Build a private Docker Registry on the CentOS7

Digitalocean Another very detailed tutorial on how to build a private Docker registry on Ubuntu 14.04. The method on CentOs 7 is roughly the same as on Ubuntu, and here is a reference to the article, which is a building process on CentOS7. The first time I set foot on a lot of pits, but no record. This group is going to record a successful approach to the second-tier summary. Registry Concept

Registry is a stateless, highly extensible server-side application for storing and distributing Docker Image. Why to use registry, mainly for the following reasons:

1) strictly control the image storage location;

2) Full control of the image distribution path;

3) Integrate image storage and distribution more tightly in the internal development process. Dependent installation 1. Installing Docker

To use Docker Registry, of course, first install Docker. Let's say you've installed Docker. It is not installed to refer to the official documentation. 2. Installing Docker-compose

Docker-compose is a very useful tool for Docker to run and manage. You can run different services simultaneously from multiple Docker container by defining the compose file and using a simple command. Docker-compose provides great convenience for development, testing, environmental preservation, and CI. In view of all the building methods in this article, the following Digitalocean use Nginx and registry two containers, so also use Docker-compose to run the Docker container.

Docker-compose is a tool developed in Python, so you can install it directly with PIP.

sudo pip install Docker-compose

It is important to note that Docker-compose may have limitations on the Requests module version, and a later version of the requests module may be installed on this machine, resulting in a run-times error. You can use Pip-conflict-checker to check for version conflicts, uninstall inappropriate versions, and reinstall an appropriate version.

sudo pip install pip-conflict-checker
sudo pipconflictchecker
sudo pip uninstall requests
sudo pip install requests==2.7.0

The docker-compose installed with PIP in the actual usage operation may also report a bug in the execution, or download a stable release version directly from GitHub. Root permission is required.

Curl-l https://github.com/docker/compose/releases/download/1.5.2/docker-compose-' uname-s '-' uname-m ' >/usr/ Local/bin/docker-compose
chmod +x/usr/local/bin/docker-compose

3. Installing httpd

Because of the need to use Nginx to provide security authentication features, need a place to place the user name and password pair, using the HTPASSWD tool to generate user name password pair. In the Debian system, the HTPASSWD tool is available in Apache, but is provided by Httpd-tools in CentOS. If you are unsure, you can use Yum provides to view it. Install Httpd-tools.

sudo yum install Httpd-tools

Run registry container and use Nginx as an agent. 1. Run the Nginx and registry containers.

Create a working directory and create a docker-compose.yml file in that directory, copying and pasting the following into the file. The content is roughly meant to run the Nginx container based on "nginx:1.9" image, exposing the container 443 port to host 443 port. and mount the nginx/directory under the current directory as the container's/ETC/NGINX/CONFIG.D directory. Nginx link to registry container. Creates a registry container based on Registry:2 image, exposes container 5000 ports to host 5000 ports, uses environment variables to indicate the root directory using/data, and mounts the data/folder under the current directory to the/data directory of the container. All also need to create nginx and data folders in the current directory:

mkdir Data && mkdir nginx

DOCKER-COMPOSE.YML content:

Nginx:
  Image: "nginx:1.9"
  ports:
    -443:443
  Links:-
    registry:registry
  volumes:
    -. NGINX/:/ETC/NGINX/CONF.D
registry:
  image:registry:2
  ports:
    -127.0.0.1:5000:5000
  Environment:
    registry_storage_filesystem_rootdirectory:/data
  volumes:

    -./data:/data

2. Configure NginxCreate the registry.conf file in the Nginx directory to configure Nginx. Configure Nginx's relationship with registry, forwarding ports, and other Nginx configuration options. Copy and paste the following into the file:

Upstream Docker-registry {server registry:5000;}
  server {Listen 443;

  server_name myregistrydomain.com;
  # SSL # SSL on;
  # SSL_CERTIFICATE/ETC/NGINX/CONF.D/DOMAIN.CRT;

  # ssl_certificate_key/etc/nginx/conf.d/domain.key;

  # Disable any limits to avoid HTTP 413 for large image uploads client_max_body_size 0; # required to avoid HTTP 411:see Issue #1486 (https://github.com/docker/docker/issues/1486) chunked_transfer_encoding o

  N  location/v2/{# does not allow connections from Docker 1.5 and earlier # Docker pre-1.6.0 does not properly set the The user agent on Ping, catch "Go *" user agents if ($http _user_agent ~ "^ (docker\/1\. ( 3|4|5 (?! \. [0-9]-dev)] |
    Go). *$ ") {return 404;
    } # To add Basic Authentication to v2 use Auth_basic setting plus Add_header # auth_basic "Registry.localhost";
    # Auth_basic_user_file/etc/nginx/conf.d/registry.password;

    # add_header ' docker-distribution-api-version ' registry/2.0 ' always; Proxy_paSS Http://docker-registry;   Proxy_set_header Host $http _host; # Required for Docker client ' s sake proxy_set_header x-real-ip $remote _addr;
    # Pass on real client ' s IP proxy_set_header x-forwarded-for $proxy _add_x_forwarded_for;
    Proxy_set_header X-forwarded-proto $scheme;
  Proxy_read_timeout 900; }

}

Once the profile is created, go back to the working directory to execute docker-compose up run registry and Nginx container, and use the Curl command to verify the results.

