2019独角兽企业重金招聘Python工程师标准>>>
1 仓库配置https认证
cd /etc/docker/
mkdir certs
[root@docker01 docker]# openssl req -newkey rsa:4096 -nodes -sha256 -keyout certs/docker01.key -x509 -days 365 -out certs/docker01.crt
填好相应的简称及email即可
2 运行registry容器
[root@docker01 docker]# docker run -d -P -it \
-p 5000:5000 --restart=always \
--name registry -v `pwd`/certs:/etc/docker/certs/ \
-e REGISTRY_HTTP_TLS_CERTIFICATE=/etc/docker/certs/docker01.crt \
-e REGISTRY_HTTP_TLS_KEY=/etc/docker/certs/docker01.key registry
3 配置客户端docker02
mkdir -p /etc/docker/certs.d/docker01:5000
scp docker01:/etc/docker/certs/docker01.crt /etc/docker/certs.d/docker01:5000/ca.crt
查看镜像
[root@docker02 docker]# docker images
REPOSITORY TAG IMAGE ID CREATED VIRTUAL SIZE
swarm latest 8eadaf3525b0 2 weeks ago 15.77 MB
上传镜像
docker tag swarm docker01:5000/swarm
[root@docker02 docker]# docker push docker01:5000/swarm
docker01想上传数据同样需要配置证书,同docker02
4 鉴权管理
将以上的registry容器删除干净,包括仓库的本地文件
还是在/etc/docker目录下操作
mkdir auth
docker run --entrypoint htpasswd registry -Bbn bsoft bsoft > auth/htpasswd
[root@docker01 docker]# docker run -d -p 5000:5000 --restart=always \
--name registry -v `pwd`/certs:/etc/docker/certs/ \
-v `pwd`/auth:/auth \
-e "REGISTRY_AUTH=htpasswd" \
-e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" \
-e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd \
-v `pwd`/data:/var/lib/registry \
-e REGISTRY_HTTP_TLS_CERTIFICATE=/etc/docker/certs/docker01.crt \
-e REGISTRY_HTTP_TLS_KEY=/etc/docker/certs/docker01.key \
registry
启动后即可push,push不仅需要证书还要输入用户、密码和邮箱,而pull只需要有证书即可
注意pull的时候需要带上版本号,而curl查看是看不到版本号的
curl查看:
curl --cacert /etc/docker/certs/docker01.crt --basic --user bsoft:bsoft https://docker01:5000/v2/_catalog
curl --cacert /etc/docker/certs.d/docker01:5000/ca.crt --basic --user bsoft:bsoft https://docker01:5000/v2/_catalog