
Setting up a local Docker registry on Ubuntu 14.04 (trusty)

2015-06-16 17:44
More content is available on my own blog:
http://www.justfbt.com/


Step One - Prerequisites

# apt-get update
# apt-get -y install build-essential python-dev libevent-dev python-pip liblzma-dev


Step Two — Install & configure Docker Registry

# pip install docker-registry


By default docker stores its data under /tmp; create a new directory to hold our data instead:

# mkdir /var/docker-registry


Docker-registry needs a configuration file:

# cd /usr/local/lib/python2.7/dist-packages/docker_registry/lib/../../config/
# cp config_sample.yml config.yml


Now edit the config.yml file: find the line beginning with sqlalchemy_index_database:

## at line 22
sqlalchemy_index_database:
_env:SQLALCHEMY_INDEX_DATABASE:sqlite:////tmp/docker-registry.db

Change the database path to /var/docker-registry, as follows:

sqlalchemy_index_database:
_env:SQLALCHEMY_INDEX_DATABASE:sqlite:////var/docker-registry/docker-registry.db


Next, modify the "local:" section, as follows:

## at line 72
local: &local
storage: local
storage_path: _env:STORAGE_PATH:/tmp/registry

Change it to:

local: &local
storage: local
storage_path: _env:STORAGE_PATH:/var/docker-registry/registry


The other values in the template configuration file can be left at their defaults; nothing else needs changing. If you need more advanced features, such as using internal storage for your docker data, see the docker-registry documentation.

Test:

# gunicorn --access-logfile - --debug -k gevent -b 0.0.0.0:5000 -w 1 docker_registry.wsgi:application


Normally you should see output like the following:

2014-07-27 07:12:24 [29344] [INFO] Starting gunicorn 18.0
2014-07-27 07:12:24 [29344] [INFO] Listening at: http://0.0.0.0:5000 (29344)
2014-07-27 07:12:24 [29344] [INFO] Using worker: gevent
2014-07-27 07:12:24 [29349] [INFO] Booting worker with pid: 29349
2014-07-27 07:12:24,807 DEBUG: Will return docker-registry.drivers.file.Storage


Step Three - Run Docker Registry as a service

Create a directory for the log files:

# mkdir -p /var/log/docker-registry


Create the startup script:

# vim /etc/init/docker-registry.conf


description "Docker Registry"

start on runlevel [2345]
stop on runlevel [016]

respawn
respawn limit 10 5

script
exec gunicorn --access-logfile /var/log/docker-registry/access.log --error-logfile /var/log/docker-registry/server.log -k gevent --max-requests 100 --graceful-timeout 3600 -t 3600 -b localhost:5000 -w 8 docker_registry.wsgi:application
end script


# ln -s /etc/init/docker-registry.conf /etc/init.d/docker-registry


Test:

# service docker-registry status
docker-registry stop/waiting

# service docker-registry start
docker-registry start/running, process 16287


Step Four — Configure nginx to make the Docker Registry more secure

First, configure authentication so that not just anyone can log in to our server.

Install the nginx and apache2-utils packages (the latter is used to create the authentication file):

# apt-get -y install nginx apache2-utils


Now create the Docker authentication user:

# htpasswd -c /etc/nginx/docker-registry.htpasswd USERNAME


At the prompt, enter the password to be used when logging in to the docker registry.

To add more users, just repeat the command above (but without the -c option):

# htpasswd /etc/nginx/docker-registry.htpasswd USERNAME_2


Next, configure nginx to proxy requests to docker-registry:

# vim /etc/nginx/sites-available/docker-registry


# For versions of Nginx > 1.3.9 that include chunked transfer encoding support
# Replace with appropriate values where necessary

upstream docker-registry {
    server localhost:5000;
}

server {
    listen 8080;
    server_name xxxx;

    # ssl on;
    # ssl_certificate /etc/ssl/certs/docker-registry;
    # ssl_certificate_key /etc/ssl/private/docker-registry;

    proxy_set_header Host       $http_host;   # required for Docker client sake
    proxy_set_header X-Real-IP  $remote_addr; # pass on real client IP

    client_max_body_size 0; # disable any limits to avoid HTTP 413 for large image uploads

    # required to avoid HTTP 411: see Issue #1486 (https://github.com/dotcloud/docker/issues/1486)
    chunked_transfer_encoding on;

    location / {
        # let Nginx know about our auth file
        auth_basic              "Restricted";
        auth_basic_user_file    docker-registry.htpasswd;

        proxy_pass http://docker-registry;
    }
    location /_ping {
        auth_basic off;
        proxy_pass http://docker-registry;
    }
    location /v1/_ping {
        auth_basic off;
        proxy_pass http://docker-registry;
    }
}


# ln -s /etc/nginx/sites-available/docker-registry /etc/nginx/sites-enabled/docker-registry
# service nginx reload


Test: verify docker-registry:

# curl localhost:5000
"\"docker-registry server\""


Verify nginx:

# curl localhost:8080
<html>
<head><title>401 Authorization Required</title></head>
<body bgcolor="white">
<center><h1>401 Authorization Required</h1></center>
<hr><center>nginx/1.4.6 (Ubuntu)</center>
</body>
</html>


Verify nginx authentication:

# curl USERNAME:PASSWORD@localhost:8080
"\"docker-registry server\""


Step Five — Configure SSL

Open the nginx configuration file and edit it:

# vim /etc/nginx/sites-available/docker-registry   # make the following changes:
ssl on;
ssl_certificate /etc/ssl/certs/docker-registry;
ssl_certificate_key /etc/ssl/private/docker-registry;


Save and exit.

nginx now supports SSL, and from the configuration we know that the SSL certificate and key paths are /etc/ssl/certs/docker-registry and /etc/ssl/private/docker-registry respectively.


Next, generate a self-signed certificate:

First create a directory to hold the new certificate files:

# mkdir ~/certs
# cd ~/certs


Generate a new root key:


# openssl genrsa -out devdockerCA.key 2048


Generate a root certificate:


openssl req -x509 -new -nodes -key devdockerCA.key -days 10000 -out devdockerCA.crt


Then generate a key for your server (this key will later be copied to /etc/ssl/private/docker-registry for nginx to use):

openssl genrsa -out dev-docker-registry.com.key 2048


Now generate a certificate signing request:

When you run this command, OpenSSL will prompt you with some questions (translator's note: the original sentence is hard to render exactly; the gist is that the other fields can be anything, but the value entered for "Common Name" must be the domain name you intend to use):


Write whatever you’d like for the first few, but when OpenSSL prompts you to enter the “Common Name” make sure to type in the domain of your server.

openssl req -new -key dev-docker-registry.com.key -out dev-docker-registry.com.csr


For example, if your Docker registry will run on the domain www.ilovedocker.com, enter the following:

Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:www.ilovedocker.com
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:


Do not enter a password at the final prompts; then sign the certificate request:

openssl x509 -req -in dev-docker-registry.com.csr -CA devdockerCA.crt -CAkey devdockerCA.key -CAcreateserial -out dev-docker-registry.com.crt -days 10000


We have now generated all the files needed for verification; copy them to where the certificates live. First copy the certificate and key to the paths referenced by nginx:

# cp dev-docker-registry.com.crt /etc/ssl/certs/docker-registry
# cp dev-docker-registry.com.key /etc/ssl/private/docker-registry


Since the certificates we just generated aren’t verified by any known certificate authority (e.g., VeriSign), we need to tell any clients that are going to be using this Docker registry that this is a legitimate certificate. Let’s do this locally so that we can use Docker from the Docker registry server itself:

# mkdir /usr/local/share/ca-certificates/docker-dev-cert
# cp devdockerCA.crt /usr/local/share/ca-certificates/docker-dev-cert
# update-ca-certificates


You’ll have to repeat this step for every machine that connects to this Docker registry! Otherwise you will get SSL errors and be unable to connect. These steps are shown in the client test section as well.
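As an added example (not part of the original post): the Step Five CA, server key, CSR and signing commands run non-interactively with -subj in place of the prompts, followed by the checks a connecting client will make (chain to devdockerCA.crt, hostname in the certificate) before the files are copied into /etc/ssl. It goes one step beyond the guide by also putting the hostname in a subjectAltName, which Go-based clients from Go 1.15 on require because they ignore the CN. The output directory and the domain registry.example.test are constructed placeholders; openssl must be on the PATH.

```shell
#!/bin/sh
# Added example, not from the original post: the Step Five CA and server
# certificate created non-interactively, then checked the way a client will
# check them before the files are copied into /etc/ssl for nginx.
# DIR and DOMAIN are placeholders supplied by the caller.

# make_registry_certs DIR DOMAIN: same file names as the guide, with the
# interactive prompts answered through -subj.
make_registry_certs() {
    openssl genrsa -out "$1/devdockerCA.key" 2048 2>/dev/null
    openssl req -x509 -new -nodes -key "$1/devdockerCA.key" -days 10000 \
        -subj "/CN=devdockerCA" -out "$1/devdockerCA.crt"
    openssl genrsa -out "$1/dev-docker-registry.com.key" 2048 2>/dev/null
    # Common Name must be the registry hostname; it is added as a SAN as well,
    # because Go-based clients (Go 1.15 and later) ignore the CN entirely.
    openssl req -new -key "$1/dev-docker-registry.com.key" -subj "/CN=$2" \
        -out "$1/dev-docker-registry.com.csr"
    printf 'subjectAltName=DNS:%s\n' "$2" > "$1/san.ext"
    openssl x509 -req -in "$1/dev-docker-registry.com.csr" -CA "$1/devdockerCA.crt" \
        -CAkey "$1/devdockerCA.key" -CAcreateserial -days 10000 \
        -extfile "$1/san.ext" -out "$1/dev-docker-registry.com.crt" 2>/dev/null
}

# verify_registry_cert CA_CRT SERVER_CRT DOMAIN: 0 when SERVER_CRT chains to
# CA_CRT and names DOMAIN in both CN and SAN, 1 otherwise.
verify_registry_cert() {
    if ! openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'; then
        echo "FAIL: $2 does not chain to $1"; return 1
    fi
    if ! openssl x509 -in "$2" -noout -subject | grep -q "CN *= *$3"; then
        echo "FAIL: Common Name is not $3"; return 1
    fi
    if ! openssl x509 -in "$2" -noout -text | grep -q "DNS:$3"; then
        echo "FAIL: no subjectAltName for $3"; return 1
    fi
    echo "ok: $2 chains to $1 and is valid for $3"
}

tmp=$(mktemp -d)
make_registry_certs "$tmp" registry.example.test 2>/dev/null
verify_registry_cert "$tmp/devdockerCA.crt" "$tmp/dev-docker-registry.com.crt" registry.example.test
verify_registry_cert "$tmp/devdockerCA.crt" "$tmp/dev-docker-registry.com.crt" www.ilovedocker.com  # FAIL: wrong host
rm -r "$tmp"
```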

Test SSL

Restart nginx to load the new configuration:

# service nginx restart
# curl https://USERNAME:PASSWORD@YOUR-DOMAIN:8080

If all is well, you should see the following response:

"\"docker-registry server\""


If not, go back to the previous step and re-check the SSL and nginx configuration to make sure everything is correct.

We now have a Docker registry service running with authentication and SSL encryption provided by nginx.
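As an added example (not part of the original post or of docker-registry): a small shell audit of the Upstart job from Step Three and the nginx site from Steps Four and Five, checking the three settings that actually keep the registry private: gunicorn bound to localhost only, basic auth on location /, and the ssl directives uncommented. It runs here on constructed, abbreviated copies of the two files; on the server, point it at the real paths.

```shell
#!/bin/sh
# Added example, not from the original post: audit the nginx site (Steps Four and
# Five) and the Upstart job (Step Three) for the settings that protect the registry.
# Paths are arguments; on the server they are /etc/nginx/sites-available/docker-registry
# and /etc/init/docker-registry.conf.
check() {   # check DESCRIPTION REGEX FILE: pass when REGEX matches a line of FILE
    if grep -Eq -e "$2" "$3"; then echo "ok   $1"; else echo "FAIL $1"; fails=$((fails + 1)); fi
}
# audit_registry NGINX_SITE UPSTART_JOB: prints one line per check and returns
# the number of failed checks (0 means every protection is in place).
audit_registry() {
    fails=0
    # gunicorn must listen on loopback only: bound to 0.0.0.0 (as in the Step Two
    # test command) port 5000 is reachable directly, bypassing nginx auth and TLS.
    check "gunicorn bound to localhost"  '-b[[:space:]]+(localhost|127\.0\.0\.1):5000' "$2"
    # basic auth with a realm and a user file; the ^ anchor skips commented lines
    check "auth_basic enabled"           '^[[:space:]]*auth_basic[[:space:]]+"' "$1"
    check "auth_basic_user_file set"     '^[[:space:]]*auth_basic_user_file[[:space:]]' "$1"
    # the TLS directives must be active, not left as the comments of Step Four
    check "ssl on"                       '^[[:space:]]*ssl[[:space:]]+on;' "$1"
    check "ssl_certificate set"          '^[[:space:]]*ssl_certificate[[:space:]]' "$1"
    check "ssl_certificate_key set"      '^[[:space:]]*ssl_certificate_key[[:space:]]' "$1"
    return "$fails"
}
# make_samples DIR: constructed, abbreviated copies of the guide's two files for a
# stand-alone run (the site as it stands after Step Four, TLS still commented out).
make_samples() {
    cat > "$1/site" <<'EOF'
server {
    listen 8080;
    # ssl on;
    # ssl_certificate /etc/ssl/certs/docker-registry;
    # ssl_certificate_key /etc/ssl/private/docker-registry;
    location / {
        auth_basic              "Restricted";
        auth_basic_user_file    docker-registry.htpasswd;
        proxy_pass http://docker-registry;
    }
    location /v1/_ping { auth_basic off; proxy_pass http://docker-registry; }
}
EOF
    printf 'script\nexec gunicorn -k gevent -b localhost:5000 -w 8 docker_registry.wsgi:application\nend script\n' > "$1/job"
}
tmp=$(mktemp -d); make_samples "$tmp"
audit_registry "$tmp/site" "$tmp/job"; echo "failed checks: $?"   # 3: TLS lines still comments
sed -i 's/^\([[:space:]]*\)# ssl/\1ssl/' "$tmp/site"              # apply Step Five
audit_registry "$tmp/site" "$tmp/job"; echo "failed checks: $?"   # 0
rm -r "$tmp"
```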

Step Six — Access the Docker Registry from another machine

To access the Docker registry, the SSL certificate must first be added to the client.

On the registry server, cat the certificate file:

cat ~/certs/devdockerCA.crt


The output looks roughly like this:

-----BEGIN CERTIFICATE-----
... (base64 certificate body omitted) ...
-----END CERTIFICATE-----


Copy the output above to the client.

On the client, create the certificate directory:

sudo mkdir /usr/local/share/ca-certificates/docker-dev-cert


Then run:

nano /usr/local/share/ca-certificates/docker-dev-cert/devdockerCA.crt


Paste the content copied above and save.

Check it again:

cat /usr/local/share/ca-certificates/docker-dev-cert/devdockerCA.crt


Then update the certificates:

sudo update-ca-certificates


The output should look roughly like this (note the "1 added"):

Updating certificates in /etc/ssl/certs... 1 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d....done.


If you have not yet installed docker on the client, do so now.

On most versions of Ubuntu you can quickly install a recent version of Docker by following the next few commands. If your client is on a different distro or you have issues then see Docker’s installation documentation for other ways to install Docker.

Add the repository key:

sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys 36A1D7869245C8950F966E92D8576A8BA88D21E9;


Create a file to list the Docker repository:

sudo nano /etc/apt/sources.list.d/docker.list


Add the following line to the file:

deb https://get.docker.io/ubuntu docker main


Update your package lists:

sudo apt-get update


Install Docker:

sudo apt-get install -y --force-yes lxc-docker


To make working with Docker a little easier, let’s add our current user to the Docker group and re-open a new shell:

sudo gpasswd -a ${USER} docker
sudo su -l $USER #(enter your password at the prompt if needed)


Restart Docker to make sure it reloads the system’s CA certificates.

sudo service docker restart


You should now be able to log in to your Docker registry from the client machine:

docker login https://YOUR-HOSTNAME:8080

Note that you’re using https:// and port 8080 here. Enter the username and password you set up earlier (enter whatever you’d like for email if prompted). You should see a Login Succeeded message.

At this point your Docker registry is up and running! Let’s make a test image to push to the registry.

Step Seven — Push to your Docker Registry

On the client server, create a small empty image to push to our new registry.

docker run -t -i ubuntu /bin/bash


After it finishes downloading you’ll be inside a Docker prompt. Let’s make a quick change to the filesystem:

touch /SUCCESS


Exit out of the Docker container:

exit


Commit the change:

docker commit $(docker ps -lq) test-image


If you run docker images now, you’ll see that you have a new test-image in the image list:

# docker images

REPOSITORY          TAG                 IMAGE ID            CREATED             VIRTUAL SIZE
test-image          latest              1f3ce8008165        9 seconds ago       192.7 MB
ubuntu              trusty              ba5877dc9bec        11 days ago         192.7 MB


This image only exists locally right now, so let’s push it to the new registry we’ve created.

First, log in to the registry with Docker. Note that you want to use https:// and port 8080:

docker login https://<YOUR-DOMAIN>:8080


The corresponding output from my run:

# docker login https://docker-registry.example.com:8080 Username (dkuser): dkuser
WARNING: login credentials saved in /root/.dockercfg.
Login Succeeded


Enter the username and password you set up earlier:

Username: USERNAME Password: PASSWORD Email:
Account created. Please see the documentation of the registry http://localhost:5000/v1/ for instructions how to activate it.


Docker has an unusual mechanism for specifying which registry to push to. You have to tag an image with the private registry’s location in order to push to it. Let’s tag our image to our private registry:

docker tag test-image YOUR-DOMAIN:8080/test-image


The corresponding output from my run:

# docker tag test-image docker-registry.example.com:8080/test-image


Note that you are using the local name of the image first, then the tag you want to add to it. The tag does not use https://, just the domain, port, and image name.

Now we can push that image to our registry. This time we’re using the tag name only:

docker push <YOUR-DOMAIN>:8080/test-image


The corresponding output from my run:

# docker push docker-registry.example.com:8080/test-image
The push refers to a repository [docker-registry.example.com:8080/test-image] (len: 1)
Sending image list
Pushing repository docker-registry.example.com:8080/test-image (1 tags)
428b411c28f0: Image successfully pushed
435050075b3f: Image successfully pushed
9fd3c8c9af32: Image successfully pushed
6d4946999d4f: Image successfully pushed
220f9fa943e0: Image successfully pushed
Pushing tag for rev [220f9fa943e0] on {https://docker-registry.example.com:8080/v1/repositories/test-image/tags/latest}


This will take a moment to upload to the registry server. You should see output that includes Image successfully pushed.

Step Eight - Pull from Your Docker Registry

To make sure everything worked let’s go back to our original server (where you installed the Docker registry) and pull the image we just pushed from the client. You could also test this from a third server.

If Docker is not installed on your test pull server, go back and follow the installation instructions (and if it’s a third server, the SSL instructions) from Step Six.

Log in with the username and password you set up previously.

docker login https://<YOUR-DOMAIN>:8080

And now pull the image. You want just the "tag" image name, which includes the domain name, port, and image name (but not https://):

docker pull <YOUR-DOMAIN>:8080/test-image


The corresponding output from my run:

# docker pull docker-registry.example.com:8080/test-image
Pulling repository docker-registry.example.com:8080/test-image
220f9fa943e0: Download complete
428b411c28f0: Download complete
435050075b3f: Download complete
9fd3c8c9af32: Download complete
6d4946999d4f: Download complete
Status: Downloaded newer image for docker-registry.example.com:8080/test-image:latest


Docker will do some downloading and return you to the prompt. If you run the image on the new machine you’ll see that the SUCCESS file we created earlier is there:

docker run -t -i <YOUR-DOMAIN>:8080/test-image /bin/bash


The corresponding output from my run:

# docker run -t -i docker-registry.example.com:8080/test-image /bin/bash


List your files:

ls


You should see the SUCCESS file we created earlier:

SUCCESS  bin  boot  dev  etc  home  lib  lib64  media   mnt  opt  proc  root  run  sbin  srv  sys  tmp  usr  var


Congratulations! You’ve just used your own private Docker registry to push and pull your first Docker container! Happy Docker-ing!