一、 普通模式, no ssl

setup private docker registry (参考 https://www.digitalocean.com/community/tutorials/how-to-set-up-a-private-docker-registry-on-ubuntu-14-04 and http://www.dropbit.ch/private-docker-registry-with-nginx-on-centos-7/   )

On dedicated Docker private registry host, we use CentOS7:

add CentOS-Extras repository

yum -y install docker-registry
systemctl start docker-registry
systemctl enable docker-registry


install docker to pull p_w_picpaths you needed, then

vi /etc/sysconfig/docker
INSECURE_REGISTRY='--insecure-registry=docker-registry-host:5000'

systemctl restart docker


docker tag p_w_picpath-id registry-host-name:5000/ubuntu:14.04.2 , etc

docker push registry-host-name:5000/ubuntu:14.04.2, etc


查看docker private registry:

curl http://registry-host-name:5000/v1/search


on normal docker hosts that want to use this private registry:

CentOS7:
vi /etc/sysconfig/docker
INSECURE_REGISTRY='--insecure-registry=docker-registry-host:5000'

systemctl restart docker
docker pull docker-registry-host:5000/ubuntu:14.04.2


CentOS6:
vi /etc/sysconfig/docker
other_args="--registry-mirror=http://8c6d2546.m.daocloud.io --insecure-registry=docker-registry-host:5000"


service docker restart
docker pull docker-registry-host:5000/ubuntu:14.04.2

Ubuntu 14.04.2
vi /etc/default/docker
DOCKER_OPTS="--registry-mirror=http://8c6d2546.m.daocloud.io --insecure-registry=192.168.1.6:5000"

service docker restart
docker pull docker-registry-host:5000/ubuntu:14.04.2


Notes: docker run -d -p 5000:5000 -v /opt/docker/registry:/tmp/registry registry:latest


一、 安全模式, with ssl

On dedicated Docker private registry host, we use CentOS7:

add CentOS-Extras repository
yum -y install docker-registry
systemctl start docker-registry
systemctl enable docker-registry

1. Installing Nginx:
add EPEL repository
yum -y install nginx
systemctl enable nginx
systemctl start nginx

2. Configure access through Nginx to your private docker registry
vi /etc/hosts
ip-address-of-docker-registry    www.ilovedocker.com

mkdir /etc/nginx/sites-available
vi /etc/nginx/sites-available/docker-registry
# For versions of Nginx > 1.3.9 that include chunked transfer encoding support
# Replace with appropriate values where necessary

upstream private-docker-registry {
 server localhost:5000;
}

server {
 listen 443;
 server_name www.ilovedocker.com;

 #ssl on;
 #ssl_certificate /etc/pki/tls/certs/www.ilovedocker.com.crt;
 #ssl_certificate_key /etc/pki/tls/private/www.ilovedocker.com.key;

 proxy_set_header Host       $http_host;   # required for Docker client sake
 proxy_set_header X-Real-IP  $remote_addr; # pass on real client IP

 client_max_body_size 0; # disable any limits to avoid HTTP 413 for large p_w_picpath uploads

 # required to avoid HTTP 411: see Issue #1486 (https://github.com/dotcloud/docker/issues/1486)
 chunked_transfer_encoding on;

 location / {
     # let Nginx know about our auth file
     auth_basic              "Restricted";
     auth_basic_user_file    docker-registry.htpasswd;

     proxy_pass http://private-docker-registry;
 }
 location /_ping {
     auth_basic off;
     proxy_pass http://private-docker-registry;
 }
 location /v1/_ping {
     auth_basic off;
     proxy_pass http://private-docker-registry;
 }

}

vi /etc/sysconfig/docker-registry
REGISTRY_ADDRESS=127.0.0.1

systemctl restart docker-registry

yum -y install httpd-tools
htpasswd -c /etc/nginx/docker-registry.htpasswd USERNAME
Open the file /etc/nginx/nginx.conf and add after the line “include /etc/nginx/conf.d/*.conf;”the following:
include /etc/nginx/sites-enabled/*;

mkdir /etc/nginx/sites-enabled
ln -s /etc/nginx/sites-available/docker-registry /etc/nginx/sites-enabled/docker-registry
systemctl reload nginx

curl USER:[email protected]:443


3. Configure Nginx to use ssl
mkdir ~/certs
cd ~/certs

create a new root key:
openssl genrsa -out dockerCA.key 2048

create a root certificate, you don’t have to answer the upcoming question, just hit enter:
openssl req -x509 -new -nodes -key dockerCA.key -days 3650 -out dockerCA.crt

create a private key for your Nginx Server:
openssl genrsa -out www.ilovedocker.com.key 2048

Next a certificate signing request is needed:
openssl req -new -key www.ilovedocker.com.key -out www.ilovedocker.com.csr
Answer the upcoming question for “Common Name” with the domain of your server, e.g: www.ilovedocker.com. Don’t provide a challenge password.

sign the certificate request:
openssl x509 -req -in www.ilovedocker.com.csr -CA dockerCA.crt -CAkey dockerCA.key -CAcreateserial -out www.ilovedocker.com.crt -days 3650

vi /etc/nginx/sites-available/docker-registry to uncomment ssl lines

cp www.ilovedocker.com.crt /etc/pki/tls/certs/
cp www.ilovedocker.com.key /etc/pki/tls/private/

update-ca-trust enable
cp dockerCA.crt /etc/pki/ca-trust/source/anchors/
update-ca-trust extract
systemctl reload nginx

curl https://USER:[email protected]

4. on remote docker host

docker with your private remote docker registry
Ubuntu 14.04:
vi /etc/hosts
ip-address-of-docker-registry    www.ilovedocker.com

copy dockerCA.crt to /usr/local/share/ca-certificates
update-ca-certificates

CentOS6/7:
vi /etc/hosts
ip-address-of-docker-registry    www.ilovedocker.com

copy dockerCA.crt to /etc/pki/ca-trust/source/anchors
update-ca-trust enable
update-ca-trust extract

docker login https://www.ilovedocker.com
docker pull ubuntu
docker tag ubuntu www.ilovedocker.com/ubuntu:hj
docker push www.ilovedocker.com/ubuntu:hj