At this point anyone can push to or pull from the registry, and once more people are involved, having every one of them tweak their own daemon config gets annoying too.
So we can put a certificate on it. But first you need a domain name pointing at the host...

Before long, the domain resolved.
Creating the SSL certificate is a hassle as well.
Step 1. Create the CA private key and its CSR. (I just hit Enter through all the prompts.)
openssl genrsa -out "root-ca.key" 4096
openssl req -new -key "root-ca.key" -out "root-ca.csr" -sha256

Step 2. Create a new config file for the root certificate, root-ca.cnf:
[root_ca]
basicConstraints = critical,CA:TRUE,pathlen:1
keyUsage = critical, nonRepudiation, cRLSign, keyCertSign
subjectKeyIdentifier=hash
Step 3. Self-sign the root certificate (valid ten years).
openssl x509 -req -days 3650 -in "root-ca.csr" -signkey "root-ca.key" -sha256 -out "root-ca.crt" -extfile "root-ca.cnf" -extensions root_ca

Step 4. Generate the site private key. (Don't copy my domain.)
openssl genrsa -out "docker.lijingquan.net.key" 4096

Step 5. Generate the certificate signing request (CSR) for the site. (More hitting Enter.)
openssl req -new -key "docker.lijingquan.net.key" -out "site.csr" -sha256
One caveat: if you hit Enter through both CSRs, the CA and the site certificate end up with the identical default subject. Answer at least the Common Name prompt with the domain so the issuer and subject DNs differ and the two certificates are easy to tell apart. (Clients match the host against subjectAltName, set in the next step, not against the CN.)

Step 6. Configure the certificate extensions in a new site.cnf file. The subjectAltName line is the one that matters for clients; put your own domain and IP there.
[server]
authorityKeyIdentifier=keyid,issuer
basicConstraints = critical,CA:FALSE
extendedKeyUsage=serverAuth
keyUsage = critical, digitalSignature, keyEncipherment
subjectAltName = DNS:docker.lijingquan.net, IP:173.255.197.12
subjectKeyIdentifier=hash

Step 7. Issue the site certificate, signed by the CA (valid a bit over two years).
openssl x509 -req -days 750 -in "site.csr" -sha256 -CA "root-ca.crt" -CAkey "root-ca.key" -CAcreateserial -out "docker.lijingquan.net.crt" -extfile "site.cnf" -extensions server
Step 8. Put the two resulting files (docker.lijingquan.net.crt and docker.lijingquan.net.key) into an ssl folder. (I recommend /etc/docker/registry/ssl/, which is where the registry config below expects them; with the docker-compose mount used later, that is the ssl subfolder of the directory holding config.yml.) Only root-ca.crt needs to leave the signing machine, for clients to trust; keep root-ca.key out of the registry directory altogether.

Inside the container, /etc/docker/registry/config.yml is the configuration file, but we can't edit it in place. Create a config.yml outside the container and bind-mount it in. (Adjust it to your situation.)
version: 0.1
log:
  accesslog:
    disabled: true
  level: debug
  formatter: text
  fields:
    service: registry
    environment: staging
storage:
  delete:
    enabled: true
  cache:
    blobdescriptor: inmemory
  filesystem:
    rootdirectory: /var/lib/registry
auth:
  htpasswd:
    realm: basic-realm
    path: /etc/docker/registry/auth/nginx.htpasswd
http:
  addr: :443
  host: https://docker.domain.com
  headers:
    X-Content-Type-Options: [nosniff]
  http2:
    disabled: false
  tls:
    certificate: /etc/docker/registry/ssl/docker.lijingquan.net.crt
    key: /etc/docker/registry/ssl/docker.lijingquan.net.key
health:
  storagedriver:
    enabled: true
    interval: 10s
    threshold: 3
Two things to change before using this: http.host is still the placeholder https://docker.domain.com and must be the real externally reachable URL, since the registry uses it to build the URLs it hands back to clients; and log.level: debug is fine while you are setting up but noisy afterwards.
Then create an auth folder, and generate the password file into it. (Remember to replace the username and password; -B selects bcrypt, which is the only hash the registry accepts.)
docker run --rm --entrypoint htpasswd registry -Bbn username password > auth/nginx.htpasswd
Note that newer registry images no longer ship the htpasswd binary; the Docker documentation now runs it from the httpd:2 image instead, with the same arguments.

Create docker-compose.yml. (I don't fully understand this either, just going with it for now.) The first volume mounts the current directory, containing config.yml, ssl/ and auth/, over /etc/docker/registry in the container, which is how the container ends up using our config; the second is a named volume for the image data.
version: '2'
services:
  registry:
    image: registry
    ports:
      - "443:443"
    volumes:
      - ./:/etc/docker/registry
      - registry-data:/var/lib/registry
volumes:
  registry-data:
An untagged image: registry means whatever latest happens to be; pin a tag (for instance registry:2) if you want the same registry after the next pull.
Tried to start it and found a component was missing.
apt-get install docker-compose
docker-compose up -d

Current directory structure:

I had logged in to Docker Hub earlier, so: docker logout, then docker login docker.lijingquan.net, and then tragedy: the usual self-signed-certificate problem.

What else can you do but trust it. Then restart the Docker daemon, restart the registry container, and logging in works.
echo -n | openssl s_client -showcerts -connect docker.lijingquan.net:443 2>/dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' >> /etc/ssl/certs/ca-certificates.crt
Two caveats on this shortcut. It appends whatever the server presents (here the leaf certificate, since the registry only serves that one) to the system bundle, and /etc/ssl/certs/ca-certificates.crt is regenerated by update-ca-certificates, so the entry can silently disappear on the next package update. Docker's own mechanism is cleaner: copy root-ca.crt (the CA, not the leaf) to /etc/docker/certs.d/docker.lijingquan.net/ca.crt on each client; the daemon picks it up without a restart, and certificates you issue later from the same CA are trusted automatically.

Everything else works the same as before... (An open registry was so much easier.)
I think I also ran into an nginx 403 problem, something about a file being too large...