
(Part 2): Setting up docker registry2

1. Environment

[root@localhost docker.registry:5000]# cat /etc/redhat-release 
Red Hat Enterprise Linux Server release 7.3 (Maipo)
[root@localhost docker.registry:5000]# docker version
Client:
 Version:         1.13.1
 API version:     1.26
 Package version: docker-1.13.1-63.git94f4240.el7.centos.x86_64
 Go version:      go1.9.4
 Git commit:      94f4240/1.13.1
 Built:           Fri May 18 15:44:33 2018
 OS/Arch:         linux/amd64

Server:
 Version:         1.13.1
 API version:     1.26 (minimum version 1.12)
 Package version: docker-1.13.1-63.git94f4240.el7.centos.x86_64
 Go version:      go1.9.4
 Git commit:      94f4240/1.13.1
 Built:           Fri May 18 15:44:33 2018
 OS/Arch:         linux/amd64
 Experimental:    false

2. Setup options

  1. Registry without authentication
  2. Registry with HTTPS (TLS) authentication
  3. Registry with username/password login

3. Setup steps:

3.1 Registry without authentication

Pull the image:

docker pull registry:2.6.2

Start it without authentication:

docker run -d -p 5000:5000  --name registry2-noauth --restart=always  -v /usr/local/docker/registry/auth/:/auth/  -v /usr/local/docker/registry/:/var/lib/registry/ registry:2.6.2
--restart=always: the container is started automatically whenever the docker daemon restarts

Client configuration to allow a registry without HTTPS

  1. Edit /etc/docker/daemon.json
[root@localhost ~]# echo '{ "insecure-registries":["172.16.1.146:5000"] }' > /etc/docker/daemon.json
[root@localhost ~]# cat /etc/docker/daemon.json
{ "insecure-registries":["172.16.1.146:5000"] }
  2. Restart docker
[root@localhost ~]# service docker restart

insecure-registries makes the docker daemon fall back to plain HTTP for the listed host, so only registries on a trusted network belong there. Without this setting, the client fails with:
Error response from daemon: Get https://172.16.1.146:5000/v1/_ping: http: server gave HTTP response to HTTPS client

Usage:

  • Tag the image and push it

Use docker tag to tag an image. The format is:
172.16.1.146:5000/registry:2.6.2, where 172.16.1.146 is the address of the local registry, 5000 is the registry port, registry is the image name and 2.6.2 is the tag (version).
172.16.1.146 can be a local IP address or a domain name, e.g. www.xxx.net

[root@gitlab conf]# docker tag docker.io/registry:2.6.2  172.16.1.146:5000/registry:2.6.2

Once tagged, the local image list contains an image with the new name; that is the image we push.

  • Push the image to the registry
[root@localhost local]# docker push 172.16.1.146:5000/registry:2.6.2
The push refers to a repository [172.16.1.146:5000/registry]
9113493eaae1: Pushed 
621c2399d41a: Pushed 
59e80739ed3f: Pushed 
febf19f93653: Pushed 
e53f74215d12: Pushed 
2.6.2: digest: sha256:feb40d14cd33e646b9985e2d6754ed66616fedb840226c4d917ef53d616dcd6c size: 1364
  • Check whether the image exists

API
- List all repositories

GET http://127.0.0.1:5000/v2/_catalog
{"repositories":["mongo","registry"]}

  • List all tags of an image
GET http://127.0.0.1:5000/v2/registry/tags/list
{"name":"registry","tags":["2.6.2","2.6.3"]}

registry is the image name; the output shows the image was pushed successfully.

  • Pull the image from the private registry
[root@localhost local]# docker pull 172.16.1.146:5000/registry:2.6.2
Trying to pull repository 172.16.1.146:5000/registry ... 
2.6.2: Pulling from 172.16.1.146:5000/registry
Digest: sha256:feb40d14cd33e646b9985e2d6754ed66616fedb840226c4d917ef53d616dcd6c
Status: Downloaded newer image for 172.16.1.146:5000/registry:2.6.2
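As an added example (not from the original post), the existence check above done programmatically: a small Python client for the two v2 endpoints, with optional basic auth for the htpasswd registry of section 3.3 and a CA file for the self-signed certificate of section 3.2. The function names and the in-process stand-in registry with its image list are my own constructions so that the example runs offline.

```python
import base64, json, ssl, threading, urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

def registry_get(base_url, path, user=None, password=None, cafile=None):
    """GET a registry v2 endpoint and return its JSON body.
    user/password add HTTP basic auth (section 3.3); cafile trusts the
    self-signed certificate of section 3.2 instead of the system store."""
    req = urllib.request.Request(base_url.rstrip("/") + path)
    if user is not None:
        token = base64.b64encode(f"{user}:{password}".encode()).decode()
        req.add_header("Authorization", "Basic " + token)
    ctx = ssl.create_default_context(cafile=cafile) if cafile else None
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return json.load(resp)

def image_exists(base_url, name, tag, **auth):
    """True when <name>:<tag> is present: /v2/_catalog first, then
    /v2/<name>/tags/list, the two endpoints used on this page."""
    catalog = registry_get(base_url, "/v2/_catalog", **auth)
    if name not in catalog.get("repositories", []):
        return False
    tags = registry_get(base_url, f"/v2/{name}/tags/list", **auth)
    return tag in (tags.get("tags") or [])  # "tags" is null for empty repos

# Constructed stand-in for a registry (assumed data) so the example runs offline.
FAKE = {"registry": ["2.6.2", "2.6.3"], "mongo": ["3.6"]}

class FakeRegistry(BaseHTTPRequestHandler):
    def do_GET(self):
        if self.path == "/v2/_catalog":
            body = {"repositories": sorted(FAKE)}
        elif self.path.startswith("/v2/") and self.path.endswith("/tags/list"):
            name = self.path[len("/v2/"):-len("/tags/list")]
            if name not in FAKE:
                self.send_error(404); return
            body = {"name": name, "tags": FAKE[name]}
        else:
            self.send_error(404); return
        data = json.dumps(body).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)
    def log_message(self, *args): pass  # silence per-request logging

def start_fake_registry():
    srv = HTTPServer(("127.0.0.1", 0), FakeRegistry)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return f"http://127.0.0.1:{srv.server_port}"
```

Against the real htpasswd-protected registry a missing or wrong credential surfaces as urllib.error.HTTPError with status 401; against the TLS registry pass cafile=/usr/local/docker/registry/certs/docker.registry.crt and an https:// base URL.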

3.2 Registry with HTTPS (TLS) authentication:

Note: the client does not need the insecure-registries setting for this one.
  • Create the key
mkdir -p /usr/local/docker/registry/certs/
cd /usr/local/docker/registry/certs/
openssl genrsa -out docker.registry.key 2048
  • Create the certificate
openssl req -newkey rsa:4096 -nodes -sha256 -keyout docker.registry.key -x509 -days 365 -out docker.registry.crt
Note: -newkey generates a fresh 4096-bit key and overwrites the docker.registry.key from the previous step, so that step is redundant. The Common Name must be the hostname clients will use (docker.registry here); Docker builds on Go 1.15 or later also require that name as a subjectAltName, which OpenSSL 1.1.1 or later can add with -addext "subjectAltName=DNS:docker.registry".
An example of filling in the prompts:
[root@localhost certs]# openssl req -newkey rsa:4096 -nodes -sha256 -keyout docker.registry.key -x509 -days 365 -out docker.registry.crt
Generating a 4096 bit RSA private key
...........................................................................................++
.............................++
writing new private key to 'docker.registry.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:86
State or Province Name (full name) []:Anhui
Locality Name (eg, city) [Default City]:Hefei
Organization Name (eg, company) [Default Company Ltd]:xxxx
Organizational Unit Name (eg, section) []:xxxx
Common Name (eg, your name or your server's hostname) []:docker.registry
Email Address []:[email protected]
  • Check the certificate's validity period.
[root@localhost docker.registry:5000]# openssl x509 -in docker.registry.crt -noout -dates
notBefore=Jul  5 06:58:36 2018 GMT
notAfter=Jul  5 06:58:36 2019 GMT
  • Add it to docker's trust store

Because this is a self-signed certificate, Docker does not trust it by default, so the certificate must be placed in Docker's per-registry certificate directory. On CentOS 7 that path is:

mkdir -p /etc/docker/certs.d/docker.registry:5000
cp /usr/local/docker/registry/certs/docker.registry.crt /etc/docker/certs.d/docker.registry:5000/
docker.registry:5000 is the hostname and port actually used to access the registry
  • Start
docker run -d -p 5000:5000 --name registry2-sslauth    -v /usr/local/docker/registry/certs/:/certs/  -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/docker.registry.crt  -e REGISTRY_HTTP_TLS_KEY=/certs/docker.registry.key -v /usr/local/docker/registry/:/var/lib/registry/ registry:2.6.2
  • Verify:
docker tag docker.io/registry:2.6.2  docker.registry:5000/registry:2.6.2
docker push docker.registry:5000/registry:2.6.2
docker rmi  docker.registry:5000/registry:2.6.2
docker pull docker.registry:5000/registry:2.6.2
The rest works the same; API calls must use https.

3.3 Registry with username/password login

  • Generate the username:password entry
mkdir -p /usr/local/docker/registry/auth
docker run --entrypoint htpasswd registry:2.6.2 -Bbn admin 1qaz\!QAZ  >> /usr/local/docker/registry/auth/htpasswd

The command above creates an entry for the user admin with the password 1qaz!QAZ and appends it to /usr/local/docker/registry/auth/htpasswd; the password is stored in the file as a bcrypt hash (the -B flag), which is the only hash format the registry's htpasswd backend accepts.

  • Start:
docker run -d -p 5000:5000 --name registry2-httpauth  --restart=always  -v /usr/local/docker/registry/auth/:/auth/  -e "REGISTRY_AUTH=htpasswd"  -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm"  -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd -v /usr/local/docker/registry/:/var/lib/registry/ registry:2.6.2
  • HTTP login:
docker login 172.16.1.146:5000
This also needs the insecure-registries client setting; everything else works the same, and API calls must supply the username and password. Note that with this configuration the credentials travel over plain HTTP in a Basic Authorization header; for production, combine the REGISTRY_AUTH variables with the REGISTRY_HTTP_TLS_* settings from 3.2 so that login happens over TLS.
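An added example (my own code, not part of the original post) that checks an htpasswd file before the container from this section is started: the registry only accepts bcrypt entries, so lines produced without -B (md5, SHA or crypt hashes) would silently lock the user out. The function name, the minimum work factor and the sample file contents are assumptions; the hash values in the sample are constructed and not real hashes of any password.

```python
import re

# bcrypt entry: $2a$/$2b$/$2y$, two-digit cost, then 22-char salt + 31-char hash
BCRYPT_RE = re.compile(r"^\$2[aby]\$(\d\d)\$[./A-Za-z0-9]{53}$")

def check_htpasswd(text, min_cost=5):
    """Return (line_no, problem) for every line the registry cannot use.
    min_cost is the lowest acceptable bcrypt work factor; htpasswd -B
    defaults to cost 5."""
    problems = []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue  # blank lines and comments are ignored
        if ":" not in line:
            problems.append((n, "missing ':' separator")); continue
        user, _, hashed = line.partition(":")
        if not user:
            problems.append((n, "empty user name")); continue
        m = BCRYPT_RE.match(hashed)
        if not m:
            problems.append((n, f"user {user}: hash is not bcrypt")); continue
        if int(m.group(1)) < min_cost:
            problems.append((n, f"user {user}: bcrypt cost {m.group(1)} below {min_cost}"))
    return problems

# Constructed sample: one good entry, one md5 (htpasswd -m) entry, one
# bcrypt entry with a low cost, and one malformed line.
SAMPLE = """admin:$2y$05$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZ0123.
legacy:$apr1$saltsalt$abcdefghijklmnopqrstuv
weak:$2y$04$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZ0123.
broken-line
"""

if __name__ == "__main__":
    for line_no, problem in check_htpasswd(SAMPLE):
        print(f"line {line_no}: {problem}")
```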