一、 普通模式, no ssl
setup private docker registry (参考 https://www.digitalocean.com/community/tutorials/how-to-set-up-a-private-docker-registry-on-ubuntu-14-04 and http://www.dropbit.ch/private-docker-registry-with-nginx-on-centos-7/ )
On dedicated Docker private registry host, we use CentOS7:
add CentOS-Extras repository
yum -y install docker-registry
systemctl start docker-registry
systemctl enable docker-registry
install docker to pull images you needed, then
vi /etc/sysconfig/docker
INSECURE_REGISTRY='--insecure-registry=docker-registry-host:5000'
systemctl restart docker
docker tag image-id registry-host-name:5000/ubuntu:14.04.2 , etc
docker push registry-host-name:5000/ubuntu:14.04.2, etc
查看docker private registry:
curl http://registry-host-name:5000/v1/search
on normal docker hosts that want to use this private registry:
CentOS7:
vi /etc/sysconfig/docker
INSECURE_REGISTRY='--insecure-registry=docker-registry-host:5000'
systemctl restart docker
docker pull docker-registry-host:5000/ubuntu:14.04.2
CentOS6:
vi /etc/sysconfig/docker
other_args="--registry-mirror=http://8c6d2546.m.daocloud.io --insecure-registry=docker-registry-host:5000"
service docker restart
docker pull docker-registry-host:5000/ubuntu:14.04.2
Ubuntu 14.04.2
vi /etc/default/docker
DOCKER_OPTS="--registry-mirror=http://8c6d2546.m.daocloud.io --insecure-registry=192.168.1.6:5000"
service docker restart
docker pull docker-registry-host:5000/ubuntu:14.04.2
Notes: docker run -d -p 5000:5000 -v /opt/docker/registry:/tmp/registry registry:latest
一、 安全模式, with ssl
On dedicated Docker private registry host, we use CentOS7:
add CentOS-Extras repository
yum -y install docker-registry
systemctl start docker-registry
systemctl enable docker-registry
1. Installing Nginx:
add EPEL repository
yum -y install nginx
systemctl enable nginx
systemctl start nginx
2. Configure access through Nginx to your private docker registry
vi /etc/hosts
ip-address-of-docker-registry www.ilovedocker.com
mkdir /etc/nginx/sites-available
vi /etc/nginx/sites-available/docker-registry
# For versions of Nginx > 1.3.9 that include chunked transfer encoding support
# Replace with appropriate values where necessary
upstream private-docker-registry {
server localhost:5000;
}
server {
listen 443;
server_name www.ilovedocker.com;
#ssl on;
#ssl_certificate /etc/pki/tls/certs/www.ilovedocker.com.crt;
#ssl_certificate_key /etc/pki/tls/private/www.ilovedocker.com.key;
proxy_set_header Host $http_host; # required for Docker client sake
proxy_set_header X-Real-IP $remote_addr; # pass on real client IP
client_max_body_size 0; # disable any limits to avoid HTTP 413 for large image uploads
# required to avoid HTTP 411: see Issue #1486 (https://github.com/dotcloud/docker/issues/1486)
chunked_transfer_encoding on;
location / {
# let Nginx know about our auth file
auth_basic "Restricted";
auth_basic_user_file docker-registry.htpasswd;
proxy_pass http://private-docker-registry;
}
location /_ping {
auth_basic off;
proxy_pass http://private-docker-registry;
}
location /v1/_ping {
auth_basic off;
proxy_pass http://private-docker-registry;
}
}
vi /etc/sysconfig/docker-registry
REGISTRY_ADDRESS=127.0.0.1
systemctl restart docker-registry
yum -y install httpd-tools
htpasswd -c /etc/nginx/docker-registry.htpasswd USERNAME
Open the file /etc/nginx/nginx.conf and add after the line “include /etc/nginx/conf.d/*.conf;”the following:
include /etc/nginx/sites-enabled/*;
mkdir /etc/nginx/sites-enabled
ln -s /etc/nginx/sites-available/docker-registry /etc/nginx/sites-enabled/docker-registry
systemctl reload nginx
curl USER:[email protected]:443
3. Configure Nginx to use ssl
mkdir ~/certs
cd ~/certs
create a new root key:
openssl genrsa -out dockerCA.key 2048
create a root certificate, you don’t have to answer the upcoming question, just hit enter:
openssl req -x509 -new -nodes -key dockerCA.key -days 3650 -out dockerCA.crt
create a private key for your Nginx Server:
openssl genrsa -out www.ilovedocker.com.key 2048
Next a certificate signing request is needed:
openssl req -new -key www.ilovedocker.com.key -out www.ilovedocker.com.csr
Answer the upcoming question for “Common Name” with the domain of your server, e.g: www.ilovedocker.com. Don’t provide a challenge password.
sign the certificate request:
openssl x509 -req -in www.ilovedocker.com.csr -CA dockerCA.crt -CAkey dockerCA.key -CAcreateserial -out www.ilovedocker.com.crt -days 3650
vi /etc/nginx/sites-available/docker-registry to uncomment ssl lines
cp www.ilovedocker.com.crt /etc/pki/tls/certs/
cp www.ilovedocker.com.key /etc/pki/tls/private/
update-ca-trust enable
cp dockerCA.crt /etc/pki/ca-trust/source/anchors/
update-ca-trust extract
systemctl reload nginx
curl https://USER:[email protected]
4. on remote docker host
docker with your private remote docker registry
Ubuntu 14.04:
vi /etc/hosts
ip-address-of-docker-registry www.ilovedocker.com
copy dockerCA.crt to /usr/local/share/ca-certificates
update-ca-certificates
CentOS6/7:
vi /etc/hosts
ip-address-of-docker-registry www.ilovedocker.com
copy dockerCA.crt to /etc/pki/ca-trust/source/anchors
update-ca-trust enable
update-ca-trust extract
docker login https://www.ilovedocker.com
docker pull ubuntu
docker tag ubuntu www.ilovedocker.com/ubuntu:hj
docker push www.ilovedocker.com/ubuntu:hj