1、为docker仓库添加加密功能
仓库配置
生成证书:
[root@master ~]# mkdir -p /data/cert
[root@master ~]# openssl req -newkey rsa:4096 -nodes -sha256 -keyout /data/cert/harbor.key -x509 -days 365 -out /data/cert/harbor.crt
填写信息后打开 /data/cert 目录即可看到证书:
[root@master ~]# cd /data/cert/
[root@master cert]# ls
harbor.crt harbor.key
注意：需要在 master 上为仓库域名做好解析，且证书中的主机名（CN/SAN）应与客户端访问时使用的域名一致，否则客户端会校验失败。
下一步我们需要运行 registry，运行之前需要删除上个实验所运行的容器及其数据卷:
[root@master cert]# docker rm -f registry #删除容器
registry
[root@master cert]# docker volume prune #删除卷
WARNING! This will remove all local volumes not used by at least one container.
Are you sure you want to continue? [y/N] y
Deleted Volumes:
4b6a8739615b4eb56ee8a940ca774242efc01dddcc3e24d8f6383688dff69569
cfd3c38ef73b58b09e9d79e45de6780fe16da3e15bfa498dc5a43fd06aa81782
Total reclaimed space: 60MB
运行容器
[root@master~]#
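# Run the registry with TLS enabled.
# The TLS env vars point at /data/cert/... inside the container, so the host
# directory holding harbor.crt/harbor.key must be mounted at that same path.
# (The original mounted "$(pwd)/cert" at /cert, a path the env vars never
# referenced, so the registry could not find its certificate.) The mount is
# read-only because the registry only needs to read the files.
# harbor.key was generated with -nodes (no passphrase), so keep it readable by
# root only on the host - file permissions are its only protection.
# NOTE(review): the data volume is /opt/data/registry here, while the text
# below inspects /opt/registry/ - confirm which path is intended.
docker run -d \
  --name registry \
  -v /data/cert:/data/cert:ro \
  -v /opt/data/registry:/var/lib/registry \
  -e REGISTRY_HTTP_ADDR=0.0.0.0:443 \
  -e REGISTRY_HTTP_TLS_CERTIFICATE=/data/cert/harbor.crt \
  -e REGISTRY_HTTP_TLS_KEY=/data/cert/harbor.key \
  -p 443:443 \
  --restart=always \
  registry
# Note: "-p 443:443" needs a space before the trailing backslash; without it
# the next line is glued onto the port argument ("443:443--restart=always").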
查看运行状态
[root@master~]# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
34b75ec2d1ec registry "/entrypoint.sh /etc…" 3 minutes ago Up 3 minutes 0.0.0.0:443->443/tcp, 5000/tcp registry
客户端配置
将证书复制给每一个客户端:
这里以本机为例:
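# Install the registry's certificate on this Docker client.
# Docker looks for CA certificates under /etc/docker/certs.d/<registry host>/;
# the directory name must match the hostname used in image references and the
# file must be named ca.crt. Neither name is configurable.
registry_host=harbor.com                          # hostname of the registry to trust
cert_dir=/etc/docker/certs.d/${registry_host}
mkdir -p -- "${cert_dir}"                         # -p: safe to re-run if it already exists
cp -- /data/cert/harbor.crt "${cert_dir}/ca.crt"  # copy and rename in one step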
本机测试
测试上传镜像
[root@master~]# docker tag ubuntu:latest harbor域名/ubuntu
[root@master~]# docker push harbor域名/ubuntu
The push refers to repository [harbor域名/ubuntu]
16542a8fc3be: Layer already exists
6597da2e2e52: Layer already exists
977183d4e999: Layer already exists
c8be1b8f4d60: Layer already exists
latest: digest: sha256:e5dd9dbb37df5b731a6688fa49f4003359f6f126958c9c928f937bec69836320 size: 1152
上传成功。上传成功后可以在容器挂载的数据目录中看到仓库数据:
[root@master~]# cd /opt/registry/
[root@master registry]# ls
docker
远程主机测试 (node 机器)
测试之前需要确保远程主机的 /etc/docker/certs.d/<仓库域名>/ 目录下已有 ca.crt:
[root@node~]# cd /etc/docker/certs.d/harbor.com/
[root@node harbor.com]# ls
ca.crt
此时在 node 上测试访问。测试之前先删除 node 上先前为非加密访问（insecure-registries）所做的配置:
[root@node ~]# cd /etc/docker/
[root@node docker]# rm -f daemon.json
测试拉取
[root@node ~]# docker pull reg.westos.org/ubuntu
Using default tag: latest
latest: Pulling from ubuntu
5bed26d33875: Pull complete
f11b29a9c730: Pull complete
930bda195c84: Pull complete
78bf9a5ad49e: Pull complete
Digest: sha256:e5dd9dbb37df5b731a6688fa49f4003359f6f126958c9c928f937bec69836320
Status: Downloaded newer image for harbor域名/ubuntu:latest
harbor域名/ubuntu:latest
拉取成功