搭建docker私有库registry

li26598296 · 发表于 2018-5-29 12:21:00

　　最近公司测试环境需要用docker，个人也觉得docker的build one Run Anywhere非常强大。
　　

由于目前大多数的镜像下载网站都是在国外站点，国内用户在下镜像的时候就时常遇到下载速度超慢的情况；而且在将Docker应用到生产环境的过程中，还会面临下载过来的Docker镜像是否安全的问题。因些在生产环境下搭建私有的Docker Registry，就是一个一举二得的方案了。
但目前国内的大多数企业使用的发行版，为Redhat体系，其中又以Centos环境居多。而网上的资料和出版的书籍在介绍Docker的时候都是以ubuntu为基础进行讲解和配置，而CentOS6.x以上版本访问私有的 Docker
Registry 都需要SSL的支持。因此使用CentOS来搭建此服务最大的难点是配置和使用SSL，并让做为反向代理的nginx支持SSL传输和认证。

环境

　　服务器IP：192.168.0201
　　服务器域名：registry.com
#https的SSL证书生成时不能用IP地址因此这里随意设置一个域名即可，不一定为真实域名。
　　客户端IP：192.168.0.203
　　代理服务器：nignx (反向代理)

　　一.在Registry服务器上配置SSL

　　1.安装相关的依赖。
yum install -y gcc pcre-devel pcre-static openssl openssl-devel httpd-tools

　　gcc 是编译器；
　　pcre-devel pcre-static 是编译nginx时需要的依赖包；
　　openssl openssl-devel 用于生成SSL根证书及密钥并进行nignx证书的签发；
　　httpd-tools 用来生成登录https服务的帐号及密码。

　　2.添加域名到本地/etc/hosts

echo "192.168.0.201 registry.com" >> /etc/hosts　　3.生成跟秘钥
cd /etc/pki/CA
rm -rf cacert.pem index.txt index.txt.attr index.txt.old serial serial.oldopenssl genrsa -out private/cakey.pem 2048运行结果：
Generating RSA private key, 2048 bit long modulus...................................................+++....................................................................................+++e is 65537 (0x10001)　　4.生成根证书
cd /etc/pki/CA
openssl req -new -x509 -key private/cakey.pem -out cacert.pem　　运行结果:
You are about to be asked to enter information that will be incorporatedinto your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.-----Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:liaoning
Locality Name (eg, city) [Default City]:shenyang
Organization Name (eg, company) [Default Company Ltd]:cmzstevenstudio
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:registry.cmzsteven.com
Email Address []:　　在运行过程中会提示一些信息用于生成私有的CA根证书。需要特别注意的是倒数第二行“Common Name”，这里需要输入的是事先准备好的服务器域名
生成的证书存放的位置：/etc/pki/CA/cacert.pem
　　
　　5.为nginx生成ssl密钥
mkdir -p /etc/nginx/ssl
cd /etc/nginx/ssl
openssl genrsa -out nginx.key 2048　　运行结果:
Generating RSA private key, 2048 bit long modulus...............................................................+++......................................+++e is 65537 (0x10001)　　*CA中心服务与要申请证书的Nginx服务应该运行在同一台服务器上，否则应该是在需要运行Nginx服务的服务器上生成证书。
　　
　　6.为nginx生成证书签署请求
openssl req -new -key nginx.key -out nginx.csr　　运行结果：
Generating RSA private key, 2048 bit long modulus...............................................................+++......................................+++e is 65537 (0x10001)[root@DockerRegistry ssl]# openssl req -new -key nginx.key -out nginx.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:liaoning
Locality Name (eg, city) [Default City]:shenyang
Organization Name (eg, company) [Default Company Ltd]:cmzstevenstudio
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:registry.cmzsteven.com
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:　　生成过程与之前生成CA根证书的过程差不多。
“Common Name”需要填写事先准备好的域名。
最后多出的几行”challenge passwd”和”optional company name”可以为空。
　　7、使用私有CA根据Nginx的请求来签发证书
touch /etc/pki/CA/index.txt
touch /etc/pki/CA/serial
echo 00 > /etc/pki/CA/serial
openssl ca -in nginx.csr -out nginx.crt　　运行结果
Using configuration from /etc/pki/tls/openssl.cnfCheck that the request matches the signatureSignature ok
Certificate Details:
      Serial Number: 0 (0x0)
      Validity          Not Before: Oct 24 03:13:32 2015 GMT          Not After : Oct 23 03:13:32 2016 GMT
      Subject:
         countryName             = CN
         stateOrProvinceName    = liaoning
         organizationName       = cmzstevenstudio
         commonName             = registry.cmzsteven.com
      X509v3 extensions:
         X509v3 Basic Constraints:
            CA:FALSE
         Netscape Comment:
            OpenSSL Generated Certificate
         X509v3 Subject Key Identifier:             59:6D:08:34:57:47:F4:5E:28:62:D5:60:3C:CF:37:10:45:70:53:66
         X509v3 Authority Key Identifier:
            keyid:AC:06:A4:97:32:75:46:13:BC:15:78:EC:F9:35:19:B9:22:DE:0D:B7
Certificate is to be certified until Oct 23 03:13:32 2016 GMT (365 days)Sign the certificate? [y/n]:y1 out of 1 certificate requests certified, commit? [y/n]yWrite out database with 1 new entries
Data Base Updated　　在提示需要输入”[y/n]”时，都输入”y”就可以了。
　　

