本帖最后由 42ew222 于 2016-3-15 08:31 编辑
最近公司测试环境需要用docker,个人也觉得docker的build one Run Anywhere非常强大。
由于目前大多数的镜像下载网站都是在国外站点,国内用户在下镜像的时候就时常遇到下载速度超慢的情况;而且在将Docker应用到生产环境的过程中,还会面临下载过来的Docker镜像是否安全的问题。因些在生产环境下搭建私有的Docker Registry,就是一个一举二得的方案了。 但目前国内的大多数企业使用的发行版,为Redhat体系,其中又以Centos环境居多。而网上的资料和出版的书籍在介绍Docker的时候都是以ubuntu为基础进行讲解和配置,而CentOS6.x以上版本访问私有的 Docker
Registry 都需要SSL的支持。因此使用CentOS来搭建此服务最大的难点是配置和使用SSL,并让做为反向代理的nginx支持SSL传输和认证。
环境
- 服务器IP:192.168.0201
- 服务器域名:registry.com
#https的SSL证书生成时不能用IP地址因此这里随意设置一个域名即可,不一定为真实域名。 - 客户端IP:192.168.0.203
- 代理服务器:nignx (反向代理)
一.在Registry服务器上配置SSL
1.安装相关的依赖。
1
| yum install -y gcc pcre-devel pcre-static openssl openssl-devel httpd-tools
|
- gcc 是编译器;
- pcre-devel pcre-static 是编译nginx时需要的依赖包;
- openssl openssl-devel 用于生成SSL根证书及密钥并进行nignx证书的签发;
- httpd-tools 用来生成登录https服务的帐号及密码。
2.添加域名到本地/etc/hosts
1
| echo "192.168.0.201 registry.com" >> /etc/hosts
|
3.生成跟秘钥
1
2
| cd /etc/pki/CA
rm -rf cacert.pem index.txt index.txt.attr index.txt.old serial serial.oldopenssl genrsa -out private/cakey.pem 2048
|
运行结果: Generating RSA private key, 2048 bit long modulus...................................................+++....................................................................................+++e is 65537 (0x10001)4.生成根证书
1
2
| cd /etc/pki/CA
openssl req -new -x509 -key private/cakey.pem -out cacert.pem
|
运行结果:
1
2
3
4
5
6
7
8
9
10
11
| You are about to be asked to enter information that will be incorporatedinto your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.-----Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:liaoning
Locality Name (eg, city) [Default City]:shenyang
Organization Name (eg, company) [Default Company Ltd]:cmzstevenstudio
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:registry.cmzsteven.com
Email Address []:
|
在运行过程中会提示一些信息用于生成私有的CA根证书。需要特别注意的是倒数第二行“Common Name”,这里需要输入的是事先准备好的服务器域名
生成的证书存放的位置:/etc/pki/CA/cacert.pem
5.为nginx生成ssl密钥
1
2
3
| mkdir -p /etc/nginx/ssl
cd /etc/nginx/ssl
openssl genrsa -out nginx.key 2048
|
运行结果:
1
| Generating RSA private key, 2048 bit long modulus...............................................................+++......................................+++e is 65537 (0x10001)
|
*CA中心服务与要申请证书的Nginx服务应该运行在同一台服务器上,否则应该是在需要运行Nginx服务的服务器上生成证书。
6.为nginx生成证书签署请求
1
| openssl req -new -key nginx.key -out nginx.csr
|
运行结果:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
| Generating RSA private key, 2048 bit long modulus...............................................................+++......................................+++e is 65537 (0x10001)[iyunv@DockerRegistry ssl]# openssl req -new -key nginx.key -out nginx.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:liaoning
Locality Name (eg, city) [Default City]:shenyang
Organization Name (eg, company) [Default Company Ltd]:cmzstevenstudio
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:registry.cmzsteven.com
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
|
生成过程与之前生成CA根证书的过程差不多。
“Common Name”需要填写事先准备好的域名。
最后多出的几行”challenge passwd”和”optional company name”可以为空。
7、使用私有CA根据Nginx的请求来签发证书
1
2
3
4
| touch /etc/pki/CA/index.txt
touch /etc/pki/CA/serial
echo 00 > /etc/pki/CA/serial
openssl ca -in nginx.csr -out nginx.crt
|
运行结果
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
| Using configuration from /etc/pki/tls/openssl.cnfCheck that the request matches the signatureSignature ok
Certificate Details:
Serial Number: 0 (0x0)
Validity Not Before: Oct 24 03:13:32 2015 GMT Not After : Oct 23 03:13:32 2016 GMT
Subject:
countryName = CN
stateOrProvinceName = liaoning
organizationName = cmzstevenstudio
