Build a private Docker Registry on CentOS 6

Source: Internet
Author: User
Tags openssl x509 ssl certificate docker ps docker registry

Build a private Docker Registry on CentOS 6 v2
Gistry is a stateless, highly extensible server-side application for storing and distributing Docker Image.
Dependent installation
To use Docker Registry, of course, first install Docker. Let's say you've installed Docker. It is not installed to refer to the official documentation.
Docker-compose is a very useful tool for Docker to run and manage. You can use a simple command to start multiple docker simultaneously by defining the compose file
Container run different services. Docker-compose provides great convenience for development, testing, environmental preservation, and CI.
Docker-compose is a tool developed in Python, so you can install it directly with PIP.
1. $ pip Install Docker-compose
It is important to note that Docker-compose may have limitations on the requests module version, while a later version of the requests module may be installed on this machine, resulting in the run times
Wrong. You can use Pip-conflict-checker to check for version conflicts, uninstall inappropriate versions, and reinstall an appropriate version.
1. $ pip Install Pip-conflict-checker
2. $ pipconflictchecker
3. $ PIP Uninstall requests
4. $ pip Install requests==2.7.0
The docker-compose installed using PIP in the actual usage operation may also report a bug in the code at execution time.
It is recommended to download the stable release version directly from GitHub for installation.
1. $ curl-l' uname-s '-' uname-m ' >
2. $ chmod +x/usr/local/bin/docker-compose
3. $ ln-s/usr/local/bin/docker-compose/usr/bin/docker-compose
Because of the need to use Nginx to provide security authentication features, you need a place to place the user name and password pair.
Use the HTPASSWD tool provided by Httpd-tools to generate a user name password pair.
Install Httpd-tools.
1. $ yum Install Httpd-tools
RunRegistry Containerand useNginxBe an agent
Create a working directory, such as/data/progrmas/docker, and create a docker-compose.yml file in that directory, copy and paste the following docker-compose.yml content
to your docker-compose.yml file.
The content is roughly meant to run the Nginx container based on "nginx:1.9" image, exposing the container 443 port to host 443 port. and mount the nginx/directory under the current directory as a container
The/ETC/NGINX/CONFIG.D directory.
Nginx link to registry container. Create registry container based on Registry:2 image, expose container 5000 port to host 5000 port, use environment variable to indicate using/data as root
The data/folder in the current directory to the container's/data directory.
1. $ mkdir/data/progrmas/docker-p
2. $ cd/data/programs/docker
3. $ mkdir Data && mkdir nginx
1. $ cat/data/programs/docker/docker-compose.yml
2. Nginx:
3. Image: "nginx:1.9"
4. Ports:
6. Links:
8. Volumes:
Create the registry.conf file in the Nginx directory to configure Nginx. Configure Nginx's relationship with registry, forwarding ports, and other Nginx configuration options. Copy, paste the following content
To your registry.conf file:
1. $ cat/data/programs/docker/nginx/registry.conf
2. Upstream Docker-registry {
3. Server registry:5000;
6. Server {
7. Listen 443;
8. Server_Name;
Ten. # SSL
One. # SSL on;
# ssl_certificate_key/etc/nginx/conf.d/domain.key;
Disable. # Limits to avoid HTTP 413 for large image uploads
Client_max_body_size 0;
# required to avoid HTTP 411:see Issue #1486 (
Chunked_transfer_encoding on;
location/v2/. {
. # do not allow connections from Docker 1.5 and earlier
pre-1.6.0. # docker properly set the user agent on Ping, catch "Go *" user agents
if ($http _user_agent ~ "^ (docker\/1\. ( 3|4|5 (?! \. [0-9]-dev)] | Go). *$ ") {
404. Return;
# to-Add Basic Authentication to v2 use Auth_basic setting plus Add_header
# auth_basic "Registry.localhost";
# Auth_basic_user_file/etc/nginx/conf.d/registry.password;
# add_header ' docker-distribution-api-version ' registry/2.0 ' always;
Proxy_pass Http://docker-registry;
Proxy_set_header Host $http _host; # Required for Docker client ' s sake
Proxy_set_header X-real-ip $remote _addr; # Pass on real client ' s IP
Proxy_set_header x-forwarded-for $proxy _add_x_forwarded_for;
Panax Proxy_set_header X-forwarded-proto $scheme;
900. Proxy_read_timeout;
After the profile creation is complete, go back to the working directory to execute docker-compose up run registry and Nginx container.
