[Docker]docker搭建私有仓库(ssl、身份认证)

docker搭建私有仓库(ssl、身份认证)

环境:CentOS 7、Docker 1.13.1

CentOS 7相关:

 https://www.cnblogs.com/ttkl/p/11041124.html

Docker相关(服务端):

  • 安装docker
yum -y install docker-io
  • 启动docker,并配置开机启动
systemctl start docker
systemctl enable docker
  • 拉取registry镜像
docker pull registry:2
  • 生成ssl密钥
# 创建ssl相关目录
mkdir ~/certs
# 生成ssl密钥
openssl req -newkey rsa:2048 -nodes -sha256 -keyout certs/test.registry.com.key -x509 -days 365 -out certs/test.registry.com.crt
  • 创建用户
# 创建registry登陆用户文件夹
mkdir ~/auth
# 创建private用户
docker run --entrypoint htpasswd registry:2 -Bbn admin admin > ~/auth/htpasswd
# 删除运行的容器
docker stop [CONTAINER ID]
docker rm [CONTAINER ID]
  • 后台运行容器(私有仓库)
docker run -d -p 5000:5000 --restart=always --name registry \
           -v ~/auth:/auth \
           -e "REGISTRY_AUTH=htpasswd" \
           -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" \
           -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd \
           -v ~/data:/var/lib/registry \
           -v ~/certs:/certs \
           -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/test.registry.com.crt \
           -e REGISTRY_HTTP_TLS_KEY=/certs/test.registry.com.key \
           registry:2

 可能遇到以下问题:

#1、open /certs/xx.crt: permission denied(类似问题)
    解决:①chcon -Rt svirt_sandbox_file_t ~/certs/
         ②禁用selinux即可(详细请看centos7的安装)
#2、failed with status: 401 Unauthorized
    解决:输入正确的用户名和密码
#3、The push refers to a repository [x.x.x.x:5000/registry]
    Get https://x.x.x.x:5000/v1/_ping: x509: cannot validate certificate for x.x.x.x because it doesn't contain any IP SANs
    解决:*修改/etc/pki/tls/openssl.cnf配置[ v3_ca ]
              [ v3_ca ]
              # Extensions for a typical CA
              subjectAltName = IP:x.x.x.x
            *重启docker
            *重新配置
#4、The push refers to a repository [x.x.x.x:5000/registry]
    Get https://x.x.x.x:5000/v1/_ping: x509: certificate signed by unknown authority
    解决:添加私有证书到docker
            *在/etc/docker/certs.d/目录下创建x.x.x.x:5000文件夹
            *复制~/certs/*.crt文件到x.x.x.x:5000文件夹下即可

 

 

Docker相关(客户端):

tls加密通讯:

  • 创建文件夹
mkdir /ssl
cd /ssl
  • 创建ca密钥
openssl genrsa -aes256 -out ca-key.pem 4096
  • 创建ca证书
openssl req -new -x509 -days 1000 -key ca-key.pem -sha256 -subj "/CN=*" -out ca.pem
  • 创建服务器私钥
openssl genrsa -out server-key.pem 4096
  • 签名私钥
openssl req -subj "/CN=*" -sha256 -new -key server-key.pem -out server.csr
  • 使用ca证书与私钥证书签名
openssl x509 -req -days 1000 -sha256 -in server.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out server-cert.pem
  • 生成客户端密钥
openssl genrsa -out key.pem 4096
  • 签名客户端
openssl req -subj "/CN=client" -new -key key.pem -out client.csr
  • 创建配置文件
echo extendedKeyUsage=clientAuth > extfile.cnf
  • 签名证书
openssl x509 -req -days 1000 -sha256 -in client.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out cert.pem -extfile extfile.cnf
  • 删除多余文件
rm -rf ca.srl client.csr extfile.cnf server.csr

 

docker配置文件:

# 查看docker配置文件
systemctl status docker.service
# 修改配置文件,添加两行内容
ExecStart=...
          --tlsverify --tlscacert=/ssl/ca.pem --tlscert=/ssl/server-cert.pem --tlskey=/ssl/server-key.pem
          -H unix:///var/run/docker.sock -H tcp://0.0.0.0:5555
          ...
# 重启docker
systemctl daemon-reload
systemctl restart docker.service

 

本机别名:

Linux:

# 配置文件位置
/etc/hosts
# 添加一行内容
ip    servername

Windows:

# 配置文件位置
C:\Windows\System32\drivers\etc\hosts
# 添加一行内容
ip    servername

 

posted @ 2019-06-17 18:01  行走的DT  阅读(2639)  评论(0编辑  收藏  举报