上一个实验:非加密的形式在企业中是不被允许的。
示例:【为Registry 提供加密传输】
因为传输也是https,所以与ssh一样的加密。
## 这种方式就不用写这个了。
[root@docker ~]# cat /etc/docker/daemon.json
#{
# "insecure-registries" : ["http://172.25.254.5:5000"]
#}
#{
# "insecure-registries" : ["http://172.25.254.5:5000"]
#}
[root@docker ~]# systemctl restart docker
Job for docker.service failed because the control process exited with error code.
See "systemctl status docker.service" and "journalctl -xeu docker.service" for details.
[root@docker ~]#
[root@docker ~]# docker ps
Cannot connect to the Docker daemon at unix:///var/run/docker.sock. Is the docker daemon running?
[root@docker ~]# docker status docker
docker: 'status' is not a docker command.
See 'docker --help'
[root@docker ~]#
[root@docker ~]# systemctl status docker
× docker.service - Docker Application Container Engine
Loaded: loaded (/usr/lib/systemd/system/docker.service; enabled; vendor preset:>
Active: failed
Job for docker.service failed because the control process exited with error code.
See "systemctl status docker.service" and "journalctl -xeu docker.service" for details.
[root@docker ~]#
[root@docker ~]# docker ps
Cannot connect to the Docker daemon at unix:///var/run/docker.sock. Is the docker daemon running?
[root@docker ~]# docker status docker
docker: 'status' is not a docker command.
See 'docker --help'
[root@docker ~]#
[root@docker ~]# systemctl status docker
× docker.service - Docker Application Container Engine
Loaded: loaded (/usr/lib/systemd/system/docker.service; enabled; vendor preset:>
Active: failed
# 重启时遇到报错,停止后重启又好了
[root@docker ~]# systemctl stop docker
[root@docker ~]# systemctl restart docker
[root@docker ~]#
[root@docker ~]# systemctl restart docker
[root@docker ~]#
## 加密
# 生成认证 key 和证书
#建立目录,在目录里建立生成加密文件
# 必须要有解析,不然用不了;
[root@docker ~]# mkdir certs
[root@docker ~]#
[root@docker ~]# vim /etc/hosts
[root@docker ~]# tail -n 1 /etc/hosts
172.25.254.5 reg.folian.org #仓库名为 reg.folian.org
[root@docker ~]#
[root@docker ~]# vim /etc/hosts
[root@docker ~]# tail -n 1 /etc/hosts
172.25.254.5 reg.folian.org #仓库名为 reg.folian.org
[root@docker ~]# openssl req -newkey rsa:4096 \
> -nodes -sha256 -keyout certs/folian.org.key \
> -addext "subjectAltName = DNS:reg.folian.org" \
> -x509 -days 365 -out certs/folian.org.crt
> -nodes -sha256 -keyout certs/folian.org.key \
> -addext "subjectAltName = DNS:reg.folian.org" \
> -x509 -days 365 -out certs/folian.org.crt
# 生成了证书和key
[root@docker ~]# ls certs/
folian.org.crt folian.org.key
[root@docker ~]#
folian.org.crt folian.org.key
[root@docker ~]#
# 建立仓库
[root@docker ~]# docker run -d -p 443:443 --restart=always \
> -v /root/certs:/certs \ #表示把本机的目录挂载到镜像的哪个目录下
> -e REGISTRY_HTTP_ADDR=0.0.0.0:443 \ # 监控端口443
> -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/folian.org.crt \
> -e REGISTRY_HTTP_TLS_KEY=/certs/folian.org.key registry
> -v /root/certs:/certs \ #表示把本机的目录挂载到镜像的哪个目录下
> -e REGISTRY_HTTP_ADDR=0.0.0.0:443 \ # 监控端口443
> -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/folian.org.crt \
> -e REGISTRY_HTTP_TLS_KEY=/certs/folian.org.key registry
## 现在还进行不了镜像推送
# 建立:与仓库名一样
[root@docker ~]# mkdir -p /etc/docker/certs.d/reg.folian.org
[root@docker ~]# cp /root/certs/folian.org.crt /etc/docker/certs.d/reg.folian.org/ca.crt
[root@docker ~]# ls /etc/docker/certs.d/reg.folian.org/ca.crt
/etc/docker/certs.d/reg.folian.org/ca.crt
[root@docker ~]# systemctl restart docker
[root@docker ~]# cp /root/certs/folian.org.crt /etc/docker/certs.d/reg.folian.org/ca.crt
[root@docker ~]# ls /etc/docker/certs.d/reg.folian.org/ca.crt
/etc/docker/certs.d/reg.folian.org/ca.crt
[root@docker ~]# systemctl restart docker
# 推镜像
[root@docker ~]# docker tag nginx:v2 reg.folian.org/nginx:v2
[root@docker ~]# docker push reg.folian.org/nginx:v2
The push refers to repository [reg.folian.org/nginx]
54a2c5fcea1c: Pushed
a8df99e45168: Pushed
174f56854903: Pushed
v2: digest: sha256:2d45824da0f28c4087c7a2c009cc4dba14efc637fdd8bef91fd49a1dcbda8b8c size: 947
[root@docker ~]# 成功!!
[root@docker ~]# docker push reg.folian.org/nginx:v2
The push refers to repository [reg.folian.org/nginx]
54a2c5fcea1c: Pushed
a8df99e45168: Pushed
174f56854903: Pushed
v2: digest: sha256:2d45824da0f28c4087c7a2c009cc4dba14efc637fdd8bef91fd49a1dcbda8b8c size: 947
[root@docker ~]# 成功!!
# 如果其他主机想使用这个镜像仓库,也必须得有镜像证书,而且位置必须是这样。
安全较量,摆脱“麻瓜”标签)
)
)
)
)
