Setting up a Docker container registry with Podman and SSL encryption

Posted: 2020-02-23 14:30:19  Source: igfitidea

A private container image registry lets us work securely on our own infrastructure, since we control everything. With a container registry we can build container images on any machine and push them to the local registry with the Docker or Podman CLI. This tutorial shows how to create a local Docker container image registry with Podman.

Podman is a daemonless container engine for developing, managing and running OCI containers on Linux systems.

Once Podman is installed, we can go ahead and use it to build a local Docker registry.

Create a domain for the Docker registry

Create a subdomain, registry.theitroad.local, for the container registry and update its DNS record.

Once the record is in place, confirm that it has propagated.

$ dig A registry.theitroad.local

; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el8 <<>> A registry.theitroad.local
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23567
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;registry.theitroad.local.	IN	A

;; ANSWER SECTION:
registry.theitroad.local.	300 IN	A	159.69.179.51

;; Query time: 14 msec
;; SERVER: 213.133.98.98#53(213.133.98.98)
;; WHEN: Thu Jan 16 11:25:14 CET 2017
;; MSG SIZE  rcvd: 75

Create an insecure registry

If you host the domain locally, or want to run the registry without an SSL certificate, you can do so, although it is not recommended for production.

Confirm that podman is installed:

$ podman version
Version:            1.4.2-stable2
RemoteAPI Version:  1
Go Version:         go1.12.8
OS/Arch:            linux/amd64

Create the container data directory.

sudo mkdir -p /var/lib/registry

Create the insecure private registry as follows:

podman run --privileged -d \
  --name registry \
  -p 5000:5000 \
  -v /var/lib/registry:/var/lib/registry \
  --restart=always \
  registry:2

The registry contents will be stored under /var/lib/registry on the host system.

Here is the output from my run:

Trying to pull docker.io/library/registry:2...
Getting image source signatures
Copying blob c87736221ed0 done
Copying blob e8afc091c171 done
Copying blob 54d33bcb37f5 done
Copying blob b4541f6d3db6 done
Copying blob 1cc8e0bb44df done
Copying config f32a97de94 done
Writing manifest to image destination
Storing signatures
c99542d2802a85825cf75ecfa9ee34b5d4184b70f36acf110f75beaa4120b2aa

Check that the registry container is running.

$ podman ps
CONTAINER ID  IMAGE                         COMMAND               CREATED        STATUS            PORTS                   NAMES
c99542d2802a  docker.io/library/registry:2  /entrypoint.sh /e...  3 minutes ago  Up 3 minutes ago  0.0.0.0:5000->5000/tcp  registry

Using the insecure registry

By default the Docker and Podman clients try to reach a registry over HTTPS. Because our registry speaks plain HTTP, a few changes are needed before the clients will use it as an insecure registry.

For Podman, edit /etc/containers/registries.conf and add the insecure registry under the [registries.insecure] block.

$ sudo vi /etc/containers/registries.conf
[registries.insecure]
registries = ['myregistry.local','registry.theitroad.local:5000']

For Docker, edit /etc/sysconfig/docker and add the insecure-registry option.

OPTIONS='--insecure-registry registry.theitroad.local:5000 --selinux-enabled .....'

After making the change, restart the docker service.

sudo systemctl restart docker

Test the registry:

$ podman pull hello-world
$ podman images
REPOSITORY                      TAG      IMAGE ID       CREATED         SIZE
docker.io/library/hello-world   latest   fce289e99eb9   12 months ago   6.14 kB
$ podman tag docker.io/library/hello-world registry.theitroad.local:5000/hello-world
$ podman images
REPOSITORY                                  TAG      IMAGE ID       CREATED         SIZE
docker.io/library/hello-world               latest   fce289e99eb9   12 months ago   6.14 kB
registry.theitroad.local:5000/hello-world   latest   fce289e99eb9   12 months ago   6.14 kB

$ podman push registry.theitroad.local:5000/hello-world
Getting image source signatures
Copying blob af0b15c8625b done
Copying config fce289e99e done
Writing manifest to image destination
Storing signatures

Check the registry contents on the registry server host.

$ ls /var/lib/registry/docker/registry/v2/repositories/
hello-world

On other hosts, the image can then be pulled with:

podman pull registry.theitroad.local:5000/hello-world

Create a secure registry with a Let's Encrypt certificate

Create the container data directory.

sudo mkdir -p /var/lib/registry

Install the certbot-auto tool, which makes it easy to obtain a Let's Encrypt SSL certificate for our registry, and open the firewall for HTTP (the standalone http-01 challenge used below answers on port 80) and HTTPS.

wget https://dl.eff.org/certbot-auto
chmod a+x certbot-auto
sudo mv certbot-auto /usr/local/bin/certbot-auto
sudo firewall-cmd --add-service http --permanent
sudo firewall-cmd --add-service https --permanent
sudo firewall-cmd --reload

Obtain the Let's Encrypt SSL certificate:

export DOMAIN="registry.theitroad.local"
export EMAIL="theitroad@localhost"
sudo /usr/local/bin/certbot-auto --standalone certonly -d $DOMAIN --preferred-challenges http --agree-tos -n -m $EMAIL --keep-until-expiring

Set the e-mail address and domain name to use for registration.

The output shows the paths where the certificate and private key were saved.

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for registry.theitroad.local
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/registry.theitroad.local/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/registry.theitroad.local/privkey.pem
   Your cert will expire on 2017-04-15. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot-auto
   again. To non-interactively renew *all* of your certificates, run
   "certbot-auto renew"
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG/Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Set up a cron job to renew the certificate automatically. The registry loads its key pair only when the container starts, so the renewal has to restart the container as well; certbot's --deploy-hook runs the given command only after a certificate has actually been renewed:

# crontab -e
00 3 * * * /usr/local/bin/certbot-auto renew --quiet --deploy-hook "podman restart registry"

Now create the secure container registry.

export REG_DOMAIN="registry.theitroad.local"
podman run --privileged -d \
  --name registry \
  -p 5000:5000 \
  -v /var/lib/registry:/var/lib/registry \
  -v /etc/letsencrypt/live/${REG_DOMAIN}/fullchain.pem:/certs/fullchain.pem \
  -v /etc/letsencrypt/live/${REG_DOMAIN}/privkey.pem:/certs/privkey.pem \
  -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/fullchain.pem \
  -e REGISTRY_HTTP_TLS_KEY=/certs/privkey.pem \
  registry:2

Check that the container started successfully.

$ podman ps
CONTAINER ID  IMAGE                         COMMAND               CREATED        STATUS            PORTS                   NAMES
d5ee3ead9d77  docker.io/library/registry:2  /entrypoint.sh /e...  7 seconds ago  Up 7 seconds ago  0.0.0.0:5000->5000/tcp  registry

Confirm that it works:

$ podman pull nginx
$ podman images
REPOSITORY                TAG      IMAGE ID       CREATED      SIZE
docker.io/library/nginx   latest   c7460dfcab50   6 days ago   130 MB

$ podman tag docker.io/library/nginx registry.theitroad.local:5000/nginx
$ podman images
REPOSITORY                            TAG      IMAGE ID       CREATED      SIZE
docker.io/library/nginx               latest   c7460dfcab50   6 days ago   130 MB
registry.theitroad.local:5000/nginx   latest   c7460dfcab50   6 days ago   130 MB

$ podman push registry.theitroad.local:5000/nginx
Getting image source signatures
Copying blob 17fde96446df done
Copying blob c26e88311e71 done
Copying blob 556c5fb0d91b done
Copying config c7460dfcab done
Writing manifest to image destination
Storing signatures
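As an added verification step (not part of the original tutorial), the following Python script does what a client does before pulling: it completes a TLS handshake with chain and hostname verification against the system CA store, reports how many days the certificate has left, and queries the Registry v2 API to list repositories and to show whether the API is open to anyone who can reach port 5000. The registry address is the one used in this tutorial; the /v2/ and /v2/_catalog endpoints are part of the Docker Registry HTTP API V2.

```python
import json, socket, ssl, time
import urllib.error, urllib.request

REGISTRY = "registry.theitroad.local:5000"  # host:port used in this tutorial

def days_until_expiry(not_after: str, now_ts: float = None) -> int:
    # not_after is the notAfter string from ssl.getpeercert(), e.g. 'Apr 15 12:00:00 2017 GMT'
    expires = ssl.cert_time_to_seconds(not_after)
    now_ts = time.time() if now_ts is None else now_ts
    return int((expires - now_ts) // 86400)  # negative once the certificate has expired

def parse_catalog(body: bytes) -> list:
    # body is a /v2/_catalog response such as b'{"repositories":["nginx","hello-world"]}'
    repos = json.loads(body).get("repositories")
    if not isinstance(repos, list):
        raise ValueError("unexpected /v2/_catalog response")
    return sorted(str(r) for r in repos)

def describe_api_status(code: int) -> str:
    # GET /v2/ -> 200: anyone reaching the port can push and pull; 401: authentication is configured
    labels = {200: "open: no authentication configured", 401: "authentication required"}
    return labels.get(code, f"unexpected HTTP status {code}")

def check_tls(registry: str = REGISTRY) -> dict:
    # Full handshake with chain and hostname verification, as podman/docker do on pull and push
    host, _, port = registry.partition(":")
    ctx = ssl.create_default_context()  # system CA store; the Let's Encrypt chain validates against it
    with socket.create_connection((host, int(port or "443")), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    subject = dict(field[0] for field in cert["subject"])
    return {"common_name": subject.get("commonName"), "days_left": days_until_expiry(cert["notAfter"])}

def probe_api(registry: str = REGISTRY) -> str:
    try:
        with urllib.request.urlopen(f"https://{registry}/v2/", timeout=10) as resp:
            return describe_api_status(resp.status)
    except urllib.error.HTTPError as err:  # 401 and other non-2xx answers land here
        return describe_api_status(err.code)

def list_repositories(registry: str = REGISTRY) -> list:
    with urllib.request.urlopen(f"https://{registry}/v2/_catalog", timeout=10) as resp:
        return parse_catalog(resp.read())

if __name__ == "__main__":
    info = check_tls()
    print(f"{info['common_name']}: certificate valid for {info['days_left']} more days")
    print("API:", probe_api())
    print("repositories:", ", ".join(list_repositories()))
```

Run it from any host that trusts the public CA roots; a handshake failure here means podman and docker clients will refuse the registry too.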

The registry can now be used across our infrastructure.