• 企业400电话
  • 微网小程序
  • AI电话机器人
  • 电商代运营
  • 全 部 栏 目

    企业400电话 网络优化推广 AI电话机器人 呼叫中心 网站建设 商标✡知产 微网小程序 电商运营 彩铃•短信 增值拓展业务
    搭建Docker私有仓库的详细教程

    1.Docker registry 说明
    本文记录的个人完整搭建docker registry操作过程,官方虽然提供了Docker Hub作为一个公开的集中仓库,但是天朝的网络可想而知,第一次pull一个镜像不是失败就是时间很长,为了解决这个问题需要创建一个私有的仓库在本地pull 本地push。我使用的docker版本是:1.5.0

    2、安装docker-registry


    复制代码
    代码如下:
    docker run -d -e SETTINGS_FLAVOR=dev -e STORAGE_PATH=/tmp/registry -v /alidata/registry:/tmp/registry -p 5000:5000 registry

    # 如果本地没有下载过docker-registry,则首次会pull registry 运行时会映射路径和端口,以后就可以从/data/registry下找到私有仓库

    3、客户端上的操作
    #从本地仓库上获取有哪些镜像
     

    复制代码
    代码如下:
    curl -X GET http://registry.wpython.com:5000/v1/search

    curl http://registry.wpython.com:5000/v1/search
    {"num_results": 1, "query": "", "results": [{"description": "", "name": "library/centos6"}]}

    # 拉取到本地
     

    复制代码
    代码如下:
    docker pull library/centos6

    # tag 一个镜像
     

    复制代码
    代码如下:
    docker tag 8552ea9a16f9 registry.wpython.com:5000/centos6_x86_64.mini

    # 将新的docker images push 到本地仓库
     

    复制代码
    代码如下:
    docker push registry.wpython.com:5000/centos6_x86_64.mini

    4、加入nginx认证
    Docker 启动监听端口后,使用的是 http,可以远程来管理 Docker 主机。
    这样的场景存在弊端,API 层面是没有提供用户验证、Token 之类身份验证功能,任何人都可以通过地址加端口来控制 Docker 主机,为了避免这样的情况发生,Docker 官方也支持 https 方式,不过需要我们自己来生成证书。
    新版本的docker 也强制必须使用https否则会报错

    # 安装nginx过程略
    创建一个登陆用户(如果没有htpasswd命令 请安装httpd-tools这个包)

     

    复制代码
    代码如下:
    htpasswd -c /alidata/server/nginx/docker-registry.htpasswd admin
    New password:
    Re-type new password:
    Adding password for user admin

    # 生成根密钥
     

    复制代码
    代码如下:
    cd /etc/pki/CA/
    openssl genrsa -out private/cakey.pem 2048

    # 生成根证书
     

    复制代码
    代码如下:
    openssl req -new -x509 -key private/cakey.pem -out cacert.pem

    Country Name (2 letter code) [AU]:CN
    State or Province Name (full name) [Some-State]:Brijing
    Locality Name (eg, city) []:Chaoyang
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:
    Organizational Unit Name (eg, section) []:
    Common Name (e.g. server FQDN or YOUR name) []:registry.wpython.com
    Email Address []:

    # 为nginx服务器生成ssl密钥
     

    复制代码
    代码如下:
    cd /alidata/server/nginx/ssl
    openssl genrsa -out nginx.key 2048

    # 为nginx生成的证书签署请求
     

    复制代码
    代码如下:
    openssl req -new -key nginx.key -out nginx.csr

    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [AU]:CN
    State or Province Name (full name) [Some-State]:Beijing
    Locality Name (eg, city) []:Chaoyang
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:
    Organizational Unit Name (eg, section) []:
    Common Name (e.g. server FQDN or YOUR name) []:registry.wpython.com
    Email Address []:
     
    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:
    An optional company name []:

