转载

配置一个私有的Docker仓库

我们在本地开发时,如果内网能部署一台Docker服务器,无疑会极大的方便镜像的分享发布,有些私有镜像就是可以直接放到内网服务器上,省去了不必要的网络下载。

本课程需要配两个虚拟机,一台作为私有仓库部署,一台作为工作机。

```

//Docker仓库部署-虚拟机

docker-machine create -d virtualbox registry

//Docker工作机

docker-machine create -d virtualbox default

```

Setup1 安装并配置Registry

```

mkdir ~/docker-registry && cd $_

mkdir data

```

//mate指的是textmate -我在MAC上做了一个软链接,方便使用

//类似也可以将chrome浏览器做软链接 这样就可以直接在命令行启动chrome www.baidu.com

mate docker-compose.yml

registry:   image: registry   ports:    - 127.0.0.1:5000:5000   environment:    REGISTRY_STORAGE_FILESYSTEM_ROOTDIRECTORY: /data   volumes:    - ./data:/data

执行

docker-compose up

Setp2配置Nginx容器

mkdir ~/docker-registry/nginx

mate docker-compose.yml

```

nginx:

image: "nginx"

ports:

- 443:443

links:

- registry:registry

volumes:

- ./nginx/:/etc/nginx/conf.d:ro

registry:

image: registry

ports:

- 5000:5000

environment:

REGISTRY_STORAGE_FILESYSTEM_ROOTDIRECTORY: /data

volumes:

- ./data:/data

```

mate ~/docker-registry/nginx/registry.conf

```

upstream docker-registry {

server registry:5000;

}

server {

listen 443;

server_name registry.51yixiao.com;

# SSL

# ssl on;

# ssl_certificate /etc/nginx/conf.d/domain.crt;

# ssl_certificate_key /etc/nginx/conf.d/domain.key;

# disable any limits to avoid HTTP 413 for large image uploads

client_max_body_size 0;

# required to avoid HTTP 411: see Issue #1486 ( https://github.com/docker/docker/issues/148 6)

chunked_transfer_encoding on;

location /v2/ {

# Do not allow connections from docker 1.5 and earlier

# docker pre-1.6.0 did not properly set the user agent on ping, catch "Go

" user agents

$" ) {

return 404;

}

# To add basic authentication

# auth_basic "registry.localhost";

# auth_basic_user_file /etc/nginx/conf.d/registry.password;

# add_header 'Docker-Distribution-Api-Version' 'registry/2.0' always;

proxy_pass http://docker-registry;

proxy_set_header Host $http_host; # required for docker client's sake

proxy_set_header X-Real-IP $remote_addr; # pass on real client's IP

proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

proxy_set_header X-Forwarded-Proto $scheme;

proxy_read_timeout 900;

}

}

```

执行

docker-compose up  //测试  curl http://www.registry.com:443  curl http://www.registry.com:5000

Setup3 设置HTTP验证

```

cd ~/docker-registry/nginx

htpasswd -c registry.password USERNAME

//USERNAME替换自己想添加的用户名,比如:markthink,如果要继续添加其他用户

//htpasswd registry.password USERNAME

```

mate ~/docker-registry/nginx/registry.conf

```

#To add basic authentication

auth_basic "registry.localhost";

auth_basic_user_file /etc/nginx/conf.d/registry.password;

add_header 'Docker-Distribution-Api-Version' 'registry' always;

```

执行

cd ~/docker-registry  docker-compose up

curl http://www.registry.com:443/

<html>

<head><title>401 Authorization Required</title></head>

<body bgcolor="white">

<center><h1>401 Authorization Required</h1></center>

<hr><center>nginx/1.9.11</center>

</body>

</html>

//使用HTTP验证访问-用上面配置的用户名和密码

curl123456a@www.registry.com:443/" rel="nofollow" target="_blank">http://markthink: 123456a@www.regist ry.com:443/

