
Docker - Private Registry - Certificate Authentication

Setting up a private registry with certificate authentication

My environment is CentOS 7.4 with two servers, Server and Client (Docker version 1.13.1).

192.168.237.130 - server | 192.168.237.132 - server-2
↓ Steps
Server side: 1. Create the certificates. 2. Under /etc/docker/certs.d/ create a directory named after the registry address (host:port) and put the CA certificate in it (the file name must be ca.crt). 3. Start the registry, pointing it at the server certificate and private key. Client side: 1. Under /etc/docker/certs.d/ create a directory with the same registry address as its name and copy the server's ca.crt into it.

↓ Original source

Building a private Docker Registry with HTTPS support: https://blog.51cto.com/as007012/2087228

1. Creating the certificates, and the environment

↓↓ Notes ↓↓

Docker is installed on both servers (and the registry and nginx images have been pulled). One of them holds the CA certificate (for convenience I put it in the /root/ directory).
[root@server ~]# ls *.pem
cacert.pem
↓ Create the extensions file for the certificate.
[root@server ~]# vim openssl-exts.conf
extensions = san
[san]
keyUsage = digitalSignature
extendedKeyUsage = clientAuth,serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
subjectAltName = IP:192.168.237.130,IP:127.0.0.1,DNS:localhost,DNS:192.168.237.130:5000
Note: the Docker client matches the host part of the registry address (192.168.237.130, without the port) against the subjectAltName, so the IP entry is what makes this certificate work. A DNS entry that carries a port, like the last one, is not a valid host name and takes no part in the match; it can be dropped.
↓ Create the private key.
[root@server ~]# openssl genrsa -out newreq.pem 1024
Generating RSA private key, 1024 bit long modulus
...........................................++++++
.++++++
e is 65537 (0x10001)
Note: 1024-bit RSA is below today's accepted minimum and is rejected by many TLS clients at their default security level; use 2048 bits or more for anything beyond a lab.
↓ Create the certificate signing request.
[root@server ~]# openssl req -new -newkey rsa:1024 -nodes -sha256 -key newreq.pem \
    -out docker.csr \
    -subj "/C=CN/ST=HB/L=WH/O=DM/OU=YPT/CN=192.168.237.130:5000"
Note: -newkey is redundant here because -key supplies the key just created; the CN is informational only once a subjectAltName is present.
↓ Create (sign) the certificate.
[root@server ~]# openssl x509 -req -sha256 -in docker.csr \
    -CA cacert.pem -CAkey cakey.pem -CAcreateserial \
    -out newcert.pem -days 99999 \
    -extfile ./openssl-exts.conf
Signature ok
subject=/C=CN/ST=HB/L=WH/O=DM/OU=YPT/CN=192.168.237.130:5000
Getting CA Private Key
Enter pass phrase for cakey.pem:123456
Note: the passphrase is entered at a hidden prompt; it appears here only because the author recorded it. A validity of 99999 days means the certificate effectively never expires, which is convenient in a lab but removes any forced rotation.
↓ Docker environment.
[root@server ~]# docker version
Client:
 Version:         1.13.1
 API version:     1.26
 Package version: docker-1.13.1-96.gitb2f74b2.el7.centos.x86_64
 Go version:      go1.10.3
 Git commit:      b2f74b2/1.13.1
 Built:           Wed May 1 14:55:20 2019
 OS/Arch:         linux/amd64

Server:
 Version:         1.13.1
 API version:     1.26 (minimum version 1.12)
 Package version: docker-1.13.1-96.gitb2f74b2.el7.centos.x86_64
 Go version:      go1.10.3
 Git commit:      b2f74b2/1.13.1
 Built:           Wed May 1 14:55:20 2019
 OS/Arch:         linux/amd64
 Experimental:    false
[root@server ~]# docker images
REPOSITORY          TAG       IMAGE ID       CREATED        SIZE
docker.io/nginx     latest    53f3fd8007f7   5 days ago     109 MB
docker.io/registry  latest    f32a97de94e1   2 months ago   25.8 MB

2. Starting the private registry


↓ Create the directory for the CA certificate.
[root@server ~]# mkdir /etc/docker/certs.d/192.168.237.130:5000
↓ Put the CA certificate in place.
[root@server ~]# cp /root/cacert.pem /etc/docker/certs.d/192.168.237.130\:5000/ca.crt
↓ Put the server certificate and key in place.
[root@server ~]# cp /root/newcert.pem /root/newreq.pem /etc/docker/certs.d/
Note: /etc/docker/certs.d/ is the directory the Docker daemon reads client-side trust material from; the registry's private key has no business there. Keep it in its own directory (for example /etc/docker/registry-certs/) with mode 0600, and mount that directory into the registry container instead.
↓ Start the private registry.
[root@server ~]# docker run -d -p 5000:5000 --restart=always --name registry \
    -v /data/registry/:/var/lib/registry \
    -v /etc/docker/certs.d/:/certs.d/ \
    -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs.d/newcert.pem \
    -e REGISTRY_HTTP_TLS_KEY=/certs.d/newreq.pem \
    docker.io/registry
eb6cfb86567fa2483ea8d7797717435c83ec77400535af64e836fd959a88ab19
↓ Re-tag the nginx image so that it points at the private registry.
[root@server ~]# docker tag 53f3fd8007f7 192.168.237.130:5000/nginx:latest
↓ Push the nginx image to the private registry.
[root@server ~]# docker push 192.168.237.130:5000/nginx:latest
The push refers to a repository [192.168.237.130:5000/nginx]
332fa54c5886: Pushed
6ba094226eea: Pushed
6270adb5794c: Pushed
latest: digest: sha256:e770165fef9e36b990882a4083d8ccf5e29e469a8609bb6b2e3b47d9510e2c8d size: 948

3. Testing

↓ Create the directory.
[root@server-2 ~]# mkdir /etc/docker/certs.d/192.168.237.130:5000
↓ Copy the CA certificate.
[root@server-2 ~]# scp 192.168.237.130:/etc/docker/certs.d/192.168.237.130:5000/ca.crt /etc/docker/certs.d/192.168.237.130:5000
root@192.168.237.130's password:
ca.crt                                        100% 4295     1.7MB/s   00:00
↓ Pull the image.
[root@server-2 ~]# docker pull 192.168.237.130:5000/nginx:latest
Trying to pull repository 192.168.237.130:5000/nginx ...
latest: Pulling from 192.168.237.130:5000/nginx
743f2d6c1f65: Pull complete
6bfc4ec4420a: Pull complete
688a776db95f: Pull complete
Digest: sha256:e770165fef9e36b990882a4083d8ccf5e29e469a8609bb6b2e3b47d9510e2c8d
Status: Downloaded newer image for 192.168.237.130:5000/nginx:latest
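The following script is an added example and not part of the original post: it runs through sections 1 to 3 (CA, server key and CSR, signed certificate with a subjectAltName, ca.crt placed under a certs.d/<host>:<port>/ directory) and then checks the result the way a Docker client will, verifying the chain against that ca.crt and matching the IP the client connects to against the SAN. It keeps the post's registry address 192.168.237.130:5000 but uses 2048-bit keys, a SAN with only valid entries, and a throwaway working directory in place of /root and /etc/docker; the CA subject "Example Registry CA" and the validity periods are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: build a CA and a registry
# certificate as in sections 1-3, then verify them like a Docker client.
# Assumptions: registry host 192.168.237.130:5000 (from the post); all files
# go to a temporary directory instead of /root and /etc/docker.
set -eu

REGISTRY_IP=192.168.237.130
REGISTRY_PORT=5000
WORK=$(mktemp -d)
# Stand-in for the client's /etc/docker/certs.d; the daemon looks for
# <host>:<port>/ca.crt below it, port included.
CERTS_D="$WORK/certs.d"

# CA request config: self-signed and explicitly marked as a CA.
cat > "$WORK/ca.cnf" <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[ dn ]
CN = Example Registry CA
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF

# Server request config: the CN is informational only, clients match the SAN.
cat > "$WORK/server.cnf" <<EOF
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = $REGISTRY_IP
EOF

# Extensions applied at signing time. No "DNS:host:port" entry: a SAN holds
# host names and IP addresses only; the port never takes part in the match.
cat > "$WORK/openssl-exts.conf" <<EOF
extensions = san
[ san ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
subjectAltName = IP:$REGISTRY_IP,IP:127.0.0.1,DNS:localhost
EOF

make_ca() {
  openssl genrsa -out "$WORK/cakey.pem" 2048 2>/dev/null
  openssl req -x509 -new -sha256 -days 3650 -key "$WORK/cakey.pem" \
    -config "$WORK/ca.cnf" -out "$WORK/cacert.pem"
}

make_server_cert() {
  openssl genrsa -out "$WORK/newreq.pem" 2048 2>/dev/null
  openssl req -new -sha256 -key "$WORK/newreq.pem" \
    -config "$WORK/server.cnf" -out "$WORK/docker.csr"
  openssl x509 -req -sha256 -in "$WORK/docker.csr" \
    -CA "$WORK/cacert.pem" -CAkey "$WORK/cakey.pem" -CAcreateserial \
    -days 825 -extfile "$WORK/openssl-exts.conf" \
    -out "$WORK/newcert.pem" 2>/dev/null
}

# Client-side layout from section 3: certs.d/<host>:<port>/ca.crt
install_ca_for_client() {
  mkdir -p "$CERTS_D/$REGISTRY_IP:$REGISTRY_PORT"
  cp "$WORK/cacert.pem" "$CERTS_D/$REGISTRY_IP:$REGISTRY_PORT/ca.crt"
}

# Chain check: does the server cert verify against the CA the client trusts?
verify_chain() {
  openssl verify -CAfile "$CERTS_D/$REGISTRY_IP:$REGISTRY_PORT/ca.crt" \
    "$WORK/newcert.pem" >/dev/null 2>&1
}

# Name check: chain plus "is $1 listed in the SAN", which is what a client
# connecting to https://$1:5000 requires.
verify_for_ip() {
  openssl verify -CAfile "$CERTS_D/$REGISTRY_IP:$REGISTRY_PORT/ca.crt" \
    -verify_ip "$1" "$WORK/newcert.pem" >/dev/null 2>&1
}

# Print the SAN entries of the signed certificate, for eyeballing.
san_entries() {
  openssl x509 -in "$WORK/newcert.pem" -noout -text | grep 'IP Address:' | sed 's/^ *//'
}

make_ca
make_server_cert
install_ca_for_client
echo "files in $WORK; SAN: $(san_entries)"
```

Run it once and compare the files it leaves in the temporary directory with the ones in sections 1 and 2: cacert.pem becomes the client's ca.crt, newcert.pem and newreq.pem are what REGISTRY_HTTP_TLS_CERTIFICATE and REGISTRY_HTTP_TLS_KEY point at. verify_for_ip fails for any address that is not in the SAN, which is the same failure a client sees when the registry is reached through a host name or IP the certificate was not issued for.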

4. Errors

[root@localhost ~]# docker pull 192.168.8.235:5000/nginx:latest
Trying to pull repository 192.168.8.235:5000/nginx ...
Get https://192.168.8.235:5000/v1/_ping: http: server gave HTTP response to HTTPS client
This message means the daemon connected over HTTPS but the registry on port 5000 answered in plain HTTP, i.e. that registry was started without the REGISTRY_HTTP_TLS_* settings from section 2 (192.168.8.235 is a different environment from the one above). The workaround below lists the registry as insecure, which makes the daemon accept untrusted certificates and fall back to plain HTTP for that one address, so it gives up exactly the protection this article sets up; the proper fix is to run the registry with TLS. After editing the file, restart the daemon (systemctl restart docker) for the setting to take effect.
[root@localhost ~]# vim /etc/docker/daemon.json
{"insecure-registries":["192.168.8.235:5000"]}