三、在服务器上编译安装Nginx，并配置为反向代理
　　1、下载Nginx源文件

cd /usr/local/src
yum install -y wget
wget http://nginx.org/download/nginx-1.8.0.tar.gz　　2、编译安装Nginx
tar -zxvf nginx-1.8.0.tar.gz
cd nginx-1.8.0
./configure --prefix=/usr/local/nginx --with-pcre --with-http_stub_status_module --with-http_ssl_module --with-http_addition_module --with-http_realip_module --with-http_flv_modulemake
make install　　3、编译Nginx配置文件
cd cd /usr/local/nginx/conf
vim nginx.conf　　内容如下
user nobody nobody;
worker_processes 2;
error_log /usr/local/nginx/logs/nginx_error.log crit;
pid /usr/local/nginx/logs/nginx.pid;worker_rlimit_nofile 51200;
events{
use epoll;
worker_connections 6000;
}
http{
include mime.types;
default_type application/octet-stream;
server_names_hash_bucket_size 3526;
server_names_hash_max_size 4096;
log_format combined_realip '$remote_addr $http_x_forwarded_for [$time_local]' '$host "$request_uri" $status' '"$http_referer" "$http_user_agent"';
sendfile on;
tcp_nopush on;
keepalive_timeout 30;
client_header_timeout 3m;
   client_body_timeout 3m;
   send_timeout 3m;
   connection_pool_size 256;
   client_header_buffer_size 1k;
   large_client_header_buffers 8 4k;
   request_pool_size 4k;
   output_buffers 4 32k;
   postpone_output 1460;
   client_max_body_size 10m;
   client_body_buffer_size 256k;
      client_body_temp_path /usr/local/nginx/client_body_temp;
      proxy_temp_path /usr/local/nginx/proxy_temp;
   fastcgi_temp_path /usr/local/nginx/fastcgi_temp;
   fastcgi_intercept_errors on;
   tcp_nodelay on;
   gzip on;
      gzip_min_length 1k;
      gzip_buffers 4 8k;
      gzip_comp_level 5;
      gzip_http_version 1.1;
         gzip_types text/plain application/x-javascript text/css text/htm application/xml;
      upstream registry {       server 127.0.0.1:5000;
}
      server { listen 443; server_name  10.0.0.201;#服务器的IP
      ssl  on;
      ssl_certificate /etc/nginx/ssl/nginx.crt;
      ssl_certificate_key /etc/nginx/ssl/nginx.key;
      location / {    auth_basic "registry";
      auth_basic_user_file
      /usr/local/nginx/conf/.htpasswd;
      root html;
      index index.html index.htm;
      proxy_pass
      http://registry;
      proxy_set_header  Host$ttp_host;
      proxy_set_header  X-Real-IP    $remote_addr;
      proxy_set_header  Authorization  "";
      client_body_buffer_size    128k;
      proxy_connect_timeout    90;
      proxy_send_timeout       90;
      proxy_read_timeout       90;
      proxy_temp_file_write_size  64k;
      }
         location /_ping {
         auth_basic off;
         proxy_pass http://registry;
                  }
               location /v1/_ping {
                  auth_basic off;
                  proxy_pass http://registry;
            }
            }
      }　　验证配置是否正确：
[root@DockerRegistry nginx]# sbin/nginx -t nginx:
the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful　　4、启动Nginx服务
4.1、新建启动角本
　　touch /etc/init.d/nginx
chmod 755 /etc/init.d/nginx
vim /etc/init.d/nginx
　　角本内容如下
#!/bin/bash
# chkconfig: - 30 21
# description: http service.
# Source Function Library
. /etc/init.d/functions
# Nginx Settings
NGINX_SBIN=
"/usr/local/nginx/sbin/nginx"
NGINX_CONF=
"/usr/local/nginx/conf/nginx.conf"
NGINX_PID=
"/usr/local/nginx/logs/nginx.pid"
RETVAL=
0
prog=
"Nginx"
start
() {
echo
-n $
"Starting
$prog
: "
      mkdir -p /dev/shm/nginx_temp
      daemon
$NGINX_SBIN
-c
$NGINX_CONF
      RETVAL=$?
echo

