How to build a private Docker registry server

  • 2020-11-25 07:41:31
  • OfStack

So far, the official Docker registry image comes in two versions: v2, and everything before v2, which I call v1. v1 is written in Python, while v2 is written in Go, and their APIs are not the same. This article builds a private Docker registry for each version, with SSL and login authentication.

registry(v2)

Environment: 172.16.71.52 (CentOS 7, Docker 1.8)

First download the image


docker pull registry:2

Create a certificate


mkdir -p certs && openssl req \
 -newkey rsa:4096 -nodes -sha256 -keyout certs/domain.key \
 -x509 -days 365 -out certs/domain.crt

Copy domain.crt to the directory Docker expects. 172.16.71.52.xip.io is the domain name of the server hosting the private registry, and 5000 is the registry's port number.


mkdir -p /etc/docker/certs.d/172.16.71.52.xip.io:5000
cp certs/domain.crt /etc/docker/certs.d/172.16.71.52.xip.io:5000/ca.crt

Set up login authentication


mkdir auth
docker run --entrypoint htpasswd registry:2 -Bbn your_username your_password > auth/htpasswd

Restart docker


systemctl restart docker

Start the registry


docker run -d -p 5000:5000 --restart=always --name registry \
 -v `pwd`/auth:/auth \
 -e "REGISTRY_AUTH=htpasswd" \
 -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" \
 -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd \
 -v `pwd`/certs:/certs \
 -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt \
 -e REGISTRY_HTTP_TLS_KEY=/certs/domain.key \
 registry:2

Log in first, then tag and push an image


 docker login 172.16.71.52.xip.io:5000

 docker tag redis 172.16.71.52.xip.io:5000/redis

 docker push 172.16.71.52.xip.io:5000/redis

Check whether the image landed in the private registry we built


# Locate the externally mounted directory
docker inspect --format '{{json .Mounts}}' registry

# All pushed images are stored here
cd /tmp/data/docker/registry/v2/repositories

Here are some things to note:

1. When creating the certificate, the common name should be the domain name of the machine where the registry runs. My test with an IP address failed.

2. Before docker run, make sure that port 5000 is not occupied. After a successful start, use docker logs to check for errors.

3. Run docker login before push and pull.

4. Remember to copy the generated domain.crt to /etc/docker/certs.d/172.16.71.52.xip.io:5000/ca.crt, where 172.16.71.52.xip.io is the domain name of the private registry and 5000 is the registry's external port.

5. The v2 API has changed: requests to v1/search return 404 not found. You can list the repositories in the private registry through /v2/_catalog. For the v2 API, see the API specification in the references below.
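Notes 1 and 4 can be combined into one check that runs before the certificate is trusted. The following is an added example, not part of the original article: the function names are hypothetical, the subjectAltName entry goes beyond the article's command (current Docker clients match on SAN rather than the common name), and -addext assumes OpenSSL 1.1.1 or later.

```shell
#!/bin/sh
# Added example: function names are assumptions, not from the article.

# Directory where the Docker daemon looks for a registry's CA certificate.
certs_dir_for() {           # $1 = registry host, $2 = port
    printf '/etc/docker/certs.d/%s:%s\n' "$1" "$2"
}

# Create the self-signed certificate non-interactively, with the registry
# domain as common name and as subjectAltName.
make_registry_cert() {      # $1 = host, $2 = output dir, $3 = key bits (default 4096)
    mkdir -p "$2" && openssl req -newkey "rsa:${3:-4096}" -nodes -sha256 \
        -keyout "$2/domain.key" -x509 -days 365 -out "$2/domain.crt" \
        -subj "/CN=$1" -addext "subjectAltName=DNS:$1"
}

# Succeed only if the certificate is valid for the given host name.
# openssl prints "does match" or "does NOT match"; grep decides the result.
cert_matches_host() {       # $1 = certificate file, $2 = host
    openssl x509 -in "$1" -noout -checkhost "$2" 2>&1 \
        | grep -q 'does match certificate'
}

# Copy the certificate to certs.d as ca.crt, refusing a certificate that
# was issued for a different name than the one clients will connect to.
install_registry_ca() {     # $1 = cert, $2 = host, $3 = port, $4 = root prefix (optional)
    if ! cert_matches_host "$1" "$2"; then
        echo "certificate $1 is not valid for $2" >&2
        return 1
    fi
    dest="${4:-}$(certs_dir_for "$2" "$3")"
    mkdir -p "$dest" && cp "$1" "$dest/ca.crt"
}

# Usage on the registry host (run as root):
#   make_registry_cert 172.16.71.52.xip.io certs
#   install_registry_ca certs/domain.crt 172.16.71.52.xip.io 5000
```

Run the install step on every host that pulls from or pushes to the registry, then restart Docker as in the steps above.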

References

https://docs.docker.com/registry/deploying/
https://docs.docker.com/engine/reference/commandline/inspect/
https://docs.docker.com/registry/spec/api/

registry (V1)

The v1 registry is hard to set up (maybe I just haven't found an elegant way). I found a blog post on the Internet that uses nginx for SSL and login authentication. Thanks to the blogger; you can check it here (I tested it myself and it works).

Set up a Docker intranet private server (ES131en-ES132en with nginx & ssl on CentOS)

Because of the Docker version (1.8), a copy of the generated root certificate must also be placed in the directory Docker uses for SSL verification (as described when building v2).


cp /etc/pki/CA/cacert.pem /etc/docker/certs.d/172.16.71.43.xip.io:5000/ca.crt 

Note that this must also be done on any other host that accesses the private registry.

