Docker -- Building a Registry with HTTPS Certificate Authentication

Source: Internet
Author: User
Tags: install openssl, nginx server, docker run, docker registry, docker machine

1. Background

Since Docker 1.3.x the Docker registry is expected to be served over HTTPS. With the plain-HTTP registry set up in the previous article, docker push and docker pull now fail with an error, so the registry needs special handling: put it behind a TLS front end and make every client trust the certificate it presents.


2. Advantages of a private registry:

One, it saves network bandwidth: an image only has to be fetched from the central registry once, after which everyone pulls it from the private registry;

Two, it hosts internal images: images meant for internal use are pushed to the local private registry and shared with the company's own staff.


3. Environment:

[root@docker ~]# cat /etc/redhat-release
CentOS Linux release 7.2.1511 (Core)
[root@docker ~]# uname -r
3.10.0-327.36.3.el7.x86_64
[root@docker ~]# hostname
docker.lisea.cn


4. Server IP Address

192.168.60.150


5. Build a CA for encrypted transmissions

* Install the OpenSSL related packages

[root@docker ~]# yum install pcre pcre-devel zlib-devel openssl openssl-devel -y


* Switch the working directory to the CA directory

[root@docker ~]# cd /etc/pki/CA

* Generate the root key

[genrsa] the RSA key-generation subcommand

[private/cakey.pem] where the generated key is written

[2048] the key length in bits

[root@docker CA]# openssl genrsa -out private/cakey.pem 2048

Every client that installs this CA will trust anything signed with this key, so keep private/cakey.pem at mode 0600, readable by root only, and on this host only.


* Generate the root certificate; the command prompts for the country code (two letters), province, city, organization, unit, a Common Name for the CA and an e-mail address. Without -days the certificate is valid for only 30 days; give it an explicit lifetime (for example -days 3650), otherwise every client starts failing once it expires.

[root@docker CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem


6. Generate the key for nginx (on the nginx server)

* Create the SSL directory

[root@docker CA]# mkdir /etc/pki/CA/ssl


* Switch the working directory to the SSL directory

[root@docker CA]# cd /etc/pki/CA/ssl/


* Create the nginx key

[genrsa] the RSA key-generation subcommand

[-out] the output file name

[2048] the key length in bits

[root@docker ssl]# openssl genrsa -out nginx.key 2048


* Generate the certificate signing request for nginx [press Enter at "A challenge password" and "An optional company name"]. The Common Name must be the registry host name, docker.lisea.cn. Note that Docker clients built with Go 1.15 or later ignore the Common Name and match the host only against a subjectAltName extension, so a certificate produced from this CSR is rejected by current clients unless a SAN for docker.lisea.cn is added when it is signed.

[root@docker ssl]# openssl req -new -key nginx.key -out nginx.csr


* The private CA issues a certificate for the request (here the CA and the Docker registry are the same server; otherwise the CSR is sent to the CA). openssl ca expects its database files index.txt and serial in the CA directory; serial must hold an even-length hexadecimal number, so the starting value is written as 01.

[Enter y twice at the prompts]

[root@docker ssl]# touch /etc/pki/CA/index.txt
[root@docker ssl]# touch /etc/pki/CA/serial
[root@docker ssl]# echo "01" > /etc/pki/CA/serial
[root@docker ssl]# openssl ca -in nginx.csr -out nginx.crt


7. Install and configure Nginx

* Install nginx

[root@docker ssl]# yum install nginx -y


* Modify the nginx.conf configuration (the original block with the case, the missing semicolon after server_name and the misspelled X-Forwarded-For header fixed; `ssl on;` is dropped because `listen 443 ssl` already enables TLS and the directive was removed in nginx 1.25.1)

    upstream registry {
        server 192.168.60.150:5000;
    }

    server {
        listen       443 ssl;
        server_name  docker.lisea.cn;

        # ssl conf
        ssl_certificate     /etc/pki/CA/ssl/nginx.crt;
        ssl_certificate_key /etc/pki/CA/ssl/nginx.key;
        ssl_session_cache   shared:SSL:1m;
        ssl_session_timeout 5m;
        ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_prefer_server_ciphers on;

        location / {
            proxy_pass http://registry;
            proxy_set_header Host            $host;
            proxy_set_header X-Forwarded-For $remote_addr;
        }
    }

Three things a practitioner should change before relying on this. TLSv1 and TLSv1.1 are deprecated (RFC 8996) and no supported Docker client needs them, so `ssl_protocols TLSv1.2;` (plus TLSv1.3 where nginx and OpenSSL support it) is the safer setting. The upstream address 192.168.60.150:5000 is the registry container as published in section 8, on a routable interface: anyone on that network can talk to port 5000 over plain HTTP and bypass this TLS front end entirely, so bind the container to 127.0.0.1 and point the upstream at 127.0.0.1:5000. And the block carries no auth_basic, so the registry accepts anonymous pushes and pulls from any client that trusts the CA.


* Start or restart nginx

[root@docker nginx]# systemctl restart nginx
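An added check, not from the article: a small shell audit that writes the server block above as a constructed weak.conf, writes a corrected fixed.conf beside it, and runs both through the same rules. The corrected version goes beyond the article (TLSv1.2/1.3 only, loopback upstream, X-Forwarded-Proto, client_max_body_size 0, and auth_basic with an assumed htpasswd file at /etc/nginx/registry.htpasswd); the rules are the settings a registry behind nginx needs in practice.

```shell
#!/bin/sh
# Audit an nginx registry front-end for the settings this page depends on.
# Added example, not from the article.  Assumptions: one directive per line;
# the htpasswd path in fixed.conf is made up for the example.

findings=0
_flag() { echo "  - $1"; findings=$((findings + 1)); }

# audit_nginx_registry_conf <file>: print one line per finding and return
# the number of findings (0 = clean).
audit_nginx_registry_conf() {
    conf="$1"; findings=0
    # TLSv1/TLSv1.1 are deprecated (RFC 8996); Docker clients speak TLSv1.2+.
    grep -Eq 'ssl_protocols[^;]*TLSv1(\.1)?[[:space:];]' "$conf" \
        && _flag "ssl_protocols enables TLSv1/TLSv1.1"
    # 'ssl on;' is redundant next to 'listen 443 ssl' and gone since nginx 1.25.1.
    grep -Eq '^[[:space:]]*ssl[[:space:]]+on[[:space:]]*;' "$conf" \
        && _flag "'ssl on;' is deprecated; 'listen 443 ssl' already enables TLS"
    # The article sends 'x-forward-for'; the real header is X-Forwarded-For,
    # so client addresses never reach the registry access log.
    grep -Eiq 'proxy_set_header[[:space:]]+x-forward-for' "$conf" \
        && _flag "header misspelled: X-Forwarded-For, not x-forward-for"
    # Without X-Forwarded-Proto the registry emits http:// upload URLs.
    grep -Eiq 'proxy_set_header[[:space:]]+X-Forwarded-Proto[[:space:]]+https' "$conf" \
        || _flag "missing 'proxy_set_header X-Forwarded-Proto https'"
    # nginx's default 1m body limit rejects image layers with HTTP 413.
    grep -Eq '^[[:space:]]*client_max_body_size[[:space:]]+0[[:space:]]*;' "$conf" \
        || _flag "missing 'client_max_body_size 0' (layer pushes fail with 413)"
    # No auth_basic: anyone who trusts the CA can push and pull.
    grep -Eq '^[[:space:]]*auth_basic[[:space:]]' "$conf" \
        || _flag "no auth_basic: registry accepts anonymous push/pull"
    # A routable upstream means port 5000 is also reachable in plaintext.
    grep -Eq '^[[:space:]]*server[[:space:]]+127\.0\.0\.1:5000' "$conf" \
        || _flag "upstream is not 127.0.0.1:5000: registry bypassable over plain HTTP"
    echo "  $findings finding(s)"
    return "$findings"
}

# write_sample_configs <dir>: constructed inputs, the article's block and a fixed one.
write_sample_configs() {
    cat > "$1/weak.conf" <<'EOF'
upstream registry {
    server 192.168.60.150:5000;
}
server {
    listen 443 ssl;
    server_name docker.lisea.cn;
    ssl on;
    ssl_certificate /etc/pki/CA/ssl/nginx.crt;
    ssl_certificate_key /etc/pki/CA/ssl/nginx.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    location / {
        proxy_pass http://registry;
        proxy_set_header Host $host;
        proxy_set_header x-forward-for $remote_addr;
    }
}
EOF
    cat > "$1/fixed.conf" <<'EOF'
upstream registry {
    server 127.0.0.1:5000;
}
server {
    listen 443 ssl;
    server_name docker.lisea.cn;
    ssl_certificate /etc/pki/CA/ssl/nginx.crt;
    ssl_certificate_key /etc/pki/CA/ssl/nginx.key;
    ssl_protocols TLSv1.2 TLSv1.3;
    client_max_body_size 0;
    location / {
        auth_basic "Docker registry";
        auth_basic_user_file /etc/nginx/registry.htpasswd;
        proxy_pass http://registry;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}
EOF
}

dir="${AUDIT_DIR:-$(mktemp -d)}"
write_sample_configs "$dir"
for f in weak fixed; do
    echo "$f.conf:"
    audit_nginx_registry_conf "$dir/$f.conf" || true
done
```

Point audit_nginx_registry_conf at the real /etc/nginx/conf.d file once it is written; the function's exit status is the number of findings, so it drops straight into a CI check or a pre-restart hook. The htpasswd file referenced by fixed.conf has to be created separately (for example with htpasswd -B) before nginx is restarted with that block.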


8. Install and configure Docker

* Install Docker

[root@docker ~]# yum install docker -y


* Configure Docker [/etc/sysconfig/docker]: the original article adds the following to DOCKER_OPTS

DOCKER_OPTS="--insecure-registry docker.lisea.cn --tlsverify --tlscacert /etc/pki/CA/cacert.pem"

Neither flag does what this setup needs, and the first one works against it. `--insecure-registry docker.lisea.cn` tells the daemon to accept plain HTTP, or an HTTPS certificate it cannot verify, from that host, which throws away the verification the CA was built for. `--tlsverify` and `--tlscacert` configure TLS for the daemon's own remote API (a `-H tcp://...` listener), not for registry connections, so they have no effect on push or pull. Leave DOCKER_OPTS alone; registry trust comes from placing the CA certificate at /etc/docker/certs.d/docker.lisea.cn/ca.crt, exactly as the client does in section 10 (the server needs the same file if it pushes to or pulls from its own registry by name).


* Configure hosts

[root@docker ~]# tail -1 /etc/hosts
192.168.60.150 docker.lisea.cn


* Start Docker

[root@docker ~]# systemctl start docker


* Pull the registry image, here from the daocloud.io/registry mirror of the registry image

[root@docker ~]# docker pull daocloud.io/registry

The registry image is the most trusted component of this setup, so pull it from a mirror you trust or from the official registry repository, and record the digest that was pulled so the running registry can later be matched against a known image.


* Create the local image storage directory

[root@docker ~]# mkdir /data/local_docker_registry -p


* Run the container:

Name the container local_docker_registry

Mount the registry's image store, /var/lib/registry inside the container, on the local /data/local_docker_registry directory

Publish port 5000

--restart=always starts it whenever Docker starts

[root@docker ~]# docker run --name local_docker_registry --restart=always -d -v /data/local_docker_registry:/var/lib/registry -p 5000:5000 daocloud.io/registry

`-p 5000:5000` publishes the registry on every interface, so it stays reachable over plain HTTP at 192.168.60.150:5000 without going through nginx. Unless port 5000 is firewalled, use `-p 127.0.0.1:5000:5000` instead and point the nginx upstream at 127.0.0.1:5000, so that TLS (and any authentication added in nginx) cannot be bypassed.


9. Test whether the warehouse is available

* curl test

[root@docker ~]# curl -i -k https://docker.lisea.cn
HTTP/1.1 200 OK
Server: nginx/1.10.2
Date: Mon, June 2017 21:58:57 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 0
Connection: keep-alive
Cache-Control: no-cache

`-k` disables certificate verification, so this only shows that nginx answers on 443 and proxies to the registry. To test what Docker will actually check, verify against the CA instead: `curl -i --cacert /etc/pki/CA/cacert.pem https://docker.lisea.cn/v2/` must return 200 (or 401 once authentication is configured) with no certificate error; /v2/ is the endpoint the Docker client probes first.


10. Client operation [Docker machine]

* Copy the CA certificate from the registry server and rename it

[root@client ~]# scp root@192.168.60.150:/etc/pki/CA/cacert.pem /etc/pki/tls/certs/ca-certificates.crt

Two cautions. The file must arrive over a channel you trust (scp to a host whose SSH key you have checked is fine): whoever can substitute this file can impersonate the registry to this client. And the destination is only a staging location: Docker does not consult the system trust store for registries, so do not confuse this file with, or overwrite, the system bundle (/etc/pki/tls/certs/ca-bundle.crt on CentOS, /etc/ssl/certs/ca-certificates.crt on Debian-derived systems).


* Create the registry certificate directory (the name must be the registry host exactly as it appears in image references, host[:port])

[root@client ~]# mkdir -p /etc/docker/certs.d/docker.lisea.cn


* Copy the certificate into the registry certificate directory under the name ca.crt

[root@client ~]# cp /etc/pki/tls/certs/ca-certificates.crt /etc/docker/certs.d/docker.lisea.cn/ca.crt
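The CA build from section 5, the nginx certificate from section 6 and the certs.d copy from section 10 as one runnable script. This is an added example, not the article's commands. It assumes openssl is on PATH, uses a ROOT directory (a temp dir by default) in place of / so nothing under the real /etc is touched, and keeps the article's host name and IP. It goes beyond the article in three ways: the CA key is 4096 bits, the server certificate carries a subjectAltName (which current Docker clients require), and signing uses openssl x509 -req with an explicit extension file instead of openssl ca, so no index.txt/serial bookkeeping is needed. The final check is the one curl -k skips.

```shell
#!/bin/sh
# Private CA (section 5), CA-signed nginx certificate (section 6) and the
# client-side trust file (section 10) in one script.  Added example, not the
# article's commands.  Assumptions: openssl on PATH; ROOT (default: a temp
# dir) stands in for "/"; registry name and IP are the article's.
REGISTRY_HOST="${REGISTRY_HOST:-docker.lisea.cn}"
REGISTRY_IP="${REGISTRY_IP:-192.168.60.150}"

# build_ca <cadir>: create <cadir>/private/cakey.pem and <cadir>/cacert.pem.
build_ca() {
    cadir="$1"
    mkdir -p "$cadir/private" && chmod 700 "$cadir/private"
    openssl genrsa -out "$cadir/private/cakey.pem" 4096 2>/dev/null
    chmod 600 "$cadir/private/cakey.pem"   # every client trusts whatever this key signs
    # Explicit CA extensions instead of whatever the system openssl.cnf provides.
    cat > "$cadir/ca_ext.cnf" <<'EOF'
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -new -key "$cadir/private/cakey.pem" \
        -subj "/C=CN/O=lisea/CN=lisea private root CA" -out "$cadir/ca.csr"
    openssl x509 -req -in "$cadir/ca.csr" -signkey "$cadir/private/cakey.pem" \
        -sha256 -days 3650 -extfile "$cadir/ca_ext.cnf" -out "$cadir/cacert.pem" 2>/dev/null
}

# issue_server_cert <cadir> <ssldir>: nginx.key, nginx.csr and CA-signed nginx.crt.
issue_server_cert() {
    cadir="$1"; ssldir="$2"
    mkdir -p "$ssldir"
    openssl genrsa -out "$ssldir/nginx.key" 2048 2>/dev/null
    chmod 600 "$ssldir/nginx.key"
    openssl req -new -key "$ssldir/nginx.key" \
        -subj "/C=CN/O=lisea/CN=$REGISTRY_HOST" -out "$ssldir/nginx.csr"
    # Go's TLS stack (hence Docker built with Go >= 1.15) matches the host name
    # against subjectAltName only, so the SAN, not the CN, makes this valid.
    cat > "$ssldir/server_ext.cnf" <<EOF
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$REGISTRY_HOST, IP:$REGISTRY_IP
EOF
    openssl x509 -req -in "$ssldir/nginx.csr" -CA "$cadir/cacert.pem" \
        -CAkey "$cadir/private/cakey.pem" -CAcreateserial -sha256 -days 825 \
        -extfile "$ssldir/server_ext.cnf" -out "$ssldir/nginx.crt" 2>/dev/null
}

# install_client_ca <cadir> <root>: Docker reads <root>/etc/docker/certs.d/<host>/ca.crt
# for registry <host>; the system trust bundle is left untouched.
install_client_ca() {
    dest="$2/etc/docker/certs.d/$REGISTRY_HOST"
    mkdir -p "$dest"
    cp "$1/cacert.pem" "$dest/ca.crt"
    chmod 644 "$dest/ca.crt"
}

# verify_server_cert <ca.crt> <nginx.crt>: the check a client performs and that
# "curl -k" skips: the chain validates and the SAN covers the registry host.
verify_server_cert() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 || return 1
    openssl x509 -in "$2" -noout -text | grep -q "DNS:$REGISTRY_HOST" || return 2
}

ROOT="${ROOT:-$(mktemp -d)}"
CADIR="$ROOT/etc/pki/CA"
build_ca "$CADIR"
issue_server_cert "$CADIR" "$CADIR/ssl"
install_client_ca "$CADIR" "$ROOT"
if verify_server_cert "$ROOT/etc/docker/certs.d/$REGISTRY_HOST/ca.crt" "$CADIR/ssl/nginx.crt"; then
    echo "nginx.crt verifies against ca.crt for $REGISTRY_HOST (files under $ROOT)"
else
    echo "verification FAILED" >&2
fi
```

Run it as is to inspect the files under the temporary root, or with ROOT=/ as root on the registry host to populate /etc/pki/CA and /etc/docker/certs.d in place. Only cacert.pem leaves the server: copy it to each client and run install_client_ca there (or place it by hand as in the step above). If clients also address the registry by another name or by IP, add matching DNS:/IP: entries to subjectAltName before signing; a name that is not in the SAN fails verification even when it is the Common Name.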

* Configure the hosts file

[root@client ~]# tail -1 /etc/hosts
192.168.60.150 docker.lisea.cn


* curl test

[root@client ~]# curl -i -k https://docker.lisea.cn
HTTP/1.1 200 OK
Server: nginx/1.10.2
Date: Mon, June 2017 22:06:17 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 0
Connection: keep-alive
Cache-Control: no-cache

As on the server, drop `-k` and pass `--cacert /etc/docker/certs.d/docker.lisea.cn/ca.crt` to confirm that the copied CA really validates the registry's certificate; that is the test that matters on the client.


* Register an account

[root@client ~]# docker login -u lisea -p 123456 -e '<e-mail>' https://docker.lisea.cn

A v2 registry has no account registration; this command is simply a login with the credentials given on the command line. Two caveats: `-e` was deprecated in Docker 1.11 and later removed, and `-p` puts the password into the shell history and the process list (newer clients accept `--password-stdin`).


* Log in

[root@client ~]# docker login https://docker.lisea.cn
Username (lisea): lisea
Password:
Login Succeeded

"Login Succeeded" here does not mean the credentials were checked. The nginx block in section 7 configures no authentication, so the registry answers the client's probe of /v2/ with 200 and no WWW-Authenticate challenge, and the client reports success for any username and password. Until auth_basic (or a token service) is configured in front of the registry, everyone who trusts the CA can push and pull.


11. Summary



Technology should be driven by demand: no technology is better in itself, only better or worse suited to a given business.




This article is from the "Sea" blog; please keep this source when reproducing it: http://lisea.blog.51cto.com/5491873/1934731