return
$RETVAL
}
stop
() {
echo
-n $
"Stopping
$prog
: "
      killproc -p
$NGINX_PID
$NGINX_SBIN
-TERM
      rm -rf /dev/shm/nginx_temp
      RETVAL=$?
echo

return
$RETVAL
}
reload
(){
echo
-n $
"Reloading
$prog
: "
      killproc -p
$NGINX_PID
$NGINX_SBIN
-HUP
      RETVAL=$?
echo

return
$RETVAL
}
restart
(){
      stop
      start
}
configtest
(){
$NGINX_SBIN
-c
$NGINX_CONF
-t
return
0
}
case
"
$1
"
in
  start)
      start
      ;;
  stop)
      stop
      ;;
  reload)
      reload
      ;;
  restart)
      restart
      ;;
  configtest)
      configtest
      ;;
  *)
echo
$
"Usage:
$0
{start|stop|reload|restart|configtest}"
      RETVAL=
1
esac
exit
$RETVAL　　4.2、启动服务
　　chkconfig nginx on
　　service nginx start
　　5、生成登录https服务的账户和密码
　　htpasswd -cb /usr/local/nginx/conf/.htpasswd docker 123456
　　四、服务器上安装配置Docker Registry服务

　　
1、安装Docker
yum -y install docker-io12、修改Docker配置文件
echo "DOCKER_OPTS=\"--insecure-registry docker.yy.com --tlsverify --tlscacert /etc/pki/CA/cacert.pem\"" >> /etc/sysconfig/docker13、启动Docker服务
chkconfig docker onservice docker start124、下载registry镜像
docker pull registry15、运行registry镜像
mkdir /docker_registry  #在宿主机上新建用于存放镜像的文件夹docker run -d -p 5000:5000 -v /docker_registry:/tmp/registry --name=docker_registry registry12命令详解：

