# Self-Hosting a Private Docker Registry (with TLS)
###### tags: `Tutorial` `Docker Registry`
:::info
:boy: **Author:** neverleave0916
:mailbox_closed: **Contact:** <neverleave0916@gmail.com>
:point_right: <font color="#B24B42">**Last modified:** 2020/12/17 03:52</font>
:::
> - Docker Registry :video_game:
> - Software versions:

| Software | Version |
|:--------------|:--------|
| Ubuntu | 20.04 |
| Docker | 19.03.8 |
## 1. Obtaining an SSL certificate automatically
https://letsencrypt.org/zh-tw/
#### GitHub: https://github.com/acmesh-official/acme.sh
#### Chinese tutorial (not used here): https://richarlin.tw/blog/ssl-acme-sh/
* Run acme.sh in docker: https://github.com/acmesh-official/acme.sh/wiki/Run-acme.sh-in-docker
* deploy to docker containers: https://github.com/acmesh-official/acme.sh/wiki/deploy-to-docker-containers
* Running acme.sh in Docker to issue SSL certificates with automatic renewal (Chinese): https://zhuanlan.zhihu.com/p/45425683

The container was originally run with `--net=host`, but to keep port 80 from being taken by another process it now uses `-p 80:80`, which reserves the port for the ACME standalone validation server.
#### Start the certificate-issuing microservice
Once the container is running, any command supported by acme.sh can be executed through it with `docker exec`.
```console=+
docker run --rm -itd \
-v /mnt/MIL/share/docker/cert:/acme.sh \
-p 80:80 \
--name=acme.sh \
neilpang/acme.sh daemon
```
#### Configure the domain
```console=+
# Issue a certificate for the domain (acme.sh starts a temporary web server on port 80 for the HTTP-01 validation)
docker exec acme.sh --issue -d ncyu-mil.ddns.net --standalone
# Let acme.sh upgrade itself automatically
docker exec acme.sh --upgrade --auto-upgrade
```


## 2. Starting the Docker Registry
#### docs: https://docs.docker.com/registry/deploying/
> /var/lib/registry is where the images are stored
#### No-authentication version (tested OK)
```console=
docker run -d \
--restart=always \
--name registry \
-v /mnt/MIL/share/docker/cert/ncyu-mil.ddns.net:/certs \
-e REGISTRY_HTTP_ADDR=0.0.0.0:443 \
-e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/fullchain.cer \
-e REGISTRY_HTTP_TLS_KEY=/certs/ncyu-mil.ddns.net.key \
-p 443:443 \
-v /mnt/MIL/share/docker/registry:/var/lib/registry \
registry:2
```
#### htpasswd version (tested OK)
```console=
docker run -d \
--restart=always \
--name registry \
-v /mnt/MIL/share/docker/auth:/auth \
-e "REGISTRY_AUTH=htpasswd" \
-e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" \
-e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd \
-v /mnt/MIL/share/docker/cert/ncyu-mil.ddns.net:/certs \
-e REGISTRY_HTTP_ADDR=0.0.0.0:443 \
-e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/fullchain.cer \
-e REGISTRY_HTTP_TLS_KEY=/certs/ncyu-mil.ddns.net.key \
-p 443:443 \
-v /mnt/MIL/share/docker/registry:/var/lib/registry \
registry:2
```
#### token version (tested OK)
```console=
docker run -d \
--restart=always \
--name registry \
-e "REGISTRY_AUTH=token" \
-e "REGISTRY_AUTH_TOKEN_REALM=https://ncyu-mil.ddns.net:5001/auth" \
-e "REGISTRY_AUTH_TOKEN_SERVICE=Docker registry" \
-e "REGISTRY_AUTH_TOKEN_ISSUER=Acme auth server" \
-e "REGISTRY_AUTH_TOKEN_ROOTCERTBUNDLE=/certs/fullchain.cer" \
-e "REGISTRY_AUTH_TOKEN_AUTOREDIRECT=false" \
-v /mnt/MIL/share/docker/cert/ncyu-mil.ddns.net:/certs \
-e REGISTRY_HTTP_ADDR=0.0.0.0:443 \
-e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/fullchain.cer \
-e REGISTRY_HTTP_TLS_KEY=/certs/ncyu-mil.ddns.net.key \
-p 443:443 \
-v /mnt/MIL/share/docker/registry:/var/lib/registry \
registry:2
```
## 3. Docker registry single-file (htpasswd) authentication
https://blog.scottchayaa.com/post/2018/08/07/create-docker-registry-services-and-web-ui-on-synology/
* Generate the htpasswd file
```console=
docker run --rm -ti xmartlabs/htpasswd <username> <password> > htpasswd
```
```console=
# Log in to the Docker Registry
docker login ncyu-mil.ddns.net
```
## 4. Authentication server (token auth)
#### GitHub: https://github.com/cesanta/docker_auth
https://neverleave0916.com:5002/
Start the authentication server
> `--v=2 --alsologtostderr` is only there to print the logs
```console=
docker run \
--rm -it --name docker_auth -p 5001:5001 \
-v /mnt/MIL/share/docker_auth_service/config_dir:/config:ro \
-v /mnt/MIL/share/docker_auth_service/docker_auth:/logs \
-v /mnt/MIL/share/docker/cert/ncyu-mil.ddns.net:/certs \
cesanta/docker_auth:1 \
--v=2 --alsologtostderr \
/config/auth_config.yml
```
[Config file](/uoCzXNY6T6eFnWiODIeauQ?both)
## Test steps
1. Pull the ubuntu:16.04 image from Docker Hub.
2. Tag the image as ncyu-mil.ddns.net/my-ubuntu.
3. Push the image to the local registry running at ncyu-mil.ddns.net.
4. Remove the locally-cached `ubuntu:16.04` and `ncyu-mil.ddns.net/my-ubuntu` images, so that you can test pulling the image from your registry.
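A Docker client trusts the `WWW-Authenticate` challenge the registry returns on `/v2/` to decide where to send credentials, so after deploying the htpasswd or token variant from section 2 together with the auth server from section 4 it is worth confirming the advertised challenge matches the `REGISTRY_AUTH_*` values you set. The following checker is an added example, not part of the original tutorial; the host name, realm and service are the ones from the token `docker run` command above.

```python
"""Check the authentication challenge a registry advertises on /v2/."""
import re
import ssl
import urllib.request
from urllib.error import HTTPError

# Matches key="value" or key=value pairs inside a challenge header.
_PARAM_RE = re.compile(r'(\w+)=(?:"([^"]*)"|([^\s,]+))')


def parse_challenge(header):
    """Parse a WWW-Authenticate value such as
    'Bearer realm="https://host:5001/auth",service="Docker registry"'
    into {"scheme": "Bearer", "realm": ..., "service": ...}."""
    scheme, _, rest = header.strip().partition(" ")
    params = {k: (quoted or bare) for k, quoted, bare in _PARAM_RE.findall(rest)}
    params["scheme"] = scheme
    return params


def challenge_problems(params, expected):
    """Return mismatches between the advertised challenge and the values
    configured on the registry; an empty list means everything matches."""
    problems = [f"{key}: expected {want!r}, got {params.get(key)!r}"
                for key, want in expected.items() if params.get(key) != want]
    realm = params.get("realm", "")
    if params.get("scheme") == "Bearer" and not realm.startswith("https://"):
        problems.append("token realm is not https: credentials would be sent in clear")
    return problems


def fetch_challenge(registry, cafile=None):
    """GET https://<registry>/v2/ anonymously and return the parsed challenge.
    Raises if the registry does not answer 401 (e.g. auth is not enabled)."""
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        urllib.request.urlopen(f"https://{registry}/v2/", context=ctx, timeout=10)
    except HTTPError as err:
        if err.code != 401:
            raise
        return parse_challenge(err.headers["WWW-Authenticate"])
    raise RuntimeError("registry answered an anonymous request: no auth configured")


if __name__ == "__main__":
    # Values taken from the token variant's docker run command in section 2.
    expected = {"scheme": "Bearer",
                "realm": "https://ncyu-mil.ddns.net:5001/auth",
                "service": "Docker registry"}
    found = fetch_challenge("ncyu-mil.ddns.net")
    for line in challenge_problems(found, expected) or ["challenge matches configuration"]:
        print(line)
```

For the htpasswd variant set `expected` to `{"scheme": "Basic", "realm": "Registry Realm"}` instead.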
```console=
# Pull the image and add a tag
docker pull ubuntu:16.04
docker tag ubuntu:16.04 ncyu-mil.ddns.net/my-ubuntu
# Push the image
docker push ncyu-mil.ddns.net/my-ubuntu
# Remove the local images
docker image remove ubuntu:16.04
docker image remove ncyu-mil.ddns.net/my-ubuntu
# Pull the image back from the registry
docker pull ncyu-mil.ddns.net/my-ubuntu
```
```console=
# Log in first when the registry requires authentication
docker login ncyu-mil.ddns.net
```