K8s: Setting up an image mirror (registry accelerator): difference between revisions
No edit summary
Latest revision as of 11:02, 28 October 2022 (Friday)
Generating the certificate
Create an empty website whose ServerName is registry.riguz.com, then update its certificate:
sudo certbot --apache
Installing Docker
sudo apt-get install ca-certificates curl gnupg lsb-release
curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo gpg --dearmor -o /usr/share/keyrings/docker-archive-keyring.gpg
echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] https://download.docker.com/linux/ubuntu \
$(lsb_release -cs) stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
sudo apt-get update
sudo apt-get install docker-ce docker-ce-cli containerd.io
Starting the registry mirror
htpasswd -Bbn user xxxxxxxxx > auth/htpasswd
version: 0.1
log:
  fields:
    service: registry
storage:
  cache:
    blobdescriptor: inmemory
  filesystem:
    rootdirectory: /var/lib/registry
http:
  addr: :5000
  headers:
    X-Content-Type-Options: [nosniff]
health:
  storagedriver:
    enabled: true
    interval: 10s
    threshold: 3
proxy:
  remoteurl: https://gcr.io
docker run -d -p 5000:443 \
--restart always \
--name registry \
-v /etc/letsencrypt/archive/riguz.com:/certs \
-v "$(pwd)"/auth:/auth \
-v "$(pwd)"/config.yml:/etc/docker/registry/config.yml \
-e "REGISTRY_AUTH=htpasswd" \
-e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" \
-e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd \
-e REGISTRY_HTTP_ADDR=0.0.0.0:443 \
-e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/fullchain3.pem \
-e REGISTRY_HTTP_TLS_KEY=/certs/privkey3.pem \
registry:latest
Apache proxy
sudo a2enmod proxy
sudo a2enmod proxy_http
<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerName registry.riguz.com
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/registry
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
    ProxyPreserveHost On
    SSLProxyEngine on
    ProxyPass / https://127.0.0.1:5000/
    ProxyPassReverse / https://127.0.0.1:5000/
</VirtualHost>
</IfModule>
Using the mirror from k3s
/etc/rancher/k3s/registries.yaml (create it if it does not exist)
mirrors:
  gcr.io:
    endpoint:
      - "https://registry.riguz.com/v2"
configs:
  "registry.riguz.com":
    auth:
      username: xxx
      password: xxxxx
sudo systemctl restart k3s.service
sudo systemctl restart k3s-agent.service
Using a self-signed certificate
openssl \
req \
-newkey rsa:2048 -nodes \
-keyout key.pem \
-x509 -days 36500 \
-out cert.pem \
-config server_cert.cnf
[req]
default_bits = 2048
distinguished_name = req_distinguished_name
req_extensions = req_ext
prompt = no
x509_extensions = req_ext
[req_distinguished_name]
C = CN
ST = Hubei
L = Wuhan
O = KingSoft
OU = HPC
CN = gcr-mirror.com
[req_ext]
basicConstraints=CA:TRUE
subjectAltName = @alt_names
[alt_names]
IP.1 = 10.226.27.53
DNS.1 = gcr-mirror.com
DNS.2 = www.gcr-mirror.com
DNS.3 = gcr.ksord.com
DNS.4 = mirror.ksord.com
DNS.5 = registry.ksord.com
docker run -d -p 5000:443 ^
--restart always ^
--name gcr-mirror ^
-v /c/gcr-mirror/certs/:/certs ^
-v /c/gcr-mirror/auth:/auth ^
-v /c/gcr-mirror/config.yaml:/etc/docker/registry/config.yml ^
-e "REGISTRY_AUTH=htpasswd" ^
-e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" ^
-e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd ^
-e REGISTRY_HTTP_ADDR=0.0.0.0:443 ^
-e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/cert.pem ^
-e REGISTRY_HTTP_TLS_KEY=/certs/key.pem ^
registry:latest
cp cert.pem /etc/pki/ca-trust/source/anchors
update-ca-trust
openssl x509 -noout -text -in <cert_file> | grep --after-context=2 "X509v3 Basic Constraints" | grep "CA:TRUE"
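The openssl command and server_cert.cnf above produce a self-signed certificate that carries the SAN list and basicConstraints CA:TRUE, and the final grep checks that the CA:TRUE flag is really present before the file is dropped into the ca-trust anchors. The following Go program is an added example, not part of the original page or of the registry project: it builds a certificate of the same shape (RSA 2048, the DN and [alt_names] values from server_cert.cnf, 36500 days, CA:TRUE) and then performs the same check in code, together with the hostname check that docker or containerd will apply when they trust only this certificate. The function names GenerateMirrorCert and CheckMirrorCert and the ca flag are assumptions made for this example; it writes cert.pem and key.pem like the openssl command does but does not replace it.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"net"
	"os"
	"time"
)

// Names copied from the [alt_names] section of server_cert.cnf on this page.
var MirrorDNSNames = []string{
	"gcr-mirror.com", "www.gcr-mirror.com",
	"gcr.ksord.com", "mirror.ksord.com", "registry.ksord.com",
}
var MirrorIPs = []net.IP{net.ParseIP("10.226.27.53")}

// GenerateMirrorCert (hypothetical name) produces the same kind of certificate as
// the openssl req command above: self-signed, RSA 2048, the given SAN list and
// validity in days. With ca=true it sets basicConstraints CA:TRUE, which is what
// the page's grep looks for; ca=false shows what a plain server certificate looks
// like. Returns PEM-encoded certificate and private key.
func GenerateMirrorCert(cn string, dns []string, ips []net.IP, days int, ca bool) (certPEM, keyPEM []byte, err error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, nil, err
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject: pkix.Name{ // the [req_distinguished_name] values from the page
			Country: []string{"CN"}, Province: []string{"Hubei"}, Locality: []string{"Wuhan"},
			Organization: []string{"KingSoft"}, OrganizationalUnit: []string{"HPC"}, CommonName: cn,
		},
		NotBefore:             now.Add(-time.Hour), // tolerate small clock skew on clients
		NotAfter:              now.Add(time.Duration(days) * 24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  ca,
		DNSNames:              dns,
		IPAddresses:           ips,
	}
	// parent == template makes it self-signed, as "openssl req -x509" does.
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	certPEM = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	keyPEM = pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(key)})
	return certPEM, keyPEM, nil
}

// CheckMirrorCert (hypothetical name) does in code what the final "openssl x509 |
// grep CA:TRUE" line does, and then verifies host against the certificate with
// the certificate itself as the only trusted root, i.e. the situation after
// update-ca-trust on a client. It returns nil when both checks pass.
func CheckMirrorCert(certPEM []byte, host string) error {
	block, _ := pem.Decode(certPEM)
	if block == nil || block.Type != "CERTIFICATE" {
		return errors.New("no PEM certificate found")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return err
	}
	if !cert.BasicConstraintsValid || !cert.IsCA {
		return errors.New("X509v3 Basic Constraints CA:TRUE is missing")
	}
	roots := x509.NewCertPool()
	roots.AddCert(cert)
	// Verify fails with *x509.HostnameError when host is not in the SAN list.
	_, err = cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

func main() {
	certPEM, keyPEM, err := GenerateMirrorCert("gcr-mirror.com", MirrorDNSNames, MirrorIPs, 36500, true)
	if err != nil {
		fmt.Println("generate:", err)
		os.Exit(1)
	}
	// Same file names the page's openssl command writes; keep key.pem private.
	if err := os.WriteFile("cert.pem", certPEM, 0o644); err != nil {
		fmt.Println("write cert.pem:", err)
		os.Exit(1)
	}
	if err := os.WriteFile("key.pem", keyPEM, 0o600); err != nil {
		fmt.Println("write key.pem:", err)
		os.Exit(1)
	}
	for _, h := range []string{"gcr-mirror.com", "10.226.27.53", "gcr.io"} {
		fmt.Printf("%-16s %v\n", h, CheckMirrorCert(certPEM, h))
	}
}
```

Run it with `go run .`: the first two names verify, while gcr.io is rejected because it is not in the SAN list even though the mirror is proxying that registry; clients must be pointed at one of the listed mirror names (as the registries.yaml above does). Because the certificate is installed as a CA anchor, key.pem can sign certificates for any name on every host that trusts it, so it should stay on the mirror host with 0600 permissions.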