When developing locally, a Docker registry on the internal network makes sharing and publishing images much easier: private images can live on the intranet server, and there is no need to pull them over the public network.
This course uses two virtual machines: one hosts the private registry, the other is the work machine.
```
//Docker registry host (VM)
docker-machine create -d virtualbox registry
//Docker work machine
docker-machine create -d virtualbox default
```
```
mkdir ~/docker-registry && cd $_
mkdir data
```
//mate is TextMate; I added a symlink on my Mac so it can be started from the shell
//The same trick works for Chrome, so chrome www.baidu.com can be launched from the command line
mate docker-compose.yml
```
registry:
  image: registry   # registry 2.x, which serves the /v2/ API that the nginx config below proxies
  ports:
    - 127.0.0.1:5000:5000   # loopback only: nothing outside the host can reach the bare registry
  environment:
    REGISTRY_STORAGE_FILESYSTEM_ROOTDIRECTORY: /data
  volumes:
    - ./data:/data
```
Run
docker-compose up
mkdir ~/docker-registry/nginx
mate docker-compose.yml
```
nginx:
  image: "nginx"
  ports:
    - 443:443
  links:
    - registry:registry
  volumes:
    - ./nginx/:/etc/nginx/conf.d:ro
registry:
  image: registry
  ports:
    # Publishing 5000 on all interfaces lets anyone who can reach the VM talk to the
    # registry directly, bypassing the authentication and TLS that nginx adds below.
    # Bind it to 127.0.0.1:5000:5000 as in the first compose file, or drop the mapping
    # altogether: nginx reaches the container through the link, not through this port.
    - 5000:5000
  environment:
    REGISTRY_STORAGE_FILESYSTEM_ROOTDIRECTORY: /data
  volumes:
    - ./data:/data
```
mate ~/docker-registry/nginx/registry.conf
```
upstream docker-registry {
server registry:5000;
}
server {
listen 443;
server_name registry.51yixiao.com;
# SSL
# ssl on;
# ssl_certificate /etc/nginx/conf.d/domain.crt;
# ssl_certificate_key /etc/nginx/conf.d/domain.key;
# disable any limits to avoid HTTP 413 for large image uploads
client_max_body_size 0;
# required to avoid HTTP 411: see Issue #1486 (https://github.com/docker/docker/issues/1486)
chunked_transfer_encoding on;
location /v2/ {
# Do not allow connections from docker 1.5 and earlier
# docker pre-1.6.0 did not properly set the user agent on ping, catch "Go *" user agents
if ($http_user_agent ~ "^(docker\/1\.(3|4|5(?!\.[0-9]-dev))|Go ).*$" ) {
return 404;
}
# To add basic authentication
# auth_basic "registry.localhost";
# auth_basic_user_file /etc/nginx/conf.d/registry.password;
# add_header 'Docker-Distribution-Api-Version' 'registry/2.0' always;
proxy_pass http://docker-registry;
proxy_set_header Host $http_host; # required for docker client's sake
proxy_set_header X-Real-IP $remote_addr; # pass on real client's IP
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_read_timeout 900;
}
}
```
Run
```
docker-compose up
```
Test: nginx should answer on 443, and the registry container on 5000 (the second check only works because the compose file publishes port 5000; that is the unauthenticated path that should not be reachable from outside once nginx is in front)
```
curl http://www.registry.com:443
curl http://www.registry.com:5000
```
```
cd ~/docker-registry/nginx
htpasswd -c registry.password USERNAME
//Replace USERNAME with the user you want to add, e.g. markthink. To add further users,
//run it again without -c (which would overwrite the file):
//htpasswd registry.password USERNAME
```
mate ~/docker-registry/nginx/registry.conf
```
#To add basic authentication
auth_basic "registry.localhost";
auth_basic_user_file /etc/nginx/conf.d/registry.password;
# The value must be exactly registry/2.0 (not registry): the docker client checks this header
add_header 'Docker-Distribution-Api-Version' 'registry/2.0' always;
```
Run
```
cd ~/docker-registry
docker-compose up
curl http://www.registry.com:443/
```
Without credentials nginx now answers 401:
```
<html>
<head><title>401 Authorization Required</title></head>
<body bgcolor="white">
<center><h1>401 Authorization Required</h1></center>
<hr><center>nginx/1.9.11</center>
</body>
</html>
```
//Access with HTTP basic authentication, using the user name and password configured above
```
curl http://markthink:123456a@www.registry.com:443/
```
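As an added example (not part of the original course), the same registry.password file can be produced and checked without Apache's htpasswd, using OpenSSL's htpasswd-compatible apr1 hash. It shows what nginx's auth_basic_user_file actually holds: one USER:$apr1$SALT$HASH line per account. It assumes the openssl command line is installed and uses the course's sample user markthink with password 123456a.

```shell
#!/bin/sh
# Added example, not code from the original course: maintain and check an
# nginx auth_basic_user_file with OpenSSL's apr1 (htpasswd-compatible) hashing.
# Assumed: openssl on PATH; sample account markthink / 123456a from the course.

# add_user FILE USER PASSWORD -- add USER, replacing an existing line for that user.
# The password is passed as an argument, so it is visible in the process list
# while the command runs; use this on the admin workstation, not a shared host.
add_user() {
  file=$1; user=$2; pw=$3
  salt=$(openssl rand -hex 4)                         # 8 characters, apr1's maximum
  hash=$(openssl passwd -apr1 -salt "$salt" "$pw")   # $apr1$SALT$HASH
  touch "$file"
  grep -v "^$user:" "$file" > "$file.tmp" || true     # drop any old line for this user
  printf '%s:%s\n' "$user" "$hash" >> "$file.tmp"
  mv "$file.tmp" "$file"
  chmod 600 "$file"                                   # nginx only needs read access
}

# check_user FILE USER PASSWORD -- returns 0 if PASSWORD matches USER's stored hash.
# Re-hashes with the salt taken from the stored line, exactly as nginx does.
check_user() {
  file=$1; user=$2; pw=$3
  stored=$(grep "^$user:" "$file" | head -n1 | cut -d: -f2-)
  [ -n "$stored" ] || return 1                        # unknown user
  salt=$(printf '%s' "$stored" | cut -d'$' -f3)       # fields: '', apr1, SALT, HASH
  [ "$(openssl passwd -apr1 -salt "$salt" "$pw")" = "$stored" ]
}
```

The check function is the same computation nginx performs on every request, which is why the salt has to be stored in clear in the file and why the file must not be world-readable.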
HTTP basic authentication alone is not safe here: the credentials travel base64-encoded, not encrypted, over the plain HTTP connection, and so do the pushed image layers. Next, enable SSL.
mate ~/docker-registry/nginx/registry.conf
```
# SSL
ssl on;   # deprecated since nginx 1.15; on current versions change the listen line to "listen 443 ssl;" instead
ssl_certificate /etc/nginx/conf.d/domain.crt;
ssl_certificate_key /etc/nginx/conf.d/domain.key;
```
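The config above is assembled in three steps (proxy only, then basic auth, then SSL), and it is easy to leave one of them commented out. As an added example, not part of the original course, the following shell function audits a registry.conf for the directives this page enables; it strips "#" comments first, so a directive that is merely commented out counts as missing. The rules encode only settings shown on this page: TLS on (legacy ssl on; or listen 443 ssl;), ssl_certificate, auth_basic plus its user file, the exact Docker-Distribution-Api-Version value, and client_max_body_size 0. The sample configs in the test are constructed from the page's own snippets.

```shell
#!/bin/sh
# Added example, not code from the original course: audit an nginx registry
# front-end config for the hardening steps described on this page.

# audit_registry_conf FILE -- prints one FAIL line per finding; returns 1 if any.
audit_registry_conf() {
  conf=$(sed 's/#.*$//' "$1")        # drop comments, so commented-out directives vanish
  rc=0
  fail() { echo "FAIL: $1"; rc=1; }

  # TLS: either the legacy "ssl on;" or the modern "listen 443 ssl;"
  printf '%s\n' "$conf" | grep -Eq '^[[:space:]]*(ssl[[:space:]]+on;|listen[[:space:]]+443[[:space:]]+ssl)' \
    || fail "TLS not enabled: docker login credentials and layers travel in clear text"
  printf '%s\n' "$conf" | grep -Eq '^[[:space:]]*ssl_certificate[[:space:]]' \
    || fail "no ssl_certificate configured"

  # basic auth in front of /v2/
  printf '%s\n' "$conf" | grep -Eq '^[[:space:]]*auth_basic[[:space:]]' \
    || fail "auth_basic missing: the registry accepts unauthenticated push/pull"
  printf '%s\n' "$conf" | grep -Eq '^[[:space:]]*auth_basic_user_file[[:space:]]' \
    || fail "auth_basic_user_file missing"

  # the docker client checks this header's exact value
  printf '%s\n' "$conf" | grep -Eq "Docker-Distribution-Api-Version'?[[:space:]]+'?registry/2\.0'?" \
    || fail "Docker-Distribution-Api-Version header must be exactly registry/2.0"

  # large layer uploads
  printf '%s\n' "$conf" | grep -Eq '^[[:space:]]*client_max_body_size[[:space:]]+0;' \
    || fail "client_max_body_size should be 0 to avoid HTTP 413 on big layers"

  return $rc
}
```

Run it as audit_registry_conf ~/docker-registry/nginx/registry.conf before each docker-compose up; a non-zero exit means at least one of the page's hardening steps is not actually in effect.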
Buy a certificate for the domain, or request a free SSL certificate.
WoSign CA: https://buy.wosign.com/free/#myorder https://buy.wosign.com/FreeSSL.html
(Note: the major browser and OS vendors distrusted WoSign's roots in 2016-2017, so a certificate from that CA is no longer accepted by current clients; any publicly trusted CA works with the nginx config above, as does the private CA built at the end of this page.)
Update the nginx config with the issued certificate.
mate /etc/hosts //on the host machine add: 192.168.99.100 registry.51yixiao.com (the registry VM's address, as shown by docker-machine ip registry)
```
docker-machine start default
//The VM may come back with a different IP, so regenerate docker-machine's TLS certificates
docker-machine regenerate-certs default
docker-machine ssh default
sudo -i
vi /etc/hosts
//Add the registry name (boot2docker's /etc/hosts does not survive a reboot, which is why this step recurs below)
192.168.99.100 registry.51yixiao.com
docker login https://registry.51yixiao.com
//Enter the user name and password configured earlier; the login succeeds
//Back on the host, point the docker client at the work machine
eval $(docker-machine env default)
docker images
//Tag a local image for the private registry
docker pull busybox
docker tag busybox registry.51yixiao.com/busybox
//Log in to the registry
docker login https://registry.51yixiao.com
//Push the image to the registry
docker push registry.51yixiao.com/busybox
curl https://markthink:123456a%40re ... m/v2/
//The same URL can be opened directly in a browser
https://markthink:123456a%40re ... m/v2/
//Log out of the registry
docker logout https://registry.51yixiao.com
//List the images the registry already holds (the registry's /v2/_catalog endpoint)
https://markthink:123456a%40re ... talog
//Pulling from the registry on a work machine follows the same pattern
docker-machine start default
docker-machine regenerate-certs default
docker-machine ssh default
sudo -i
vi /etc/hosts
//Add the IP address
192.168.99.100 registry.51yixiao.com
//Log in to the registry
docker login https://registry.51yixiao.com
//Pull the image
docker pull registry.51yixiao.com/busybox
//Rename the image
docker tag registry.51yixiao.com/busybox busybox
```
Docker refuses to talk to a registry whose certificate it cannot verify against a CA it trusts, so a plain self-signed server certificate is not enough. This step is therefore more involved than usual: we set up our own CA, sign the server certificate with it, and then make the Docker hosts trust that CA.
1. Generate the root key
```
cd ~/docker-registry/nginx
//Generate a new root key
openssl genrsa -out devdockerCA.key 2048
```
2. Generate the root certificate. For Common Name enter the domain of the certificate issuer, e.g. www.trjcn.com
```
openssl req -x509 -new -nodes -key devdockerCA.key -days 10000 -out devdockerCA.crt
```
3. Generate the SSL key for nginx
```
//Generate the key for the nginx domain's SSL certificate
openssl genrsa -out domain.key 2048
```
Here the CA and the server that needs the certificate are the same machine; otherwise this key would be generated on the other server, the one that will use the certificate, and only the signing request would be sent to the CA, so the private key never leaves that server.
4. Generate the certificate signing request for nginx
```
//Generate the CSR; domain.key is the ssl_certificate_key, and the certificate signed from this request becomes the ssl_certificate
openssl req -new -key domain.key -out dev-docker-registry.com.csr
```
Note that Common Name must be the IP address or domain name of the server the certificate is issued to (registry.51yixiao.com here).
5. The private CA issues the certificate from the request
```
//Sign the certificate request
openssl x509 -req -in dev-docker-registry.com.csr -CA devdockerCA.crt -CAkey devdockerCA.key -CAcreateserial -out domain.crt -days 10000
```
This step uses the root key and root certificate from steps 1 and 2. As written it carries over only the Common Name from the CSR; Docker clients built with Go 1.15 or later require the host name in a subjectAltName extension and reject CN-only certificates, so on a current setup add -extfile pointing at a file containing subjectAltName=DNS:registry.51yixiao.com to the command above.
The SSL certificate is now ready, but it was not issued by a CA the Docker hosts already trust, so the root certificate has to be installed on every Docker daemon that talks to the registry: in this setup that is above all the work machine (default), which performs the docker login, push and pull. The Docker daemon also reads a per-registry trust file at /etc/docker/certs.d/registry.51yixiao.com/ca.crt, which avoids touching the system trust store.
The deployment below copies the root certificate into the VM's system CA store. The /usr/local/share/ca-certificates directory and update-ca-certificates are the Debian/Ubuntu mechanism; on CentOS the equivalent is to copy the file into /etc/pki/ca-trust/source/anchors/ and run update-ca-trust.
```
scp ./devdockerCA.crt registry:/home/docker/
docker-machine ssh registry
sudo -i
mkdir /usr/local/share/ca-certificates/docker-dev-cert
mv /home/docker/devdockerCA.crt /usr/local/share/ca-certificates/docker-dev-cert/
//update-ca-certificates
```
Restart the Docker daemon so it picks up the new trust store
```
docker-machine restart registry
//service docker restart
```