For other hosts to be able to access the Docker registry, it must be served over HTTPS.

```
registry_data_dir=~/docker_registry/data
cert_dir=~/docker_registry/certs
signdomain=mycert

# Create the certificate
mkdir -p ${cert_dir}
openssl req -nodes -subj "/C=CN/ST=BeiJing/L=BeiJing/CN=$signdomain" -newkey rsa:4096 -keyout ${cert_dir}/$signdomain.key -out ${cert_dir}/${signdomain}.csr
openssl x509 -req -days 3650 -in ${cert_dir}/$signdomain.csr -signkey ${cert_dir}/${signdomain}.key -out ${cert_dir}/$signdomain.crt

# Pull the registry image from Docker Hub and start it
mkdir -p ${registry_data_dir}
docker run -d -p 15000:5000 --restart=always --name registry \
  -v ${registry_data_dir}:/var/lib/registry \
  -v ${cert_dir}:/certs \
  -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/${signdomain}.crt \
  -e REGISTRY_HTTP_TLS_KEY=/certs/${signdomain}.key \
  registry:2
```
To stop the registry container and remove it:

```
docker stop registry && docker rm -v registry
```
Pull the latest CentOS 7 image:

```
docker pull centos:7.3.1611
```
Add a tag to the CentOS 7 image:

```
docker tag centos:7.3.1611 127.0.0.1:15000/centos:7.3

# One more image now appears in the list
[root@103-17-184-lg-201-k08 data]# docker images
REPOSITORY                                     TAG        IMAGE ID       CREATED        SIZE
docker.io/registry                             2          047218491f8c   4 weeks ago    33.17 MB
103-17-184-lg-201-k08.yidian.com:5000/centos   7.3        67591570dd29   3 months ago   191.8 MB
docker.io/centos                               7.3.1611   67591570dd29   3 months ago   191.8 MB
```
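The docker push command only supports HTTPS. The registry started earlier serves HTTPS with a self-signed certificate, so for Docker to trust it, the corresponding .crt file must be added under /etc/docker/certs.d/. The resulting path is /etc/docker/certs.d/103-17-184-lg-201-k08.yidian.com:5000/103-17-184-lg-201-k08.yidian.com.crt. Restart the Docker service after adding the file.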
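A pre-flight check for the trust step above, as an added example that is not part of the original post. Docker builds based on Go 1.15 or later match the registry hostname against the certificate's subjectAltName and ignore CN, so a certificate issued with only a CN (such as CN=mycert) is rejected even once it sits in certs.d. The function names, the CERTS_D override, the demo hostname and the OpenSSL 1.1.1 requirement are assumptions of this sketch.

```bash
#!/usr/bin/env bash
# Added example, not from the original post. Function names, the CERTS_D
# override and the hostname in the demo are assumptions (constructed values).
CERTS_D="${CERTS_D:-/etc/docker/certs.d}"   # point elsewhere to stage without root

# Self-signed cert whose SAN names the registry host (needs OpenSSL >= 1.1.1).
make_registry_cert() {   # usage: make_registry_cert <host> <out_dir> [rsa_bits]
  local host="$1" dir="$2" bits="${3:-4096}"
  mkdir -p "$dir" && ( umask 077 && openssl req -x509 -nodes -days 365 \
    -newkey "rsa:$bits" -subj "/CN=$host" -addext "subjectAltName=DNS:$host" \
    -keyout "$dir/$host.key" -out "$dir/$host.crt" 2>/dev/null )
}

# Succeeds only if the certificate has an exact DNS SAN entry for <host>.
cert_has_san() {         # usage: cert_has_san <crt> <host>
  openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null \
    | tr ',' '\n' | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' \
    | grep -Fxq "DNS:$2"
}

# Copy the cert to $CERTS_D/<host:port>/<host>.crt; refuse on a name mismatch.
install_registry_ca() {  # usage: install_registry_ca <crt> <host:port>
  local crt="$1" hostport="$2" host="${2%%:*}"
  if ! cert_has_san "$crt" "$host"; then
    echo "refusing: $crt has no SAN entry for $host" >&2
    return 1
  fi
  mkdir -p "$CERTS_D/$hostport" && cp "$crt" "$CERTS_D/$hostport/$host.crt"
}

# Demo against a throwaway directory: bash this_file demo
if [ "${1:-}" = "demo" ]; then
  tmp="$(mktemp -d)" && CERTS_D="$tmp/certs.d"
  make_registry_cert registry.example.test "$tmp/gen" 2048 &&
    install_registry_ca "$tmp/gen/registry.example.test.crt" \
      registry.example.test:5000 && find "$CERTS_D" -type f
fi
```

The registry container must be started with the same certificate and key that pass this check, and the Docker service still needs the restart described above.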
Push the image to the registry:

```
docker push 103-17-184-lg-201-k08.yidian.com:5000/centos:7.3
```
API
The API can be accessed directly with curl:

```
curl --cacert 103-17-184-lg-201-k08.yidian.com.crt -v https://103-17-184-lg-201-k08.yidian.com:5000/v2
```