Main reference: http://blog.csdn.net/gqtcgq/article/details/51163558
Suppose we host a private registry on 1.1.1.1:5000, access it from 2.2.2.2, and want the Docker clients to verify the registry over TLS.
1. On 1.1.1.1, open /etc/pki/tls/openssl.cnf (the RHEL/CentOS path; Debian-based systems keep it at /etc/ssl/openssl.cnf) and add the following option under [ v3_ca ], which is the extension section `openssl req -x509` picks up by default:
[ v3_ca ]
subjectAltName = IP:1.1.1.1
2. Generate the certificate and key on 1.1.1.1:
mkdir -p /opt/docker/registry/certs
openssl req -x509 -days 3650 -nodes -newkey rsa:2048 -keyout /opt/docker/registry/certs/1_1_1_1.key -out /opt/docker/registry/certs/1_1_1_1.crt
...
Country Name (2 letter code) [XX]:
State or Province Name (full name) []:
Locality Name (eg, city) [Default City]:
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:1.1.1.1:5000
Email Address []:
Note that Docker's Go TLS stack matches the registry address against the subjectAltName, not the Common Name, so a CN of 1.1.1.1:5000 (host plus port) never matches anything by itself; the IP:1.1.1.1 SAN added in step 1 is what makes verification succeed. The .key file is the private key: keep it on the registry host only and restrict its permissions (chmod 600).
3. Create the private registry container. The registry image reads its TLS material from the REGISTRY_HTTP_TLS_CERTIFICATE and REGISTRY_HTTP_TLS_KEY environment variables, and binding the port to 1.1.1.1 keeps the registry off any other interface:
docker run -d --name docker-registry-no-proxy --restart=always -v /opt/docker/registry/data:/var/lib/registry -u root -p 1.1.1.1:5000:5000 -v /opt/docker/registry/certs:/certs -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/1_1_1_1.crt -e REGISTRY_HTTP_TLS_KEY=/certs/1_1_1_1.key registry
4. Copy the certificate (only the public .crt, never the .key) into the per-registry trust directory of every Docker daemon that will talk to the registry, on 1.1.1.1 as well as on 2.2.2.2. Docker treats any *.crt file under /etc/docker/certs.d/<host:port>/ as a CA root for that one registry, which is what lets the daemon accept the self-signed certificate. This is trust configuration, not access control: the registry as set up here has no authentication, so anyone who can reach 1.1.1.1:5000 and trusts (or chooses to ignore) the certificate can push and pull.
mkdir -p /etc/docker/certs.d/1.1.1.1:5000/
cp /opt/docker/registry/certs/1_1_1_1.crt /etc/docker/certs.d/1.1.1.1:5000/
5. Upload the image my_image: first tag it with the registry address, then push.
docker tag my_image 1.1.1.1:5000/my_image
docker push 1.1.1.1:5000/my_image
6. Download the image:
docker pull 1.1.1.1:5000/my_image
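The six steps above, scripted end to end, as an added example that is not part of the original post or of the registry project. It differs from the manual procedure in two ways a practitioner would want: the SAN is supplied through a throwaway OpenSSL config passed with -config, so the system-wide openssl.cnf is left untouched, and the generated certificate is checked the way a Docker client will check it (IP present in the SAN, certificate acceptable as its own trust anchor) before the registry is started. The IP, port, directories, the file names registry.crt/registry.key, and the container name docker-registry are assumptions; `openssl` is needed for the certificate functions and `docker` only for the registry functions.

```sh
#!/bin/sh
# Added example, not from the original post: TLS-enabled private registry end to end.
# Assumed values; override via the environment.
set -eu

REGISTRY_IP="${REGISTRY_IP:-1.1.1.1}"
REGISTRY_PORT="${REGISTRY_PORT:-5000}"
CERT_DIR="${CERT_DIR:-/opt/docker/registry/certs}"
DATA_DIR="${DATA_DIR:-/opt/docker/registry/data}"

# Step 1+2 combined: self-signed cert whose SAN carries the registry IP.
# A temporary config replaces the edit to the system openssl.cnf; the CN is
# set to the bare IP (no port), and the SAN is what Docker actually matches.
gen_cert() {
  ip="$1"; outdir="$2"
  mkdir -p "$outdir"
  cnf="$(mktemp)"
  cat > "$cnf" <<EOF
[ req ]
distinguished_name = dn
x509_extensions = v3_registry
prompt = no
[ dn ]
CN = $ip
[ v3_registry ]
subjectAltName = IP:$ip
basicConstraints = CA:TRUE
keyUsage = digitalSignature, keyEncipherment, keyCertSign
extendedKeyUsage = serverAuth
EOF
  openssl req -x509 -days 3650 -nodes -newkey rsa:2048 \
    -keyout "$outdir/registry.key" -out "$outdir/registry.crt" \
    -config "$cnf" 2>/dev/null
  rm -f "$cnf"
  chmod 600 "$outdir/registry.key"   # private key stays on the registry host
}

# Verify the cert as a client would: the IP must appear as a SAN entry, and
# the cert must verify against itself as the trust anchor (which is exactly
# how /etc/docker/certs.d/<host:port>/*.crt is used).
check_cert() {
  crt="$1"; ip="$2"
  openssl x509 -in "$crt" -noout -text | grep -qF "IP Address:$ip" || return 1
  openssl verify -CAfile "$crt" "$crt" >/dev/null 2>&1 || return 1
  return 0
}

# Step 3: registry bound to the host IP only, TLS material mounted read-only.
run_registry() {
  docker run -d --name docker-registry --restart=always \
    -p "$REGISTRY_IP:$REGISTRY_PORT:5000" \
    -v "$DATA_DIR:/var/lib/registry" \
    -v "$CERT_DIR:/certs:ro" \
    -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/registry.crt \
    -e REGISTRY_HTTP_TLS_KEY=/certs/registry.key \
    registry:2
}

# Step 4: run on every Docker client (registry host included). Only the public
# certificate is installed; it makes the daemon trust this one registry and
# grants no access by itself.
trust_cert() {
  dest="/etc/docker/certs.d/$REGISTRY_IP:$REGISTRY_PORT"
  mkdir -p "$dest"
  cp "$CERT_DIR/registry.crt" "$dest/ca.crt"
}

# Steps 5 and 6.
push_image() {
  docker tag "$1" "$REGISTRY_IP:$REGISTRY_PORT/$1"
  docker push "$REGISTRY_IP:$REGISTRY_PORT/$1"
}
pull_image() {
  docker pull "$REGISTRY_IP:$REGISTRY_PORT/$1"
}

# Usage: ./registry-tls.sh setup   (on 1.1.1.1, as root)
#        ./registry-tls.sh trust   (on 2.2.2.2 after copying registry.crt to CERT_DIR)
#        ./registry-tls.sh push my_image | pull my_image
case "${1:-}" in
  setup) gen_cert "$REGISTRY_IP" "$CERT_DIR"
         check_cert "$CERT_DIR/registry.crt" "$REGISTRY_IP"
         run_registry; trust_cert ;;
  trust) trust_cert ;;
  push)  push_image "$2" ;;
  pull)  pull_image "$2" ;;
esac
```

check_cert is deliberately strict about the IP: a certificate generated for 1.1.1.1 fails the check for any other address, which is the same failure a Docker client on 2.2.2.2 would report as an x509 "certificate is valid for ..., not ..." error if the registry were later moved to a different IP without reissuing the certificate.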