需要用域名,直接用IP地址会报错:
[root@xcjdocker-occs-wkr-2 opc]# sudo docker pull 139.224.66.172:5000/centos00
Using defaulttag: latest
Error responsefrom daemon: unable to ping registry endpoint https://139.224.66.172:5000/v0/
v2 pingattempt failed with error: Get https://139.224.66.172:5000/v2/: x509: cannotvalidate certificate for 139.224.66.172 because it doesn't contain any IP SANs
v1 ping attempt failed with error: Gethttps://139.224.66.172:5000/v1/_ping: x509: cannot validate certificate for139.224.66.172 because it doesn't contain any IP SANs
[root@xcjdocker-occs-wkr-2 opc]# sudo docker pull
mydockerhub
.com:5000/vvv
Using defaulttag: latest
latest:Pulling from vvv
Digest:sha256:1164a179f7328c80edab409118c4cf0986ffe143b3693c7769f6d54e098705e3
Status:Downloaded newer image for mydockerhub.com:5000/vvv:latest
[root@xcjdocker-occs-wkr-2opc]#
如果要想支持IP方式
如果Docker registry要想支持https, 需要生成证书。这里我们采用openssl生成证书,一般情况下,证书只支持域名访问,要使其支持IP地址访问,需要修改配置文件openssl.cnf。
修改openssl.cnf,支持IP地址方式,HTTPS访问
在Redhat7或者Centos系统中,文件所在位置是/etc/pki/tls/openssl.cnf。在其中的[ v3_ca]部分,添加subjectAltName选项:
[ v3_ca ]
subjectAltName= IP:129.144.150.111
用openssl生成自签名的证书:
我们直接在root用户下操作,创建一个目录: /root/certs
然后执行:
openssl req -newkey rsa:2048 -nodes -sha256-keyout /root/certs/domain.key -x509 -days 365 -out /root/certs/domain.crt
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:bj
Locality Name (eg, city) [Default City]:bj
Organization Name (eg, company) [DefaultCompany Ltd]:mycom
Organizational Unit Name (eg, section)[]:it
Common Name (eg, your name or your server'shostname) []:129.144.150.111
Email Address []:xcjing@yeah.Net
执行成功后会生成:domain.key 和domain.crt 两个文件
COPY证书
使用Docker Registry的Docker机需要将domain.crt拷贝到 /etc/docker/certs.d/[docker_registry_domain:端口或者IP:端口]/ca.crt,
cp domain.crt/etc/docker/certs.d/129.144.150.111:5000/ca.crt
将domain.crt内容放入系统的CA bundle文件当中,使操作系统信任我们的自签名证书。
CentOS 6 / 7或者REDHAT中bundle文件的位置在/etc/pki/tls/certs/ca-bundle.crt:
cat domain.crt >>/etc/pki/tls/certs/ca-bundle.crt
Ubuntu/Debian Bundle文件地址/etc/ssl/certs/ca-certificates.crt
cat domain.crt >> /etc/ssl/certs/ca-certificates.crt
注意,如果之前已经有cat过同样的IP, 需要到ca-bundle.crt中把它删除,再做cat操作。否则后面PUSH时会报:
Get https://129.144.150.111:5000/v1/_ping:x509: certificate signed by unknown authority
重启DOCKER Daemon, Registry
systemctl restart docker
启动REGITRY
docker run -d -p 5000:5000--privileged=true -v /opt/registry:/tmp/registry -v ~/certs/:/root/certs -eREGISTRY_HTTP_TLS_CERTIFICATE=/root/certs/domain.crt -eREGISTRY_HTTP_TLS_KEY=/root/certs/domain.key registry:2
验证测试
确认HTTPS OK: curl -i -k -v https://129.144.150.111:5000
或者直接浏览器访问 https://129.144.150.111:5000/v2 显示{} 表示正常
[root@bf278c certs]# docker images
REPOSITORY TAG IMAGE> centos latest a8493f5f50ff 12 days ago 192MB
129.144.150.111:5000/c latest a8493f5f50ff 12 days ago 192MB
registry 2 136c8b16df20 12 days ago 33.2MB
registry latest 136c8b16df20 12 days ago 33.2MB
hello-world latest 48b5124b2768 3 months ago 1.84kB
[[root@bf278c certs]# docker push129.144.150.111:5000/c
The push refers to a repository[129.144.150.111:5000/c]
36018b5e9787: Pushing 28.9MB/192.5MB
成功
在别的机器上访问
如果要在另一台机器上访问,需要把CERT文件 COPY过去,同样放在/etc/docker/certs.d下面,建一个目录:/129.144.150.111:5000,然后
[opc@xcjdocker-occs-wkr-2 ~]$ cp domain.crt/etc/docker/certs.d/129.144.150.111:5000/ca.crt
否则报:Error: API error (500): unable to ping registry endpointhttps://129.144.150.111:5000/v0/ v2 ping attempt failed with error: Gethttps://129.144.150.111:5000/v2/: x509: certificate signed by unknown authorityv1 ping attempt failed with error: Get https://129.144.150.111:5000/v1/_ping:x509: certificate signed by unknown authority
测试:
[root@xcjdocker-occs-wkr-2 opc]# sudodocker pull 129.144.150.111:5000/c
Using default tag: latest
latest: Pulling from c
Digest:sha256:1164a179f7328c80edab409118c4cf0986ffe143b3693c7769f6d54e098705e3
Status: Image is up to date for129.144.150.111:5000/c:latest
QQ群⑧:
窥视卡
雷达卡
发表于 2019-2-22 08:31:28
提升卡
置顶卡
沉默卡
喧嚣卡
变色卡
千斤顶
显身卡