　　-p 5000：5000 将本地5000端口映射到容器的5000端口上；

　　-v 将本地的文件夹/docker_registry映射到容器存放镜像文件的/tmp/registry文件夹；

　　–name 将生成的容器命名为：docker_registry。

查看生成的容器：
[root@DockerRegistry nginx]# docker ps -aCONTAINER ID       IMAGE             COMMAND          CREATED          STATUS             PORTS                   NAMES2185389323f5       registry          "docker-registry" 14 seconds ago    Up 12 seconds    0.0.0.0:5000->5000/tcp docker_registry1236、将容器docker_registry设置为开自自启动
echo "docker start 2185389323f5" >> /etc/rc.local17、测试通过Nginx访问registry服务
[root@DockerRegistry nginx]# curl -i -k -u docker:147258  https://registry.cmzsteven.com:443HTTP/1.1 200 OKServer: nginx/1.8.0Date: Sat, 24 Oct 2015 05:24:22 GMT
Content-Type: application/json
Content-Length: 28Connection: keep-aliveExpires: -1Pragma: no-cache
Cache-Control: no-cache"\"docker-registry server\""123456789101112如果测试结果出现“HTTP/1.1 200 OK”和 “\”docker-registry server\”” 说明registry服务器已经搭建成功。
五、客户端配置SSL
1、在客户端上添加registry的域名解析
echo "172.20.31.201 registry.cmzsteven.com" >> /etc/hosts12、将registry服务器上的根证书内容复制到客户端ca-certificates.crt里
服务器查看根证书内容：
[root@DockerRegistry nginx]# cat /etc/pki/CA/cacert.pem1根证书内容样例：
-----BEGIN CERTIFICATE-----MIIDrzCCApegAwIBAgIJAOIsiUqgCNd+MA0GCSqGSIb3DQEBBQUAMG4xCzAJBgNVBAYTAkNOMREwDwYDVQQIDAhsaWFvbmluZzERMA8GA1UEBwwIc2hlbnlhbmcxGDAWBgNVBAoMD2NtenN0ZXZlbnN0dWRpbzEfMB0GA1UEAwwWcmVnaXN0cnkuY216c3RldmVuLmNvbTAeFw0xNTEwMjQwMjUwNTlaFw0xNTExMjMwMjUwNTlaMG4xCzAJBgNVBAYTAkNOMREwDwYDVQQIDAhsaWFvbmluZzERMA8GA1UEBwwIc2hlbnlhbmcxGDAWBgNVBAoMD2NtenN0ZXZlbnN0dWRpbzEfMB0GA1UEAwwWcmVnaXN0cnkuY216c3RldmVuLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALCGouLPUJpFQXMLZlG1CORskWXd9HK2s1Vd2lwb6ufePZ7WMBtS59cdQmcXHZSdSGzwmZtUY+M647x4Har9T+4RGiBvD2AvFqQ9SxziKzI4u3BTROmeEJocsEaW6LXDqlsh9tYfVAbR10/392WvGNTIgL5iPd+depEcilV7M7i3vd3sTmJ3JCDm6yATTs9B5vNeBlYyuQP6rQjBla2+KOZeUJ8u4VCl8FZWzuepQBMMwF8yOujBFP4xuhumzeg7bqYnxQeeMjyxK2jZc+cRLNdJ5qi66MQJksRt5F2EU402P80dbaJH7Aqc2/rEAbjLCTsPuI3VBUVZpec69ZmtudMCAwEAAaNQME4wHQYDVR0OBBYEFKwGpJcydUYTvBV47Pk1Gbki3g23MB8GA1UdIwQYMBaAFKwGpJcydUYTvBV47Pk1Gbki3g23MAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADggEBAIWcx606kPeA6CA4KcPZgDULMu5ZmOwHoXCGKez8EbRI5Vc3IgteFXalRf4Z6PrOh/u4qY0LxgeSOcD5Ws6qA0hAexRqrxsH2mYcbADMwnL5xUp22y5HxuZ2NpRV4rEe8s8vUEgrJECJgfbyMKXPHGwLCnIYu0YxYParYkfLHd4nE3h0ZiXhry6p3k2//0WwLQdW8lnRO3mTNOtfJVUzoNtIOCK/kkKTMqPX+U+zb0j65mlTLqTkhebtETiLd6XwO5QsNXU6iQ5iJgSrAlQVX/2VMgOXsqX6QJBetYiemfGqaZIpppcffUpDdP8WNv1t4nLac2gEQZjNo5GY5APCs2A=-----END CERTIFICATE-----12345678910111213141516171819202122上你搭建的服务器上的根证书的内容复制到
touch /etc/pki/tls/certs/ca-certificates.crtvim /etc/pki/tls/certs/ca-certificates.crt123、测试访问服务器registry
[root@localhost ~]# curl -i -k -u docker:147258 https://registry.cmzsteven.comHTTP/1.1 200 OKServer: nginx/1.8.0Date: Sat, 24 Oct 2015 05:46:24 GMT