Docker-compose up

After executing docker-compose up, the terminal output information is as follows. Note If there is a message that the container is starting to fail, if the container starts a failed message, needs to check the network, whether it can pull the image from Dockerhub (proxy required, or use a domestic mirror, the image entry in the Docker-compose.yml file needs to be changed using a domestic mirror). It is also possible to paste the configuration file incorrectly, which needs to be checked carefully.

After startup, you can also use the Docker PS command to see if two containers are working correctly.

After you have determined that the Docker container is working, only use the Curl command to verify that the feature is functioning correctly. You can access localhost:5000 direct access to registry, or you should return {} using the localhost:443 port.

Curl http://localhost:5000/v2/
Curl http://localhost:443/v2/

Use Ctrl-c to exit the container execution and continue with the subsequent steps.

3. Add user name and password under the Nginx directory execute the following command to create a pair of user names and passwords, if you want to create multiple usernames and passwords, then do not use the "-C" option.

Htpasswd-c Registry.password USERNAME

Then modify the registry.conf file to uncomment the following three lines.

Auth_basic "Registry.localhost";
Auth_basic_user_file/etc/nginx/conf.d/registry.password;
Add_header ' docker-distribution-api-version ' registry/2.0 ' always;

The Docker-compose up run registry is executed again, and the result is "{}" with localhost:5000 port access, but using localhost:5043 access will get "401 authorisation Required "prompt. The user name and password authentication are included to obtain the same results as direct access to the registry 5000 port.

Curl http://username:password@localhost:5043/v2/

4. Add SSL authenticationIf you have a certificate certified by the certification authority, use the certificate directly in the Nginx directory. This article details how to use OpenSSL to create your own certificate for authentication. 1) Create a certificate in the service(1) Create a new root key

OpenSSL genrsa-out Devdockerca.key 2048

(2) Generate root certificate (all the way to enter)

OpenSSL req-x509-new-nodes-key devdockerca.key-days 10000-out devdockerca.crt

(3) Create a key for the server. (This key will be referenced by the Ssl_certificate_key domain in the nginx config file Registry.con.)

OpenSSL genrsa-out domain.key 2048<span style= "White-space:pre" >	</span>

(4) Make a certificate signing request. Note that when you execute the command below, the command prompts for some information, "Common name" must be entered into your domain name (the official said IP is OK, but there is also the assertion that IP cannot be encrypted), the other items can be entered whatever. Do not enter any challenge password, directly enter.

OpenSSL Req-new-key domain.key-out DEV-DOCKER-REGISTRY.COM.CSR

(5) Signing the certification request

OpenSSL x509-req-in dev-docker-registry.com.csr-ca devdockerca.crt-cakey devdockerca.key-cacreateserial-out domain. Crt-days 10000<span style= "Font-family:monospace, monospace; Background-color:rgb (255, 255, 255); " > </span>

2) Configure Nginx use certificateModify the registry.conf configuration file to uncomment the following three lines:

SSL on;
SSL_CERTIFICATE/ETC/NGINX/CONF.D/DOMAIN.CRT;
Ssl_certificate_key/etc/nginx/conf.d/domain.key;</span>

3) Running RegistryPerform Docker-compose up run registry and use Curl to verify the results. At this point, the use of the localhost:5000 port can still access the registry directly, but if the use of 443 port through the Nginx proxy access, because the SSL authentication has been added, so using HTTP will return "Bad Request", Instead, you should use the HTTPS protocol:

Curl Https://test:test@localhost:443/v2/</span>

Because you are using a certificate that is not certified by any authentication structure, and you have not applied your own generated certificate locally. Therefore, you are prompted to use an unauthenticated certificate, and you can use the "-k" option without validation.

Client uses registry 1. Add a certificateCentos 6/7 adds certificates the same way, but unlike Ubuntu, the steps are as follows: 1) Install the Ca-certificates package

sudo yum install ca-certificates</span>

2) enable dynamic CA configuration feature

sudo update-ca-trust force-enable</span>

3) Copy key to/etc/pki/ca-trust/source/anchors/

sudo cp devdockerca.crt/etc/pki/ca-trust/source/anchors/</span>

4) Make the new copy of the certificate effective

sudo update-ca-trust extract</span>

After you copy the certificate, you need to restart Docker to ensure that the new certificate is available to Docker.
2. Log in to Docker registry and Pull/push imageUse the domain name directly to perform Docker login to login, because HTTPS uses port 443 by default, so you do not need to display the specified port. Enter the user name, password, email directly enter. Login successful will prompt login success.

Docker Login Xingwangc.docker.rg

Use Pull/push image. As shown in the following figure, my domain name is Xingwangc.docker.rg's registry host, with images from another registry (xingwangc.docker.com). The Test-hello is then tagged as Localhost:5000/hello and push to the local registry. Because the local host does not add key to the authentication directory, the use of the domain name to pull another tag image failed.
In another client, the certificate is added to the authentication directory, after the successful landing, pull Test-hello image, and the image re-tag successfully push back to registry.

Reference Links:

Digitalocean:how to Set up a Private Docker Registry on Ubuntu 14.04