501.【registry】docker 私有堆栈实现https 访问

源码 · 2024-9-6 18:55:52

上一篇，我们已经成功通过 registry 搭建了一个 docker 私有堆栈，但过细点我们会发现，在拉取和推送镜像时，必要附加 --insecure-registry 参数，很不方便，这次来优化一下这块。
一、天生证书

天生 CA 根证书

openssl genrsa -out ca.key 2048openssl req -x509 -new -nodes -key ca.key -subj "/CN=<YOUR IP>" -days 36500 -out ca.crt

天生registry ca 证书

cat > domain_ssl.cnf <<EOF[ req ]req_extensions = v3_reqdistinguished_name = req_distinguished_name[ req_distinguished_name ][ v3_req ]basicConstraints = CA:FALSEkeyUsage = nonRepudiation, digitalSignature, keyEnciphermentsubjectAltName = @alt_names[ alt_names ]DNS.1 = <YOUR HOSTNAME>IP.1 = <YOUR IP>EOF

DNS.1 写成 registry 的访问域名
IP.1 写成 registry 地点的呆板的IP

天生 key 和 crt

openssl genrsa -out domain.key 2048openssl req -new -key domain.key -config etcd_ssl.cnf -subj "/CN=etcd-server" -out domain.csropenssl x509 -req -in domain.csr -CA ca.crt -CAkey ca.key -CAcreateserial -days 36500 -extensions v3_req -extfile domain_ssl.cnf -out domain.crt

将 domain.crt 和 domain.key 复制到 /etc/docker/registry/certs/ 目次

二、设置systemd情况变量

systemctl edit registryd文件内容如下：
[Service]Environment="REGISTRY_HTTP_TLS_CERTIFICATE=/etc/docker/registry/certs/domain.crt"Environment="REGISTRY_HTTP_TLS_KEY=/etc/docker/registry/certs/domain.key"重启并查看服务状态：
[root@qijing0 ~]# systemctl restart registryd && systemctl status registryd ● registryd.service - private registry Loaded: loaded (/usr/lib/systemd/system/registryd.service; enabled; vendor preset: disabled) Drop-In: /etc/systemd/system/registryd.service.d └─override.conf Active: active (running) since Mon 2022-11-21 23:08:20 EST; 8ms ago Docs: https://github.com/distribution/distribution#readme Main PID: 15662 (registry) Tasks: 5 Memory: 6.5M CGroup: /system.slice/registryd.service └─15662 /usr/bin/registry serve /etc/docker/registry/config.ymlNov 21 23:08:20 qijing0 systemd[1]: Started private registry.三、在客户端呆板安装证书

复制 domain.crt 到 /etc/containerd/certs.d/domain/ 目次下。
并重启 containerd
四、验证

推送镜像验证：
[root@k8s0 server]# nerdctl push domain/test-server:0.0.5INFO[0000] pushing as a reduced-platform image (application/vnd.docker.distribution.manifest.v2+json, sha256:e0f152bb79f22dcbaaf4429cf8bc3cff75d831a5bee8042acf018560f5900586) manifest-sha256:e0f152bb79f22dcbaaf4429cf8bc3cff75d831a5bee8042acf018560f5900586: done |++++++++++++++++++++++++++++++++++++++| config-sha256:cf3c9b089da1f8120c9ee912752dd14d56d7ef769d81d6a81423dea7324a3e5b: done |++++++++++++++++++++++++++++++++++++++| elapsed: 0.1 s total: 6.4 Ki (63.3 KiB/s)

可以看到现在能正常推送镜像了

拉取镜像验证：
[root@k8s1 tmp]# nerdctl pull registry.domain.cn/test-server:0.0.5registry.domain.cn/test-server:0.0.5: resolved |++++++++++++++++++++++++++++++++++++++| manifest-sha256:e0f152bb79f22dcbaaf4429cf8bc3cff75d831a5bee8042acf018560f5900586: done |++++++++++++++++++++++++++++++++++++++| config-sha256:cf3c9b089da1f8120c9ee912752dd14d56d7ef769d81d6a81423dea7324a3e5b: done |++++++++++++++++++++++++++++++++++++++| elapsed: 0.1 s total: 0.0 B (0.0 B/s) [root@k8s1 tmp]# dateTue Nov 22 13:54:41 CST 2022

可以看到现在能正常拉取镜像了

【附加1】、安装 konradkleine/docker-registry-frontend:v2 用户界面

上一节安装的是joxit/docker-registry-ui，没升级成https之前还蛮好使用的，升级之后，就不绝报 CORS 跨域错误，折腾了会，还是决定换一个用户界面步伐，来支持 https：
docker run \ -d \ -e ENV_DOCKER_REGISTRY_HOST=registry.domain.cn \ -e ENV_DOCKER_REGISTRY_PORT=443 \ -e ENV_DOCKER_REGISTRY_USE_SSL=1 \ -p 5001:80 \ konradkleine/docker-registry-frontend:v2安装完之后，也不是一帆风顺，刚开始也获取不到镜像列表，我从欣赏器访问，按f12之后，发现分析不了域名，于是手动进入容器内部，在 /etc/hosts 中添加了域名：
[root@qijing0 ~]# docker exec -it 6d /bin/bashroot@6d48c37a52c5:/# cat >>/etc/hosts<<EOF> 192.168.3.1 registry.domain.cn> EOFok!，现在可以了，通过欣赏器能顺遂访问到镜像列表了，充足了。

501.【registry】docker 私有堆栈实现https 访问

所属分类: 问答交流

新帖推荐: 30日

推荐作品