docker install private registry 【docker 安装 registry & 仅证书认证】

预备条件:

我们设定镜像仓库域名为registry01.dev.com

配置/etc/hosts

bash 复制代码
192.168.23.51 registry01.dev.com

安装 registry

bash 复制代码
#!/bin/bash

reg_ip=$1
reg_n=$2
reg_port=$3

if [ $# -eq 0 ]; then
  echo "Usage: $0 [reg_ip] [registry_name]"
  echo "Please provide one or more arguments."
  exit 1
fi

BASE_DIR="$(dirname "$(readlink -f "${0}")")"
DEST_DIR='/registry'
certs_dir='/registry/certs'
data_dir='/data/registry'
mkdir -p $DEST_DIR
mkdir -p $certs_dir
mkdir -p $data_dir


image_load(){
  docker load -i ${DEST_DIR}/images/registry_latest.tar

}


# create tls certs for docker registry
create_certs() {


cat << EOF > ${DEST_DIR}/ssl.conf
[ req ]
prompt             = no
distinguished_name = req_subj
x509_extensions    = x509_ext

[ req_subj ]
CN = Localhost

[ x509_ext ]
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid,issuer
basicConstraints       = CA:true
subjectAltName         = @alternate_names

[ alternate_names ]
DNS.1 = $reg_n
IP.1  = $reg_ip
EOF




openssl req -config  ${DEST_DIR}/ssl.conf -new -x509 -nodes -sha256 -days 365 -newkey rsa:4096 -keyout ${DEST_DIR}/${reg_n}.key -out ${DEST_DIR}/${reg_n}.crt
openssl x509 -inform PEM -in ${DEST_DIR}/${reg_n}.crt -out ${DEST_DIR}/${reg_n}.cert

}

# deploy docker registry
run_reg () {

cp ${DEST_DIR}/${reg_n}.key ${DEST_DIR}/${reg_n}.crt ${DEST_DIR}/${reg_n}.cert  $certs_dir


 docker run -d --privileged=true --restart=always --name registry-tls-certs  -v ${certs_dir}:/certs  -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/${reg_n}.crt -e REGISTRY_HTTP_TLS_KEY=/certs/${reg_n}.key -e REGISTRY_COMPATIBILITY_SCHEMA1_ENABLED=true -e REGISTRY_STORAGE_DELETE_ENABLED=true  -p 443:443 -p $reg_port:5000  -v ${data_dir}:/var/lib/registry/docker/registry  registry
 if [ $? != 0 ];then
    echo "contianer create failed" && exit 1
 fi

[ -d /etc/docker/certs.d/${reg_n}:$reg_port ]  || mkdir -p /etc/docker/certs.d/${reg_n}:${reg_port}
cp -r ${certs_dir}/${reg_n}.crt   /etc/docker/certs.d/${reg_n}:${reg_port}/
systemctl restart docker

}

# test push
push_images() {

 docker tag registry:latest ${reg_n}:${reg_port}/registry:latest
 docker push ${reg_n}:${reg_port}/registry:latest

}

image_load
create_certs
run_reg
push_images

执行

bash 复制代码
sh -x  install_registry.sh  192.168.23.51 registry01.dev.com 80

输出:

