Private Docker registry with a self-signed certificate

Question (votes: 4, answers: 3)

I want to run a private Docker registry that is widely reachable, so that I can push and pull images from other servers.

I am following these tutorials: doc1 doc2

I did 3 steps. First I created the certificate and key (as CNAME I filled in the ec2-hostname):

mkdir -p certs && openssl req \
  -newkey rsa:4096 -nodes -sha256 -keyout certs/domain.key \
  -x509 -days 365 -out certs/domain.crt

Then I created the Docker registry using this key:

docker run -d -p 5000:5000 --restart=always --name registry \
  -v `pwd`/certs:/certs \
  -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt \
  -e REGISTRY_HTTP_TLS_KEY=/certs/domain.key \
  registry:2

Then I copied the content of domain.crt to /etc/docker/certs.d/ec2-xx-xx-xx-xx.compute.amazonaws.com:5000/ca.crt and restarted docker (sudo service docker restart). When I try to push an image I get the following error:

unable to ping registry endpoint https://ec2-xx-xx-xx-xx.compute.amazonaws.com:5000/v0/
v2 ping attempt failed with error: Get https://ec2-xx-xx-xx-xx.compute.amazonaws.com:5000/v2/: net/http: TLS handshake timeout
v1 ping attempt failed with error: Get https://ec2-xx-xx-xx-xx.compute.amazonaws.com:5000/v1/_ping: net/http: TLS handshake timeout

I really don't know what I'm missing or doing wrong. Can someone help me? Thanks.

Tags: docker self-signed docker-registry

3 answers

1 vote

I'm not sure whether you copy/pasted the pwd directly..., but the file path should be /etc/docker/certs.d

You currently have etc/docker/cert.d/registry.ip:5000/domain.crt


0 votes

The error message says "TLS handshake timeout". This indicates that either no process is listening on port 5000 (check with netstat), or the port is closed from the place you are trying to push the image from (open the port in the AWS security group).


0 votes

What I have seen is that docker login is more sensitive than a browser to a properly made self-signed certificate. I'll note an interesting gotcha at the very bottom, so read all the way through.

According to this site: https://jamielinux.com/docs/openssl-certificate-authority/create-the-root-pair.html

Bash# openssl x509 -noout -text -in ca.crt
            X509v3 Basic Constraints: critical
                CA:TRUE

^ You should see something like this, meaning you have configured the certificate correctly. Following random how-to guides on the web I was able to generate ca.crt and website.crt; when I ran the command above I did not see that output, but I noticed: if I imported the certificate as a trusted cert on Mac or Win, my browser was happy and said yep, valid certificate, but docker login on RHEL7 complained with a message like:

x509: certificate signed by unknown authority

I tried the directions related to using /etc/docker/certs.d/mydockerrepo.lan:5000/ca.crt at https://docs.docker.com/engine/security/certificates/ and it gave me a better error message (which is what got me to find the site above in the first place):

x509: certificate signed by unknown authority (possibly because of "x509: invalid signature: parent certificate cannot sign this kind of certificate" while trying to verify candidate authority certificate

After two days of messing around I figured it out. When I was learning programming I was taught the concept of a short self-contained example, so in the spirit of trying out ansible here, and leveraging the built-in openssl modules: I'm running the latest ansible 2.9, but in theory this should work for ansible 2.5++:

Short self-contained example:

#Name this file generatecertificates.playbook.yml
#Run using Bash# ansible-playbook generatecertificates.playbook.yml
#
#What to Expect:
#Run Self Contained Stand Alone Ansible Playbook --Get-->
# currentworkingdir/certs/
#                         ca.crt
#                         ca.key
#                         mydockerrepo.private.crt
#                         mydockerrepo.private.key
#
#PreReq Ansible 2.5++
#PreReq Bash# pip3 install cryptography >= 1.6 or PyOpenSSL > 0.15 (if using selfsigned provider)
---
- hosts: localhost
  connection: local
  gather_facts: no
  vars:
    caencryptionpassword: "myrootcaencryptionpassword"
    dockerepodns: "mydockerrepo.private"
    rootcaname: "My Root CA"

  tasks:
  - name: get current working directory
    shell: pwd
    register: pathvar
  - debug: var=pathvar.stdout

  - name: Make sub directory
    file:
      path: "{{pathvar.stdout}}/certs"
      state: directory
    register: certsoutputdir
  - debug: var=certsoutputdir.path

  # Root CA. The critical CA:TRUE basic constraint on the CSR is what makes
  # docker login (Go's x509 verifier) accept the chain; browsers are more lenient.
  - name: "Generate Root CA's Encrypted Private Key"
    openssl_privatekey:
      size: 4096
      path: "{{certsoutputdir.path}}/ca.key"
      cipher: auto
      passphrase: "{{caencryptionpassword}}"
  - name: "Generate Root CA's Self Signed Certificate Signing Request"
    openssl_csr:
      path: "{{certsoutputdir.path}}/ca.csr"
      privatekey_path: "{{certsoutputdir.path}}/ca.key"
      privatekey_passphrase: "{{caencryptionpassword}}"
      common_name: "{{rootcaname}}"
      basic_constraints_critical: yes
      basic_constraints: ['CA:TRUE']
  - name: "Generate Root CA's Self Signed Certificate"
    openssl_certificate:
      path: "{{certsoutputdir.path}}/ca.crt"
      csr_path: "{{certsoutputdir.path}}/ca.csr"
      provider: selfsigned
      # Note: Mac won't trust a 10-year cert by default due to https://support.apple.com/en-us/HT210176,
      # but you can explicitly trust it to make it work.
      selfsigned_not_after: "+3650d"
      privatekey_path: "{{certsoutputdir.path}}/ca.key"
      privatekey_passphrase: "{{caencryptionpassword}}"
    register: cacert
  - debug: var=cacert

  # Registry (leaf) certificate, signed by the root CA above. The SAN must carry
  # the registry DNS name; docker matches the hostname against the SAN, not the CN.
  - name: "Generate Docker Repo's Private Key"
    openssl_privatekey:
      size: 4096
      path: "{{certsoutputdir.path}}/{{dockerepodns}}.key"
  - name: "Generate Docker Repo's Certificate Signing Request"
    openssl_csr:
      path: "{{certsoutputdir.path}}/{{dockerepodns}}.csr"
      privatekey_path: "{{certsoutputdir.path}}/{{dockerepodns}}.key"
      common_name: "{{dockerepodns}}"
      subject_alt_name:
        - "DNS:{{dockerepodns}}"
        - "DNS:localhost"
        - "IP:127.0.0.1"
  - name: "Generate Docker Repo's Cert, signed by Root CA"
    openssl_certificate:
      path: "{{certsoutputdir.path}}/{{dockerepodns}}.crt"
      csr_path: "{{certsoutputdir.path}}/{{dockerepodns}}.csr"
      provider: ownca
      ownca_not_after: "+365d" #Cert valid 1 year
      ownca_path: "{{certsoutputdir.path}}/ca.crt"
      ownca_privatekey_path: "{{certsoutputdir.path}}/ca.key"
      ownca_privatekey_passphrase: "{{caencryptionpassword}}"
    register: repocert
  - debug: var=repocert

Interesting gotcha / final step:

RHEL7Bash# sudo cp ca.crt /etc/pki/ca-trust/source/anchors/ca.crt
RHEL7Bash# sudo update-ca-trust
RHEL7Bash# sudo systemctl restart docker

The gotcha is that you have to restart docker for docker login to pick up the update to the CAs newly added to the system.
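An added example (not part of the answer above) showing in Go, the language Docker's TLS client is written in, why the CA:TRUE basic constraint matters: a root CA generated without it signs the registry certificate fine, yet crypto/x509 refuses to build a chain through it and produces exactly the "parent certificate cannot sign this kind of certificate" hint quoted above. The hostname mydockerrepo.private is the answer's own placeholder; Ed25519 keys are used only to keep the demo fast.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// Placeholder registry hostname from the answer; it must appear in the leaf's SAN.
const registryHost = "mydockerrepo.private"

// makeCert signs tmpl under parent with the parent's private key and parses the result.
func makeCert(tmpl, parent *x509.Certificate, pub, parentKey any) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// VerifyRegistryCert builds a root CA with or without the CA:TRUE basic constraint,
// signs a registry leaf with it, and returns the error Docker's Go TLS client would report.
func VerifyRegistryCert(caHasBasicConstraints bool) error {
	caPub, caKey, _ := ed25519.GenerateKey(rand.Reader)
	leafPub, _, _ := ed25519.GenerateKey(rand.Reader)
	now := time.Now()
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "My Root CA"},
		NotBefore: now, NotAfter: now.Add(3650 * 24 * time.Hour),
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
		// With both false the CA carries no basic constraints extension at all.
		BasicConstraintsValid: caHasBasicConstraints, IsCA: caHasBasicConstraints,
	}
	ca := makeCert(caTmpl, caTmpl, caPub, caKey)
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: registryHost},
		DNSNames: []string{registryHost}, // SAN; Go ignores the CN for hostname checks
		NotBefore: now, NotAfter: now.Add(365 * 24 * time.Hour),
	}
	leaf := makeCert(leafTmpl, ca, leafPub, caKey)
	roots := x509.NewCertPool() // plays the role of ca.crt in /etc/docker/certs.d
	roots.AddCert(ca)
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: registryHost, Roots: roots})
	return err
}
```

Running VerifyRegistryCert(false) returns the "certificate signed by unknown authority (possibly because of ... parent certificate cannot sign this kind of certificate ...)" error, while VerifyRegistryCert(true) returns nil.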
