From 3fced7241ab8a6eb235f44203a900e96042ce4d6 Mon Sep 17 00:00:00 2001 From: panpingsheng Date: Wed, 11 Dec 2024 11:46:48 +0800 Subject: [PATCH] Add https docker private image repository Reference process --- ...72\345\257\206\345\256\271\345\231\250.md" | 110 +++++++++++++++++- 1 file changed, 109 insertions(+), 1 deletion(-) diff --git "a/sig/Hygon Arch/content/2-CSV\346\265\213\350\257\225\346\226\207\346\241\243/9-FAQ/3-\346\234\272\345\257\206\345\256\271\345\231\250.md" "b/sig/Hygon Arch/content/2-CSV\346\265\213\350\257\225\346\226\207\346\241\243/9-FAQ/3-\346\234\272\345\257\206\345\256\271\345\231\250.md" index 47e91433..a509f723 100644 --- "a/sig/Hygon Arch/content/2-CSV\346\265\213\350\257\225\346\226\207\346\241\243/9-FAQ/3-\346\234\272\345\257\206\345\256\271\345\231\250.md" +++ "b/sig/Hygon Arch/content/2-CSV\346\265\213\350\257\225\346\226\207\346\241\243/9-FAQ/3-\346\234\272\345\257\206\345\256\271\345\231\250.md" 
@@ -72,4 +72,112 @@ $ sudo /opt/confidential-containers/bin/kata-runtime exec b66feaa98fcacfa8fe0b40 访问阿里云等国内仓库kernel_params 配置参数 不要设置agent.https_proxy 和agent.no_proxy 等代理地址 #### Q: 是否可以搭建私有仓库 -A: 可以,必须使用公网的CA证书,自签名的不行 \ No newline at end of file +A: 可以,必须使用公网的CA证书,自签名的不行 + +#### Q: https私有仓库搭建 +如下步骤作为搭建私有仓库参考 + +**必须使用公网的CA证书,自签名的不行** + +- 拉取镜像 + ``` + sudo docker pull registry:2.7.0 + ``` +- 生成密码文件 + user passord 为仓库账号密码,根据需求自行调整 + ``` + $ mkdir -p /docker/registry/auth + $ sudo docker run --entrypoint htpasswd registry:2.7.0 -Bbn user passord >> /docker/registry/auth/htpasswd + ``` +- 设置配置文件 + ``` + $ mkdir -p /docker/registry/config + $ vim /docker/registry/config/config.yml + ``` + /docker/registry/config/config.yml 输入以下内容 + ``` + version: 0.1 + log: + fields: + service: registry + storage: + delete: + enabled: true + cache: + blobdescriptor: inmemory + filesystem: + rootdirectory: /var/lib/registry + http: + addr: :5000 + headers: + X-Content-Type-Options: [nosniff] + health: + storagedriver: + enabled: true + interval: 10s + threshold: 3 + ``` +- 准备证书私钥 + sudo mkdir -p /opt/docker/registry/public_certs + 拷贝公网可信任证书和私钥 到/opt/docker/registry/public_certs 为domain.crt(证书)、domain.key(私钥) + +- 运行容器仓库 + ``` + sudo docker run -d -p 5005:5000 --restart=always --name=registry \ + -v /docker/registry/config/:/etc/docker/registry/ \ + -v /docker/registry/auth/:/auth/ \ + -v /opt/docker/registry/public_certs:/certs \ + -e "REGISTRY_AUTH=htpasswd" \ + -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" \ + -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd \ + -e "REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt" \ + -e "REGISTRY_HTTP_TLS_KEY=/certs/domain.key" \ + -v /docker/registry/:/var/lib/registry/ \ + registry:2.7.0 + ``` +- 私有仓库在机密容器中应用 + + 1)请参考[2-4-11-使用身份验证信息下载镜像](https://openanolis.cn/sig/Hygon-Arch/doc/896792319448421882)将私有仓库的账号密码信息添加到对应的配置文件中 + docker_auth_config.json文件示例 + ``` + $ cat docker_auth_config.json + { + "auths": { + "docker.io": { + "auth": 
"bGl1ZGFsaWJqOlBhc3N3MHJkIXFhego=" + }, + "quay.io": { + "auth": "bGl1ZGFsaWJqOlBhc3N3MHJkIXFhego=" + }, + "docker.xx.cn:5005": { + "auth": "dXNlcjpwYXNzd29yZAo=" + } + } + } + ``` + 2)在虚拟机initrd文件系统中建立dnc 映射,host_ip 为docker 服务器主机地址,docker.xx.cn服务器的域名,如何解压打包initrd参考[2-4-11-使用身份验证信息下载镜像](https://openanolis.cn/sig/Hygon-Arch/doc/896792319448421882) + + ``` + sed -i '$a\host_ip docker.xx.cn' $initrd_dir/etc/hosts + ``` + 3)请参考[2-4-2-测试CSV机密容器](https://openanolis.cn/sig/Hygon-Arch/doc/896792319448421882)获取启动机密容器,私有仓库不需要在**kernel_params 中添加代理操作**,将其中的dockerhub 仓库中对的镜像地址换成自己的私有仓库地址 + + 启动私有仓库容器示例 + ``` + cat <<-EOF | kubectl apply -f - + apiVersion: v1 + kind: Pod + metadata: + labels: + run: test-csv + name: test-csv + spec: + containers: + - image: docker.xx.cn:5005/busybox + name: test-csv + imagePullPolicy: Always + dnsPolicy: ClusterFirst + restartPolicy: Never + runtimeClassName: kata-qemu-csv + EOF + ``` -- Gitee
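Review bot: the credentials created in the "生成密码文件" step and the ones consumed in the docker_auth_config.json example do not match, so a reader who follows the hunk literally will get an authentication failure on the `docker.xx.cn:5005` pull. The htpasswd line creates the user with the password `passord` (`htpasswd ... -Bbn user passord`), while the `docker.xx.cn:5005` auth value `"dXNlcjpwYXNzd29yZAo="` base64-decodes to `user:password` followed by a newline; the trailing newline is what `echo user:password | base64` produces instead of `echo -n user:password | base64`, and the registry will treat it as part of the password. Suggest fixing the typo in the htpasswd command, regenerating the value with `echo -n 'user:password' | base64`, and using obvious placeholders in the docker.io and quay.io entries rather than strings that decode to what look like real credentials. Smaller points in the same hunk: the last `-v /docker/registry/:/var/lib/registry/` mount makes the registry storage root a parent of both `/docker/registry/auth/htpasswd` and `/docker/registry/config/config.yml`, so the password hashes and the config file end up inside the blob store; mounting a dedicated directory such as `/docker/registry/data` keeps them apart. Confirm that the `registry:2.7.0` image actually ships an `htpasswd` binary before recommending it as `--entrypoint`; if it does not, the `httpd:2` image provides it with the same `-Bbn` arguments. For a public-CA certificate, `domain.crt` should contain the leaf certificate followed by the intermediate chain, otherwise TLS validation inside the guest can fail even though the CA is trusted. In step 2) "dnc 映射" should read "dns 映射", and in step 3) the link text says 2-4-2-测试CSV机密容器 but points at the same document id (896792319448421882) as the two 2-4-11 links above it.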