setup Docker private registry

ndlli

　　
　　一、 普通模式， no ssl

　　setup private docker registry (参考 https://www.digitalocean.com/community/tutorials/how-to-set-up-a-private-docker-registry-on-ubuntu-14-04 and http://www.dropbit.ch/private-docker-registry-with-nginx-on-centos-7/   )

　　On dedicated Docker private registry host, we use CentOS7:

　　add CentOS-Extras repository
　　yum -y install docker-registry
systemctl start docker-registry
systemctl enable docker-registry
　　

　　install docker to pull images you needed, then
　　vi /etc/sysconfig/docker
INSECURE_REGISTRY='--insecure-registry=docker-registry-host:5000'

systemctl restart docker

　　
docker tag image-id registry-host-name:5000/ubuntu:14.04.2 , etc

docker push registry-host-name:5000/ubuntu:14.04.2, etc
　　

　　查看docker private registry:
　　curl http://registry-host-name:5000/v1/search
　　

　　on normal docker hosts that want to use this private registry:
　　CentOS7:
vi /etc/sysconfig/docker
INSECURE_REGISTRY='--insecure-registry=docker-registry-host:5000'

systemctl restart docker
docker pull docker-registry-host:5000/ubuntu:14.04.2
　　

　　CentOS6:
vi /etc/sysconfig/docker
other_args="--registry-mirror=http://8c6d2546.m.daocloud.io --insecure-registry=docker-registry-host:5000"
　　
service docker restart
docker pull docker-registry-host:5000/ubuntu:14.04.2

Ubuntu 14.04.2
vi /etc/default/docker
DOCKER_OPTS="--registry-mirror=http://8c6d2546.m.daocloud.io --insecure-registry=192.168.1.6:5000"

service docker restart
docker pull docker-registry-host:5000/ubuntu:14.04.2
　　

　　Notes: docker run -d -p 5000:5000 -v /opt/docker/registry:/tmp/registry registry:latest
　　

　　一、 安全模式， with ssl
　　On dedicated Docker private registry host, we use CentOS7:

add CentOS-Extras repository
yum -y install docker-registry
systemctl start docker-registry
systemctl enable docker-registry

1. Installing Nginx:
add EPEL repository
yum -y install nginx
systemctl enable nginx
systemctl start nginx

2. Configure access through Nginx to your private docker registry
vi /etc/hosts
ip-address-of-docker-registry    www.ilovedocker.com

mkdir /etc/nginx/sites-available
vi /etc/nginx/sites-available/docker-registry
# For versions of Nginx > 1.3.9 that include chunked transfer encoding support
# Replace with appropriate values where necessary

upstream private-docker-registry {
server localhost:5000;
}

server {
listen 443;
server_name www.ilovedocker.com;

#ssl on;
#ssl_certificate /etc/pki/tls/certs/www.ilovedocker.com.crt;
#ssl_certificate_key /etc/pki/tls/private/www.ilovedocker.com.key;

proxy_set_header Host       $http_host;   # required for Docker client sake
proxy_set_header X-Real-IP  $remote_addr; # pass on real client IP

client_max_body_size 0; # disable any limits to avoid HTTP 413 for large image uploads

# required to avoid HTTP 411: see Issue #1486 (https://github.com/dotcloud/docker/issues/1486)
chunked_transfer_encoding on;

location / {
     # let Nginx know about our auth file
     auth_basic              "Restricted";
     auth_basic_user_file    docker-registry.htpasswd;

     proxy_pass http://private-docker-registry;
}
location /_ping {
     auth_basic off;
     proxy_pass http://private-docker-registry;
}
location /v1/_ping {
     auth_basic off;
     proxy_pass http://private-docker-registry;
}

}

vi /etc/sysconfig/docker-registry
REGISTRY_ADDRESS=127.0.0.1

systemctl restart docker-registry

yum -y install httpd-tools
htpasswd -c /etc/nginx/docker-registry.htpasswd USERNAME
Open the file /etc/nginx/nginx.conf and add after the line “include /etc/nginx/conf.d/*.conf;”the following:
include /etc/nginx/sites-enabled/*;

mkdir /etc/nginx/sites-enabled
ln -s /etc/nginx/sites-available/docker-registry /etc/nginx/sites-enabled/docker-registry
systemctl reload nginx

curl USER:PASSWORD@www.ilovedocker.com:443


3. Configure Nginx to use ssl
mkdir ~/certs
cd ~/certs

create a new root key:
openssl genrsa -out dockerCA.key 2048

create a root certificate, you don’t have to answer the upcoming question, just hit enter:
openssl req -x509 -new -nodes -key dockerCA.key -days 3650 -out dockerCA.crt

create a private key for your Nginx Server:
openssl genrsa -out www.ilovedocker.com.key 2048

Next a certificate signing request is needed:
openssl req -new -key www.ilovedocker.com.key -out www.ilovedocker.com.csr
Answer the upcoming question for “Common Name” with the domain of your server, e.g: www.ilovedocker.com. Don’t provide a challenge password.

sign the certificate request:
openssl x509 -req -in www.ilovedocker.com.csr -CA dockerCA.crt -CAkey dockerCA.key -CAcreateserial -out www.ilovedocker.com.crt -days 3650

vi /etc/nginx/sites-available/docker-registry to uncomment ssl lines

cp www.ilovedocker.com.crt /etc/pki/tls/certs/
cp www.ilovedocker.com.key /etc/pki/tls/private/

update-ca-trust enable
cp dockerCA.crt /etc/pki/ca-trust/source/anchors/
update-ca-trust extract
systemctl reload nginx

curl https://USER:PASSWORD@www.ilovedocker.com

4. on remote docker host

　　docker with your private remote docker registry
Ubuntu 14.04:
vi /etc/hosts
ip-address-of-docker-registry    www.ilovedocker.com

copy dockerCA.crt to /usr/local/share/ca-certificates
update-ca-certificates

CentOS6/7:
vi /etc/hosts
ip-address-of-docker-registry    www.ilovedocker.com

copy dockerCA.crt to /etc/pki/ca-trust/source/anchors
update-ca-trust enable
update-ca-trust extract

docker login https://www.ilovedocker.com
docker pull ubuntu
docker tag ubuntu www.ilovedocker.com/ubuntu:hj
docker push www.ilovedocker.com/ubuntu:hj