1.环境:
[root@docker02 anchors]# cat /etc/redhat-release
CentOS Linux release 7.3.1611 (Core)
[root@docker02 anchors]# docker info
Containers:
Running:
Paused:
Stopped:
Images:
Server Version: 17.03.1-ce
.....
10.60.10.39 docker01.lo -->仓库
10.60.10.40 docker02.lo -->客户端
10.60.10.41 docker03.lo -->客户端
2.仓库配置https认证
a.配置hosts文件
[root@docker01 ~]# cat /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
10.60.10.39 docker01.lo
10.60.10.40 docker02.lo
10.60.10.41 docker03.lo
b.生成证书
[root@docker01 ~]# cd /etc/docker/
[root@docker01 docker]# mkdir certs
#切到docker配置文件目录,新建certs目录。
[root@docker01 docker]# openssl req -newkey rsa:<KEY_BITS> -nodes -sha256 -keyout certs/docker01.lo.key -x509 -days <DAYS> -out certs/docker01.lo.crt
#（<KEY_BITS>、<DAYS> 两处数字在原文抓取时丢失，按需填写，示例值：4096 / 365）
Generating a <KEY_BITS> bit RSA private key
..........................................................................................................................................................................................................................................................................++
..............++
writing new private key to 'certs/docker01.lo.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:ZJ
Locality Name (eg, city) [Default City]:HZ
Organization Name (eg, company) [Default Company Ltd]:ZX
Organizational Unit Name (eg, section) []:ZX
Common Name (eg, your name or your server's hostname) []:docker01.lo
Email Address []:TEST@.com
注意,以上三处关键字要一致：-keyout 的文件名、-out 的文件名以及 Common Name 都使用仓库主机的主机名（这里是 docker01.lo），客户端校验证书时会拿 Common Name 与访问的仓库主机名做比对，不一致就会报证书错误。
[root@docker01 docker]# ll certs/
total
-rw-r--r--. root root Jun : docker01.lo.crt
-rw-r--r--. root root Jun : docker01.lo.key
3.运行registry容器
docker run -d -P -it -p 5000:5000 --restart=always --name registry_https01 -v `pwd`/certs:/etc/docker/certs/ -e REGISTRY_HTTP_TLS_CERTIFICATE=/etc/docker/certs/docker01.lo.crt -e REGISTRY_HTTP_TLS_KEY=/etc/docker/certs/docker01.lo.key registry
[root@docker01 docker]# docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
4b10b23f3dd0 registry "/entrypoint.sh /e..." seconds ago Up seconds 0.0.0.0:5000->5000/tcp registry_https01
[root@docker01 docker]# netstat -ntpl
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0.0.0.0: 0.0.0.0:* LISTEN /sshd
tcp 127.0.0.1: 0.0.0.0:* LISTEN /master
tcp6 ::: :::* LISTEN /sshd
tcp6 ::: :::* LISTEN /master
tcp6 ::: :::* LISTEN /dockerd
tcp6 ::: :::* LISTEN /docker-proxy
tcp6 ::: :::* LISTEN /dockerd
tcp6 ::: :::* LISTEN /dockerd
4.配置客户端( 需要配置hosts文件如步骤2-a)
a.远程拷贝docker01.lo.crt到客户端/etc/pki/ca-trust/source/anchors目录下（放进系统信任锚后，该自签证书会被这台主机上所有 TLS 客户端信任，而不仅是 docker；若只想让 docker 信任该仓库，可改放到 /etc/docker/certs.d/docker01.lo:5000/ca.crt）
[root@docker01 docker]# scp certs/docker01.lo.crt 10.60.10.40:/etc/pki/ca-trust/source/anchors
root@10.60.10.40's password:
docker01.lo.crt % .0KB/s :
[root@docker01 docker]# scp certs/docker01.lo.crt 10.60.10.41:/etc/pki/ca-trust/source/anchors
root@10.60.10.41's password:
docker01.lo.crt % .0KB/s :
b.更新证书
[root@docker02 ~]# cd /etc/pki/ca-trust/source/anchors
[root@docker02 anchors]# update-ca-trust
[root@docker03 ~]# cd /etc/pki/ca-trust/source/anchors
[root@docker03 anchors]# update-ca-trust
c.上传image（本文的仓库只配置了 TLS、没有配置认证，下面的 push 不需要 login，任何能访问 5000 端口并信任该证书的客户端都可以推送）
[root@docker02 anchors]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
nginx latest 958a7ae9e569 weeks ago MB
swarm latest 36b1e23becab months ago 15.9 MB
centos 6.8 0cd976dc0a98 months ago MB
[root@docker02 anchors]# docker tag centos:6.8 docker01.lo:5000/centos:6.8
[root@docker02 anchors]# docker push docker01.lo:5000/centos