Setup4设置SSL验证

使用HTTP验证并不安全,因为连接没有加密传输,下面启用SSL配置

mate ~/docker-registry/nginx/registry.conf

```

# SSL

ssl on;

ssl_certificate /etc/nginx/conf.d/domain.crt;

ssl_certificate_key /etc/nginx/conf.d/domain.key;

```

为我们的域名购买一个证书或申请一个 免费SSL证书

Setup5申请免费证书

沃通CA(WoSign CA)   https://buy.wosign.com/free/#myorder  https://buy.wosign.com/FreeSSL.html

用申请好的证书更新nginx配置文件

Setup6配置域名

mate /etc/hosts  //宿主机添加  192.168.99.100 registry.51yixiao.com

Setup7测试

```

docker-machine start default

//重新分配IP

docker-machine regenerate-certs default

docker-machine ssh default

sudo -i

vi /etc/hosts

192.168.99.100 registry.51yixiao.com

docker login https://registry.51yixiao.com

//输入前面配置的用户和密码 登陆成功

Setup8从工作机推送镜像至服务器

eval $(docker-machine env default)

docker images

//为本地镜像打标签

docker pull busybox

docker tag busybox registry.51yixiao.com/busybox

//登陆服务器

docker login https://registry.51yixiao.com

//向服务器推送镜像

docker push registry.51yixiao.com/busybox

curl https://markthink:123456a%40re ... m/v2/

//网页直接访问

https://markthink:123456a%40re ... m/v2/

//退出服务器

docker logout https://registry.51yixiao.com

//查看镜像仓库已有的镜像

https://markthink:123456a%40re ... talog

Setup9从镜像服务器下载镜像至工作机

docker-machine start default

docker-machine regenerate-certs default

docker-machine ssh default

sudo -i

vi /etc/hosts

//添加IP地址

192.168.99.100 registry.51yixiao.com

//登陆服务器

docker login https://registry.51yixiao.com

//下载镜像

docker pull registry.51yixiao.com/busybox

//镜像改名

docker tag registry.51yixiao.com/busybox busybox

```

制作自己的证书(比较复杂不推荐)

由于Dokcer目前不允许使用自签名的SSL证书,这一步比平时更加复杂,我们必须建立自己的系统,对我们自己的证书签名授权。

1.生成根密钥

cd ~/docker-registry/nginx  //生成新的根密钥  openssl genrsa -out devdockerCA.key 2048

2.生成根证书-Common Name填写证书签发者的域名 比如: www.trjcn.com

openssl req -x509 -new -nodes -key devdockerCA.key -days 10000 -out devdockerCA.crt

3.为nginx生成ssl密钥

//生成nginx域名的SSL证书  openssl genrsa -out domain.key 2048

我们的CA中心与要申请证书的服务器是同一个,否则应该是在另一台需要用到证书的服务器上生成

4.为nginx生成证书签署请求

//生成ssl_certificate_key证书   openssl req -new -key domain.key -out dev-docker-registry.com.csr

需要注意的是Common Name必须输入我们要授予证书的服务器IP或域名

5.私有CA根据请求来签发证书

```

//签署证书申请

openssl x509 -req -in dev-docker-registry.com.csr -CA devdockerCA.crt -CAkey devdockerCA.key -CAcreateserial -out domain.crt -days 10000

``

此过程用到了前两步生成的根密钥和根证书

至此SSL证书制作完成,但是我们生成的证书没有已经的证书颁发机构验证,因此需要在Docker Registry中注册。

下面是基于centsos的部署过程

scp ./devdockerCA.crt registry:/home/docker/  docker-machine ssh registry  sudo -i  mkdir /usr/local/share/ca-certificates/docker-dev-cert  mv /home/docker/devdockerCA.crt /usr/local/share/ca-certificates/docker-dev-cert/  //update-ca-certificates

重启Docker daemon守护进程

docker-machine restart registry  //service docker restart
原文  http://dockone.io/article/1086
正文到此结束
Loading...