Docker Registry V2 (distribution) & Proxy (Nginx) Construction experience

Source: Internet
Author: User
Tags: docker run, docker registry

When Docker Registry V2 came out it was refreshingly simple and practical, but as soon as you change port 5000 to something else, or bind it to a domain name, things go wrong. Here is a detailed record of working through that process.


I. Installing Docker Registry V2 (distribution)

Here I chose to install from the officially provided image. You may feel that this is too easy and dismiss it, but for an OPS person the attention belongs on how the registry image is applied and what it gives us, not on a fancy build process. What matters is that the registry image meets our needs.


# docker pull registry:2
# docker run -d -p 5000:5000 --restart=always --name registry -v /data/:/var/lib/registry -v /etc/registry/config.yml:/etc/docker/registry/config.yml registry:2

Two points to note above:

(1) To keep the stored image data safe, if you use local disk storage you must mount a host directory into the container (here /data/ onto /var/lib/registry); otherwise the images live only in the container's writable layer and disappear when the container is removed.

(2) Manage the registry configuration file yourself. If you want a custom setup, do not rely on the registry's default configuration; mount your own over it.

Here is the configuration file I used:

# cat /etc/registry/config.yml
version: 0.1
log:
  level: debug
  formatter: text
  fields:
    service: registry
    environment: staging
storage:
  delete:
    enabled: true
  cache:
    layerinfo: inmemory
  filesystem:
    rootdirectory: /var/lib/registry
http:
  addr: :5000
  secret: admin

The configuration file is in YAML format. It specifies the storage location of the images, the type of cache, the listening port, and so on.

Pay extra attention to secret: admin, which comes up again in the authentication setup below. In distribution, http.secret is a random string the registry uses to sign state it hands to clients (for example upload state); it is not a login credential, so it does not have to match any user password, and it should be a long random value rather than a guessable word such as admin. It can also be supplied with the REGISTRY_HTTP_SECRET environment variable instead of being written into the file.


With this in place, what can the registry do? For example:

# docker pull ubuntu && docker tag ubuntu localhost:5000/ubuntu

Then ....

# docker push localhost:5000/ubuntu


Of course, you may not be satisfied with this and want a proper name for your registry, say registry.test.com.

Temporarily add a local DNS binding (an /etc/hosts entry), then repeat the steps above and see what happens.

# docker pull ubuntu && docker tag ubuntu registry.test.com:5000/ubuntu

Then ....

# docker push registry.test.com:5000/ubuntu

You will find that it does not work, and there is not even a helpful error hint on the terminal. But when you run docker logs on the registry container, you will see the error: the Docker daemon only talks to a registry other than localhost over HTTPS with a certificate it trusts, unless the registry is explicitly marked as insecure.


At this point you can follow the official documentation:

https://github.com/docker/distribution/blob/master/docs/insecure.md

and do some configuration (either mark the registry as insecure in the daemon options, or give it a certificate the daemon trusts).


Push again:

# docker push registry.test.com:5000/ubuntu

If you really followed the official document, you will find that it succeeds.


Later you get greedier and intend to drop the 5000 port and use the default port 80 instead; after all, the registry is an HTTP service, and there is no need to be so unconventional. Change the listening port in the registry config.yml to 80:

http:
  addr: :80
  secret: admin

After restarting, it still does not work. Careful readers will notice that it is once again the certificate problem.


How do we solve this, how do we break through?

Try a proxy. After all, with Docker Registry V1 you could already put a proxy in front of it.

The previous step also left the certificate issue open, and a proxy is the natural place to terminate HTTPS anyway. So let's configure the proxy.


II. Configuring a proxy server for Docker Registry

(1) Generate the certificate first (following the Docker official docs, with the path changed).

# mkdir -p /etc/nginx/ssl && openssl req -newkey rsa:4096 -nodes -sha256 -keyout /etc/nginx/ssl/domain.key -x509 -days 365 -out /etc/nginx/ssl/domain.crt

Pay attention to the CN here: it must be your registry domain name, otherwise you will be in real trouble. Note that newer Docker clients (built with Go 1.15 or later) ignore the CN entirely and match the host name against the certificate's Subject Alternative Name, so on a current OpenSSL also add -addext "subjectAltName=DNS:registry.test.com" (or an equivalent extension section in an openssl config file). Because the certificate is self-signed, the Docker daemon on every client must be told to trust it, for example by copying domain.crt to /etc/docker/certs.d/<registry host>/ca.crt as the insecure.md document describes.

Example:

Country Name (2 letter code) [AU]:china
string is too long, it needs to be less than 2 bytes long
Country Name (2 letter code) [AU]:ch
State or Province Name (full name) [Some-State]:beijing
Locality Name (eg, city) []:beijing
Organization Name (eg, company) [Internet Widgits Pty Ltd]:beijing
Organizational Unit Name (eg, section) []:beijing
Common Name (e.g. server FQDN or YOUR name) []:registry.test.com
Email Address []:[email protected]

(2) Install Nginx and adjust the configuration.

When installing Nginx, note that the add_header directive may be reported as unrecognized: the always parameter used below (so that the Docker-Distribution-Api-Version header is also sent on 401 responses) only exists in version 1.7.5 and above, so use that version or later.

The full Nginx configuration file is listed at the end of this section.

(3) Set the registry login user name and password:

# htpasswd -cb /opt/nginx/conf/.htpasswd admin admin

Recall that at the beginning we also set secret: admin in the registry config. That value is unrelated to this password: http.secret signs registry state, while .htpasswd is what Nginx checks the docker login credentials against, so the two do not need to match. Also note that -b takes the password from the command line, which leaves it in your shell history; omit it to be prompted instead, and keep the .htpasswd file readable only by the Nginx user.


(4) Remove any TLS or authentication configured directly on the registry. For example, a setup like the following:

docker run -d -p 5000:5000 --restart=always --name registry -v `pwd`/certs:/certs -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt -e REGISTRY_HTTP_TLS_KEY=/certs/domain.key registry:2

Remove the TLS-related settings and go back to the form of the registry run at the beginning of this article. All authentication will be handled in Nginx. Since the registry itself then has no authentication at all, make sure it is reachable only through Nginx: publish it on the loopback interface (-p 127.0.0.1:5000:5000 rather than -p 5000:5000), which matches the upstream 127.0.0.1:5000 in the Nginx configuration below; otherwise anyone who can reach port 5000 on the host bypasses the proxy's login entirely.


(5) Finally, the complete Nginx configuration file:

user  www www;
worker_processes  auto;
error_log   /var/log/nginx/error.log error;
pid        logs/nginx.pid;
worker_rlimit_nofile  51200;

events {
    use epoll;
    worker_connections   51200;
    multi_accept on;
}

http {
    include       mime.types;
    default_type  application/octet-stream;

    log_format  main  '$http_host $remote_user [$time_local] $request '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" $remote_addr $request_time $upstream_response_time';
    access_log  /var/log/nginx/access.log  main;

    server_names_hash_bucket_size 128;
    client_header_buffer_size 32k;
    large_client_header_buffers 4 32k;

    sendfile        on;
    tcp_nopush      on;
    tcp_nodelay     on;

    #keepalive_timeout  0;
    keepalive_timeout  65;

    #gzip  on;

    # The registry container, published on the loopback interface only.
    upstream registry {
        server 127.0.0.1:5000;
    }

    server {
        # "listen 443 ssl;" replaces the older "ssl on;" directive, which was
        # deprecated in nginx 1.15.0 and removed later.
        listen       443 ssl;
        server_name  registry.chanjet.com;
        ssl_certificate     /etc/nginx/ssl/domain.crt;
        ssl_certificate_key /etc/nginx/ssl/domain.key;

        # Image layers can be large: disable the request size limit.
        client_max_body_size 0;
        chunked_transfer_encoding on;

        location /v2/ {
            auth_basic            "Registry realm";
            auth_basic_user_file  /opt/nginx/conf/.htpasswd;

            # The Docker client checks for this header; "always" (nginx >= 1.7.5)
            # sends it on 401 responses too.
            add_header 'Docker-Distribution-Api-Version' 'registry/2.0' always;

            proxy_pass                          http://registry;
            proxy_set_header  Host              $http_host;   # required for docker client's sake
            proxy_set_header  X-Real-IP         $remote_addr; # pass on real client's IP
            proxy_set_header  X-Forwarded-For   $proxy_add_x_forwarded_for;
            proxy_set_header  X-Forwarded-Proto $scheme;
            proxy_read_timeout                  900;
        }
    }
}
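Steps (1) to (4) of this section, as an added example (this is not the original post's script): a POSIX shell script that generates the self-signed certificate with the registry host name in both CN and subjectAltName, writes the .htpasswd file with openssl instead of htpasswd (same $apr1$ format that nginx auth_basic accepts), and starts the registry on the loopback interface with a random http.secret. The domain, paths and admin/admin credentials are the post's; the function names, the temporary openssl config file and the password check helper are this example's own choices, and it assumes openssl is installed (and docker, for run_registry).

```shell
#!/bin/sh
# Added example, not the original post's script. Assumes openssl is present, docker is
# present for run_registry, and the post's paths (/etc/nginx/ssl, /opt/nginx/conf/.htpasswd).
set -eu

# Self-signed server certificate whose CN *and* subjectAltName carry the registry host
# name, so both old (CN-matching) and current (SAN-only) Docker clients accept it.
# KEYBITS defaults to the post's 4096; the temporary openssl config replaces -addext,
# which older OpenSSL releases do not have.
gen_cert() {
    local domain=$1 outdir=$2 cfg
    mkdir -p "$outdir"
    cfg=$(mktemp)
    cat >"$cfg" <<EOF
[req]
distinguished_name = dn
x509_extensions = ext
prompt = no
[dn]
CN = $domain
[ext]
subjectAltName = DNS:$domain
EOF
    ( umask 077; openssl req -x509 -newkey "rsa:${KEYBITS:-4096}" -nodes -sha256 -days 365 \
        -config "$cfg" -keyout "$outdir/domain.key" -out "$outdir/domain.crt" 2>/dev/null )
    chmod 644 "$outdir/domain.crt"   # the private key stays 0600; the certificate is public
    rm -f "$cfg"
}

# Write "user:hash" in Apache MD5 ($apr1$) format, which nginx auth_basic accepts.
# The password is passed on stdin, so it does not land in argv or shell history the way
# "htpasswd -b" puts it there. The file is created 0600.
gen_htpasswd() {
    local file=$1 user=$2 pass=$3 hash
    hash=$(printf '%s\n' "$pass" | openssl passwd -apr1 -stdin)
    mkdir -p "$(dirname "$file")"
    ( umask 077; printf '%s:%s\n' "$user" "$hash" >"$file" )
}

# Verify a password against the stored $apr1$<salt>$<hash> entry by recomputing the hash
# with the same salt. Returns 0 on match, 1 on mismatch or unknown user.
check_htpasswd() {
    local file=$1 user=$2 pass=$3 stored salt computed
    stored=$(grep "^$user:" "$file" 2>/dev/null | head -n1 | cut -d: -f2-)
    [ -n "$stored" ] || return 1
    salt=$(printf '%s' "$stored" | cut -d'$' -f3)
    computed=$(printf '%s\n' "$pass" | openssl passwd -apr1 -salt "$salt" -stdin)
    [ "$computed" = "$stored" ]
}

# Start the registry as at the top of the post, with two changes: it is published on the
# loopback interface only (Nginx on this host is the single entry point and the registry
# itself has no auth), and http.secret is a random value instead of "admin".
run_registry() {
    docker run -d --restart=always --name registry \
        -p 127.0.0.1:5000:5000 \
        -v /data/:/var/lib/registry \
        -v /etc/registry/config.yml:/etc/docker/registry/config.yml \
        -e REGISTRY_HTTP_SECRET="$(openssl rand -hex 32)" \
        registry:2
}

# Usage: sh setup_registry.sh setup
if [ "${1:-}" = setup ]; then
    gen_cert registry.test.com /etc/nginx/ssl
    gen_htpasswd /opt/nginx/conf/.htpasswd admin admin
    run_registry
fi
```

After running it, copy /etc/nginx/ssl/domain.crt to /etc/docker/certs.d/registry.test.com/ca.crt on each client so the daemon trusts the self-signed certificate, and use check_htpasswd to confirm a credential before debugging the proxy.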


III. Final verification

Whether the configuration actually works needs to be verified by appropriate means.

(1) Connectivity verification:

# curl -i -k -v https://admin:admin@registry.chanjet.com/v2/

(2) Authentication verification (preferably from another server):

# docker login registry.chanjet.com   # prompts for user name, password, email and so on; once validated you can push. Without this step you will see a validation failure.
# docker pull busybox && docker tag busybox registry.chanjet.com/test/busybox
# docker push registry.chanjet.com/test/busybox

(3) View the uploaded image information:

# curl -i -k -v https://admin:admin@registry.chanjet.com/v2/_catalog
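The three checks above, turned into a repeatable script as an added example (not from the original post): it probes /v2/ through the proxy anonymously (expecting a 401 with a Basic challenge and the Docker-Distribution-Api-Version header that the always parameter guarantees), then with credentials (expecting 200), and finally confirms that the registry's own port 5000 cannot be reached directly, which would bypass the Nginx login. The host and admin:admin credentials are the post's; the function names and the response-parsing helpers are this example's own, and the probes assume curl is installed.

```shell
#!/bin/sh
# Added check script, not from the original post. Assumes Nginx on 443 with basic auth
# in front of the registry, and the registry published on host port 5000.

# Numeric status from a "curl -D -" / "curl -i" response; tolerates CRLF and HTTP/2.
status_of() {
    printf '%s\n' "$1" | tr -d '\r' | sed -n '1s/^HTTP\/[0-9.]* \([0-9][0-9][0-9]\).*/\1/p'
}

# True when the response carries the header the Docker client requires from a v2 registry.
has_api_header() {
    printf '%s\n' "$1" | tr -d '\r' | grep -qi '^docker-distribution-api-version: *registry/2\.0'
}

# True when the response asks for HTTP Basic credentials.
demands_basic_auth() {
    printf '%s\n' "$1" | tr -d '\r' | grep -qi '^www-authenticate: *basic'
}

# GET a URL and return only the response headers. -k because the proxy uses the
# self-signed certificate from step (1). $2 is an optional user:pass.
probe() {
    if [ -n "${2:-}" ]; then
        curl -sS -k -o /dev/null -D - --max-time 10 -u "$2" "$1"
    else
        curl -sS -k -o /dev/null -D - --max-time 10 "$1"
    fi
}

# $1 = registry host, $2 = user:pass, $3 = registry container port (default 5000).
# Prints one line per check and returns non-zero if any check failed.
verify_registry() {
    local host=$1 creds=$2 port=${3:-5000} rc=0 resp

    resp=$(probe "https://$host/v2/") || true
    if [ "$(status_of "$resp")" = 401 ] && demands_basic_auth "$resp" && has_api_header "$resp"; then
        echo "ok   : anonymous /v2/ -> 401 with Basic challenge and API version header"
    else
        echo "FAIL : anonymous /v2/ must return 401 + WWW-Authenticate + Docker-Distribution-Api-Version"
        rc=1
    fi

    resp=$(probe "https://$host/v2/" "$creds") || true
    if [ "$(status_of "$resp")" = 200 ] && has_api_header "$resp"; then
        echo "ok   : authenticated /v2/ -> 200"
    else
        echo "FAIL : authenticated /v2/ did not return 200 (check .htpasswd and proxy_pass)"
        rc=1
    fi

    # The registry has no auth of its own: a direct connection from outside must fail.
    if curl -sS -o /dev/null --max-time 5 "http://$host:$port/v2/" 2>/dev/null; then
        echo "FAIL : registry reachable directly on $host:$port, bypassing Nginx auth (publish it on 127.0.0.1 only)"
        rc=1
    else
        echo "ok   : registry port $port not reachable directly"
    fi
    return $rc
}

# Usage: sh check_registry.sh registry.chanjet.com admin:admin
if [ $# -ge 2 ]; then
    verify_registry "$@"
fi
```

Run it from a machine other than the registry host, as the post recommends for the login test; the last check only proves something when the probe does not originate on the host itself.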

Reference documentation:

https://github.com/docker/distribution/blob/master/docs/configuration.md

https://github.com/docker/distribution/blob/master/docs/insecure.md

http://www.dockone.io/article/684

This article is from the "Paradox" blog; please keep this source: http://unixman.blog.51cto.com/10163040/1707423
