Docker私有Registry在CentOS6.X下安装指南
说明:
docker.yy.com这是docker registry服务器的域名也就是你的公司docker私有服务器的主机地址,假定ip是192.168.2.114;因为https的SSL证书不能用IP地址,我就随便起了个名字。
registry服务器作为上游服务器处理docker镜像的最终上传和下载,用的是官方的镜像。
nginx 1.4.x是一个用nginx作为反向代理服务器
一、Docker Server端配置
安装依赖
yum -y install gcc make file && \ yum -y install tar pcre-devel pcre-staticopenssl openssl-devel httpd-tools
配置SSL
(1) 编辑/etc/hosts,把docker.yy.com的ip地址添加进来,例如:
192.168.2.114 docker.yy.com
(2) 生成根密钥
先把
/etc/pki/CA/cacert.pem
/etc/pki/CA/index.txt
/etc/pki/CA/index.txt.attr
/etc/pki/CA/index.txt.old
/etc/pki/CA/serial
/etc/pki/CA/serial.old
删除掉!
cd /etc/pki/CA/openssl genrsa -out private/cakey.pem 2048
(3) 生成根证书
openssl req -new -x509 -key private/cakey.pem -out cacert.pem
输出:
You are about to be asked to enter information that will be incorporatedinto your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank.-----Country Name (2 letter code) [XX]:CN State or Province Name (full name) []:beijing Locality Name (eg, city) [Default City]:beijing Organization Name (eg, company) [Default Company Ltd]:youyuan Organizational Unit Name (eg, section) []: Common Name (eg, your name or your server's hostname) []:docker.yy.com Email Address []:
会提示输入一些内容,因为是私有的,所以可以随便输入,最好记住能与后面保持一致,特别是"Common Name”。上面的自签证书cacert.pem应该生成在/etc/pki/CA下。
(4) 为我们的nginx web服务器生成ssl密钥
mkdir -p /etc/nginx/ssl cd /etc/nginx/ssl openssl genrsa -out nginx.key 2048
我们的CA中心与要申请证书的服务器是同一个,否则应该是在另一台需要用到证书的服务器上生成。
(5) 为nginx生成证书签署请求
openssl req -new -key nginx.key -out nginx.csr
输出:
You are about to be asked to enter information that will be incorporatedinto your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank.-----Country Name (2 letter code) [XX]:CN State or Province Name (full name) []:beijing Locality Name (eg, city) [Default City]:beijing Organization Name (eg, company) [Default Company Ltd]:youyuan Organizational Unit Name (eg, section) []: Common Name (eg, your name or your server's hostname) []:docker.yy.com Email Address []: Please enter the following 'extra' attributesto be sent with your certificate request A challenge password []: An optional company name []:
同样会提示输入一些内容,Commone Name一定要是你要授予证书的服务器域名或主机名,challenge password不填。
(6) 私有CA根据请求来签发证书
touch /etc/pki/CA/index.txt touch /etc/pki/CA/serial echo 00 > /etc/pki/CA/serial openssl ca -in nginx.csr -out nginx.crt
输出:
Using configuration from /etc/pki/tls/openssl.cnf Check that the request matches the signature Signature ok Certificate Details: Serial Number: 0 (0x0) Validity Not Before: Dec 9 09:59:20 2014 GMT Not After : Dec 9 09:59:20 2015 GMT Subject: countryName = CN stateOrProvinceName = beijing organizationName = youyuan commonName = docker.yy.com X509v3 extensions: X509v3 Basic Constraints: CA:FALSE Netscape Comment: OpenSSL Generated Certificate X509v3 Subject Key Identifier: 5D:6B:02:FF:9E:F8:EA:1B:73:19:47:39:4F:88:93:9F:E7:AC:A5:66 X509v3 Authority Key Identifier: keyid:46:DC:F1:A5:6F:39:EC:6E:77:03:3B:C4:34:03:7E:B8:0A:ED:99:41Certificate is to be certified until Dec 9 09:59:20 2015 GMT (365 days) Sign the certificate? [y/n]:y1 out of 1 certificate requests certified, commit? [y/n]y Write out database with 1 new entries Data Base Updated
同样会提示输入一些内容,选择
y就可以了!
