Docker (2): Setting up a private registry
1. Install dependency packages
yum -y install pcre-devel zlib-devel openssl openssl-devel
2. Configure SSL
(1) hostnamectl set-hostname docker.peng.com   (set the host name)
echo "192.168.0.105 docker.peng.com" >> /etc/hosts   (so hosts on the LAN can resolve the name)
(2) Generate the root key (if one already exists, delete it first)
cd /etc/pki/CA/
openssl genrsa -out private/cakey.pem 2048
(3) Generate the root certificate
openssl req -new -x509 -key private/cakey.pem -out cacert.pem
(4) Generate the SSL key for the nginx web server
mkdir ssl
cd ssl/
openssl genrsa -out nginx.key 2048
(5) Generate a certificate signing request for nginx
openssl req -new -key nginx.key -out nginx.csr
(6) The private CA issues the certificate from the request
touch /etc/pki/CA/index.txt
touch /etc/pki/CA/serial
echo 00 > /etc/pki/CA/serial
openssl ca -in nginx.csr -out nginx.crt
3. Install, configure and run nginx
(1) Add the group and user
useradd -M -s /sbin/nologin www
(2) Compile and install nginx (source at http://nginx.org/download/nginx-1.11.2.tar.gz)
tar zxf nginx-1.11.2.tar.gz
cd nginx-1.11.2/
./configure --user=www --group=www --prefix=/usr/local/nginx --with-pcre --with-http_stub_status_module --with-http_ssl_module --with-http_addition_module --with-http_realip_module --with-http_flv_module
make && make install
(3) Edit the nginx.conf file
user www;
worker_processes 4;
events {
    worker_connections 4096;
}
http {
    include mime.types;
    default_type application/octet-stream;
    sendfile on;
    keepalive_timeout 65;
    # the registry container listening on port 5000
    upstream registry {
        server 192.168.1.107:5000;
    }
    server {
        listen 443 ssl;
        server_name docker.benet.com;
        ssl_certificate /etc/pki/CA/ssl/nginx.crt;
        ssl_certificate_key /etc/pki/CA/ssl/nginx.key;
        ssl_session_cache shared:SSL:1m;
        ssl_session_timeout 5m;
        ssl_ciphers HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers on;
        location / {
            proxy_pass http://registry;
            # image layers are large; raise the upload limit
            client_max_body_size 3000m;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $remote_addr;
        }
    }
}
(4) Check the configuration file and start nginx
ln -s /usr/local/nginx/sbin/nginx /usr/local/sbin/
nginx -t
nginx
(5) Stop docker and edit /etc/sysconfig/docker
systemctl stop docker
DOCKER_OPTS="--insecure-registry docker.peng.com --tlsverify --tlscacert /etc/pki/CA/cacert.pem"
(6) Copy the root certificate to /etc/docker/certs.d/docker.peng.com
mkdir -p /etc/docker/certs.d/docker.peng.com
cp /etc/pki/CA/cacert.pem /etc/docker/certs.d/docker.peng.com/ca-certificates.crt
(7) Start docker
systemctl start docker
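The certificate work in step 2 and the per-registry trust directory in step 3 (6), folded into one checkable script. This is an added example and not code from the original post: the working directory, the registry host name and the filesystem root are parameters so it can be exercised in a scratch directory; it signs with "openssl x509 -req -CA ..." instead of the post's "openssl ca" (no index.txt/serial bookkeeping), and it adds a subjectAltName, which current Docker clients require before they will match the certificate to the host name. The ca.crt file name follows Docker's certs.d convention rather than the post's ca-certificates.crt.

```shell
#!/bin/sh
# Added example, not part of the original post. Assumes openssl, cmp and
# mktemp are available; the host name docker.peng.com is the one used by
# the post, every path is a parameter.
set -e

# Create cakey.pem, cacert.pem, nginx.key, nginx.csr and nginx.crt under $1,
# with the server certificate issued for host name $2.
make_registry_certs() {
    dir="$1"; host="$2"
    mkdir -p "$dir"
    # CA private key and self-signed root certificate (10 years)
    openssl genrsa -out "$dir/cakey.pem" 2048 2>/dev/null
    openssl req -new -x509 -days 3650 -key "$dir/cakey.pem" \
        -subj "/CN=private-registry-ca" -out "$dir/cacert.pem"
    # Server key and certificate signing request
    openssl genrsa -out "$dir/nginx.key" 2048 2>/dev/null
    openssl req -new -key "$dir/nginx.key" -subj "/CN=$host" -out "$dir/nginx.csr"
    # Extensions the CA stamps onto the leaf: the SAN is what clients match
    # the host name against; serverAuth limits the cert to TLS server use.
    printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$host" > "$dir/san.ext"
    openssl x509 -req -days 825 -in "$dir/nginx.csr" \
        -CA "$dir/cacert.pem" -CAkey "$dir/cakey.pem" -CAcreateserial \
        -extfile "$dir/san.ext" -out "$dir/nginx.crt" 2>/dev/null
}

# Return 0 if nginx.crt chains to cacert.pem and names host $2 in its SAN.
verify_registry_cert() {
    dir="$1"; host="$2"
    openssl verify -CAfile "$dir/cacert.pem" "$dir/nginx.crt" >/dev/null 2>&1 || return 1
    openssl x509 -in "$dir/nginx.crt" -noout -text | grep -q "DNS:$host"
}

# Install the CA for exactly one registry: Docker reads any *.crt file in
# <root>/etc/docker/certs.d/<host>/ and trusts it only for that host, so the
# system-wide bundle (the post's ca-certificates.crt) stays untouched.
# $1 is the filesystem root ("" for the real system), $2 the host, $3 the CA.
install_registry_ca() {
    root="$1"; host="$2"; cafile="$3"
    certdir="$root/etc/docker/certs.d/$host"
    mkdir -p "$certdir"
    cp "$cafile" "$certdir/ca.crt"
    cmp -s "$cafile" "$certdir/ca.crt"
}

# Stand-alone run: generate into a scratch directory and report the result.
if [ "${1:-}" = "--demo" ]; then
    work=$(mktemp -d)
    make_registry_certs "$work/ca" docker.peng.com
    install_registry_ca "$work/root" docker.peng.com "$work/ca/cacert.pem"
    verify_registry_cert "$work/ca" docker.peng.com && echo "certificate chain OK"
    rm -rf "$work"
fi
```

Run it as `sh registry-certs.sh --demo`; on the real server you would call make_registry_certs with /etc/pki/CA/ssl and install_registry_ca with an empty root. Keeping the CA in certs.d rather than in the global bundle means a compromise of this private CA can only be used to impersonate this registry host, not every TLS endpoint the machine talks to.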
4. Run the private registry
(1) Download the registry image: docker pull registry
mkdir -p /opt/data/registry
(2) Run registry to create the container
docker run -itd -p 5000:5000 -v /opt/data/registry:/tmp/registry docker.io/registry
-v stores the image files in the given local path
(3) Verify
curl -i -k https://docker.peng.com
5. Docker client configuration
(1) Make the server name resolvable
echo "192.168.0.105 docker.peng.com" >> /etc/hosts
(2) Append the docker registry server's root certificate to the local ca-certificates.crt
scp [email protected]:/etc/pki/CA/cacert.pem ./
cat cacert.pem >> /etc/pki/tls/certs/ca-certificates.crt
(3) Verify the server-side registry
(4) Log in to the private registry (docker must be installed on the client)
docker login https://docker.peng.com   (use docker logout to log out)
(5) The server can pull an image from the public registry, retag it and push it into the private registry
docker pull docker.io/willfarrell/ping
docker tag 14447af43451 docker.peng.com/ping
docker push docker.peng.com/ping:latest
(6) Use tree /opt/data/registry/repositories to view the images in the private registry
(7) The client can also retag images and push them into the private registry (same as on the server)
The server can log in to the official Docker Hub and pull from and push to both official and private repositories
The client can only operate on the private registry that was set up
The private registry does not support search
(If the client gets an x509: certificate error when running docker login against the official registry, mv /etc/pki/tls/certs/ca-certificates.crt /etc/pki/tls/certs/ca-certificates.crt.bak and then restart docker)