Docker private repository and securing docker registry
- Category: Computer-related
- Last Updated: Sunday, 11 June 2017 22:06
- Published: Thursday, 08 June 2017 16:49
- Written by sam
Docker private repository securing docker registry
Once you start using Docker, sooner or later you want a repository of your own: pulling images is faster, and the risk of leaking self-built images to the outside is lower.
Setting up the registry itself is skipped here...
Let's deal with the error messages instead.
The environment is a Debian VM on Proxmox, with Docker installed and the registry image running.
First, tag the image:
docker tag registry 10.0.252.111:5000/registry
Then pull from the self-hosted repository:
sudo docker pull 10.0.252.111:5000/registry
This usually fails:
Using default tag: latest
Error response from daemon: Get https://10.0.252.111:5000/v1/_ping: http: server gave HTTP response to HTTPS client
At this point the quick fix is to edit the Docker daemon configuration directly. That is fast, but every client has to be changed:
--insecure-registry 10.0.252.111:5000
Let's try a different approach, which requires a key and certificate.
I already have one, so I skip this step; if you need one, refer to the following.
This is a quick, non-standard way to generate a self-signed key and certificate (note that it writes domain.key/domain.crt, while the commands below use debian.key/debian.crt; adjust the names accordingly):
openssl req \
-newkey rsa:4096 -nodes -sha256 \
-keyout /certs/domain.key \
-x509 -days 30678 \
-out /certs/domain.crt
With the key generated, start the registry with the following command (remember to mount the directories from the host):
docker run -d -p 5000:5000 --restart=always --name registry -v /certs:/certs -v /dockerimage:/var/lib/registry -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/debian.crt -e REGISTRY_HTTP_TLS_KEY=/certs/debian.key registry
Check that it started correctly:
root@debian:/# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
61c1548c12e2 registry "/entrypoint.sh /e..." 6 minutes ago Up 5 minutes 0.0.0.0:5000->5000/tcp registry
Pull a small image to test with:
root@debian:/# docker pull hello-world
Tag it:
root@debian:/# docker tag hello-world debian:5000/hello-world:0608
Try pushing:
root@debian:/# docker push debian:5000/hello-world:0608
The push refers to a repository [debian:5000/hello-world]
98c944e98de8: Pushed
0608: digest: sha256:2075ac87b043415d35bb6351b4a59df19b8ad154e578f7048335feeb02d0f759 size: 524
Check that it was really pushed to the host (note that -k disables certificate verification here; it is only a connectivity check):
root@debian:/# curl -v -k -X GET https://debian:5000/v2/hello-world/tags/list
{"name":"hello-world","tags":["0608"]}
Check that files were created in the mounted directory:
root@debian: ls /dockerimage/docker/registry/v2/repositories/hello-world
_layers _manifests _uploads
Done.
Situation:
x509: certificate signed by unknown authority
root@mesos-s2:~# docker pull debian:5000/hello-world:0611
Error response from daemon: Get https://debian:5000/v1/_ping: x509: certificate signed by unknown authority
scp the .crt to the client:
root@mesos-s2:~# scp <user>@10.0.252.111:/tmp/debian.crt ./
The authenticity of host '10.0.252.111 (10.0.252.111)' can't be established.
ECDSA key fingerprint is 6b:8c:3e:44:6c:fe:43:ef:c7:d7:a0:73:a3:b8:52:39.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.0.252.111' (ECDSA) to the list of known hosts.
<user>@10.0.252.111's password:
debian.crt 100% 2017 2.0KB/s 00:00
Move it into place and run update-ca-certificates:
root@mesos-s2:~# mkdir -p /usr/local/share/ca-certificates/
root@mesos-s2:~# cp debian.crt /usr/local/share/ca-certificates/
root@mesos-s2:~# rm debian.crt
root@mesos-s2:~# update-ca-certificates
Updating certificates in /etc/ssl/certs... 1 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d....done.
Restart docker.service and test the pull:
root@mesos-s2:~# systemctl restart docker.service
root@mesos-s2:~# docker pull debian:5000/hello-world:0611
0611: Pulling from hello-world
983bfa07a342: Pull complete
Digest: sha256:2075ac87b043415d35bb6351b4a59df19b8ad154e578f7048335feeb02d0f759
Status: Downloaded newer image for debian:5000/hello-world:0611
root@mesos-s2:~# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
httpd latest e0645af13ada 4 weeks ago 177MB
mesosphere/marathon-lb latest 08e0c402b5c2 7 weeks ago 229MB
debian:5000/hello-world 0611 48b5124b2768 4 months ago 1.84kB
done.
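As an added example (not part of the original post), the shell functions below cover both halves of the procedure above: generating the self-signed registry certificate non-interactively, and trusting it on a client. Instead of the system-wide update-ca-certificates step, trust is scoped to one registry through Docker's per-registry directory /etc/docker/certs.d/<host>:<port>/ca.crt, which needs no daemon restart. Assumed: registry host "debian" on port 5000, OpenSSL 1.1.1 or newer; the DOCKER_CERTS_DIR override exists only so the functions can be exercised outside /etc.

```shell
#!/usr/bin/env bash
# Added example, not code from the original post.
# Assumptions: registry host "debian", port 5000, OpenSSL >= 1.1.1.
set -eu

# Generate key + self-signed cert with a subjectAltName. Modern Docker (Go TLS)
# ignores the CN and requires the registry hostname in the SAN.
gen_registry_cert() {
  local dir="$1" host="$2"
  mkdir -p "$dir"
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -subj "/CN=$host" -addext "subjectAltName=DNS:$host" \
    -keyout "$dir/$host.key" -out "$dir/$host.crt" 2>/dev/null
  chmod 600 "$dir/$host.key"   # private key stays readable by root only
}

# Trust the cert for ONE registry only: Docker reads
# $DOCKER_CERTS_DIR/<host>:<port>/ca.crt (default /etc/docker/certs.d).
# No update-ca-certificates and no 'systemctl restart docker' needed.
install_registry_ca() {
  local crt="$1" host="$2" port="$3"
  local dest="${DOCKER_CERTS_DIR:-/etc/docker/certs.d}/$host:$port"
  mkdir -p "$dest"
  install -m 644 "$crt" "$dest/ca.crt"
  printf '%s\n' "$dest/ca.crt"
}

# Check that a cert chains to the trusted CA file AND names the expected host.
# Returns 0 on success, 1 otherwise. This is what 'curl -k' skips entirely.
verify_registry_cert() {
  local ca="$1" crt="$2" host="$3" text
  openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1 || return 1
  text=$(openssl x509 -in "$crt" -noout -text 2>/dev/null) || return 1
  printf '%s\n' "$text" | grep -qw "DNS:$host" || return 1
}
```

After installing, replace the `curl -k` check with `curl --cacert /etc/docker/certs.d/debian:5000/ca.crt https://debian:5000/v2/_catalog` so the request actually verifies the registry's certificate.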