Skip to content

用 Docker Distribution 建立第一個 TLS 容器倉庫

遇過非常多人使用 docekr-distribution 和 RHEL/CentOS 來建立人生第一個容器映像檔倉庫 (Container Registry) 時,都會遇到 SSL/TLS 相關的問題,大多都是用 insecure-registries 來避掉,今天要來分享自簽憑證的作法


  • Hostname: rhel7.misc.local
  • IP:
  • Necessary Software
  • docker-distribution 2.6.2
  • RHEL 7.7
  • skopeo 0.1.37


準備 OS

  • FirewalldSELinux 預設開啟
  • 以 RHEL7 為核心

Docker Distribution

安裝 docker-distribution

yum install docker-distribution -y

設定 docker-distribution

cat << EOF > /etc/docker-distribution/registry/config.yml
version: 0.1
    service: registry
        layerinfo: inmemory
        rootdirectory: /var/lib/registry
    host: https://rhel7.misc.local:5000
      certificate: /etc/docker-distribution/my_self_signed_cert.crt
      key: /etc/docker-distribution/my_self_signed.key

依據上述的設定檔,/var/lib/registry 是指定主要放置 Container Images 檔案的位置,如果嫌太小的話,可以掛 Shared Storage;:5000 開的 Port 預設是 5000,但可以依據需求修改;certificatekey 則是放置 SSL/TLS 的金鑰和憑證,後面會講怎麼快速自簽;若想要瞭解更多的設定檔,可以參考 Docker Official - Configuring a registry

自簽 OpenSSL

# Command for SSL Cert
openssl req -x509 -nodes -days 3650 -newkey rsa:2048 \
-keyout /etc/docker-distribution/my_self_signed.key \
-out /etc/docker-distribution/my_self_signed_cert.crt

# Sample Out
Generating a 2048 bit RSA private key
writing new private key to '/etc/docker-distribution/my_self_signed.key'
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [XX]: TW
State or Province Name (full name) []: Taipei
Locality Name (eg, city) [Default City]: Taipei City
Organization Name (eg, company) [Default Company Ltd]: Red Hat
Organizational Unit Name (eg, section) []: Solution Architect
Common Name (eg, your name or your server\'s hostname) []: rhel7.misc.local
Email Address []: [email protected]
注意 Common Name (eg, your name or your server\'s hostname) 務必要填自己的 hostname

# Configure RHEL to trust the self-signed certificate
# You should put the pem into /etc/pki/ca-trust/source/anchors/
openssl x509 \
-in /etc/docker-distribution/my_self_signed_cert.crt \
-out /etc/pki/ca-trust/source/anchors/workstation.pem \
-outform PEM

# Update the system's trust store

建議把 /etc/docker-distribution/my_self_signed_cert.crt 這檔案放到一個可以讓其他機器下載的地方,未來只要有需要用到該 Container registry 的服務,都要執行上面的動作匯入憑證

啟用 Firewall

firewall-cmd --zone=public --add-port=5000/tcp --permanent
firewall-cmd --reload
firewall-cmd --zone=public --list-all

驗證 Container Registry

# Install
yum install -y skopeo

# Copy the image from DockerHub to on-premise container registry
skopeo copy docker:// docker://rhel7.misc.local:5000/library/centos:7.7.1908

# Inspect the information of specific container
skopeo inspect docker://rhel7.misc.local:5000/library/centos:7.7.1908


整個過程其實蠻簡單的,大概不用半小時就可以建立完,但他能提供的功能,就是非常基本中的基本 - 放映像檔,若要尋求多功能的 Container Registry,可以考慮使用紅帽宣布 Red Hat Introduces open source Project Quay container registry 的 Project Quay,比較符合現實生活。