HTTP直接傳送沒有安全認(rèn)證

1.拉取registry docker pull registry
2.啟動(dòng)docker run -dp 5000:5000 --restart=always --name registry registry:latest
--restart=always docker啟動(dòng)時(shí)也啟動(dòng)此容器
沒有-v參數(shù),docker鏡像默認(rèn)保存在宿主機(jī)的/var/lib/docker/volumes/xxx/_data/docker/registry/v2/repositories/容器刪除后這里面的鏡像也會(huì)刪除,指定一下-v /mnt/registry:/var/lib/registry宿主機(jī)就不刪除了
3.報(bào)錯(cuò)Get https://192.168.80.160:5000/v2/: http: server gave HTTP response to HTTPS client
基本上本地倉(cāng)庫(kù)都會(huì)這樣,修改/etc/docker/daemon.json,

{
  "registry-mirrors": ["https://y0iv6bup.mirror.aliyuncs.com"],
  "insecure-registries":["192.168.80.160:5000"]
}
systemctl restart docker

不要忘記第一個(gè)配置后面加逗號(hào),要增加多個(gè)認(rèn)證鏈接,"insecure-registries":["192.168.80.160:5000","192.168.80.160:5001"]沒有逗號(hào)

4.docker pull busybox
docker tag busybox:latest 192.168.80.160:5000/busybox
docker push 192.168.80.160:5000/busybox

增加賬戶密碼認(rèn)證

1.創(chuàng)建存放密碼賬號(hào)的文件 mkdir -p /docker-hub/auth,這個(gè)倉(cāng)庫(kù)可以把原來的倉(cāng)庫(kù)刪除,我用的是新建一個(gè)容器,改端口為5001,但是daemon.json要增加
2.docker run --entrypoint htpasswd registry -Bbn username password > /docker-hub/auth/htpasswd
username和password自己設(shè)置
3.啟動(dòng)本地倉(cāng)庫(kù)容器

docker run -d -p 5001:5000 --restart=always --name docker-hub \
  -v /docker-hub/auth:/auth \
  -e "REGISTRY_AUTH=htpasswd" \
  -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" \
  -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd \
  registry

4.登錄docker login -u libaojia -p 000000 192.168.80.160:5001

docker tag 192.168.80.160:5000/busybox:latest 192.168.80.160:5001/busybox
docker push 192.168.80.160:5001/busybox
curl -u libaojia:000000  http://192.168.80.160:5001/v2/_catalog
{"repositories":["busybox"]}

參考文檔docker Doc
docker私有倉(cāng)庫(kù)搭建并且配置倉(cāng)庫(kù)認(rèn)證

自簽發(fā)證書和賬戶密碼驗(yàn)證

1. mkdir -p certs
   openssl req -newkey rsa:2048 -nodes -sha256 -keyout certs/domain.key -x509 -days 365 -out certs/domain.crt
   2.生成自簽發(fā)證書,修改hosts 本機(jī)ip registry.domain.com

Generating a 2048 bit RSA private key
...+++
....+++
writing new private key to 'certs/domain.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:libaojia
Locality Name (eg, city) [Default City]:tianjin
Organization Name (eg, company) [Default Company Ltd]:wisedu
Organizational Unit Name (eg, section) []:edu
Common Name (eg, your name or your server's hostname) []:registry.domain.com
Email Address []:

3.docker run --entrypoint htpasswd registry -Bbn username password > /docker-hub/auth/htpasswd
username和password自己設(shè)置
4.啟動(dòng)容器

docker run -dp 5001:5000 --restart=always --name registry1 \
> -v /docker-hub/auth/:/auth \
> -e "REGISTRY_AUTH=htpasswd" \
> -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" \
> -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd \
> -v /docker-hub/registry:/var/lib/registry \
> -v /root/certs:/certs \
> -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt \
> -e REGISTRY_HTTP_TLS_KEY=/certs/domain.key \
> registry

5.讓docker client安裝我們的CA證書,這里需要注意：如果使用自簽署的證書，那么所有要與Registry交互的Docker主機(jī)都需要安裝registry.domain.com的ca.crt(domain.crt)
mkdir -p /etc/docker/certs.d/registry.domain.com:5001
cp certs/domain.crt /etc/docker/certs.d/registry.domain.com:5001/ca.crt
systemctl restart docker
6.docker login registry.domain.com:5001
7.curl -u libaojia:000000 http://192.168.80.160:5001/v2/_catalog
參考文檔
docker搭建私有倉(cāng)庫(kù)办龄、自簽發(fā)證書、登錄認(rèn)證