当前位置: 移动技术网 > 科技>操作系统>windows > 搭建Docker私有仓库的详细教程

搭建Docker私有仓库的详细教程

2018年03月05日  | 移动技术网科技  | 我要评论

1.docker registry 说明
本文记录的个人完整搭建docker registry操作过程,官方虽然提供了作为一个公开的集中仓库,但是天朝的网络可想而知,第一次pull一个镜像不是失败就是时间很长,为了解决这个问题需要创建一个私有的仓库在本地pull 本地push。我使用的docker版本是:1.5.0

2、安装docker-registry


复制代码
代码如下:
docker run -d -e settings_flavor=dev -e storage_path=/tmp/registry -v /alidata/registry:/tmp/registry -p 5000:5000 registry

# 如果本地没有下载过docker-registry,则首次会pull registry 运行时会映射路径和端口,以后就可以从/data/registry下找到私有仓库

3、客户端上的操作
#从本地仓库上获取有哪些镜像
 

复制代码
代码如下:
curl -x get http://registry.wpython.com:5000/v1/search

curl http://registry.wpython.com:5000/v1/search
{"num_results": 1, "query": "", "results": [{"description": "", "name": "library/centos6"}]}

# 拉取到本地
 

复制代码
代码如下:
docker pull library/centos6

# tag 一个镜像
 

复制代码
代码如下:
docker tag 8552ea9a16f9 registry.wpython.com:5000/centos6_x86_64.mini

# 将新的docker images push 到本地仓库
 

复制代码
代码如下:
docker push registry.wpython.com:5000/centos6_x86_64.mini

4、加入nginx认证
docker 启动监听端口后,使用的是 http,可以远程来管理 docker 主机。
这样的场景存在弊端,api 层面是没有提供用户验证、token 之类身份验证功能,任何人都可以通过地址加端口来控制 docker 主机,为了避免这样的情况发生,docker 官方也支持 https 方式,不过需要我们自己来生成证书。
新版本的docker 也强制必须使用https否则会报错

# 安装nginx过程略
创建一个登陆用户(如果没有htpasswd命令 请安装httpd-tools这个包)

 

复制代码
代码如下:
htpasswd -c /alidata/server/nginx/docker-registry.htpasswd admin
new password:
re-type new password:
adding password for user admin

# 生成根密钥
 

复制代码
代码如下:
cd /etc/pki/ca/
openssl genrsa -out private/cakey.pem 2048

# 生成根证书
 

复制代码
代码如下:
openssl req -new -x509 -key private/cakey.pem -out cacert.pem

country name (2 letter code) [au]:cn
state or province name (full name) [some-state]:brijing
locality name (eg, city) []:chaoyang
organization name (eg, company) [internet widgits pty ltd]:
organizational unit name (eg, section) []:
common name (e.g. server fqdn or your name) []:registry.wpython.com
email address []:

# 为nginx服务器生成ssl密钥
 

复制代码
代码如下:
cd /alidata/server/nginx/ssl
openssl genrsa -out nginx.key 2048

# 为nginx生成的证书签署请求
 

复制代码
代码如下:
openssl req -new -key nginx.key -out nginx.csr

you are about to be asked to enter information that will be incorporated
into your certificate request.
what you are about to enter is what is called a distinguished name or a dn.
there are quite a few fields but you can leave some blank
for some fields there will be a default value,
if you enter '.', the field will be left blank.
-----
country name (2 letter code) [au]:cn
state or province name (full name) [some-state]:beijing
locality name (eg, city) []:chaoyang
organization name (eg, company) [internet widgits pty ltd]:
organizational unit name (eg, section) []:
common name (e.g. server fqdn or your name) []:registry.wpython.com
email address []:
 
please enter the following 'extra' attributes
to be sent with your certificate request
a challenge password []:
an optional company name []:

# 私有ca根据请求来签发证书
 

复制代码
代码如下:
openssl ca -in nginx.csr -out nginx.crt

 
 
# 如果报如下错误:
using configuration from /usr/local/ssl/openssl.cnf
/etc/pki/ca/index.txt: no such file or directory
unable to open '/etc/pki/ca/index.txt'
140137408210600:error:02001002:system library:fopen:no such file or directory:bss_file.c:398:fopen('/etc/pki/ca/index.txt','r')
140137408210600:error:20074002:bio routines:file_ctrl:system lib:bss_file.c:400:
 
# 执行以下命令

复制代码
代码如下:
cd /etc/pki/ca/
mkdir newcerts
touch index.txt
touch serial
echo 01 > serial
cd -

openssl ca -in nginx.csr -out nginx.crt

 
using configuration from /usr/local/ssl/openssl.cnf
check that the request matches the signature
signature ok
certificate details:
        serial number: 1 (0x1)
        validity
            not before: may 12 04:15:08 2015 gmt
            not after : may 11 04:15:08 2016 gmt
        subject:
            countryname               = cn
            stateorprovincename       = beijing
            organizationname          = internet widgits pty ltd
            commonname                = registry.wpython.com
            emailaddress              = 739827282@qq.com
        x509v3 extensions:
            x509v3 basic constraints:
                ca:false
            netscape comment:
                openssl generated certificate
            x509v3 subject key identifier:
                b5:20:c7:47:26:d9:26:54:12:f7:36:7e:4e:3a:f0:d9:0e:2c:f7:bd
            x509v3 authority key identifier:
                keyid:93:f7:86:72:1b:2b:24:cd:af:24:ef:53:f4:e1:fa:ec:e7:70:1a:90
 
certificate is to be certified until may 11 04:15:08 2016 gmt (365 days)
sign the certificate? [y/n]:y
 
 
1 out of 1 certificate requests certified, commit? [y/n]y
write out database with 1 new entries
data base updated

# 发现根证书
 


复制代码
代码如下:
# cp /etc/pki/tls/certs/ca-bundle.crt{,.bak} 备份以防出错
# cat /etc/pki/ca/cacert.pem >> /etc/pki/tls/certs/ca-bundle.crt

# 创建nginx配置文件
 

复制代码
代码如下:
# vi /alidata/server/nginx/conf/vhosts/www.wpython.com.conf
upstream docker-registry {

server localhost:5000;
}

server {
listen 8080;
server_name registry.wpython.com;

# enabled ssl
ssl on;
ssl_certificate /alidata/server/nginx/ssl/nginx.crt;
ssl_certificate_key /alidata/server/nginx/ssl/nginx.key;

proxy_set_header host $http_host;
proxy_set_header x-real-ip $remote_addr;
client_max_body_size 0;
chunked_transfer_encoding on;

location / {

auth_basic "restricted";
auth_basic_user_file docker-registry.htpasswd;
proxy_pass http://docker-registry;

}

location /_ping {

auth_basic off;
proxy_pass http://docker-registry;

}

location /v1/_ping {
auth_basic off;
proxy_pass http://docker-registry;
}
}

# 完成测试

 

复制代码
代码如下:
# docker login https://registry.wpython.com:8080
username: admin
password:
email: 739827282@qq.com
login succeeded

您可能感兴趣的文章:

如对本文有疑问, 点击进行留言回复!!

相关文章:

验证码:
最近更新的文章
大家感兴趣的文章
移动技术网