The Docker Learning Path: Registry User Management


Right now anyone has permission to operate the registry, and once more people are involved, having each of them edit the configuration becomes a hassle.
We could set up a signed certificate, but first there has to be a domain name pointing at the host...

Before long the domain name was live.
Creating the SSL certificate is a hassle of its own.
Step 1: create the CA private key (I just went through the motions here and pressed Enter at every prompt).

openssl genrsa -out "root-ca.key" 4096
openssl req -new -key "root-ca.key" -out "root-ca.csr" -sha256

Step 2: create the root certificate configuration file, root-ca.cnf.

[root_ca]
basicConstraints = critical,CA:TRUE,pathlen:1
keyUsage = critical, nonRepudiation, cRLSign, keyCertSign
subjectKeyIdentifier=hash

Step 3: sign it.

openssl x509 -req  -days 3650  -in "root-ca.csr" -signkey "root-ca.key" -sha256 -out "root-ca.crt" -extfile "root-ca.cnf" -extensions root_ca

Step 4: generate the site private key (and don't copy my domain name~).

openssl genrsa -out "docker.lijingquan.net.key" 4096


Step 5: generate the certificate signing request (still going through the motions).

openssl req -new -key "docker.lijingquan.net.key" -out "site.csr" -sha256

Step 6: configure the certificate. Create a file named site.cnf.

[server]
authorityKeyIdentifier=keyid,issuer
basicConstraints = critical,CA:FALSE
extendedKeyUsage=serverAuth
keyUsage = critical, digitalSignature, keyEncipherment
subjectAltName = DNS:docker.lijingquan.net, IP:173.255.197.12
subjectKeyIdentifier=hash

Step 7: deploy (sign the site certificate with the CA).

openssl x509 -req -days 750 -in "site.csr" -sha256 -CA "root-ca.crt" -CAkey "root-ca.key" -CAcreateserial -out "docker.lijingquan.net.crt" -extfile "site.cnf" -extensions server

Step 8: put the two resulting files into an ssl folder (I recommend moving them to /etc/docker/registry/ssl/).
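The eight steps above, as an added example that is not code from the original post: the same openssl commands run non-interactively, followed by the checks worth running before the files go into /etc/docker/registry/ssl/. It assumes openssl is installed; the domain and IP are the sample values from the post, passed in as parameters.

```shell
#!/bin/sh
# Added example, not code from the original post: the eight openssl steps above
# run non-interactively, then the checks worth running before copying the files
# into /etc/docker/registry/ssl/. Assumes openssl is installed; the domain and
# IP are the sample values from the post, passed in as parameters.
set -eu

make_registry_certs() {
  dir="$1"; domain="$2"; ip="$3"
  mkdir -p "$dir"
  # Steps 1-3: CA key, CA request, self-signed CA cert with CA:TRUE constraints.
  cat > "$dir/root-ca.cnf" <<'EOF'
[root_ca]
basicConstraints = critical,CA:TRUE,pathlen:1
keyUsage = critical, nonRepudiation, cRLSign, keyCertSign
subjectKeyIdentifier=hash
EOF
  openssl genrsa -out "$dir/root-ca.key" 4096 2>/dev/null
  openssl req -new -key "$dir/root-ca.key" -out "$dir/root-ca.csr" -sha256 -subj "/CN=registry-root-ca"
  openssl x509 -req -days 3650 -in "$dir/root-ca.csr" -signkey "$dir/root-ca.key" -sha256 \
    -out "$dir/root-ca.crt" -extfile "$dir/root-ca.cnf" -extensions root_ca 2>/dev/null
  # Steps 4-7: site key and request, then the leaf cert carrying the SAN that
  # modern Docker clients match against (they ignore the CN).
  cat > "$dir/site.cnf" <<EOF
[server]
authorityKeyIdentifier=keyid,issuer
basicConstraints = critical,CA:FALSE
extendedKeyUsage=serverAuth
keyUsage = critical, digitalSignature, keyEncipherment
subjectAltName = DNS:$domain, IP:$ip
subjectKeyIdentifier=hash
EOF
  openssl genrsa -out "$dir/$domain.key" 4096 2>/dev/null
  openssl req -new -key "$dir/$domain.key" -out "$dir/site.csr" -sha256 -subj "/CN=$domain"
  openssl x509 -req -days 750 -in "$dir/site.csr" -sha256 -CA "$dir/root-ca.crt" \
    -CAkey "$dir/root-ca.key" -CAcreateserial -out "$dir/$domain.crt" \
    -extfile "$dir/site.cnf" -extensions server 2>/dev/null
}

# Returns 0 only if the leaf chains to our CA, is not itself a CA, and names the
# registry host in its SAN; any of these failing means docker login will reject it.
check_registry_certs() {
  dir="$1"; domain="$2"
  openssl verify -CAfile "$dir/root-ca.crt" "$dir/$domain.crt" >/dev/null 2>&1 || return 1
  text=$(openssl x509 -in "$dir/$domain.crt" -noout -text)
  echo "$text" | grep -q 'CA:FALSE' || return 1
  echo "$text" | grep -q "DNS:$domain" || return 1
}
```

On the client side, Docker also reads a per-registry CA from /etc/docker/certs.d/docker.lijingquan.net/ca.crt, so root-ca.crt can be dropped there instead of being appended to the system bundle, which distribution tools may regenerate.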

Inside the container, /etc/docker/registry/config.yml is the configuration file, but we cannot edit it in place. Create a config.yml outside the container and bind-mount it in (adjust it to your own situation).

version: 0.1
log:
  accesslog:
    disabled: true
  level: debug
  formatter: text
  fields:
    service: registry
    environment: staging
storage:
  delete:
    enabled: true
  cache:
    blobdescriptor: inmemory
  filesystem:
    rootdirectory: /var/lib/registry
auth:
  htpasswd:
    realm: basic-realm
    path: /etc/docker/registry/auth/nginx.htpasswd
http:
  addr: :443
  host: https://docker.domain.com
  headers:
    X-Content-Type-Options: [nosniff]
  http2:
    disabled: false
  tls:
    certificate: /etc/docker/registry/ssl/docker.lijingquan.net.crt
    key: /etc/docker/registry/ssl/docker.lijingquan.net.key
health:
  storagedriver:
    enabled: true
    interval: 10s
    threshold: 3

Create an auth folder as well (remember to replace the username and password).

docker run --rm --entrypoint htpasswd registry -Bbn username password > auth/nginx.htpasswd

Create docker-compose.yml (I don't fully understand this part either; just doing it for now).

version: '2'
services:
  registry:
    image: registry
    ports:
      - "443:443"
    volumes:
      - ./:/etc/docker/registry
      - registry-data:/var/lib/registry
volumes:
  registry-data:

Tried to start it and found a component was missing.

apt-get install docker-compose
docker-compose up -d

The directory structure now.

I had logged in to Docker Hub earlier, so: docker logout, then docker login docker.lijingquan.net, and then disaster, the usual problem with self-signed certificates.

What else can you do but trust it. Then restart the Docker service and restart the registry container, and you can log in.

echo -n | openssl s_client -showcerts -connect docker.lijingquan.net:443 2>/dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' >> /etc/ssl/certs/ca-certificates.crt

Everything else works the same as before... (an open Docker registry is still nicer.)
I also seem to have hit an nginx 403 problem, something about the file being too large...