    # 私有CA根据请求来签发证书
     

    复制代码
    代码如下:
    openssl ca -in nginx.csr -out nginx.crt

     
     
    # 如果报如下错误:
    Using configuration from /usr/local/ssl/openssl.cnf
    /etc/pki/CA/index.txt: No such file or directory
    unable to open '/etc/pki/CA/index.txt'
    140137408210600:error:02001002:system library:fopen:No such file or directory:bss_file.c:398:fopen('/etc/pki/CA/index.txt','r')
    140137408210600:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:400:
     
    # 执行以下命令

    复制代码
    代码如下:
    cd /etc/pki/CA/
    mkdir newcerts
    touch index.txt
    touch serial
    echo 01 > serial
    cd -

    openssl ca -in nginx.csr -out nginx.crt

     
    Using configuration from /usr/local/ssl/openssl.cnf
    Check that the request matches the signature
    Signature ok
    Certificate Details:
            Serial Number: 1 (0x1)
            Validity
                Not Before: May 12 04:15:08 2015 GMT
                Not After : May 11 04:15:08 2016 GMT
            Subject:
                countryName               = CN
                stateOrProvinceName       = Beijing
                organizationName          = Internet Widgits Pty Ltd
                commonName                = registry.wpython.com
                emailAddress              = 739827282@qq.com
            X509v3 extensions:
                X509v3 Basic Constraints:
                    CA:FALSE
                Netscape Comment:
                    OpenSSL Generated Certificate
                X509v3 Subject Key Identifier:
                    B5:20:C7:47:26:D9:26:54:12:F7:36:7E:4E:3A:F0:D9:0E:2C:F7:BD
                X509v3 Authority Key Identifier:
                    keyid:93:F7:86:72:1B:2B:24:CD:AF:24:EF:53:F4:E1:FA:EC:E7:70:1A:90
     
    Certificate is to be certified until May 11 04:15:08 2016 GMT (365 days)
    Sign the certificate? [y/n]:y
     
     
    1 out of 1 certificate requests certified, commit? [y/n]y
    Write out database with 1 new entries
    Data Base Updated

    # 发现根证书
     


    复制代码
    代码如下:
    # cp /etc/pki/tls/certs/ca-bundle.crt{,.bak} 备份以防出错
    # cat /etc/pki/CA/cacert.pem >> /etc/pki/tls/certs/ca-bundle.crt

    # 创建nginx配置文件
     

    复制代码
    代码如下:
    # vi /alidata/server/nginx/conf/vhosts/www.wpython.com.conf
    upstream docker-registry {

    server localhost:5000;
    }

    server {
    listen 8080;
    server_name registry.wpython.com;

    # enabled ssl
    ssl on;
    ssl_certificate /alidata/server/nginx/ssl/nginx.crt;
    ssl_certificate_key /alidata/server/nginx/ssl/nginx.key;

    proxy_set_header Host $http_host;
    proxy_set_header X-Real-IP $remote_addr;
    client_max_body_size 0;
    chunked_transfer_encoding on;

    location / {

    auth_basic "Restricted";
    auth_basic_user_file docker-registry.htpasswd;
    proxy_pass http://docker-registry;

    }

    location /_ping {

    auth_basic off;
    proxy_pass http://docker-registry;

    }

    location /v1/_ping {
    auth_basic off;
    proxy_pass http://docker-registry;
    }
    }

    # 完成测试

     

    复制代码
    代码如下:
    # docker login https://registry.wpython.com:8080
    Username: admin
    Password:
    Email: 739827282@qq.com
    Login Succeeded

    上一篇:记录一次博客迁移到Docker上的操作
    下一篇:VMware 8.0虚拟机怎么设置成U盘引导启动?
  • 相关文章
  • 

    © 2016-2020 巨人网络通讯 版权所有

    《增值电信业务经营许可证》 苏ICP备15040257号-8

    搭建Docker私有仓库的详细教程 搭建,Docker,私有,仓库,的,