[Docker] Building a private Docker registry (SSL, authentication)



Environment: CentOS 7, Docker 1.13.1

CentOS 7 related:

 https://www.cnblogs.com/ttkl/p/11041124.html

Docker related (server side):

  • Install Docker
yum -y install docker-io
  • Start Docker and enable it at boot
systemctl start docker
systemctl enable docker
  • Pull the registry image
docker pull registry:2
  • Generate the SSL key and certificate
# Create the directory for the SSL files
mkdir ~/certs
# Generate the SSL key and a self-signed certificate (valid for 365 days)
openssl req -newkey rsa:2048 -nodes -sha256 -keyout ~/certs/test.registry.com.key -x509 -days 365 -out ~/certs/test.registry.com.crt
  • Create a user
# Create the directory for the registry login (htpasswd) file
mkdir ~/auth
# Create the user for the private registry (username admin, password admin)
docker run --entrypoint htpasswd registry:2 -Bbn admin admin > ~/auth/htpasswd
# Remove the container that was just run
docker stop [CONTAINER ID]
docker rm [CONTAINER ID]
  • Run the container (private registry) in the background
docker run -d -p 5000:5000 --restart=always --name registry \
           -v ~/auth:/auth \
           -e "REGISTRY_AUTH=htpasswd" \
           -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" \
           -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd \
           -v ~/data:/var/lib/registry \
           -v ~/certs:/certs \
           -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/test.registry.com.crt \
           -e REGISTRY_HTTP_TLS_KEY=/certs/test.registry.com.key \
           registry:2

 Problems you may encounter:

#1. open /certs/xx.crt: permission denied (and similar errors)
    Fix: ① chcon -Rt svirt_sandbox_file_t ~/certs/
         ② or disable SELinux (see the CentOS 7 installation notes)
#2. failed with status: 401 Unauthorized
    Fix: log in with the correct username and password
#3. The push refers to a repository [x.x.x.x:5000/registry]
    Get https://x.x.x.x:5000/v1/_ping: x509: cannot validate certificate for x.x.x.x because it doesn't contain any IP SANs
    Fix: * edit the [ v3_ca ] section of /etc/pki/tls/openssl.cnf
              [ v3_ca ]
              # Extensions for a typical CA
              subjectAltName = IP:x.x.x.x
            * restart Docker
            * redo the setup above
#4. The push refers to a repository [x.x.x.x:5000/registry]
    Get https://x.x.x.x:5000/v1/_ping: x509: certificate signed by unknown authority
    Fix: add the private certificate to Docker
            * create a directory named x.x.x.x:5000 under /etc/docker/certs.d/
            * copy ~/certs/*.crt into that x.x.x.x:5000 directory
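Added example (not from the original post): a POSIX shell script that generates the registry certificate with DNS and IP subjectAltNames from the start, so problems #3 and #4 above are handled in one step, and then installs it in the certs.d layout the Docker client expects. The host name test.registry.com and the IP 192.0.2.10 are constructed placeholders, and the certs.d base directory is a parameter (it is /etc/docker/certs.d on a real client) so the script can be exercised without root.

```shell
#!/bin/sh
# Create a self-signed registry certificate that already carries DNS and IP SANs,
# then install it where the Docker client looks for private registry CAs.
# Uses a -config file instead of -addext so it works on OpenSSL 1.0.2 (CentOS 7).
set -e

# make_registry_cert DIR HOST IP : write HOST.key and HOST.crt (with SANs) into DIR
make_registry_cert() {
  dir="$1"; host="$2"; ip="$3"
  mkdir -p "$dir"
  cat > "$dir/san.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_req
prompt = no
[dn]
CN = $host
[v3_req]
subjectAltName = DNS:$host,IP:$ip
EOF
  openssl req -newkey rsa:2048 -nodes -sha256 -x509 -days 365 \
    -config "$dir/san.cnf" \
    -keyout "$dir/$host.key" -out "$dir/$host.crt" 2>/dev/null
  chmod 600 "$dir/$host.key"   # the private key must not be world-readable
}

# cert_has_ip_san CRT IP : succeed only if IP appears as an IP SAN in CRT
cert_has_ip_san() {
  openssl x509 -in "$1" -noout -text | grep -Eq "IP Address:$2(,|\$)"
}

# install_registry_ca BASE HOST PORT CRT : copy CRT to BASE/HOST:PORT/ca.crt
# (BASE is /etc/docker/certs.d on a real client; a parameter here for testing)
install_registry_ca() {
  target="$1/$2:$3"
  mkdir -p "$target"
  cp "$4" "$target/ca.crt"
}

# Demo in a temporary directory (constructed host name and IP)
work=$(mktemp -d)
make_registry_cert "$work/certs" test.registry.com 192.0.2.10
cert_has_ip_san "$work/certs/test.registry.com.crt" 192.0.2.10 && echo "IP SAN present"
install_registry_ca "$work/certs.d" 192.0.2.10 5000 "$work/certs/test.registry.com.crt"
ls "$work/certs.d"
```

After copying the certificate onto the client, a `docker login x.x.x.x:5000` is the quickest check that both the TLS trust and the htpasswd credentials are accepted.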


Docker related (client side):

TLS encrypted communication:

  • Create the directory
mkdir /ssl
cd /ssl
  • Create the CA key
openssl genrsa -aes256 -out ca-key.pem 4096
  • Create the CA certificate
openssl req -new -x509 -days 1000 -key ca-key.pem -sha256 -subj "/CN=*" -out ca.pem
  • Create the server private key
openssl genrsa -out server-key.pem 4096
  • Create the server certificate signing request
openssl req -subj "/CN=*" -sha256 -new -key server-key.pem -out server.csr
  • Sign the server certificate with the CA certificate and key
openssl x509 -req -days 1000 -sha256 -in server.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out server-cert.pem
  • Generate the client key
openssl genrsa -out key.pem 4096
  • Create the client certificate signing request
openssl req -subj "/CN=client" -new -key key.pem -out client.csr
  • Create the extension config file (marks the certificate for client authentication)
echo extendedKeyUsage=clientAuth > extfile.cnf
  • Sign the client certificate
openssl x509 -req -days 1000 -sha256 -in client.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out cert.pem -extfile extfile.cnf
  • Remove the leftover files
rm -rf ca.srl client.csr extfile.cnf server.csr


Docker daemon configuration file:

# Locate the docker service unit file (its path is shown in the status output)
systemctl status docker.service
# Edit the unit file and add the following two lines to ExecStart
ExecStart=...
          --tlsverify --tlscacert=/ssl/ca.pem --tlscert=/ssl/server-cert.pem --tlskey=/ssl/server-key.pem
          -H unix:///var/run/docker.sock -H tcp://0.0.0.0:5555
          ...
# Reload the unit and restart docker
systemctl daemon-reload
systemctl restart docker.service


Local host aliases:

Linux:

# Configuration file location
/etc/hosts
# Add one line
ip    servername

Windows:

# Configuration file location
C:\Windows\System32\drivers\etc\hosts
# Add one line
ip    servername
