当前位置:16教程网 > 网页设计 > DIV+CSS教程 >

搭建Docker私有仓库的详细教程
栏目分类:DIV+CSS教程   发布日期:2016-09-18   浏览次数:次   发布:www.16jiaocheng.com

本文记录的个人完整搭建docker registry操作过程,官方虽然提供了Docker Hub作为一个公开的集中仓库,但是天朝的网络可想而知,第一次pull一个镜像不是失败就是时间很长,为了解决这个问题需要创建一个私有的仓库在本地pull 本地push。
1.Docker registry 说明

  本文记录的个人完整搭建docker registry操作过程,官方虽然提供了Docker Hub作为一个公开的集中仓库,但是天朝的网络可想而知,第一次pull一个镜像不是失败就是时间很长,为了解决这个问题需要创建一个私有的仓库在本地pull 本地push。我使用的docker版本是:1.5.0

  2、安装docker-registry

  代码如下:

  docker run -d -e SETTINGS_FLAVOR=dev -e STORAGE_PATH=/tmp/registry -v /alidata/registry:/tmp/registry -p 5000:5000 registry

  # 如果本地没有下载过docker-registry,则首次会pull registry 运行时会映射路径和端口,以后就可以从/data/registry下找到私有仓库

  3、客户端上的操作

  #从本地仓库上获取有哪些镜像

  代码如下:

  curl -X GET http://registry.wpython.com:5000/v1/search

  curl http://registry.wpython.com:5000/v1/search

  {"num_results": 1, "query": "", "results": [{"description": "", "name": "library/centos6"}]}

  # 拉取到本地

  代码如下:

  docker pull library/centos6

  # tag 一个镜像

  代码如下:

  docker tag 8552ea9a16f9 registry.wpython.com:5000/centos6_x86_64.mini

  # 将新的docker images push 到本地仓库

  代码如下:

  docker push registry.wpython.com:5000/centos6_x86_64.mini

  4、加入nginx认证

  Docker 启动监听端口后,使用的是 http,可以远程来管理 Docker 主机。

  这样的场景存在弊端,API 层面是没有提供用户验证、Token 之类身份验证功能,任何人都可以通过地址加端口来控制 Docker 主机,为了避免这样的情况发生,Docker 官方也支持 https 方式,不过需要我们自己来生成证书。

  新版本的docker 也强制必须使用https否则会报错

  # 安装nginx过程略

  创建一个登陆用户(如果没有htpasswd命令 请安装httpd-tools这个包)

  代码如下:

  htpasswd -c /alidata/server/nginx/docker-registry.htpasswd admin

  New password:

  Re-type new password:

  Adding password for user admin

  # 生成根密钥

  代码如下:

  cd /etc/pki/CA/

  openssl genrsa -out private/cakey.pem 2048

  # 生成根证书

  代码如下:

  openssl req -new -x509 -key private/cakey.pem -out cacert.pem

  Country Name (2 letter code) [AU]:CN

  State or Province Name (full name) [Some-State]:Brijing

  Locality Name (eg, city) []:Chaoyang

  Organization Name (eg, company) [Internet Widgits Pty Ltd]:

  Organizational Unit Name (eg, section) []:

  Common Name (e.g. server FQDN or YOUR name) []:registry.wpython.com

  Email Address []:

  # 为nginx服务器生成ssl密钥

  代码如下:

  cd /alidata/server/nginx/ssl

  openssl genrsa -out nginx.key 2048

  # 为nginx生成的证书签署请求

  代码如下:

  openssl req -new -key nginx.key -out nginx.csr

  You are about to be asked to enter information that will be incorporated

  into your certificate request.

  What you are about to enter is what is called a Distinguished Name or a DN.

  There are quite a few fields but you can leave some blank

  For some fields there will be a default value,

  If you enter '.', the field will be left blank.

