1. Background
Since Docker 1.3.x the Docker registry uses HTTPS. A registry that is still served over plain HTTP makes docker push/pull fail with an error, so some extra setup is needed.
2. Advantages of a private registry:
First, it saves network bandwidth: instead of everyone downloading each image from the central registry, an image only has to be fetched from the private registry;
Second, it makes image resources available internally: images for internal use are pushed to the local private registry, where the company's own staff can use them.
3. Environment:
# cat /etc/redhat-release
CentOS Linux release 7.2.1511 (Core)
# uname -r
3.10.0-327.36.3.el7.x86_64
# hostname
docker.lisea.cn
4. Server IP Address
192.168.60.150
5. Build a CA for encrypted transmissions
* Install the OpenSSL related packages
# yum install pcre pcre-devel zlib-devel openssl openssl-devel -y
* Switch the working directory to the CA directory
# cd /etc/pki/CA
* Generate the root key
[genrsa] is the RSA key-generation subcommand
[private/cakey.pem] is the file the generated key is written to
[2048] is the key length in bits
# openssl genrsa -out private/cakey.pem 2048
* Generate the root certificate; the command then prompts for: country code (two letters), province, city, organization, unit, e-mail address. Without -days the certificate gets OpenSSL's default validity of 30 days.
# openssl req -new -x509 -key private/cakey.pem -out cacert.pem
6. Generate the key for Nginx (on Nginx server)
* Create the SSL directory
# mkdir /etc/pki/CA/ssl
* Switch the working directory to the SSL directory
# cd /etc/pki/CA/ssl/
* Create the Nginx key
[genrsa] is the RSA key-generation subcommand
[-out] specifies the output file name
[2048] is the key length in bits
# openssl genrsa -out nginx.key 2048
* Generate a certificate signing request for Nginx [at the "A challenge password" and "An optional company name" prompts just press Enter]
# openssl req -new -key nginx.key -out nginx.csr
* Have the private CA issue a certificate for the request (the CA server is the Docker registry server itself, and the request is submitted to that CA). "XX" stands for the starting serial number, which openssl ca expects as a hexadecimal value with an even number of digits (for example 01).
[When prompted, answer y twice]
# touch /etc/pki/CA/index.txt
# touch /etc/pki/CA/serial
# echo "XX" > /etc/pki/CA/serial
# openssl ca -in nginx.csr -out nginx.crt
7. Install and configure Nginx
* Install Nginx
# yum install nginx -y
* Modify the nginx.conf configuration (the server_name line needs its terminating semicolon, the cipher names are case-sensitive, and the forwarded-address header is X-Forwarded-For)
upstream registry {
    server 192.168.60.150:5000;
}

server {
    listen 443 ssl;
    server_name docker.lisea.cn;

    # ssl conf
    ssl on;
    ssl_certificate /etc/pki/CA/ssl/nginx.crt;
    ssl_certificate_key /etc/pki/CA/ssl/nginx.key;
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 5m;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;

    location / {
        proxy_pass http://registry;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $remote_addr;
    }
}
* Start or restart Nginx
# systemctl restart nginx
8. Install and configure Docker
* Install Docker
# yum install docker -y
* Configure Docker: add the following to DOCKER_OPTS in /etc/sysconfig/docker
DOCKER_OPTS="--insecure-registry docker.lisea.cn --tlsverify --tlscacert /etc/pki/CA/cacert.pem"
* Configure the hosts file
# tail -1 /etc/hosts
192.168.60.150 docker.lisea.cn
* Start Docker
# systemctl start docker
* Pull the registry image, here from the daocloud.io/registry mirror
# docker pull daocloud.io/registry
* Create the local image storage directory
# mkdir /data/local_docker_registry -p
* Run the container:
the container is named local_docker_registry;
the registry's /var/lib/registry inside the container is backed by the local /data/local_docker_registry directory;
port 5000 is published;
--restart=always makes it start whenever Docker starts.
# docker run --name local_docker_registry --restart=always -d -v /data/local_docker_registry:/var/lib/registry -p 5000:5000 daocloud.io/registry
9. Test whether the registry is reachable
* curl test
# curl -i -k https://docker.lisea.cn
HTTP/1.1 200 OK
Server: nginx/1.10.2
Date: Mon, Jun 2017 21:58:57 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 0
Connection: keep-alive
Cache-Control: no-cache
10. Client-side operations [on the Docker client machine]
* Copy the CA certificate from the registry server and rename it (the user name is not given in the original; <user> is a placeholder)
# scp <user>@192.168.60.150:/etc/pki/CA/cacert.pem /etc/pki/tls/certs/ca-certificates.crt
* Create the registry certificate directory
# mkdir /etc/docker/certs.d/docker.lisea.cn
* Copy the certificate into the registry certificate directory, renaming it to ca.crt
# cp /etc/pki/tls/certs/ca-certificates.crt /etc/docker/certs.d/docker.lisea.cn/ca.crt
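The CA and server-certificate steps of sections 5 and 6, together with the client-side trust check that the ca.crt file above enables, as an added shell example that is not part of the original post. It writes everything under a work directory passed as its first argument so it runs without root, defaults the registry name to docker.lisea.cn, signs with openssl x509 -req -CA instead of the post's openssl ca (so no index.txt/serial database is needed), and adds a subjectAltName to the server certificate, which current Docker clients require because Go's TLS stack no longer matches the CN alone. The verify_registry_cert function performs the check the daemon makes with certs.d/<host>/ca.crt, which the post's curl -k test skips. Subjects, validity periods and file layout are the example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Builds a private CA, issues a
# server certificate for the registry host with a Subject Alternative Name,
# and runs the trust check a Docker client performs with the CA file from
# /etc/docker/certs.d/<host>/ca.crt. Assumptions: everything is written under
# the work directory given as $1 (so no root is needed); the registry name
# defaults to docker.lisea.cn; subjects and validity periods are made up.

# make_registry_certs WORKDIR [HOSTNAME]
# Produces WORKDIR/ca/cacert.pem, WORKDIR/ca/private/cakey.pem,
# WORKDIR/ssl/nginx.key, WORKDIR/ssl/nginx.csr and WORKDIR/ssl/nginx.crt.
make_registry_certs() {
    work="$1"
    host="${2:-docker.lisea.cn}"
    mkdir -p "$work/ca/private" "$work/ssl"
    chmod 700 "$work/ca/private"

    # Minimal openssl config: no prompts (the subject comes from -subj) and
    # CA extensions for the root, so the script does not depend on the system
    # openssl.cnf that the post's commands use implicitly.
    cat > "$work/req.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF

    # Root key and self-signed root certificate. -days is explicit: the
    # post's `openssl req -new -x509` without it gets OpenSSL's 30-day default.
    openssl genrsa -out "$work/ca/private/cakey.pem" 2048 2>/dev/null
    openssl req -new -x509 -days 3650 -config "$work/req.cnf" \
        -key "$work/ca/private/cakey.pem" \
        -subj "/C=CN/O=Example Private CA/CN=Example Private Root CA" \
        -out "$work/ca/cacert.pem"

    # Server key and CSR; the CN is the registry host name as in the post.
    openssl genrsa -out "$work/ssl/nginx.key" 2048 2>/dev/null
    openssl req -new -config "$work/req.cnf" -key "$work/ssl/nginx.key" \
        -subj "/C=CN/O=Example/CN=$host" -out "$work/ssl/nginx.csr"

    # Extensions for the server certificate. The SAN is what Docker's Go TLS
    # stack matches against (it no longer falls back to the CN); serverAuth
    # and CA:FALSE restrict what the certificate can be used for.
    printf 'subjectAltName = DNS:%s\nextendedKeyUsage = serverAuth\nbasicConstraints = CA:FALSE\n' \
        "$host" > "$work/ssl/nginx.ext"

    # Sign the CSR with the CA. `openssl x509 -req -CA` replaces the post's
    # `openssl ca`, so no index.txt/serial database has to be prepared.
    openssl x509 -req -days 825 -in "$work/ssl/nginx.csr" \
        -CA "$work/ca/cacert.pem" -CAkey "$work/ca/private/cakey.pem" \
        -CAcreateserial -extfile "$work/ssl/nginx.ext" \
        -out "$work/ssl/nginx.crt" 2>/dev/null
}

# verify_registry_cert CAFILE CERTFILE HOSTNAME
# Prints "ok" and returns 0 only if CERTFILE chains to CAFILE and is valid for
# HOSTNAME. This is the check the daemon makes with certs.d/<host>/ca.crt,
# and the one `curl -k` in the post's test skips.
verify_registry_cert() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 \
        || { echo "chain: FAIL"; return 1; }
    openssl x509 -in "$2" -noout -checkhost "$3" 2>/dev/null \
        | grep -q 'does match' \
        || { echo "hostname: FAIL"; return 1; }
    echo ok
}

# Usage (in a shell that has sourced this file):
#   make_registry_certs /tmp/regca docker.lisea.cn
#   verify_registry_cert /tmp/regca/ca/cacert.pem /tmp/regca/ssl/nginx.crt docker.lisea.cn
```

To use the output in the post's layout, copy ca/cacert.pem to /etc/docker/certs.d/docker.lisea.cn/ca.crt on each client and install ssl/nginx.crt and ssl/nginx.key at the ssl_certificate and ssl_certificate_key paths in nginx.conf. Running verify_registry_cert with the registry name a client actually uses catches the two failures that the post's curl -k test hides: a certificate issued by a different CA, and a certificate whose name does not match the host.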
* Configure the hosts file
# tail -1 /etc/hosts
192.168.60.150 docker.lisea.cn
* curl test
# curl -i -k https://docker.lisea.cn
HTTP/1.1 200 OK
Server: nginx/1.10.2
Date: Mon, Jun 2017 22:06:17 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 0
Connection: keep-alive
Cache-Control: no-cache
* Register an account (the e-mail address is not preserved in the original; <email> is a placeholder)
# docker login -u lisea -p 123456 -e '<email>' https://docker.lisea.cn
* Log in to the account
# docker login https://docker.lisea.cn
Username (lisea): lisea
Password:
Login Succeeded
11. Summary
Technology is driven by needs: no technology is better in itself, only better suited to a particular business.
This article is from the "Sea" blog; please keep this source: http://lisea.blog.51cto.com/5491873/1934731
Docker Registry security setup [HTTPS]