Centos 7中Docker私有倉(cāng)庫(kù)的搭建方法

更新時(shí)間：2017年04月10日 09:53:06 作者：Linux公社

本篇文章主要介紹了Centos 7中Docker私有倉(cāng)庫(kù)的搭建方法，小編覺得挺不錯(cuò)的，現(xiàn)在分享給大家，也給大家做個(gè)參考。一起跟隨小編過來看看吧

系統(tǒng)配置： CentOS 7 內(nèi)核 3.10.0-229.20.1.el7.x86_64 ， Docker version 1.8.2

運(yùn)行 docker registry

執(zhí)行下列命令：

復(fù)制代碼代碼如下:

docker run /     -d /     --name private_registry  --restart=always /     -e SETTINGS_FLAVOUR=dev /     -e STORAGE_PATH=/registry-storage /     -v /data/docker/private-registry/storage:/registry-storage /     -u root /     -p 5000:5000 /     registry:2

如果本地已有registry鏡像，它會(huì)直接運(yùn)行，否則它會(huì)到docker hub共有倉(cāng)庫(kù)下載之后再運(yùn)行， -v /data/docker/private-registry/storage:/registry-storage 該命令將之后私有倉(cāng)庫(kù)的鏡像存放到本地。

之后執(zhí)行：

復(fù)制代碼代碼如下:

docker tag docker.io/docker:1.8 192.168.100.9:5000/docker:1.8  docker push 192.168.100.9:5000/docker:1.8

這時(shí)會(huì)報(bào)很多錯(cuò)誤：

復(fù)制代碼代碼如下:

FATA[0000] Error response from daemon: v1 ping attempt failed with error: Get https://192.168.100.9:5000/v1/_ping: tls: oversized record received with length 20527/. If this private registry supports only HTTP or HTTPS with an unknown CA certificate,please add `--insecure-registry 192.168.100.9:5000` to the daemon's arguments. In the case of HTTPS, if you have access to the registry's CA certificate, no need for the flag; simply place the CA certificate at /etc/docker/certs.d/192.168.100.9:5000/ca.crt

最簡(jiǎn)單的解決方法是修改 /etc/sysconfig/docker 文件添加 INSECURE_REGISTRY='--insecure-registry 192.168.100.9:5000' , Ubuntu 14.04 的配置文件在 /etc/default/docker 在該文件里添加 DOCKER_OPTS="--insecure-registry 192.168.100.9:5000" ，添加過之后重啟 docker ,重新運(yùn)行 docker registry 即可生效。這樣做的缺點(diǎn)是你的私有倉(cāng)庫(kù)不安全，其次，其他要下載或者上傳鏡像的機(jī)器都要修改相應(yīng)的配置文件。

安全的做法是去認(rèn)證機(jī)構(gòu)購(gòu)買簽名證書，在此我們使用自認(rèn)證的方式。

自簽名認(rèn)證

首先執(zhí)行：

復(fù)制代碼代碼如下:

# mkdir -p certs && openssl req /   -newkey rsa:4096 -nodes -sha256 -keyout certs/domain.key /   -x509 -days 365 -out certs/domain.crt  Country Name (2 letter code) [AU]:CN State or Province Name (full name) [Some-State]:Beijing Locality Name (eg, city) []:Beijing Organization Name (eg, company) [Internet Widgits Pty Ltd]:SERCXTYF Organizational Unit Name (eg, section) []:IT Common Name (e.g. server FQDN or YOUR name) []:192.168.100.9:5000 Email Address []:xxx.yyy@ymail.com

生成認(rèn)證證書和密鑰。接下來將剛生成的 certs/domain.crt 復(fù)制到 /etc/docker/certs.d/192.168.100.9:5000/ca.crt ，之后重啟 docker 并運(yùn)行：

