Deploying a private Docker registry (TLS encryption plus username/password authentication)
Lab environment:
OS: CentOS 7.4
IPs: 172.16.10.64 and 172.16.10.65
1. Pull the registry image on 172.16.10.65
[root@localhost home]# docker pull registry
2: Pulling from library/registry
Digest: sha256:672d519d7fd7bbc7a448d17956ebeefe225d5eb27509d8dc5ce67ecb4a0bce54
Status: Downloaded newer image for registry:2
2. Generate a self-signed certificate (it doubles as its own CA)
Note: the Common Name should be the registry's domain name (not an IP address, unless you also add an IP SAN). Caveat: Docker clients built with Go 1.15 or later ignore the Common Name entirely and require the host name in a subjectAltName extension; a CN-only certificate such as the one generated interactively below is rejected with "x509: certificate relies on legacy Common Name field". The interactive prompt cannot add a SAN, so on current clients generate the certificate from an openssl config file containing subjectAltName = DNS:myregistry.com (or, with OpenSSL 1.1.1+, pass -addext "subjectAltName=DNS:myregistry.com"; CentOS 7 ships OpenSSL 1.0.2, which lacks that flag). Because of -nodes the private key is written unencrypted, so restrict its permissions (chmod 600) and keep it on the registry host only.
[root@localhost registry]# openssl req -newkey rsa:4096 -nodes -sha256 -keyout /home/registry/certs/domain.key -x509 -days 365 -out /home/registry/certs/domain.crt
Generating a 4096 bit RSA private key
....................................................................................................................++
...++
writing new private key to '/home/registry/certs/domain.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:bj
State or Province Name (full name) []:bj
Locality Name (eg, city) [Default City]:bj
Organization Name (eg, company) [Default Company Ltd]:tl
Organizational Unit Name (eg, section) []:tl
Common Name (eg, your name or your server's hostname) []:myregistry.com
Email Address []:mail@example.cn
3. Generate the username/password file using the registry image
-B selects bcrypt, the only hash format the registry accepts for htpasswd auth. Caveat: registry:2.7 and later no longer ship the htpasswd binary, so on a current image use the httpd image instead (docker run --rm --entrypoint htpasswd httpd:2 -Bbn user password). Also note that a password passed on the command line, as below, ends up in the shell history of the host.
docker run --entrypoint htpasswd registry -Bbn qiulei 123456 >>/home/registry/auth/htpasswd
4. Run the registry with the required parameters,
which point it at the htpasswd file and the certificate/key locations.
--restart=always: always restart the container automatically
docker run -d -p 5000:5000 --restart=always --name registry -v /home/registry/auth:/auth -e "REGISTRY_AUTH=htpasswd" -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd -v /home/registry/certs:/certs -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt -e REGISTRY_HTTP_TLS_KEY=/certs/domain.key registry
5. Because the certificate is self-signed, domain.crt must be installed on every client OS
Linux: copy domain.crt to /etc/docker/certs.d/myregistry.com:5000/ca.crt on each Docker host. The directory name must be exactly the host:port used in docker login and in image names; the original text used myregistrydomain.com:5000 here, copied from the Docker documentation, which would not match the registry set up in this walkthrough. You do not need to restart Docker.
Windows Server:
Open Windows Explorer, right-click the domain.crt file and choose Install Certificate. When prompted, select the following options:
Store Location: Local Machine
Place all certificates in the following store
Click Browse and select Trusted Root Certification Authorities.
Click Finish. Restart Docker.
6. Add name resolution: edit the hosts file or add a DNS record.
[root@localhost registry]# vi /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
172.16.10.65 myregistry.com
7. Verification
172.16.10.65 has the hosts entry and the CA certificate installed; 172.16.10.64 has neither.
Test the login on .65:
[root@localhost registry]# docker login myregistry.com:5000
Username: qiulei
Password:
Login Succeeded
Login succeeded.
Push a local image to the myregistry service
[root@localhost home]# docker tag nginx:latest myregistry.com:5000/my_nginx
(The following error came from a push to a mistyped name, myregistry.com:500, for which no local tag exists; the correct push follows.)
An image does not exist locally with the tag: myregistry.com:500/my_nginx
[root@localhost home]# docker push myregistry.com:5000/my_nginx
The push refers to repository [myregistry.com:5000/my_nginx]
a103d141fc98: Pushed
73e2bd445514: Pushed
2ec5c0a4cb57: Pushed
latest: digest: sha256:926b086e1234b6ae9a11589c4cece66b267890d24d1da388c96dd8795b2ffcfb size: 948
[root@localhost home]# docker images
REPOSITORY                     TAG       IMAGE ID       CREATED       SIZE
myregistry.com:5000/my_nginx   latest    3f8a4339aadd   5 weeks ago   108MB
On .64 the login fails, and pushing or pulling is therefore impossible as well:
[root@localhost ~]# docker login myregistry.com:5000
Username: qiulei
Password:
Error response from daemon: Get https://myregistry.com:5000/v2/: x509: certificate signed by unknown authority
[root@localhost ~]# docker pull myregistry.com:5000/my_ubuntu
Using default tag: latest
Error response from daemon: Get https://myregistry.com:5000/v2/: x509: certificate signed by unknown authority
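The whole procedure above as one script, added here as an example; it is not part of the original post. It assumes docker, openssl and curl on PATH, the host name myregistry.com and the /home/registry layout from the post, and that the user name and password are supplied in the REGISTRY_USER and REGISTRY_PASS environment variables (assumed names) rather than on the command line. It differs from the post in three places a practitioner would want: the certificate carries a subjectAltName (generated from a config file, because CentOS 7's OpenSSL 1.0.2 lacks -addext), the htpasswd entry is produced by the httpd:2 image since registry:2.7+ dropped the binary, and the certs.d directory is derived from the same host:port used for login, so the two can never disagree.

```shell
#!/bin/sh
# Added example, not from the original post: TLS + htpasswd registry end to end.
# Assumptions: docker, openssl and curl on PATH; host name myregistry.com;
# files under /home/registry; credentials in REGISTRY_USER / REGISTRY_PASS.
set -eu

REG_HOST="${REG_HOST:-myregistry.com}"
REG_PORT="${REG_PORT:-5000}"
REG_DIR="${REG_DIR:-/home/registry}"

# Directory Docker consults for a self-signed CA. It must match host:port
# exactly as used in "docker login" and image names.
certs_d_dir() {
    printf '/etc/docker/certs.d/%s:%s\n' "$1" "$2"
}

# openssl config that puts the host name in subjectAltName. Docker clients
# built with Go >= 1.15 ignore the CN and reject CN-only certificates.
write_san_config() {
    host="$1"; out="$2"
    cat > "$out" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_req
prompt = no
[dn]
CN = $host
[v3_req]
subjectAltName = DNS:$host
extendedKeyUsage = serverAuth
EOF
}

gen_cert() {
    mkdir -p "$REG_DIR/certs"
    write_san_config "$REG_HOST" "$REG_DIR/certs/san.cnf"
    openssl req -x509 -newkey rsa:4096 -nodes -sha256 -days 365 \
        -config "$REG_DIR/certs/san.cnf" \
        -keyout "$REG_DIR/certs/domain.key" -out "$REG_DIR/certs/domain.crt"
    chmod 600 "$REG_DIR/certs/domain.key"   # -nodes leaves the key unencrypted
}

# bcrypt htpasswd entry via the httpd image (registry:2.7+ has no htpasswd).
make_htpasswd() {
    mkdir -p "$REG_DIR/auth"
    docker run --rm --entrypoint htpasswd httpd:2 -Bbn "$1" "$2" >> "$REG_DIR/auth/htpasswd"
}

run_registry() {
    docker run -d -p "$REG_PORT:5000" --restart=always --name registry \
        -v "$REG_DIR/auth:/auth:ro" -v "$REG_DIR/certs:/certs:ro" \
        -e REGISTRY_AUTH=htpasswd \
        -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" \
        -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd \
        -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt \
        -e REGISTRY_HTTP_TLS_KEY=/certs/domain.key \
        registry:2
}

# Trust the self-signed certificate on a Docker client host (no daemon restart).
install_ca() {
    dir="$(certs_d_dir "$REG_HOST" "$REG_PORT")"
    mkdir -p "$dir"
    cp "$REG_DIR/certs/domain.crt" "$dir/ca.crt"
}

# /v2/ returns 401 with the CA but no credentials (TLS fine, auth demanded),
# 200 with credentials, and a TLS failure (curl exit 60) without the CA,
# which is the "certificate signed by unknown authority" case from the post.
check_registry() {
    url="https://$REG_HOST:$REG_PORT/v2/"
    ca="$(certs_d_dir "$REG_HOST" "$REG_PORT")/ca.crt"
    curl -s -o /dev/null -w '%{http_code}\n' --cacert "$ca" "$url"
    curl -s -o /dev/null -w '%{http_code}\n' --cacert "$ca" -u "$1:$2" "$url"
    curl -s -o /dev/null "$url" || echo "without CA: curl exit $? (60 = unknown CA)"
}

# Only act when explicitly asked, so the functions can be sourced or tested.
if [ "${1:-}" = "deploy" ]; then
    : "${REGISTRY_USER:?set REGISTRY_USER}" "${REGISTRY_PASS:?set REGISTRY_PASS}"
    gen_cert
    make_htpasswd "$REGISTRY_USER" "$REGISTRY_PASS"
    run_registry
    install_ca
    check_registry "$REGISTRY_USER" "$REGISTRY_PASS"
fi
```

Run it as REGISTRY_USER=qiulei REGISTRY_PASS='...' sh deploy.sh deploy on the registry host; on a second client host only install_ca (with domain.crt copied over) and the hosts entry are needed, after which docker login myregistry.com:5000 succeeds instead of failing with the x509 error shown for .64.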