Building a plain private registry, without HTTPS and without username/password authentication, was covered in the previous post, 搭建本地私有仓库 (Building a local private registry). This post adds two layers of protection to that local private registry: a self-signed certificate for TLS, and username/password authentication.

Assumed setup:
registry domain: registry.baiyongjie.com
registry server: 192.168.1.102
registry client: 192.168.1.103
1. Generate a self-signed certificate

The key is written unencrypted (-nodes) so the registry can load it without a passphrase, and -x509 produces a self-signed certificate directly instead of a signing request. The Common Name must be the hostname clients will use for the registry (registry.baiyongjie.com); newer Docker releases additionally require that name in a subjectAltName extension, which this interactive command does not add.

    [root@baiyongjie ~]# mkdir -p /etc/docker/certs; cd /etc/docker/certs
    [root@baiyongjie certs]# openssl req -newkey rsa:2048 -nodes -sha256 -keyout baiyongjie.key -x509 -days 365 -out baiyongjie.crt
    Generating a 2048 bit RSA private key
    ...................................+++
    ..............+++
    writing new private key to 'baiyongjie.key'
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [XX]:CN                                             # country
    State or Province Name (full name) []:beijing                                    # province
    Locality Name (eg, city) [Default City]:beijing                                  # city
    Organization Name (eg, company) [Default Company Ltd]:
    Organizational Unit Name (eg, section) []:
    Common Name (eg, your name or your server's hostname) []:registry.baiyongjie.com # domain name
    Email Address []:misterbyj@163.com                                               # email address
2. Generate the authentication password file

Replace username and password with your own username and password. The -B flag makes htpasswd store a bcrypt hash, which is the only hash type the registry's htpasswd backend accepts; -b takes the password from the command line and -n prints the entry to stdout instead of writing a file.

    [root@baiyongjie certs]# mkdir auth
    [root@baiyongjie certs]# docker run --entrypoint htpasswd registry:2 -Bbn username password > auth/htpasswd
    Unable to find image 'registry:2' locally
    Trying to pull repository docker.io/library/registry ...
    2: Pulling from docker.io/library/registry
    Digest: sha256:672d519d7fd7bbc7a448d17956ebeefe225d5eb27509d8dc5ce67ecb4a0bce54
    Status: Downloaded newer image for docker.io/registry:2
    [root@baiyongjie certs]# tree
    .
    ├── auth
    │   └── htpasswd
    ├── baiyongjie.crt
    └── baiyongjie.key

Note that the registry image stopped shipping htpasswd in version 2.7.0; with a current registry:2 image, run the same htpasswd command from the httpd:2 image instead (docker run --entrypoint htpasswd httpd:2 -Bbn username password > auth/htpasswd).
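The following is an added example, not part of the original post: a small check that an htpasswd file contains only the bcrypt entries the registry can actually use, since apr1/MD5, SHA1 or crypt entries (htpasswd -m, -s, -d) load silently but never authenticate. The sample file contents are constructed here; the bcrypt-shaped string is not the hash of any real password, and the hypothetical function names check_htpasswd and write_samples are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post: validate an htpasswd file for the
# registry's htpasswd auth backend, which accepts bcrypt entries only (the
# format htpasswd -B produces). Sample entries are constructed; the bcrypt-shaped
# value below is not a real hash of any password.
set -eu

# Print every entry that is not "user:<bcrypt hash>" and return 1 if any exist.
# Blank lines and '#' comments are skipped, as the registry itself skips them.
# bcrypt shape: $2a$/$2b$/$2y$, two-digit cost, then 53 chars of [./A-Za-z0-9].
check_htpasswd() {
    file=$1
    bad=$(grep -Ev '^(#|$)' "$file" \
          | grep -Ev '^[^:]+:\$2[aby]\$[0-9]{2}\$[./A-Za-z0-9]{53}$' || true)
    if [ -n "$bad" ]; then
        printf 'non-bcrypt or malformed entries in %s:\n%s\n' "$file" "$bad" >&2
        return 1
    fi
    return 0
}

# Write two constructed files into $1: one all-bcrypt, one mixing in an apr1
# entry of the kind "htpasswd -m" would create.
write_samples() {
    dir=$1
    printf '%s\n' \
        '# constructed sample, not real credentials' \
        'username:$2y$05$abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0' \
        > "$dir/good.htpasswd"
    printf '%s\n' \
        'username:$2y$05$abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0' \
        'legacy:$apr1$saltsalt$notarealhashxxxxxxxxxxx' \
        > "$dir/mixed.htpasswd"
}

# Usage: write the samples to a temp dir and check both files.
demo_dir=$(mktemp -d)
write_samples "$demo_dir"
check_htpasswd "$demo_dir/good.htpasswd" && echo "good.htpasswd: all entries are bcrypt"
check_htpasswd "$demo_dir/mixed.htpasswd" || echo "mixed.htpasswd: rejected as expected"
```

Run this against auth/htpasswd before starting the registry; a non-zero exit means at least one user in the file could never log in.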
3. Start the registry

    docker run -d -p 443:5000 --name registry \
      -v /etc/docker/certs/auth:/auth \
      -e "REGISTRY_AUTH=htpasswd" \
      -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" \
      -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd \
      -v /data/docker/registry:/var/lib/registry \
      -v /etc/docker/certs:/certs \
      -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/baiyongjie.crt \
      -e REGISTRY_HTTP_TLS_KEY=/certs/baiyongjie.key \
      registry:2
    bde5daf7b7b6ec13669e3cd06711c975132b2105353be10df13947894b7df43f

Each REGISTRY_* variable overrides the matching key in the registry's config.yml: REGISTRY_AUTH=htpasswd together with REGISTRY_AUTH_HTPASSWD_PATH and REGISTRY_AUTH_HTPASSWD_REALM turns on basic authentication against the file from step 2, and REGISTRY_HTTP_TLS_CERTIFICATE / REGISTRY_HTTP_TLS_KEY make the registry serve HTTPS with the certificate from step 1. Mapping host port 443 to the container's port 5000 lets clients address the registry by bare hostname, and /data/docker/registry on the host keeps the pushed image data across container restarts.

    [root@baiyongjie certs]# docker ps
    CONTAINER ID        IMAGE               COMMAND                  CREATED             STATUS              PORTS                  NAMES
    bde5daf7b7b6        registry:2          "/entrypoint.sh /e..."   37 seconds ago      Up 36 seconds       0.0.0.0:443->5000/tcp  registry
4. Push an image to the private registry from the server

1) List the existing images

    [root@baiyongjie certs]# docker images
    REPOSITORY          TAG                 IMAGE ID            CREATED                  SIZE
    docker.io/nginx     latest              cd5239a0906a        Less than a second ago   109 MB
    docker.io/registry  2                   d1fd7d86a825        4 months ago             33.3 MB

2) Retag nginx for the private registry (the docker tag command itself is not shown in the post; the listing afterwards shows the new name registry.baiyongjie.com/baiyongjie/nginx:0.1 pointing at the same image ID cd5239a0906a)

    [root@baiyongjie certs]# docker images
    REPOSITORY                                TAG                 IMAGE ID            CREATED                  SIZE
    docker.io/nginx                           latest              cd5239a0906a        Less than a second ago   109 MB
    registry.baiyongjie.com/baiyongjie/nginx  0.1                 cd5239a0906a        Less than a second ago   109 MB
    docker.io/registry                        2                   d1fd7d86a825        4 months ago             33.3 MB

3) Log in to the private registry

    [root@baiyongjie certs]# echo "192.168.1.102 registry.baiyongjie.com" >> /etc/hosts
    [root@baiyongjie certs]# docker login registry.baiyongjie.com
    Username: username
    Password: password
    Error response from daemon: Get https://registry.baiyongjie.com/v1/users/: x509: certificate signed by unknown authority

The login failed. The error shows that the Docker client considers the certificate presented by the server to be signed by an unknown authority (an unknown CA), so TLS verification fails. We need to make the Docker client trust our CA certificate. For a given registry host, Docker reads /etc/docker/certs.d/<hostname>/ and treats every *.crt file in it as a CA root for that host; since a self-signed certificate is its own CA, copying baiyongjie.crt there is enough. Restarting the Docker daemon also stops the registry container, which is why docker start registry follows.

    [root@baiyongjie certs]# mkdir -p /etc/docker/certs.d/registry.baiyongjie.com
    [root@baiyongjie certs]# cp baiyongjie.crt /etc/docker/certs.d/registry.baiyongjie.com/baiyongjie.crt
    [root@baiyongjie certs]# systemctl restart docker
    [root@baiyongjie certs]# docker start registry
    [root@baiyongjie certs]# docker login registry.baiyongjie.com
    Username: username
    Password: password
    Login Succeeded

The login succeeded, so we can now push an image to the registry.

4) Push the image to the private registry

    [root@baiyongjie certs]# docker push registry.baiyongjie.com/baiyongjie/nginx:0.1
    The push refers to a repository [registry.baiyongjie.com/baiyongjie/nginx]
    3ff93588120e: Pushed
    24ee0a3fd4b9: Pushed
    d626a8ad97a1: Pushed
    0.1: digest: sha256:1f9c00b4c95ef931afa097823d902e7602aebc3ec5532e907e066978075ca3e0 size: 948
5. Pull the image on the client as a test

1) Certificate setup

Only the public certificate is copied to the client; the private key stays on the server.

    [root@localhost ~]# mkdir -p /etc/docker/certs.d/registry.baiyongjie.com
    [root@localhost ~]# cd /etc/docker/certs.d/registry.baiyongjie.com
    [root@localhost registry.baiyongjie.com]# scp root@192.168.1.102:/etc/docker/certs.d/registry.baiyongjie.com/baiyongjie.crt .
    root@192.168.1.102's password:
    baiyongjie.crt                                100% 1440     1.5MB/s   00:00

2) Log in to the registry

    [root@localhost ~]# echo "192.168.1.102 registry.baiyongjie.com" >> /etc/hosts
    [root@localhost ~]# docker login registry.baiyongjie.com
    Username: baiyongjie
    Password:
    Login Succeeded

3) Pull the image

    [root@localhost ~]# docker pull registry.baiyongjie.com/baiyongjie/nginx:0.1
    Trying to pull repository registry.baiyongjie.com/baiyongjie/nginx ...
    0.1: Pulling from registry.baiyongjie.com/baiyongjie/nginx
    f2aa67a397c4: Pull complete
    1cd0975d4f45: Pull complete
    72fd2d3be09a: Pull complete
    Digest: sha256:1f9c00b4c95ef931afa097823d902e7602aebc3ec5532e907e066978075ca3e0
    Status: Downloaded newer image for registry.baiyongjie.com/baiyongjie/nginx:0.1
    [root@localhost ~]# docker images
    REPOSITORY                                TAG                 IMAGE ID            CREATED             SIZE
    registry.baiyongjie.com/baiyongjie/nginx  0.1                 cd5239a0906a        2 weeks ago         109 MB
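The certificate generation of step 1 and the client trust setup of step 5 can be done non-interactively and verified with openssl before any docker login is attempted. The script below is an added example, not code from the original post: it issues the self-signed certificate with a subjectAltName (so that Docker builds on the Go 1.15+ TLS stack, which ignore the Common Name, accept it), places it in the certs.d layout Docker reads on a client, and then checks both the trust chain and the hostname/IP match. The hostname and IP default to the post's values; WORKDIR and CERTS_D are this example's own parameters so it can run as an unprivileged user (on a real client CERTS_D is /etc/docker/certs.d), and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original post: generate the registry's self-signed
# certificate with a subjectAltName, install it the way a Docker client expects,
# and verify it with openssl before docker login. Assumptions: REGISTRY_HOST and
# REGISTRY_IP default to the post's values; WORKDIR/CERTS_D are parameters for
# running unprivileged (the real client path is /etc/docker/certs.d).
set -eu

REGISTRY_HOST=${REGISTRY_HOST:-registry.baiyongjie.com}
REGISTRY_IP=${REGISTRY_IP:-192.168.1.102}
WORKDIR=${WORKDIR:-$(mktemp -d)}
CERTS_D=${CERTS_D:-$WORKDIR/certs.d}

# Non-interactive OpenSSL request config for the DN the post typed in by hand.
# The hostname goes into subjectAltName, which is what current Docker/Go TLS
# clients match on; a name only in the CN is no longer accepted.
make_san_config() {
    host=$1
    ip=$2
    cat <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_self
prompt = no

[dn]
C = CN
ST = beijing
L = beijing
CN = $host

[v3_self]
subjectAltName = DNS:$host,IP:$ip
basicConstraints = critical,CA:TRUE
extendedKeyUsage = serverAuth
EOF
}

# Same openssl flags as the post (-nodes: unencrypted key, -x509: self-signed,
# -days 365) plus -config so the SAN extension ends up in the certificate.
gen_cert() {
    make_san_config "$REGISTRY_HOST" "$REGISTRY_IP" > "$WORKDIR/req.cnf"
    openssl req -newkey rsa:2048 -nodes -sha256 \
        -keyout "$WORKDIR/registry.key" -x509 -days 365 \
        -out "$WORKDIR/registry.crt" -config "$WORKDIR/req.cnf" 2>/dev/null
    chmod 600 "$WORKDIR/registry.key"   # the key never leaves the server
}

# Client-side trust: Docker loads every *.crt under certs.d/<registry host>/ as
# a CA root for that host. A self-signed certificate is its own CA, so the public
# certificate (never the key) is what gets copied here.
install_client_trust() {
    mkdir -p "$CERTS_D/$REGISTRY_HOST"
    cp "$WORKDIR/registry.crt" "$CERTS_D/$REGISTRY_HOST/ca.crt"
}

# Exit 0 only if the certificate chains to the installed CA file AND its SAN
# covers both the hostname and the IP. A failure of the first condition is what
# produces "x509: certificate signed by unknown authority" at docker login.
verify_trust() {
    openssl verify -CAfile "$CERTS_D/$REGISTRY_HOST/ca.crt" \
        -verify_hostname "$REGISTRY_HOST" -verify_ip "$REGISTRY_IP" \
        "$WORKDIR/registry.crt" >/dev/null
}

# Print the SAN that was issued, to compare with the docker login target.
show_san() {
    openssl x509 -in "$WORKDIR/registry.crt" -noout -text \
        | grep -A1 'Subject Alternative Name'
}

# Usage: full server-side issue, client-side install, and verification.
if command -v openssl >/dev/null 2>&1; then
    gen_cert
    install_client_trust
    verify_trust
    echo "trust OK for $REGISTRY_HOST via $CERTS_D/$REGISTRY_HOST/ca.crt"
    show_san
fi
```

On the real hosts, registry.key and registry.crt replace baiyongjie.key and baiyongjie.crt in step 1, and ca.crt is the file to place under /etc/docker/certs.d/registry.baiyongjie.com/ on each client; if verify_trust fails for a hostname, docker login to that hostname will fail with the same x509 error the post shows.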