Set up a private Docker registry on a CentOS 7 machine, using a self-signed certificate for TLS (the official documentation does not recommend self-signed certificates).
The Docker private registry is itself a Docker image, named registry.
Assume Docker is already installed (Docker version 1.13.1, build 774336d/1.13.1) and the docker daemon is running.
| Hostname | IP |
|---|---|
| dockerRegistry | 10.1.1.193 |
Note that the Common Name must be the domain name or IP address of the Registry service.
Create the certs directory and generate the certificate and private key with openssl:
```bash
mkdir -p certs
openssl req \
  -newkey rsa:4096 -nodes -sha256 -keyout certs/domain.key \
  -x509 -days 3650 -out certs/domain.crt
```
```
Generating a 4096 bit RSA private key
......................................................................++
.....++
writing new private key to 'certs/domain.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Beijing
Locality Name (eg, city) [Default City]:Beijing
Organization Name (eg, company) [Default Company Ltd]:UFS
Organizational Unit Name (eg, section) []:Dev
Common Name (eg, your name or your server's hostname) []:10.1.1.193
Email Address []:[email protected]
```
When pushing images by IP address (rather than by domain name), you may get an error ending in `... because it doesn't contain any IP SANs`. In that case edit openssl.cnf, which lives at /etc/pki/tls/openssl.cnf or /etc/ssl/openssl.cnf: find the [v3_ca] section, comment out the existing subjectAltName, and set `subjectAltName=IP:10.1.1.193`, replacing 10.1.1.193 with the IP address of the certificate server. This is only done on the Registry server.
Copy the domain.crt generated above to /etc/docker/certs.d/<certificate server IP address:port>/ca.crt:
```bash
cp domain.crt /etc/docker/certs.d/10.1.1.193\:5001/ca.crt
```
Copy the file in the same way to every client that needs to access the registry.
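As an added example (not code from the original post), the following script generates the same self-signed certificate but supplies the IP SAN through a per-invocation OpenSSL config file instead of editing the system openssl.cnf, and then checks the result the way a Docker client will once the file is installed as ca.crt. It assumes openssl is installed; REGISTRY_IP and CERT_DIR are placeholders defaulting to the values used in this post.

```bash
# Added example (not from the original post): build the registry's self-signed
# cert with the IP SAN via a per-invocation OpenSSL config instead of editing
# the system openssl.cnf, then check it as docker/curl will. Needs openssl;
# REGISTRY_IP is a placeholder mirroring the post.
set -eu
REGISTRY_IP="${REGISTRY_IP:-10.1.1.193}"
CERT_DIR="${CERT_DIR:-certs}"

# Minimal request config: no prompts, and a v3 section carrying the
# subjectAltName whose absence triggers "doesn't contain any IP SANs".
write_openssl_cnf() {
  local ip="$1" out="$2"
  cat > "$out" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_registry
[dn]
C = CN
O = UFS
CN = $ip
[v3_registry]
basicConstraints = CA:TRUE
extendedKeyUsage = serverAuth
subjectAltName = IP:$ip
EOF
}

# The post's openssl req command, plus -config so openssl.cnf stays untouched.
gen_cert() {
  local ip="$1" dir="$2"
  mkdir -p "$dir"
  write_openssl_cnf "$ip" "$dir/registry.cnf"
  openssl req -newkey rsa:4096 -nodes -sha256 -keyout "$dir/domain.key" \
    -x509 -days 3650 -config "$dir/registry.cnf" -out "$dir/domain.crt" 2>/dev/null
}

# 0 when the SAN lists the IP exactly (dots escaped so 10.1.1.193 != 10x1.1.193).
cert_has_ip_san() {
  local text re
  text=$(openssl x509 -in "$1" -noout -text)
  re=$(printf '%s' "$2" | sed 's/\./\\./g')
  printf '%s\n' "$text" | grep -qE "IP Address:${re}(,|\$)"
}

# 0 when the cert validates against itself as a trust anchor, which is what a
# Docker client does once it sits in /etc/docker/certs.d/<ip:port>/ca.crt.
cert_self_verifies() {
  openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}

gen_cert "$REGISTRY_IP" "$CERT_DIR"
cert_has_ip_san "$CERT_DIR/domain.crt" "$REGISTRY_IP" && cert_self_verifies "$CERT_DIR/domain.crt" \
  && echo "domain.crt carries IP:$REGISTRY_IP and self-verifies; install it as ca.crt on each client"
```

Running the two checks before distributing the file catches the missing-SAN failure on the server rather than at the first docker push from a client.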
CentOS 7 enables SELinux by default. If you are not familiar with configuring SELinux, it is recommended to disable it first; otherwise it can interfere with Docker, for example mounting a host directory may fail with permission denied.
```bash
/usr/sbin/sestatus -v
SELinux status: disabled
```
or
```bash
getenforce
Disabled
```
```bash
## setenforce 0 sets SELinux to permissive mode
## setenforce 1 sets SELinux to enforcing mode
setenforce 0
vi /etc/selinux/config
```
Change SELINUX=enforcing to SELINUX=disabled. A reboot is required for the change to take effect.
You can pull and start the image in one step with docker run, but network problems may occur along the way, so it is recommended to do the two steps separately.
```bash
docker pull registry:2
```
If a timeout message appears:
```
Get https://registry-1.docker.io/v2/: net/http: request canceled while waiting for connection (Client.Timeout exceeded while awaiting headers)
```
For one way to resolve this, see the post "Docker拉镜像无法访问 registry-x.docker.io 问题" (Docker cannot reach registry-x.docker.io when pulling images).
```bash
docker run -d \
  --restart=always \
  --name registry \
  -v `pwd`/certs:/certs \
  -e REGISTRY_HTTP_ADDR=0.0.0.0:5001 \
  -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt \
  -e REGISTRY_HTTP_TLS_KEY=/certs/domain.key \
  -p 5001:5001 \
  registry:2
```
Check the container with `docker container list` or `docker ps`:
```
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
cb64a373d0a1 registry:2 "/entrypoint.sh /e..." 6 seconds ago Up 4 seconds 5000/tcp, 0.0.0.0:5001->5001/tcp registry
```
A quick test with curl; the trace written to curlInfo.txt shows the certificate information:
```bash
curl -kv -1 --trace curlInfo.txt 'https://10.1.1.193:5001/v2/'
```
```
[root@benserver dockercrets]# cat curlInfo.txt
== Info: About to connect() to 10.1.1.193 port 5001 (#0)
== Info: Trying 10.1.1.193...
== Info: Connected to 10.1.1.193 (10.1.1.193) port 5001 (#0)
== Info: Initializing NSS with certpath: sql:/etc/pki/nssdb
== Info: skipping SSL peer certificate verification
== Info: SSL connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
== Info: Server certificate:
== Info: subject: CN=10.1.1.193,OU=Dev,O=UFS,L=Beijing,ST=Beijing,C=CN
== Info: start date: 7月 07 08:51:35 2018 GMT
== Info: expire date: 7月 04 08:51:35 2028 GMT
== Info: common name: 10.1.1.193
== Info: issuer: CN=10.1.1.193,OU=Dev,O=UFS,L=Beijing,ST=Beijing,C=CN
```
Tag an image and push it to the registry:
```bash
docker tag ubuntu:14.04 10.1.1.193:5001/my-ubuntu
docker push 10.1.1.193:5001/my-ubuntu
```
Query the image that was just pushed:
```bash
curl -X GET https://10.1.1.193:5001/v2/_catalog -k
```
Returns `{"repositories":["my-ubuntu"]}`.
The Registry service can be configured with a YAML file. It ships with default values, which can be overridden as needed. With a YAML configuration you can customize storage, health monitoring, notifications and other features.
This example needs two files: config.yml (the Registry service configuration file) and htpasswd (the credentials file).
htpasswd is the Apache httpd basic-authentication file; use the htpasswd command to generate the user and password file.
Install htpasswd:
```bash
yum install -y httpd-tools
```
Create two users, testUser1 and testUser2:
```bash
htpasswd -Bc htpasswd testUser1
htpasswd -B htpasswd testUser2
```
The htpasswd file is created in the current directory; view the two users just created:
```bash
cat htpasswd
testUser1:$2y$05$5yZ0eyiLNTEcpKoJmB2Niedn8tTTiTCHn/wXuCgOGQPIj6fDpevFy
testUser2:$2y$05$WDUY1vaid5VfyeqpA8sm9.qIdp0OYCXbYgm8ajSV.VTF48crtL1Ua
```
This example only defines TLS and user authentication:
```yaml
version: 0.1
log:
  level: debug
storage:
  cache:
    blobdescriptor: inmemory
  filesystem:
    rootdirectory: /var/lib/registry
auth:
  htpasswd:
    realm: basic-realm
    path: /etc/docker/registry/htpasswd
http:
  addr: :5001
  host: https://10.1.1.193:5001
  tls:
    certificate: /certs/domain.crt
    key: /certs/domain.key
  secret: asecretforlocaldevelopment
  headers:
    X-Content-Type-Options: [nosniff]
```
Current directory layout:
```
├── certs
│   ├── domain.crt
│   └── domain.key
├── config.yml
└── htpasswd
```
Run the create command:
```bash
docker run -d -p 5001:5001 --restart=always --name registry \
  -v `pwd`/config.yml:/etc/docker/registry/config.yml \
  -v `pwd`/certs:/certs \
  -v `pwd`/htpasswd:/etc/docker/registry/htpasswd \
  registry:2
```
Log in to the registry:
```bash
docker login -u testUser1 -p test 10.1.1.193:5001
```
```
Flag --email has been deprecated, will be removed in 1.14.
Login Succeeded
```