创建docker私有仓库
实验环境:
本地仓库域名:registry.cmh.cn
本地仓库:192.168.1.110
docker客户端:192.168.1.111
使用官方镜像创建registry仓库容器:
下载官方registry镜像:
|
1
|
#docker pull registry
|
创建registry仓库容器:
|
1
2
3
4
5
|
#mkdir -p /opt/data/registry
#docker run -idt -p 5000:5000 --name registry -v /opt/data/registry/:/tmp/registry registry
//
以上命令会创建一个名为registry的容器,并把容器中的5000端口映射到宿主机的5000端口上,并把容器中的
/tmp/registry
目录挂载到本地
/opt/data/registry
目录。
#curl http://192.168.1.110:5000
"\"docker-registry server\""
|
查看当前已有的镜像:
将centos:web镜像tag为192.168.1.110:5000/centos_web,并尝试上传到本地仓库192.168.1.110:5000。
|
1
2
|
#docker tag 126c81c6ea66 192.168.1.110:5000/centos_web
#docker push 192.168.1.110:5000/centos_web
|
提示报错,这是由于从docker1.3.2版本开始,docker registry开始默认使用https方式访问,所以这里必须配置ssl auth验证。当然,也可以关闭https模式,使用简单的不验证模式,即insecure模式。
配置registry insecure模式:
在启动时添加--insecure-registry参数,如下:
#vi /etc/init.d/docker
#service docker restart
修改普通模式后,push正常。
查看私有仓库中的镜像,可以查到刚刚上传的镜像:
配置registry https模式,结合nginx:
1:首先,配置nginx的https功能,并指定本地仓库的域名。
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
|
# more /opt/apps_install/nginx/conf/vhost/docker.conf
upstream docker-registry {
server 127.0.0.1:5000;
}
server {
listen 443;
server_name registry.cmh.cn;
ssl on;
ssl_certificate
/etc/ssl/certs/nginx
.crt;
ssl_certificate_key
/etc/ssl/private/nginx
.key;
proxy_set_header Host $http_host;
# required for Docker client sake
proxy_set_header X-Real-IP $remote_addr;
# pass on real client IP
client_max_body_size 0;
# disable any limits to avoid HTTP 413 for large image uploads
# required to avoid HTTP 411: see Issue #1486 (https://github.com/dotcloud/docker/issues/1486)
chunked_transfer_encoding on;
location / {
# let Nginx know about our auth file
auth_basic
"Restricted"
;
auth_basic_user_file docker-registry.htpasswd;
proxy_pass http:
//docker-registry
;
}
location
/_ping
{
auth_basic off;
proxy_pass http:
//docker-registry
;
}
location
/v1/_ping
{
auth_basic off;
proxy_pass http:
//docker-registry
;
}
}
|
2:配置ssl证书,以及密码文件。
生成根密钥文件:
|
1
2
|
#cd /etc/pki/CA/
#openssl genrsa -out private/cakey.pem 2048
|
生成根证书:
|
1
|
#openssl req -new -x509 -key private/cakey.pem -days 3650 -out cacert.pem
|
为nginx生成ssl密钥,以及证书签署请求:
|
1
2
3
|
#cd /etc/ssl/
#openssl genrsa -out nginx.key 2048
#openssl req -new -key nginx.key -out nginx.csr
|
私有CA根据请求来签发证书:
|
1
|
#openssl ca -in nginx.csr -days 3650 -out nginx.crt
|
把证书复制到nginx相关的验证目录:
|
1
2
3
4
|
# cp /etc/pki/tls/certs/ca-bundle.crt{,.bak}
# cat /etc/pki/CA/cacert.pem >> /etc/pki/tls/certs/ca-bundle.crt
# cp nginx.crt /etc/ssl/certs/
# cp nginx.key /etc/ssl/private
|
创建验证登陆的密码文件:
|
1
2
3
4
5
|
# yum -y install httpd-tools.x86_64
# htpasswd -c /opt/apps_install/nginx/conf/docker-registry.htpasswd cmh
New password:
Re-
type
new password:
Adding password
for
user cmh
|
从本地docker登陆,尝试push镜像:
|
1
2
3
4
5
|
# docker login -u cmh -p 123456 -e test@cmh.cn registry.cmh.cn
# docker tag registry registry.cmh.cn/registry:v2
# docker push registry.cmh.cn/registry:v2
# curl -u cmh:123456 https://registry.cmh.cn/v1/search
{
"num_results"
: 2,
"query"
:
""
,
"results"
: [{
"description"
:
""
,
"name"
:
"library/centos_web"
}, {
"description"
:
""
,
"name"
:
"library/registry"
}]}
|
可以看到仓库中已经包含了新push的images:
|
1
2
|
#curl -u cmh:123456 https://registry.cmh.cn/v1/search
{
"num_results"
: 2,
"query"
:
""
,
"results"
: [{
"description"
:
""
,
"name"
:
"library/centos_web"
}, {
"description"
:
""
,
"name"
:
"library/registry"
}]}
|
从客户端pull和push镜像:
110:拷贝证书到客户端
|
1
|
# scp /etc/pki/CA/cacert.pem root@192.168.1.111:/root
|
111:
|
1
2
3
|
# cp /etc/pki/tls/certs/ca-bundle.crt{,.bak}
# cat cacert.pem >> /etc/pki/tls/certs/ca-bundle.crt
# service docker start
|
登陆,并从本地仓库pull一个镜像:
|
1
2
|
# docker login -u cmh -p 123456 -e test@cmh.cn https://registry.cmh.cn
# docker pull registry.cmh.cn/centos_web
|
上传一个tag过的镜像到本地仓库:
|
1
2
3
|
# docker tag registry.cmh.cn/centos_web registry.cmh.cn/centos_web2
# docker push registry.cmh.cn/centos_web2
# curl -u cmh:123456 https://registry.cmh.cn/v1/search
|
本文转自 icenycmh 51CTO博客,原文链接:http://blog.51cto.com/icenycmh/1746833,如需转载请自行联系原作者