1. $ docker-compose Up
2. Starting Docker_registry_1
3. Starting Docker_nginx_1
4. Attaching to Docker_registry_1, docker_nginx_1
5. Registry_1 | Time= "2016-01-08t11:22:41z" Level=info msg= "starting upload purge in 7m0s" go.version=go1.5.2 version=v2.2.1
6. Registry_1 | Time= "2016-01-08t11:22:41z" level=warning msg= "No HTTP secret provided-generated random Secret. This
May cause problems with uploads if multiple registries is behind a load-balancer. To provide a shared secret, fill
In Http.secret in the configuration file or set the REGISTRY_HTTP_SECRET environment variable. "go.version=go1.5.2 version=v2.2.1
7. Registry_1 | Time= "2016-01-08t11:22:41z" Level=info msg= "Redis Not Configured" go.version=go1.5.2 version=v2.2.1
8. Registry_1 | Time= "2016-01-08t11:22:41z" Level=info msg= "using InMemory blob descriptor cache" go.version=go1.5.2 version=v2.2.1
9. Registry_1 | Time= "2016-01-08t11:22:41z" Level=info msg= "listening on" go.version=go1.5.2 version=v2.2.1
Registry_1 | Time= "2016-01-08t11:22:49z" Level=info msg= "response completed" go.version=go1.5.2 "localhost:5000" Http.request.method=GET
Http.request.remoteaddr= "" http.request.uri= "/v2/" http.request.useragent= "curl/7.19.7 (x86_64-
REDHAT-LINUX-GNU) libcurl/7.19.7 nss/3.19.1 Basic ECC zlib/1.2.3 libidn/1.18 libssh2/1.4.2 "
Http.response.contenttype= "Application/json; Charset=utf-8 "http.response.duration=3.108632ms
http.response.status=200 http.response.written=2 version=v2.2.1
After executing docker-compose up. Note If there is a message that the container is starting to fail, if the container starts a failed message, the network needs to be checked to see if it can pull from Dockerhub
Image (requires proxy, or use a domestic image, use a domestic image to change the image entry in the Docker-compose.yml file). It is also possible to paste the configuration file incorrectly, requiring
Fine check.
After startup, you can also use the Docker PS command to see if two containers are working correctly.
1. $ docker PS
3.28ac3aba9a22 nginx:1.9 "Nginx-g ' daemon of seconds ago up notoginseng seconds 80/tcp,>443/tcp docker_nginx_1
4.0cddc713022f registry:2 "/bin/registry/etc/38 seconds ago up notoginseng seconds>5000/tcp docker_registry_1
After you have determined that the Docker container is functioning correctly, use the Curl command to verify that the feature is functioning correctly. Make localhost:5000 and localhost:443 access registry should return {}.
1. Curl http://localhost:5000/v2/
2. Curl http://localhost:443/v2/
Use Ctrl-c to exit Docker-compose and continue with the following steps.
3.Add user name and password
Under the/data/programs/docker/nginx directory, execute the following command to create a user name and password pair, and not use the "-C" option if you are creating multiple user names and password pairs.
1. $ htpasswd-c Registry.password Docker
Then modify the registry.conf file to uncomment the following three lines.
