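If hosts on other network segments also need to push images to the private registry, the registry has to be addressed by its IP address. By default Docker does not allow images to be pushed over a non-HTTPS connection, so this restriction can be lifted by editing Docker's configuration file:
{
  "registry-mirrors": [ "http://registry.docker-cn.com" ],
  "insecure-registries": [ "www.sholck.top:5000" ]
}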
This approach is very insecure, however: anyone can push or pull, so we need to add authentication.
I. TLS authentication
(1) Generate a self-signed certificate:
mkdir -p /opt/docker/registry/certs
openssl req -x509 -days 3650 -nodes -newkey rsa:2048 -keyout /opt/docker/registry/certs/domain.key -out /opt/docker/registry/certs/domain.crt
(2) Create a Registry server with TLS enabled
docker run -d --name docker-registry-no-proxy --restart=always -v /opt/docker/registry/data:/var/lib/registry -u root -p 5000:5000 -v /opt/docker/registry/certs:/certs -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt -e REGISTRY_HTTP_TLS_KEY=/certs/domain.key registry:2
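(3) Copy the certificate to the client host (this resolves "certificate signed by unknown authority"). The directory under /etc/docker/certs.d must be named after the registry address exactly as it is used in image names, including the port:
mkdir -p /etc/docker/certs.d/www.sholck.top:5000
cp /opt/docker/registry/certs/domain.crt /etc/docker/certs.d/www.sholck.top:5000/ca.crt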
(4) Verify
[lynx@chejian ~]$ docker tag docker.io/eclipse/che:latest www.sholck.top:5000/eclipse/che:latest
[lynx@chejian ~]$ docker push www.sholck.top:5000/eclipse/che:latest
The push refers to a repository [www.sholck.top:5000/eclipse/che]
f9007e4027ba: Pushed
4a22df9df4f8: Pushed
ccb2a12e07c2: Pushed
3c8efdaed0b5: Pushed
32dbd8416e90: Pushed
d59be409f7ba: Pushed
a0bdd3917620: Pushed
e53f74215d12: Pushed
latest: digest: sha256:b70377d8291151bec2b0c4652760750e9de113edbbb0a51498b1a4d7d079ed0c size: 1984
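A client-side check for the two settings discussed above, the insecure-registries entry and the per-registry CA directory, written as an added example (not code from the original post). The function name, the status labels, the address 10.0.0.5:5000 and the *.example.internal hosts are constructed for illustration.

```python
import json
import tempfile
from pathlib import Path


def audit_registry_trust(daemon_json, certs_root, registries):
    """Classify how a Docker client host is set up to trust each registry.

    registries are written as they appear in image names (host:port).
    Only exact insecure-registries entries are matched; CIDR entries are
    not evaluated here.
    """
    insecure = set(json.loads(daemon_json).get("insecure-registries", []))
    report = {}
    for reg in registries:
        host = reg.rsplit(":", 1)[0]
        if reg in insecure:
            report[reg] = "insecure"         # cert errors ignored, HTTP allowed
        elif any((certs_root / reg).glob("*.crt")):
            report[reg] = "pinned-ca"        # CA file in certs.d/<host:port>/
        elif host != reg and any((certs_root / host).glob("*.crt")):
            report[reg] = "ca-in-wrong-dir"  # directory name lacks the port
        else:
            report[reg] = "system-ca-only"   # no per-registry CA installed
    return report


def demo():
    # Constructed sample input: daemon.json text and a throwaway certs.d tree.
    daemon_json = json.dumps({"insecure-registries": ["10.0.0.5:5000"]})
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for name in ("www.sholck.top", "registry.example.internal:5000"):
            (root / name).mkdir()
            (root / name / "ca.crt").write_text("constructed placeholder\n")
        return audit_registry_trust(daemon_json, root, [
            "10.0.0.5:5000",
            "www.sholck.top:5000",
            "registry.example.internal:5000",
            "other.example.internal:5000",
        ])


if __name__ == "__main__":
    for registry, status in demo().items():
        print(f"{registry:35} {status}")
```

On a real host, pass the contents of the daemon configuration file and Path("/etc/docker/certs.d") instead of the constructed inputs.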
Reposted from: http://hfgji.baihongyu.com/