Setting up a private registry: docker registry

Docker officially provides the Docker Hub site as a public, centralized registry. However, access to Docker Hub from a local network is often slow, and in many cases we need a local private registry that is only used inside our own network.
A Docker registry really provides two kinds of functionality: image management and authentication. The former is mainly implemented by the docker-registry project, which uploads and downloads images over HTTP; the latter can be provided by the docker-index project (closed source) or by an existing authentication solution (such as nginx) that controls the HTTP requests.

System environment: CentOS 7.2
Host IP: 192.168.116.148

1. Install docker-registry

docker run -d -p 5000:5000 --restart=always --name registry -v /opt/registry:/var/lib/registry registry:2

2. Upload an image

List the images already on the system:

# docker images
REPOSITORY          TAG                 IMAGE ID            CREATED             SIZE
centos              latest              8140d0c64310        7 days ago          193MB
registry            2                   9d0c4eabab4d        8 days ago          33.2MB

Tag the centos image with docker tag:

# docker tag centos 192.168.116.148:5000/centos
Upload the tagged image with docker push:
# docker push 192.168.116.148:5000/centos
This does not succeed, because starting with docker 1.3.2 the registry must be accessed over TLS.

Create the file daemon.json in the /etc/docker/ directory and write the following into it:

{ "insecure-registries":["192.168.116.148:5000"] }
Then restart docker:
# systemctl restart docker

Upload again:

Next, configure HTTPS.

3. Configure an SSL certificate and an nginx reverse proxy for the docker registry

Set up a private CA. Initialize the CA environment: under /etc/pki/CA/, create the certificate index database file index.txt and the serial-number file serial, and give the serial-number file an initial value.

# touch /etc/pki/CA/{index.txt,serial}
# echo 01 > /etc/pki/CA/serial

Generate the CA key and save it to /etc/pki/CA/private/cakey.pem

# (umask 077;openssl genrsa -out  /etc/pki/CA/private/cakey.pem 2048)

Generate the root certificate

# openssl req -new -x509 -key  /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/cacert.pem -days 3650

Information to fill in:

Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:China
Locality Name (eg, city) [Default City]:Beijing
Organization Name (eg, company) [Default Company Ltd]:wts
Organizational Unit Name (eg, section) []:sysops
Common Name (eg, your name or your server's hostname) []:hub.wts.com
Email Address []:admin@wts.com

Make the system trust the root certificate

# cat /etc/pki/CA/cacert.pem >> /etc/pki/tls/certs/ca-bundle.crt
Install nginx
The installation steps are omitted; the install path is /app/nginx, and nginx must be built with the openssl (SSL) module.

Issue the server certificate
Create an ssl directory to hold the key file and the certificate signing request
# mkdir /app/nginx/conf/ssl

Create the key file and the certificate signing request

# (umask 077;openssl genrsa -out /app/nginx/conf/ssl/docker.key 2048)
# openssl req -new -key /app/nginx/conf/ssl/docker.key -out /app/nginx/conf/ssl/docker.csr

The first four fields of the request must match the private CA's information

Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:China
Locality Name (eg, city) [Default City]:Beijing
Organization Name (eg, company) [Default Company Ltd]:wts
Organizational Unit Name (eg, section) []:sysops
Common Name (eg, your name or your server's hostname) []:hub.wts.com
Email Address []:admin@wts.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:  # just press Enter
An optional company name []:  # just press Enter

Sign the certificate

# openssl ca -in /app/nginx/conf/ssl/docker.csr -out /app/nginx/conf/ssl/docker.crt -days 3650
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: May 19 19:03:55 2017 GMT
            Not After : May 17 19:03:55 2027 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = Beijing
            organizationName          = wts
            organizationalUnitName    = sysops
            commonName                = hub.wts.com
            emailAddress              = admin@wts.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                69:F0:D7:BF:B2:CE:6D:53:AA:1A:CD:E8:73:47:A7:9F:30:EA:17:F7
            X509v3 Authority Key Identifier:
                keyid:AF:E5:48:44:A3:18:59:38:D5:17:07:1B:1D:6F:32:F4:EC:1E:E0:E2

Certificate is to be certified until May 17 19:03:55 2027 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
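The CA and signing steps above as one non-interactive script, added here as an example (these are not the post's own commands). It assumes the hostname hub.wts.com and the IP 192.168.116.148 from the post, signs with openssl x509 -req instead of openssl ca, gives the CA its own CN instead of reusing hub.wts.com, and adds a subjectAltName, which current Docker clients require; it then verifies the result the way a client would.

```shell
#!/bin/sh
# Added example, not from the original post: the CA + server-certificate
# procedure run non-interactively in a scratch directory. Subjects are passed
# with -subj; certificates are signed with "openssl x509 -req" (no index.txt or
# serial file needed); the server cert gets a subjectAltName because Docker's
# Go TLS stack ignores the CN. hub.wts.com / 192.168.116.148 come from the post.
set -eu

WORK="${WORK:-$(mktemp -d)}"
HOST="hub.wts.com"
IP="192.168.116.148"

make_ca() {
    (umask 077; openssl genrsa -out "$WORK/cakey.pem" 2048 2>/dev/null)
    openssl req -new -key "$WORK/cakey.pem" -out "$WORK/ca.csr" \
        -subj "/C=CN/ST=China/L=Beijing/O=wts/OU=sysops/CN=wts-private-CA"
    # Mark it explicitly as a CA; verification rejects a v3 root without this.
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$WORK/ca.ext"
    openssl x509 -req -in "$WORK/ca.csr" -signkey "$WORK/cakey.pem" -days 3650 \
        -extfile "$WORK/ca.ext" -out "$WORK/cacert.pem" 2>/dev/null
}

make_server_cert() {
    (umask 077; openssl genrsa -out "$WORK/docker.key" 2048 2>/dev/null)
    openssl req -new -key "$WORK/docker.key" -out "$WORK/docker.csr" \
        -subj "/C=CN/ST=China/L=Beijing/O=wts/OU=sysops/CN=$HOST"
    # Extensions the post's signing step does not add: SAN and a server-only EKU.
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s,IP:%s\nextendedKeyUsage=serverAuth\n' \
        "$HOST" "$IP" > "$WORK/docker.ext"
    openssl x509 -req -in "$WORK/docker.csr" -CA "$WORK/cacert.pem" -CAkey "$WORK/cakey.pem" \
        -CAcreateserial -days 3650 -extfile "$WORK/docker.ext" -out "$WORK/docker.crt" 2>/dev/null
}

# What a client effectively checks before trusting the registry: the chain
# verifies against our CA and the certificate names the registry host in its SAN.
verify_server_cert() {
    openssl verify -CAfile "$WORK/cacert.pem" "$WORK/docker.crt" >/dev/null 2>&1 || return 1
    openssl x509 -in "$WORK/docker.crt" -noout -text | grep -q "DNS:$HOST" || return 1
}

make_ca
make_server_cert
verify_server_cert && echo "docker.crt for $HOST verifies against $WORK/cacert.pem"
```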

Configure nginx as a reverse proxy for the docker registry

Add authentication

# yum -y install httpd-tools
# htpasswd -cb /app/nginx/conf/docker-registry.htpasswd admin admin

The relevant nginx configuration:

upstream docker-registry {
    server 127.0.0.1:5000;
}

server {
    listen       443;
    server_name  localhost;

    #charset koi8-r;

    #access_log  logs/host.access.log  main;
    ssl                   on;
    ssl_certificate       /app/nginx/conf/ssl/docker.crt;
    ssl_certificate_key   /app/nginx/conf/ssl/docker.key;
    # no request body limit: image layers can be very large
    client_max_body_size 0;
    chunked_transfer_encoding on;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    add_header 'Docker-Distribution-Api-Version' 'registry/2.0' always;

    # everything else requires basic auth against the htpasswd file
    location / {
        auth_basic            "Docker registry";
        auth_basic_user_file  /app/nginx/conf/docker-registry.htpasswd;
        proxy_pass            http://docker-registry;
    }
    # the ping endpoints stay unauthenticated so the daemon's version check works
    location /_ping {
        auth_basic  off;
        proxy_pass  http://docker-registry;
    }
    location /v2/_ping {
        auth_basic  off;
        proxy_pass  http://docker-registry;
    }
}

Reload nginx

# /app/nginx/sbin/nginx -s reload

If there is no DNS resolution for the internal domain name, edit the hosts file
# cat >>/etc/hosts <<EOF
192.168.116.148 hub.wts.com
EOF
Restart docker
# systemctl daemon-reload
# systemctl restart docker

Log in

Upload an image

# docker pull nginx
# docker tag nginx 192.168.116.148:5000/nginx
# docker push 192.168.116.148:5000/nginx

Check

# curl --user admin:admin  https://hub.wts.com/v2/_catalog
{"repositories":["centos","nginx"]}

Authentication from another machine on the LAN (192.168.116.147, OS: CentOS 6.5)

Edit the hosts file
# cat >>/etc/hosts <<EOF
192.168.116.148 hub.wts.com
EOF

Copy the CA certificate to the client machine and append it to ca-bundle.crt

# scp -p /etc/pki/tls/certs/ca-bundle.crt  root@192.168.116.147:/etc/pki/tls/certs/ca-bundle.crt
# scp -p /etc/pki/CA/cacert.pem root@192.168.116.147:/etc/pki/CA/cacert.pem
# cat /etc/pki/CA/cacert.pem >> /etc/pki/tls/certs/ca-bundle.crt
Restart docker
# /etc/init.d/docker restart

Log in

Pull an image

At this point, the private registry is basically ready for use.
