# Self-hosted private Docker Registry (with TLS)

###### tags: `教學` `Docker Registry`

:::info
:boy: **Author:** neverleave0916
:mailbox_closed: **Contact: <neverleave0916@gmail.com>**
:point_right: **<font color="#B24B42">Last modified:** 2020/12/17 03:52</font>
:::

>- Docker Registry :video_game:
> - Software versions:

| Software | Version |
|:---------|:--------|
| Ubuntu   | 20.04   |
| Docker   | 19.03.8 |

## 1. Obtaining an SSL certificate automatically

https://letsencrypt.org/zh-tw/

#### GitHub: https://github.com/acmesh-official/acme.sh
#### Chinese tutorial (not used here): https://richarlin.tw/blog/ssl-acme-sh/

* Run acme.sh in docker: https://github.com/acmesh-official/acme.sh/wiki/Run-acme.sh-in-docker
* deploy to docker containers: https://github.com/acmesh-official/acme.sh/wiki/deploy-to-docker-containers
* A short introduction to running acme.sh in Docker to issue SSL certificates with automatic renewal (Chinese): https://zhuanlan.zhihu.com/p/45425683

Originally the container ran with `--net=host`; to keep port 80 from being taken by another process it now uses `-p 80:80`, so the container holds the port itself. The `--standalone` validation below (ACME HTTP-01) only works if port 80 on the public IP of `ncyu-mil.ddns.net` reaches this container.

#### Start the certificate micro-service

Once it is running, any command acme.sh supports can be executed inside this container.

```console=+
docker run --rm -itd \
  -v /mnt/MIL/share/docker/cert:/acme.sh \
  -p 80:80 \
  --name=acme.sh \
  neilpang/acme.sh daemon
```

#### Configure the domain

```console=+
# Issue a certificate for the domain (acme.sh starts a temporary web server for the validation)
docker exec acme.sh --issue -d ncyu-mil.ddns.net --standalone
# Let the micro-service upgrade itself automatically
docker exec acme.sh --upgrade --auto-upgrade
```

The issued files end up under `/mnt/MIL/share/docker/cert/ncyu-mil.ddns.net/` (`fullchain.cer` and `ncyu-mil.ddns.net.key`), which is the directory the registry mounts as `/certs` below. The daemon container renews the certificate by itself, but the registry does not pick up renewed files until it is restarted (`docker restart registry`). Keep the private key readable only by root (`chmod 600`), since the same directory is mounted into every container that needs it.

 

## 2. Starting the Docker Registry

#### docs: https://docs.docker.com/registry/deploying/

> `/var/lib/registry` is where the images are stored.

#### Version without authentication (tested OK)

Anyone who can reach port 443 can push and pull; use this only for testing the TLS setup.

```console=
docker run -d \
  --restart=always \
  --name registry \
  -v /mnt/MIL/share/docker/cert/ncyu-mil.ddns.net:/certs \
  -e REGISTRY_HTTP_ADDR=0.0.0.0:443 \
  -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/fullchain.cer \
  -e REGISTRY_HTTP_TLS_KEY=/certs/ncyu-mil.ddns.net.key \
  -p 443:443 \
  -v /mnt/MIL/share/docker/registry:/var/lib/registry \
  registry:2
```

#### htpasswd version (tested OK)

```console=
docker run -d \
  --restart=always \
  --name registry \
  -v /mnt/MIL/share/docker/auth:/auth \
  -e "REGISTRY_AUTH=htpasswd" \
  -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" \
  -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd \
  -v /mnt/MIL/share/docker/cert/ncyu-mil.ddns.net:/certs \
  -e REGISTRY_HTTP_ADDR=0.0.0.0:443 \
  -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/fullchain.cer \
  -e REGISTRY_HTTP_TLS_KEY=/certs/ncyu-mil.ddns.net.key \
  -p 443:443 \
  -v /mnt/MIL/share/docker/registry:/var/lib/registry \
  registry:2
```

#### token version (tested OK)

`REGISTRY_AUTH_TOKEN_ISSUER` and `REGISTRY_AUTH_TOKEN_SERVICE` must match the issuer and service configured in docker_auth (section 4) character for character: the registry compares them against the token's `iss` and `aud` claims and rejects the token otherwise. `REGISTRY_AUTH_TOKEN_ROOTCERTBUNDLE` must contain the certificate whose key docker_auth signs tokens with; this setup reuses the Let's Encrypt certificate that is also mounted into docker_auth.

```console=
docker run -d \
  --restart=always \
  --name registry \
  -e "REGISTRY_AUTH=token" \
  -e "REGISTRY_AUTH_TOKEN_REALM=https://ncyu-mil.ddns.net:5001/auth" \
  -e "REGISTRY_AUTH_TOKEN_SERVICE=Docker registry" \
  -e "REGISTRY_AUTH_TOKEN_ISSUER=Acme auth server" \
  -e "REGISTRY_AUTH_TOKEN_ROOTCERTBUNDLE=/certs/fullchain.cer" \
  -e "REGISTRY_AUTH_TOKEN_AUTOREDIRECT=false" \
  -v /mnt/MIL/share/docker/cert/ncyu-mil.ddns.net:/certs \
  -e REGISTRY_HTTP_ADDR=0.0.0.0:443 \
  -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/fullchain.cer \
  -e REGISTRY_HTTP_TLS_KEY=/certs/ncyu-mil.ddns.net.key \
  -p 443:443 \
  -v /mnt/MIL/share/docker/registry:/var/lib/registry \
  registry:2
```

## 3. Single-file (htpasswd) authentication for the docker registry

https://blog.scottchayaa.com/post/2018/08/07/create-docker-registry-services-and-web-ui-on-synology/

* Generate the htpasswd file

```console=
docker run --rm -ti xmartlabs/htpasswd <username> <password> > htpasswd
```

`registry:2` only accepts bcrypt entries in this file, so every line must look like `<username>:$2y$...` (`$2a$`/`$2b$` are also accepted); MD5 or SHA1 entries produced by other htpasswd tools make every login fail. Copy the file to `/mnt/MIL/share/docker/auth/htpasswd`, the path mounted as `/auth` above.

```console=
# Log in to the Docker Registry
docker login ncyu-mil.ddns.net
```

## 4. Authentication server (token authentication)

#### GitHub: https://github.com/cesanta/docker_auth

https://neverleave0916.com:5002/

Start the authentication server. It must listen with TLS on port 5001 because the registry's `REGISTRY_AUTH_TOKEN_REALM` points at `https://ncyu-mil.ddns.net:5001/auth`; the certificate directory is mounted as `/certs` so the config file can use it both for the listener and for signing tokens.

> `--v=2 --alsologtostderr` makes it print its logs

```console=
docker run \
  --rm -it --name docker_auth -p 5001:5001 \
  -v /mnt/MIL/share/docker_auth_service/config_dir:/config:ro \
  -v /mnt/MIL/share/docker_auth_service/docker_auth:/logs \
  -v /mnt/MIL/share/docker/cert/ncyu-mil.ddns.net:/certs \
  cesanta/docker_auth:1 \
  --v=2 --alsologtostderr \
  /config/auth_config.yml
```

[Configuration file](/uoCzXNY6T6eFnWiODIeauQ?both)

## Test steps

1. Pull the `ubuntu:16.04` image from Docker Hub.
2. Tag the image as `ncyu-mil.ddns.net/my-ubuntu`.
3. Push the image to the local registry running at `ncyu-mil.ddns.net`.
4. Remove the locally-cached `ubuntu:16.04` and `ncyu-mil.ddns.net/my-ubuntu` images, so that you can test pulling the image from your registry.

```console=
# Log in first when the registry requires authentication (htpasswd or token version)
docker login ncyu-mil.ddns.net
# Pull the image and add a tag
docker pull ubuntu:16.04
docker tag ubuntu:16.04 ncyu-mil.ddns.net/my-ubuntu
# Push the image
docker push ncyu-mil.ddns.net/my-ubuntu
# Remove the local images
docker image remove ubuntu:16.04
docker image remove ncyu-mil.ddns.net/my-ubuntu
# Pull the image back from the private registry
docker pull ncyu-mil.ddns.net/my-ubuntu
```
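Before (re)starting the registry from sections 1 to 3, the things that silently break it are a key that does not belong to the certificate, a certificate acme.sh renewed but the container never reloaded, a world-readable key in the shared cert directory, and an htpasswd file with non-bcrypt entries. The following preflight script checks all four on the host; it is an added example, not part of the original page or of acme.sh/registry. It assumes the page's paths (`/mnt/MIL/share/docker/cert/<domain>/` with acme.sh's `fullchain.cer` and `<domain>.key`, and `/mnt/MIL/share/docker/auth/htpasswd`) and needs `openssl` on the host.

```shell
#!/bin/sh
# registry_preflight.sh: host-side sanity checks before `docker run ... registry:2`.
# Added example; paths below mirror the page's layout and can be overridden.

# Exit 0 if the certificate and private key belong together (RSA and EC keys alike):
# compare the public key embedded in the certificate with the one derived from the key.
cert_matches_key() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Exit 0 unless the certificate expires within $2 days (default 14). A failure here
# after acme.sh has run usually means the registry container was never restarted.
cert_not_expiring() {
  openssl x509 -in "$1" -noout -checkend $(( ${2:-14} * 86400 )) >/dev/null
}

# Exit 0 if the private key is not group- or world-readable.
key_mode_ok() {
  mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
  case "$mode" in 600|400) return 0 ;; *) return 1 ;; esac
}

# Exit 0 if every non-empty line of the htpasswd file is `user:bcrypt-hash`.
# registry:2 accepts only bcrypt ($2a$/$2b$/$2y$); MD5/SHA1/crypt entries never log in.
htpasswd_is_bcrypt() {
  [ -s "$1" ] || return 1
  ! grep -vE '^[^:]+:\$2[aby]\$[0-9]{2}\$' "$1" | grep -q .
}

# Run every check against one certificate directory and one htpasswd file.
# $1: acme.sh output directory for the domain, $2: htpasswd file.
preflight() {
  certdir="${1:-/mnt/MIL/share/docker/cert/ncyu-mil.ddns.net}"
  authfile="${2:-/mnt/MIL/share/docker/auth/htpasswd}"
  cert="$certdir/fullchain.cer"
  key="$certdir/$(basename "$certdir").key"   # acme.sh names the key <domain>.key
  cert_matches_key "$cert" "$key" || { echo "FAIL: $key does not match $cert" >&2; return 1; }
  cert_not_expiring "$cert" 14    || { echo "FAIL: $cert expires within 14 days; renew and restart the registry" >&2; return 1; }
  key_mode_ok "$key"              || { echo "FAIL: $key is readable by others; chmod 600 it" >&2; return 1; }
  htpasswd_is_bcrypt "$authfile"  || { echo "FAIL: $authfile has non-bcrypt entries; registry:2 accepts bcrypt only" >&2; return 1; }
  echo "OK: certificate, key and htpasswd look sane"
}

# Usage: ./registry_preflight.sh --run [certdir] [htpasswd]
if [ "${1:-}" = "--run" ]; then
  preflight "$2" "$3"
fi
```

Run it from cron together with the acme.sh renewal so a stale certificate is noticed before clients start failing TLS verification; the htpasswd check is only relevant for the htpasswd version of the registry and can be dropped for the token version.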
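The token version of the registry (section 2) and docker_auth (section 4) only work together when three strings line up: the realm the registry advertises, and the issuer and service that docker_auth puts into the `iss` and `aud` claims of the tokens it signs. The script below walks through the exchange a client performs (401 challenge, token request on the realm, Bearer replay) and decodes a token to compare its claims with the registry's `REGISTRY_AUTH_TOKEN_ISSUER`/`_SERVICE`. It is an added example, not code from the page or from docker_auth; the sample challenge and the token in the test are constructed (the token carries a dummy signature, and no signature is verified here). The `live_exchange` function assumes a running registry at the page's hostname and a user known to docker_auth.

```shell
#!/bin/sh
# token_auth_debug.sh: reproduce the token-auth exchange by hand and check
# whether a token's iss/aud match what the registry was started with.
# Added example; the sample challenge below is constructed for illustration.

# Pull one attribute (realm, service, scope, error) out of a
# `Bearer realm="...",service="...",scope="..."` WWW-Authenticate value.
challenge_attr() {
  printf '%s' "$1" | sed -n "s/.*[ ,]$2=\"\([^\"]*\)\".*/\1/p"
}

# Percent-encode a query-string value (RFC 3986 unreserved characters pass through).
urlencode() {
  printf '%s' "$1" | od -An -v -tx1 | tr -s ' \n' '\n' | grep . | while read -r h; do
    c=$(printf "\\$(printf '%03o' "0x$h")")
    case "$c" in [A-Za-z0-9._~-]) printf '%s' "$c" ;; *) printf '%%%s' "$h" ;; esac
  done
}

# Build the URL a client calls on the realm to obtain a token for one scope,
# e.g. repository:my-ubuntu:pull. The service name contains a space on this page,
# which is why the values are encoded.
token_url() {
  realm=$(challenge_attr "$1" realm)
  service=$(challenge_attr "$1" service)
  printf '%s?service=%s&scope=%s' "$realm" "$(urlencode "$service")" "$(urlencode "$2")"
}

# Decode the JWT payload (base64url, padding restored). Nothing is verified here.
jwt_payload() {
  p=$(printf '%s' "$1" | cut -d. -f2 | tr '_-' '/+')
  case $(( ${#p} % 4 )) in 2) p="$p==" ;; 3) p="$p=" ;; esac
  printf '%s' "$p" | base64 -d
}

# Read one string-valued claim from a flat JSON object.
json_str() {
  printf '%s' "$1" | sed -n "s/.*\"$2\":\"\([^\"]*\)\".*/\1/p"
}

# The registry checks iss against REGISTRY_AUTH_TOKEN_ISSUER and aud against
# REGISTRY_AUTH_TOKEN_SERVICE; a mismatch (even in case or whitespace) means the
# registry rejects a token that docker_auth issued without complaint.
token_matches_registry() {
  payload=$(jwt_payload "$1")
  [ "$(json_str "$payload" iss)" = "$2" ] && [ "$(json_str "$payload" aud)" = "$3" ]
}

# Live exchange (needs network and the token-version registry from section 2):
# 1. unauthenticated GET /v2/<repo>/tags/list -> 401 with the Bearer challenge
# 2. GET realm?service=...&scope=... with basic auth -> {"token":"..."}
# 3. replay the request with Authorization: Bearer <token>
live_exchange() {
  registry="$1" repo="$2" user="$3" pass="$4"
  challenge=$(curl -s -D - -o /dev/null "https://$registry/v2/$repo/tags/list" | tr -d '\r' \
              | sed -n 's/^[Ww][Ww][Ww]-[Aa]uthenticate: //p')
  token=$(curl -s -u "$user:$pass" "$(token_url "$challenge" "repository:$repo:pull")" \
          | json_str "$(cat)" token)
  token_matches_registry "$token" "Acme auth server" "Docker registry" \
    || echo "warning: token iss/aud differ from the registry's ISSUER/SERVICE" >&2
  curl -s -H "Authorization: Bearer $token" "https://$registry/v2/$repo/tags/list"
}

# Constructed sample: the challenge the page's registry would send for a pull of my-ubuntu.
SAMPLE_CHALLENGE='Bearer realm="https://ncyu-mil.ddns.net:5001/auth",service="Docker registry",scope="repository:my-ubuntu:pull"'

# Usage: ./token_auth_debug.sh --live ncyu-mil.ddns.net my-ubuntu <user> <password>
if [ "${1:-}" = "--live" ]; then
  live_exchange "$2" "$3" "$4" "$5"
else
  echo "token URL: $(token_url "$SAMPLE_CHALLENGE" "repository:my-ubuntu:pull")"
fi
```

When `docker login` succeeds but `docker pull` fails against the token version, run the live exchange once: if step 2 returns a token but step 3 still answers 401, the warning from `token_matches_registry` points at the configuration value to fix.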