The push refers to a repository [docker01.lo:5000/centos]
b1b065555b8a: Pushed
6.8: digest: sha256:c338f851dc6520fc3f7ece01e4fbe207eaa78b775a0738f2bfdd6f36144e6b8a size:
[root@docker02 anchors]# curl https://docker01.lo:5000/v2/_catalog
{"repositories":["centos"]}
-----------------------------------------------------------------------------
[root@docker03 anchors]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
ubuntu latest 7b9b13f7b9c0 weeks ago MB
nginx latest 958a7ae9e569 weeks ago MB
swarm latest 36b1e23becab months ago 15.9 MB
centos 6.8 0cd976dc0a98 months ago MB
[root@docker03 anchors]# docker tag ubuntu docker01.lo:5000/ubuntu
[root@docker03 anchors]# docker push docker01.lo:5000/ubuntu
The push refers to a repository [docker01.lo:5000/ubuntu]
d8b353eb3025: Pushed
f2e85bc0b7b1: Pushed
fc9e1e5e38f7: Pushed
fe9a3f9c4559: Pushed
6a8bf8c8edbd: Pushed
latest: digest: sha256:ea1d854d38be82f54d39efe2c67000bed1b03348bcc2f3dc094f260855dff368 size:
[root@docker03 anchors]# curl https://docker01.lo:5000/v2/_catalog
{"repositories":["centos","ubuntu"]}
d.下载image
[root@docker02 anchors]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
nginx latest 958a7ae9e569 weeks ago MB
swarm latest 36b1e23becab months ago 15.9 MB
centos 6.8 0cd976dc0a98 months ago MB
docker01.lo:5000/centos 6.8 0cd976dc0a98 months ago MB
[root@docker02 anchors]# docker pull docker01.lo:5000/ubuntu
Using default tag: latest
latest: Pulling from ubuntu
bd97b43c27e3: Pull complete
6960dc1aba18: Pull complete
2b61829b0db5: Pull complete
1f88dc826b14: Pull complete
73b3859b1e43: Pull complete
Digest: sha256:ea1d854d38be82f54d39efe2c67000bed1b03348bcc2f3dc094f260855dff368
Status: Downloaded newer image for docker01.lo:5000/ubuntu:latest
[root@docker02 anchors]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
docker01.lo:5000/ubuntu latest 7b9b13f7b9c0 weeks ago MB
nginx latest 958a7ae9e569 weeks ago MB
swarm latest 36b1e23becab months ago 15.9 MB
centos 6.8 0cd976dc0a98 months ago MB
docker01.lo:5000/centos 6.8 0cd976dc0a98 months ago MB
-------------------------------------------------
[root@docker03 anchors]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
docker01.lo:5000/ubuntu latest 7b9b13f7b9c0 weeks ago MB
ubuntu latest 7b9b13f7b9c0 weeks ago MB
nginx latest 958a7ae9e569 weeks ago MB
swarm latest 36b1e23becab months ago 15.9 MB
centos 6.8 0cd976dc0a98 months ago MB
[root@docker03 anchors]# docker pull docker01.lo:5000/centos:6.8
6.8: Pulling from centos
Digest: sha256:c338f851dc6520fc3f7ece01e4fbe207eaa78b775a0738f2bfdd6f36144e6b8a
Status: Downloaded newer image for docker01.lo:5000/centos:6.8
[root@docker03 anchors]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
docker01.lo:5000/ubuntu latest 7b9b13f7b9c0 weeks ago MB
ubuntu latest 7b9b13f7b9c0 weeks ago MB
nginx latest 958a7ae9e569 weeks ago MB
swarm latest 36b1e23becab months ago 15.9 MB
centos 6.8 0cd976dc0a98 months ago MB
docker01.lo:5000/centos 6.8 0cd976dc0a98 months ago MB
5.问题解决:
[root@docker03 anchors]# docker push docker01.lo:5000/centos
The push refers to a repository [docker01.lo:5000/centos]
Get https://docker01.lo:5000/v1/_ping: x509: certificate signed by unknown authority
如碰到上述问题（"certificate signed by unknown authority" 说明 docker 守护进程还没有信任这张证书，常见原因是 update-ca-trust 之后没有重启 docker，守护进程仍在用启动时加载的信任库），按下面处理。注意 CentOS 7 上 /etc/pki/tls/certs/ca-bundle.crt 是 update-ca-trust 生成的文件，直接追加会在下次 update-ca-trust 时被覆盖，真正生效的是 anchors 目录里的证书 + update-ca-trust + 重启 docker:
[root@docker03 anchors]# cat docker01.lo.crt >> /etc/pki/tls/certs/ca-bundle.crt
[root@docker03 anchors]# update-ca-trust
[root@docker03 anchors]# systemctl restart docker