With the widespread adoption of Docker, and with more and more third-party registries imposing security review and push-monitoring mechanisms, a growing number of developers are building their own Docker repositories. A private image registry not only improves development efficiency but also reduces dependence on the external public network, letting applications be released directly over the internal network. To safeguard the security and integrity of the data, HTTPS is normally enabled on the private image registry.
Before starting, make sure Docker is already deployed on the server and running normally. You will also need a domain name for the repository and a matching SSL certificate (mutual self-signed certificates for both server and client are recommended).
An HTTPS Docker Registry for experimental and test use
Create the necessary directories
root@Dev-AlibabaCloudLinux3-Virginia-America1:~# mkdir -p /data/app/docker/repository_v2/certs
root@Dev-AlibabaCloudLinux3-Virginia-America1:~# mkdir -p /data/app/docker/repository_v2/registry
Start the Registry service with Docker, mounting the certificate and data directories
root@Dev-AlibabaCloudLinux3-Virginia-America1:~# docker run -d --restart=always --name docker-repository_v2 \
-v /data/app/docker/repository_v2/certs:/certs \
-v /data/app/docker/repository_v2/registry:/var/lib/registry \
-e REGISTRY_HTTP_ADDR=0.0.0.0:5000 \
-e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/repository.ponfey.com.crt \
-e REGISTRY_HTTP_TLS_KEY=/certs/repository.ponfey.com.key \
-p 5000:5000 \
localhost/registry:2
*Configure the Docker client to trust the certificate; the following steps are required (choose either this or the Podman method):
root@Dev-AlibabaCloudLinux3-Virginia-America1:~# mkdir -p /etc/docker/certs.d/repository.ponfey.com:5000
root@Dev-AlibabaCloudLinux3-Virginia-America1:~# cp /data/app/docker/repository_v2/certs/repository.ponfey.com.crt /etc/docker/certs.d/repository.ponfey.com:5000/ca.crt
*Configure the Podman client to trust the certificate; the following steps are required (choose either this or the Docker method):
root@Dev-AlibabaCloudLinux3-Virginia-America1:~# rsync -avP /data/app/docker/repository_v2/certs/repository.ponfey.com.crt root@Dev-RockyLinux9-Area1-HangZhou:/etc/pki/ca-trust/source/anchors/repository.ponfey.com.crt
[richard@Dev-RockyLinux9-Area1-HangZhou ~]# update-ca-trust extract # update the CA trust store
[richard@Dev-RockyLinux9-Area1-HangZhou ~]# openssl x509 -in /etc/pki/ca-trust/source/anchors/repository.ponfey.com.crt -noout -text # verify the certificate
Push an image to the private repository
Tag the locally built container image with the private repository's tag
[richard@Dev-RockyLinux9-Area1-HangZhou ~]# podman tag localhost/mysql901_community_innovation_middle:2408 mysql901_community_innovation_middle:2408
Push the container image to the private repository repository.ponfey.com
[richard@Dev-RockyLinux9-Area1-HangZhou ~]# podman commit bc0514f51851 mysql901_community_innovation_middle:2408
Getting image source signatures
Copying blob e2eb06d8af82 skipped: already exists
Copying blob 4df918a2e6c8 skipped: already exists
Copying blob 805c622f49a3 skipped: already exists
Copying blob 5f70bf18a086 skipped: already exists
Copying blob 5f70bf18a086 skipped: already exists
Copying config 17c9a051a9 done |
Writing manifest to image destination
17c9a051a9eb12af76bd83d5625dbc9a9a441a8c87722bbb953809451dcd0f47
[richard@Dev-RockyLinux9-Area1-HangZhou ~]# podman push mysql901_community_innovation_middle:2408
Getting image source signatures
Copying blob 805c622f49a3 done |
Copying blob 5f70bf18a086 done |
Copying blob 5f70bf18a086 done |
Copying blob 4df918a2e6c8 done |
Copying blob e2eb06d8af82 done |
Copying config 17c9a051a9 done |
Writing manifest to image destination
Query the private repository with the skopeo tool
[richard@Dev-RockyLinux9-Area1-HangZhou ~]# skopeo list-tags docker://repository.ponfey.com:5000/mysql901_community_innovation_middle
{
"Repository": "repository.ponfey.com:5000/mysql901_community_innovation_middle",
"Tags": [
"v2408"
]
}
If the repository later requires authentication, the credentials must be supplied:
[richard@Dev-RockyLinux9-Area1-HangZhou ~]# skopeo --insecure list-tags docker://repository.ponfey.com:5000/mysql901_community_innovation_middle --creds <username>:<password>
Use the integrated image-tag listing script to query the repository
[richard@Dev-RockyLinux9-Area1-HangZhou ~]# cd python
[richard@Dev-RockyLinux9-Area1-HangZhou python]# python3 list_all_images_and_tags_from_repository2.py
Image: python_3_12_5_sit
{
"Repository": "repository.ponfey.com:5000/python_3_12_5_sit",
"Tags": [
"v2408"
]
}
Image: mysql901_community_innovation_middle
{
"Repository": "repository.ponfey.com:5000/mysql901_community_innovation_middle",
"Tags": [
"v2408"
]
}
...
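The listing script itself is not shown in the post. The following is an added example, not the author's list_all_images_and_tags_from_repository2.py, that walks the registry's v2 API (/v2/_catalog, then /v2/<name>/tags/list) over HTTPS, pins TLS verification to the private CA file imported into the trust store above, and prints the same Image/JSON layout. The registry address and CA path are assumptions taken from the post, and the sample API responses are constructed so the walk can run without a live registry.

```python
import json
import ssl
import urllib.request
from typing import Callable, Dict, List

REGISTRY = "repository.ponfey.com:5000"  # assumed: the registry from the post
CA_FILE = "/etc/pki/ca-trust/source/anchors/repository.ponfey.com.crt"  # assumed: path from the post

def https_fetch(path: str) -> dict:
    """GET a registry API path as JSON, trusting only the private CA file.
    Pinning cafile (not the system store) rejects a cert for this host issued
    by any other CA, even a publicly trusted one."""
    ctx = ssl.create_default_context(cafile=CA_FILE)
    ctx.check_hostname = True  # already the default; kept explicit on purpose
    with urllib.request.urlopen(f"https://{REGISTRY}{path}", context=ctx, timeout=10) as resp:
        return json.load(resp)

def list_images_and_tags(fetch: Callable[[str], dict] = https_fetch) -> Dict[str, List[str]]:
    """Walk /v2/_catalog, then /v2/<name>/tags/list for every repository."""
    result: Dict[str, List[str]] = {}
    for name in fetch("/v2/_catalog").get("repositories", []):
        # A repository whose manifests were all deleted may report "tags": null.
        tags = fetch(f"/v2/{name}/tags/list").get("tags") or []
        result[name] = sorted(tags)
    return result

def render(images: Dict[str, List[str]]) -> str:
    """Same layout the post's script prints: an Image: line, then a JSON block."""
    blocks = []
    for name, tags in images.items():
        body = json.dumps({"Repository": f"{REGISTRY}/{name}", "Tags": tags}, indent=2)
        blocks.append(f"Image: {name}\n{body}")
    return "\n".join(blocks)

# Constructed sample API responses so the walk can be exercised offline.
SAMPLE_RESPONSES = {
    "/v2/_catalog": {"repositories": ["mysql901_community_innovation_middle",
                                      "python_3_12_5_sit", "retired_repo"]},
    "/v2/mysql901_community_innovation_middle/tags/list": {"tags": ["v2408"]},
    "/v2/python_3_12_5_sit/tags/list": {"tags": ["v2408"]},
    "/v2/retired_repo/tags/list": {"tags": None},
}

def sample_fetch(path: str) -> dict:
    return SAMPLE_RESPONSES[path]

if __name__ == "__main__":
    print(render(list_images_and_tags()))  # live query against REGISTRY
```

Pass `sample_fetch` to `list_images_and_tags` to dry-run the walk against the constructed responses; the default fetcher talks to the real registry and fails closed if the server certificate does not chain to CA_FILE.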
Summary
Through the steps above, an HTTPS Docker Registry (repository) for experimental and test use was deployed, and images were pushed to it securely. This approach not only improves the security of the private image registry but also simplifies image management. Going forward, the private registry can be extended and optimized according to actual needs, adding advanced features such as an authentication mechanism (registry-auth) and access control.