这是我在内部部署Docker Registry时记录下来的笔记,操作环境是Centos 7、Docker 18.06.1-ce
1、运行registry
我当前所使用的主机的IP是192.168.1.249,工作目录在:/data/docker/registry,
- # docker run -d -p 5000:5000 --restart always --name registry
- -v /data/docker/registry/data:/var/lib/registry registry:2
此时访问,http://192.168.1.249:5000/v2/_catalog ,返回正常(空json对象),证明部署成功。
2、测试提交镜像
- # docker pull nginx:alpine
- # docker tag nginx:alpine 192.168.1.249:5000/nginx-alpine
- # docker push 192.168.1.249:5000/nginx-alpine
实际不成功,返回错误如下:
- The push refers to repository [192.168.1.249:5000/nginx-alpine]
- Get https://192.168.1.249:5000/v2/: http: server gave HTTP response to HTTPS client
查看文档得知,在配置文件中添加insecure-registries然后重启docker即可,如下:
- # vim /etc/docker/daemon.json
- {
- "insecure-registries": [ "192.168.1.249:5000"]
- }
- # systemctl restart docker
此时再push果然成功,除了使用配置文件,下面来配置使用自签名证书。
3、使用自签名证书
生成证书要使用域名,我这里定为:registry.docker.local,(不用域名,直接用IP的话,要修改openssl配置文件,建议用域名)
- # mkdir -p /data/docker/registry/certs
- # openssl req
- -newkey rsa:4096 -nodes -sha256 -keyout /data/docker/registry/certs/domain.key
- -x509 -days 365 -out /data/docker/registry/certs/domain.crt
生成证书时要输入一些信息,注意Common Name要输入你使用的域名,其它可直接回车,如下:
- Country Name (2 letter code) [XX]:
- State or Province Name (full name) []:
- Locality Name (eg, city) [Default City]:
- Organization Name (eg, company) [Default Company Ltd]:
- Organizational Unit Name (eg, section) []:
- Common Name (eg, your name or your server's hostname) []:registry.docker.local
- Email Address []:
启动容器(相关参数按情况调整下,如你可使用443端口,这样在后续就不用带5000这个端口),如下:
- # docker run -d
- --restart=always
- --name registry
- -v /data/docker/registry/data:/var/lib/registry
- -v /data/docker/registry/certs:/certs
- -e REGISTRY_HTTP_ADDR=0.0.0.0:5000
- -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt
- -e REGISTRY_HTTP_TLS_KEY=/certs/domain.key
- -p 5000:5000
- registry:2
4、测试使用
注意,由于是随便自定义的域名,记得先把域名 registry.docker.local添加到/etc/hosts文件,
- # docker tag nginx:alpine registry.docker.local:5000/nginx-alpine
- # docker push registry.docker.local:5000/nginx-alpine
此时报错,如下:
- The push refers to repository [registry.docker.local:5000/nginx-alpine]
- Get https://registry.docker.local:5000/v2/: x509: certificate signed by unknown authority
看文档,得知要把 domain.crt 文件放到 /etc/docker/certs.d/registry.docker.local:5000/ca.crt ,(注意,你在哪台机做push操作,就放到哪台机呀)
- # mkdir -p /etc/docker/certs.d/registry.docker.local:5000
- # cp xxx/domain.crt /etc/docker/certs.d/registry.docker.local:5000/
这时候再push就成功了,如下:
- # docker push registry.docker.local:5000/nginx-alpine
- The push refers to repository [registry.docker.local:5000/nginx-alpine]
- a83dbde6ba05: Layer already exists
- 431a5c7929dd: Layer already exists
- 39e8483b9882: Layer already exists
- df64d3292fd6: Layer already exists
- latest: digest: sha256:57a94fc99816c6aa225678b738ac40d85422e75dbb96115f1bb9b6ed77176166 size: 1153
访问 https://registry.docker.local:5000/v2/_catalog,也看到结果,如下:
- # curl https://registry.docker.local:5000/v2/_catalog --insecure
- {"repositories":["nginx-alpine"]}
看来自定义证书还很不方便,可以使用免费证书:https://letsencrypt.org (Let's Encrypt)
参考:
https://docs.docker.com/registry/deploying/
https://docs.docker.com/registry/insecure/#deploy-a-plain-http-registry