Docker registry v2 + Nginx private registry setup

This example uses two CentOS 7 servers for testing:

node1: 192.168.56.102 (the registry server); the second machine, node0, only acts as a Docker client

Starting the registry without authentication

Building an HTTPS private registry on a domain name

1. node1 is the private registry server; add the host mapping to /etc/hosts on both machines:

192.168.56.102 abiao.com

Since we use HTTPS we need a certificate. This article uses an OpenSSL self-signed certificate; a tool such as Let's Encrypt works just as well. First generate the private key and certificate on node1:

[root@iz51hzu4zdjgpnz ~]# mkdir -p /srv/data/registry/certs
[root@iz51hzu4zdjgpnz ~]# cd /srv/data/registry/certs
[root@iz51hzu4zdjgpnz certs]# openssl req -newkey rsa:4096 -nodes \
    -sha256 -keyout ./abiao.key -x509 -days 365 -out ./abiao.crt

Enter the subject information at the prompts. The Common Name must be the registry host name exactly as clients will address it (abiao.com here); a mismatch makes every docker pull and push fail with a certificate error. Newer Docker releases (built with Go 1.15 or later) additionally require the host name in a subjectAltName extension, which this interactive prompt does not add; they reject a CN-only certificate with "certificate relies on legacy Common Name field", so supply the extension through an OpenSSL config file or -addext when targeting them:

Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Beijing
Locality Name (eg, city) [Default City]:Changping
Organization Name (eg, company) [Default Company Ltd]:foo
Organizational Unit Name (eg, section) []:bar
Common Name (eg, your name or your server's hostname) []:abiao.com
Email Address []:[email protected]

That completes the self-signed certificate. abiao.key is the registry's private key: keep it readable by root only (chmod 600).

Because the certificate is self-signed, Docker does not trust it by default, so it must be added to Docker's per-registry trust store. On CentOS 7 (as on other Linux hosts) the daemon reads every *.crt file under /etc/docker/certs.d/<host>:<port>/ as an extra CA for that registry; the directory name must match the host:port used in image references exactly:

On node1:

[root@iz51hzu4zdjgpnz certs]# mkdir -p /etc/docker/certs.d/abiao.com:5000
[root@iz51hzu4zdjgpnz certs]# cp abiao.crt /etc/docker/certs.d/abiao.com:5000/

The same copy is needed under /etc/docker/certs.d/abiao.com:5000/ on every client that will pull from the registry, node0 included.
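The certificate and trust-store steps above, as an added shell example that is not part of the original article: it generates a self-signed certificate that also carries the subjectAltName current Docker releases insist on, and installs it into the certs.d directory that matches a given host:port. The host name, output paths, the DESTROOT prefix (for dry runs without root) and the subject fields are assumptions for illustration; only openssl and coreutils are used.

```shell
#!/bin/sh
# Added example (not from the original article): self-signed registry certificate
# with a subjectAltName, plus installation into Docker's per-registry trust directory.
# Host name, paths and the DESTROOT prefix are assumptions for illustration.

# make_registry_cert HOST OUTDIR [DAYS]
# Writes OUTDIR/HOST.key and OUTDIR/HOST.crt. The DNS SAN is what Docker builds on
# Go 1.15+ verify; the Common Name alone is no longer sufficient.
make_registry_cert() {
    host="$1"; outdir="$2"; days="${3:-365}"
    mkdir -p "$outdir" || return 1
    # A config file works on OpenSSL 1.0.2 (CentOS 7) as well; -addext needs 1.1.1.
    cat > "$outdir/$host.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_srv
[dn]
C  = CN
O  = foo
CN = $host
[v3_srv]
subjectAltName   = DNS:$host
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
    openssl req -x509 -new -nodes -newkey rsa:4096 -sha256 -days "$days" \
        -config "$outdir/$host.cnf" \
        -keyout "$outdir/$host.key" -out "$outdir/$host.crt" 2>/dev/null || return 1
    chmod 600 "$outdir/$host.key"      # private key: root only
}

# cert_has_san CRT HOST: succeeds if the certificate lists HOST as a DNS SAN.
cert_has_san() {
    openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"
}

# install_docker_trust CRT HOSTPORT [DESTROOT]
# Copies the certificate to <DESTROOT>/etc/docker/certs.d/<HOSTPORT>/ca.crt.
# The directory name must equal the host[:port] used in image references:
# "abiao.com:5000" while the registry listens on 5000 itself, plain "abiao.com"
# once nginx serves it on 443. DESTROOT defaults to "/"; pass a scratch directory
# to dry-run the layout without root.
install_docker_trust() {
    crt="$1"; hostport="$2"; destroot="${3:-}"
    dir="$destroot/etc/docker/certs.d/$hostport"
    mkdir -p "$dir" && cp "$crt" "$dir/ca.crt" && chmod 644 "$dir/ca.crt"
}

# Usage on node1 (as root):
#   make_registry_cert abiao.com /srv/data/registry/certs
#   install_docker_trust /srv/data/registry/certs/abiao.com.crt abiao.com:5000
```

The same two calls, with the certificate copied over, prepare each client node; `openssl x509 -in abiao.com.crt -noout -text` shows the SAN block that distinguishes this certificate from the one produced by the interactive prompt.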

Write the docker-compose.yml file for registry 2:

[root@iz51hzu4zdjgpnz certs]# mkdir -p /srv/docker-compose/registry
[root@iz51hzu4zdjgpnz certs]# cd /srv/docker-compose/registry/
[root@iz51hzu4zdjgpnz certs]# vim docker-compose.yml

The contents of docker-compose.yml:

version: '2.0'

services: 
    server-registry:
        restart:  unless-stopped
        image: docker.io/registry:2.6.2
        ports: 
            - 5000:5000          # reachable by anyone on the network: no authentication yet
        environment:
            # TLS is terminated by the registry itself; the paths are inside the container
            REGISTRY_HTTP_TLS_CERTIFICATE: /certs/abiao.crt
            REGISTRY_HTTP_TLS_KEY: /certs/abiao.key
        volumes:
            - /srv/data/registry/registry-data:/var/lib/registry   # image blobs and manifests
            - /srv/data/registry/certs:/certs:ro                   # certificate and private key, read-only

Start the registry 2 container:

[root@iz51hzu4zdjgpnz registry]# docker-compose up -d

Test it:

[root@iz51hzu4zdjgpnz registry]# docker pull hello-world
[root@iz51hzu4zdjgpnz registry]# docker tag docker.io/hello-world abiao.com:5000/hello-world
[root@iz51hzu4zdjgpnz registry]# docker images
REPOSITORY                   TAG                 IMAGE ID            CREATED             SIZE
docker.io/centos             latest              e934aafc2206        4 weeks ago         199 MB
docker.io/docker             latest              cf0bbd4500c6        6 weeks ago         135 MB
docker.io/registry           2.6.2               d1fd7d86a825        3 months ago        33.3 MB
abiao.com:5000/hello-world   latest              f2a91732366c        5 months ago        1.85 kB
docker.io/hello-world        latest              f2a91732366c        5 months ago        1.85 kB

Push the image just tagged to the private registry:

[root@iz51hzu4zdjgpnz certs]# docker push abiao.com:5000/hello-world
The push refers to a repository [abiao.com:5000/hello-world]
f999ae22f308: Pushed 
latest: digest: sha256:8072a54ebb3bc136150e2f2860f00a7bf45f13eeb917cca2430fcd0054c8e51b size: 524

Test from node0, which needs the hosts entry and the certificate copy described above, by pulling the image that was just pushed:

docker pull abiao.com:5000/hello-world

At this point the private Docker registry is up.

That is how to start it without authentication.

Registry with authentication

In many situations users should have to log in before they can access the private registry. Building on the certificate and trust setup above, here is how to configure that:

[root@iz51hzu4zdjgpnz docker-compose]# cd ~
[root@iz51hzu4zdjgpnz ~]# cd /srv/data/registry/
[root@iz51hzu4zdjgpnz registry]# mkdir auth
[root@iz51hzu4zdjgpnz registry]# docker run --rm --entrypoint htpasswd registry:2.2 -Bbn miss 123123 > auth/htpasswd

Here -B selects bcrypt, the only hash format the registry's htpasswd backend can verify; -b takes the password from the command line (it ends up in the shell history and is visible in ps while the command runs, so use a real password and clear the history in production); -n prints the entry to stdout instead of writing a file. The htpasswd binary is bundled in registry images up to 2.6 and was dropped in 2.7, so with newer images use the httpd-tools package on the host or the httpd:2 image instead.

Modify the docker-compose.yml written earlier:

version: '2.0'

services: 
    server-registry:
        restart:  unless-stopped
        image: docker.io/registry:2.6.2
        ports: 
            - 5000:5000
        environment:
            REGISTRY_HTTP_TLS_CERTIFICATE: /certs/abiao.crt
            REGISTRY_HTTP_TLS_KEY: /certs/abiao.key
            REGISTRY_AUTH: htpasswd                        # built-in basic auth backend (bcrypt entries only)
            REGISTRY_AUTH_HTPASSWD_REALM: Registry Realm   # realm string sent in the WWW-Authenticate header
            REGISTRY_AUTH_HTPASSWD_PATH: /auth/htpasswd    # path inside the container
        volumes:
            - /srv/data/registry/registry-data:/var/lib/registry
            - /srv/data/registry/certs:/certs:ro
            - /srv/data/registry/auth:/auth:ro

Stop and remove the running registry container, then run docker-compose again; docker-compose up -d recreates a container whose definition has changed:

[root@iz51hzu4zdjgpnz registry]# docker-compose up -d

Now try pushing to the private registry once more:

[root@iz51hzu4zdjgpnz certs]# docker push abiao.com:5000/hello-world

Barring surprises you get:

The push refers to a repository [abiao.com:5000/hello-world]
f999ae22f308: Preparing 
no basic auth credentials

Log in before pushing, using the user and password created above:

[root@iz51hzu4zdjgpnz certs]# docker login abiao.com:5000
Username: miss
Password: 
Login Succeeded

Push again:

[root@iz51hzu4zdjgpnz certs]# docker push abiao.com:5000/hello-world
The push refers to a repository [abiao.com:5000/hello-world]
f999ae22f308: Pushed 
latest: digest: sha256:8072a54ebb3bc136150e2f2860f00a7bf45f13eeb917cca2430fcd0054c8e51b size: 524

To stop the registry service, run docker-compose in the directory that holds docker-compose.yml; down stops and removes the compose-managed container (it is named registry_server-registry_1, so docker stop registry would not find it). The images stay on disk because they live in the bind-mounted /srv/data/registry/registry-data:

[root@iz51hzu4zdjgpnz registry]# docker-compose down

The httpd-tools package

The docker-registry htpasswd file stores one username:password pair per line:

user1:password1
user2:password2

The password field is not the cleartext password but a hash. Apache's htpasswd tool can write it in several formats (bcrypt with -B, the MD5-based apr1 format by default, SHA-1 or classic crypt); the registry's htpasswd backend can verify bcrypt entries only. On CentOS the tool is provided by the httpd-tools package.

Install httpd-tools:

yum install httpd-tools -y

Let us add another user and set its password:

[root@iz51hzu4zdjgpnz registry]# htpasswd auth/htpasswd wang
New password: 
Re-type new password: 
Adding password for user wang
// This adds the user 'wang' and sets its password.

Logging in as this user fails. The cause is not a mismatch between the verification inside the container and on the host: without -B, htpasswd wrote an apr1 (MD5) entry, and the registry cannot verify any entry that is not bcrypt. Either re-add the user with the -B option, or put an nginx reverse proxy in front of the registry and let nginx perform the basic authentication, which accepts every htpasswd format. The rest of this article takes the nginx route.
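An added shell example, not from the original article, for the failure just described: it audits an htpasswd file before it is mounted into the registry container, reporting the hash scheme of each entry and whether the registry's bcrypt-only backend will be able to verify it, and it appends new entries in bcrypt form using whichever htpasswd binary is available. File names and the sample entries in the usage comment are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original article): audit an htpasswd file for the
# registry's htpasswd backend, which verifies bcrypt entries only. Apache's htpasswd
# writes bcrypt only with -B and defaults to the MD5-based apr1 format.
# File paths and sample data are constructed for illustration.

# htpasswd_scheme HASH: prints the hash scheme of one password field.
htpasswd_scheme() {
    case "$1" in
        '$2y$'*|'$2a$'*|'$2b$'*) echo bcrypt ;;
        '$apr1$'*)               echo apr1-md5 ;;
        '{SHA}'*)                echo sha1 ;;
        '$5$'*|'$6$'*)           echo sha-crypt ;;
        *)                       echo crypt-or-plaintext ;;
    esac
}

# htpasswd_audit FILE: one line per entry, "USER SCHEME ok|REJECT".
# Blank lines, comments and lines without a colon are skipped.
htpasswd_audit() {
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*) continue ;; esac
        case "$line" in *:*) ;; *) continue ;; esac
        user=${line%%:*}
        hash=${line#*:}
        scheme=$(htpasswd_scheme "$hash")
        if [ "$scheme" = bcrypt ]; then verdict=ok; else verdict=REJECT; fi
        printf '%s %s %s\n' "$user" "$scheme" "$verdict"
    done < "$1"
}

# htpasswd_registry_ready FILE: succeeds only if every entry is bcrypt,
# i.e. every user listed in the file can actually log in to the registry.
htpasswd_registry_ready() {
    ! htpasswd_audit "$1" | grep -q ' REJECT$'
}

# htpasswd_add_bcrypt FILE USER PASSWORD: append a bcrypt entry.
# Uses the host's htpasswd (httpd-tools) when present, otherwise the binary shipped
# in registry images up to 2.6 (removed in 2.7; httpd:2 is the usual substitute).
# The password is passed on the command line, so expect it in the shell history.
htpasswd_add_bcrypt() {
    if command -v htpasswd >/dev/null 2>&1; then
        htpasswd -Bbn "$2" "$3" >> "$1"
    else
        docker run --rm --entrypoint htpasswd registry:2.6.2 -Bbn "$2" "$3" >> "$1"
    fi
}

# Usage (constructed sample; the hash strings are placeholders of the right shape):
#   printf '%s\n' 'miss:$2y$05$...' 'wang:$apr1$...' > auth/htpasswd
#   htpasswd_audit auth/htpasswd          # miss bcrypt ok / wang apr1-md5 REJECT
#   htpasswd_registry_ready auth/htpasswd || echo "fix the REJECT entries before starting the registry"
```

Run the audit against auth/htpasswd whenever a user is added on the host; a REJECT line is exactly the "login does not succeed" symptom above, and re-adding that user with -B clears it.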

Nginx + registry: private registry behind a reverse proxy

Steps

1. Write the docker-compose file

version: '2.0'

services:
    registry:
      restart:  always
      image: library/registry:2.3.1 
      volumes:
        - /srv/data/registry/registry-data:/var/lib/registry   # same data directory as before, so the images already pushed stay available
      expose:
        - "5000"   # reachable from linked containers (nginx) only; publishing 5000, or the 5001 debug port, on the host would let clients bypass nginx and its authentication

    nginx:
     restart:  always
     image: nginx:1.10.1
     links:
        - registry   # the upstream is resolvable as "registry" inside the nginx container
     volumes:
        - /srv/data/nginx/conf/docker-registry.htpasswd:/etc/nginx/.htpasswd:ro
        - /srv/data/nginx/conf/conf.d:/etc/nginx/conf.d:ro
        - /srv/data/registry/certs:/etc/nginx/ssl:ro
     ports:
       - 443:443

Note: create the .htpasswd file on the host first and then mount it into the container; the author keeps it under /srv/data/nginx/conf/. This file is read by nginx, which, unlike the registry's own htpasswd backend, accepts apr1 (MD5) entries as well as bcrypt.

2. Write the registry.conf configuration file

upstream docker-registry {
    server registry:5000;    # the linked registry container, not a host IP
}

server {
    listen 443 ssl;
    server_name abiao.com;   # must match the certificate's Common Name / SAN

    ssl_certificate     /etc/nginx/ssl/abiao.crt;
    ssl_certificate_key /etc/nginx/ssl/abiao.key;

    # Image layers are usually far larger than nginx's 1m default; 0 disables the limit.
    # Without this, pushes fail with HTTP 413 (hello-world is small enough to hide the problem).
    client_max_body_size 0;
    chunked_transfer_encoding on;

    # Tells the Docker client this is a v2 registry, also on 401 responses
    add_header Docker-Distribution-Api-Version registry/2.0 always;

    proxy_set_header Host $http_host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Original-URI $request_uri;
    proxy_set_header Docker-Distribution-Api-Version registry/2.0;

    location / {
        auth_basic "please input username/password";
        auth_basic_user_file /etc/nginx/.htpasswd;
        proxy_pass http://docker-registry;
        proxy_read_timeout 900;   # large blob uploads take a while
    }

    error_page 404 /404.html;
    location = /404.html {
    }

    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
    }
}

Under /srv/data/nginx/conf/ on the host, create the conf.d directory, put registry.conf in it, and mount that directory into the container as shown in the docker-compose.yml above.
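An added shell example, not from the original article, that runs a preflight check over the two files written in steps 1 and 2 before the stack is started. It flags the configurations that defeat this setup: a registry port published on the host (anyone can talk to :5000 and skip nginx's authentication), a location that proxies to the registry without auth_basic, and a missing client_max_body_size 0 (layer uploads over 1 MB fail with HTTP 413). The file names are parameters and the checks encode assumptions about a sane deployment; they are not nginx or registry features.

```shell
#!/bin/sh
# Added example (not from the original article): preflight checks for the nginx
# front door. Reads a docker-compose.yml and a registry.conf and reports settings
# that bypass or break the authenticated proxy. Checks are assumptions about what
# a sane deployment looks like; file names are parameters.

# Strip comments and blank lines so that commented-out directives do not count.
_cfg_lines() { sed -e 's/#.*$//' -e '/^[[:space:]]*$/d' "$1"; }

# compose_publishes_registry_port FILE: succeeds if a published port maps to
# container port 5000 or 5001, e.g. "- 5000:5000" or "- 127.0.0.1:5001:5001".
# An "expose:" entry ("- \"5000\"") has no colon and is not flagged.
compose_publishes_registry_port() {
    _cfg_lines "$1" | grep -Eq '^[[:space:]]*-[[:space:]]*"?([0-9.]+:)?[0-9]+:500[01]"?[[:space:]]*$'
}

# nginx_proxied_locations_unauthenticated FILE: succeeds if some location block
# contains proxy_pass but no auth_basic (one-pass awk state machine over the blocks).
nginx_proxied_locations_unauthenticated() {
    _cfg_lines "$1" | awk '
        /location[ \t]/ { inloc=1; auth=0; proxy=0 }
        inloc && /auth_basic[ \t]/ { auth=1 }
        inloc && /proxy_pass[ \t]/ { proxy=1 }
        inloc && /}/ { if (proxy && !auth) bad++; inloc=0 }
        END { exit (bad > 0 ? 0 : 1) }'
}

# nginx_body_limit_lifted FILE: succeeds if client_max_body_size is 0 (unlimited).
nginx_body_limit_lifted() {
    _cfg_lines "$1" | grep -Eq '^[[:space:]]*client_max_body_size[[:space:]]+0[[:space:]]*;'
}

# registry_preflight COMPOSE NGINXCONF: prints findings; return value is the count (0 = clean).
registry_preflight() {
    n=0
    if compose_publishes_registry_port "$1"; then
        echo "FINDING: $1 publishes registry port 5000/5001 on the host; nginx auth can be bypassed"
        n=$((n+1))
    fi
    if nginx_proxied_locations_unauthenticated "$2"; then
        echo "FINDING: $2 proxies to the registry from a location without auth_basic"
        n=$((n+1))
    fi
    if ! nginx_body_limit_lifted "$2"; then
        echo "FINDING: $2 lacks 'client_max_body_size 0;'; layer uploads over 1 MB will get HTTP 413"
        n=$((n+1))
    fi
    return $n
}

# Usage on node1:
#   registry_preflight /srv/docker-compose/registry/docker-compose.yml \
#                      /srv/data/nginx/conf/conf.d/registry.conf && docker-compose up -d
```

The registry's first compose file in this article (port 5000 published, no nginx) is the unauthenticated case by design; the check is meant for the nginx variant, where a stray "- 5000:5000" on the registry service silently turns the authentication into decoration.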

3. Verification

Verify with curl. The query succeeds and the registry still holds the image uploaded earlier, because the data directory mounted into the container is unchanged. The user and password here must exist in nginx's docker-registry.htpasswd file, which is separate from the registry's own auth/htpasswd:

[root@iz51hzu4zdjgpnz certs]$ curl --cacert abiao.crt --user miss:123 https://abiao.com:443/v2/_catalog
{"repositories":["hello-world"]}

Now try docker login with a user that does not exist. The error below is not the authentication failure one might expect but a certificate error: the trust directory was created as /etc/docker/certs.d/abiao.com:5000/, whereas nginx is addressed as abiao.com on port 443, which the daemon looks up under a different directory, /etc/docker/certs.d/abiao.com/ (the /v1/users/ path is the daemon's fallback after the v2 attempt failed the same way):

[root@iz51hzu4zdjgpnz conf]# docker login abiao.com
Username: wulei
Password: 
Error response from daemon: Get https://abiao.com/v1/users/: x509: certificate signed by unknown authority

Copy abiao.crt into /etc/docker/certs.d/abiao.com/ as well. After that an unknown user or a wrong password is rejected by nginx with HTTP 401, and docker login reports that status.

Create a new user:

[root@iz51hzu4zdjgpnz conf]# cd /srv/data/nginx/conf/
[root@iz51hzu4zdjgpnz conf]# htpasswd docker-registry.htpasswd chen
New password: 
Re-type new password: 
Adding password for user chen
// This adds the user 'chen' and sets its password; nginx accepts the default apr1 format, so -B is not required here.

Log in as the new user:

[root@iz51hzu4zdjgpnz abiao.com:5000]# docker login abiao.com
Username: chen
Password: 
Login Succeeded

Push an image to the private registry:

// tag it first
[root@iz51hzu4zdjgpnz ~]$ docker tag docker.io/hello-world abiao.com/abiao/happy-world
// abiao.com/abiao/happy-world means: push to the registry at abiao.com, into the namespace abiao, under the image name happy-world
// push
[root@iz51hzu4zdjgpnz ~]$ docker push abiao.com/abiao/happy-world

View it in a browser over https; since the certificate is self-signed, the browser asks you to add a security exception first.

Authenticate with a username and password from the htpasswd file.

Then request /v2/_catalog, which lists the repositories in the private registry, the same output as the curl call above.

That completes the setup. I hope this article helps those who are learning to build a private Docker registry.