1. Auth_basic "Registry.localhost";
2. Auth_basic_user_file/etc/nginx/conf.d/registry.password;
3. Add_header ' docker-distribution-api-version ' registry/2.0 ' always;
Execute the Docker-compose up run registry again, the result is "{}" accessed using the localhost:5000 port, but using localhost:443 access
Will get a hint of "401 authorisation Required". The user name and password authentication are included to obtain the same results as direct access to the registry 5000 port.
1. $ Curl http://localhost:5000/v2/
2. {}
4. $ Curl http://localhost:443/v2/
5. 6. 7. <body bgcolor= "White" >
8. <center>9. Ten. </body>
One. $ Curl Http://docker:[email protected]:443/v2/
13. {}
If you have a certificate certified by the certification authority, use the certificate directly in the Nginx directory. If not, use OpenSSL to create your own certificate.
1) to/data/programs/docker/nginxDirectory
(1) Create a new root key
1. $ OpenSSL genrsa-out Devdockerca.key 2048
(2) Generate root certificate (all the way to enter)
1. $ OpenSSL req-x509-new-nodes-key devdockerca.key-days 10000-out devdockerca.crt
(3) Create a key for the server. (This key will be referenced by the Ssl_certificate_key domain in the nginx config file Registry.con.)
1. $openssl Genrsa-out Domain.key 2048
(4) Make a certificate signing request. Note When you execute the command below, the command prompts for some information, "Common name" must be entered into your domain name (the official said IP is OK, but
There is also the assertion that IP cannot be encrypted), other items can be entered whatever you want. Do not enter any challenge password, directly enter.
1. $ OpenSSL req-new-key domain.key-out DEV-DOCKER-REGISTRY.COM.CSR
2. You is about-to is asked to-enter information that'll be incorporated
3. into your certificate request.
4. What's about-to-enter is called a distinguished Name or a DN.
5. There is quite a few fields but can leave some blank
6. For some fields there would be a default value,
7. If you enter '. ', the field would be a left blank.
9. Country Name (2 letter code) [XX]:
State or province name (full name) []:
Locality Name (eg, city) [Default City]:
Organization Name (eg, company) [Default company LTD]:
Organizational Unit Name (eg, section) []:
Common name (eg, your name or your server ' s hostname) []
e-Mail Address []:
Please enter the following ' extra ' attributes
To be sent with your certificate request
A Challenge Password []:
A optional company name []:
(5) Signing the certification request
1. $ OpenSSL x509-req-in Devdockerca.crt-cakey devdockerca.key-cacreateserial-out
Domain.crt-days 10000
2) configurationNginxUsing certificates
Modify the registry.conf configuration file to uncomment the following three lines:
1. SSL on;
2. Ssl_certificate/etc/nginx/conf.d/domain.crt;
3. Ssl_certificate_key/etc/nginx/conf.d/domain.key;
3) RunRegistry
Perform docker-compose up-d run registry in the background and use Curl to verify the results. You can still access registry directly using the localhost:5000 port, but
Use 443 port via Nginx proxy because SSL authentication has been added, so using HTTP will return "Bad Request"
1. $ Curl http://localhost:5000/v2/
2. {}
3. $ Curl http://localhost:443/v2/
4. 5. 6. <body bgcolor= "White" >
7. <center>8. <center>the Plain HTTP request is sent to HTTPS port</center>
9. Ten. </body>
One. The HTTPS protocol should be used:
1. $ Curl https://localhost:443/v2/
2. Curl: (certificate) Peer cannot is authenticated with known CA certificates
3. More details here:
5. Curl performs SSL certificate verification by default, using a "bundle"
6. of Certificate Authority (CA) public keys (ca certs). If the default
7. bundle file isn ' t adequate, you can specify an alternate file
8. Using the--cacert option.
9. If This HTTPS server uses a certificate signed by a CA represented in
The bundle, the certificate verification probably failed due to a
Problem with the certificate (it might is expired, or the name might
A. Not match the domain name in the URL).
If you ' d like to turn off Curl's verification of the certificate, use
The-k (or--insecure) option.
