Setting up a Docker Container Registry with Podman and Let's Encrypt SSL

With a private registry for container images you control everything yourself and can work locally in a secure way. Build container images on any machine, then push them to the local container registry with the Docker or Podman CLI. This guide shows how to create a local Docker container image registry with Podman.

Podman is a daemonless container engine for developing, managing and running OCI containers on Linux systems. There are several guides on installing Podman:

Install Podman on CentOS 8

Install Podman on CentOS 7 / Fedora

Install Podman on Ubuntu

Install Podman on Debian

Once Podman is installed, you can use it to build a local Docker registry.

Step 1: Create a domain for the Docker registry

Create a subdomain for the container registry, registry.computingforgeeks.com, by updating your DNS records.

Once the record has propagated, verify that it resolves.

$ dig A registry.computingforgeeks.com

; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el8 <<>> A registry.computingforgeeks.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23567
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;registry.computingforgeeks.com.	IN	A

;; ANSWER SECTION:
registry.computingforgeeks.com.	300 IN	A	159.69.179.51

;; Query time: 14 msec
;; SERVER: 213.133.98.98#53(213.133.98.98)
;; WHEN: Thu Jan 16 11:25:14 CET 2020
;; MSG SIZE  rcvd: 75

Step 2: Create an insecure registry

You can do this if you host the domain locally or run a registry without an SSL certificate, but it is not recommended for production environments.

Make sure podman is installed.

$ podman version
Version:            1.4.2-stable2
RemoteAPI Version:  1
Go Version:         go1.12.8
OS/Arch:            linux/amd64

Create a container data directory.

sudo mkdir -p /var/lib/registry

Create an insecure private registry as follows:

podman run --privileged -d \
  --name registry \
  -p 5000:5000 \
  -v /var/lib/registry:/var/lib/registry \
  --restart=always \
  registry:2
  • Registry contents are saved to /var/lib/registry on the host system.

Here is the output from my run:

Trying to pull docker.io/library/registry:2...Getting image source signatures
Copying blob c87736221ed0 done
Copying blob e8afc091c171 done
Copying blob 54d33bcb37f5 done
Copying blob b4541f6d3db6 done
Copying blob 1cc8e0bb44df done
Copying config f32a97de94 done
Writing manifest to image destination
Storing signatures
c99542d2802a85825cf75ecfa9ee34b5d4184b70f36acf110f75beaa4120b2aa

Check that the registry container is running.

$ podman ps
CONTAINER ID  IMAGE                         COMMAND               CREATED        STATUS            PORTS                   NAMES
c99542d2802a  docker.io/library/registry:2  /entrypoint.sh /e...  3 minutes ago  Up 3 minutes ago  0.0.0.0:5000->5000/tcp  registry

Using the insecure registry

By default, Docker and Podman clients try to reach a registry over HTTPS. Because this registry serves plain HTTP, a few changes are needed before the clients will use the insecure registry.

For Podman, edit the /etc/containers/registries.conf file and add the insecure registry to the [registries.insecure] block.

$ sudo vi /etc/containers/registries.conf
[registries.insecure]
registries = ['myregistry.local','registry.computingforgeeks.com:5000']

For Docker, edit /etc/sysconfig/docker and add the --insecure-registry option.

OPTIONS='--insecure-registry registry.computingforgeeks.com:5000 --selinux-enabled .....' 

After the change, restart the Docker service.

sudo systemctl restart docker

Test the registry:

$ podman pull hello-world
$ podman  images
REPOSITORY                      TAG      IMAGE ID       CREATED         SIZE
docker.io/library/hello-world   latest   fce289e99eb9   12 months ago   6.14 kB
$ podman tag docker.io/library/hello-world registry.computingforgeeks.com:5000/hello-world
$ podman images
REPOSITORY                                        TAG      IMAGE ID       CREATED         SIZE
docker.io/library/hello-world                     latest   fce289e99eb9   12 months ago   6.14 kB
registry.computingforgeeks.com:5000/hello-world   latest   fce289e99eb9   12 months ago   6.14 kB

$ podman push registry.computingforgeeks.com:5000/hello-world
Getting image source signatures
Copying blob af0b15c8625b done
Copying config fce289e99e done
Writing manifest to image destination
Storing signatures

Check the registry contents on the registry server host.

$ ls /var/lib/registry/docker/registry/v2/repositories/
hello-world

You can pull the image on another host by running:

podman pull registry.computingforgeeks.com:5000/hello-world
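Listing /var/lib/registry only works on the registry host itself. The registry also exposes its contents through the Docker Registry HTTP API (/v2/_catalog and /v2/<name>/tags/list), which any client that can reach port 5000 can query. The script below is an added example, not part of the original post: the helper names and the sample JSON in the comments are constructed for it, and the pure-shell JSON extraction assumes the flat one-level arrays the registry returns.

```shell
#!/bin/sh
# Added example (not from the original post): verify what the registry holds
# through its HTTP API instead of reading /var/lib/registry on the host.
# Helper names are hypothetical; the API paths are the Docker Registry v2 API.

# parse_json_list JSON KEY: print the string elements of the JSON array stored
# under KEY, one per line. Handles the flat documents the registry returns,
# e.g. {"repositories":["hello-world","nginx"]} (constructed sample).
parse_json_list() {
    printf '%s' "$1" |
        sed -n "s/.*\"$2\"[[:space:]]*:[[:space:]]*\[\([^]]*\)\].*/\1/p" |
        tr ',' '\n' | tr -d '" ' | sed '/^$/d'
}

# registry_url HOST [SCHEME]: base URL of the registry. Use http for the
# insecure registry of Step 2 and https once TLS is enabled.
registry_url() {
    printf '%s://%s' "${2:-http}" "$1"
}

# registry_repos HOST [SCHEME]: repositories via /v2/_catalog (needs network).
registry_repos() {
    parse_json_list "$(curl -fsS "$(registry_url "$1" "$2")/v2/_catalog")" repositories
}

# registry_tags HOST REPO [SCHEME]: tags of one repository via /v2/REPO/tags/list.
registry_tags() {
    parse_json_list "$(curl -fsS "$(registry_url "$1" "$3")/v2/$2/tags/list")" tags
}

# Usage (not run automatically):
#   registry_repos registry.computingforgeeks.com:5000
#   registry_tags  registry.computingforgeeks.com:5000 hello-world
#   registry_repos registry.computingforgeeks.com:5000 https   # after Step 3
```

A successful push shows up in the catalog immediately; an unexpected repository name in that list is the quickest sign that someone else can push to an unauthenticated registry, which is why the insecure setup belongs on a trusted network only.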

Step 3: Obtain Let's Encrypt certificates and create a secure registry

Create a container data directory.

sudo mkdir -p /var/lib/registry

Install the certbot-auto tool, which is used to obtain a Let's Encrypt SSL certificate for the registry.

wget https://dl.eff.org/certbot-auto
chmod a+x certbot-auto
sudo mv certbot-auto /usr/local/bin/certbot-auto
sudo firewall-cmd --add-service https --permanent
sudo firewall-cmd --reload

Obtain a Let's Encrypt SSL certificate.

export DOMAIN="registry.computingforgeeks.com"
export EMAIL="[email protected]"
sudo /usr/local/bin/certbot-auto --standalone certonly -d $DOMAIN --preferred-challenges http --agree-tos -n -m $EMAIL --keep-until-expiring

  • Set the domain name and email address to your own values.

The output shows where the certificate and private key were saved.

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for registry.computingforgeeks.com
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/registry.computingforgeeks.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/registry.computingforgeeks.com/privkey.pem
   Your cert will expire on 2020-04-15. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot-auto
   again. To non-interactively renew *all* of your certificates, run
   "certbot-auto renew"
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Set up a cron job to renew the certificate automatically.

# crontab -e
00 3 * * * /usr/local/bin/certbot-auto renew --quiet

Next, create a secure container registry.

export REG_DOMAIN="registry.computingforgeeks.com"
podman run --privileged -d \
  --name registry \
  -p 5000:5000 \
  -v /var/lib/registry:/var/lib/registry \
  -v /etc/letsencrypt/live/${REG_DOMAIN}/fullchain.pem:/certs/fullchain.pem \
  -v /etc/letsencrypt/live/${REG_DOMAIN}/privkey.pem:/certs/privkey.pem \
  -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/fullchain.pem \
  -e REGISTRY_HTTP_TLS_KEY=/certs/privkey.pem \
  registry:2

Check that the container started successfully.

$ podman ps 
CONTAINER ID  IMAGE                         COMMAND               CREATED        STATUS            PORTS                   NAMES
d5ee3ead9d77  docker.io/library/registry:2  /entrypoint.sh /e...  7 seconds ago  Up 7 seconds ago  0.0.0.0:5000->5000/tcp  registry

Check that it works:

$ podman pull nginx
$ podman images
REPOSITORY                TAG      IMAGE ID       CREATED      SIZE
docker.io/library/nginx   latest   c7460dfcab50   6 days ago   130 MB

$ podman tag docker.io/library/nginx registry.computingforgeeks.com:5000/nginx
$ podman images
REPOSITORY                                  TAG      IMAGE ID       CREATED      SIZE
docker.io/library/nginx                     latest   c7460dfcab50   6 days ago   130 MB
registry.computingforgeeks.com:5000/nginx   latest   c7460dfcab50   6 days ago   130 MB

$ podman push registry.computingforgeeks.com:5000/nginx
Getting image source signatures
Copying blob 17fde96446df done
Copying blob c26e88311e71 done
Copying blob 556c5fb0d91b done
Copying config c7460dfcab done
Writing manifest to image destination
Storing signatures
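Two things are easy to get wrong with the TLS-enabled registry: starting it before the certificate files exist (the container then exits immediately), and the renewal. The bind mounts resolve the /etc/letsencrypt/live symlinks when the container starts, so after certbot renews the certificate the running container keeps serving the old one until it is restarted. The script below is an added example, not code from the original post: it wraps the podman run command from Step 3 in pre-flight checks on the certificate files (existence, and that the private key is not world-readable) and shows the renewal hook. Function names, the REG_DOMAIN and LE_LIVE_DIR variables are this example's own; certbot's --deploy-hook option and podman's :ro mount flag are real.

```shell
#!/bin/sh
# Added example (not from the original post): pre-flight checks before
# starting the TLS-enabled registry, plus a renewal hook that restarts the
# container so it picks up the renewed certificate.
# REG_DOMAIN, LE_LIVE_DIR and the function names are hypothetical helpers.

REG_DOMAIN="${REG_DOMAIN:-registry.computingforgeeks.com}"
LE_LIVE_DIR="${LE_LIVE_DIR:-/etc/letsencrypt/live}"

# check_tls_files DIR: return 0 only if DIR/fullchain.pem and DIR/privkey.pem
# are readable and the private key is not readable by "other".
check_tls_files() {
    dir="$1"
    for f in fullchain.pem privkey.pem; do
        if [ ! -r "$dir/$f" ]; then
            echo "missing or unreadable: $dir/$f" >&2
            return 1
        fi
    done
    # certbot creates privkey.pem with mode 0600; a world-readable key means
    # something changed the permissions and the key should be treated as exposed.
    if [ -n "$(find "$dir/privkey.pem" -perm -o+r 2>/dev/null)" ]; then
        echo "refusing to start: $dir/privkey.pem is world-readable" >&2
        return 2
    fi
    return 0
}

# registry_run_cmd DOMAIN: print the Step 3 podman run command on one line,
# with the certificate mounts read-only, so it can be reviewed or eval'ed.
registry_run_cmd() {
    d="$1"
    printf '%s' "podman run --privileged -d --name registry -p 5000:5000 \
-v /var/lib/registry:/var/lib/registry \
-v ${LE_LIVE_DIR}/${d}/fullchain.pem:/certs/fullchain.pem:ro \
-v ${LE_LIVE_DIR}/${d}/privkey.pem:/certs/privkey.pem:ro \
-e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/fullchain.pem \
-e REGISTRY_HTTP_TLS_KEY=/certs/privkey.pem registry:2"
}

# Renewal: replace the plain "renew" crontab entry with one that restarts the
# container only when a certificate was actually renewed:
#   00 3 * * * /usr/local/bin/certbot-auto renew --quiet --deploy-hook "podman restart registry"

# Usage: ./start-registry.sh start
if [ "${1:-}" = "start" ]; then
    check_tls_files "$LE_LIVE_DIR/$REG_DOMAIN" || exit $?
    eval "$(registry_run_cmd "$REG_DOMAIN")"
fi
```

After a renewal you can confirm the container serves the new certificate by comparing the expiry shown by openssl s_client -connect registry.computingforgeeks.com:5000 with the date in the renewed fullchain.pem; if they differ, the restart did not happen.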

You can now use the registry across your infrastructure. If you need a more advanced registry, check out:

Install Harbor Docker Image Registry on CentOS / Debian / Ubuntu

How to set up a Red Hat Quay registry on CentOS / RHEL / Ubuntu

More on Podman:

How to publish Docker images to Docker Hub with Podman

How to run Docker containers with Podman and Libpod
