安嘟嘟 posted on 2015-8-18 17:28:41

A detailed tutorial on setting up a private Docker registry

<p><strong>1. About the Docker registry<br /></strong>This article records my complete process of setting up a docker registry. Officially, <a target="_blank" href="http://www.wpython.com/go?url=aHR0cHM6Ly9yZWdpc3RyeS5odWIuZG9ja2VyLmNvbQ==">Docker Hub</a> is provided as a public central repository, but with the network in China being what it is, the first pull of an image either fails or takes a very long time. To solve this, a private registry is needed so that pulls and pushes stay local. The docker version I use is 1.5.0.</p>
<p><strong>2. Install docker-registry</strong></p>
<p><div class="msgborder" id="phpcode57">docker run -d -e SETTINGS_FLAVOR=dev -e STORAGE_PATH=/tmp/registry -v /alidata/registry:/tmp/registry -p 5000:5000 registry</div><br /># If docker-registry has not been downloaded locally, the first run pulls the registry image. At run time a path and a port are mapped, and from then on the private registry can be found under /data/registry.</p>
<p><strong>3. Operations on the client<br /></strong># Query which images the local registry holds<br /><div class="msgborder" id="phpcode58">curl -X GET http://registry.wpython.com:5000/v1/search<br /><br />curl http://registry.wpython.com:5000/v1/search<br />{"num_results": 1, "query": "", "results": [{"description": "", "name": "library/centos6"}]}</div></p>
<p># Pull the image to the local machine<br /><div class="msgborder" id="phpcode59">docker pull library/centos6</div></p>
<p># Tag an image<br /><div class="msgborder" id="phpcode60">docker tag 8552ea9a16f9 registry.wpython.com:5000/centos6_x86_64.mini</div></p>
<p># Push the new docker image to the local registry<br /><div class="msgborder" id="phpcode61">docker push registry.wpython.com:5000/centos6_x86_64.mini</div></p>
<p><strong>4. Add nginx authentication<br /></strong>Once Docker is listening on a port it speaks plain http, and the Docker host can be managed remotely.<br />This scenario has a weakness: the API layer provides no user authentication, tokens or any other identity check, so anyone who knows the address and port can control the Docker host. To prevent this, Docker officially also supports https, but we have to generate the certificates ourselves.<br />Newer docker versions also require https and raise an error otherwise.</p>
<p># The nginx installation itself is omitted here<br />Create a login user (if the htpasswd command is missing, install the httpd-tools package)</p>
<p><div class="msgborder" id="phpcode62">htpasswd -c /alidata/server/nginx/docker-registry.htpasswd admin<br />New password: <br />Re-type new password: <br />Adding password for user admin</div></p>
<p># Generate the CA root key<br /><div class="msgborder" id="phpcode63">cd /etc/pki/CA/<br />openssl genrsa -out private/cakey.pem 2048</div></p>
<p># Generate the root certificate<br /><div class="msgborder" id="phpcode64">openssl req -new -x509 -key private/cakey.pem -out cacert.pem</div><br />Country Name (2 letter code) :CN<br />State or Province Name (full name) :Brijing<br />Locality Name (eg, city) []:Chaoyang<br />Organization Name (eg, company) :<br />Organizational Unit Name (eg, section) []:<br />Common Name (e.g. server FQDN or YOUR name) []:registry.wpython.com<br />Email Address []:</p>
<p># Generate the SSL key for the nginx server<br /><div class="msgborder" id="phpcode65">cd /alidata/server/nginx/ssl<br />openssl genrsa -out nginx.key 2048</div></p>
<p># Generate the certificate signing request for nginx<br /><div class="msgborder" id="phpcode66">openssl req -new -key nginx.key -out nginx.csr</div><br />You are about to be asked to enter information that will be incorporated<br />into your certificate request.<br />What you are about to enter is what is called a Distinguished Name or a DN.<br />There are quite a few fields but you can leave some blank<br />For some fields there will be a default value,<br />If you enter '.', the field will be left blank.<br />-----<br />Country Name (2 letter code) :CN<br />State or Province Name (full name) :Beijing<br />Locality Name (eg, city) []:Chaoyang<br />Organization Name (eg, company) :<br />Organizational Unit Name (eg, section) []:<br />Common Name (e.g. server FQDN or YOUR name) []:registry.wpython.com<br />Email Address []:<br /><br />Please enter the following 'extra' attributes<br />to be sent with your certificate request<br />A challenge password []:<br />An optional company name []:</p>
<p># The private CA issues the certificate from the request<br /><div class="msgborder" id="phpcode67">openssl ca -in nginx.csr -out nginx.crt</div><br /># If the following error is reported:<br />Using configuration from /usr/local/ssl/openssl.cnf<br />/etc/pki/CA/index.txt: No such file or directory<br />unable to open '/etc/pki/CA/index.txt'<br />140137408210600:error:02001002:system library:fopen:No such file or directory:bss_file.c:398:fopen('/etc/pki/CA/index.txt','r')<br />140137408210600:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:400:<br /><br /># run the following commands<br /><div class="msgborder" id="phpcode68">cd /etc/pki/CA/<br />mkdir newcerts<br />touch index.txt<br />touch serial<br />echo 01 &gt; serial<br />cd -<br /><br />openssl ca -in nginx.csr -out nginx.crt</div><br />Using configuration from /usr/local/ssl/openssl.cnf<br />Check that the request matches the signature<br />Signature ok<br />Certificate Details:<br />&nbsp;&nbsp;&nbsp;&nbsp;Serial Number: 1 (0x1)<br />&nbsp;&nbsp;&nbsp;&nbsp;Validity<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Not Before: May 12 04:15:08 2015 GMT<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Not After : May 11 04:15:08 2016 GMT<br />&nbsp;&nbsp;&nbsp;&nbsp;Subject:<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;countryName = CN<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;stateOrProvinceName = Beijing<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;organizationName = Internet Widgits Pty Ltd<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;commonName = registry.wpython.com<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;emailAddress = 739827282@qq.com<br />&nbsp;&nbsp;&nbsp;&nbsp;X509v3 extensions:<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;X509v3 Basic Constraints:<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;CA:FALSE<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Netscape Comment:<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;OpenSSL Generated Certificate<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;X509v3 Subject Key Identifier:<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;B5:20:C7:47:26:D9:26:54:12:F7:36:7E:4E:3A:F0:D9:0E:2C:F7:BD<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;X509v3 Authority Key Identifier:<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;keyid:93:F7:86:72:1B:2B:24:CD:AF:24:EF:53:F4:E1:FA:EC:E7:70:1A:90<br /><br />Certificate is to be certified until May 11 04:15:08 2016 GMT (365 days)<br />Sign the certificate? :y<br /><br />1 out of 1 certificate requests certified, commit? y<br />Write out database with 1 new entries<br />Data Base Updated</p>
<p># Make the root certificate known to the system<br /><div class="msgborder" id="phpcode69"># cp /etc/pki/tls/certs/ca-bundle.crt{,.bak}    # back up first, in case something goes wrong<br /># cat /etc/pki/CA/cacert.pem &gt;&gt; /etc/pki/tls/certs/ca-bundle.crt</div></p>
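As an added check that is not part of the original post, the script below replays the root-key, root-certificate, nginx-key, CSR and signing steps non-interactively in a scratch directory and then runs the three verifications worth doing before nginx is pointed at the files. It assumes the openssl CLI is installed, and it signs with `openssl x509 -req` instead of the post's `openssl ca`, so no index.txt/serial database is needed.

```shell
#!/bin/sh
# Added example (not from the original post): replay the CA and server
# certificate steps without prompts, then verify the results. Assumes the
# openssl CLI is on PATH; uses a scratch dir instead of /etc/pki/CA and
# /alidata/server/nginx/ssl.
set -e
WORK="$(mktemp -d)"
REGISTRY_HOST="registry.wpython.com"   # the CN the post types into the CSR

make_ca() {
    openssl genrsa -out "$WORK/cakey.pem" 2048 2>/dev/null
    openssl req -new -x509 -key "$WORK/cakey.pem" -out "$WORK/cacert.pem" \
        -days 3650 -subj "/C=CN/ST=Beijing/L=Chaoyang/CN=Private Docker CA" 2>/dev/null
}

make_server_cert() {
    openssl genrsa -out "$WORK/nginx.key" 2048 2>/dev/null
    openssl req -new -key "$WORK/nginx.key" -out "$WORK/nginx.csr" \
        -subj "/C=CN/ST=Beijing/L=Chaoyang/CN=$REGISTRY_HOST" 2>/dev/null
    # The post signs with 'openssl ca'; 'x509 -req' is used here so no
    # index.txt/serial database has to exist. 365 days, as in the post.
    openssl x509 -req -in "$WORK/nginx.csr" -CA "$WORK/cacert.pem" \
        -CAkey "$WORK/cakey.pem" -CAcreateserial -days 365 \
        -out "$WORK/nginx.crt" 2>/dev/null
}

# Check 1: nginx.crt chains to the private CA. This is what the docker client
# verifies once cacert.pem has been appended to ca-bundle.crt.
verify_chain() {
    openssl verify -CAfile "$WORK/cacert.pem" "$WORK/nginx.crt" >/dev/null 2>&1 \
        && echo OK || echo FAIL
}

# Check 2: the certificate's CN is the hostname clients will dial; any other
# value makes 'docker login' fail with a hostname mismatch.
cert_cn() {
    openssl x509 -in "$WORK/nginx.crt" -noout -subject \
        | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# Check 3: nginx.key is the private key for nginx.crt (same public key);
# a mismatched pair makes nginx refuse to load the ssl_certificate.
key_matches_cert() {
    [ "$(openssl x509 -in "$WORK/nginx.crt" -noout -pubkey)" = \
      "$(openssl pkey -in "$WORK/nginx.key" -pubout 2>/dev/null)" ] \
        && echo OK || echo FAIL
}

make_ca; make_server_cert
echo "chain: $(verify_chain)  cn: $(cert_cn)  key matches cert: $(key_matches_cert)"
```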
<p># Create the nginx configuration file<br /><div class="msgborder" id="phpcode70"># vi /alidata/server/nginx/conf/vhosts/www.wpython.com.conf<br />upstream docker-registry {<br />    server localhost:5000;<br />}<br /><br />server {<br />   listen 8080;<br />   server_name registry.wpython.com;<br /><br />   # enable ssl<br />   ssl on;<br />   ssl_certificate     /alidata/server/nginx/ssl/nginx.crt;<br />   ssl_certificate_key /alidata/server/nginx/ssl/nginx.key;<br /><br />   proxy_set_header Host      $http_host;<br />   proxy_set_header X-Real-IP $remote_addr;<br />   client_max_body_size      0;<br />   chunked_transfer_encoding on;<br /><br />   location / {<br />      auth_basic           "Restricted";<br />      auth_basic_user_file docker-registry.htpasswd;<br />      proxy_pass http://docker-registry;<br />   }<br /><br />   location /_ping {<br />      auth_basic off;<br />      proxy_pass http://docker-registry;<br />   }<br /><br />   location /v1/_ping {<br />      auth_basic off;<br />      proxy_pass http://docker-registry;<br />   }<br />}</div></p>
<p># Final test</p>
<p><div class="msgborder" id="phpcode71"># docker login https://registry.wpython.com:8080<br />Username: admin<br />Password: <br />Email: 739827282@qq.com<br />Login Succeeded</div></p>
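An added detection example, not from the original post: once nginx fronts the registry, its access log is where password guessing against the htpasswd account, unexpected pushes and paths that slipped past auth_basic show up. The three awk checks below run over constructed sample lines in nginx's default combined log format and assume the v1 API paths seen in this post.

```shell
#!/bin/sh
# Added example (not from the original post): three checks over the nginx
# access log that sits in front of the registry. Assumes the default
# "combined" log format (field 3 = $remote_user, field 7 = path, field 9 =
# status). The log lines are constructed sample data.
set -e
LOG="$(mktemp)"
cat > "$LOG" <<'EOF'
10.0.0.5 - - [18/Aug/2015:17:20:01 +0800] "GET /v1/_ping HTTP/1.1" 200 2 "-" "docker/1.5.0"
10.0.0.5 - admin [18/Aug/2015:17:20:02 +0800] "GET /v1/search HTTP/1.1" 200 96 "-" "curl/7.29.0"
10.0.0.5 - admin [18/Aug/2015:17:21:10 +0800] "PUT /v1/repositories/centos6_x86_64.mini/ HTTP/1.1" 200 4 "-" "docker/1.5.0"
10.0.0.8 - - [18/Aug/2015:17:22:00 +0800] "GET /v1/repositories/centos6_x86_64.mini/tags HTTP/1.1" 200 40 "-" "curl/7.29.0"
203.0.113.7 - - [18/Aug/2015:17:25:00 +0800] "GET /v1/search HTTP/1.1" 401 188 "-" "python-requests/2.7.0"
203.0.113.7 - - [18/Aug/2015:17:25:01 +0800] "GET /v1/search HTTP/1.1" 401 188 "-" "python-requests/2.7.0"
203.0.113.7 - - [18/Aug/2015:17:25:01 +0800] "GET /v1/search HTTP/1.1" 401 188 "-" "python-requests/2.7.0"
198.51.100.9 - - [18/Aug/2015:17:26:00 +0800] "GET /v1/search HTTP/1.1" 401 188 "-" "curl/7.29.0"
EOF

# Check 1: sources that hit the auth wall at least $1 times: password
# guessing against the single htpasswd account. One IP per line, sorted.
brute_force_sources() {
    awk -v n="$1" '$9 == 401 { c[$1]++ }
        END { for (ip in c) if (c[ip] >= n) print ip }' "$LOG" | sort
}

# Check 2: successful pushes (PUT on /v1/repositories/... answered 200):
# every change to the registry's contents should trace back to one of these.
successful_pushes() {
    awk '$6 == "\"PUT" && $7 ~ /^\/v1\/repositories\// && $9 == 200 { print $3, $7 }' "$LOG"
}

# Check 3: 200 responses with no username on anything except the two ping
# locations the config leaves open: a path that is missing auth_basic.
unauthenticated_hits() {
    awk '$3 == "-" && $9 == 200 && $7 != "/_ping" && $7 != "/v1/_ping" { print $7 }' "$LOG"
}

echo "password guessing from: $(brute_force_sources 3 | tr '\n' ' ')"
echo "pushes (user path):";           successful_pushes
echo "unauthenticated non-ping hits:"; unauthenticated_hits
```

Note that the post's `docker run ... -p 5000:5000` publishes the registry on every interface, so a client can bypass nginx, its htpasswd check and this log by talking to port 5000 directly; publishing it as `-p 127.0.0.1:5000:5000` keeps the upstream reachable only through the proxy.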