commonName = registry.cmzsteven.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier: 59:6D:08:34:57:47:F4:5E:28:62:D5:60:3C:CF:37:10:45:70:53:66
X509v3 Authority Key Identifier:
keyid:AC:06:A4:97:32:75:46:13:BC:15:78:EC:F9:35:19:B9:22:DE:0D:B7
Certificate is to be certified until Oct 23 03:13:32 2016 GMT (365 days)Sign the certificate? [y/n]:y1 out of 1 certificate requests certified, commit? [y/n]yWrite out database with 1 new entries
Data Base Updated
|
在提示需要输入”[y/n]”时,都输入”y”就可以了。
三、在服务器上编译安装Nginx,并配置为反向代理1、下载Nginx源文件
2、编译安装Nginx
1
2
3
4
5
| tar -zxvf nginx-1.8.0.tar.gz
cd nginx-1.8.0
./configure --prefix=/usr/local/nginx --with-pcre --with-http_stub_status_module --with-http_ssl_module --with-http_addition_module --with-http_realip_module --with-http_flv_modulemake
make install
|
3、编译Nginx配置文件
1
2
| cd cd /usr/local/nginx/conf
vim nginx.conf
|
内容如下
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
| user nobody nobody;
worker_processes 2;
error_log /usr/local/nginx/logs/nginx_error.log crit;
pid /usr/local/nginx/logs/nginx.pid;worker_rlimit_nofile 51200;
events{
use epoll;
worker_connections 6000;
}
http{
include mime.types;
default_type application/octet-stream;
server_names_hash_bucket_size 3526;
server_names_hash_max_size 4096;
log_format combined_realip '$remote_addr $http_x_forwarded_for [$time_local]' '$host "$request_uri" $status' '"$http_referer" "$http_user_agent"';
sendfile on;
tcp_nopush on;
keepalive_timeout 30;
client_header_timeout 3m;
client_body_timeout 3m;
send_timeout 3m;
connection_pool_size 256;
client_header_buffer_size 1k;
large_client_header_buffers 8 4k;
request_pool_size 4k;
output_buffers 4 32k;
postpone_output 1460;
client_max_body_size 10m;
client_body_buffer_size 256k;
client_body_temp_path /usr/local/nginx/client_body_temp;
proxy_temp_path /usr/local/nginx/proxy_temp;
fastcgi_temp_path /usr/local/nginx/fastcgi_temp;
fastcgi_intercept_errors on;
tcp_nodelay on;
gzip on;
gzip_min_length 1k;
gzip_buffers 4 8k;
gzip_comp_level 5;
gzip_http_version 1.1;
gzip_types text/plain application/x-javascript text/css text/htm application/xml;
upstream registry { server 127.0.0.1:5000;
}
server { listen 443; server_name 10.0.0.201;#服务器的IP
ssl on;
ssl_certificate /etc/nginx/ssl/nginx.crt;
ssl_certificate_key /etc/nginx/ssl/nginx.key;
location / { auth_basic "registry";
auth_basic_user_file
/usr/local/nginx/conf/.htpasswd;
root html;
index index.html index.htm;
proxy_pass
http://registry;
proxy_set_header Host$ttp_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Authorization "";
client_body_buffer_size 128k;
proxy_connect_timeout 90;
proxy_send_timeout 90;
proxy_read_timeout 90;
proxy_temp_file_write_size 64k;
}
location /_ping {
auth_basic off;
proxy_pass http://registry;
}
location /v1/_ping {
auth_basic off;
proxy_pass http://registry;
}
}
}
|
验证配置是否正确:
1
2
3
| [iyunv@DockerRegistry nginx]# sbin/nginx -t nginx:
the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
|
4、启动Nginx服务
4.1、新建启动角本
touch /etc/init.d/nginxchmod 755 /etc/init.d/nginxvim /etc/init.d/nginx
角本内容如下
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
| #!/bin/bash
# chkconfig: - 30 21
# description: http service.
# Source Function Library
. /etc/init.d/functions
# Nginx Settings
NGINX_SBIN=
"/usr/local/nginx/sbin/nginx"
NGINX_CONF=
"/usr/local/nginx/conf/nginx.conf"
NGINX_PID=
"/usr/local/nginx/logs/nginx.pid"
RETVAL=
0
prog=
"Nginx"
start
() {
echo
-n $
"Starting
$prog
: "
mkdir -p /dev/shm/nginx_temp
daemon
$NGINX_SBIN
-c
$NGINX_CONF
RETVAL=$?
echo
return
$RETVAL
}
stop
() {
echo
-n $
"Stopping
$prog
: "
killproc -p
$NGINX_PID
$NGINX_SBIN
-TERM
rm -rf /dev/shm/nginx_temp
RETVAL=$?
