openssl生成证书，通常状况下，证书只支持域名访问，要使其支持IP地址访问，须要修改配置文件openssl.cnf。

修改openssl.cnf，支持IP地址方式，HTTPS访问
在Redhat7或者Centos系统中，文件所在位置是/etc/pki/tls/openssl.cnf。在其中的[ v3_ca]部分，添加subjectAltName选项：

[ v3_ca ]

subjectAltName= IP:129.144.150.111

用openssl生成自签名的证书：
咱们直接在root用户下操做，建立一个目录： /root/certs

而后执行：

openssl req -newkey rsa:2048 -nodes -sha256-keyout /root/certs/domain.key -x509 -days 365 -out /root/certs/domain.crt

Country Name (2 letter code) [XX]:CN

State or Province Name (full name) []:bj

Locality Name (eg, city) [Default City]:bj

Organization Name (eg, company) [DefaultCompany Ltd]:mycom

Organizational Unit Name (eg, section)[]:it

Common Name (eg, your name or your server'shostname) []:129.144.150.111

Email Address []:xcjing@yeah.Net

执行成功后会生成：domain.key 和domain.crt 两个文件

COPY证书
使用Docker Registry的Docker机须要将domain.crt拷贝到 /etc/docker/certs.d/[docker_registry_domain:端口或者IP:端口]/ca.crt，

cp domain.crt/etc/docker/certs.d/129.144.150.111:5000/ca.crt

将domain.crt内容放入系统的CA bundle文件当中，使操做系统信任咱们的自签名证书。

CentOS 6 / 7或者REDHAT中bundle文件的位置在/etc/pki/tls/certs/ca-bundle.crt：

cat domain.crt >>/etc/pki/tls/certs/ca-bundle.crt

Ubuntu/Debian Bundle文件地址/etc/ssl/certs/ca-certificates.crt

cat domain.crt >> /etc/ssl/certs/ca-certificates.crt

注意，若是以前已经有cat过一样的IP, 须要到ca-bundle.crt中把它删除，再作cat操做。不然后面PUSH时会报：

Get https://129.144.150.111:5000/v1/_ping:x509: certificate signed by unknown authority

重启DOCKER Daemon, Registry
systemctl restart docker

启动REGITRY

docker run -d -p 5000:5000--privileged=true -v /opt/registry:/tmp/registry -v ~/certs/:/root/certs -eREGISTRY_HTTP_TLS_CERTIFICATE=/root/certs/domain.crt -eREGISTRY_HTTP_TLS_KEY=/root/certs/domain.key registry:2

验证测试
确认HTTPS OK: curl -i -k -v https://129.144.150.111:5000

或者直接浏览器访问 https://129.144.150.111:5000/v2 显示{} 表示正常

[root@bf278c certs]# docker images

REPOSITORY TAG IMAGE ID CREATED SIZE

centos latest a8493f5f50ff 12 days ago 192MB

129.144.150.111:5000/c latest a8493f5f50ff 12 days ago 192MB

registry 2 136c8b16df20 12 days ago 33.2MB

registry latest 136c8b16df20 12 days ago 33.2MB

hello-world latest 48b5124b2768 3 months ago 1.84kB

[[root@bf278c certs]# docker push129.144.150.111:5000/c

The push refers to a repository[129.144.150.111:5000/c]

36018b5e9787: Pushing 28.9MB/192.5MB

成功

在别的机器上访问
若是要在另外一台机器上访问，须要把CERT文件 COPY过去,一样放在/etc/docker/certs.d下面，建一个目录：/129.144.150.111:5000，而后

[opc@xcjdocker-occs-wkr-2 ~]$ cp domain.crt/etc/docker/certs.d/129.144.150.111:5000/ca.crt

不然报：Error: API error (500): unable to ping registry endpointhttps://129.144.150.111:5000/v0/ v2 ping attempt failed with error: Gethttps://129.144.150.111:5000/v2/: x509: certificate signed by unknown authorityv1 ping attempt failed with error: Get https://129.144.150.111:5000/v1/_ping:x509: certificate signed by unknown authority

测试：

[root@xcjdocker-occs-wkr-2 opc]# sudodocker pull 129.144.150.111:5000/c

Using default tag: latest

latest: Pulling from c

Digest:sha256:1164a179f7328c80edab409118c4cf0986ffe143b3693c7769f6d54e098705e3

Status: Image is up to date for129.144.150.111:5000/c:latest