How to build a private Docker registry server
- 2020-11-25 07:41:31
- OfStack
So far, Docker's official registry image comes in two versions: v2 and everything before v2, which I call v1. v1 is written in Python, while v2 is written in Go, and their APIs are not the same. This article builds a private Docker registry on each version, with SSL and login authentication.
registry (v2)
Environment: 172.16.71.52 (CentOS 7, Docker 1.8)
First download the image
docker pull registry:2
Create a certificate
mkdir -p certs && openssl req \
-newkey rsa:4096 -nodes -sha256 -keyout certs/domain.key \
-x509 -days 365 -out certs/domain.crt
Copy domain.crt to the specified directory. 172.16.71.52.xip.io is the domain name of the server hosting the private registry, and 5000 is the registry port number.
mkdir -p /etc/docker/certs.d/172.16.71.52.xip.io:5000
cp certs/domain.crt /etc/docker/certs.d/172.16.71.52.xip.io:5000/ca.crt
Establish login authentication
mkdir auth
docker run --entrypoint htpasswd registry:2 -Bbn your_username your_password > auth/htpasswd
Restart docker
systemctl restart docker
Start the registry
docker run -d -p 5000:5000 --restart=always --name registry \
-v `pwd`/auth:/auth \
-e "REGISTRY_AUTH=htpasswd" \
-e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" \
-e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd \
-v `pwd`/certs:/certs \
-e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt \
-e REGISTRY_HTTP_TLS_KEY=/certs/domain.key \
registry:2
Log in first, then push
docker login 172.16.71.52.xip.io:5000
docker tag redis 172.16.71.52.xip.io:5000/redis
docker push 172.16.71.52.xip.io:5000/redis
Check that the image made it into the private registry we built
# Locate the externally mounted directory
docker inspect --format '{{json .Mounts}}' registry
# The pushed images are all stored here
cd /tmp/data/docker/registry/v2/repositories
Here are some things to note:
1. When creating the certificate, the Common Name should be the domain name of the machine where the registry runs. I failed the test with IP.
2. Before docker run, make sure that port 5000 is not already in use. After a successful startup, use docker logs to check for errors.
3. Run docker login before push and pull.
4. Remember to copy the generated certificate domain.crt to /etc/docker/certs.d/172.16.71.52.xip.io:5000/ca.crt, where 172.16.71.52.xip.io is the domain name of the private server and 5000 is the port the registry exposes.
5. The API has changed in v2: a request to v1/search returns a 404 Not Found error. You can list the contents of the private registry through /v2/_catalog. For the v2 API, see the API specification in the references.
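As an added example (not part of the original article), the script below checks the finished v2 registry from a client: the certificate must verify against the copied ca.crt, anonymous requests to /v2/ must be refused with 401, and the htpasswd login must be able to read /v2/_catalog. The function names and the REG_USER and REG_PASS environment variables are assumptions made for this example.

```shell
#!/usr/bin/env bash
# Added example, not from the original article. REG_USER and REG_PASS are
# assumed environment variables holding the htpasswd login created above.
REGISTRY=${REGISTRY:-172.16.71.52.xip.io:5000}
CA_FILE=${CA_FILE:-/etc/docker/certs.d/$REGISTRY/ca.crt}

# Print the HTTP status code for a URL. The server certificate is verified
# against CA_FILE only; --insecure is deliberately never used.
# Extra arguments after the URL are passed through to curl.
http_status() {
  local url=$1; shift
  curl --silent --output /dev/null --write-out '%{http_code}' \
       --cacert "$CA_FILE" "$@" "$url"
}

# Same request with credentials, supplied as a curl config on stdin so the
# password does not appear in the process list. Assumes the password
# contains no double quote or backslash.
http_status_auth() {
  printf 'user = "%s:%s"\n' "$REG_USER" "$REG_PASS" |
    http_status "$1" --config -
}

# Returns 0 when TLS verifies, anonymous access is refused and the login
# works; 1 when an access check fails; 2 on a TLS or connection error.
check_registry() {
  local base="https://$REGISTRY" anon auth
  anon=$(http_status "$base/v2/") || { echo "FAIL: TLS or connection error"; return 2; }
  if [ "$anon" != 401 ]; then
    echo "FAIL: anonymous /v2/ returned $anon, authentication is not enforced"
    return 1
  fi
  auth=$(http_status_auth "$base/v2/_catalog") || { echo "FAIL: TLS or connection error"; return 2; }
  if [ "$auth" != 200 ]; then
    echo "FAIL: authenticated /v2/_catalog returned $auth"
    return 1
  fi
  echo "OK: TLS verified, anonymous access refused, login accepted"
}

# Usage: REG_USER=... REG_PASS=... ./check-registry.sh run
if [ "${1:-}" = run ]; then check_registry; fi
```

A return code of 2 usually means the Common Name does not match the registry domain (note 1) or ca.crt was not copied to the client (note 4).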
References
https://docs.docker.com/registry/deploying/
https://docs.docker.com/engine/reference/commandline/inspect/
https://docs.docker.com/registry/spec/api/
registry (v1)
The v1 version of the registry is hard to build (maybe I haven't found an elegant way). I found a blog post on the Internet that uses nginx for SSL and login authentication. Thanks to the blogger; you can check it here (I tested it personally and it works).
Set up a Docker intranet private server (with nginx & SSL on CentOS)
Because of the version (Docker 1.8), a copy of the generated root certificate must be added to Docker's designated directory for SSL verification (as described when building v2).
cp /etc/pki/CA/cacert.pem /etc/docker/certs.d/172.16.71.43.xip.io:5000/ca.crt
Note that other hosts accessing the private server must do this as well.