# Trusting / ignoring certificate verification

## Documentation

- Verify repository client with certificates | Docker Docs
- Where did the old website go? - Routine - Xu Xiaowei's forum
## Trusting the certificate

Without a port:

```bash
# Domain name of the Docker registry to trust
domain_name=registry.xuxiaowei.com.cn
# Docker looks for a ca.crt under /etc/docker/certs.d/<host>/
mkdir -p /etc/docker/certs.d/$domain_name
# Fetch the chain the server presents; `openssl x509` keeps only the first
# certificate of that chain (the server's own) and writes it as PEM.
# The certificate is taken from the live connection, so run this from a
# network path you already trust: whatever answers here is what gets pinned.
openssl s_client -showcerts -connect $domain_name:443 -servername $domain_name < /dev/null 2>/dev/null | openssl x509 -outform PEM > /etc/docker/certs.d/$domain_name/ca.crt
# Sanity check: reconnect with the pinned file as the only trust anchor and
# inspect the printed chain and the "Verify return code" line at the end
echo | openssl s_client -CAfile /etc/docker/certs.d/$domain_name/ca.crt -connect $domain_name:443 -servername $domain_name
ls -lh /etc/docker/certs.d/$domain_name
```

With a port:

```bash
# Domain name of the Docker registry to trust
domain_name=registry.xuxiaowei.com.cn
# Port of the Docker registry to trust
port=443
# With a port, Docker looks under /etc/docker/certs.d/<host>:<port>/
mkdir -p /etc/docker/certs.d/$domain_name:$port
# Same extraction as above: first certificate of the presented chain, as PEM
openssl s_client -showcerts -connect $domain_name:$port -servername $domain_name < /dev/null 2>/dev/null | openssl x509 -outform PEM > /etc/docker/certs.d/$domain_name:$port/ca.crt
# Sanity check against the pinned file; read the "Verify return code" line
echo | openssl s_client -CAfile /etc/docker/certs.d/$domain_name:$port/ca.crt -connect $domain_name:$port -servername $domain_name
ls -lh /etc/docker/certs.d/$domain_name:$port
```
registry.xuxiaowei.com.cn and registry.xuxiaowei.com.cn:443 are separate configurations.

- Drawback: although the docker service does not need a restart, the configuration has to be redone whenever the registry's certificate is renewed.
- Advantage: once certificate trust is configured, DNS poisoning is no longer a concern, because trust comes from the certificate already configured under /etc/docker/certs.d/.
## Ignoring certificate verification

```bash
vim /etc/docker/daemon.json
```

```json
{
  "insecure-registries": [
    "registry.xuxiaowei.com.cn:443",
    "registry.xuxiaowei.com.cn"
  ]
}
```

```bash
sudo systemctl restart docker
```
registry.xuxiaowei.com.cn and registry.xuxiaowei.com.cn:443 are separate configurations.

- Drawback 1: the docker service must be restarted.
- Drawback 2: if DNS is poisoned, pulled images cannot be trusted.
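An added example, not from the original page, in Python: it audits a Docker host for the two mechanisms described above, listing which registries have a pinned ca.crt under certs.d, which are in insecure-registries, flagging any registry that is both (on a verification failure the daemon falls back to an unverified connection, so the pin gives no protection), and fingerprinting the pinned certificate so a renewal can be detected by comparing with what the server currently presents. `demo()` builds a constructed temporary layout with a placeholder PEM; the paths and that PEM are assumptions.

```python
import hashlib
import json
import os
import ssl
import tempfile

def load_insecure_registries(daemon_json_path):
    """Registries whose TLS verification errors the daemon will ignore."""
    if not os.path.exists(daemon_json_path):
        return set()
    with open(daemon_json_path, encoding="utf-8") as fh:
        return set(json.load(fh).get("insecure-registries", []))

def load_pinned_registries(certs_dir):
    """certs.d entries (host or host:port) that carry a ca.crt."""
    if not os.path.isdir(certs_dir):
        return set()
    return {n for n in os.listdir(certs_dir)
            if os.path.isfile(os.path.join(certs_dir, n, "ca.crt"))}

def audit_registry_trust(daemon_json_path, certs_dir):
    """Effective trust mode per registry; "host" and "host:443" stay distinct,
    as Docker treats them. Pinned + insecure is flagged: the pin is moot."""
    insecure = load_insecure_registries(daemon_json_path)
    pinned = load_pinned_registries(certs_dir)
    modes = {}
    for reg in sorted(insecure | pinned):
        both = reg in insecure and reg in pinned
        modes[reg] = ("pinned-but-insecure" if both
                      else "insecure" if reg in insecure else "pinned")
    return modes

def pinned_fingerprint(ca_crt_path):
    """SHA-256 of the pinned PEM's DER; compare with the live server's cert
    (e.g. via ssl.get_server_certificate) to notice a rotated certificate."""
    with open(ca_crt_path, encoding="ascii") as fh:
        der = ssl.PEM_cert_to_DER_cert(fh.read())
    return hashlib.sha256(der).hexdigest()

def demo():
    """Constructed layout (not a real host) mirroring the configs above."""
    root = tempfile.mkdtemp()
    daemon, certs = os.path.join(root, "daemon.json"), os.path.join(root, "certs.d")
    with open(daemon, "w", encoding="utf-8") as fh:
        json.dump({"insecure-registries": ["registry.xuxiaowei.com.cn:443",
                                           "registry.xuxiaowei.com.cn"]}, fh)
    ca = os.path.join(certs, "registry.xuxiaowei.com.cn:443", "ca.crt")
    os.makedirs(os.path.dirname(ca))
    with open(ca, "w", encoding="ascii") as fh:  # placeholder PEM, empty body
        fh.write("-----BEGIN CERTIFICATE-----\n-----END CERTIFICATE-----\n")
    return audit_registry_trust(daemon, certs), pinned_fingerprint(ca)
```

On a real host, call `audit_registry_trust("/etc/docker/daemon.json", "/etc/docker/certs.d")` and compare `pinned_fingerprint()` with a hash of the certificate the registry currently serves.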