
Pitfalls encountered while deploying docker registry_v2

2016-07-05 17:37, 567 views

docker registry_v2

Build and troubleshooting notes for docker registry_v2: nginx plus a registry built from source, unlike the docker-based setups found online, which makes tuning the registry later much easier.

Setup steps

Creating the CA certificate (openssl)
Building and configuring nginx
Building registry from source and configuring it
Verification and troubleshooting

Creating the CA certificate

1. First edit a few parameters in /etc/ssl/openssl.cnf. This must be done before any certificate is generated; changing it afterwards has no effect.

[ CA_default ]
dir = /etc/ssl/demoCA # Where everything is kept
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/index.txt # database index file.
#unique_subject = no # Set to 'no' to allow creation of
# several certificates with same subject.
new_certs_dir = $dir/newcerts # default place for new certs.
certificate = $dir/certs/cacert.pem # The CA certificate
serial = $dir/serial # The current serial number
crlnumber = $dir/crlnumber # the current crl number
# must be commented out to leave a V1 CRL
crl = $dir/crl.pem # The current CRL
private_key = $dir/private/cakey.pem # The private key
RANDFILE = $dir/private/.rand # private random number file

[ v3_req ]
# Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
# This line matters: without it the docker client later fails with
# "registry endpoint ... x509: cannot validate certificate for ... because it doesn't contain any IP SANs"
subjectAltName=IP:192.168.172.150

2. Create the certificates
On Ubuntu the certificate configuration files live under /etc/ssl.

cd /etc/ssl
mkdir demoCA demoCA/certs demoCA/crl demoCA/newcerts demoCA/private
touch /etc/ssl/demoCA/index.txt
echo 01 > /etc/ssl/demoCA/serial
cd /etc/ssl/demoCA
openssl req -newkey rsa:4096 -nodes -sha256 -keyout cakey.pem -x509 -days 365 -out cacert.pem
mv cacert.pem certs/ && mv cakey.pem private/

Note that the domain here should be set to your own domain; mine is *.192.168.172.150.xip.io
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:beijing
Organization Name (eg, company) [Default Company Ltd]:self
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:*.192.168.172.150.xip.io
Email Address []:jackyuan@126.com

OK, at this point the root certificate is complete.

Building and configuring nginx

Option 1:
yum install nginx

Option 2:

1. Pick a version to install, preferably a recent one; otherwise the add_header feature used below is not available.

cd ~
wget http://nginx.org/download/nginx-1.9.4.tar.gz
tar zxvf nginx-1.9.4.tar.gz
cd ./nginx-1.9.4 && \
./configure --user=www --group=www --prefix=/opt/nginx --with-pcre --with-http_stub_status_module --with-http_ssl_module --with-http_addition_module --with-http_realip_module --with-http_flv_module --with-openssl=/root/openssl-1.0.2h --with-zlib=/root/zlib-1.2.8 --with-pcre=/root/pcre-8.39
make && make install

2. Generate nginx's SSL certificate and sign it with the CA, which records it in openssl's own certificate database

mkdir -p /etc/nginx/ssl
cd /etc/nginx/ssl
openssl genrsa -out nginx.key 4096
openssl req -new -key nginx.key -out nginx.csr
# The fields entered here must match the CA's, especially the domain
openssl ca -in nginx.csr -out nginx.crt

If the CA configuration above was not done first, you will get errors such as demoCA cannot be opened, so take care.
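The same CA-plus-server-certificate flow as a self-contained script, added here as an example and not code from the post: it writes its own minimal openssl config with the subjectAltName line from the v3_req section, creates a root, signs a server certificate with that SAN, and then checks the two things the docker client will check (the IP SAN is present, and the certificate chains to the CA). It assumes openssl is on PATH and uses the post's 192.168.172.150 and *.192.168.172.150.xip.io as constructed values; the file names ca.crt, server.crt and so on are this example's own, not the post's cacert.pem and nginx.crt.

```shell
#!/bin/sh
# Added example, not from the original post: build a private CA and sign a
# server certificate that carries the IP subjectAltName the docker client
# insists on, then verify the result. Everything goes into a scratch directory
# so the system /etc/ssl/openssl.cnf and demoCA are left alone.
# Assumptions: openssl is on PATH; the IP and wildcard CN are the post's
# 192.168.172.150 / *.192.168.172.150.xip.io; file names are this example's own.
set -eu

# make_registry_certs DIR IP CN -> writes ca.key, ca.crt, server.key, server.crt in DIR
make_registry_certs() {
    dir=$1; ip=$2; cn=$3
    mkdir -p "$dir"
    # Minimal config: ca_ext marks the root as a CA, v3_req is the post's
    # request section with the subjectAltName line added.
    cat > "$dir/san.cnf" <<EOF
[ req ]
distinguished_name = dn
x509_extensions = ca_ext
req_extensions = v3_req
prompt = no
[ dn ]
C = CN
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = IP:$ip
EOF
    # Self-signed root (the post's cacert.pem / cakey.pem); -subj overrides [dn].
    openssl req -new -x509 -nodes -newkey rsa:2048 -sha256 -days 365 \
        -config "$dir/san.cnf" -subj "/C=CN/ST=beijing/O=self/CN=registry test CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    # Server key and CSR (the post's nginx.key / nginx.csr), CN = the registry name.
    openssl req -new -nodes -newkey rsa:2048 -sha256 \
        -config "$dir/san.cnf" -subj "/C=CN/ST=beijing/O=self/CN=$cn" \
        -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
    # Sign with the CA. "-extensions v3_req" is what carries the SAN into the
    # final certificate; without it the "doesn't contain any IP SANs" error returns.
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 365 -sha256 -extfile "$dir/san.cnf" -extensions v3_req \
        -out "$dir/server.crt" 2>/dev/null
}

# cert_has_ip_san CERT IP -> exit 0 if CERT lists IP in its subjectAltName
cert_has_ip_san() {
    openssl x509 -in "$1" -noout -text | grep -q "IP Address:$2"
}

# chain_verifies CA CERT -> exit 0 if CERT chains to CA (what the docker client checks)
chain_verifies() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Stand-alone run: "sh make_certs.sh --demo" builds into a temp dir and reports.
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d)
    make_registry_certs "$d" 192.168.172.150 '*.192.168.172.150.xip.io'
    cert_has_ip_san "$d/server.crt" 192.168.172.150 && echo "server.crt has IP SAN"
    chain_verifies "$d/ca.crt" "$d/server.crt" && echo "server.crt chains to ca.crt"
    rm -rf "$d"
fi
```

The same two checks apply to the certificate produced by the post's steps: `openssl x509 -in /etc/nginx/ssl/nginx.crt -noout -text` should show `IP Address:192.168.172.150`, and `openssl verify -CAfile /etc/ssl/demoCA/certs/cacert.pem /etc/nginx/ssl/nginx.crt` should print OK before nginx is pointed at it.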

3. Generate the htpasswd file; username and password are both admin

htpasswd -cb /opt/nginx/conf/.htpasswd admin admin

4. Edit the nginx configuration

user  www www;
worker_processes  auto;
error_log   /var/log/nginx_error.log error;
#error_log  logs/error.log  notice;
#error_log  logs/error.log  info;
#pid        logs/nginx.pid;
worker_rlimit_nofile 51200;

events {
    use epoll;
    worker_connections  51200;
    multi_accept on;
}

http {
    include       mime.types;
    default_type  application/octet-stream;

    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx_access.log  main;

    server_names_hash_bucket_size 128;
    client_header_buffer_size 32k;
    large_client_header_buffers 4 32k;

    sendfile        on;
    tcp_nopush      on;
    tcp_nodelay     on;

    #keepalive_timeout  0;
    keepalive_timeout  65;

    #gzip  on;

    upstream registry {
        server 192.168.172.150:5000;
    }

    server {
        listen       443;
        server_name  192.168.172.150;

        ssl                 on;
        ssl_certificate     /etc/nginx/ssl/nginx.crt;
        ssl_certificate_key /etc/nginx/ssl/nginx.key;

        client_max_body_size 0;
        chunked_transfer_encoding on;

        location /v2/ {
            auth_basic "Registry realm";
            auth_basic_user_file /opt/nginx/conf/.htpasswd;

            add_header 'Docker-Distribution-Api-Version' 'registry/2.0' always;

            proxy_pass                          http://registry;
            proxy_set_header  Host              \$http_host;   # required for docker client's sake
            proxy_set_header  X-Real-IP         \$remote_addr; # pass on real client's IP
            proxy_set_header  X-Forwarded-For   \$proxy_add_x_forwarded_for;
            proxy_set_header  X-Forwarded-Proto $scheme;
            proxy_read_timeout                  900;
        }

        error_page   500 502 503 504  /50x.html;
        location = /50x.html {
            root   html;
        }
    }
}


Change

proxy_set_header  Host              \$http_host;   # required for docker client's sake
proxy_set_header  X-Real-IP         \$remote_addr; # pass on real client's IP
proxy_set_header  X-Forwarded-For   \$proxy_add_x_forwarded_for;

to

proxy_set_header  Host              $http_host;   # required for docker client's sake
proxy_set_header  X-Real-IP         $remote_addr; # pass on real client's IP
proxy_set_header  X-Forwarded-For   $proxy_add_x_forwarded_for;

and it works.

Otherwise the upstream path may end up as https://localhost/v2\ with a stray backslash, and the request fails with 400 Bad Request: malformed Host header:

curl -i -k -v https://admin:admin@zq.reg32.jd.com/v2/
400 Bad Request: malformed Host header
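A small lint for exactly this mistake, added here as an example (not code from the post): it counts and lists proxy_set_header lines that still carry an escaped dollar sign, and rewrites them. The sample location block it writes is constructed from the post's configuration; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post: a lint for the escaping mistake
# behind the post's "400 Bad Request: malformed Host header". nginx variables
# must be written $http_host; a copied "\$http_host" passes the literal text
# upstream instead of the client's Host header. The sample config is constructed.

# write_sample_config FILE -> the post's location block with two escaped variables
write_sample_config() {
    cat > "$1" <<'EOF'
location /v2/ {
    proxy_pass                          http://registry;
    proxy_set_header  Host              \$http_host;   # required for docker client's sake
    proxy_set_header  X-Real-IP         \$remote_addr; # pass on real client's IP
    proxy_set_header  X-Forwarded-Proto $scheme;
}
EOF
}

# count_escaped_vars FILE -> number of proxy_set_header lines containing a "\$"
count_escaped_vars() {
    # in the grep pattern, \\ is a literal backslash and \$ a literal dollar sign
    grep -c 'proxy_set_header.*\\\$' "$1" || true
}

# list_escaped_vars FILE -> prints offending lines with line numbers; exit 1 if any
list_escaped_vars() {
    if grep -n 'proxy_set_header.*\\\$' "$1"; then
        return 1
    fi
    return 0
}

# fix_escaped_vars IN OUT -> writes IN to OUT with "\$" turned into "$" on proxy_set_header lines
fix_escaped_vars() {
    sed '/proxy_set_header/ s/\\\$/$/g' "$1" > "$2"
}
```

Run `list_escaped_vars /opt/nginx/conf/nginx.conf` before reloading nginx; a non-zero exit means a header will reach the registry as literal text rather than as the client's value.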

========================================================================================================================

Key details to watch

The trailing / in nginx proxy_pass

When configuring proxy_pass in nginx with a ^~ prefix location, pay attention to the trailing / on the proxy_pass URL. With the /, it acts as an absolute root path and nginx does not forward the part of the path matched by the location; without the /, the matched path part is forwarded to the upstream as well.

location ^~ /static_js/ {
    proxy_cache js_cache;
    proxy_set_header Host js.test.com;
    proxy_pass http://js.test.com/;
}

With the configuration above, a request for http://servername/static_js/test.html

is proxied to http://js.test.com/test.html

Whereas with this configuration

location ^~ /static_js/ {
    proxy_cache js_cache;
    proxy_set_header Host js.test.com;
    proxy_pass http://js.test.com;
}

it is proxied to http://js.test.com/static_js/test.html

Of course, the same effect as the trailing / can be achieved with a rewrite:

location ^~ /static_js/ {
    proxy_cache js_cache;
    proxy_set_header Host js.test.com;
    rewrite /static_js/(.+)$ /$1 break;
    proxy_pass http://js.test.com;
}
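The three variants above as a runnable model, added here as an example and not code from the post: `upstream_uri` reproduces the rule that a proxy_pass with a URI part (here the trailing /) replaces the matched location prefix, while one without a URI part forwards the request URI unchanged, and `upstream_uri_rewrite` models the rewrite variant. It generalises slightly beyond the post by accepting any prefix and any proxy_pass URL, including the post's own /v2/ and http://registry/ pair. The function names are this example's own; the sample paths are the post's.

```shell
#!/bin/sh
# Added example, not from the original post: model how nginx maps a request URI
# onto the upstream for a prefix location, with and without a URI part (the
# trailing "/") on proxy_pass. Sample values are the post's js.test.com ones.

# upstream_uri LOCATION_PREFIX PROXY_PASS REQUEST_URI -> prints the upstream URI
# - proxy_pass with a URI part (anything after host[:port], e.g. a trailing "/"):
#   the matched prefix is replaced by that URI part.
# - proxy_pass without a URI part: the request URI is passed unchanged.
upstream_uri() {
    prefix=$1; pass=$2; uri=$3
    hostpath=${pass#*://}                          # drop the scheme
    pass_uri=${hostpath#"${hostpath%%/*}"}         # "" or "/..." after the host
    case $uri in
        "$prefix"*) ;;
        *) echo "request $uri does not match location $prefix" >&2; return 1 ;;
    esac
    if [ -z "$pass_uri" ]; then
        printf '%s\n' "$uri"
    else
        printf '%s\n' "${pass_uri}${uri#"$prefix"}"
    fi
}

# upstream_uri_rewrite LOCATION_PREFIX REQUEST_URI -> the post's third variant:
# "rewrite PREFIX(.+)$ /$1 break;" in front of a proxy_pass with no URI part.
upstream_uri_rewrite() {
    prefix=$1; uri=$2
    rest=${uri#"$prefix"}
    # (.+) needs at least one character after the prefix; otherwise no rewrite
    if [ -z "$rest" ]; then
        printf '%s\n' "$uri"
    else
        printf '/%s\n' "$rest"
    fi
}
```

For the post's registry block, `upstream_uri /v2/ http://registry/ /v2/_catalog` gives /_catalog, which the registry does not serve, while `upstream_uri /v2/ http://registry /v2/_catalog` keeps /v2/_catalog; that is the difference behind the 301 and 404-style responses in the logs further down.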


=============================================================================================

5. Check the configuration and start nginx

/opt/nginx/sbin/nginx -t    # check that nginx.conf is valid
/opt/nginx/sbin/nginx -c /opt/nginx/conf/nginx.conf

Building registry from source and configuring it

1. Check out the source:

git clone https://github.com/docker/distribution
cd distribution
git checkout v2.1.1
godep restore ./...

2. Install registry. To save effort, just set GOPATH appropriately and build:

go get github.com/docker/distribution

3. Configure registry (config-example.yml):

version: 0.1
log:
  fields:
    service: registry
storage:
  cache:
    layerinfo: inmemory
  filesystem:
    rootdirectory: /home/jojo/registry
http:
  addr: :5000
  secret: admin
#  tls:
#    certificate: /etc/ssl/demoCA/certs/cacert.pem
#    key: /etc/ssl/demoCA/private/cakey.pem
#proxy:
#  remoteurl: https://api.192.168.172.150.xip.io
#  username: admin
#  password: admin

Note the parts I commented out: there is already a proxy layer in front, so there is no need to configure TLS here; otherwise the backend reports tls: first record does not look like a TLS handshake

4. Configure docker by adding one line

vi /etc/default/docker
DOCKER_OPTS="--insecure-registry api.192.168.172.150.xip.io --tlsverify --tlscacert /etc/ssl/demoCA/certs/cacert.pem"

5. Start docker and registry

service docker start
registry serve /home/jojo/register/config-example.yml

Verification and troubleshooting

1. Verify connectivity:

curl -i -k -v https://admin:admin@api.192.168.172.150.xip.io/v2/
* Hostname was NOT found in DNS cache
*   Trying 192.168.172.150...
* Connected to api.192.168.172.150.xip.io (192.168.172.150) port 443 (#0)
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server key exchange (12):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using ECDHE-RSA-AES256-GCM-SHA384
* Server certificate:
*        subject: C=CN; ST=beijing; O=self; OU=self; CN=*.192.168.172.150.xip.io; emailAddress=jack@126.com
*        start date: 2015-09-18 13:54:11 GMT
*        expire date: 2016-09-17 13:54:11 GMT
*        issuer: C=CN; ST=beijing; L=beijing; O=self; OU=self; CN=*.192.168.172.150.xip.io; emailAddress=jack@126.com
*        SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
* Server auth using Basic with user 'admin'
> GET /v2/ HTTP/1.1
> Authorization: Basic YWRtaW46YWRtaW4=
> User-Agent: curl/7.35.0
> Host: api.192.168.172.150.xip.io
> Accept: */*
>
< HTTP/1.1 200 OK
HTTP/1.1 200 OK
* Server nginx/1.9.4 is not blacklisted
< Server: nginx/1.9.4
Server: nginx/1.9.4
< Date: Fri, 18 Sep 2015 17:02:00 GMT
Date: Fri, 18 Sep 2015 17:02:00 GMT
< Content-Type: application/json; charset=utf-8
Content-Type: application/json; charset=utf-8
< Content-Length: 2
Content-Length: 2
< Connection: keep-alive
Connection: keep-alive
< Docker-Distribution-Api-Version: registry/2.0
Docker-Distribution-Api-Version: registry/2.0
< Docker-Distribution-Api-Version: registry/2.0
Docker-Distribution-Api-Version: registry/2.0

2. Verify docker login

docker login -u admin -p admin -e jackyuan@126 https://api.192.168.172.150.xip.io/v2/
WARNING: login credentials saved in /root/.docker/config.json
Login Succeeded

3. Push an image to the private registry

docker tag 91e54dfb1179 api.192.168.172.150.xip.io/ubuntu:trusty
docker push api.192.168.172.150.xip.io/ubuntu:trusty
The push refers to a repository [api.192.168.172.150.xip.io/ubuntu] (len: 1)
91e54dfb1179: Image already exists
d74508fb6632: Image successfully pushed
c22013c84729: Image successfully pushed
d3a1f33e8a5a: Image successfully pushed
Digest: sha256:a731c12a4d21af384c4659666f177cd1e871646b95b9440d709ec4ee176145b2

4. Check that the upload is there

curl -i -k -v https://admin:admin@api.192.168.172.150.xip.io/v2/_catalog
{"repositories":["ubuntu"]}

cd /home/jojo/registry/docker/registry/v2 && ls
blobs  repositories

I won't dig into the directory here; once you get deeper into registry you can go on to look at the data structures inside.

What matters is checking the registry log and the nginx log alongside the docker log, all three of them.

====================================================

registry log

INFO[5489] response completed                            go.version=go1.6.2 http.request.host=registry http.request.id=bafd9501-08e5-418b-9bba-ddadbefc819a http.request.method=GET http.request.remoteaddr=192.168.225.132:53216 http.request.uri=// http.request.useragent=curl/7.29.0 http.response.duration=105.962µs http.response.status=301 http.response.written=0 instance.id=f604880f-a37b-4ebe-9652-d6326c09366d version=v2.4.1+unknown
192.168.225.132 - - [05/Jul/2016:17:10:47 +0800] "GET // HTTP/1.0" 301 0 "" "curl/7.29.0"

At that point proxy_pass was http://registry/; with the trailing slash; see the section above on the trailing / in nginx proxy_pass.

INFO[5574] response completed                            go.version=go1.6.2 http.request.host=registry http.request.id=b2a20ff4-bc84-4529-9c5a-a0472f76c992 http.request.method=GET http.request.remoteaddr=192.168.225.132:53222 http.request.uri=/v2/_catalog http.request.useragent=curl/7.29.0 http.response.contenttype=application/json; charset=utf-8 http.response.duration=1.370983ms http.response.status=200 http.response.written=20 instance.id=f604880f-a37b-4ebe-9652-d6326c09366d version=v2.4.1+unknown
192.168.225.132 - - [05/Jul/2016:17:12:12 +0800] "GET /v2/_catalog HTTP/1.0" 200 20 "" "curl/7.29.0"

INFO[5658] response completed                            go.version=go1.6.2 http.request.host=registry http.request.id=9e744f42-c563-48d4-87b7-29ed31deb8e5 http.request.method=GET http.request.remoteaddr=192.168.225.132:53230 http.request.uri=/v2/_catalog http.request.useragent=curl/7.29.0 http.response.contenttype=application/json; charset=utf-8 http.response.duration=1.093502ms http.response.status=200 http.response.written=20 instance.id=f604880f-a37b-4ebe-9652-d6326c09366d version=v2.4.1+unknown
192.168.225.132 - - [05/Jul/2016:17:13:37 +0800] "GET /v2/_catalog HTTP/1.0" 200 20 "" "curl/7.29.0"

INFO[5674] response completed                            go.version=go1.6.2 http.request.host=registry http.request.id=6d7b3e74-a066-4b3d-a414-463d4d6b7bd7 http.request.method=GET http.request.remoteaddr=192.168.225.132:53232 http.request.uri=/v2/_catalog/ http.request.useragent=curl/7.29.0 http.response.duration=108.687µs http.response.status=301 http.response.written=47 instance.id=f604880f-a37b-4ebe-9652-d6326c09366d version=v2.4.1+unknown
192.168.225.132 - - [05/Jul/2016:17:13:53 +0800] "GET /v2/_catalog/ HTTP/1.0" 301 47 "" "curl/7.29.0"

INFO[5738] response completed                            go.version=go1.6.2 http.request.host=registry http.request.id=4bc3c40f-be43-4a7b-b014-372456fa6123 http.request.method=GET http.request.remoteaddr=192.168.225.132:53237 http.request.uri=/v2/_catalog http.request.useragent=curl/7.29.0 http.response.contenttype=application/json; charset=utf-8 http.response.duration=1.176057ms http.response.status=200 http.response.written=20 instance.id=f604880f-a37b-4ebe-9652-d6326c09366d version=v2.4.1+unknown
192.168.225.132 - - [05/Jul/2016:17:14:56 +0800] "GET /v2/_catalog HTTP/1.0" 200 20 "" "curl/7.29.0"


=================================================================
nginx log

192.168.225.132 - admin [05/Jul/2016:17:04:21 +0800] "GET /v2/_catalog HTTP/1.1" 200 0 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0"
192.168.225.132 - admin [05/Jul/2016:17:04:50 +0800] "GET /v2/_catalog/v2/ HTTP/1.1" 301 0 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0"
192.168.225.132 - admin [05/Jul/2016:17:04:50 +0800] "GET /v2/ HTTP/1.1" 400 49 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0"
192.168.225.132 - admin [05/Jul/2016:17:05:02 +0800] "GET /v2/ HTTP/1.1" 400 49 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0"
192.168.225.132 - admin [05/Jul/2016:17:05:13 +0800] "GET /v2/ HTTP/1.1" 400 49 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0"
192.168.225.132 - admin [05/Jul/2016:17:05:25 +0800] "GET /v2/ HTTP/1.1" 400 49 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0"
192.168.225.132 - admin [05/Jul/2016:17:05:30 +0800] "GET /v2/_catalog/ HTTP/1.1" 301 0 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0"
192.168.225.132 - - [05/Jul/2016:17:05:30 +0800] "GET / HTTP/1.1" 304 0 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0"
192.168.225.132 - - [05/Jul/2016:17:06:04 +0800] "GET / HTTP/1.1" 304 0 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0"
192.168.225.132 - - [05/Jul/2016:17:06:05 +0800] "GET / HTTP/1.1" 304 0 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0"
192.168.225.132 - - [05/Jul/2016:17:06:06 +0800] "GET / HTTP/1.1" 304 0 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0"
192.168.225.132 - admin [05/Jul/2016:17:06:14 +0800] "GET /v2/_catalog/v2 HTTP/1.1" 301 0 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0"
192.168.225.132 - admin [05/Jul/2016:17:06:14 +0800] "GET /v2/ HTTP/1.1" 400 49 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0"
192.168.225.132 - admin [05/Jul/2016:17:06:23 +0800] "GET /v2/ HTTP/1.1" 400 49 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0"
192.168.225.132 - admin [05/Jul/2016:17:06:26 +0800] "GET /v2/ HTTP/1.1" 400 49 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0"
192.168.225.132 - admin [05/Jul/2016:17:06:27 +0800] "GET /v2/ HTTP/1.1" 400 49 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0"
192.168.225.132 - admin [05/Jul/2016:17:10:15 +0800] "GET /v2/ HTTP/1.1" 400 49 "-" "curl/7.29.0"
192.168.225.132 - admin [05/Jul/2016:17:10:26 +0800] "GET /v2/_category HTTP/1.1" 400 49 "-" "curl/7.29.0"
192.168.225.132 - admin [05/Jul/2016:17:10:33 +0800] "GET /v2/_category/ HTTP/1.1" 400 49 "-" "curl/7.29.0"
192.168.225.132 - admin [05/Jul/2016:17:10:47 +0800] "GET /v2/_catalog/ HTTP/1.1" 301 0 "-" "curl/7.29.0"
192.168.225.132 - admin [05/Jul/2016:17:11:02 +0800] "GET /v2/ HTTP/1.1" 400 49 "-" "curl/7.29.0"
192.168.225.132 - admin [05/Jul/2016:17:11:51 +0800] "GET /v2/ HTTP/1.1" 400 49 "-" "curl/7.29.0"
192.168.225.132 - admin [05/Jul/2016:17:12:12 +0800] "GET /v2/_catalog HTTP/1.1" 200 20 "-" "curl/7.29.0"
192.168.225.132 - admin [05/Jul/2016:17:12:36 +0800] "GET /v2 HTTP/1.1" 301 184 "-" "curl/7.29.0"
192.168.225.132 - admin [05/Jul/2016:17:12:52 +0800] "GET /v2/ HTTP/1.1" 400 49 "-" "curl/7.29.0"
192.168.225.132 - - [05/Jul/2016:17:13:19 +0800] "GET /v2/ HTTP/1.1" 401 194 "-" "curl/7.29.0"
192.168.225.132 - - [05/Jul/2016:17:13:37 +0800] "GET /v2/_catalog HTTP/1.1" 200 20 "-" "curl/7.29.0"
192.168.225.132 - - [05/Jul/2016:17:13:53 +0800] "GET /v2/_catalog/ HTTP/1.1" 301 47 "-" "curl/7.29.0"
192.168.225.132 - - [05/Jul/2016:17:14:01 +0800] "GET /v2/ HTTP/1.1" 401 194 "-" "curl/7.29.0"
192.168.225.132 - admin [05/Jul/2016:17:14:14 +0800] "GET /v2/ HTTP/1.1" 400 49 "-" "curl/7.29.0"
192.168.225.132 - admin [05/Jul/2016:17:14:56 +0800] "GET /v2/_catalog HTTP/1.1" 200 20 "-" "curl/7.29.0"
192.168.225.132 - admin [05/Jul/2016:17:15:03 +0800] "GET /v2/search HTTP/1.1" 400 49 "-" "curl/7.29.0"
192.168.225.132 - - [05/Jul/2016:17:16:57 +0800] "GET /v2/_catalog HTTP/1.1" 401 194 "-" "curl/7.29.0"
192.168.225.132 - admin [05/Jul/2016:17:17:08 +0800] "GET /v2/_catalog HTTP/1.1" 200 20 "-" "curl/7.29.0"
192.168.225.132 - admin [05/Jul/2016:17:17:27 +0800] "GET /v2/_catalog HTTP/1.1" 200 20 "-" "curl/7.29.0"
192.168.225.132 - admin [05/Jul/2016:17:17:31 +0800] "GET /v2/ HTTP/1.1" 400 49 "-" "curl/7.29.0"
192.168.225.132 - admin [05/Jul/2016:17:18:18 +0800] "GET /v2/ HTTP/1.1" 400 49 "-" "curl/7.29.0"
192.168.225.132 - admin [05/Jul/2016:17:18:22 +0800] "GET /v2 HTTP/1.1" 301 184 "-" "curl/7.29.0"
192.168.225.132 - admin [05/Jul/2016:17:18:28 +0800] "GET /v2/ HTTP/1.1" 400 49 "-" "curl/7.29.0"
192.168.225.132 - admin [05/Jul/2016:17:21:50 +0800] "GET /v2/ HTTP/1.1" 200 2 "-" "curl/7.29.0"
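Reading an access log of this size by eye is error-prone, so here is a short awk-based summary, added as an example and not code from the post: it counts requests per path and status in the post's "main" log format and prints one hint per signature that appears in the troubleshooting above (400 on /v2/ from the escaped Host header, 301 on a trailing-slash path from the proxy_pass URI part, and 401 when no credentials reached auth_basic). The five log lines it writes are constructed, modelled on the post's; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post: summarise an nginx access log in
# the post's "main" log_format by path and status, and flag the signatures the
# post ran into. The log lines below are constructed, modelled on the post's.

# write_sample_log FILE -> five constructed lines in the post's log format
write_sample_log() {
    cat > "$1" <<'EOF'
192.168.225.132 - admin [05/Jul/2016:17:10:15 +0800] "GET /v2/ HTTP/1.1" 400 49 "-" "curl/7.29.0"
192.168.225.132 - admin [05/Jul/2016:17:10:47 +0800] "GET /v2/_catalog/ HTTP/1.1" 301 0 "-" "curl/7.29.0"
192.168.225.132 - - [05/Jul/2016:17:13:19 +0800] "GET /v2/ HTTP/1.1" 401 194 "-" "curl/7.29.0"
192.168.225.132 - admin [05/Jul/2016:17:14:56 +0800] "GET /v2/_catalog HTTP/1.1" 200 20 "-" "curl/7.29.0"
192.168.225.132 - admin [05/Jul/2016:17:21:50 +0800] "GET /v2/ HTTP/1.1" 200 2 "-" "curl/7.29.0"
EOF
}

# In the "main" format, whitespace-split fields are:
#   $1 client ip, $3 auth user (or "-"), $7 request path, $9 status, $10 bytes

# count_status FILE STATUS PATH -> number of requests for PATH that got STATUS
count_status() {
    awk -v st="$2" -v p="$3" '$7 == p && $9 == st { n++ } END { print n+0 }' "$1"
}

# diagnose FILE -> prints one hint per signature found (nothing if the log is clean)
diagnose() {
    awk '
        $7 == "/v2/" && $9 == 400            { bad_host++ }
        $7 ~ /\/$/ && $7 != "/" && $9 == 301 { slash++ }
        $3 == "-" && $9 == 401               { unauth++ }
        END {
            if (bad_host) print bad_host " x 400 on /v2/: check proxy_set_header Host for an escaped \\$http_host"
            if (slash)    print slash " x 301 on a trailing-slash path: registry redirects /v2/_catalog/ to /v2/_catalog; check the proxy_pass URI part"
            if (unauth)   print unauth " x 401 with no user: the request reached auth_basic without credentials"
        }' "$1"
}
```

Usage: `diagnose /var/log/nginx_access.log`; an empty result means none of the three signatures is present, and `count_status /var/log/nginx_access.log 200 /v2/` confirms the successful ping once the fix is in.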

===========================================================================================

===========================================================================================

The final result once everything worked end to end

[root@centos-master conf]# curl -i -k -v https://admin:admin@zq.reg32.jd.com/v2/
* About to connect() to zq.reg32.jd.com port 443 (#0)
*   Trying 192.168.225.132...
* Connected to zq.reg32.jd.com (192.168.225.132) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* skipping SSL peer certificate verification
* SSL connection using TLS_DHE_RSA_WITH_AES_256_CBC_SHA
* Server certificate:
* subject: E=zhangqian3@jd.com,CN=*.reg32.jd.com,OU=jd,O=jd,ST=bj,C=CN
* start date: 7月 01 11:31:46 2016 GMT
* expire date: 7月 01 11:31:46 2017 GMT
* common name: *.reg32.jd.com
* issuer: E=zhangqian3@jd.com,CN=*.reg32.jd.com,OU=jd,O=jd,L=bj,ST=bj,C=CN
* Server auth using Basic with user 'admin'
> GET /v2/ HTTP/1.1
> Authorization: Basic YWRtaW46YWRtaW4=
> User-Agent: curl/7.29.0
> Host: zq.reg32.jd.com
> Accept: */*
>
< HTTP/1.1 200 OK
HTTP/1.1 200 OK
< Server: nginx/1.9.4
Server: nginx/1.9.4
< Date: Tue, 05 Jul 2016 10:05:16 GMT
Date: Tue, 05 Jul 2016 10:05:16 GMT
< Content-Type: application/json; charset=utf-8
Content-Type: application/json; charset=utf-8
< Content-Length: 2
Content-Length: 2
< Connection: keep-alive
Connection: keep-alive
< Docker-Distribution-Api-Version: registry/2.0
Docker-Distribution-Api-Version: registry/2.0
< X-Content-Type-Options: nosniff
X-Content-Type-Options: nosniff

* Connection #0 to host zq.reg32.jd.com left intact
{}

=============================================================================

root@VM-201-98-ubuntu:~# docker login

Entering the username and password given when requesting the certificate does not succeed; the following message appears:

2014/12/01 23:47:17 Error response from daemon: Invalid registry endpoint https://registry.example.com/v1/: Get https://registry.example.com/v1/_ping: x509: certificate signed by unknown authority. If this private registry supports only HTTP or HTTPS with an
unknown CA certificate, please add `--insecure-registry registry.example.com` to the daemon's arguments. In the case of HTTPS, if you have access to the registry's CA certificate, no need for the flag; simply place the CA certificate at /etc/docker/certs.d/registry.example.com/ca.crt

What is going on here? It turns out that the official docker cannot use a self-signed certificate as is. How do we fix it? There is always a way: we need to make the docker side trust the server's root certificate ourselves. Remember the docker-registry.crt file generated when we requested the self-signed certificate earlier? Download that file onto the machine that will pull images from or push images to the registry server and append it to the boot2docker certificate bundle ( /etc/ssl/certs/ca-certificates.crt ); after that, logging in to the Docker Registry with the docker command passes the check (here our test machine and the Docker Registry are the same machine).

root@VM-201-98-ubuntu:~# cat /etc/ssl/certs/docker-registry.crt | sudo tee -a /etc/ssl/certs/ca-certificates.crt

Run docker login again and the problem is solved.

********************************************************************

Adding the certificate

The steps for adding the certificate on CentOS 6/7 are as follows

Install the ca-certificates package

$ yum install ca-certificates

Enable dynamic CA configuration

$ update-ca-trust force-enable

Copy the CA certificate to /etc/pki/ca-trust/source/anchors/

$ cp devdockerCA.crt /etc/pki/ca-trust/source/anchors/

Make the newly copied certificate take effect

$ update-ca-trust extract

After copying the certificate, restart docker so that it picks up the new certificate

$ service docker restart

Docker pull/push image test

Building the image to push to the registry