echo
return
$RETVAL
}
reload
(){
echo
-n $
"Reloading
$prog
: "
killproc -p
$NGINX_PID
$NGINX_SBIN
-HUP
RETVAL=$?
echo
return
$RETVAL
}
restart
(){
stop
start
}
configtest
(){
$NGINX_SBIN
-c
$NGINX_CONF
-t
return
0
}
case
"
$1
"
in
start)
start
;;
stop)
stop
;;
reload)
reload
;;
restart)
restart
;;
configtest)
configtest
;;
*)
echo
$
"Usage:
$0
{start|stop|reload|restart|configtest}"
RETVAL=
1
esac
exit
$RETVAL
|
4.2、启动服务
chkconfig nginx on
service nginx start
5、生成登录https服务的账户和密码
htpasswd -cb /usr/local/nginx/conf/.htpasswd docker 123456
四、服务器上安装配置Docker Registry服务
1、安装Docker
yum -y install docker-io1
2、修改Docker配置文件
echo "DOCKER_OPTS=\"--insecure-registry docker.yy.com --tlsverify --tlscacert /etc/pki/CA/cacert.pem\"" >> /etc/sysconfig/docker1
3、启动Docker服务
chkconfig docker onservice docker start12
4、下载registry镜像
docker pull registry1
5、运行registry镜像
mkdir /docker_registry #在宿主机上新建用于存放镜像的文件夹docker run -d -p 5000:5000 -v /docker_registry:/tmp/registry --name=docker_registry registry12
命令详解:
-p 5000:5000 将本地5000端口映射到容器的5000端口上;
-v 将本地的文件夹/docker_registry映射到容器存放镜像文件的/tmp/registry文件夹;
–name 将生成的容器命名为:docker_registry。
查看生成的容器:
[iyunv@DockerRegistry nginx]# docker ps -aCONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES2185389323f5 registry "docker-registry" 14 seconds ago Up 12 seconds 0.0.0.0:5000->5000/tcp docker_registry123
6、将容器docker_registry设置为开自自启动
echo "docker start 2185389323f5" >> /etc/rc.local1
7、测试通过Nginx访问registry服务
[iyunv@DockerRegistry nginx]# curl -i -k -u docker:147258 https://registry.cmzsteven.com:443HTTP/1.1 200 OKServer: nginx/1.8.0Date: Sat, 24 Oct 2015 05:24:22 GMT Content-Type: application/json Content-Length: 28Connection: keep-aliveExpires: -1Pragma: no-cache Cache-Control: no-cache"\"docker-registry server\""123456789101112
如果测试结果出现“HTTP/1.1 200 OK”和 “\”docker-registry server\”” 说明registry服务器已经搭建成功。
五、客户端配置SSL
1、在客户端上添加registry的域名解析
echo "172.20.31.201 registry.cmzsteven.com" >> /etc/hosts1
2、将registry服务器上的根证书内容复制到客户端ca-certificates.crt里
服务器查看根证书内容:
[iyunv@DockerRegistry nginx]# cat /etc/pki/CA/cacert.pem1
根证书内容样例:
-----BEGIN CERTIFICATE-----MIIDrzCCApegAwIBAgIJAOIsiUqgCNd+MA0GCSqGSIb3DQEBBQUAMG4xCzAJBgNVBAYTAkNOMREwDwYDVQQIDAhsaWFvbmluZzERMA8GA1UEBwwIc2hlbnlhbmcxGDAWBgNVBAoMD2NtenN0ZXZlbnN0dWRpbzEfMB0GA1UEAwwWcmVnaXN0cnkuY216c3RldmVuLmNvbTAeFw0xNTEwMjQwMjUwNTlaFw0xNTExMjMwMjUwNTlaMG4xCzAJBgNVBAYTAkNOMREwDwYDVQQIDAhsaWFvbmluZzERMA8GA1UEBwwIc2hlbnlhbmcxGDAWBgNVBAoMD2NtenN0ZXZlbnN0dWRpbzEfMB0GA1UEAwwWcmVnaXN0cnkuY216c3RldmVuLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALCGouLPUJpFQXMLZlG1CORskWXd9HK2s1Vd2lwb6ufePZ7WMBtS59cdQmcXHZSdSGzwmZtUY+M647x4Har9T+4RGiBvD2AvFqQ9SxziKzI4u3BTROmeEJocsEaW6LXDqlsh9tYfVAbR10/392WvGNTIgL5iPd+depEcilV7M7i3vd3sTmJ3JCDm6yATTs9B5vNeBlYyuQP6rQjBla2+KOZeUJ8u4VCl8FZWzuepQBMMwF8yOujBFP4xuhumzeg7bqYnxQeeMjyxK2jZc+cRLNdJ5qi66MQJksRt5F2EU402P80dbaJH7Aqc2/rEAbjLCTsPuI3VBUVZpec69ZmtudMCAwEAAaNQME4wHQYDVR0OBBYEFKwGpJcydUYTvBV47Pk1Gbki3g23MB8GA1UdIwQYMBaAFKwGpJcydUYTvBV47Pk1Gbki3g23MAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADggEBAIWcx606kPeA6CA4KcPZgDULMu5ZmOwHoXCGKez8EbRI5Vc3IgteFXalRf4Z6PrOh/u4qY0LxgeSOcD5Ws6qA0hAexRqrxsH2mYcbADMwnL5xUp22y5HxuZ2NpRV4rEe8s8vUEgrJECJgfbyMKXPHGwLCnIYu0YxYParYkfLHd4nE3h0ZiXhry6p3k2//0WwLQdW8lnRO3mTNOtfJVUzoNtIOCK/kkKTMqPX+U+zb0j65mlTLqTkhebtETiLd6XwO5QsNXU6iQ5iJgSrAlQVX/2VMgOXsqX6QJBetYiemfGqaZIpppcffUpDdP8WNv1t4nLac2gEQZjNo5GY5APCs2A=-----END