Creating a private Docker registry on CentOS 6.5

Category: CentOS tutorials  Views: 97067

Installation guide for a private Docker Registry on CentOS 6.X

Notes:

docker.yy.com is the domain name of the docker registry server, i.e. the host address of your company's private docker server; assume its IP is 192.168.2.114. Because an HTTPS SSL certificate cannot be issued for an IP address, I simply made up a name.

The registry server is the upstream server that performs the actual upload and download of docker images; it runs the official registry image.

nginx 1.4.x serves as the reverse proxy in front of it.

I. Docker server-side configuration

Install dependencies

yum -y install gcc make file && \
yum -y install tar pcre-devel pcre-static openssl openssl-devel httpd-tools

Configure SSL

(1) Edit /etc/hosts and add the IP address of docker.yy.com, for example:

192.168.2.114 docker.yy.com

(2) Generate the root key

First delete the following files:

/etc/pki/CA/cacert.pem
/etc/pki/CA/index.txt
/etc/pki/CA/index.txt.attr
/etc/pki/CA/index.txt.old
/etc/pki/CA/serial
/etc/pki/CA/serial.old

They must be gone before continuing!

cd /etc/pki/CA/
openssl genrsa -out private/cakey.pem 2048

(3) Generate the root certificate

openssl req -new -x509 -key private/cakey.pem -out cacert.pem

Output:

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:beijing
Organization Name (eg, company) [Default Company Ltd]:youyuan
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:docker.yy.com
Email Address []:

You will be prompted for several fields. Since this is a private CA you can enter whatever you like, but remember the values so they stay consistent with the later steps, especially the "Common Name". The self-signed certificate cacert.pem above should now exist in /etc/pki/CA.

(4) Generate the SSL key for our nginx web server

mkdir -p /etc/nginx/ssl
cd /etc/nginx/ssl
openssl genrsa -out nginx.key 2048

Here the CA and the server requesting the certificate are the same machine; otherwise this step would be performed on the other server that needs the certificate.

(5) Generate the certificate signing request for nginx

openssl req -new -key nginx.key -out nginx.csr

Output:

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:beijing
Organization Name (eg, company) [Default Company Ltd]:youyuan
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:docker.yy.com
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

You will again be prompted for several fields. The Common Name must be the domain name or hostname of the server the certificate is being issued to, and the challenge password is left empty.

(6) The private CA signs the certificate from the request

touch /etc/pki/CA/index.txt
touch /etc/pki/CA/serial
echo 00 > /etc/pki/CA/serial
openssl ca -in nginx.csr -out nginx.crt

Output:

Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 0 (0x0)
        Validity
            Not Before: Dec  9 09:59:20 2014 GMT
            Not After : Dec  9 09:59:20 2015 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = beijing
            organizationName          = youyuan
            commonName                = docker.yy.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                5D:6B:02:FF:9E:F8:EA:1B:73:19:47:39:4F:88:93:9F:E7:AC:A5:66
            X509v3 Authority Key Identifier:
                keyid:46:DC:F1:A5:6F:39:EC:6E:77:03:3B:C4:34:03:7E:B8:0A:ED:99:41

Certificate is to be certified until Dec  9 09:59:20 2015 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

You will again be prompted; just answer y to both questions!


II. Install, configure and run nginx

(1) Add the group and user:

groupadd www -g 58
useradd -u 58 -g www www

(2) Download the nginx source:

cd /tmp
wget http://nginx.org/download/nginx-1.4.6.tar.gz
cp ./nginx-1.4.6.tar.gz /tmp/

(3) Build and install nginx:

tar zxvf ./nginx-1.4.6.tar.gz
cd ./nginx-1.4.6 && \
./configure --user=www --group=www --prefix=/opt/nginx \
  --with-pcre \
  --with-http_stub_status_module \
  --with-http_ssl_module \
  --with-http_addition_module \
  --with-http_realip_module \
  --with-http_flv_module && \
make && \
make install
cd /tmp
rm -rf /tmp/nginx-1.4.6/
rm /tmp/nginx-1.4.6.tar.gz

(4) Generate the htpasswd file

htpasswd -cb /opt/nginx/conf/.htpasswd ${USER} ${PASSWORD}

(5) Edit the file /opt/nginx/conf/nginx.conf

#daemon off;
# user and group to run as
user www www;
# number of worker processes (normally equal to the number of CPU cores)
worker_processes auto;
# error log path; log levels: [debug|info|notice|warn|error|crit]
error_log /var/log/nginx_error.log error;
# pid file path
#pid logs/nginx.pid;
# number of file descriptors
worker_rlimit_nofile 51200;
events {
    # network I/O model: epoll is recommended on Linux, kqueue on FreeBSD
    use epoll;
    # maximum number of connections
    worker_connections 51200;
    multi_accept on;
}
http {
    include mime.types;
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$upstream_addr"';
    access_log /var/log/nginx_access.log main;
    # bucket size of the server name hash table; the default depends on the CPU cache
    server_names_hash_bucket_size 128;
    # buffer size for client request headers
    client_header_buffer_size 32k;
    large_client_header_buffers 4 32k;
    # enable sendfile()
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    upstream registry {
        server 127.0.0.1:5000;
    }
    server {
        listen 443;
        server_name 192.168.2.114;
        ssl on;
        ssl_certificate /etc/nginx/ssl/nginx.crt;
        ssl_certificate_key /etc/nginx/ssl/nginx.key;
        client_max_body_size 0; # disable any limits to avoid HTTP 413 for large image uploads
        # required to avoid HTTP 411: see Issue #1486 (https://github.com/docker/docker/issues/1486)
        chunked_transfer_encoding on;
        location / {
            auth_basic "registry";
            auth_basic_user_file /opt/nginx/conf/.htpasswd;
            root html;
            index index.html index.htm;
            proxy_pass http://registry;
            proxy_set_header Host $http_host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header Authorization "";
            client_body_buffer_size 128k;
            proxy_connect_timeout 90;
            proxy_send_timeout 90;
            proxy_read_timeout 90;
            proxy_buffer_size 8k;
            proxy_buffers 4 32k;
            proxy_busy_buffers_size 64k; # on a busy system larger proxy_buffers can be requested; the official recommendation is *2
            proxy_temp_file_write_size 64k; # size of the proxy's temporary cache files
        }
        location /_ping {
            auth_basic off;
            proxy_pass http://registry;
        }
        location /v1/_ping {
            auth_basic off;
            proxy_pass http://registry;
        }
    }
}