Because it is a certificate that is used without any certification authority certification, and you have not applied your own generated certificate locally. Therefore, you will be prompted to use an unauthenticated certificate, you can make
The "-k" option is not validated.
1. $ curl-k https://localhost:443/v2/
2. 3. 4. <body bgcolor= "White" >
5. <center>6. 7. </body>
8. Client usesRegistry
1.Add a Certificate
Centos 6/7 Add a certificate in the following steps:
1) Install the Ca-certificates package
1. $ yum Install Ca-certificates
2) enable dynamic CA configuration feature
1. $ update-ca-trust force-enable
3) Copy key to/etc/pki/ca-trust/source/anchors/
1. $ CP devdockerca.crt/etc/pki/ca-trust/source/anchors/
4) Make the new copy of the certificate effective
1. $ update-ca-trust Extract
After you copy the certificate, you need to restart Docker to ensure that the new certificate is available to Docker.
1. $ Service Docker restart
2. Docker Pull/push ImageTest
Make an image to push to registry
1. #查看本地已有镜像
2. $ Docker Images
4. Registry 2 cd57aad0bd45 3 days ago 224.5 MB
5. Nginx 1.9 813e3731b203 3 weeks ago 133.9 MB
6. #为本地镜像打标签
7. $ docker Tag Registry:2
8. $ docker Tag nginx:1.9
9. $ Docker Images
Registry 2 Cd57aad0bd45 3 days ago 224.5 MB 2 cd57aad0bd45 3 days ago 224.5 MB
Nginx 1.9 813e3731b203 3 weeks ago 133.9 MB 1.9 813e3731b203 3 weeks ago 133.9 MB
Push test
1. #不登陆直接push镜像到registry, you will be prompted to fail
2. [[email protected] ~]# Docker push
3. The push refers to a repository [] (Len:1)
4. Cd57aad0bd45:image Push failed
5. Cd57aad0bd45:buffering to Disk
6. Please login prior to push:
7. Username:
8. Error response from Daemon:no successful auth challenge for [Basic auth
Attempt to Https:// "Registry.localhost" failed with status:401 unauthorized]
9. #登陆后, try Again
$docker Login
Warning:login Credentials Saved In/root/.docker/config.json
. Login Succeeded
#可以push Mirroring to Registry
$ docker Push
The push refers to a repository [] (Len:1)
Cd57aad0bd45:image already exists
B3c39a7768ea:image successfully pushed
4725a48b84d4:image successfully pushed
7b4078296418:image successfully pushed
7bd663e30ad0:image successfully pushed
28864e830e4d:image successfully pushed
7bd2d56d8449:image successfully pushed
Af88597ec24b:image successfully pushed
B2ae0a712b39:image successfully pushed
02e5bca4149b:image successfully pushed
895b070402bd:image successfully pushed
Search image
1. Curl Https://docker:[email Protected]/v2/_catalog
2. {"Repositories": ["Registry"]}
3. Curl Https://docker:[email Protected]/v2/nginx/tags/list
4. {"Name": "Registry", "tags": ["2"]}
Pull Test
1. $ Docker Logout
2. Remove login Credentials for
3. #不登陆registry直接pull镜像也会失败
4. $ Docker Pull
5. Pulling Repository
6. Error:image Registry:2 not found
7. #登陆后再测试
8. $ Docker Login
9. Username:docker
Warning:login Credentials Saved In/root/.docker/config.json
Login succeeded
. $ Docker Pull
1.9:pulling from
6d1ae97ee388:already exists
8b9a99209d5c:already exists
3244b9987276:already exists
50e5c9c52d5d:already exists
146400830f31:already exists
B412cc1cde63:already exists
7fe375038652:already exists
C43f11a030f9:already exists
152297b50994:already exists
01e808fa2993:already exists
813e3731b203:already exists
status:downloaded newer image for
Reference link: digitalocean:how to Set up a Private Docker Registry on Ubuntu 14.04

Build a private Docker Registry on CentOS 6

Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.