本文共 1397 字，大约阅读时间需要 4 分钟。

如果想让其他网段的主机也能把镜像推送到私有仓库,则需要把IP地址作为私有仓库地址,且Docker默认不允许非HTTPS方式推送镜像,这时候我们可以通过修改Docker的配置文件来取消这个限制.

{  "registry-mirror": [    "http://registry.docker-cn.com"  ],  "insecure-registries": [    "www.sholck.top:5000"  ]}

但是这种方法很不安全,所有人都可以push或pull,所以我们需要添加认证.

一. TLS认证

(1) 生成签名证书:

mkdir -p /opt/docker/registry/certsopenssl req -x509 -days 3650 -nodes -newkey rsa:2048 -keyout /opt/docker/registry/certs/domain.key -out /opt/docker/registry/certs/domain.crt

(2)创建带有TLS认证的Registry服务器

docker run -d --name docker-registry-no-proxy --restart=always -v /opt/docker/registry/data:/var/lib/registry -u root -p  5000:5000 -v /opt/docker/registry/certs:/certs -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt -e REGISTRY_HTTP_TLS_KEY=/certs/domain.key registry:2

(3)将证书复制到客户端宿主级上:(解决certificate signed by unknown authority)

cp /opt/docker/registry/certs/domain.crt  /etc/docker/certs.d/www.sholck.top/ca.crt

(4)验证

[lynx@chejian ~]$ docker tag docker.io/eclipse/che:latest www.sholck.top:5000/eclipse/che:latest[lynx@chejian ~]$ docker push www.sholck.top:5000/eclipse/che:latestThe push refers to a repository [www.sholck.top:5000/eclipse/che]f9007e4027ba: Pushed 4a22df9df4f8: Pushed ccb2a12e07c2: Pushed 3c8efdaed0b5: Pushed 32dbd8416e90: Pushed d59be409f7ba: Pushed a0bdd3917620: Pushed e53f74215d12: Pushed latest: digest: sha256:b70377d8291151bec2b0c4652760750e9de113edbbb0a51498b1a4d7d079ed0c size: 1984

转载地址：http://hfgji.baihongyu.com/