Setting up a Docker Registry V2 behind nginx
1 Environment
Two CentOS 7 64-bit machines
Docker version
Client:
 Version: 1.8.2
 API version: 1.20
 Package Version: docker-1.8.2-7.el7.centos.x86_64
 Go version: go1.4.2
 Git commit: bb472f0/1.8.2
 Built:
 OS/Arch: linux/amd64
Server:
 Version: 1.8.2
 API version: 1.20
 Package Version:
 Go version: go1.4.2
 Git commit: bb472f0/1.8.2
 Built:
 OS/Arch: linux/amd64
Registry 2.0
Registry server (hosts the images): 192.168.33.75
Registry client (Docker host used for testing): 192.168.153.86
2 Setup
On the registry server (192.168.33.75)
2.1 Install the required packages
# yum install gcc make pcre-devel pcre openssl-devel httpd-tools -y
pcre and pcre-devel are needed to build nginx.
openssl-devel is needed to build nginx with the ssl module; the openssl command used below to create the keys and certificates comes from the openssl package, which CentOS installs by default.
httpd-tools provides htpasswd, used to create the nginx basic-auth user file.
2.2 Edit /etc/hosts and add the registry name
# vim /etc/hosts
192.168.33.75 dockertest.xxxx.com
2.3 Generate the CA key and root certificate
First check whether /etc/pki/CA already contains
cacert.pem index.txt index.txt.attr index.txt.old serial serial.old
If it does, delete them all, then
# cd /etc/pki/CA/
Generate the CA private key. Whoever holds this file can issue certificates that every Docker host configured in sections 4 and 5 will trust, so keep it readable by root only:
# openssl genrsa -out private/cakey.pem 2048
# chmod 600 private/cakey.pem
Generate the self-signed root certificate. Without -days, openssl req -x509 issues a certificate valid for only 30 days, so set the validity explicitly:
# openssl req -new -x509 -days 3650 -key private/cakey.pem -out cacert.pem
The prompts look like this; the fields that matter are discussed below:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:beijing
Organization Name (eg, company) [Default Company Ltd]:beijing
Organizational Unit Name (eg, section) []:beijing
Common Name (eg, your name or your server's hostname) []:dockertest.xxxx.com
Email Address []:[email protected]
The Common Name is the CA's own name. The author reused the registry's domain name here; nothing checks the CA's name against the hostname, and a distinct name such as "xxxx registry CA" is easier to recognise in certificate listings and error messages. Note the Country, State/Province and Organization you enter: the default signing policy in /etc/pki/tls/openssl.cnf (policy_match) requires the server certificate request in 2.4 to carry the same values. The Email Address is optional.
The self-signed CA certificate is now at /etc/pki/CA/cacert.pem.
2.4 Generate the TLS key and certificate for nginx
# mkdir -p /usr/local/nginx/ssl
# cd /usr/local/nginx/ssl
# openssl genrsa -out nginx.key 2048
# chmod 600 nginx.key
Create a certificate signing request for nginx:
# openssl req -new -key nginx.key -out nginx.csr
The prompts again; the fields that matter are discussed below:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:beijing
Organization Name (eg, company) [Default Company Ltd]:beijing
Organizational Unit Name (eg, section) []:beijing
Common Name (eg, your name or your server's hostname) []:dockertest.xxxx.com
Email Address []:[email protected]
A challenge password []:
An optional company name []:
Country, State/Province and Organization must be exactly what was entered for the CA in 2.3, otherwise openssl ca refuses to sign under the default policy_match. The Common Name must be the registry's domain name, dockertest.xxxx.com, because that is the name the Docker client verifies the certificate against. Leave the challenge password blank.
Have the private CA sign the request (index.txt and serial are the CA's issuance database):
# touch /etc/pki/CA/index.txt
# touch /etc/pki/CA/serial
# echo 00 > /etc/pki/CA/serial
# openssl ca -in nginx.csr -out nginx.crt
The certificate produced this way carries only a Common Name and no Subject Alternative Name. Docker 1.8 (built with Go 1.4) accepts that, but Go 1.15 and later, and with it every current Docker release, match the hostname against the SAN only. For a new deployment add one when signing, for example:
# printf '[san]\nbasicConstraints=CA:FALSE\nsubjectAltName=DNS:dockertest.xxxx.com\n' > san.cnf
# openssl ca -in nginx.csr -out nginx.crt -extfile san.cnf -extensions san
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
 Serial Number: 1 (0x1)
 Validity
  Not Before: Jan 11 06:04:22 2016 GMT
  Not After : Jan 10 06:04:22 2017 GMT
 Subject:
  countryName = CN
  stateOrProvinceName = beijing
  organizationName = beijing
  organizationalUnitName = beijing
  commonName = dockertest.xxxx.com
  emailAddress = [email protected]
 X509v3 extensions:
  X509v3 Basic Constraints:
   CA:FALSE
  Netscape Comment:
   OpenSSL Generated Certificate
  X509v3 Subject Key Identifier:
   80:2C:A4:5D:55:92:2E:E0:38:26:9A:A0:F2:7E:29:6A:24:3D:FE:DF
  X509v3 Authority Key Identifier:
   keyid:60:BE:EA:F3:43:79:DC:46:D3:A2:00:2A:2E:8A:D6:10:93:5C:54:59
Certificate is to be certified until Jan 10 06:04:22 2017 GMT (365 days)
Sign the certificate? [y/n]:y
Answer y to confirm. Note the one-year validity (default_days in openssl.cnf): the server certificate has to be reissued before it expires, or every docker login and pull against the registry starts failing with a certificate error.
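As an added example (not part of the original article, and not the openssl tool's or Docker's own code), the Go program below does in code what sections 2.3 and 2.4 do with openssl: it builds a private CA, signs a leaf certificate for dockertest.xxxx.com with it, and then runs the check the Docker daemon performs against the name it dials, using only the standard library Docker itself is built from. It goes one step beyond the article: the leaf is built both with and without a Subject Alternative Name, and VerifyServer shows that the CN-only certificate the openssl commands produce is rejected by Go 1.15 and later (so by any current docker client), while the Go 1.4 that Docker 1.8.2 was built with still accepted it. The names NewChain, VerifyServer and the CA's Common Name are mine; the keys are ECDSA P-256 instead of the article's RSA 2048 and the serial numbers are fixed, neither of which changes the verification.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// RegistryHost is the name the Docker daemon dials and checks the leaf against.
const RegistryHost = "dockertest.xxxx.com"

// Chain is what sections 2.3 and 2.4 leave on disk, PEM-encoded.
type Chain struct {
	CACertPEM, ServerCertPEM []byte
}

func pemBlock(typ string, der []byte) []byte {
	return pem.EncodeToMemory(&pem.Block{Type: typ, Bytes: der})
}

// NewChain builds a private CA (10 years) and a leaf for RegistryHost signed by
// it (1 year, serverAuth); withSAN adds a DNS Subject Alternative Name, which the
// openssl commands above do not. ECDSA P-256 keys and fixed serials are demo shortcuts.
func NewChain(withSAN bool) (*Chain, error) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "xxxx registry CA"}, // assumed CA name
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().AddDate(10, 0, 0),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	caCert, err := x509.ParseCertificate(caDER)
	if err != nil {
		return nil, err
	}
	srvKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	srvTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: RegistryHost}, // what the CSR in 2.4 carries
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().AddDate(1, 0, 0),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	if withSAN {
		srvTmpl.DNSNames = []string{RegistryHost}
	}
	srvDER, err := x509.CreateCertificate(rand.Reader, srvTmpl, caCert, &srvKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return &Chain{CACertPEM: pemBlock("CERTIFICATE", caDER), ServerCertPEM: pemBlock("CERTIFICATE", srvDER)}, nil
}

// VerifyServer is the check the daemon makes once the CA certificate sits in
// /etc/docker/certs.d/<host>/: trust only that CA and require the leaf to be
// valid for the hostname being dialled.
func VerifyServer(c *Chain, host string) error {
	roots := x509.NewCertPool()
	if !roots.AppendCertsFromPEM(c.CACertPEM) {
		return fmt.Errorf("no CA certificate found in PEM")
	}
	block, _ := pem.Decode(c.ServerCertPEM)
	if block == nil {
		return fmt.Errorf("no server certificate found in PEM")
	}
	leaf, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return err
	}
	_, err = leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

func main() {
	for _, san := range []bool{true, false} {
		if c, err := NewChain(san); err == nil {
			fmt.Printf("SAN=%v verify for %s: %v\n", san, RegistryHost, VerifyServer(c, RegistryHost))
		}
	}
}
```

Run it with go run: the SAN variant verifies, the CN-only variant fails with a hostname error. The same verification rejects the SAN certificate for any other hostname, which is why the Common Name and, for current clients, the SAN must be exactly the name the docker client is given.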
3 Install and configure nginx
3.1 Install nginx
nginx must be 1.7.5 or newer: the always parameter of add_header, which the configuration below depends on, was introduced in 1.7.5. Version 1.8.0 is used here.
# tar zxvf nginx-1.8.0.tar.gz
# cd nginx-1.8.0
# mkdir /usr/local/nginx
# ./configure --prefix=/usr/local/nginx --with-http_ssl_module --with-http_stub_status_module --with-pcre --with-http_addition_module --with-http_realip_module --with-http_flv_module
# make && make install
3.2 Create the htpasswd file
# htpasswd -cb /usr/local/nginx/conf/.htpasswd admin admin
This creates the user admin with password admin, which is what you log in to the private registry with. admin/admin is acceptable only on an isolated lab network: the registry accepts pushes, so anyone who guesses this password can replace the images your hosts run. Use a strong password and drop -b so that htpasswd prompts for it instead of recording it in the shell history. -c creates the file; omit it when adding further users or the file is overwritten.
3.3 Configure nginx
# cd /usr/local/nginx/conf/
# cp nginx.conf nginx.conf.bak
# vim nginx.conf
user nobody nobody;    # the original ran the workers as root; nothing here needs it (the master still binds 443 as root)
worker_processes auto;
error_log logs/error.log;
#error_log logs/error.log notice;
#error_log logs/error.log info;
pid logs/nginx.pid;
worker_rlimit_nofile 51200;
events {
    use epoll;
    worker_connections 51200;
    multi_accept on;
}
http {
    include mime.types;
    default_type application/octet-stream;
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';
    access_log logs/access.log main;
    server_names_hash_bucket_size 128;
    client_header_buffer_size 32k;
    large_client_header_buffers 4 32k;
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    #keepalive_timeout 0;
    keepalive_timeout 65;
    #gzip on;
    upstream registry {
        server 127.0.0.1:5000;
    }
    server {
        listen 443 ssl;
        server_name dockertest.xxxx.com;
        # docker probes GET /v2/ and looks for this header to recognise a v2 registry;
        # "always" (nginx >= 1.7.5) puts it on the 401 that nginx itself returns for
        # the unauthenticated probe
        add_header Docker-Distribution-Api-Version registry/2.0 always;
        ssl_certificate /usr/local/nginx/ssl/nginx.crt;        # location of the crt
        ssl_certificate_key /usr/local/nginx/ssl/nginx.key;    # location of the key
        client_max_body_size 0;          # image layers are large: never answer 413
        chunked_transfer_encoding on;    # the docker client streams layers with chunked encoding
        location / {
            auth_basic "registry";
            auth_basic_user_file /usr/local/nginx/conf/.htpasswd;    # location of the htpasswd file
            proxy_pass http://registry;
            proxy_set_header Host $http_host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-Proto $scheme;    # lets the registry build https:// upload URLs
            proxy_set_header Authorization "";             # the registry does no auth of its own; do not hand it the credentials
            client_body_buffer_size 128k;
            proxy_connect_timeout 90;
            proxy_send_timeout 90;
            proxy_read_timeout 90;
            proxy_buffer_size 8k;
            proxy_buffers 4 32k;
            proxy_busy_buffers_size 64k;      # under load proxy_buffers can be raised; nginx recommends twice the buffer size
            proxy_temp_file_write_size 64k;   # size of the proxy's temporary buffer files
        }
        # v1 ping endpoints, left unauthenticated as in the original; registry:2 answers them with 404
        location /_ping {
            auth_basic off;
            proxy_pass http://registry;
        }
        location /v1/_ping {
            auth_basic off;
            proxy_pass http://registry;
        }
    }
}
Three directives deserve attention.

add_header Docker-Distribution-Api-Version registry/2.0 always; is required; without it the private registry cannot be used over https at all. The Docker client decides that an endpoint is a v2 registry by sending GET /v2/ without credentials and checking for this header on the reply. That reply is a 401 generated by nginx's auth_basic, not by the registry, so the registry's own copy of the header never reaches the client. nginx has to add it, and because add_header without always applies only to 2xx and 3xx responses, always is what gets it onto the 401.

proxy_set_header Host $http_host; is where pushes go wrong. The author found that with this line present, docker login succeeded but docker push failed with:
The push refers to a repository [dockertest.xxxx.com/ubuntu_v1] (len: 1)
af88597ec24b: Pushing
dial tcp 192.168.33.75:80: connection refused
and that commenting the line out made the push work. The cause is how the registry builds the Location URL it returns when a layer upload starts: it takes the host from the Host header it receives and the scheme from X-Forwarded-Proto, falling back to http because nginx talks to it over plain HTTP. With Host forwarded and nothing else, the Location becomes http://dockertest.xxxx.com/v2/..., and the client obediently dials port 80, where nothing listens. With Host not forwarded, the registry sees the upstream name (registry) instead, which is the setup the author ran. The configuration above follows the official registry nginx recipe instead: forward Host and also set X-Forwarded-Proto $scheme, so the registry emits https:// URLs and the upload continues through nginx on 443. (See the nginx documentation for proxy_set_header for the details of how these headers are passed.)

proxy_set_header Authorization ""; strips the basic-auth credentials before the request reaches the registry, which has no authentication of its own and does not need them.
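The two failure modes above can be reproduced offline. The Go program below is an added example, not code from the original article and not nginx's or the registry's own code: it stands a basic-auth reverse proxy (the nginx stand-in) and a minimal handler for registry:2 up on loopback, then performs the two requests the docker client makes, the unauthenticated GET /v2/ probe and the authenticated POST that starts a layer upload. The Location logic is a simplified reimplementation of the registry's URL builder (scheme from X-Forwarded-Proto, host from the Host header); TLS termination is simulated, the upload id is a constructed constant, and the NginxConfig field names are mine. Without always the proxy's own 401 carries no Docker-Distribution-Api-Version header, and with Host forwarded but no X-Forwarded-Proto the Location is an http:// URL on port 80, exactly the dial target in the author's error.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/http/httputil"
	"net/url"
)

const (
	apiVersionHeader = "Docker-Distribution-Api-Version"
	registryHost     = "dockertest.xxxx.com" // hostname used in the article
	uploadPath       = "/v2/centos_test_v12/blobs/uploads/"
	uploadID         = "demo-upload-id" // constructed; registry:2 issues a UUID here
)

// registryHandler stands in for registry:2 upstream. Like distribution's URL builder it
// takes the Location scheme from X-Forwarded-Proto (else "http", the scheme of the
// nginx -> registry hop) and the host from the Host header it receives.
func registryHandler(w http.ResponseWriter, r *http.Request) {
	if r.Method != http.MethodPost || r.URL.Path != uploadPath {
		http.NotFound(w, r)
		return
	}
	scheme := r.Header.Get("X-Forwarded-Proto")
	if scheme == "" {
		scheme = "http"
	}
	w.Header().Set(apiVersionHeader, "registry/2.0")
	w.Header().Set("Location", scheme+"://"+r.Host+r.URL.Path+uploadID)
	w.WriteHeader(http.StatusAccepted)
}

type NginxConfig struct { // field names are mine; each models one directive from the config above
	HeaderAlways bool // add_header Docker-Distribution-Api-Version ... always;
	ForwardHost  bool // proxy_set_header Host $http_host;
	ForwardProto bool // proxy_set_header X-Forwarded-Proto $scheme;
	User, Pass   string
}

// newFrontend is the nginx stand-in: auth_basic, then proxy_pass. TLS is not terminated
// here, so ForwardProto supplies the "https" that $scheme would carry on the real listener.
func newFrontend(cfg NginxConfig, upstream *url.URL) http.Handler {
	proxy := httputil.NewSingleHostReverseProxy(upstream)
	director := proxy.Director
	proxy.Director = func(req *http.Request) {
		director(req) // points req.URL at the upstream and keeps req.Host as received
		if !cfg.ForwardHost {
			req.Host = upstream.Host // nginx default: Host: $proxy_host
		}
		if cfg.ForwardProto {
			req.Header.Set("X-Forwarded-Proto", "https")
		}
		req.Header.Del("Authorization") // proxy_set_header Authorization "";
	}
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if u, p, ok := r.BasicAuth(); !ok || u != cfg.User || p != cfg.Pass {
			// nginx generates this 401 itself, so the registry's header never reaches
			// the client; add_header applies only to 2xx/3xx unless "always" is set.
			if cfg.HeaderAlways {
				w.Header().Set(apiVersionHeader, "registry/2.0")
			}
			http.Error(w, "401 Authorization Required", http.StatusUnauthorized)
			return
		}
		proxy.ServeHTTP(w, r)
	})
}

// Run stands both servers up on loopback and does what the docker client does: an
// unauthenticated GET /v2/ probe, then an authenticated POST that starts a layer upload.
func Run(cfg NginxConfig) (isV2 bool, location string, err error) {
	reg := httptest.NewServer(http.HandlerFunc(registryHandler))
	defer reg.Close()
	up, _ := url.Parse(reg.URL) // httptest URLs always parse
	front := httptest.NewServer(newFrontend(cfg, up))
	defer front.Close()
	probe, err := http.Get(front.URL + "/v2/")
	if err != nil {
		return false, "", err
	}
	probe.Body.Close()
	isV2 = probe.Header.Get(apiVersionHeader) == "registry/2.0"
	req, _ := http.NewRequest(http.MethodPost, front.URL+uploadPath, nil)
	req.Host = registryHost // the docker client sends the registry's name; nginx sees it as $http_host
	req.SetBasicAuth(cfg.User, cfg.Pass)
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return isV2, "", err
	}
	resp.Body.Close()
	if resp.StatusCode != http.StatusAccepted {
		return isV2, "", fmt.Errorf("upload start: HTTP %d", resp.StatusCode)
	}
	return isV2, resp.Header.Get("Location"), nil
}

func main() {
	isV2, loc, err := Run(NginxConfig{ForwardHost: true, User: "admin", Pass: "admin"}) // the author's failing variant
	fmt.Println(isV2, loc, err)
}
```

Flip HeaderAlways and ForwardProto to true in main to see the recipe configuration: the probe then sees the header and the Location starts with https://dockertest.xxxx.com, so the upload goes back through the TLS listener.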
3.4 Check the configuration
# /usr/local/nginx/sbin/nginx -t
If it reports no errors, start nginx:
# /usr/local/nginx/sbin/nginx
4 Set up the Docker Registry V2
4.1 Change the Docker daemon configuration
# systemctl stop docker
# vim /etc/sysconfig/docker
OPTIONS='--selinux-enabled --insecure-registry dockertest.xxxx.com'
Add --insecure-registry dockertest.xxxx.com, where the name is the private registry's domain, the same one used as the certificate's Common Name above. Be aware of what the flag does: for that host the daemon accepts a certificate it cannot verify and falls back to plain HTTP if HTTPS fails, so it throws away exactly the protection the private CA provides and lets anyone on the network path serve substituted images. Treat it as a debugging aid and remove it once the CA certificate is installed as follows.
Install the CA certificate for the daemon. Docker looks for *.crt files in /etc/docker/certs.d/<registry host>/, so the directory must be named after the registry hostname (the original used hc.docker.io here, which does not match dockertest.xxxx.com and would be ignored):
# mkdir -p /etc/docker/certs.d/dockertest.xxxx.com
# cp /etc/pki/CA/cacert.pem /etc/docker/certs.d/dockertest.xxxx.com/ca.crt
The original also added the CA to the system bundle, which makes curl trust it too:
# cat /etc/pki/CA/cacert.pem >> /etc/pki/tls/certs/ca-bundle.crt
Appending to ca-bundle.crt lasts only until update-ca-trust regenerates it; the durable way on CentOS 7 is to copy cacert.pem to /etc/pki/ca-trust/source/anchors/ and run update-ca-trust.
# systemctl restart docker
Registry configuration. Write config.yml in the working directory (indentation matters):
# vim config.yml
version: 0.1
log:
  level: debug
  formatter: text
  fields:
    service: registry
    environment: staging
storage:
  delete:
    enabled: true
  cache:
    layerinfo: inmemory
  filesystem:
    rootdirectory: /var/lib/registry
http:
  addr: :5000
  secret: admin
http.secret is the key the registry uses to sign the upload state it hands back to clients; admin is a poor choice. Generate a random value with openssl rand -hex 32 and use that instead. log.level: debug is useful while setting up and noisy afterwards.
# mkdir data
# docker run -d -p 127.0.0.1:5000:5000 --restart=always --name registry -v `pwd`/config.yml:/etc/docker/registry/config.yml -v `pwd`/data:/var/lib/registry registry:2
The original published the port as -p 5000:5000. That binds it on every interface, and since the registry itself does no authentication, anyone who can reach 192.168.33.75:5000 can pull and push without a password, bypassing nginx entirely. Binding to 127.0.0.1 leaves the nginx upstream (127.0.0.1:5000) as the only way in.
4.2 Verify
# curl https://admin:admin@dockertest.xxxx.com/v2/
should return {}. (curl trusts the certificate because the CA was appended to the system bundle above; otherwise add --cacert /etc/pki/CA/cacert.pem.)
Log in:
# docker login https://dockertest.xxxx.com
Username: admin
Password: (admin)
Email: [email protected]
WARNING: login credentials saved in /root/.docker/config.json
Login Succeeded
Take the warning literally: the file holds the password base64-encoded, not encrypted, so protect it like any other credential.
4.3 Push an image to the private registry
Having logged in, test on the registry server itself:
# docker pull centos
# docker images
daocloud.io/centos latest 60e65a8e4030 2 weeks ago 196.6 MB
# docker tag 60e65a8e4030 dockertest.xxxx.com/centos_test_v12
# docker push dockertest.xxxx.com/centos_test_v12
The push refers to a repository [dockertest.xxxx.com/centos_test_v12] (len: 1)
60e65a8e4030: Preparing
838c1c5c4f83: Preparing
60e65a8e4030: Pushed
838c1c5c4f83: Pushed
latest: digest: sha256:3019f69254dcceb22a65859a3a414386ffbdd2908afba1b39e73220845c6cec8 size: 7228
Check the result:
# curl https://admin:admin@dockertest.xxxx.com/v2/_catalog
{"repositories":["centos_test_v12"]}
5 Test from the client
5.1 Install the CA certificate
On the registry server:
# scp /etc/pki/CA/cacert.pem root@192.168.153.86:/root/
On 192.168.153.86 (which must also be able to resolve dockertest.xxxx.com, for example through the same /etc/hosts entry as in 2.2):
# cat /root/cacert.pem >> /etc/pki/tls/certs/ca-bundle.crt
As on the server, the per-registry directory is the cleaner option and survives update-ca-trust:
# mkdir -p /etc/docker/certs.d/dockertest.xxxx.com
# cp /root/cacert.pem /etc/docker/certs.d/dockertest.xxxx.com/ca.crt
# vim /etc/sysconfig/docker
OPTIONS='--selinux-enabled --insecure-registry dockertest.xxxx.com'
The same caveat as in 4.1 applies: with the CA installed, --insecure-registry is not needed, and keeping it disables certificate verification for this registry.
# systemctl restart docker
You may want to reboot the machine: the first time I made these changes I could not log in, and after a reboot it worked, possibly because the certificate had not been loaded.
# docker login https://dockertest.xxxx.com
Username: admin
Password:
Email: [email protected]
WARNING: login credentials saved in /root/.docker/config.json
Login Succeeded
5.2 Verify
Same checks as above. If you can log in and push, things are basically working.