红帽全球峰会7.3.4. 不安全的 registry
应避免使用非可信证书的外部 registry(或根本没有证书)。
但是,任何不安全的 registry 都应使用 --insecure-registry 选项来添加,以允许 docker 守护进程从存储库拉取镜像。这与 --add-registry 选项相同,但不会验证 docker 操作。
该 registry 应该使用这两个选项添加来启用搜索的选项;如果有黑名单,则应该执行其他操作,如拉取镜像。
出于测试目的,以下示例显示了如何添加一个 localhost 不安全的 registry。
流程
修改
/etc/containers/registries.conf配置文件以添加 localhost 不安全的 registry:Copy to Clipboard Copied! Toggle word wrap Toggle overflow 注意将不安全的 registry 添加到
registry.search部分以及registry.insecure部分,以确保它们标记为不安全并列入白名单。添加到registeries.block部分的任何 registry 都会被阻断,除非也被添加到registry.search部分。重启
docker守护进程以使用 registry:sudo systemctl restart docker.service
$ sudo systemctl restart docker.serviceCopy to Clipboard Copied! Toggle word wrap Toggle overflow 重启
docker守护进程会导致docker容器被重启。在
localhost运行容器镜像 registry pod:sudo docker run -p 5000:5000 registry:2
$ sudo docker run -p 5000:5000 registry:2Copy to Clipboard Copied! Toggle word wrap Toggle overflow 拉取镜像:
sudo docker pull openshift/hello-openshift
$ sudo docker pull openshift/hello-openshiftCopy to Clipboard Copied! Toggle word wrap Toggle overflow 标记镜像:
sudo docker tag docker.io/openshift/hello-openshift:latest localhost:5000/hello-openshift-local:latest
$ sudo docker tag docker.io/openshift/hello-openshift:latest localhost:5000/hello-openshift-local:latestCopy to Clipboard Copied! Toggle word wrap Toggle overflow 将镜像推送到本地 registry:
sudo docker push localhost:5000/hello-openshift-local:latest
$ sudo docker push localhost:5000/hello-openshift-local:latestCopy to Clipboard Copied! Toggle word wrap Toggle overflow 使用 Ansible 安装程序,这可以使用
Ansible主机文件中的openshift_docker_additional_registries、openshift_docker_blocked_registries和openshift_docker_insecure_registries变量进行配置:openshift_docker_additional_registries=registry.redhat.io,my.registry.example.com,localhost:5000 openshift_docker_insecure_registries=localhost:5000 openshift_docker_blocked_registries=all
openshift_docker_additional_registries=registry.redhat.io,my.registry.example.com,localhost:5000 openshift_docker_insecure_registries=localhost:5000 openshift_docker_blocked_registries=allCopy to Clipboard Copied! Toggle word wrap Toggle overflow 注意您还可以将
openshift_docker_insecure_registries变量设置为主机的 IP 地址。0.0.0.0/0不是一个有效设置。
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}