  -----

  Country Name (2 letter code) [AU]:CN

  State or Province Name (full name) [Some-State]:Beijing

  Locality Name (eg, city) []:Chaoyang

  Organization Name (eg, company) [Internet Widgits Pty Ltd]:

  Organizational Unit Name (eg, section) []:

  Common Name (e.g. server FQDN or YOUR name) []:registry.wpython.com

  Email Address []:

  Please enter the following 'extra' attributes

  to be sent with your certificate request

  A challenge password []:

  An optional company name []:

  # 私有CA根据请求来签发证书

  代码如下:

  openssl ca -in nginx.csr -out nginx.crt

  # 如果报如下错误:

  Using configuration from /usr/local/ssl/openssl.cnf

  /etc/pki/CA/index.txt: No such file or directory

  unable to open '/etc/pki/CA/index.txt'

  140137408210600:error:02001002:system library:fopen:No such file or directory:bss_file.c:398:fopen('/etc/pki/CA/index.txt','r')

  140137408210600:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:400:

  # 执行以下命令

  代码如下:

  cd /etc/pki/CA/

  mkdir newcerts

  touch index.txt

  touch serial

  echo 01 > serial

  cd -

  openssl ca -in nginx.csr -out nginx.crt

  Using configuration from /usr/local/ssl/openssl.cnf

  Check that the request matches the signature

  Signature ok

  Certificate Details:

  Serial Number: 1 (0x1)

  Validity

  Not Before: May 12 04:15:08 2015 GMT

  Not After : May 11 04:15:08 2016 GMT

  Subject:

  countryName = CN

  stateOrProvinceName = Beijing

  organizationName = Internet Widgits Pty Ltd

  commonName = registry.wpython.com

  emailAddress = 739827282@qq.com

  X509v3 extensions:

  X509v3 Basic Constraints:

  CA:FALSE

  Netscape Comment:

  OpenSSL Generated Certificate

  X509v3 Subject Key Identifier:

  B5:20:C7:47:26:D9:26:54:12:F7:36:7E:4E:3A:F0:D9:0E:2C:F7:BD

  X509v3 Authority Key Identifier:

  keyid:93:F7:86:72:1B:2B:24:CD:AF:24:EF:53:F4:E1:FA:EC:E7:70:1A:90

  Certificate is to be certified until May 11 04:15:08 2016 GMT (365 days)

  Sign the certificate? [y/n]:y

  1 out of 1 certificate requests certified, commit? [y/n]y

  Write out database with 1 new entries

  Data Base Updated

  # 发现根证书

  代码如下:

  # cp /etc/pki/tls/certs/ca-bundle.crt{,.bak} 备份以防出错

  # cat /etc/pki/CA/cacert.pem >> /etc/pki/tls/certs/ca-bundle.crt

  # 创建nginx配置文件

  代码如下:

  # vi /alidata/server/nginx/conf/vhosts/www.wpython.com.conf

  upstream docker-registry {

  server localhost:5000;

  }

  server {

  listen 8080;

  server_name registry.wpython.com;

  # enabled ssl

  ssl on;

  ssl_certificate /alidata/server/nginx/ssl/nginx.crt;

  ssl_certificate_key /alidata/server/nginx/ssl/nginx.key;

  proxy_set_header Host $http_host;

  proxy_set_header X-Real-IP $remote_addr;

  client_max_body_size 0;

  chunked_transfer_encoding on;

  location / {

  auth_basic "Restricted";

  auth_basic_user_file docker-registry.htpasswd;

  proxy_pass http://docker-registry;

  }

  location /_ping {

  auth_basic off;

  proxy_pass http://docker-registry;

  }

  location /v1/_ping {

  auth_basic off;

  proxy_pass http://docker-registry;

  }

  }

  # 完成测试

  代码如下:

  # docker login https://registry.wpython.com:8080

  Username: admin

  Password:

  Email: 739827282@qq.com

  Login Succeeded

相关热词: Docker私有仓库

Copyright © 2002-2016 16教程网 版权所有     
电脑教程 Office教程 平面设计 PS教程 室内设计 网页设计