Building a private Docker registry (SSL, authentication)
Environment: CentOS 7, Docker 1.13.1
CentOS 7 setup:
https://www.cnblogs.com/ttkl/p/11041124.html
Docker (server side):
- Install docker
yum -y install docker-io
- Start docker and enable it at boot
systemctl start docker
systemctl enable docker
- Pull the registry image
docker pull registry:2
- Generate the SSL key and certificate
# create the directory for the certificates
mkdir ~/certs
# generate a private key and a self-signed certificate (written into ~/certs, which is mounted into the container below)
openssl req -newkey rsa:2048 -nodes -sha256 -keyout ~/certs/test.registry.com.key -x509 -days 365 -out ~/certs/test.registry.com.crt
- Create a user
# create the directory for the registry's user file
mkdir ~/auth
# create a user for the private registry (here user admin, password admin) with the htpasswd tool from the registry image
docker run --entrypoint htpasswd registry:2 -Bbn admin admin > ~/auth/htpasswd
# remove the container that was just run
docker stop [CONTAINER ID]
docker rm [CONTAINER ID]
- Run the container (the private registry) in the background
docker run -d -p 5000:5000 --restart=always --name registry \
  -v ~/auth:/auth \
  -e "REGISTRY_AUTH=htpasswd" \
  -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" \
  -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd \
  -v ~/data:/var/lib/registry \
  -v ~/certs:/certs \
  -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/test.registry.com.crt \
  -e REGISTRY_HTTP_TLS_KEY=/certs/test.registry.com.key \
  registry:2
Problems you may run into:
#1. open /certs/xx.crt: permission denied (and similar errors)
Fix: either
  ① chcon -Rt svirt_sandbox_file_t ~/certs/
  ② disable SELinux (see the CentOS 7 setup notes above for details)
#2. failed with status: 401 Unauthorized
Fix: log in with the correct username and password
#3. The push refers to a repository [x.x.x.x:5000/registry] Get https://x.x.x.x:5000/v1/_ping: x509: cannot validate certificate for x.x.x.x because it doesn't contain any IP SANs
Fix:
  * edit /etc/pki/tls/openssl.cnf and add the registry's IP address as a subjectAltName in the [ v3_ca ] section:
    [ v3_ca ]
    # Extensions for a typical CA
    subjectAltName = IP:x.x.x.x
  * restart docker
  * reconfigure (regenerate the certificate with the new config and redo the steps above)
#4. The push refers to a repository [x.x.x.x:5000/registry] Get https://x.x.x.x:5000/v1/_ping: x509: certificate signed by unknown authority
Fix: add the private certificate to docker's trust store
  * create the directory x.x.x.x:5000 under /etc/docker/certs.d/
  * copy the ~/certs/*.crt file into the x.x.x.x:5000 directory
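The two x509 errors in problems #3 and #4 are the messages Go's crypto/x509 package returns (the Docker client is written in Go), so the checks can be reproduced exactly. The Go program below is an added example, not code from the original post: it builds a throwaway self-signed certificate for the constructed address 192.0.2.10, with and without an IP SAN, and runs the same two checks the client runs against a registry at that address.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"time"
)

// selfSignedCert mirrors the "openssl req -x509" step above; ips stands in
// for the subjectAltName = IP:x.x.x.x line from problem #3 (none = no IP SAN).
func selfSignedCert(ips ...net.IP) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "test.registry.com"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(365 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		// CA:TRUE, as openssl's default v3_ca section produces
		BasicConstraintsValid: true, IsCA: true,
		IPAddresses:           ips, // the IP SAN(s) the Docker client looks for
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// verifyRegistryCert repeats the checks the Docker client runs when it dials
// host:5000: the cert must chain to a trusted root (what copying the .crt into
// /etc/docker/certs.d/ provides; trusted=false models an empty certs.d) and
// must carry a SAN matching the dialed address.
func verifyRegistryCert(cert *x509.Certificate, trusted bool, host string) error {
	roots := x509.NewCertPool() // empty pool, so system roots are not consulted
	if trusted {
		roots.AddCert(cert)
	}
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}
```

Without the IP SAN the error is x509.HostnameError ("doesn't contain any IP SANs"); with the SAN but no trusted root it is x509.UnknownAuthorityError ("certificate signed by unknown authority"), which is why both the openssl.cnf edit and the certs.d copy are needed.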
Docker (client side):
TLS-encrypted communication:
- Create the directory
mkdir /ssl
cd /ssl
- Create the CA key
openssl genrsa -aes256 -out ca-key.pem 4096
- Create the CA certificate
openssl req -new -x509 -days 1000 -key ca-key.pem -sha256 -subj "/CN=*" -out ca.pem
- Create the server private key
openssl genrsa -out server-key.pem 4096
- Create a certificate signing request for the server key
openssl req -subj "/CN=*" -sha256 -new -key server-key.pem -out server.csr
- Sign the server certificate with the CA certificate and key
openssl x509 -req -days 1000 -sha256 -in server.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out server-cert.pem
- Generate the client key
openssl genrsa -out key.pem 4096
- Create a certificate signing request for the client
openssl req -subj "/CN=client" -new -key key.pem -out client.csr
- Create the extension file (restricts the client certificate to client authentication)
echo extendedKeyUsage=clientAuth > extfile.cnf
- Sign the client certificate
openssl x509 -req -days 1000 -sha256 -in client.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out cert.pem -extfile extfile.cnf
- Remove the leftover files
rm -rf ca.srl client.csr extfile.cnf server.csr
Docker configuration file:
# find the docker unit file
systemctl status docker.service
# edit the unit file and add the following two lines of content to ExecStart (the TLS flags and the listeners)
ExecStart=... --tlsverify --tlscacert=/ssl/ca.pem --tlscert=/ssl/server-cert.pem --tlskey=/ssl/server-key.pem -H unix:///var/run/docker.sock -H tcp://0.0.0.0:5555 ...
# restart docker
systemctl daemon-reload
systemctl restart docker.service
Local host aliases:
Linux:
# config file location
/etc/hosts
# add one line
ip servername
Windows:
# config file location
C:\Windows\System32\drivers\etc\hosts
# add one line
ip servername