Setting up the environment
1. Prepare a machine with Docker installed
IP: 10.254.100.225
2. We will install the Docker registry and Portus on the same virtual machine. That is more convenient, and it also avoids clock-synchronization problems between the two (the tokens Portus issues carry validity times that the registry checks). To start a Docker registry with authentication enabled, first generate a self-signed certificate. The OpenSSL request config below lists both the hostname and the IP address in subjectAltName, so the certificate is valid whichever way the host is addressed:
cat << EOF > ssl.conf
[ req ]
prompt = no
distinguished_name = req_subj
x509_extensions = x509_ext
[ req_subj ]
CN = Localhost
[ x509_ext ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
basicConstraints = CA:true
subjectAltName = @alternate_names
[ alternate_names ]
DNS.1 = localhost
IP.1 = 10.254.100.225
EOF
3. The certificate is now generated, but because it is self-signed, the Docker client also has to be given the certificate file (the commands below assume it was written to /certs/server-crt.pem):
sudo mkdir -p /etc/docker/certs.d/10.254.100.225:5000
sudo cp /certs/server-crt.pem /etc/docker/certs.d/10.254.100.225:5000/ca.crt
sudo service docker restart
4. Next, create a registry configuration file that points at the certificate just generated and selects token authentication. The authentication server is set to the Portus instance we will start shortly:
cat << EOF > config.yml
version: 0.1
loglevel: debug
storage:
  cache:
    blobdescriptor: inmemory
  filesystem:
    rootdirectory: /var/lib/registry
  delete:
    enabled: true
http:
  addr: :5000
  headers:
    X-Content-Type-Options: [nosniff]
  tls:
    certificate: /certs/server-crt.pem
    key: /certs/server-key.pem
auth:
  token:
    realm: https://10.254.100.225/v2/token
    service: 10.254.100.225:5000
    issuer: 10.254.100.225
    rootcertbundle: /certs/server-crt.pem
notifications:
  endpoints:
    - name: portus
      url: https://10.254.100.225/v2/webhooks/events
      timeout: 500ms
      threshold: 5
      backoff: 1s
EOF
5. Start the containers
Start the registry container:
docker run -d \
--name registry \
-p 5000:5000 \
--restart=always \
-v /var/lib/registry:/var/lib/registry \
-v /certs:/certs \
-v `pwd`/config.yml:/etc/docker/registry/config.yml \
registry:2.3.0
Start the MariaDB container and configure it:
docker run -d \
--name mariadb \
--net=host \
--restart=always \
-e MYSQL_ROOT_PASSWORD=123456 \
-e TERM=xterm \
mariadb:10.1.10
Once the database has finished starting, connect to it:
docker exec -it mariadb mysql -uroot -p123456
Create the user and database for Portus:
create database portus;
GRANT ALL ON portus.* TO 'portus'@'%' IDENTIFIED BY 'portus';
exit
Start Portus:
docker run -it -d \
--name portus \
--net host \
--restart=always \
-v /certs:/certs \
-v /usr/sbin/update-ca-certificates:/usr/sbin/update-ca-certificates \
-v /etc/ca-certificates:/etc/ca-certificates \
--env DB_ADAPTER=mysql2 \
--env DB_ENCODING=utf8 \
--env DB_HOST=10.254.100.225 \
--env DB_PORT=3306 \
--env DB_USERNAME=portus \
--env DB_PASSWORD=portus \
--env DB_DATABASE=portus \
--env RACK_ENV=production \
--env RAILS_ENV=production \
--env PUMA_SSL_KEY=/certs/server-key.pem \
--env PUMA_SSL_CRT=/certs/server-crt.pem \
--env PUMA_PORT=443 \
--env PUMA_WORKERS=4 \
--env MACHINE_FQDN=10.254.100.225 \
--env SECRETS_SECRET_KEY_BASE=secret-goes-here \
--env SECRETS_ENCRYPTION_PRIVATE_KEY_PATH=/certs/server-key.pem \
--env SECRETS_PORTUS_PASSWORD=portuspw \
h0tbird/portus:v2.0.2-1
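Both sides of the token handshake are now configured: the registry answers an unauthenticated request with a Bearer challenge naming the realm and service from config.yml, the Docker client fetches a token from that realm (Portus), and the registry accepts the token only if it verifies against rootcertbundle and its issuer and audience match the config. The Python below is an added example written for this write-up, not code from Portus or the registry. It checks that the registry's auth.token values and the Portus environment above agree, parses a constructed challenge header into the token request URL, and decodes a constructed, unsigned sample token to show which claim mismatches (issuer, service, expiry or clock skew) make the registry reject a login. REGISTRY_AUTH, PORTUS_ENV, SAMPLE_CHALLENGE and demo_token are all constructed here; that Portus uses MACHINE_FQDN as token issuer and signs with the key behind PUMA_SSL_CRT is the assumption this setup's config relies on.

```python
"""Registry token auth in this setup: challenge, token URL and claim checks.

Added example for this write-up, not code from Portus or the Docker registry.
REGISTRY_AUTH mirrors the auth.token section of config.yml, PORTUS_ENV the
matching --env values of the Portus container; challenge and tokens are
constructed sample data.
"""
import base64
import json
import re
import time
from urllib.parse import urlencode, urlparse

REGISTRY_AUTH = {  # auth.token section of config.yml
    "realm": "https://10.254.100.225/v2/token",
    "service": "10.254.100.225:5000",
    "issuer": "10.254.100.225",
    "rootcertbundle": "/certs/server-crt.pem",
}
PORTUS_ENV = {  # the Portus settings these values have to agree with
    "MACHINE_FQDN": "10.254.100.225",
    "PUMA_PORT": "443",
    "PUMA_SSL_CRT": "/certs/server-crt.pem",
}

def check_consistency(auth, env):
    """Return mismatches between the registry's token config and Portus.

    The registry accepts a token only if it verifies against rootcertbundle,
    its `iss` equals issuer and its `aud` equals service. Assumption of this
    setup: Portus issues as MACHINE_FQDN and signs with the PUMA_SSL_CRT key.
    """
    problems = []
    realm = urlparse(auth["realm"])
    port = realm.port or 443
    if realm.scheme != "https":
        problems.append("realm is not https; the client sends credentials to it")
    if realm.hostname != env["MACHINE_FQDN"]:
        problems.append(f"realm host {realm.hostname!r} != MACHINE_FQDN {env['MACHINE_FQDN']!r}")
    if port != int(env["PUMA_PORT"]):
        problems.append(f"realm port {port} != PUMA_PORT {env['PUMA_PORT']}")
    if auth["issuer"] != env["MACHINE_FQDN"]:
        problems.append(f"issuer {auth['issuer']!r} != MACHINE_FQDN {env['MACHINE_FQDN']!r}")
    if auth["rootcertbundle"] != env["PUMA_SSL_CRT"]:
        problems.append("rootcertbundle is not the certificate Portus signs with")
    return problems

def parse_bearer_challenge(header):
    """Parse the WWW-Authenticate value the registry returns with a 401."""
    scheme, _, params = header.partition(" ")
    if scheme != "Bearer":
        raise ValueError("expected a Bearer challenge")
    return dict(re.findall(r'(\w+)="([^"]*)"', params))

def token_request_url(challenge):
    """URL the Docker client fetches (with Basic auth) to obtain a token."""
    query = {"service": challenge["service"]}
    if "scope" in challenge:
        query["scope"] = challenge["scope"]
    return challenge["realm"] + "?" + urlencode(query)

def _b64url_decode(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def inspect_token(token, auth, now=None):
    """Decode a token and list the claim checks the registry would fail.

    The signature is NOT verified here (the registry does that with the
    public key in rootcertbundle); this only explains a rejected login and
    must never be used to accept a token. Returns (alg, access, problems).
    """
    header_b64, payload_b64, _signature = token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    claims = json.loads(_b64url_decode(payload_b64))
    now = time.time() if now is None else now
    problems = []
    if claims.get("iss") != auth["issuer"]:
        problems.append(f"iss {claims.get('iss')!r} != issuer {auth['issuer']!r}")
    if claims.get("aud") != auth["service"]:
        problems.append(f"aud {claims.get('aud')!r} != service {auth['service']!r}")
    if claims.get("exp", 0) <= now:
        problems.append("token expired (or the registry clock is ahead of Portus)")
    if claims.get("nbf", 0) > now:
        problems.append("token not yet valid (registry clock is behind Portus)")
    return header.get("alg"), claims.get("access", []), problems

def demo_token(claims):
    """Constructed, UNSIGNED token for exercising inspect_token; never valid."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.not-a-signature"

SAMPLE_CHALLENGE = ('Bearer realm="https://10.254.100.225/v2/token",'
                    'service="10.254.100.225:5000",scope="repository:demo/app:pull"')

if __name__ == "__main__":
    print(check_consistency(REGISTRY_AUTH, PORTUS_ENV))  # [] when they agree
    print(token_request_url(parse_bearer_challenge(SAMPLE_CHALLENGE)))
    stale = demo_token({"iss": "portus.example", "aud": "10.254.100.225:5000", "exp": 0})
    print(inspect_token(stale, REGISTRY_AUTH))
```

When `docker login 10.254.100.225:5000` fails after this setup, the usual cause is one of the mismatches check_consistency reports; the problems list from inspect_token on a token copied out of the registry's debug log (loglevel is debug above) names the claim that failed.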
6. Test: opening https://10.254.100.225 in a browser should redirect to the Portus sign-up page.
7. Configure synchronization. Next we try the scheduled sync job. First, the Portus container has to trust our self-signed certificate:
docker exec portus mkdir /usr/local/share/ca-certificates
docker cp /certs/server-crt.pem portus:/usr/local/share/ca-certificates/ca.crt
docker exec portus update-ca-certificates
Then start the scheduled sync job, set here to synchronize every 10 seconds:
docker exec -it portus bash
RAILS_ENV=production CATALOG_CRON="10.seconds" bundle exec crono
The final step is automatic synchronization. First stop the crono process started above with Ctrl+C, then leave the Portus container with Ctrl+D. Because the Docker registry has to call Portus's API, the registry container must trust this certificate as well:
docker cp /certs/server-crt.pem registry:/usr/local/share/ca-certificates/ca.crt
docker exec registry update-ca-certificates
sudo service docker restart
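The call the registry makes to Portus is the notifications endpoint from config.yml: every push, pull and delete is POSTed to https://10.254.100.225/v2/webhooks/events as a JSON envelope, and the manifest events in it are what keep the Portus catalog current between crono runs. The Python below is an added example for this write-up, not Portus code. It builds a constructed envelope in the registry's notification shape (the ids, digests and addresses are made up), validates each event the way a receiver should before acting on input posted to it, keeps only the manifest pushes and deletes that change the catalog, and turns them into audit lines that make an unexpected push or delete visible in logs. The repository-name pattern is a simplified version of the registry's, and the filtering rule is this example's own, not a reproduction of what Portus does.

```python
"""Registry notification events as delivered to the Portus webhook above.

Added example for this write-up; not Portus code. The envelope is constructed
in the Docker registry's notification shape (an "events" array whose entries
carry action, target, request and actor); ids, digests and addresses are fake.
"""
import json
import re

MANIFEST_MEDIA_TYPES = {
    "application/vnd.docker.distribution.manifest.v1+json",
    "application/vnd.docker.distribution.manifest.v1+prettyjws",
    "application/vnd.docker.distribution.manifest.v2+json",
}
DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")
# Simplified form of the registry's repository-name grammar (constructed here).
REPO_RE = re.compile(r"[a-z0-9]+(?:[._-][a-z0-9]+)*(?:/[a-z0-9]+(?:[._-][a-z0-9]+)*)*")
METHOD_FOR_ACTION = {"push": "PUT", "pull": "GET", "delete": "DELETE"}

def _event(eid, action, media_type, digest, tag, actor, addr):
    """Build one constructed event in the registry's envelope shape."""
    target = {"mediaType": media_type, "digest": digest,
              "repository": "demo/app", "length": 708}
    if tag:
        target["tag"] = tag
    return {"id": eid, "timestamp": "2016-03-01T10:00:00Z", "action": action,
            "target": target,
            "request": {"id": "req-" + eid, "addr": addr,
                        "host": "10.254.100.225:5000",
                        "method": METHOD_FOR_ACTION[action],
                        "useragent": "docker/1.10.0"},
            "actor": {"name": actor},
            "source": {"addr": "registry:5000", "instanceID": "inst-0001"}}

SAMPLE_ENVELOPE = json.dumps({"events": [
    _event("evt-1", "push", "application/vnd.docker.distribution.manifest.v2+json",
           "sha256:" + "a" * 64, "v1", "alice", "10.254.100.17:42961"),
    _event("evt-2", "push", "application/octet-stream",  # a layer blob, not a manifest
           "sha256:" + "b" * 64, None, "alice", "10.254.100.17:42962"),
    _event("evt-3", "pull", "application/vnd.docker.distribution.manifest.v2+json",
           "sha256:" + "a" * 64, "v1", "", "10.254.100.99:50012"),
    _event("evt-4", "delete", "", "sha256:" + "a" * 64, None, "bob", "10.254.100.18:40001"),
]})

def validate_event(ev):
    """Checks a receiver should make before trusting a posted event."""
    problems = [f"missing {key}" for key in ("id", "timestamp", "action", "target", "request")
                if key not in ev]
    if problems:
        return problems
    if ev["action"] not in METHOD_FOR_ACTION:
        problems.append(f"unknown action {ev['action']!r}")
    if not DIGEST_RE.match(ev["target"].get("digest", "")):
        problems.append("target.digest is not a sha256 digest")
    repo = ev["target"].get("repository", "")
    if not REPO_RE.fullmatch(repo):
        problems.append(f"target.repository {repo!r} is not a valid repository name")
    return problems

def relevant_events(envelope_json):
    """Return the events that change the catalog: manifest pushes and deletes.

    Layer-blob pushes and pulls are noise for a catalog sync and are dropped;
    malformed events are dropped rather than guessed at.
    """
    keep = []
    for ev in json.loads(envelope_json).get("events", []):
        if validate_event(ev):
            continue
        if ev["action"] == "delete":
            keep.append(ev)
        elif ev["action"] == "push" and ev["target"].get("mediaType") in MANIFEST_MEDIA_TYPES:
            keep.append(ev)
    return keep

def audit_lines(events):
    """One log line per catalog change: who did what to which image from where."""
    lines = []
    for ev in events:
        t = ev["target"]
        ref = t["repository"] + (":" + t["tag"] if t.get("tag") else "@" + t["digest"][:19])
        actor = ev.get("actor", {}).get("name") or "<anonymous>"
        lines.append(f"{ev['timestamp']} {ev['action']} {ref} actor={actor} "
                     f"from={ev['request']['addr']}")
    return lines

if __name__ == "__main__":
    for line in audit_lines(relevant_events(SAMPLE_ENVELOPE)):
        print(line)
```

Shipping audit_lines output to the same place as the Docker daemon logs gives a record of every image change with the authenticated Portus user and the client address, which the registry's own access log does not tie together.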
8. Open a beer to celebrate: the setup is complete!!!
Reference: http://qinghua.github.io/portus/