1. Docker Registry Description
This article records the complete process I followed to build a private Docker registry. Docker officially provides Docker Hub as an open, centralized registry, but given network conditions in China, the first pull of an image either fails or takes a very long time. To solve this problem, you need to create a private registry so that images can be pushed and pulled locally. The Docker version I use is 1.5.0.
2. Installing docker-registry
The code is as follows:
docker run -d -e SETTINGS_FLAVOR=dev -e STORAGE_PATH=/tmp/registry -v /alidata/registry:/tmp/registry -p 5000:5000 registry
# If the registry image is not present locally, it is pulled the first time this runs; the path and port are mapped at run time, and the private registry's data can be found under /data/registry
3. Operations on the client
# List the images available in the local registry
The code is as follows:
curl -X GET http://registry.wpython.com:5000/v1/search
curl http://registry.wpython.com:5000/v1/search
{"num_results": 1, "query": "", "results": [{"description": "", "name": "library/centos6"}]}
# Pull an image to the local machine
The code is as follows:
docker pull library/centos6
# Tag an image
The code is as follows:
docker tag 8552ea9a16f9 registry.wpython.com:5000/centos6_x86_64.mini
# Push the new Docker image to the local registry
The code is as follows:
docker push registry.wpython.com:5000/centos6_x86_64.mini
4. Adding Nginx authentication
When Docker is started listening on a port, it uses HTTP, and the Docker host can then be managed remotely.
This setup has a drawback: the API provides no user authentication, tokens or similar, so anyone who knows the address and port can control the Docker host. To avoid this, Docker officially supports HTTPS, but we have to generate the certificates ourselves.
Newer versions of Docker also enforce HTTPS and report an error otherwise.
# The Nginx installation process is omitted
Create a login user (install the httpd-tools package if the htpasswd command is missing)
The code is as follows:
htpasswd -c /alidata/server/nginx/docker-registry.htpasswd admin
New password:
Re-type new password:
Adding password for user admin
# Generate the root key
The code is as follows:
cd /etc/pki/CA/
openssl genrsa -out private/cakey.pem 2048
# Generate the root certificate
The code is as follows:
openssl req -new -x509 -key private/cakey.pem -out cacert.pem
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:brijing
Locality Name (eg, city) []:chaoyang
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:registry.wpython.com
Email Address []:
# Generate the SSL key for the Nginx server
The code is as follows:
cd /alidata/server/nginx/ssl
openssl genrsa -out nginx.key 2048
# Generate a certificate signing request for Nginx
The code is as follows:
openssl req -new -key nginx.key -out nginx.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:beijing
Locality Name (eg, city) []:chaoyang
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:registry.wpython.com
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
# The private CA issues the certificate from the request
The code is as follows:
openssl ca -in nginx.csr -out nginx.crt
# If the following error is reported:
Using configuration from /usr/local/ssl/openssl.cnf
/etc/pki/CA/index.txt: No such file or directory
unable to open '/etc/pki/CA/index.txt'
140137408210600:error:02001002:system library:fopen:No such file or directory:bss_file.c:398:fopen('/etc/pki/CA/index.txt','r')
140137408210600:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:400:
# Run the following commands
The code is as follows:
cd /etc/pki/CA/
mkdir newcerts
touch index.txt
touch serial
echo 01 > serial
cd -
openssl ca -in nginx.csr -out nginx.crt
Using configuration from /usr/local/ssl/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
    Serial Number: 1 (0x1)
    Validity
        Not Before: May 04:15:08 2015 GMT
        Not After : May one 04:15:08 2016 GMT
    Subject:
        countryName = CN
        stateOrProvinceName = Beijing
        organizationName = Internet Widgits Pty Ltd
        commonName = registry.wpython.com
        emailAddress = 739827282@qq.com
    X509v3 extensions:
        X509v3 Basic Constraints:
            CA:FALSE
        Netscape Comment:
            OpenSSL Generated Certificate
        X509v3 Subject Key Identifier:
            B5:20:C7:47:26:D9:26:54:12:F7:36:7E:4E:3A:F0:D9:0E:2C:F7:BD
        X509v3 Authority Key Identifier:
            keyid:93:F7:86:72:1B:2B:24:CD:AF:24:EF:53:F4:E1:FA:EC:E7:70:1A:90
Certificate is to be certified until May 04:15:08 2016 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
# Trust the root certificate (append it to the system CA bundle)
The code is as follows:
# cp /etc/pki/tls/certs/ca-bundle.crt{,.bak}    # back up in case of error
# cat /etc/pki/CA/cacert.pem >> /etc/pki/tls/certs/ca-bundle.crt
# Create the Nginx configuration file
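The certificate steps above, as a non-interactive script that also checks the result. This is an added example, not part of the original article: it signs with `openssl x509 -req` instead of `openssl ca` (so no index.txt/serial database is needed) and adds a subjectAltName, because current TLS clients match the host name against the SAN rather than the Common Name. The CA name, the scratch directory and the function names are assumptions.

```shell
#!/bin/sh
# Added example: private root CA + nginx server certificate in a scratch directory.
# "Demo Registry CA" and the file layout are assumptions made for this demo.

make_registry_cert() {              # $1 = scratch directory, $2 = registry host name
    dir=$1; host=$2
    mkdir -p "$dir" || return 1
    cat > "$dir/ca.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Demo Registry CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
    # Server certificate extensions: not a CA, host name as a SAN entry.
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\n' "$host" > "$dir/san.ext"
    (
        umask 077                   # keep both private keys owner-only
        openssl genrsa -out "$dir/cakey.pem" 2048 &&
        openssl genrsa -out "$dir/nginx.key" 2048
    ) 2>/dev/null || return 1
    openssl req -new -x509 -config "$dir/ca.cnf" -key "$dir/cakey.pem" \
        -days 365 -out "$dir/cacert.pem" &&
    openssl req -new -config "$dir/ca.cnf" -key "$dir/nginx.key" \
        -subj "/C=CN/CN=$host" -out "$dir/nginx.csr" &&
    openssl x509 -req -in "$dir/nginx.csr" -CA "$dir/cacert.pem" \
        -CAkey "$dir/cakey.pem" -CAcreateserial -days 365 -sha256 \
        -extfile "$dir/san.ext" -out "$dir/nginx.crt" 2>/dev/null
}

# The server certificate chains to the private root.
chain_ok() { openssl verify -CAfile "$1/cacert.pem" "$1/nginx.crt" >/dev/null 2>&1; }

# nginx.key is the key certified in nginx.crt (compare the public keys).
key_matches_cert() {
    [ "$(openssl x509 -in "$1/nginx.crt" -noout -pubkey | openssl sha256)" = \
      "$(openssl pkey -in "$1/nginx.key" -pubout | openssl sha256)" ]
}

# The host name appears as a subjectAltName DNS entry.
has_san() { openssl x509 -in "$1/nginx.crt" -noout -text | grep -q "DNS:$2"; }

# Demo run in a throwaway directory, using the article's host name.
d=$(mktemp -d) && make_registry_cert "$d" registry.wpython.com &&
    chain_ok "$d" && key_matches_cert "$d" && echo "chain and key OK: $d"
```

Running `chain_ok` and `key_matches_cert` before reloading Nginx catches a mismatched key or an unsigned certificate without touching the live server.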
The code is as follows:
# vi /alidata/server/nginx/conf/vhosts/www.wpython.com.conf
upstream docker-registry {
    server localhost:5000;
}
server {
    listen 8080;
    server_name registry.wpython.com;
    # Enable SSL
    ssl on;
    ssl_certificate /alidata/server/nginx/ssl/nginx.crt;
    ssl_certificate_key /alidata/server/nginx/ssl/nginx.key;
    proxy_set_header Host $http_host;
    proxy_set_header X-Real-IP $remote_addr;
    client_max_body_size 0;
    chunked_transfer_encoding on;
    location / {
        auth_basic "Restricted";
        auth_basic_user_file docker-registry.htpasswd;
        proxy_pass http://docker-registry;
    }
    location /_ping {
        auth_basic off;
        proxy_pass http://docker-registry;
    }
    location /v1/_ping {
        auth_basic off;
        proxy_pass http://docker-registry;
    }
}
# Test the finished setup
The code is as follows:
# docker login https://registry.wpython.com:8080
Username: admin
Password:
Email: 739827282@qq.com
Login Succeeded
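The Nginx layer only protects the registry if the plain-HTTP port 5000 from section 2 can no longer be reached from other hosts; `-p 5000:5000` publishes it on every interface. The following check is an added example, not part of the original article; the function names are assumptions and the sample `docker port` lines are constructed.

```shell
#!/bin/sh
# Added example: check that the registry is reachable only through the
# authenticating nginx front end. Sample `docker port` lines are constructed.

# Read `docker port <container>` output on stdin, print every host binding
# that is not loopback-only, and return 1 if any was printed.
exposed_bindings() {
    found=0
    while IFS= read -r line; do
        case $line in *' -> '*) ;; *) continue ;; esac
        bind=${line##* -> }             # e.g. 0.0.0.0:5000
        addr=${bind%:*}                 # drop the trailing :port
        case $addr in
            127.*|'[::1]') ;;           # loopback: only the local nginx can connect
            *) echo "$bind"; found=1 ;;
        esac
    done
    return "$found"
}

# HTTP status of an unauthenticated GET; curl prints 000 if it cannot connect.
http_code() { curl -s -o /dev/null -m 5 -w '%{http_code}' "$1"; }

# Verdict from two observed codes: $1 = via nginx, $2 = direct to port 5000.
front_end_enforced() {
    [ "$1" = 401 ] || { echo "nginx answered $1 without credentials, expected 401"; return 1; }
    [ "$2" = 000 ] || { echo "port 5000 answered $2 directly, bypassing nginx"; return 1; }
    echo "registry reachable only through authenticated nginx"
}

# Demo on constructed input: -p 5000:5000 publishes on all interfaces, while
# -p 127.0.0.1:5000:5000 keeps the plain-HTTP port local to the nginx host.
printf '%s\n' '5000/tcp -> 0.0.0.0:5000' | exposed_bindings || echo "^ exposed"
printf '%s\n' '5000/tcp -> 127.0.0.1:5000' | exposed_bindings && echo "loopback only"
# Live use from another host:
#   front_end_enforced "$(http_code https://registry.wpython.com:8080/v1/search)" \
#                      "$(http_code http://registry.wpython.com:5000/v1/search)"
```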