Content-Type: application/json
Content-Length: 28Connection: keep-aliveExpires: -1Pragma: no-cache
Cache-Control: no-cache"\"docker-registry server\""123456789101112OK!
4、客户端通过Docker登录registry服务
docker login -u docker -p 147258 https://registry.cmzsteven.com12当client端 docker login出现 x509: certificate signed by unknown authority 错误时的解决方法：
#重命名根证书mv /etc/pki/tls/certs/ca-certificates.crt /etc/pki/tls/certs/ca-certificates.crt.bak#重启docker服务! service docker restart1234六、客户端上传镜像
1、下载centos镜像用于测试*
docker pull centos1下载后查看镜像：
[root@localhost ~]# docker images  REPOSITORY                   TAG                IMAGE ID          CREATED          VIRTUAL SIZEcentos                         latest             0f73ae75014f       6 weeks ago       172.3 MB1232、给下载的镜像打个私有仓库的tag
docker tag centos:latest registrycom/centos:latest1查看镜像：
[root@localhost ~]# docker imagesREPOSITORY                   TAG                IMAGE ID          CREATED          VIRTUAL SIZE
registry.cmzsteven.com/centos latest             0f73ae75014f       6 weeks ago       172.3 MB
centos                         latest             0f73ae75014f       6 weeks ago       172.3 MB12343、上传镜像到registry服务器
[root@localhost ~]# docker push registry.cmzsteven.com/centos:latestThe push refers to a repository [registry.cmzsteven.com/centos] (len: 1)
Sending image list
Pushing repository registry.cmzsteven.com/centos (1 tags)47d44cb6f252: Image successfully pushedf6f39725d938: Image successfully pushedf9a8cbc8dd13: Image successfully pushedf37e6a610a37: Image successfully pushed0f73ae75014f: Image successfully pushed
Pushing tag for rev [0f73ae75014f] on {https://registry.cmzsteven.com/v1/repositories/centos/tags/latest}12345678910七、客户端下载镜像
1、从registry服务器下载镜像
为了测试先删除之前打过tag的镜像：
[root@localhost ~]# docker rmi registry.cmzsteven.com/centos:latestUntagged: registry.cmzsteven.com/centos:latest12下载镜像：
[root@localhost ~]# docker pull registry.cmzsteven.com/centos:latestPulling repository registry.cmzsteven.com/centos0f73ae75014f: Download complete47d44cb6f252: Download completef6f39725d938: Download completef9a8cbc8dd13: Download completef37e6a610a37: Download completeStatus: Image is up to date for registry.cmzsteven.com/centos:latest123456782、查看下载的镜像

[root@localhost ~]# docker imagesREPOSITORY                   TAG                IMAGE ID          CREATED          VIRTUAL SIZE
centos                         latest             0f73ae75014f       6 weeks ago       172.3 MB　　参考博客  http://blog.csdn.net/cmzsteven/article/details/49382651

账号		自动登录	找回密码
密码			立即注册

wirelessnetview好用的无线分析工具

亿图图示专家(EDraw Max) V7.9 中文破解版

zabbix3.4.1安装部署+微信推送信息+大屏显

Red Hat OpenShift I: Containers & Kubern

2025 年，C++ 还能“硬核”多久？

RH199 RHCSA Rapid Track

Red Hat RHCE 8 (EX294) Cert Guide

[经验分享] 搭建docker私有库registry

浏览过的版块

扫码加入运维网微信交流群