復(fù)制代碼代碼如下:

docker run /     -d /     --name private_registry  --restart=always /     -e SETTINGS_FLAVOUR=dev /     -e STORAGE_PATH=/registry-storage /     -v /data/docker/private-registry/storage:/registry-storage /     -u root /     -p 5000:5000 /     -v /root/certs:/certs /     -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt /     -e REGISTRY_HTTP_TLS_KEY=/certs/domain.key /     registry:2

這樣之后應(yīng)該可以成功了吧，于是執(zhí)行：

# docker push 192.168.100.9:5000/docker:1.8

結(jié)果它還是報(bào)錯(cuò)了：

復(fù)制代碼代碼如下:

The push refers to a repository 192.168.100.9:5000/docker:1.8 unable to ping registry endpoint https://192.168.100.9:5000/v0/ v2 ping attempt failed with error: Get https://192.168.100.9:5000/v2/: x509: cannot validate certificate for 192.168.100.9 because it doesn't contain any IP SANs v1 ping attempt failed with error: Get https://192.168.100.9:5000/v1/_ping: x509: cannot validate certificate for 192.168.100.9 because it doesn't contain any IP SANs

解決方法：修改 /etc/pki/tls/openssl.cnf 配置，在該文件中找到 [ v3_ca ] ，在它下面添加如下內(nèi)容：

復(fù)制代碼代碼如下:

[ v3_ca ] # Extensions for a typical CA subjectAltName = IP:123.56.157.144

之后再次重啟docker,并重新 run registry ，啟動(dòng)成功之后，執(zhí)行：

復(fù)制代碼代碼如下:

# docker push 192.168.100.9:5000/docker:1.8  The push refers to a repository [192.168.100.9:5000/docker] (len: 1) 793ab2f3d322: Pushed  e1232be51d09: Pushed  71ef33d4e0e5: Pushed  e9d235d200dc: Pushed  3fb9a265fbfc: Pushed  9f50b4b1f00b: Pushed  413668359dd0: Pushed  da0daae25b21: Pushed  f4fddc471ec2: Pushed  1.8: digest: sha256:28a02a8a50b750a300904b53e802bdf76516d591b2d233ae21cf771b8c776d44 size: 17621

至此，上傳終于成功。換臺(tái)機(jī)器下載剛上傳的鏡像：

復(fù)制代碼代碼如下:

# docker pull 192.168.100.9:5000/docker:1.8 Trying to pull repository 192.168.100.9:5000/docker ... failed unable to ping registry endpoint https://192.168.100.9:5000/v0/ v2 ping attempt failed with error: Get https://192.168.100.9:5000/v2/: x509: certificate signed by unknown authority v1 ping attempt failed with error: Get https://192.168.100.9:5000/v1/_ping: x509: certificate signed by unknown authority

仔細(xì)分析錯(cuò)誤信息，發(fā)現(xiàn)是沒有證書，將在 192.168.100.9 上生成的證書拷貝到相應(yīng)的目錄下 /etc/docker/certs.d/192.168.100.9:5000/ca.crt ，拷貝之后重啟 docker ，再次執(zhí)行:

復(fù)制代碼代碼如下:

# docker pull  192.168.100.9:5000/docker:1.8  1.8: Pulling from docker 9d58b928bc15: Pull complete  dbe7e8a7807c: Pull complete  ce14982b73d4: Pull complete  b9f70905d763: Pull complete  b9c93a2fb3cf: Pull complete  1321a4d5d3ea: Pull complete  5941048a7e27: Pull complete  f57edf7c2e71: Pull complete  5de2ade00f1b: Pull complete  Digest: sha256:28a02a8a50b750a300904b53e802bdf76516d591b2d233ae21cf771b8c776d44 Status: Downloaded newer image for 192.168.100.9:5000/docker:1.8

至此， docker registry 私有倉(cāng)庫(kù)安裝成功。如果要部署到生產(chǎn)環(huán)境還需要進(jìn)一步的配置，具體可以參考Registry Configuration Reference。

以上就是本文的全部?jī)?nèi)容，希望對(duì)大家的學(xué)習(xí)有所幫助，也希望大家多多支持腳本之家。

您可能感興趣的文章: