目录

openEuler 24.03 (LTS-SP1) 下私有镜像仓库部署与自签 SSL 全流程

1 创建根 CA 与服务器证书（修正版：SAN 写法兼容所有 OpenSSL）

2 配置 Docker Compose 文件

3 客户端节点信任 CA

3.1 Docker

3.2 containerd

4 推送 / 拉取测试

5 常见问题 & 排查

结语

---

注意: ansible 相关命令请参考之前相关文章, 如下操作命令 实际验证可用

openEuler 24.03 (LTS-SP1) 下私有镜像仓库部署与自签 SSL 全流程

目标

• 主机 IP：10.130.135.145

• 端口：30500（映射到容器 5000）

• 数据目录：/app/registry

• 运行时：Docker / containerd 均可使用

• 证书目录：/app/registry/certs

• 客户端：其余 K8s 节点或开发机

---

1 创建根 CA 与服务器证书（修正版：SAN 写法兼容所有 OpenSSL）

# ① 准备目录
sudo mkdir -p /app/registry/certs
cd /app/registry/certs# ② 生成根 CA（有效期 10 年）
openssl genrsa -out ca.key 4096
openssl req -x509 -new -nodes -key ca.key -sha256 -days 3650 \-subj "/CN=Brytech-Registry-CA" -out ca.crt# ③ 生成服务器私钥
openssl genrsa -out registry.key 4096# ④ 生成带 SAN 的 CSR（使用 alt_names 小节，100% 兼容）
cat > csr.cnf <<'EOF'
[ req ]
prompt             = no
default_md         = sha256
distinguished_name = dn
req_extensions     = req_ext[ dn ]
CN = 10.130.135.145                # Common Name[ req_ext ]
subjectAltName = @alt_names[ alt_names ]
IP.1 = 10.130.135.145
EOFopenssl req -new -key registry.key -out registry.csr -config csr.cnf# ⑤ 用根 CA 签发服务器证书（有效期 10 年）
openssl x509 -req -in registry.csr \-CA ca.crt -CAkey ca.key -CAcreateserial \-out registry.crt -days 3650 -sha256 \-extfile csr.cnf -extensions req_ext

验证：

openssl x509 -in registry.crt -noout -text | grep -A1 "Subject Alternative Name"
# ➜ 必须看到 IP Address:10.130.135.145

---

2 配置 Docker Compose 文件

/app/registry/docker-compose.yml

version: '3.7'
services:registry:image: registry:3container_name: registryrestart: alwaysports:- "0.0.0.0:30500:5000"environment:REGISTRY_STORAGE: filesystemREGISTRY_STORAGE_FILESYSTEM_ROOTDIRECTORY: /var/lib/registryREGISTRY_HTTP_SECRET: "a0393a48d72c4428a5aa87766430cb39c4e38d736e569a6cf6089445c823817c"REGISTRY_HTTP_TLS_CERTIFICATE: /certs/registry.crtREGISTRY_HTTP_TLS_KEY: /certs/registry.keyOTEL_TRACES_EXPORTER: "none"volumes:- /app/registry:/var/lib/registry        # 镜像数据- /app/registry/certs:/certs:ro          # 证书只读挂载

启动：

cd /app/registry
docker compose up -d         # 或 docker-compose up -d

日志中出现 listening on [::]:5000, tls 即代表 TLS 启用成功。

---

3 客户端节点信任 CA

以下以 节点 IP 为 NODE=10.130.135.145:30500。

3.1 Docker

NODE=10.130.135.145:30500
sudo mkdir -p /etc/docker/certs.d/$NODE
# 将 ca.crt 拷贝到所有节点
sudo scp root@10.130.135.145:/app/registry/certs/ca.crt /etc/docker/certs.d/$NODE/
sudo systemctl restart docker

3.2 containerd

NODE=10.130.135.145:30500
sudo mkdir -p /etc/containerd/certs.d/$NODE
sudo cp /etc/docker/certs.d/$NODE/ca.crt /etc/containerd/certs.d/$NODE/cat <<EOF | sudo tee /etc/containerd/certs.d/$NODE/hosts.toml
server = "https://$NODE"[host."https://$NODE"]capabilities = ["pull", "resolve", "push"]ca           = "/etc/containerd/certs.d/$NODE/ca.crt"
EOFsudo systemctl restart containerd

Kubernetes 节点批量分发
可用 Ansible：

# 假设 NODE=10.130.135.145:30500
NODE=10.130.135.145:30500# ① 创建目录（Docker + containerd）
ansible all -m file -a "path=/etc/docker/certs.d/${NODE} state=directory mode=0755"
ansible all -m file -a "path=/etc/containerd/certs.d/${NODE} state=directory mode=0755"# ② 拷贝 ca.crt（Docker 用）
ansible all -m copy -a "src=/app/registry/certs/ca.crt dest=/etc/docker/certs.d/${NODE}/ca.crt owner=root mode=0644"# ③ 拷贝 ca.crt（containerd 用）
ansible all -m copy -a "src=/app/registry/certs/ca.crt dest=/etc/containerd/certs.d/${NODE}/ca.crt owner=root mode=0644"# ④ 创建 hosts.toml（用于 containerd 识别 Registry）
ansible all -m copy -a "content='server = \"https://${NODE}\"[host.\"https://${NODE}\"]capabilities = [\"pull\", \"resolve\", \"push\"]ca = \"/etc/containerd/certs.d/${NODE}/ca.crt\"
' dest=/etc/containerd/certs.d/${NODE}/hosts.toml mode=0644"# ⑤ 重启运行时服务
ansible all -m shell -a "systemctl restart docker containerd"

---

4 推送 / 拉取测试

REG=10.130.135.145:30500
docker pull busybox:latest
docker tag busybox $REG/busybox:test
docker push $REG/busybox:test
docker pull $REG/busybox:test
# containerd 用户：
# crictl pull $REG/busybox:test如果crictl 遇到错误 tls: failed to verify certificate: x509: certificate signed by unknown authority , 请参考如下文章解决:https://blog.csdn.net/gs80140/article/details/149248275?sharetype=blogdetail&sharerId=149248275&sharerefer=PC&sharesource=gs80140&spm=1011.2480.3001.8118

若过程无 x509: certificate signed by unknown authority 等错误，说明 CA 链配置成功。

---

5 常见问题 & 排查

现象	原因	解决
unsupported option: subjectAltName	旧 OpenSSL 不支持 @alt_names 语法	本文已改用兼容写法；或升级 OpenSSL 至 ≥1.1.1
x509: certificate signed by unknown authority	节点未加载 ca.crt	确认路径、文件权限，并重启 Docker/containerd
server gave HTTP response to HTTPS client	Registry 未启用 TLS	检查 REGISTRY_HTTP_TLS_* 环境变量、端口映射

---

结语

通过上述步骤，在 openEuler 24.03 (LTS-SP1) 上零依赖外网地搭建了安全的私有镜像仓库，并让集群节点可信任自签 CA，实现了镜像的高速本地化分发。后续可结合 Harbor 或 S3 远端存储进一步增强功能。祝部署顺利！