Centos6.5 create a private docker Repository

Source: Internet
Author: User
Tags ssl certificate docker hub docker registry

Docker private Registry Installation Guide under centos 6.x

Note:

docker.yy.com is the domain name of the docker registry server, that is, the host address of your company's private docker server. Assume its IP address is 192.168.2.114. Because an HTTPS/SSL certificate cannot be issued for a bare IP address, a host name is used instead.

registry is the upstream server that handles the actual upload and download of docker images; it runs the official registry image.

nginx 1.4.x is the reverse proxy placed in front of the registry.

I. Docker Server Configuration

Install dependency
yum -y install gcc make file && \
yum -y install tar pcre-devel pcre-static openssl openssl-devel httpd-tools

Configure SSL

(1) Edit /etc/hosts and add an entry for docker.yy.com, for example:
192.168.2.114 docker.yy.com

(2) generate the Root Key

First delete the following files if they are left over from an earlier CA setup under /etc/pki/CA:

/etc/pki/CA/cacert.pem
/etc/pki/CA/index.txt
/etc/pki/CA/index.txt.attr
/etc/pki/CA/index.txt.old
/etc/pki/CA/serial
/etc/pki/CA/serial.old

cd /etc/pki/CA
openssl genrsa -out private/cakey.pem 2048

(3) generate the root certificate
openssl req -new -x509 -key private/cakey.pem -out cacert.pem

Output:

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:beijing
Organization Name (eg, company) [Default Company Ltd]:youyuan
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:docker.yy.com
Email Address []:

You will be prompted for several fields. Since this is a private CA you can fill them in freely, but keep them consistent with the later steps, especially "Common Name". The self-signed certificate cacert.pem above must be generated under /etc/pki/CA.

(4) generate an ssl Key for our nginx web Server
mkdir -p /etc/nginx/ssl
cd /etc/nginx/ssl
openssl genrsa -out nginx.key 2048

Here the CA and the server requesting the certificate are the same machine; otherwise this key would be generated on the server that needs the certificate.

(5) generate a Certificate Signing Request for nginx
openssl req -new -key nginx.key -out nginx.csr

Output:

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:beijing
Organization Name (eg, company) [Default Company Ltd]:youyuan
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:docker.yy.com
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

You will again be prompted for several fields. Common Name must be the domain name or host name of the server the certificate is issued to; the challenge password can be left empty.

(6) The Private CA issues the certificate according to the request
touch /etc/pki/CA/index.txt
touch /etc/pki/CA/serial
echo 00 > /etc/pki/CA/serial
openssl ca -in nginx.csr -out nginx.crt

Output:

Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 0 (0x0)
        Validity
            Not Before: Dec  9 09:59:20 2014 GMT
            Not After : Dec  9 09:59:20 2015 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = beijing
            organizationName          = youyuan
            commonName                = docker.yy.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                5D:6B:02:FF:9E:F8:EA:1B:73:19:47:39:4F:88:93:9F:E7:AC:A5:66
            X509v3 Authority Key Identifier:
                keyid:46:DC:F1:A5:6F:39:EC:6E:77:03:3B:C4:34:03:7E:B8:0A:ED:99:41
Certificate is to be certified until Dec  9 09:59:20 2015 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

You will be asked to confirm twice; answer y to both and the certificate is issued.
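The whole of steps (2) to (6) as one non-interactive script, added here as an example and not taken from the original article. It passes the subject with -subj instead of answering prompts, signs with "openssl x509 -req" instead of "openssl ca" so no index.txt/serial database is needed, and adds a subjectAltName, which newer Docker clients require; the working directory, the CA name "private-docker-ca" and the verification function are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original article): steps (2) to (6) run
# non-interactively. DIR is a working directory, HOST the registry name.
# The CA name "private-docker-ca" is an assumption; the article reused the
# registry host name for the CA as well.
make_registry_certs() {
  dir=$1; host=$2
  mkdir -p "$dir/private" "$dir/nginx"
  # (2) root key and (3) self-signed root certificate (CA:TRUE by default)
  openssl genrsa -out "$dir/private/cakey.pem" 2048 2>/dev/null
  openssl req -new -x509 -days 3650 -key "$dir/private/cakey.pem" \
    -subj "/C=CN/ST=beijing/L=beijing/O=youyuan/CN=private-docker-ca" \
    -out "$dir/cacert.pem"
  # (4) nginx key and (5) CSR: the Common Name must be the registry host
  openssl genrsa -out "$dir/nginx/nginx.key" 2048 2>/dev/null
  openssl req -new -key "$dir/nginx/nginx.key" \
    -subj "/C=CN/ST=beijing/L=beijing/O=youyuan/CN=$host" \
    -out "$dir/nginx/nginx.csr"
  # (6) sign with the private CA. A subjectAltName is added because newer
  # Docker clients (Go's TLS stack) ignore the CN and require a SAN.
  printf 'subjectAltName=DNS:%s\nbasicConstraints=CA:FALSE\n' "$host" \
    > "$dir/nginx/ext.cnf"
  openssl x509 -req -days 365 -in "$dir/nginx/nginx.csr" \
    -CA "$dir/cacert.pem" -CAkey "$dir/private/cakey.pem" -CAcreateserial \
    -extfile "$dir/nginx/ext.cnf" -out "$dir/nginx/nginx.crt" 2>/dev/null
  chmod 600 "$dir/private/cakey.pem" "$dir/nginx/nginx.key"
}

# The same checks the docker daemon performs when it connects: the chain
# validates against our root and the certificate names the registry host.
verify_registry_cert() {
  dir=$1; host=$2
  # grep for ": OK" because old OpenSSL versions exit 0 even on failure
  openssl verify -CAfile "$dir/cacert.pem" "$dir/nginx/nginx.crt" 2>/dev/null \
    | grep -q ': OK$' || return 1
  openssl x509 -in "$dir/nginx/nginx.crt" -noout -text \
    | grep -q "DNS:$host" || return 1
}

demo_dir=$(mktemp -d)
make_registry_certs "$demo_dir" docker.yy.com
if verify_registry_cert "$demo_dir" docker.yy.com; then
  echo "certificates in $demo_dir verified for docker.yy.com"
fi
```

The resulting cacert.pem, nginx.key and nginx.crt take the places of the files produced by the manual steps above.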

II. Install, configure, and run nginx

(1) Add groups and users:
groupadd www -g 58
useradd -u 58 -g www www

(2) download the nginx source file:
cd /tmp
wget http://nginx.org/download/nginx-1.4.6.tar.gz
cp ./nginx-1.4.6.tar.gz /tmp/

(3) Compile and install nginx:
tar zxvf ./nginx-1.4.6.tar.gz
cd ./nginx-1.4.6 && \
./configure --user=www --group=www --prefix=/opt/nginx \
  --with-pcre \
  --with-http_stub_status_module \
  --with-http_ssl_module \
  --with-http_addition_module \
  --with-http_realip_module \
  --with-http_flv_module && \
make && \
make install
cd /tmp
rm -rf /tmp/nginx-1.4.6/
rm /tmp/nginx-1.4.6.tar.gz

(4) generate htpasswd
htpasswd -cb /opt/nginx/conf/.htpasswd ${USER} ${PASSWORD}

(5) Edit the /opt/nginx/conf/nginx.conf file:

# daemon off;
# user and group
user www www;
# number of worker processes (normally equal to the total number of CPU cores)
worker_processes auto;
# error log path; levels: [debug | info | notice | warn | error | crit]
error_log /var/log/nginx_error.log error;
# pid file path
# pid logs/nginx.pid;
# number of file descriptors
worker_rlimit_nofile 51200;

events {
    # network I/O model: epoll is recommended on Linux, kqueue on FreeBSD
    use epoll;
    # maximum number of connections per worker
    worker_connections 51200;
    multi_accept on;
}

http {
    include mime.types;
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$upstream_addr"';
    access_log /var/log/nginx_access.log main;
    # bucket size of the server name hash table
    server_names_hash_bucket_size 128;
    # client request header buffer size
    client_header_buffer_size 32k;
    # enable sendfile()
    sendfile on;
    keepalive_timeout 65;

    upstream registry {
        server 127.0.0.1:5000;
    }

    server {
        listen 443;
        server_name 192.168.2.114;
        ssl on;
        ssl_certificate /etc/nginx/ssl/nginx.crt;
        ssl_certificate_key /etc/nginx/ssl/nginx.key;

        # no request body size limit, so large image layers can be uploaded
        client_max_body_size 0;
        # required to avoid HTTP 411: see Issue #1486 (https://github.com/docker/docker/issues/1486)
        chunked_transfer_encoding on;

        location / {
            auth_basic "registry";
            auth_basic_user_file /opt/nginx/conf/.htpasswd;
            proxy_pass http://registry;
            proxy_set_header Host $http_host;
            proxy_set_header X-Real-IP $remote_addr;
            # (a few further proxy_set_header/proxy_buffer directives were lost in extraction)
            proxy_connect_timeout 90;
            proxy_send_timeout 90;
            proxy_read_timeout 90;
            # under heavy load this can be raised; recommended value is proxy_buffers * 2
            proxy_busy_buffers_size 64k;
            # proxy temporary file size
            proxy_temp_file_write_size 64k;
        }
        location /_ping {
            auth_basic off;
            proxy_pass http://registry;
        }
        location /v1/_ping {
            auth_basic off;
            proxy_pass http://registry;
        }
    }
}

(6) Verify the configuration
/opt/nginx/sbin/nginx -t

Output:

nginx: the configuration file /opt/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /opt/nginx/conf/nginx.conf test is successful

(7) Start nginx:
/opt/nginx/sbin/nginx

(8) verify whether nginx is started:
ps -ef | grep -i 'nginx'

The following output indicates that nginx is normal!

root     27133     1  0 18:58 ?        00:00:00 nginx: master process /opt/nginx/sbin/nginx
www      27134 27133  0 18:58 ?        00:00:00 nginx: worker process
www      27135 27133  0 18:58 ?        00:00:00 nginx: worker process
www      27136 27133  0 18:58 ?        00:00:00 nginx: worker process
www      27137 27133  0 18:58 ?        00:00:00 nginx: worker process
root     27160  4286  0 18:58 pts/0    00:00:00 grep -i nginx

3. Configure and run Docker

(1) Stop docker
service docker stop

(2) Edit the /etc/sysconfig/docker file and add the following line
DOCKER_OPTS="--insecure-registry docker.yy.com --tlsverify --tlscacert /etc/pki/CA/cacert.pem"

(3) Copy the root certificate into the /etc/docker/certs.d/docker.yy.com/ directory
mkdir -p /etc/docker/certs.d/docker.yy.com/
cp /etc/pki/CA/cacert.pem /etc/docker/certs.d/docker.yy.com/ca-certificates.crt

(4) Start docker
service docker start

4. Download, configure, and run the registry image

(1) obtain the Image
docker pull registry

(2) Run Image
mkdir -p /opt/registry
docker run -d -e STORAGE_PATH=/registry -v /opt/registry:/registry -p 127.0.0.1:5000:5000 --name registry registry

The command is explained as follows:
-p 127.0.0.1:5000:5000: the registry is only the upstream server, so port 5000 does not need to be exposed externally. All external access goes through the front-end nginx, which reaches the registry over the loopback address.

(3) Verify the registry:

Input in a browser: https://docker.yy.com
Or: curl -i -k https://abc:123@docker.yy.com

The server configuration is now complete!

5. Docker client Configuration

(1) Edit /etc/hosts and add an entry for docker.yy.com, for example:
192.168.2.114 docker.yy.com

(2) Append the root certificate of the docker registry server to the ca-certificates.crt file

First copy /etc/pki/CA/cacert.pem from the docker registry server to the local machine, then run:

cat ./cacert.pem >> /etc/pki/tls/certs/ca-certificates.crt

(3) Verify the docker.yy.com registry:

Input in a browser: https://docker.yy.com
Or: curl -i -k https://abc:123@docker.yy.com

(4) Steps for using private registry:
  • Logon:docker login -u abc -p 123 -e "test@gmail.com" https://docker.yy.com

  • Give the container another name:docker tag centos:centos6 docker.yy.com/centos:centos6

  • Release:docker push docker.yy.com/centos:centos6

6. Steps for operating the private repository on the server:

1. Pull the image from the official Docker Hub:

docker pull centos:centos6

2. view the image id

Run docker images
Output:

root@pts/0# docker images
REPOSITORY   TAG       IMAGE ID       CREATED      VIRTUAL SIZE
centos       centos6   25c5298b1a36   8 days ago   215.8 MB

3. assign a private repository tag to the image

docker tag 25c5298b1a36 docker.yy.com/centos:centos6

4. push to private Repository

docker push docker.yy.com/centos:centos6

5. view the image

docker images
Output:

root@pts/0# docker images
REPOSITORY             TAG       IMAGE ID       CREATED      VIRTUAL SIZE
centos                 centos6   25c5298b1a36   8 days ago   215.8 MB
docker.yy.com/centos   centos6   25c5298b1a36   8 days ago   215.8 MB

7. Steps for operating the private repository on the client side:

1. Pull the image from the private repository:
docker pull docker.yy.com/centos:centos6

2. view the image

docker images
Output:

root@pts/0# docker images
REPOSITORY             TAG       IMAGE ID       CREATED      VIRTUAL SIZE
docker.yy.com/centos   centos6   25c5298b1a36   8 days ago   215.8 MB

Appendix:

(1) Disadvantages:

The server can log in to the official Docker Hub and pull from and push to both the official and the private repository.
The client can only operate on the private repository.
The private repository cannot be searched.

(2) Advantages:

All build, pull, and push operations can only be performed on the server side of the private repository, which reduces enterprise risk.

(3) If docker login on the client against the official https://index.docker.io/v1/ fails with the error x509: certificate signed by unknown authority

Rename the root certificate bundle: mv /etc/pki/tls/certs/ca-certificates.crt /etc/pki/tls/certs/ca-certificates.crt.bak
Restart the docker service: service docker restart
