1. Pull the docker registry image
docker pull registry
2. Create the directories for the certificates and the password file (later steps write into certs/ and auth/)
mkdir -p /home/registry/certs /home/registry/auth
3. Generate the CA certificate
Edit your /etc/ssl/openssl.cnf on the logstash host - add subjectAltName = IP:10.1.10.1 in [v3_ca] section.
Normally a certificate is only valid for access by domain name; to make it valid for access by IP address as well, the openssl.cnf configuration file has to be modified.
On Red Hat 7 the file is located at /etc/pki/tls/openssl.cnf. Add the subjectAltName option to its [ v3_ca ] section:
[ v3_ca ]
subjectAltName = IP:10.1.10.1
Generate the certificate:
openssl req -newkey rsa:4096 -nodes -sha256 \
    -keyout /home/registry/certs/domain.key -x509 \
    -days 365 -out /home/registry/certs/domain.crt
Note: the Common Name should preferably be the registry's domain name.
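As an added example (not part of the original tutorial), the same certificate can be produced without editing openssl.cnf: OpenSSL 1.1.1 and later accept the SAN on the command line via -addext. The script below generates the key pair and certificate with the IP SAN, verifies that the SAN really is present (a missing SAN is the usual reason docker login fails with an "IP address not in certificate" error), and copies the certificate into the client's certs.d layout. The output directory, the certs.d root and the 2048-bit key size (chosen so the demo runs quickly; the tutorial uses 4096) are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original tutorial.
# Assumes openssl >= 1.1.1 (needed for `req -addext`).
set -eu

# gen_registry_cert OUTDIR IP CN
#   Writes OUTDIR/domain.key and OUTDIR/domain.crt, a self-signed certificate
#   whose Subject Alternative Name lists IP so the registry may be reached by
#   address. Equivalent to the tutorial's openssl.cnf edit plus `openssl req`.
gen_registry_cert() {
  outdir=$1; ip=$2; cn=$3
  mkdir -p "$outdir"
  openssl req -newkey rsa:2048 -nodes -sha256 \
    -keyout "$outdir/domain.key" -x509 -days 365 \
    -subj "/CN=$cn" \
    -addext "subjectAltName = IP:$ip" \
    -out "$outdir/domain.crt" 2>/dev/null
}

# cert_has_ip_san CRT IP
#   Returns 0 only if the certificate's SAN extension contains IP.
#   `-text` output lists SAN entries as "IP Address:<ip>".
cert_has_ip_san() {
  openssl x509 -in "$1" -noout -text 2>/dev/null \
    | grep -qF "IP Address:$2"
}

# install_client_ca CRT HOST:PORT [CERTS_ROOT]
#   Places CRT as ca.crt under CERTS_ROOT/HOST:PORT/, the layout the Docker
#   client uses to trust a private registry. CERTS_ROOT defaults to
#   /etc/docker/certs.d; the third argument exists so the demo can use a
#   temporary directory.
install_client_ca() {
  crt=$1; hostport=$2; root=${3:-/etc/docker/certs.d}
  mkdir -p "$root/$hostport"
  cp "$crt" "$root/$hostport/ca.crt"
}
```

Typical use on the registry host: gen_registry_cert /home/registry/certs 10.1.10.1 registry.example.test, then cert_has_ip_san /home/registry/certs/domain.crt 10.1.10.1 before starting the registry, and install_client_ca /home/registry/certs/domain.crt 10.1.10.1:5000 on each client (the chcon step from the tutorial still applies on SELinux systems).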
Set the permissions (SELinux file context) and add the certificate on the client under /etc/docker/certs.d/10.1.10.1:5000/
chcon -Rt svirt_sandbox_file_t /home/registry/certs
mkdir -p /etc/docker/certs.d/10.1.10.1:5000/
cp /home/registry/certs/domain.crt /etc/docker/certs.d/10.1.10.1:5000/ca.crt
4. Generate the username and password file using the registry image
docker run --entrypoint htpasswd registry -Bbn test 1 > /home/registry/auth/htpasswd
chcon -Rt svirt_sandbox_file_t /home/registry/
5. Run the registry with its parameters, including the location of the password file and of the CA certificate. --restart=always makes the container restart automatically.
docker run -d -p 5000:5000 --restart=always --name registry \
    -v /home/registry/auth:/auth \
    -e "REGISTRY_AUTH=htpasswd" \
    -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" \
    -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd \
    -v /home/registry/certs:/certs \
    -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt \
    -e REGISTRY_HTTP_TLS_KEY=/certs/domain.key \
    registry
6. Log in and log out
###vim /etc/hosts
docker login 10.1.10.1:5000 -u user -p password
docker logout 10.1.10.1:5000
7. Add users
docker run --entrypoint htpasswd registry -Bbn Dapeng 123456 >> /home/registry/auth/htpasswd
docker run --entrypoint htpasswd registry -Bbn user123 passwd123 >> /home/registry/auth/htpasswd
There is no need to run docker restart registry.
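As an added example (not part of the original tutorial), a sanity check for the htpasswd file that steps 4 and 7 build. The registry's htpasswd backend only accepts bcrypt hashes, which is why the tutorial always passes -B to htpasswd; an entry hashed with MD5 or SHA (for example one produced by a distribution's htpasswd tool without -B) parses fine but that user can never log in. The check also reports malformed lines and names that appear more than once, which happens when the same user is appended twice with >>. The sample file contents in the usage below are constructed for this demo, and the hash strings are illustrative, not real bcrypt output.

```shell
#!/bin/sh
# Added example, not from the original tutorial.
set -eu

# check_htpasswd FILE
#   Prints one line per problem found and returns 1 if any were found.
#   Accepted entries have the form user:$2a$..., user:$2b$... or user:$2y$...
#   (bcrypt). Blank lines and lines starting with '#' are ignored, matching
#   how the registry's parser treats them.
check_htpasswd() {
  problems=0
  lineno=0
  while IFS= read -r line || [ -n "$line" ]; do
    lineno=$((lineno + 1))
    case "$line" in
      ''|'#'*) continue ;;              # blank or comment line
    esac
    user=${line%%:*}
    hash=${line#*:}
    if [ "$user" = "$line" ] || [ -z "$user" ]; then
      echo "line $lineno: malformed entry (expected user:hash)"
      problems=$((problems + 1))
      continue
    fi
    case "$hash" in
      '$2a$'*|'$2b$'*|'$2y$'*) ;;       # bcrypt: accepted by the registry
      *) echo "line $lineno: user '$user' is not bcrypt-hashed (regenerate with htpasswd -B)"
         problems=$((problems + 1)) ;;
    esac
  done < "$1"

  # Names listed more than once: the later line silently wins, so an
  # operator who meant to rotate a password may be surprised by which
  # entry is live.
  dups=$(grep -v '^#' "$1" | cut -d: -f1 | sort | uniq -d)
  for d in $dups; do
    echo "user '$d' appears more than once"
    problems=$((problems + 1))
  done

  [ "$problems" -eq 0 ]
}
```

Run it against the live file with check_htpasswd /home/registry/auth/htpasswd after every addition; a clean run prints nothing and exits 0.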