CERTIFICATE-----12345678910111213141516171819202122
上你搭建的服务器上的根证书的内容复制到
touch /etc/pki/tls/certs/ca-certificates.crtvim /etc/pki/tls/certs/ca-certificates.crt12
3、测试访问服务器registry
[iyunv@localhost ~]# curl -i -k -u docker:147258 https://registry.cmzsteven.comHTTP/1.1 200 OKServer: nginx/1.8.0Date: Sat, 24 Oct 2015 05:46:24 GMT Content-Type: application/json Content-Length: 28Connection: keep-aliveExpires: -1Pragma: no-cache Cache-Control: no-cache"\"docker-registry server\""123456789101112
OK!
4、客户端通过Docker登录registry服务
docker login -u docker -p 147258 https://registry.cmzsteven.com12
当client端 docker login出现 x509: certificate signed by unknown authority 错误时的解决方法:
#重命名根证书mv /etc/pki/tls/certs/ca-certificates.crt /etc/pki/tls/certs/ca-certificates.crt.bak#重启docker服务! service docker restart1234
六、客户端上传镜像
1、下载centos镜像用于测试*
docker pull centos1
下载后查看镜像:
[iyunv@localhost ~]# docker images REPOSITORY TAG IMAGE ID CREATED VIRTUAL SIZEcentos latest 0f73ae75014f 6 weeks ago 172.3 MB123
2、给下载的镜像打个私有仓库的tag
docker tag centos:latest registrycom/centos:latest1
查看镜像:
[iyunv@localhost ~]# docker imagesREPOSITORY TAG IMAGE ID CREATED VIRTUAL SIZE registry.cmzsteven.com/centos latest 0f73ae75014f 6 weeks ago 172.3 MB centos latest 0f73ae75014f 6 weeks ago 172.3 MB1234
3、上传镜像到registry服务器
[iyunv@localhost ~]# docker push registry.cmzsteven.com/centos:latestThe push refers to a repository [registry.cmzsteven.com/centos] (len: 1) Sending image list Pushing repository registry.cmzsteven.com/centos (1 tags)47d44cb6f252: Image successfully pushedf6f39725d938: Image successfully pushedf9a8cbc8dd13: Image successfully pushedf37e6a610a37: Image successfully pushed0f73ae75014f: Image successfully pushed Pushing tag for rev [0f73ae75014f] on {https://registry.cmzsteven.com/v1/repositories/centos/tags/latest}12345678910
七、客户端下载镜像
1、从registry服务器下载镜像
为了测试先删除之前打过tag的镜像:
[iyunv@localhost ~]# docker rmi registry.cmzsteven.com/centos:latestUntagged: registry.cmzsteven.com/centos:latest12
下载镜像:
[iyunv@localhost ~]# docker pull registry.cmzsteven.com/centos:latestPulling repository registry.cmzsteven.com/centos0f73ae75014f: Download complete47d44cb6f252: Download completef6f39725d938: Download completef9a8cbc8dd13: Download completef37e6a610a37: Download completeStatus: Image is up to date for registry.cmzsteven.com/centos:latest12345678
2、查看下载的镜像
[iyunv@localhost ~]# docker imagesREPOSITORY TAG IMAGE ID CREATED VIRTUAL SIZE centos latest 0f73ae75014f 6 weeks ago 172.3 MB
参考博客 http://blog.csdn.net/cmzsteven/article/details/49382651
| 
QQ群⑧:
窥视卡
雷达卡
发表于 2016-3-15 08:29:27
提升卡
置顶卡
沉默卡
喧嚣卡
变色卡
千斤顶
显身卡