(6) Validate the configuration

/opt/nginx/sbin/nginx -t

Output:

nginx: the configuration file /opt/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /opt/nginx/conf/nginx.conf test is successful

(7) Start nginx:

/opt/nginx/sbin/nginx

(8) Check that nginx is running:

ps -ef | grep -i 'nginx'

Output like the following means nginx is running normally!

root     27133     1  0 18:58 ?        00:00:00 nginx: master process /opt/nginx/sbin/nginx
www      27134 27133  0 18:58 ?        00:00:00 nginx: worker process
www      27135 27133  0 18:58 ?        00:00:00 nginx: worker process
www      27136 27133  0 18:58 ?        00:00:00 nginx: worker process
www      27137 27133  0 18:58 ?        00:00:00 nginx: worker process
root     27160  4286  0 18:58 pts/0    00:00:00 grep -i nginx


III. Configure and run Docker

(1) Stop docker

service docker stop

(2) Edit the file /etc/sysconfig/docker and add the following line

DOCKER_OPTS="--insecure-registry docker.yy.com --tlsverify --tlscacert /etc/pki/CA/cacert.pem"

(3) Copy the root certificate into the directory /etc/docker/certs.d/docker.yy.com/

mkdir -p /etc/docker/certs.d/docker.yy.com/
cp /etc/pki/CA/cacert.pem /etc/docker/certs.d/docker.yy.com/ca-certificates.crt

(4) Start docker

service docker start


IV. Download, configure and run the registry image

(1) Pull the image

docker pull registry

(2) Run the image

mkdir -p /opt/registry
docker run -d -e STORAGE_PATH=/registry -v /opt/registry:/registry -p 127.0.0.1:5000:5000 --name registry registry

A brief explanation of the command:
-p 127.0.0.1:5000:5000: the registry is only the upstream server, so port 5000 does not need to be exposed externally; all outside access goes through the nginx front end, and nginx reaches the registry on the local/private network.

(3) Verify the registry:

Open https://docker.yy.com in a browser,
or run: curl -i -k https://abc:123@docker.yy.com

That completes the server-side configuration!


V. Docker client configuration

(1) Edit /etc/hosts and add the IP address of docker.yy.com, for example:

192.168.2.114 docker.yy.com

(2) Append the docker registry server's root certificate to the ca-certificates.crt file

First copy the file /etc/pki/CA/cacert.pem from the docker registry server to this machine, then run:

cat ./cacert.pem >> /etc/pki/tls/certs/ca-certificates.crt

(3) Verify the registry at docker.yy.com:

Open https://docker.yy.com in a browser,
or run: curl -i -k https://abc:123@docker.yy.com

(4) Steps for using the private registry:

  • Log in: docker login -u abc -p 123 -e "test@gmail.com" https://docker.yy.com

  • Tag the image with a second name: docker tag centos:centos6 docker.yy.com/centos:centos6

  • Publish: docker push docker.yy.com/centos:centos6


VI. Server side: steps for working with the private registry:

1. Pull the image from the official registry!

docker pull centos:centos6

2. Look up the image id

Run docker images
Output:

root@pts/0# docker images
REPOSITORY          TAG        IMAGE ID       CREATED      VIRTUAL SIZE
centos              centos6    25c5298b1a36   8 days ago   215.8 MB

3. Give the image a tag under the private registry's name

docker tag 25c5298b1a36 docker.yy.com/centos:centos6

4. Push to the private registry

docker push docker.yy.com/centos:centos6

5. List the images

docker images
Output:

root@pts/0# docker images
REPOSITORY             TAG        IMAGE ID       CREATED      VIRTUAL SIZE
centos                 centos6    25c5298b1a36   8 days ago   215.8 MB
docker.yy.com/centos   centos6    25c5298b1a36   8 days ago   215.8 MB

VII. Client side: steps for working with the private registry:

1. Pull the image from the private registry!

docker pull docker.yy.com/centos:centos6

2. List the images

docker images
Output:

root@pts/0# docker images
REPOSITORY             TAG        IMAGE ID       CREATED      VIRTUAL SIZE
docker.yy.com/centos   centos6    25c5298b1a36   8 days ago   215.8 MB


Appendix:

(1) Drawbacks:

The server side can log in to the official Docker Hub and can pull from and push to both the official and the private registry!
The client side can only work with the private registry that was set up!
The private registry cannot be searched!

(2) Advantages:

All build, pull and push operations can only be performed on the private registry's server side, which reduces the risk to the enterprise!

(3) If, on the client, docker login to the official site https://index.docker.io/v1/ fails with the error x509: certificate signed by unknown authority:

Rename the root certificate bundle: mv /etc/pki/tls/certs/ca-certificates.crt /etc/pki/tls/certs/ca-certificates.crt.bak
Then restart the docker service: service docker restart