[Experience sharing] Setting up a local Docker registry on Ubuntu 14.04 (trusty)

Posted 2015-10-13 10:47:28

More content is available on my own blog: http://www.justfbt.com/

Step One - Prerequisites

# apt-get update
# apt-get -y install build-essential python-dev libevent-dev python-pip liblzma-dev

Step Two - Installing and configuring the Docker Registry

# pip install docker-registry

By default the registry keeps its data under /tmp. Create a dedicated directory for our data instead:

# mkdir /var/docker-registry

docker-registry needs a configuration file:

# cd /usr/local/lib/python2.7/dist-packages/docker_registry/lib/../../config/
# cp config_sample.yml config.yml

Now edit config.yml. Find the line that starts with sqlalchemy_index_database:

## at line 22
sqlalchemy_index_database: _env:SQLALCHEMY_INDEX_DATABASE:sqlite:////tmp/docker-registry.db

and change the database path to /var/docker-registry, like this:

sqlalchemy_index_database: _env:SQLALCHEMY_INDEX_DATABASE:sqlite:////var/docker-registry/docker-registry.db

Then change the "local:" section:

## at line 72
local: &local
    storage: local
    storage_path: _env:STORAGE_PATH:/tmp/registry

to:

local: &local
    storage: local
    storage_path: _env:STORAGE_PATH:/var/docker-registry/registry

The other values in the sample configuration can stay at their defaults. If you need more advanced features, such as keeping your Docker data on an internal storage backend, see the docker-registry documentation.

Test it:

# gunicorn --access-logfile - --debug -k gevent -b 0.0.0.0:5000 -w 1 docker_registry.wsgi:application

If everything is fine you should see output like this:

2014-07-27 07:12:24 [29344] [INFO] Starting gunicorn 18.0
2014-07-27 07:12:24 [29344] [INFO] Listening at: http://0.0.0.0:5000 (29344)
2014-07-27 07:12:24 [29344] [INFO] Using worker: gevent
2014-07-27 07:12:24 [29349] [INFO] Booting worker with pid: 29349
2014-07-27 07:12:24,807 DEBUG: Will return docker-registry.drivers.file.Storage

Step Three - Running the Docker Registry as a service

Create the directory for the log files:

# mkdir -p /var/log/docker-registry

Create the Upstart job so the registry starts at boot:

# vim /etc/init/docker-registry.conf

description "Docker Registry"
start on runlevel [2345]
stop on runlevel [016]
respawn
respawn limit 10 5
script
    exec gunicorn --access-logfile /var/log/docker-registry/access.log --error-logfile /var/log/docker-registry/server.log -k gevent --max-requests 100 --graceful-timeout 3600 -t 3600 -b localhost:5000 -w 8 docker_registry.wsgi:application
end script

Note that, unlike the test command above, the service binds to localhost:5000, so the registry itself is only reachable from the host and remote clients have to go through the nginx front end configured in the next step.

# ln -s /etc/init/docker-registry.conf /etc/init.d/docker-registry

Test it:

# service docker-registry status
docker-registry stop/waiting
# service docker-registry start
docker-registry start/running, process 16287

Step Four - Putting nginx in front of the Docker Registry to secure it

First, set up authentication so that not just anyone can log in to our server. HTTP basic authentication only base64-encodes the credentials in each request, so it only becomes real protection once the SSL configuration from Step Five is in place.

Install nginx and apache2-utils (the latter provides htpasswd, which we use to create the password file):

# apt-get -y install nginx apache2-utils

Now create the user for authenticating to the Docker registry:

# htpasswd -c /etc/nginx/docker-registry.htpasswd USERNAME

Enter the password you will use to log in to the registry when prompted.

To add more users, repeat the command without the -c option (-c creates the file, so repeating it would overwrite the existing entries):

# htpasswd /etc/nginx/docker-registry.htpasswd USERNAME_2
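As an added example (not from the original post), the script below shows what the htpasswd file that nginx's auth_basic_user_file reads actually contains, and how to check a login against it offline, for instance to audit the account list before exposing the registry. It assumes the openssl CLI is installed: htpasswd's default scheme on Ubuntu is salted APR1-MD5, which `openssl passwd -apr1` produces as well, and the demo file and its users are constructed here.

```shell
#!/bin/sh
# Added example: what nginx's auth_basic_user_file holds after `htpasswd -c`,
# and how to check a login against it offline. Assumes the openssl CLI;
# htpasswd's default scheme (salted APR1-MD5) is what `openssl passwd -apr1`
# produces, so apache2-utils is not needed to run this.
set -eu

# add_user FILE USER PASSWORD: append "USER:$apr1$salt$hash" as htpasswd does
add_user() {
    file=$1; user=$2; pass=$3
    # a fresh random salt per entry, so equal passwords get different hashes
    printf '%s:%s\n' "$user" "$(openssl passwd -apr1 "$pass")" >> "$file"
}

# verify_login FILE USER PASSWORD: exit 0 only if USER exists and PASSWORD,
# hashed with the salt stored in the file, reproduces the stored hash.
verify_login() {
    file=$1; user=$2; pass=$3
    stored=$(awk -F: -v u="$user" '$1 == u { print $2; exit }' "$file")
    [ -n "$stored" ] || return 1
    case $stored in
        '$apr1$'*) ;;           # only the APR1 scheme is handled here
        *) return 1 ;;
    esac
    salt=$(printf '%s' "$stored" | cut -d'$' -f3)
    [ "$(openssl passwd -apr1 -salt "$salt" "$pass")" = "$stored" ]
}

# list_users FILE: the account names nginx will accept, one per line
list_users() {
    cut -d: -f1 "$1"
}

# Constructed demo file standing in for /etc/nginx/docker-registry.htpasswd
demo=$(mktemp)
add_user "$demo" dkuser 'correct horse battery'
add_user "$demo" deploy 'another secret'
echo "accounts in $demo:"; list_users "$demo"
verify_login "$demo" dkuser 'correct horse battery' && echo "dkuser: accepted"
verify_login "$demo" dkuser 'wrong password' || echo "dkuser, wrong password: rejected"
```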
Next, configure nginx to proxy requests to docker-registry:

# vim /etc/nginx/sites-available/docker-registry

# For versions of Nginx > 1.3.9 that include chunked transfer encoding support
# Replace with appropriate values where necessary
upstream docker-registry {
    server localhost:5000;
}

server {
    listen 8080;
    server_name xxxx;

    # ssl on;
    # ssl_certificate /etc/ssl/certs/docker-registry;
    # ssl_certificate_key /etc/ssl/private/docker-registry;

    proxy_set_header Host       $http_host;   # required for Docker client sake
    proxy_set_header X-Real-IP  $remote_addr; # pass on real client IP

    client_max_body_size 0; # disable any limits to avoid HTTP 413 for large image uploads

    # required to avoid HTTP 411: see Issue #1486 (https://github.com/dotcloud/docker/issues/1486)
    chunked_transfer_encoding on;

    location / {
        # let Nginx know about our auth file
        auth_basic              "Restricted";
        auth_basic_user_file    docker-registry.htpasswd;
        proxy_pass http://docker-registry;
    }

    location /_ping {
        auth_basic off;
        proxy_pass http://docker-registry;
    }

    location /v1/_ping {
        auth_basic off;
        proxy_pass http://docker-registry;
    }
}

Only the two _ping endpoints, which the Docker client uses to probe the registry, bypass authentication; every other path requires a user from the htpasswd file.

# ln -s /etc/nginx/sites-available/docker-registry /etc/nginx/sites-enabled/docker-registry
# service nginx reload

Test: first confirm that docker-registry itself responds:

# curl localhost:5000
"\"docker-registry server\""

Confirm nginx:

# curl localhost:8080
<html>
<head><title>401 Authorization Required</title></head>
<body bgcolor="white">
<center><h1>401 Authorization Required</h1></center>
<hr><center>nginx/1.4.6 (Ubuntu)</center>
</body>
</html>

Confirm nginx authentication:

# curl USERNAME:PASSWORD@localhost:8080
"\"docker-registry server\""

Step Five - Configuring SSL

Open the nginx configuration file and edit it:

# vim /etc/nginx/sites-available/docker-registry

Make the following change (uncomment the three ssl lines):

ssl on;
ssl_certificate /etc/ssl/certs/docker-registry;
ssl_certificate_key /etc/ssl/private/docker-registry;

Save and exit.

nginx is now set up for SSL, and the configuration tells us where it expects the certificate (/etc/ssl/certs/docker-registry) and the key (/etc/ssl/private/docker-registry).

Next, generate a self-signed certificate. First create a directory to hold the new certificate files:

# mkdir ~/certs
# cd ~/certs

Generate a new root key:

# openssl genrsa -out devdockerCA.key 2048

Generate a root certificate:

# openssl req -x509 -new -nodes -key devdockerCA.key -days 10000 -out devdockerCA.crt

Then generate a key for your server (this key will later be copied to /etc/ssl/private/docker-registry for nginx to use):

# openssl genrsa -out dev-docker-registry.com.key 2048

Now generate a certificate signing request. When you run this command, OpenSSL prompts you to answer a series of questions. (Translator's note: I was not sure how to translate what follows; the gist should be that the other fields can be anything, but the value entered for "Common Name" must be the domain name you intend to use.)

Write whatever you'd like for the first few, but when OpenSSL prompts you to enter the "Common Name" make sure to type in the domain of your server.

# openssl req -new -key dev-docker-registry.com.key -out dev-docker-registry.com.csr

For example, if your Docker registry will run on the domain www.ilovedocker.com, enter:

Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:www.ilovedocker.com
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Leave the challenge password empty at the end. Then sign the certificate request:

# openssl x509 -req -in dev-docker-registry.com.csr -CA devdockerCA.crt -CAkey devdockerCA.key -CAcreateserial -out dev-docker-registry.com.crt -days 10000
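The same certificate steps as an added, non-interactive script (not from the original post), followed by the checks you want before copying the files into /etc/ssl: that the server certificate chains to our private CA, that its CN is the registry host name, and that it matches the server key nginx will load. It assumes the openssl CLI is available; the -subj values replace the interactive prompts, the CA file names follow the post, and the server files are named after the host name argument instead of dev-docker-registry.com.

```shell
#!/bin/sh
# Added example: Step Five's CA and server certificate generation without
# prompts, plus sanity checks. Assumes the openssl CLI; CA file names follow
# the post (devdockerCA.*), server files are named after the host name.
set -eu

# make_certs DIR FQDN: private CA plus a server certificate for FQDN, signed
# by that CA. Same openssl commands as the post, -subj instead of prompts.
make_certs() {
    dir=$1; fqdn=$2
    mkdir -p "$dir"
    # root key and self-signed root certificate for the private CA
    openssl genrsa -out "$dir/devdockerCA.key" 2048 2>/dev/null
    openssl req -x509 -new -nodes -key "$dir/devdockerCA.key" -days 10000 \
        -subj "/CN=devdockerCA" -out "$dir/devdockerCA.crt"
    # server key and CSR; the CN must be the name clients will connect to
    openssl genrsa -out "$dir/$fqdn.key" 2048 2>/dev/null
    openssl req -new -key "$dir/$fqdn.key" -subj "/CN=$fqdn" \
        -out "$dir/$fqdn.csr"
    # sign the CSR with the CA (-CAcreateserial writes devdockerCA.srl)
    openssl x509 -req -in "$dir/$fqdn.csr" -CA "$dir/devdockerCA.crt" \
        -CAkey "$dir/devdockerCA.key" -CAcreateserial -days 10000 \
        -out "$dir/$fqdn.crt" 2>/dev/null
}

# check_certs DIR FQDN: succeed only if the server certificate chains to the
# CA, names FQDN as its CN and belongs to the key nginx will load with it.
check_certs() {
    dir=$1; fqdn=$2
    # grep on the verdict: openssl 1.0.x exits 0 even when verification fails
    openssl verify -CAfile "$dir/devdockerCA.crt" "$dir/$fqdn.crt" 2>/dev/null \
        | grep -q ': OK$' || return 1
    openssl x509 -noout -subject -in "$dir/$fqdn.crt" \
        | grep -q "CN *= *$fqdn" || return 1
    # nginx refuses to load a certificate whose key does not match it
    [ "$(openssl x509 -noout -modulus -in "$dir/$fqdn.crt")" = \
      "$(openssl rsa -noout -modulus -in "$dir/$fqdn.key")" ]
}

# Demo run in a scratch directory (the post works in ~/certs).
demo=$(mktemp -d)
make_certs "$demo" www.ilovedocker.com
if check_certs "$demo" www.ilovedocker.com; then
    echo "chain, CN and key all check out in $demo"
else
    echo "certificate check failed" >&2; exit 1
fi
```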
We have now generated all the files needed for authentication. Copy them to where they will be used: first the certificate and key to the paths nginx references:

# cp dev-docker-registry.com.crt /etc/ssl/certs/docker-registry
# cp dev-docker-registry.com.key /etc/ssl/private/docker-registry

Since the certificates we just generated aren't verified by any known certificate authority (e.g., VeriSign), we need to tell any clients that are going to be using this Docker registry that this is a legitimate certificate. Let's do this locally so that we can use Docker from the Docker registry server itself:

# mkdir /usr/local/share/ca-certificates/docker-dev-cert
# cp devdockerCA.crt /usr/local/share/ca-certificates/docker-dev-cert
# update-ca-certificates

You'll have to repeat this step for every machine that connects to this Docker registry! Otherwise you will get SSL errors and be unable to connect. These steps are shown in the client test section as well.

Testing SSL

Restart nginx to load the new configuration:

# service nginx restart
# curl https://USERNAME:PASSWORD@YOUR-DOMAIN:8080

If everything is working you should see this response:

"\"docker-registry server\""

If not, go back and re-check the SSL and nginx configuration to make sure everything is correct.

We now have a Docker registry running behind nginx, which provides authentication and SSL encryption.

Step Six - Accessing the Docker Registry from another machine

To access the Docker registry, first add the SSL certificate to the client.

On the registry server, cat the certificate file:

# cat ~/certs/devdockerCA.crt

The output is a PEM block starting with -----BEGIN CERTIFICATE----- and ending with -----END CERTIFICATE-----, roughly like this:


Copy the output above to the client.

On the client, create the certificate directory:

sudo mkdir /usr/local/share/ca-certificates/docker-dev-cert

Then run:

sudo nano /usr/local/share/ca-certificates/docker-dev-cert/devdockerCA.crt

Paste the content you copied and save the file. Check it once more:

cat /usr/local/share/ca-certificates/docker-dev-cert/devdockerCA.crt

Then update the certificates:

sudo update-ca-certificates

The output should look like this (note the "1 added"):

Updating certificates in /etc/ssl/certs... 1 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d....done.

If you have not installed Docker on the client yet, do so now.

On most versions of Ubuntu you can quickly install a recent version of Docker by following the next few commands. If your client is on a different distro or you have issues then see Docker's installation documentation for other ways to install Docker.

Add the repository key:

sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys 36A1D7869245C8950F966E92D8576A8BA88D21E9

Create a file to list the Docker repository:

sudo nano /etc/apt/sources.list.d/docker.list

Add the following line to the file:

deb https://get.docker.io/ubuntu docker main

Update your package lists:

sudo apt-get update

Install Docker:

sudo apt-get install -y --force-yes lxc-docker

To make working with Docker a little easier, let's add our current user to the Docker group and re-open a new shell:

sudo gpasswd -a ${USER} docker
sudo su -l $USER   # enter your password at the prompt if needed

Restart Docker to make sure it reloads the system's CA certificates:

sudo service docker restart

You should now be able to log in to your Docker registry from the client machine:

docker login https://YOUR-HOSTNAME:8080

Note that you're using https:// and port 8080 here. Enter the username and password you set up earlier (enter whatever you'd like for email if prompted). You should see a Login Succeeded message.

At this point your Docker registry is up and running! Let's make a test image to push to the registry.

Step Seven - Pushing to your Docker Registry

On the client server, create a small empty image to push to our new registry.

docker run -t -i ubuntu /bin/bash

After it finishes downloading you'll be inside a Docker prompt. Let's make a quick change to the filesystem:

touch /SUCCESS

Exit out of the Docker container:

exit

Commit the change:

docker commit $(docker ps -lq) test-image

If you run docker images now, you'll see that you have a new test-image in the image list:

# docker images
REPOSITORY          TAG                 IMAGE ID            CREATED             VIRTUAL SIZE
test-image          latest              1f3ce8008165        9 seconds ago       192.7 MB
ubuntu              trusty              ba5877dc9bec        11 days ago         192.7 MB

This image only exists locally right now, so let's push it to the new registry we've created.

First, log in to the registry with Docker. Note that you want to use https:// and port 8080:

docker login https://<YOUR-DOMAIN>:8080

The result when I ran it:

# docker login https://docker-registry.example.com:8080
Username (dkuser): dkuser
WARNING: login credentials saved in /root/.dockercfg.
Login Succeeded

Enter the username and password you set up earlier:

Username: USERNAME Password: PASSWORD Email:
Account created. Please see the documentation of the registry http://localhost:5000/v1/ for instructions how to activate it.

Docker has an unusual mechanism for specifying which registry to push to. You have to tag an image with the private registry's location in order to push to it. Let's tag our image for our private registry:

docker tag test-image YOUR-DOMAIN:8080/test-image

The result when I ran it:

# docker tag test-image docker-registry.example.com:8080/test-image

Note that you are using the local name of the image first, then the tag you want to add to it. The tag is not using https://, just the domain, port, and image name.

Now we can push that image to our registry. This time we're using the tag name only:

docker push <YOUR-DOMAIN>:8080/test-image

The result when I ran it:

# docker push docker-registry.example.com:8080/test-image
The push refers to a repository [docker-registry.example.com:8080/test-image] (len: 1)
Sending image list
Pushing repository docker-registry.example.com:8080/test-image (1 tags)
428b411c28f0: Image successfully pushed
435050075b3f: Image successfully pushed
9fd3c8c9af32: Image successfully pushed
6d4946999d4f: Image successfully pushed
220f9fa943e0: Image successfully pushed
Pushing tag for rev [220f9fa943e0] on {https://docker-registry.example.com:8080/v1/repositories/test-image/tags/latest}

This will take a moment to upload to the registry server. You should see output that includes Image successfully pushed.

Step Eight - Pulling from your Docker Registry

To make sure everything worked, let's go back to our original server (where you installed the Docker registry) and pull the image we just pushed from the client. You could also test this from a third server.

If Docker is not installed on your test pull server, go back and follow the installation instructions (and if it's a third server, the SSL instructions) from Step Six.

Log in with the username and password you set up previously.

docker login https://<YOUR-DOMAIN>:8080

And now pull the image. You want just the "tag" image name, which includes the domain name, port, and image name (but not https://):

docker pull <YOUR-DOMAIN>:8080/test-image

The result when I ran it:

# docker pull docker-registry.example.com:8080/test-image
Pulling repository docker-registry.example.com:8080/test-image
220f9fa943e0: Download complete
428b411c28f0: Download complete
435050075b3f: Download complete
9fd3c8c9af32: Download complete
6d4946999d4f: Download complete
Status: Downloaded newer image for docker-registry.example.com:8080/test-image:latest

Docker will do some downloading and return you to the prompt. If you run the image on the new machine you'll see that the SUCCESS file we created earlier is there:

docker run -t -i <YOUR-DOMAIN>:8080/test-image /bin/bash

The result when I ran it:

# docker run -t -i docker-registry.example.com:8080/test-image /bin/bash

List your files:

ls

You should see the SUCCESS file we created earlier:

SUCCESS  bin  boot  dev  etc  home  lib  lib64  media   mnt  opt  proc  root  run  sbin  srv  sys  tmp  usr  var

Congratulations! You've just used your own private Docker registry to push and pull your first Docker container! Happy Docker-ing!

Post URL: https://www.yunweiku.com/thread-126200-1-1.html