二、安装,配置,运行nginx
(1) 添加组和用户:
groupadd www -g 58 useradd -u 58 -g www www
(2) 下载nginx源文件:
cd /tmp wget http://nginx.org/download/nginx-1.4.6.tar.gzcp ./nginx-1.4.6.tar.gz /tmp/
(3) 编译,安装nginx:
tar zxvf ./nginx-1.4.6.tar.gz cd ./nginx-1.4.6 && \ ./configure --user=www --group=www --prefix=/opt/nginx \ --with-pcre \ --with-http_stub_status_module \ --with-http_ssl_module \ --with-http_addition_module \ --with-http_realip_module \ --with-http_flv_module && \ make && \ make install cd /tmp rm -rf /tmp/nginx-1.4.6/rm /tmp/nginx-1.4.6.tar.gz
(4) 生成htpasswd
htpasswd -cb /opt/nginx/conf/.htpasswd ${USER} ${PASSWORD}
(5) 编辑/opt/nginx/conf/nginx.conf文件
#daemon off;
# 使用的用户和组user www www;
# 指定工作进程数(一般等于CPU总核数)worker_processes auto;
# 指定错误日志的存放路径,错误日志记录级别选项为:[debug | info | notic | warn | error | crit]error_log /var/log/nginx_error.log error;
#指定pid存放的路径
#pid logs/nginx.pid;
# 指定文件描述符数量
worker_rlimit_nofile 51200;
events {
# 使用的网络I/O模型,Linux推荐epoll;FreeBSD推荐kqueue
use epoll;
# 允许的最大连接数
worker_connections 51200;
multi_accept on;
}
http {
include mime.types;
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$upstream_addr"';
access_log /var/log/nginx_access.log main;
# 服务器名称哈希表的桶大小,该默认值取决于CPU缓存
server_names_hash_bucket_size 128;
# 客户端请求的Header头缓冲区大小
client_header_buffer_size 32k;
large_client_header_buffers 4 32k;
# 启用sendfile()函数
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
upstream registry {
server 127.0.0.1:5000;
}
server {
listen 443;
server_name 192.168.2.114;
ssl on;
ssl_certificate /etc/nginx/ssl/nginx.crt;
ssl_certificate_key /etc/nginx/ssl/nginx.key;
client_max_body_size 0;
# disable any limits to avoid HTTP 413 for large p_w_picpath uploads
# required to avoid HTTP 411: see Issue #1486 (https://github.com/docker/docker/issues/1486)
chunked_transfer_encoding on;
location / {
auth_basic "registry";
auth_basic_user_file /opt/nginx/conf/.htpasswd;
root html;
index index.html index.htm;
proxy_pass http://registry;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Authorization "";
client_body_buffer_size 128k;
proxy_connect_timeout 90;
proxy_send_timeout 90;
proxy_read_timeout 90;
proxy_buffer_size 8k;
proxy_buffers 4 32k;
proxy_busy_buffers_size 64k; #如果系统很忙的时候可以申请更大的proxy_buffers 官方推荐*2
proxy_temp_file_write_size 64k; #proxy缓存临时文件的大小
}
location /_ping {
auth_basic off;
proxy_pass http://registry;
}
location /v1/_ping {
auth_basic off;
proxy_pass http://registry;
}
}
}
(6) 验证配置
/opt/nginx/sbin/nginx -t
输出:
nginx: the configuration file /opt/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /opt/nginx/conf/nginx.conf test is successful
(7) 启动nginx:
/opt/nginx/sbin/nginx
(8) 验证nginx是否启动:
ps -ef | grep -i 'nginx'
如下输出就表明nginx一切正常!
