I. Background
Nexus3 is a repository management platform from Sonatype. Nexus Repository OSS 3 can store and publish Maven, npm, Docker, YUM, Helm and other formats, and integrates with tools such as Jenkins, SonarQube and Eclipse.
Nexus3 supports Docker repositories both as hosted and as proxy repositories. These repositories can be exposed to client tools directly, or through a repository group: a group merges the contents of several repositories and exposes them to clients through a single URL, which simplifies use.
Running your own Nexus3 effectively cuts the time and bandwidth spent pulling images, and a private registry lets the enterprise share its own images.
II. Environment
Operating system: CentOS 7.5 Minimal
nexus server: 192.168.1.103
nexus client (with Docker installed): 192.168.1.102
III. Package downloads
Java SE Runtime Environment 8
jre-8u221-linux-x64.tar.gz
https://www.oracle.com/technetwork/java/javase/downloads/jre8-downloads-2133155.html
Nexus Repository Manager 3.5.0-02
nexus-3.5.0-02-unix.tar.gz
http://download.sonatype.com/nexus/3/nexus-3.5.0-02-unix.tar.gz
IV. Install the Java runtime environment (JRE)
Nexus runs on the Java virtual machine, so before installing Nexus we need to install the JRE (Java Runtime Environment).
# rpm -e --nodeps $(rpm -qa | grep -i openjdk)
# tar zxvf jre-8u221-linux-x64.tar.gz -C /opt
# echo 'export JAVA_HOME="/opt/jre1.8.0_221"' > /etc/profile.d/jre.sh
# echo 'export PATH=$JAVA_HOME/bin:$PATH' >> /etc/profile.d/jre.sh
# source /etc/profile.d/jre.sh
# java -version
V. Install Nexus
Disable SELinux enforcement (the config below sets permissive mode: denials are logged but no longer blocked)
# setenforce 0
# sed -i 's/^SELINUX=.*/SELINUX=permissive/g' /etc/selinux/config
Extract the package
# tar zxvf nexus-3.5.0-02-unix.tar.gz -C /opt
# ll /opt
Create the service user
# groupadd -g 2019 nexus
# useradd -u 2019 -g 2019 nexus
Set the user the service runs as
# vim /opt/nexus-3.5.0-02/bin/nexus.rc
#################################
run_as_user="nexus"
#################################
# vim /opt/nexus-3.5.0-02/bin/nexus
####################################
INSTALL4J_JAVA_HOME="/opt/jre1.8.0_221"
####################################
Create the systemd unit file for the service
# vim /etc/systemd/system/nexus.service
##################################
[Unit]
Description=nexus service
After=network.target
[Service]
Type=forking
User=nexus
ExecStart=/opt/nexus-3.5.0-02/bin/nexus start
ExecStop=/opt/nexus-3.5.0-02/bin/nexus stop
LimitNOFILE=65536
Restart=on-abort
[Install]
WantedBy=multi-user.target
#############################################
Change the owner and group of the nexus directories
# chown -R nexus:nexus /opt/nexus-3.5.0-02
# chown -R nexus:nexus /opt/sonatype-work
Note: /opt/nexus-3.5.0-02 is the Nexus installation directory and /opt/sonatype-work is the Nexus data directory
# systemctl daemon-reload
# systemctl start nexus.service
# systemctl enable nexus.service
# ss -tan | grep 8081
Create a Java self-signed certificate
# keytool \
-genkeypair \
-keystore /opt/nexus-3.5.0-02/etc/ssl/keystore.jks \
-alias nexus \
-keypass Nexus@123 \
-storepass Nexus@456 \
-keyalg RSA \
-keysize 2048 \
-validity 3650 \
-dname "CN=*.test.com,OU=Test,O=Test,L=ShenZhen,ST=GuangDong,C=CN" \
-ext "SAN=IP:192.168.1.103" \
-ext "BC=ca:true"
Update directory and file permissions, owner and group
# chown -R nexus:nexus /opt/nexus-3.5.0-02
# chown -R nexus:nexus /opt/sonatype-work
# find /opt/nexus-3.5.0-02/etc/* -type d -exec chmod 700 {} \;
# find /opt/nexus-3.5.0-02/etc/ -type f -exec chmod 600 {} \;
# vim /opt/sonatype-work/nexus3/etc/nexus.properties
############################################################################################
application-host=192.168.1.103
application-port-ssl=8443
nexus-args=${jetty.etc}/jetty.xml,${jetty.etc}/jetty-http.xml,${jetty.etc}/jetty-requestlog.xml,${jetty.etc}/jetty-https.xml
##############################################################################################
To redirect HTTP requests to HTTPS (optional), append ,${jetty.etc}/jetty-http-redirect-to-https.xml to nexus-args.
# vim /opt/nexus-3.5.0-02/etc/jetty/jetty-https.xml
(set the keystore path and the store/key passwords in this file to the values used with keytool above)
If the keystore file keystore.jks is regenerated periodically:
1. Regenerate keystore.jks with keytool using the new password, and update this configuration file accordingly
2. If it was generated as root, chown its owner and group to the nexus service user
3. The generated keystore (nexus.jks) has permissions 644 by default; for safety, chmod it to 600
Restart the service
# systemctl restart nexus
# systemctl status nexus
# ss -tan
# ss -tan | grep 8081
# ss -tan | grep 8443
Temporarily stop the firewall
# systemctl stop firewalld
Browse to http://192.168.1.103:8081
Browse to https://192.168.1.103:8443
Note: if the redirect is enabled, nexus only listens on port 8081, but requests to 8081 are redirected to 8443, so the firewall policy must also open port 8443; if the redirect is not enabled, the nexus server listens on both 8081 and 8443.
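As an added check for the keystore rotation notes above (example code, not part of the original post): it verifies that a rotated keystore is owned by the service user with mode 600 and that nexus.properties still enables the HTTPS connector. It relies on GNU stat; the demo tree and the expected-owner argument are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: checks for the keystore
# rotation notes above. A rotated keystore must stay owned by the nexus
# user with mode 600 (keytool creates it 644), and nexus.properties must
# still enable the HTTPS port and the jetty-https.xml connector.
# Relies on GNU stat; the demo tree below is constructed, not a real install.

# usage: check_keystore /opt/nexus-3.5.0-02/etc/ssl/keystore.jks nexus
check_keystore() {
    ks="$1"; owner="$2"
    [ -f "$ks" ] || { echo "missing keystore: $ks"; return 1; }
    set -- $(stat -c '%a %U' "$ks")          # "<octal mode> <owner>"
    [ "$2" = "$owner" ] || { echo "$ks is owned by $2, expected $owner"; return 1; }
    [ "$1" = "600" ]    || { echo "$ks has mode $1, expected 600"; return 1; }
}

# usage: check_nexus_properties /opt/sonatype-work/nexus3/etc/nexus.properties
check_nexus_properties() {
    props="$1"; rc=0
    grep -q '^application-port-ssl=[0-9][0-9]*$' "$props" \
        || { echo "application-port-ssl not set in $props"; rc=1; }
    grep '^nexus-args=' "$props" | grep -q 'jetty-https\.xml' \
        || { echo "jetty-https.xml missing from nexus-args: HTTPS connector is off"; rc=1; }
    return $rc
}

if [ "${1:-}" = "--demo" ]; then             # ./nexus_tls_check.sh --demo
    d=$(mktemp -d)
    : > "$d/keystore.jks"; chmod 644 "$d/keystore.jks"   # as keytool leaves it
    cat > "$d/nexus.properties" <<'EOF'
application-host=192.168.1.103
application-port-ssl=8443
nexus-args=${jetty.etc}/jetty.xml,${jetty.etc}/jetty-http.xml,${jetty.etc}/jetty-requestlog.xml,${jetty.etc}/jetty-https.xml
EOF
    check_keystore "$d/keystore.jks" "$(id -un)"        # reports mode 644
    chmod 600 "$d/keystore.jks"
    check_keystore "$d/keystore.jks" "$(id -un)" && check_nexus_properties "$d/nexus.properties" && echo "ok"
    rm -rf "$d"
fi
```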
VI. Create the repository and accounts
Open https://192.168.1.103:8443
Default login: admin/admin123
After logging in, press F5 to refresh the page manually
Create the Docker repository
Create the account used by clients
Create a role; a role is a set of privileges that can be granted to a user
We have now created a Docker repository:
Docker repository name: test
Docker repository address: 192.168.1.103:2019
Login users: admin/admin123, test/Test@123
VII. Custom firewall policy
CentOS 7.x uses firewalld by default; the firewall daemon is firewalld
# systemctl start firewalld.service
# systemctl enable firewalld.service
# firewall-cmd --zone=public --add-port=8443/tcp --permanent
# firewall-cmd --zone=public --add-port=2019/tcp --permanent
# firewall-cmd --reload
What if we want to use iptables instead, and have the rules written in iptables syntax loaded at boot?
Stop and disable firewalld
# systemctl stop firewalld
# systemctl disable firewalld
Create the firewall rules file
# iptables-save -t raw > /etc/iptables.rules
# iptables-save -t mangle >> /etc/iptables.rules
# iptables-save -t nat >> /etc/iptables.rules
# iptables-save -t filter >> /etc/iptables.rules
# vim /etc/iptables.rules
Change the filter table's default INPUT policy to DROP and only allow specific ports
################################################################
# Generated by iptables-save v1.4.21 on Wed Jul 24 23:47:16 2019
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
# Completed on Wed Jul 24 23:47:16 2019
# Generated by iptables-save v1.4.21 on Wed Jul 24 23:47:22 2019
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed on Wed Jul 24 23:47:22 2019
# Generated by iptables-save v1.4.21 on Wed Jul 24 23:47:33 2019
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed on Wed Jul 24 23:47:33 2019
# Generated by iptables-save v1.4.21 on Wed Jul 24 23:47:40 2019
*filter
:INPUT DROP [119:68389]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [64:18420]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8443 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 2019 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT
# Completed on Wed Jul 24 23:47:40 2019
################################################################
Create the iptables service file
# vim /etc/systemd/system/iptables.service
############################################
[Unit]
Description=iptables rules service
[Service]
Type=oneshot
ExecStart=/usr/sbin/iptables-restore /etc/iptables.rules
ExecStop=/usr/sbin/iptables -P INPUT ACCEPT
ExecStop=/usr/sbin/iptables -F
RemainAfterExit=yes
[Install]
WantedBy=multi-user.target
############################################
# systemctl daemon-reload
# systemctl start iptables.service
# systemctl enable iptables.service
# systemctl status iptables.service
Check the loaded rules
# iptables -nvL --line
After hardening, port 8081 on the nexus server is blocked, so http://192.168.1.103:8081 is no longer reachable; use https://192.168.1.103:8443 instead.
Test the ports
# echo > /dev/tcp/192.168.1.103/8081
# echo > /dev/tcp/192.168.1.103/8443
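An added lint for the rules file built above (example code, not part of the original post): it checks the *filter table for the mistakes that lock an admin out of a DROP policy (no SSH or loopback rule, no ESTABLISHED,RELATED rule). The two sample tables are constructed; the second deliberately leaves the loopback and SSH rules out.

```shell
#!/bin/sh
# Added example, not from the original post: lint the *filter table of an
# iptables-save style file (such as /etc/iptables.rules above) for the
# mistakes that lock an admin out or silently break a DROP policy.
# Prints one finding per line and returns 1 if any were found.

# usage: lint_filter_rules /etc/iptables.rules
lint_filter_rules() {
    f=$(sed -n '/^\*filter/,/^COMMIT/p' "$1")   # only the filter table
    [ -n "$f" ] || { echo "no *filter table found in $1"; return 1; }
    rc=0
    printf '%s\n' "$f" | grep -q '^:INPUT DROP' \
        || { echo "INPUT policy is not DROP"; rc=1; }
    printf '%s\n' "$f" | grep -q -- '^-A INPUT -i lo -j ACCEPT' \
        || { echo "no loopback ACCEPT rule: local connections will be dropped"; rc=1; }
    printf '%s\n' "$f" | grep -q -- '--dport 22 .*-j ACCEPT' \
        || { echo "tcp/22 not allowed: lockout risk when the rules are restored"; rc=1; }
    printf '%s\n' "$f" | grep -Eq -- '--state [A-Z,]*ESTABLISHED[A-Z,]* -j ACCEPT' \
        || { echo "no ESTABLISHED,RELATED rule: reply traffic will be dropped"; rc=1; }
    return $rc
}

# Constructed sample: the filter table from this post.
sample_filter_ok() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8443 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 2019 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

# Constructed sample: the same table with the loopback and SSH rules left out.
sample_filter_incomplete() { sample_filter_ok | grep -v -e ' -i lo ' -e '--dport 22 '; }
```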
VIII. Install Docker on the client
Install Docker
# yum -y install yum-utils device-mapper-persistent-data lvm2
# yum-config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo
# yum list docker-ce --showduplicates | sort -r
# yum -y install docker-ce-18.06.0.ce
# systemctl start docker
# systemctl status docker
# systemctl enable docker
# docker version
Configure a registry mirror
# curl -sSL https://get.daocloud.io/daotools/set_mirror.sh | sh -s http://f1361db2.m.daocloud.io
# systemctl restart docker
# cat /etc/docker/daemon.json
IX. Two ways to log in to the registry
Method 1: install keytool and fetch the Nexus certificate
# yum -y install java
# java -version
# keytool --help
# keytool -printcert -sslserver 192.168.1.103:2019 -rfc
# keytool -printcert -sslserver 192.168.1.103:2019 -rfc > /etc/pki/ca-trust/source/anchors/nexus.crt
# cat /etc/pki/ca-trust/source/anchors/nexus.crt
# update-ca-trust
# systemctl restart docker
Method 2: skip fetching the certificate and mark the registry as insecure in the client's Docker daemon (the registry's TLS certificate is then not verified)
# systemctl status docker
# vim /usr/lib/systemd/system/docker.service
#####################################################
ExecStart=/usr/bin/dockerd --insecure-registry 192.168.1.103:2019
######################################################
# systemctl daemon-reload
# systemctl restart docker
Log in to the Docker repository we created
# docker login 192.168.1.103:2019 -u test -p "Test@123"
# docker login 192.168.1.103:2019 -u admin -p "admin123"
# cat /root/.docker/config.json
The admin user can pull and push images; the test user, according to the role permissions set above, can only pull images.
Test image pull/push
# docker pull busybox:latest
# docker tag busybox:latest 192.168.1.103:2019/busybox:v1
# docker push 192.168.1.103:2019/busybox:v1
Open https://192.168.1.103:8443
admin/admin123
Logging out of the Docker repository
# docker logout 192.168.1.103:2019
# cat /root/.docker/config.json
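An added audit of the config.json shown above (example code, not part of the original post): it lists the registries and user names that docker login has stored, decoding the base64 "auth" value, which is only encoded, not encrypted, when no credential helper is configured. The sample config is constructed, and the parser assumes the one-key-per-line layout that docker itself writes.

```shell
#!/bin/sh
# Added example, not from the original post: audit which registries have
# credentials stored in a Docker client config.json and show the user name
# behind each entry. Without a credential helper, `docker login` stores
# base64("user:password") under "auths"; that is encoding, not encryption,
# so `docker logout` actually matters on shared hosts.

# usage: docker_auth_entries /root/.docker/config.json  ->  "registry user" lines
# Assumes the one-key-per-line layout that docker itself writes.
docker_auth_entries() {
    awk -F'"' '
        # a key opening an object, e.g.   "192.168.1.103:2019": {
        /^[ \t]*"[^"]+":[ \t]*\{/ { registry = $2; next }
        # the stored credential line:     "auth": "dGVzdDpUZXN0QDEyMw=="
        /^[ \t]*"auth":[ \t]*"/   { print registry, $4 }
    ' "$1" | while read -r registry b64; do
        user=$(printf '%s' "$b64" | base64 -d 2>/dev/null | cut -d: -f1)
        printf '%s %s\n' "$registry" "${user:-<undecodable>}"
    done
}

# Constructed sample of what docker writes after
#   docker login 192.168.1.103:2019 -u test -p "Test@123"
sample_config() {
    cat <<'EOF'
{
	"auths": {
		"192.168.1.103:2019": {
			"auth": "dGVzdDpUZXN0QDEyMw=="
		}
	},
	"HttpHeaders": {
		"User-Agent": "Docker-Client/18.06.0-ce (linux)"
	}
}
EOF
}

if [ "${1:-}" = "--demo" ]; then   # ./docker_auth_audit.sh --demo
    tmp=$(mktemp); sample_config > "$tmp"
    docker_auth_entries "$tmp"      # prints: 192.168.1.103:2019 test
    rm -f "$tmp"
fi
```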
X. References
https://www.sonatype.org
https://sonatype-download.global.ssl.fastly.net/nexus/3/nexus-3.5.0-02-unix.tar.gz
http://books.sonatype.com/nexus-book/pdf3/nxbook-pdf.pdf
http://www.eclipse.org/jetty/documentation/9.3.x/configuring-ssl.html
https://docs.docker.com/engine/reference/commandline/login
https://docs.docker.com/engine/reference/commandline/login/#parent-command
https://github.com/codeclou/docker-sonatype-nexus-repository-oss
http://blog.codecp.org/2016/05/23/Nexus%20oss%203.0%20%E6%9E%84%E5%BB%BAdocker%E4%BB%93%E5%BA%93
https://docs.docker.com/registry/insecure/#docker-still-complains-about-the-certificate-when-using-authentication
systemd.service manual (Chinese)
http://www.jinbuguo.com/systemd/systemd.service.html