HTTP直接传送没有安全认证

1.拉取registry docker pull registry
2.启动docker run -dp 5000:5000 --restart=always --name registry registry:latest
--restart=always docker启动时也启动此容器
没有-v参数,docker镜像默认保存在宿主机的/var/lib/docker/volumes/xxx/_data/docker/registry/v2/repositories/容器删除后这里面的镜像也会删除,指定一下-v /mnt/registry:/var/lib/registry宿主机就不删除了
3.报错Get https://192.168.80.160:5000/v2/: http: server gave HTTP response to HTTPS client
基本上本地仓库都会这样,修改/etc/docker/daemon.json,

{
  "registry-mirrors": ["https://y0iv6bup.mirror.aliyuncs.com"],
  "insecure-registries":["192.168.80.160:5000"]
}
systemctl restart docker

不要忘记第一个配置后面加逗号,要增加多个认证链接,"insecure-registries":["192.168.80.160:5000","192.168.80.160:5001"]没有逗号

4.docker pull busybox
docker tag busybox:latest 192.168.80.160:5000/busybox
docker push 192.168.80.160:5000/busybox

增加账户密码认证

1.创建存放密码账号的文件 mkdir -p /docker-hub/auth,这个仓库可以把原来的仓库删除,我用的是新建一个容器,改端口为5001,但是daemon.json要增加
2.docker run --entrypoint htpasswd registry -Bbn username password > /docker-hub/auth/htpasswd
username和password自己设置
3.启动本地仓库容器

docker run -d -p 5001:5000 --restart=always --name docker-hub \
  -v /docker-hub/auth:/auth \
  -e "REGISTRY_AUTH=htpasswd" \
  -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" \
  -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd \
  registry

4.登录docker login -u libaojia -p 000000 192.168.80.160:5001

docker tag 192.168.80.160:5000/busybox:latest 192.168.80.160:5001/busybox
docker push 192.168.80.160:5001/busybox
curl -u libaojia:000000  http://192.168.80.160:5001/v2/_catalog
{"repositories":["busybox"]}

参考文档docker Doc
docker私有仓库搭建并且配置仓库认证

自签发证书和账户密码验证

1. mkdir -p certs
   openssl req -newkey rsa:2048 -nodes -sha256 -keyout certs/domain.key -x509 -days 365 -out certs/domain.crt
   2.生成自签发证书,修改hosts 本机ip registry.domain.com

Generating a 2048 bit RSA private key
...+++
....+++
writing new private key to 'certs/domain.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:libaojia
Locality Name (eg, city) [Default City]:tianjin
Organization Name (eg, company) [Default Company Ltd]:wisedu
Organizational Unit Name (eg, section) []:edu
Common Name (eg, your name or your server's hostname) []:registry.domain.com
Email Address []:

3.docker run --entrypoint htpasswd registry -Bbn username password > /docker-hub/auth/htpasswd
username和password自己设置
4.启动容器

docker run -dp 5001:5000 --restart=always --name registry1 \
> -v /docker-hub/auth/:/auth \
> -e "REGISTRY_AUTH=htpasswd" \
> -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" \
> -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd \
> -v /docker-hub/registry:/var/lib/registry \
> -v /root/certs:/certs \
> -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt \
> -e REGISTRY_HTTP_TLS_KEY=/certs/domain.key \
> registry

5.让docker client安装我们的CA证书,这里需要注意：如果使用自签署的证书，那么所有要与Registry交互的Docker主机都需要安装registry.domain.com的ca.crt(domain.crt)
mkdir -p /etc/docker/certs.d/registry.domain.com:5001
cp certs/domain.crt /etc/docker/certs.d/registry.domain.com:5001/ca.crt
systemctl restart docker
6.docker login registry.domain.com:5001
7.curl -u libaojia:000000 http://192.168.80.160:5001/v2/_catalog
参考文档
docker搭建私有仓库、自签发证书、登录认证