root 27133 1 0 18:58 ? 00:00:00 nginx: master process /opt/nginx/sbin/nginx www 27134 27133 0 18:58 ? 00:00:00 nginx: worker process www 27135 27133 0 18:58 ? 00:00:00 nginx: worker process www 27136 27133 0 18:58 ? 00:00:00 nginx: worker process www 27137 27133 0 18:58 ? 00:00:00 nginx: worker process root 27160 42863 0 18:58 pts/0 00:00:00 grep -i nginx
三、配置,运行Docker
(1) 停止docker
service docker stop
(2)编辑/etc/sysconfig/docker文件,加上如下一行
DOCKER_OPTS="--insecure-registry docker.yy.com --tlsverify --tlscacert /etc/pki/CA/cacert.pem"
(3) 把根证书复制到/etc/docker/certs.d/docker.yy.com/目录下
mkdir -p /etc/docker/certs.d/docker.yy.com/ cp /etc/pki/CA/cacert.pem /etc/docker/certs.d/docker.yy.com/ca-certificates.crt
(4) 启动docker
service docker start
四、下载,配置,运行registryp_w_picpath
(1) 获取Image
docker pull registry
(2) 运行Image
mkdir -p /opt/registrydocker run -d -e STORAGE_PATH=/registry -v /opt/registry:/registry -p 127.0.0.1:5000:5000 --name registry registry
命令稍加解释一下:
-p 127.0.0.1:5000:5000registry 作为上游服务器,这个 5000 端口可以不用映射出来,因为所有的外部访问都是通过前端的nginx来提供,nginx 可以在私有网络访问 registry 。
(3) 验证registry:
用浏览器输入:
https://docker.yy.com
或者:curl -i -k https://abc:[email protected]
服务端的配置就到此完成!
五、Docker客户端配置
(1) 编辑/etc/hosts,把docker.yy.com的ip地址添加进来,例如:
192.168.2.114 docker.yy.com
(2) 把docker registry服务器端的根证书追加到ca-certificates.crt文件里
先从docker registry服务器端把文件/etc/pki/CA/cacert.pem拷贝到本机,然后执行命令:
cat ./cacert.pem >> /etc/pki/tls/certs/ca-certificates.crt
(3) 验证docker.yy.com下的registry:
用浏览器输入:
https://docker.yy.com
或者:curl -i -k https://abc:[email protected]
(4) 使用私有registry步骤:
登录:
docker login -u abc -p 123 -e "[email protected]" https://docker.yy.com给container起另外一个名字:
docker tag centos:centos6 docker.yy.com/centos:centos6发布:
docker push docker.yy.com/centos:centos6
六、Server端,操作私有仓库的步骤:
1. 从官方pull下来p_w_picpath!
docker push centos:centos6
2. 查看p_w_picpath的id
执行docker p_w_picpaths
输出:
root@pts/0 # docker p_w_picpathsREPOSITORY TAG IMAGE ID CREATED VIRTUAL SIZE centos centos6 25c5298b1a36 8 days ago 215.8 MB
3. 给p_w_picpath赋予一个私有仓库的tag
docker tag 25c5298b1a36 docker.yy.com/centos:centos6
4. push到私有仓库
docker push docker.yy.com/centos:centos6
5. 查看p_w_picpath
docker p_w_picpaths
输出:
root@pts/0 # docker p_w_picpathsREPOSITORY TAG IMAGE ID CREATED VIRTUAL SIZE centos centos6 25c5298b1a36 8 days ago 215.8 MB docker.yy.com/centos centos6 25c5298b1a36 8 days ago 215.8 MB
七、 Client端,操作私有仓库的步骤:
1. 从私有仓库pull下来p_w_picpath!
docker pull docker.yy.com/centos:centos6
2. 查看p_w_picpath
docker p_w_picpaths
输出:
root@pts/0 # docker p_w_picpathsREPOSITORY TAG IMAGE ID CREATED VIRTUAL SIZE docker.yy.com/centos centos6 25c5298b1a36 8 days ago 215.8 MB
附录:
(1) 弊端:
server端可以login到官方的Docker Hub,可以pull,push官方和私有仓库!
client端只能操作搭设好的私有仓库!
私有仓库不能search!
(2) 优点:
所有的build,pull,push操作只能在私有仓库的server端操作,降低企业风险!
(3) 当client端docker login到官方的https://index.docker.io/v1/网站,出现x509: certificate signed by unknown authority错误时
重命名根证书!
mv /etc/pki/tls/certs/ca-certificates.crt /etc/pki/tls/certs/ca-certificates.crt.bak
重启docker服务!service docker restart!