bash 复制代码
sh -x install_registry.sh 192.168.23.52 registry02.dev.com 80
+ reg_ip=192.168.23.52
+ reg_n=registry02.dev.com
+ reg_port=80
+ '[' 3 -eq 0 ']'
+++ readlink -f install_registry.sh
++ dirname /root/install_registry.sh
+ BASE_DIR=/root
+ DEST_DIR=/registry
+ certs_dir=/registry/certs
+ data_dir=/data/registry
+ mkdir -p /registry
+ mkdir -p /registry/certs
+ mkdir -p /data/registry
+ image_load
+ docker load -i /registry/images/registry_latest.tar
open /registry/images/registry_latest.tar: no such file or directory
+ create_certs
+ cat
+ openssl req -config /registry/ssl.conf -new -x509 -nodes -sha256 -days 365 -newkey rsa:4096 -keyout /registry/registry02.dev.com.key -out /registry/registry02.dev.com.crt
Generating a RSA private key
.........................++++
............................................................................................................................................................................................................................................................................................................................................................................++++
writing new private key to '/registry/registry02.dev.com.key'
-----
+ openssl x509 -inform PEM -in /registry/registry02.dev.com.crt -out /registry/registry02.dev.com.cert
+ run_reg
+ cp /registry/registry02.dev.com.key /registry/registry02.dev.com.crt /registry/registry02.dev.com.cert /registry/certs
+ docker run -d --privileged=true --restart=always --name registry-tls-certs -v /registry/certs:/certs -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/registry02.dev.com.crt -e REGISTRY_HTTP_TLS_KEY=/certs/registry02.dev.com.key -e REGISTRY_COMPATIBILITY_SCHEMA1_ENABLED=true -e REGISTRY_STORAGE_DELETE_ENABLED=true -p 443:443 -p 80:5000 -v /data/registry:/var/lib/registry/docker/registry registry
Unable to find image 'registry:latest' locally
latest: Pulling from library/registry
619be1103602: Pull complete 
2ba4b87859f5: Pull complete 
0da701e3b4d6: Pull complete 
14a4d5d702c7: Pull complete 
d1a4f6454cb2: Pull complete 
Digest: sha256:f4e1b878d4bc40a1f65532d68c94dcfbab56aa8cba1f00e355a206e7f6cc9111
Status: Downloaded newer image for registry:latest
ef764fc4e390850d45f5b97bc44cccba8aa630e1732be41503ddc2d1f91a31a6
+ '[' 0 '!=' 0 ']'
+ '[' -d /etc/docker/certs.d/registry02.dev.com:80 ']'
+ mkdir -p /etc/docker/certs.d/registry02.dev.com:80
+ cp -r /registry/certs/registry02.dev.com.crt /etc/docker/certs.d/registry02.dev.com:80/
+ systemctl restart docker
+ push_images
+ docker tag registry:latest registry02.dev.com:80/registry:latest
+ docker push registry02.dev.com:80/registry:latest
The push refers to repository [registry02.dev.com:80/registry]
a2e9568f0343: Pushed 
95d5b7fa5097: Pushed 
bf7f68cf6cd2: Pushed 
98e9164d5432: Pushed 
aedc3bda2944: Pushed 
latest: digest: sha256:12202eb78732e22f8658d595bd6e3d47ef9f13ede78e94e90974c020c7d7c1b3 size: 1363
相关推荐
阿米亚波1 小时前
【EVE-NG 实战】防火墙基础(VLAN · VRRP · NAT · ACL · 静态路由)
运维·网络·笔记·网络协议·计算机网络·网络安全·运维开发
日取其半万世不竭2 小时前
云服务器迁移怎么少停机?DNS 切换前后的完整清单
运维·服务器
FREEDOM_X2 小时前
Linux 多线程编程——总结
java·linux·运维·ubuntu
名字还没想好☜2 小时前
Docker 多阶段构建:把镜像从 1.2GB 砍到 15MB
运维·docker·容器·多阶段构建·镜像优化
祸心依旧3 小时前
Visual Studio 五月更新 —— 计划、评审、优化
运维·人工智能·visual studio
her_heart3 小时前
ChatGPT 5.6 实战:用 AI 做云成本治理,从账单复盘到 K8s 优化
人工智能·云原生·chatgpt·kubernetes·测试用例
Web4Browser3 小时前
Headless 浏览器自动化适合哪些任务?巡检、截图和提交动作要分级
运维·前端·自动化
難釋懷3 小时前
Nginx浏览器强制缓存
运维·nginx·缓存
花和满楼3 小时前
K8s 1.36 ImageVolume GA:OCI 镜像不再只能跑容器
java·容器·kubernetes
大博士.J3 小时前
视频号主体违规与认证上限?正确的解决方式
运维·python·自动化