First, create a certificate for the domain name or hostname of the registry. A self-signed certificate can be used, because on an intranet trust is not a problem; for the self-signing process, refer to "Configuring Nginx HTTPS with a self-signed certificate".
Once the certificate is ready, we deploy the registry. Registry V2 has been released, so we use V2 for this deployment test. The Docker daemon must be running before deployment.
1. Copy the certificate to /etc/docker/certs.d/${domain}/ca.crt. Note that the domain directory is the registry's domain name or hostname, which is also the Common Name entered when the certificate was created.
#] cp web1.crt /etc/docker/certs.d/web1\:5000/ca.crt
Then restart the Docker daemon.
2. Pull the official registry image
#] docker pull registry:2    ## docker pull registry:latest
3. Run the registry container:
#] docker run -d -p 5000:5000 --restart=always --name registry \
  -v /root/ssl:/certs \
  -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/web1.crt \
  -e REGISTRY_HTTP_TLS_KEY=/certs/web1.key \
  registry:2
Note: /root/ssl in the -v parameter is the host directory where the certificate and key reside.
4. Test pushing an image to the registry
Tag the image you want to push to the registry
#] docker tag registry:2 web1:5000/registry
Push the image
After the push finishes, you can run docker pull web1:5000/registry locally.
5. Pull the image on another machine. First copy the certificate to that machine's /etc/docker/certs.d/web1:5000/ directory
Rename it to ca.crt, and then restart the Docker daemon
Run the docker pull web1:5000/registry command:
The pull succeeds, and the registry deployment is complete.
Problem encountered: "x509: certificate signed by unknown authority" appears on push and pull.
The main cause is that the certificate was not copied to the /etc/docker/certs.d/web1:5000 directory; the certificate also needs to be renamed to ca.crt.
Of course, you also have to make sure that the certificate itself has no problems.
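A pre-flight check for the client-side layout described above, as an added example that is not from the original article. The function name check_registry_ca, its return codes and the overridable root directory are assumptions of this example; it inspects the file layout only and does not validate the certificate chain.

```shell
#!/bin/sh
# Added example: diagnose the per-registry CA layout the Docker client reads.
# check_registry_ca REGISTRY [CERTS_ROOT]
#   REGISTRY    host:port exactly as used in image names, e.g. web1:5000
#   CERTS_ROOT  defaults to /etc/docker/certs.d (overridable for testing)
# Return codes (chosen for this example):
#   0 ok, 1 directory missing, 2 directory exists without the port,
#   3 ca.crt missing, 4 ca.crt is not a PEM certificate
check_registry_ca() {
    registry=$1
    root=${2:-/etc/docker/certs.d}
    dir=$root/$registry
    host=${registry%%:*}

    if [ ! -d "$dir" ]; then
        # Common slip: directory created as "web1" while images use "web1:5000".
        if [ "$host" != "$registry" ] && [ -d "$root/$host" ]; then
            echo "found $root/$host but images use $registry; rename the directory" >&2
            return 2
        fi
        echo "missing directory $dir" >&2
        return 1
    fi
    if [ ! -f "$dir/ca.crt" ]; then
        # Certificate copied under its original name (e.g. web1.crt) or not at all.
        others=$(ls "$dir" 2>/dev/null | tr '\n' ' ')
        echo "no ca.crt in $dir (found: ${others:-nothing})" >&2
        return 3
    fi
    if ! grep -q -e '-----BEGIN CERTIFICATE-----' "$dir/ca.crt"; then
        # A private key or a DER-encoded file was copied instead of the PEM cert.
        echo "$dir/ca.crt is not a PEM certificate" >&2
        return 4
    fi
    echo "ok: $dir/ca.crt"
    return 0
}
```

Run it as check_registry_ca web1:5000 on each client before pulling; a non-zero result points at the layout mistake to fix before restarting the Docker daemon.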
This article is from the "JC" blog, be sure to keep this source http://jackeychen.blog.51cto.com/7354471/1836602
Intranet deployment support for SSL-enabled Docker registry