docker registry v2 nginx-linux
Docker registry V2 nginx 搭建一 环境
俩台centos 7 64位
Docker 版本
Client:
Version: 1.8.2
API version:1.20
Package Version: docker-1.8.2-7.el7.centos.x86_64
Go version: go1.4.2
Git commit: bb472f0/1.8.2
Built:
OS/Arch: linux/amd64
Server:
Version: 1.8.2
API version:1.20
Package Version:
Go version: go1.4.2
Git commit: bb472f0/1.8.2
Built:
OS/Arch: linux/amd64
Register V2.0
Register server 镜像服务器 192.168.33.75
Register client 测试镜像docker服务器 192.168.153.86
二 搭建过程
在Register server 上(192.168.33.75)
2.1 安装需要的软件
yum install gcc make pcre-devel pcre openssl-devel httpd-tools -y
其中pcre-devel pcre 是在nginx需要的用的软件包
Openssl-devel 是制作key的时候需要用的软件包
Httpd-tools 是生成nginx用户密码需要用的软件包
2.2 更改hosts,添加
# vim /etc/hosts
192.168.33.75 dockertest.xxxx.com
2.3 生成根密钥
先看下/etc/pki/CA 下有没有
Cacert.pem index.txt index.txt.attr index.txt.old serial serial.old
有的话全部删除,然后
# cd /etc/pki/CA/
生成根密钥
#openssl genrsa -out private/cakey.pem 2048
生成根证书
openssl req -new -x509 -key private/cakey.pem -out cacert.pem
输出,其中最主要的是红色表明的
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) :CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) :beijing
Organization Name (eg, company) :beijing
Organizational Unit Name (eg, section) []:beijing
Common Name (eg, your name or your server's hostname) []:dockertest.xxxx.com
Email Address []:abcd@qq.com
其中CN一定要写自己的私有镜像库的域名
Email要记住,后面要用到
上面的自签证书cacert.pem在/etc/pki/CA/目录下
2.4 为nginx web服务器生成ssl密钥
# mkdir /usr/local/nginx/ssl
# cd /usr/local/nginx/ssl
# openssl genrsa -out nginx.key 2048
为nginx生成证书签署请求
# openssl req -new -key nginx.key -out nginx.csr
输出,其中最主要的是红色表明的
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) :CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) :beijing
Organization Name (eg, company) :beijing
Organizational Unit Name (eg, section) []:beijing
Common Name (eg, your name or your server's hostname) []:dockertest.xxxx.com
Email Address []:abcd@qq.com
A challenge password []:
An optional company name []:
其中Common Name 和email要和上面的一样,challenge password不填
私有CA根据请求来签发证书
# touch /etc/pki/CA/index.txt
# touch /etc/pki/CA/serial
# echo 00 > /etc/pki/CA/serial
#openssl ca -in nginx.csr -out nginx.crt
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Jan 11 06:04:22 2016 GMT
Not After : Jan 10 06:04:22 2017 GMT
Subject:
countryName = CN
stateOrProvinceName = beijing
organizationName = beijing
organizationalUnitName = beijing
commonName = dockertest.hc360.org
emailAddress = 122727569@qq.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
80:2C:A4:5D:55:92:2E:E0:38:26:9A:A0:F2:7E:29:6A:24:3D:FE:DF
X509v3 Authority Key Identifier:
keyid:60:BE:EA:F3:43:79:DC:46:D3:A2:00:2A:2E:8A:D6:10:93:5C:54:59
Certificate is to be certified until Jan 10 06:04:22 2017 GMT (365 days)
Sign the certificate? :y
直接输入y,确认就好了。
三 安装配置nginx
3.1 安装nginx
Nginx 版本必须大于1.7.5,我使用的是1.8的
# tar zxvf nginx-1.8.0.tar.gz
cd nginx-1.8.0
mkdir /usr/local/nginx
./configure --prefix=/usr/local/nginx--with-http_ssl_module --with-http_stub_status_module--with-pcre--with-http_addition_module --with-http_realip_module--with-http_flv_module
make && make install
3.2 生成htpasswd
# htpasswd -cb /usr/local/nginx/conf/.htpasswd admin admin
生成的用户名和密码都是admin,到时登录私有仓库的时候用。
3.3 配置nginx
# cd /usr/local/nginx/conf/
# cp nginx.conf nginx.conf.bak
#vim nginx.conf
userroot root;
worker_processesauto;
error_loglogs/error.log;
#error_loglogs/error.lognotice;
#error_loglogs/error.loginfo;
pid logs/nginx.pid;
worker_rlimit_nofile 51200;
events {
use epoll;
worker_connections51200;
multi_accept on;
}
http {
include mime.types;
default_typeapplication/octet-stream;
log_formatmain'$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_loglogs/access.logmain;
server_names_hash_bucket_size 128;
client_header_buffer_size 32k;
large_client_header_buffers 4 32k;
sendfile on;
tcp_nopush on;
tcp_nodelay on;
#keepalive_timeout0;
keepalive_timeout65;
#gzipon;
upstream registry {
server 127.0.0.1:5000;
}
server {
listen 443;
server_name192.168.33.75;
add_header Docker-Distribution-Api-Version registry/2.0 always;
sslon;
ssl_certificate /usr/local/nginx/ssl/nginx.crt; #crt的位置
ssl_certificate_key /usr/local/nginx/ssl/nginx.key; #key的位置
client_max_body_size 0;
chunked_transfer_encoding on;
location / {
auth_basic "registry";
auth_basic_user_file /usr/local/nginx/conf/.htpasswd; #htpasswd的位置
root html;
indexindex.html index.htm;
proxy_pass http://registry;
#proxy_set_headerHost $http_host;
proxy_set_headerX-Real-IP $remote_addr;
proxy_set_headerAuthorization"";
client_body_buffer_size 128k;
proxy_connect_timeout 90;
proxy_send_timeout 90;
proxy_read_timeout 90;
proxy_buffer_size 8k;
proxy_buffers 4 32k;
proxy_busy_buffers_size 64k;#如果系统很忙的时候可以申请更大的proxy_buffers 官方推荐*2
proxy_temp_file_write_size64k;#proxy缓存临时文件的大小
}
location /_ping {
auth_basic off;
proxy_pass http://registry;
}
location /v1/_ping {
auth_basic off;
proxy_pass http://registry;
}
}
}
其中红色标明的地方一定要注意
如果不添加add_header Docker-Distribution-Api-Version registry/2.0 always;
无法用https访问私有仓库
如果不注解掉
#proxy_set_headerHost $http_host;
这个的话,私有仓库可以用https登录,但是push的时候会报错,
The push refers to a repository (len: 1)
af88597ec24b: Pushing
dial tcp 192.168.33.75:80: connection refused
不注解的话它连接的是真实ip地址,无法代理
这个具体含义,大家查下nginx 反向代理 proxy_set_header
3.4验证配置
# /usr/local/nginx/sbin/nginx -t
如果没有错误的话,启动nginx
# /usr/local/nginx/sbin/nginx
四 搭建docker registry V2
4.1 更改docker配置文件
# systemctl stop docker
# vim /etc/sysconfig/docker
OPTIONS='--selinux-enabled --insecure-registry dockertest.xxxx.com'
更改成这样,添加--insecure-registry dockertest.xxxx.com 红色的是私有仓库的域名,更前面生成密钥时候的域名对应
配置密钥文件
Mkdir -p /etc/docker/certs.d/hc.docker.io
Cp /etc/pki/CA/cacert.pem ./hc.docker.io/ca-certificates.crt
cat /etc/pki/CA/cacert.pem>> /etc/pki/tls/certs/ca-bundle.crt
#systemctl restart docker
#vim config.yml
version: 0.1
log:
level: debug
formatter: text
fields:
service: registry
environment: staging
storage:
delete:
enabled: true
cache:
layerinfo: inmemory
filesystem:
rootdirectory: /var/lib/registry
http:
addr: :5000
secret: admin
#mkdir data
docker run -d -p 5000:5000 --restart=always --name registry -v `pwd`/config.yml:/etc/docker/registry/config.yml -v `pwd`/data:/var/lib/registry registry:2
4.2 验证
# curl https://admin:admin@dockertest.xxxx.com/v2/
结果返回{}
登录
docker login https://dockertest.xxxx.com
Username: admin
Password: #admin
Email: abcd@qq.com
WARNING: login credentials saved in /root/.docker/config.json
Login Succeeded
4.3 验证push镜像到私有仓库
在登录的前题下,本机验证
# docker pull centos
# docker images
daocloud.io/centos latest 60e65a8e4030 2 weeks ago 196.6 MB
# docker tag 60e65a8e4030 dockertest.hc360.org/centos_test_v12
# docker push dockertest.xxxx.com/centos_test_v12
The push refers to a repository (len: 1)
60e65a8e4030: Pushed
60e65a8e4030: Preparing
838c1c5c4f83: Pushed
838c1c5c4f83: Preparing
latest: digest: sha256:3019f69254dcceb22a65859a3a414386ffbdd2908afba1b39e73220845c6cec8 size: 7228
查看push结果
# curlhttps://admin:admin@dockertest.hc360.org/v2/_catalog
{"repositories":["centos_test_v12"]}
五 在client端测试
5.1 配置密钥
#scp /etc/pki/CA/cacert.pem root@192.168.153.86:/root/
在192.168.153.86这台服务器上
# cat /root/cacert.pem >> /etc/pki/tls/certs/ca-bundle.crt
#vim /etc/sysconfig/docker
OPTIONS='--selinux-enabled --insecure-registry dockertest.xxxx.com'
# systemctl restart docker
最好重启下服务器吧,我第一次更改完无法登录。重启后可以登录了,可能是没有加载密钥
# docker login https://dockertest.hc360.org
Username: admin
Password:
Email: 122727569@qq.com
WARNING: login credentials saved in /root/.docker/config.json
Login Succeeded
5.2 验证
和上面验证方法一样
能登录上传基本没有什么问题
页:
[1]