2021-05-12 14:32:11
Installing a private Docker Registry on CentOS 6.x
Notes:
“
docker.yy.com is the domain name of the Docker registry server, that is, the host address of your company's private Docker server; assume its IP is 192.168.2.114. Because the HTTPS SSL certificate cannot be issued for an IP address, I simply made up a name.
registry: the registry server is the upstream server that handles the final upload and download of Docker images; the official image is used.
nginx 1.4.x: nginx is used as the reverse proxy server.
”
[X] Docker server-side setup
Install dependencies
yum -y install gcc make file &&
yum -y install tar pcre-devel pcre-static openssl openssl-devel httpd-tools
Set up SSL
(1) Edit /etc/hosts and add the IP address of docker.yy.com, for example:
192.168.2.114 docker.yy.com
(2) Generate the root key
First delete the following files:
“
/etc/pki/CA/cacert.pem
/etc/pki/CA/index.txt
/etc/pki/CA/index.txt.attr
/etc/pki/CA/index.txt.old
/etc/pki/CA/serial
/etc/pki/CA/serial.old
”
cd /etc/pki/CA/
openssl genrsa -out private/cakey.pem 2048
(3) Generate the root certificate
openssl req -new -x509 -key private/cakey.pem -out cacert.pem
Output:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:beijing
Organization Name (eg, company) [Default Company Ltd]:youyuan
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:docker.yy.com
Email Address []:
“
You will be prompted for a few values; since this is a private CA you can enter anything, but remember what you enter so that later entries stay consistent, especially the "Common Name". The self-signed certificate cacert.pem above should now exist under /etc/pki/CA.
”
(4) Generate the SSL key for our nginx web server
mkdir -p /etc/nginx/ssl
cd /etc/nginx/ssl
openssl genrsa -out nginx.key 2048
“
Here the CA and the server requesting the certificate are the same machine; otherwise the key would be generated on the other server that needs the certificate.
”
(5) Generate a certificate signing request for nginx
openssl req -new -key nginx.key -out nginx.csr
Output:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:beijing
Organization Name (eg, company) [Default Company Ltd]:youyuan
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:docker.yy.com
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
“
You will again be prompted for some values; the Common Name must be the domain name or host name of the server the certificate is issued to, and the challenge password is left empty.
”
(6) Have the private CA sign the certificate from the request
touch /etc/pki/CA/index.txt
touch /etc/pki/CA/serial
echo 00 > /etc/pki/CA/serial
openssl ca -in nginx.csr -out nginx.crt
Output:
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 0 (0x0)
Validity
Not Before: Dec 9 09:59:20 2014 GMT
Not After : Dec 9 09:59:20 2015 GMT
Subject:
countryName = CN
stateOrProvinceName = beijing
organizationName = youyuan
commonName = docker.yy.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
5D:6B:02:FF:9E:F8:EA:1B:73:19:47:39:4F:88:93:9F:E7:AC:A5:66
X509v3 Authority Key Identifier:
keyid:46:DC:F1:A5:6F:39:EC:6E:77:03:3B:C4:34:03:7E:B8:0A:ED:99:41
Certificate is to be certified until Dec 9 09:59:20 2015 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
“
You will be prompted again; just answer y.
”
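Steps (2) to (6) above carried out non-interactively in one directory, as an added example that is not part of the original guide: it uses "openssl x509 -req" instead of the guide's "openssl ca" database, gives the CA its own Common Name rather than reusing the registry host name, and adds a subjectAltName, which current Go-based Docker clients require (Go 1.15+ ignores the CN). It assumes openssl is on PATH; DIR, HOST and the subject fields are demo values.

```shell
#!/bin/sh
# Added example, not code from the original guide: builds the private CA and
# the nginx server certificate in one directory without prompts. It swaps the
# guide's "openssl ca" database (index.txt/serial) for "openssl x509 -req" and
# adds a subjectAltName. Assumes openssl on PATH; DIR, HOST and the subject
# fields are demo values.
set -eu

# make_registry_pki DIR HOST
#   Writes DIR/cakey.pem, DIR/cacert.pem (the root to distribute to clients),
#   DIR/nginx.key, DIR/nginx.csr and DIR/nginx.crt (for /etc/nginx/ssl/).
make_registry_pki() {
    dir=$1; host=$2
    mkdir -p "$dir"
    # root CA: 2048-bit key and a self-signed certificate valid for 10 years
    openssl genrsa -out "$dir/cakey.pem" 2048 2>/dev/null
    openssl req -new -x509 -days 3650 -key "$dir/cakey.pem" -out "$dir/cacert.pem" \
        -subj "/C=CN/ST=beijing/L=beijing/O=youyuan/CN=youyuan-docker-ca"
    # server key and CSR; the CN is the registry host name, as in step (5)
    openssl genrsa -out "$dir/nginx.key" 2048 2>/dev/null
    openssl req -new -key "$dir/nginx.key" -out "$dir/nginx.csr" \
        -subj "/C=CN/ST=beijing/L=beijing/O=youyuan/CN=$host"
    # leaf extensions: not a CA, server authentication only, SAN = host name
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n' \
        "$host" > "$dir/server.ext"
    openssl x509 -req -days 365 -in "$dir/nginx.csr" -CA "$dir/cacert.pem" \
        -CAkey "$dir/cakey.pem" -CAcreateserial -extfile "$dir/server.ext" \
        -out "$dir/nginx.crt" 2>/dev/null
    # private keys must not be world-readable
    chmod 600 "$dir/cakey.pem" "$dir/nginx.key"
}

# verify_registry_cert DIR HOST
#   Exit 0 only if nginx.crt chains to cacert.pem, is not itself a CA, is
#   currently valid and names HOST in its subjectAltName; else print why.
verify_registry_cert() {
    dir=$1; host=$2
    openssl verify -CAfile "$dir/cacert.pem" "$dir/nginx.crt" >/dev/null 2>&1 \
        || { echo "nginx.crt does not chain to cacert.pem"; return 1; }
    text=$(openssl x509 -in "$dir/nginx.crt" -noout -text)
    echo "$text" | grep -q 'CA:FALSE' \
        || { echo "nginx.crt is not marked CA:FALSE"; return 1; }
    echo "$text" | grep -q "DNS:$host" \
        || { echo "nginx.crt has no subjectAltName for $host"; return 1; }
    openssl x509 -in "$dir/nginx.crt" -noout -checkend 0 >/dev/null 2>&1 \
        || { echo "nginx.crt has expired"; return 1; }
    echo "nginx.crt is valid for $host"
}
```

Run as `make_registry_pki /etc/nginx/ssl docker.yy.com && verify_registry_cert /etc/nginx/ssl docker.yy.com`; the cacert.pem it writes is the file the client steps later distribute.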
Install, configure and run nginx
(1) Add the group and user:
groupadd www -g 58
useradd -u 58 -g www www
(2) Download the nginx source:
cd /tmp
wget http://nginx.org/download/nginx-1.4.6.tar.gz
(3) Compile and install nginx:
tar zxvf ./nginx-1.4.6.tar.gz
cd ./nginx-1.4.6 &&
./configure --user=www --group=www --prefix=/opt/nginx \
    --with-pcre \
    --with-http_stub_status_module \
    --with-http_ssl_module \
    --with-http_addition_module \
    --with-http_realip_module \
    --with-http_flv_module &&
make &&
make install
cd /tmp
rm -rf /tmp/nginx-1.4.6/
rm /tmp/nginx-1.4.6.tar.gz
(4) Generate the htpasswd file (${USER} and ${PASSWORD} are the registry user name and password; -c creates the file and -b takes the password from the command line)
htpasswd -cb /opt/nginx/conf/.htpasswd ${USER} ${PASSWORD}
(5) Edit the /opt/nginx/conf/nginx.conf file:
#daemon off;
# user and group the worker processes run as
user www www;
# number of worker processes (usually equal to the total number of CPU cores)
worker_processes auto;
# error log path and level; the level is one of [debug | info | notice | warn | error | crit]
error_log /var/log/nginx_error.log error;
# pid file path
#pid logs/nginx.pid;
# maximum number of open file descriptors per worker
worker_rlimit_nofile 51200;
events {
    # network I/O model: epoll is recommended on Linux, kqueue on FreeBSD
    use epoll;
    # maximum number of connections per worker
    worker_connections 51200;
    multi_accept on;
}
http {
    include mime.types;
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$upstream_addr"';
    access_log /var/log/nginx_access.log main;
    # bucket size of the server names hash table; the default depends on the CPU cache
    server_names_hash_bucket_size 128;
    # buffer sizes for client request headers
    client_header_buffer_size 32k;
    large_client_header_buffers 4 32k;
    # enable sendfile()
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    upstream registry {
        server 127.0.0.1:5000;
    }
    server {
        listen 443;
        # the certificate below was issued for docker.yy.com, so clients must connect by that name
        server_name 192.168.2.114;
        ssl on;
        ssl_certificate /etc/nginx/ssl/nginx.crt;
        ssl_certificate_key /etc/nginx/ssl/nginx.key;
        client_max_body_size 0; # disable any limits to avoid HTTP 413 for large image uploads
        # required to avoid HTTP 411: see Issue #1486 (https://github.com/docker/docker/issues/1486)
        chunked_transfer_encoding on;
        location / {
            auth_basic "registry";
            auth_basic_user_file /opt/nginx/conf/.htpasswd;
            root html;
            index index.html index.htm;
            proxy_pass http://registry;
            proxy_set_header Host $http_host;
            proxy_set_header X-Real-IP $remote_addr;
            # nginx has already checked the basic-auth credentials; do not forward them to the registry
            proxy_set_header Authorization "";
            client_body_buffer_size 128k;
            proxy_connect_timeout 90;
            proxy_send_timeout 90;
            proxy_read_timeout 90;
            proxy_buffer_size 8k;
            proxy_buffers 4 32k;
            proxy_busy_buffers_size 64k; # on a busy system larger proxy_buffers can be requested; the official recommendation is *2
            proxy_temp_file_write_size 64k; # size of the proxy's temporary cache files
        }
        # the health-check endpoints are served without authentication
        location /_ping {
            auth_basic off;
            proxy_pass http://registry;
        }
        location /v1/_ping {
            auth_basic off;
            proxy_pass http://registry;
        }
    }
}
(6) Validate the configuration
/opt/nginx/sbin/nginx -t
Output:
“
nginx: the configuration file /opt/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /opt/nginx/conf/nginx.conf test is successful
”
(7) Start nginx:
/opt/nginx/sbin/nginx
(8) Verify that nginx has started:
ps -ef | grep -i 'nginx'
Output like the following means nginx is running normally!
root 27133 1 0 18:58 ? 00:00:00 nginx: master process /opt/nginx/sbin/nginx
www 27134 27133 0 18:58 ? 00:00:00 nginx: worker process
www 27135 27133 0 18:58 ? 00:00:00 nginx: worker process
www 27136 27133 0 18:58 ? 00:00:00 nginx: worker process
www 27137 27133 0 18:58 ? 00:00:00 nginx: worker process
www 27138 27133 0 18:58 ? 00:00:00 nginx: worker process
www 27139 27133 0 18:58 ? 00:00:00 nginx: worker process
www 27140 27133 0 18:58 ? 00:00:00 nginx: worker process
www 27141 27133 0 18:58 ? 00:00:00 nginx: worker process
www 27142 27133 0 18:58 ? 00:00:00 nginx: worker process
www 27143 27133 0 18:58 ? 00:00:00 nginx: worker process
www 27144 27133 0 18:58 ? 00:00:00 nginx: worker process
www 27145 27133 0 18:58 ? 00:00:00 nginx: worker process
www 27146 27133 0 18:58 ? 00:00:00 nginx: worker process
www 27147 27133 0 18:58 ? 00:00:00 nginx: worker process
www 27148 27133 0 18:58 ? 00:00:00 nginx: worker process
www 27149 27133 0 18:58 ? 00:00:00 nginx: worker process
www 27150 27133 0 18:58 ? 00:00:00 nginx: worker process
www 27151 27133 0 18:58 ? 00:00:00 nginx: worker process
www 27152 27133 0 18:58 ? 00:00:00 nginx: worker process
www 27153 27133 0 18:58 ? 00:00:00 nginx: worker process
www 27154 27133 0 18:58 ? 00:00:00 nginx: worker process
www 27155 27133 0 18:58 ? 00:00:00 nginx: worker process
www 27156 27133 0 18:58 ? 00:00:00 nginx: worker process
www 27157 27133 0 18:58 ? 00:00:00 nginx: worker process
root 27160 42863 0 18:58 pts/0 00:00:00 grep -i nginx
Configure and run Docker
(1) Stop docker
service docker stop
(2) Edit the /etc/sysconfig/docker file and add the following line
DOCKER_OPTS="--insecure-registry docker.yy.com --tlsverify --tlscacert /etc/pki/CA/cacert.pem"
(3) Copy the root certificate into the /etc/docker/certs.d/docker.yy.com/ directory
mkdir -p /etc/docker/certs.d/docker.yy.com/
cp /etc/pki/CA/cacert.pem /etc/docker/certs.d/docker.yy.com/ca-certificates.crt
(4) Start docker
service docker start
Download, configure and run the registry image
(1) Pull the image
docker pull registry
(2) Run the image
mkdir -p /opt/registry
docker run -d -e STORAGE_PATH=/registry -v /opt/registry:/registry -p 127.0.0.1:5000:5000 --name registry registry
“
A brief explanation of the command:
-p 127.0.0.1:5000:5000 The registry acts as the upstream server, so port 5000 does not need to be published externally: all outside access goes through nginx in front, and nginx reaches the registry on the private network.
”
(3) Verify the registry:
“
Open https://docker.yy.com in a browser
or: curl -i -k https://abc:123@docker.yy.com
”
This completes the server-side setup!
[X] Docker client setup
(1) Edit /etc/hosts and add the IP address of docker.yy.com, for example:
192.168.2.114 docker.yy.com
(2) Append the root certificate of the Docker registry server to the ca-certificates.crt file
First copy the file /etc/pki/CA/cacert.pem from the Docker registry server to the local machine, then run:
cat ./cacert.pem >> /etc/pki/tls/certs/ca-certificates.crt
(3) Verify the registry at docker.yy.com:
“
Open https://docker.yy.com in a browser
or: curl -i -k https://abc:123@docker.yy.com
”
(4) Steps for using the private registry:
• Log in: docker login -u abc -p 123 -e "test@gmail.com" https://docker.yy.com
• Tag the image with the private registry name: docker tag centos:centos6 docker.yy.com/centos:centos6
• Publish: docker push docker.yy.com/centos:centos6
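An added example, not from the original guide, that installs the CA per registry host under /etc/docker/certs.d/<host>/ (the server-side step 3 above) instead of appending it to the system-wide ca-certificates.crt bundle (the client-side step 2), and checks that a served certificate chains to it; it assumes openssl on PATH, and the CERTS_ROOT parameter and the ca.crt file name are demo choices.

```shell
#!/bin/sh
# Added example, not from the original guide: installs the private CA for one
# registry host under /etc/docker/certs.d/<host>/ rather than appending it to
# the system-wide ca-certificates.crt bundle. Docker validates a registry's TLS
# certificate with the *.crt files in certs.d/<host>/; --insecure-registry
# turns that validation off, and --tlsverify/--tlscacert only protect the
# daemon's own API socket. Assumes openssl on PATH; CERTS_ROOT is a parameter
# so the functions can be exercised in a temporary directory.
set -eu

# install_registry_ca HOST CACERT [CERTS_ROOT]
#   Copies CACERT to CERTS_ROOT/HOST/ca.crt after checking that it is a
#   currently valid CA certificate; prints the reason and returns 1 otherwise.
install_registry_ca() {
    host=$1; cacert=$2; root=${3:-/etc/docker/certs.d}
    openssl x509 -in "$cacert" -noout >/dev/null 2>&1 \
        || { echo "$cacert is not a PEM X.509 certificate"; return 1; }
    # only a CA certificate belongs here; a leaf certificate would never verify anything
    openssl x509 -in "$cacert" -noout -text | grep -q 'CA:TRUE' \
        || { echo "$cacert is not a CA certificate"; return 1; }
    openssl x509 -in "$cacert" -noout -checkend 0 >/dev/null 2>&1 \
        || { echo "$cacert has expired"; return 1; }
    mkdir -p "$root/$host"
    cp "$cacert" "$root/$host/ca.crt"
    chmod 644 "$root/$host/ca.crt"
    echo "installed CA for $host in $root/$host/ca.crt"
}

# registry_ca_trusted HOST CERT [CERTS_ROOT]
#   Exit 0 if CERT (what nginx serves for HOST) chains to a CA installed for
#   HOST, mirroring the per-registry trust lookup the Docker daemon performs.
registry_ca_trusted() {
    host=$1; cert=$2; root=${3:-/etc/docker/certs.d}
    for ca in "$root/$host"/*.crt; do
        [ -f "$ca" ] || continue
        openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 && return 0
    done
    return 1
}
```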
[X] Server side: steps for working with the private repository:
1. Pull the image from the official registry!
docker pull centos:centos6
2. Look up the image ID
Run docker images
Output:
root@pts/0 # docker images
REPOSITORY TAG IMAGE ID CREATED VIRTUAL SIZE
centos centos6 25c5298b1a36 8 days ago 215.8 MB
3. Give the image a tag for the private repository
docker tag 25c5298b1a36 docker.yy.com/centos:centos6
4. Push to the private repository
docker push docker.yy.com/centos:centos6
5. View the images
docker images
Output:
root@pts/0 # docker images
REPOSITORY TAG IMAGE ID CREATED VIRTUAL SIZE
centos centos6 25c5298b1a36 8 days ago 215.8 MB
docker.yy.com/centos centos6 25c5298b1a36 8 days ago 215.8 MB
[X] Client side: steps for working with the private repository:
1. Pull the image from the private repository!
docker pull docker.yy.com/centos:centos6
2. View the images
docker images
Output:
root@pts/0 # docker images
REPOSITORY TAG IMAGE ID CREATED VIRTUAL SIZE
docker.yy.com/centos centos6 25c5298b1a36 8 days ago 215.8 MB
Shipyard, a web management interface for Docker
[0] Edit the /etc/sysconfig/docker file
Add -H tcp://0.0.0.0:4243 -H unix:///var/run/docker.sock to DOCKER_OPTS, for example:
DOCKER_OPTS="-H tcp://0.0.0.0:4243 -H unix:///var/run/docker.sock --insecure-registry docker.yy.com --tlsverify --tlscacert /etc/pki/CA/cacert.pem --registry-mirror=http://d194d5cb.m.daocloud.io"
[1] Start a data volume instance of RethinkDB:
docker run -it -d --name shipyard-rethinkdb-data --entrypoint /bin/bash shipyard/rethinkdb -l
[2] Start RethinkDB using the data volume container:
docker run -it -P -d --name shipyard-rethinkdb --volumes-from shipyard-rethinkdb-data shipyard/rethinkdb
“
If your server is directly accessible on the Internet, please note that your RethinkDB installation may publicly listen on ports 49153 (local instance), 49154 (cluster) and 49155 (web interface), and so be accessible to all.
”
[3] Start the Shipyard controller:
docker run -it -p 8080:8080 -d --name shipyard --link shipyard-rethinkdb:rethinkdb shipyard/shipyard
“
Shipyard will create a default user account with the username admin and the password shipyard.
You should then be able to open a browser to http://<your-host-ip>:8080 and see the Shipyard login.
”
Appendix:
(1) Drawbacks:
“
The server side can log in to the official Docker Hub and can pull from and push to both the official and the private repositories!
The client side can only work with the private repository that was set up!
The private repository cannot be searched!
”
(2) Advantages:
“
All build, pull and push operations can only be performed on the private repository's server side, which lowers the risk to the enterprise!
”
(3) When the client does docker login to the official site https://index.docker.io/v1/ and gets the error x509: certificate signed by unknown authority
“
Rename the root certificate bundle: mv /etc/pki/tls/certs/ca-certificates.crt /etc/pki/tls/certs/ca-certificates.crt.bak
Restart the docker service: service docker restart
”