搭建Docker私有倉(cāng)庫的詳細(xì)教程

小強(qiáng)的博客 發(fā)布時(shí)間：2015-08-18 17:28:41 作者：佚名

這篇文章主要介紹了搭建Docker私有倉(cāng)庫的詳細(xì)教程,主要依靠Docker Registry這個(gè)工具,需要的朋友可以參考下

1.Docker registry 說明
本文記錄的個(gè)人完整搭建docker registry操作過程，官方雖然提供了Docker Hub作為一個(gè)公開的集中倉(cāng)庫，但是天朝的網(wǎng)絡(luò)可想而知，第一次pull一個(gè)鏡像不是失敗就是時(shí)間很長(zhǎng)，為了解決這個(gè)問題需要?jiǎng)?chuàng)建一個(gè)私有的倉(cāng)庫在本地pull 本地push。我使用的docker版本是:1.5.0

2、安裝docker-registry

復(fù)制代碼

代碼如下:

docker run -d -e SETTINGS_FLAVOR=dev -e STORAGE_PATH=/tmp/registry -v /alidata/registry:/tmp/registry -p 5000:5000 registry

# 如果本地沒有下載過docker-registry，則首次會(huì)pull registry 運(yùn)行時(shí)會(huì)映射路徑和端口，以后就可以從/data/registry下找到私有倉(cāng)庫

3、客戶端上的操作
#從本地倉(cāng)庫上獲取有哪些鏡像

復(fù)制代碼

代碼如下:

curl -X GET http://registry.wpython.com:5000/v1/search

curl http://registry.wpython.com:5000/v1/search
{"num_results": 1, "query": "", "results": [{"description": "", "name": "library/centos6"}]}

# 拉取到本地

復(fù)制代碼

代碼如下:

docker pull library/centos6

# tag 一個(gè)鏡像

復(fù)制代碼

代碼如下:

docker tag 8552ea9a16f9 registry.wpython.com:5000/centos6_x86_64.mini

# 將新的docker images push 到本地倉(cāng)庫

復(fù)制代碼

代碼如下:

docker push registry.wpython.com:5000/centos6_x86_64.mini

4、加入nginx認(rèn)證
Docker 啟動(dòng)監(jiān)聽端口后，使用的是 http，可以遠(yuǎn)程來管理 Docker 主機(jī)。
這樣的場(chǎng)景存在弊端，API 層面是沒有提供用戶驗(yàn)證、Token 之類身份驗(yàn)證功能，任何人都可以通過地址加端口來控制 Docker 主機(jī)，為了避免這樣的情況發(fā)生，Docker 官方也支持 https 方式，不過需要我們自己來生成證書。
新版本的docker 也強(qiáng)制必須使用https否則會(huì)報(bào)錯(cuò)

# 安裝nginx過程略
創(chuàng)建一個(gè)登陸用戶(如果沒有htpasswd命令請(qǐng)安裝httpd-tools這個(gè)包)

復(fù)制代碼

代碼如下:

htpasswd -c /alidata/server/nginx/docker-registry.htpasswd admin
New password:
Re-type new password:
Adding password for user admin

# 生成根密鑰

復(fù)制代碼

代碼如下:

cd /etc/pki/CA/
openssl genrsa -out private/cakey.pem 2048

# 生成根證書

復(fù)制代碼

代碼如下:

openssl req -new -x509 -key private/cakey.pem -out cacert.pem

Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:Brijing
Locality Name (eg, city) []:Chaoyang
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:registry.wpython.com
Email Address []:

# 為nginx服務(wù)器生成ssl密鑰

復(fù)制代碼

代碼如下:

cd /alidata/server/nginx/ssl
openssl genrsa -out nginx.key 2048

# 為nginx生成的證書簽署請(qǐng)求

復(fù)制代碼

代碼如下:

openssl req -new -key nginx.key -out nginx.csr

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:Beijing
Locality Name (eg, city) []:Chaoyang
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:registry.wpython.com
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

# 私有CA根據(jù)請(qǐng)求來簽發(fā)證書

復(fù)制代碼

代碼如下:

openssl ca -in nginx.csr -out nginx.crt

# 如果報(bào)如下錯(cuò)誤：
Using configuration from /usr/local/ssl/openssl.cnf
/etc/pki/CA/index.txt: No such file or directory
unable to open '/etc/pki/CA/index.txt'
140137408210600:error:02001002:system library:fopen:No such file or directory:bss_file.c:398:fopen('/etc/pki/CA/index.txt','r')
140137408210600:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:400:

# 執(zhí)行以下命令

復(fù)制代碼

代碼如下:

cd /etc/pki/CA/
mkdir newcerts
touch index.txt
touch serial
echo 01 > serial
cd -

openssl ca -in nginx.csr -out nginx.crt

Using configuration from /usr/local/ssl/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: May 12 04:15:08 2015 GMT
            Not After : May 11 04:15:08 2016 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = Beijing
            organizationName          = Internet Widgits Pty Ltd
            commonName                = registry.wpython.com
            emailAddress              = 739827282@qq.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                B5:20:C7:47:26:D9:26:54:12:F7:36:7E:4E:3A:F0:D9:0E:2C:F7:BD
            X509v3 Authority Key Identifier:
                keyid:93:F7:86:72:1B:2B:24:CD:AF:24:EF:53:F4:E1:FA:EC:E7:70:1A:90

Certificate is to be certified until May 11 04:15:08 2016 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

# 發(fā)現(xiàn)根證書

復(fù)制代碼

代碼如下:

# cp /etc/pki/tls/certs/ca-bundle.crt{,.bak} 備份以防出錯(cuò)
# cat /etc/pki/CA/cacert.pem >> /etc/pki/tls/certs/ca-bundle.crt

# 創(chuàng)建nginx配置文件

復(fù)制代碼

代碼如下:

# vi /alidata/server/nginx/conf/vhosts/www.wpython.com.conf
upstream docker-registry {

server localhost:5000;
}

server {
listen 8080;
server_name registry.wpython.com;

# enabled ssl
ssl on;
ssl_certificate /alidata/server/nginx/ssl/nginx.crt;
ssl_certificate_key /alidata/server/nginx/ssl/nginx.key;

proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
client_max_body_size 0;
chunked_transfer_encoding on;

location / {

auth_basic "Restricted";
auth_basic_user_file docker-registry.htpasswd;
proxy_pass http://docker-registry;

}

location /_ping {

auth_basic off;
proxy_pass http://docker-registry;

}

location /v1/_ping {
auth_basic off;
proxy_pass http://docker-registry;
}
}

# 完成測(cè)試

復(fù)制代碼

代碼如下:

# docker login https://registry.wpython.com:8080
Username: admin
Password:
Email: 739827282@qq.com
Login Succeeded