搭建私服-docker registry
阿新 • • 發佈:2018-03-16
docker
Docke官方提供了Docker Hub網站來作為一個公開的集中倉庫。然而,本地訪問Docker Hub速度往往很慢,並且很多時候我們需要一個本地的私有倉庫只供網內使用。
Docker倉庫實際上提供兩方面的功能,一個是鏡像管理,一個是認證。前者主要由docker-registry項目來實現,通過http服務來上傳下載;後者可以通過docker-index(閉源)項目或者利用現成認證方案(如nginx)實現http請求管理。
系統環境:CentOS 7.2
主機IP:192.168.116.148
1、安裝docker-registry
| 1 | docker run -d -p 5000:5000 --restart=always --name registry -v /opt/registry:/var/lib/registry registry:2 |
2、上傳鏡像
查看系統已有的鏡像:
| 1234 | # docker imagesREPOSITORY TAG IMAGE ID CREATED SIZEcentos latest 8140d0c64310 7 days ago 193MBregistry 2 9d0c4eabab4d 8 days ago 33.2MB |
使用docker tag將centos鏡像打個標記
| 1 | # docker tag centos 192.168.116.148:5000/centos |
使用docker push 上傳標記的鏡像
| 1 | # docker push 192.168.116.148:5000/centos |
沒有成功,這是因為從docker1.3.2版本開始,使用registry時,必須使用TLS保證其安全。
在/etc/docker/目錄下,創建daemon.json文件。在文件中寫入:
| 1 | { "insecure-registries":["192.168.116.148:5000"] } |
然後重啟docker:
| 1 | # systemctl restart docker |
重新上傳:
接下來開始配置https
3、配置SSL證書及nginx反向代理docker registry
搭建私有CA,初始化CA環境,在/etc/pki/CA/下建立證書索引數據庫文件index.txt和序列號文件serial,並為證書序列號文件提供初始值。
| 12 | # touch /etc/pki/CA/{index.txt,serial}# echo 01 > /etc/pki/CA/serial |
生成密鑰並保存到/etc/pki/CA/private/cakey.pem
| 1 | # (umask 077;openssl genrsa -out /etc/pki/CA/private/cakey.pem 2048) |
生成根證書
| 1 | # openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/cacert.pem -days 3650 |
需要填寫的信息:
| 1234567 | Country Name (2 letter code) [XX]:CNState or Province Name (full name) []:ChinaLocality Name (eg, city) [Default City]:BeijingOrganization Name (eg, company) [Default Company Ltd]:wtsOrganizational Unit Name (eg, section) []:sysopsCommon Name (eg, your name or your server's hostname) []:hub.wts.comEmail Address []:[email protected] |
使系統信任根證書
| 1 | # cat /etc/pki/CA/cacert.pem >> /etc/pki/tls/certs/ca-bundle.crt |
安裝nginx
安裝過程略,安裝路徑為/app/nginx,需要安裝openssl模塊。
簽發證書
創建ssl目錄用來存放密鑰文件和證書申請文件
| 1 | # mkdir /app/nginx/conf/ssl |
創建密鑰文件和證書申請文件
| 12 | # (umask 077;openssl genrsa -out /app/nginx/conf/ssl/docker.key 2048)# openssl req -new -key /app/nginx/conf/ssl/docker.key -out /app/nginx/conf/ssl/docker.csr |
填寫的申請信息前四項要和私有CA的信息一致
| 123456789101112 | Country Name (2 letter code) [XX]:CNState or Province Name (full name) []:ChinaLocality Name (eg, city) [Default City]:BeijingOrganization Name (eg, company) [Default Company Ltd]:wtsOrganizational Unit Name (eg, section) []:sysopsCommon Name (eg, your name or your server's hostname) []:hub.wts.comEmail Address []:[email protected] Please enter the following 'extra' attributesto be sent with your certificate requestA challenge password []: #直接回車An optional company name []: #直接回車 |
簽署,證書
| 1234567891011121314151617181920212223242526272829303132 | # openssl ca -in /app/nginx/conf/ssl/docker.csr -out /app/nginx/conf/ssl/docker.crt -days 3650Using configuration from /etc/pki/tls/openssl.cnfCheck that the request matches the signatureSignature okCertificate Details: Serial Number: 1 (0x1) Validity Not Before: May 19 19:03:55 2017 GMT Not After : May 17 19:03:55 2027 GMT Subject: countryName = CN stateOrProvinceName = Beijing organizationName = wts organizationalUnitName = sysops commonName = hub.wts.com emailAddress = [email protected] X509v3 extensions: X509v3 Basic Constraints: CA:FALSE Netscape Comment: OpenSSL Generated Certificate X509v3 Subject Key Identifier: 69:F0:D7:BF:B2:CE:6D:53:AA:1A:CD:E8:73:47:A7:9F:30:EA:17:F7 X509v3 Authority Key Identifier: keyid:AF:E5:48:44:A3:18:59:38:D5:17:07:1B:1D:6F:32:F4:EC:1E:E0:E2 Certificate is to be certified until May 17 19:03:55 2027 GMT (3650 days)Sign the certificate? [y/n]:y 1 out of 1 certificate requests certified, commit? [y/n]yWrite out database with 1 new entriesData Base Updated |
配置nginx反向代理docker registry
添加認證
| 12 | # yum -y install httpd-tools# htpasswd -cb /app/nginx/conf/docker-registry.htpasswd admin admin |
nginx相關配置:
| 1234567891011121314151617181920212223242526272829303132333435 | upstream docker-registry { server 127.0.0.1:5000; } server { listen 443; server_name localhost; #charset koi8-r; #access_log logs/host.access.log main; ssl on; ssl_certificate /app/nginx/conf/ssl/docker.crt; ssl_certificate_key /app/nginx/conf/ssl/docker.key; client_max_body_size 0; chunked_transfer_encoding on; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; add_header 'Docker-Distribution-Api-Version' 'registry/2.0' always; location / { auth_basic "Docker registry"; auth_basic_user_file /app/nginx/conf/docker-registry.htpasswd; proxy_pass http://docker-registry; } location /_ping{ auth_basic off; proxy_pass http://docker-registry; } location /v2/_ping{ auth_basic off; proxy_pass http://docker-registry; }} |
重啟nginx
| 1 | # /app/nginx/sbin/nginx -s reload |
如果沒有DNS解析內網域名,修改hosts文件
| 123 | # cat >>/etc/hosts <<EOF192.168.116.148 hub.wts.comEOF |
重啟docker
| 12 | # systemctl daemon-reload# systemctl restart docker |
登錄
上傳鏡像
| 123 | # docker pull nginx# docker tag nginx 192.168.116.148:5000/nginx# docker push 192.168.116.148:5000/nginx |
查看
| 12 | # curl --user admin:admin https://hub.wts.com/v2/_catalog{"repositories":["centos","nginx"]} |
局域網內其他機器認證(192.168.116.147 系統版本:CentOS6.5)
修改hosts文件
| 123 | # cat >>/etc/hosts <<EOF192.168.116.148 hub.wts.comEOF |
把CA的密鑰發送到客戶機,並添加到ca-bundle.crt
| 123 | # scp -p /etc/pki/tls/certs/ca-bundle.crt [email protected]:/etc/pki/tls/certs/ca-bundle.crt# scp -p /etc/pki/CA/cacert.pem [email protected]:/etc/pki/CA/cacert.pem# cat /etc/pki/CA/cacert.pem >> /etc/pki/tls/certs/ca-bundle.crt |
重啟docker
| 1 | # /etc/init.d/docker restart |
登錄
下載鏡像
至此,私服基本上可以使用了。
搭建私服-docker registry