Registry certificate generation and distribution

1. Generate the registry server certificate:

[root@docker2 ~]# mkdir registry_certs
[root@docker2 ~]# openssl req -newkey rsa:4096 -nodes -sha256 -keyout registry_certs/domain.key -x509 -days 365 -out registry_certs/domain.crt
Generating a 4096 bit RSA private key
..........................................................................................................................++
..............++
writing new private key to 'registry_certs/domain.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:
State or Province Name (full name) []:
Locality Name (eg, city) [Default City]:
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:docker2   Note: the registry host's hostname (an IP address can be used instead)
Email Address []:
[root@docker2 ~]# ls registry_certs/
domain.crt  domain.key

Using an IP address as the Common Name:

Put the IP address into the Subject Alternative Name: edit openssl.cnf and add subjectAltName = IP:<address> under [v3_ca] (the section that openssl req -x509 applies to a self-signed certificate, via x509_extensions = v3_ca in the [req] section). The drawback of an IP-based name is that every image tag has to be changed whenever the registry's IP address changes. The same SAN requirement also applies to a hostname: current Docker releases (built with Go 1.15 or later) no longer fall back to the Common Name, so the certificate must carry a subjectAltName entry (DNS:docker2, IP:192.168.88.130, or both) for every name that will appear in an image tag.

[root@docker2 ~]# vim /etc/pki/tls/openssl.cnf
Add the following line under [ v3_ca ]:
subjectAltName = IP:192.168.88.130

2. Distribute the certificate to the client host

The directory name under /etc/docker/certs.d/ must be exactly the host:port that appears in the image reference, because dockerd looks up the per-registry CA by that string. The push in step 5 uses docker2:5000, for which dockerd would look in /etc/docker/certs.d/docker2:5000/; it only succeeds with the 192.168.88.130:5000 directory below because step 3 also adds the certificate to the system CA bundle. Either create a directory for every name used in tags, or make the directory name match the tags.

[root@pysaber ~]# mkdir -p /etc/docker/certs.d/192.168.88.130:5000
[root@pysaber ~]# scp root@192.168.88.130:/root/registry_certs/domain.crt /etc/docker/certs.d/192.168.88.130:5000/ca.crt

3. On the client host, append the self-signed certificate to the system CA bundle, then restart the docker service (systemctl restart docker)

Two caveats: on RHEL/CentOS the file /etc/pki/tls/certs/ca-bundle.crt is generated by update-ca-trust and will be overwritten the next time it runs, so the supported way to add a trust anchor is to copy the certificate to /etc/pki/ca-trust/source/anchors/ and run update-ca-trust. More importantly, a certificate generated with the default [v3_ca] section is marked CA:TRUE, so appending it to the system-wide bundle makes the registry's private key a trusted CA for every TLS client on the host, not just for docker; if the certs.d directory matches the name used in image tags, this step is not needed at all.

[root@pysaber ~]# cat /etc/docker/certs.d/192.168.88.130\:5000/ca.crt >> /etc/pki/tls/certs/ca-bundle.crt 

4. Start the registry server

[root@docker2 ~]# docker run -d -p 5000:5000 -v $(pwd)/registry_certs:/certs -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt -e REGISTRY_HTTP_TLS_KEY=/certs/domain.key --restart=always --name registry registry:2.2
44b26b2d474793559e9d71a499be23fdddfdd3d7f44d3db896809e102e412678

5. Push an image

[root@pysaber ~]# docker push docker2:5000/redis:latest
The push refers to a repository [docker2:5000/redis]
0ea23dbb18ab: Pushed 
036b23f466ca: Pushed 
23cfd5584151: Pushed 
0a5fa8924bd6: Pushed 
4f442ee57ce8: Pushed 
6744ca1b1190: Pushed 
latest: digest: sha256:5266020ee7b599a5f7dd09152fc1c5840b71e2febe0c6795186854cc36dc6e30 size: 11033
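The steps above as one script, added here as an example and not part of the original post. It goes beyond the post's single-name certificate: the certificate carries both DNS:docker2 and IP:192.168.88.130 in its subjectAltName (the [v3_registry] section replaces the post's edit of [v3_ca] in the system openssl.cnf), it checks whether a given image tag is covered by the SAN before anything is pushed, it stages the certificate under a certs.d/<host:port>/ tree the way dockerd expects it, and it verifies the result with openssl. The hostname, IP address and port are taken from the post; the temporary directory stands in for /etc/docker on a client and for /root/registry_certs on the registry host. The certificate is marked CA:FALSE on purpose, so that a stolen registry key cannot be used to mint certificates that clients would trust.

```shell
#!/bin/sh
# Added example, not the original post's commands.
# Generates a registry certificate with both hostname and IP in the SAN,
# checks which image tags it covers, stages it for a client and verifies it.
set -eu

REGISTRY_HOST="${REGISTRY_HOST:-docker2}"          # from the post
REGISTRY_IP="${REGISTRY_IP:-192.168.88.130}"       # from the post

# gen_registry_cert OUTDIR : write OUTDIR/domain.key and OUTDIR/domain.crt.
# Go-based Docker clients ignore the Common Name, so every name that will
# appear in an image tag has to be listed in subjectAltName.
gen_registry_cert() {
  outdir="$1"
  mkdir -p "$outdir"
  cat > "$outdir/openssl.cnf" <<EOF
[ req ]
distinguished_name = dn
x509_extensions    = v3_registry
prompt             = no
[ dn ]
CN = $REGISTRY_HOST
[ v3_registry ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = DNS:$REGISTRY_HOST, IP:$REGISTRY_IP
EOF
  openssl req -newkey rsa:4096 -nodes -sha256 -x509 -days 365 \
    -config "$outdir/openssl.cnf" \
    -keyout "$outdir/domain.key" -out "$outdir/domain.crt" 2>/dev/null
  chmod 600 "$outdir/domain.key"   # only the registry container needs the key
}

# san_entries CRT : one SAN entry per line, e.g. "DNS:docker2" or
# "IP Address:192.168.88.130" (the form openssl x509 -text prints)
san_entries() {
  openssl x509 -in "$1" -noout -text \
    | sed -n '/X509v3 Subject Alternative Name/{n;p;}' \
    | tr ',' '\n' | sed 's/^[[:space:]]*//;s/[[:space:]]*$//'
}

# san_covers CRT NAME : true if NAME (hostname or dotted-quad IP) is in the SAN
san_covers() {
  case "$2" in
    *[!0-9.]*) entry="DNS:$2" ;;
    *)         entry="IP Address:$2" ;;
  esac
  san_entries "$1" | grep -qxF "$entry"
}

# registry_of TAG : the "host:port" part of a reference such as
# docker2:5000/redis:latest; dockerd uses it to pick certs.d/<host:port>/
registry_of() { printf '%s\n' "${1%%/*}"; }

# tag_is_covered CRT TAG : true if the SAN contains the host (or IP) of TAG,
# i.e. a push to TAG will not fail with a certificate name mismatch
tag_is_covered() {
  reg=$(registry_of "$2")
  san_covers "$1" "${reg%%:*}"
}

# stage_client_ca ROOT CRT TAG : copy CRT to <ROOT>/certs.d/<host:port>/ca.crt,
# the per-registry trust location dockerd checks; prints the path written.
# ROOT is /etc/docker on a real client.
stage_client_ca() {
  dir="$1/certs.d/$(registry_of "$3")"
  mkdir -p "$dir"
  cp "$2" "$dir/ca.crt"
  printf '%s\n' "$dir/ca.crt"
}

# cert_verifies CAFILE CRT : true if CRT verifies against CAFILE
# (for a self-signed certificate, against itself)
cert_verifies() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# Demo: generate once, then check the tags a client might use.
demo() {
  work=$(mktemp -d)
  gen_registry_cert "$work/registry_certs"
  crt="$work/registry_certs/domain.crt"
  echo "SAN entries:"; san_entries "$crt"
  for tag in "$REGISTRY_HOST:5000/redis:latest" \
             "$REGISTRY_IP:5000/redis:latest" \
             "other-host:5000/redis:latest"; do
    if tag_is_covered "$crt" "$tag"; then
      ca=$(stage_client_ca "$work/docker" "$crt" "$tag")
      if cert_verifies "$ca" "$crt"; then echo "OK   $tag -> $ca"; fi
    else
      echo "FAIL $tag: registry host not in subjectAltName"
    fi
  done
  rm -rf "$work"
}
demo
```

Run it on the registry host, then copy registry_certs/domain.crt to each client as /etc/docker/certs.d/docker2:5000/ca.crt and /etc/docker/certs.d/192.168.88.130:5000/ca.crt; with both directories in place the system CA bundle does not need to be touched.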

 

posted @ 2019-03-19 15:15  korons