How to hijack docker.io image traffic to a private registry

1. Self-sign a certificate for *.docker.io

1.1 Create the CA certificate

  • Generate the CA private key
openssl genrsa -out ca.key 4096
  • Generate the CA certificate (self-signed, valid for ten years)
openssl req -x509 -new -nodes -sha512 -days 3650 \
    -subj "/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=chenshaowen.com" \
    -key ca.key \
    -out ca.crt

Whoever holds ca.key can issue a certificate for any host name, and every machine that installs ca.crt in section 3 will accept it, so keep the key off those machines and treat it like a root CA key.

1.2 Create the *.docker.io certificate

  • Generate the private key
openssl genrsa -out docker.io.key 4096
  • Generate the certificate signing request (CSR)
openssl req -sha512 -new \
    -subj "/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=*.docker.io" \
    -key docker.io.key \
    -out docker.io.csr
  • Generate the x509 v3 extensions. The subjectAltName is the part that matters: the Docker daemon's Go TLS stack matches the registry host name only against SAN entries and ignores the CN, and the bare docker.io entry is needed because *.docker.io matches exactly one left-most label.
cat > v3.ext <<-EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
DNS.1=docker.io
DNS.2=*.docker.io
EOF
  • Issue the *.docker.io certificate, signed by the CA
openssl x509 -req -sha512 -days 3650 \
    -extfile v3.ext \
    -CA ca.crt -CAkey ca.key -CAcreateserial \
    -in docker.io.csr \
    -out docker.io.crt

1.3 List the generated files

ls

ca.crt         ca.key         ca.srl         docker.io.cert docker.io.crt  docker.io.csr  docker.io.key  v3.ext

ca.srl is the serial-number file written by -CAcreateserial; the files the rest of the setup needs are ca.crt (for the hosts), docker.io.crt and docker.io.key (for the HTTPS front end).

2. Deploy the registries and configure the HTTPS certificate

2.1 Deploy an Nginx proxy to forward HTTPS traffic

The Nginx configuration itself is not shown here; it terminates TLS with the *.docker.io certificate from section 1 and forwards requests to the mirror registry below, which listens on plain HTTP on port 5000. The mirror is a pull-through cache: it fetches from Docker Hub on a miss and serves from local storage afterwards.

  • Create a mirror directory
mkdir mirror
cd mirror
  • Edit the configuration file
vim config.yml
version: 0.1
log:
  fields:
    service: registry
storage:
  cache:
    blobdescriptor: inmemory
  filesystem:
    rootdirectory: /var/lib/registry
http:
  addr: :5000
  headers:
    X-Content-Type-Options: [nosniff]
health:
  storagedriver:
    enabled: true
    interval: 10s
    threshold: 3
proxy:
  remoteurl: https://registry-1.docker.io
  • Start it on port 5000
mkdir data
docker run -d -p 5000:5000 --restart=always --name mirror \
             -v $(pwd)/config.yml:/etc/docker/registry/config.yml \
             -v $(pwd)/data:/var/lib/registry \
             registry:2

2.3 Deploy a mirror of the private registry

  • Create a harbor-mirror directory
mkdir harbor-mirror
cd harbor-mirror
  • Edit the configuration file
vim config.yml
version: 0.1
log:
  fields:
    service: registry
storage:
  cache:
    blobdescriptor: inmemory
  filesystem:
    rootdirectory: /var/lib/registry
http:
  addr: :5000
  headers:
    X-Content-Type-Options: [nosniff]
health:
  storagedriver:
    enabled: true
    interval: 10s
    threshold: 3
proxy:
  remoteurl: https://private.chenshaowen.com
  username: [username]
  password: [password]

Replace the placeholders with an account on private.chenshaowen.com that is allowed to pull. Note that the mirror authenticates upstream with these credentials but, with no auth section of its own, serves the cached content to any client that can reach port 5000 without asking for credentials, so restrict network access to the mirror and keep config.yml readable only by the user running the registry.

3. Make the hosts trust the CA

Copy the CA certificate (ca.crt from 1.1, saved here as chenshaowen.com.ca.crt) into the system trust store of every host whose Docker daemon should follow the redirected docker.io traffic. Such a host will then accept any certificate signed by this CA, not only for docker.io, so do this only on hosts you control.

3.1 Ubuntu

  • Add
cp chenshaowen.com.ca.crt /usr/local/share/ca-certificates
update-ca-certificates
  • Remove
rm -f /usr/local/share/ca-certificates/chenshaowen.com.ca.crt
update-ca-certificates

3.2 CentOS

  • Add
cp chenshaowen.com.ca.crt /etc/pki/ca-trust/source/anchors/
update-ca-trust extract
  • Remove
rm /etc/pki/ca-trust/source/anchors/chenshaowen.com.ca.crt
update-ca-trust extract

3.3 Restart Docker so the daemon reloads the root certificates

The daemon reads the system root store once at startup, so both adding and removing the CA take effect only after a restart:

systemctl restart docker

4. Test and verify