Thinking66 released March 1
When developing locally, it is very convenient to run a Docker registry server on the intranet so that release images can be shared: private images can be kept directly on the intranet server, avoiding unnecessary downloads over the Internet.
This tutorial uses two virtual machines, one to host the private registry and one as the work machine.
# Docker registry deployment VM
docker-machine create -d virtualbox registry
# Docker work machine
docker-machine create -d virtualbox default
Step 1: Installing and configuring the registry
mkdir ~/docker-registry && cd $_
mkdir data
mate docker-compose.yml
registry:
  image: registry
  ports:
    - 127.0.0.1:5000:5000
  environment:
    REGISTRY_STORAGE_FILESYSTEM_ROOTDIRECTORY: /data
  volumes:
    - ./data:/data
Run:
docker-compose up
Step 2: Configuring the Nginx container
mkdir ~/docker-registry/nginx
mate docker-compose.yml
nginx:
  image: "nginx"
  ports:
    - 443:443
  links:
    - registry:registry
  volumes:
    - ./nginx/:/etc/nginx/conf.d:ro
registry:
  image: registry
  ports:
    - 5000:5000
  environment:
    REGISTRY_STORAGE_FILESYSTEM_ROOTDIRECTORY: /data
  volumes:
    - ./data:/data
mate ~/docker-registry/nginx/registry.conf
upstream docker-registry {
  server registry:5000;
}

server {
  listen 443;
  server_name registry.51yixiao.com;

  # SSL
  # ssl on;
  # ssl_certificate /etc/nginx/conf.d/domain.crt;
  # ssl_certificate_key /etc/nginx/conf.d/domain.key;

  # disable any limits to avoid HTTP 413 for large image uploads
  client_max_body_size 0;

  # required to avoid HTTP 411: see Issue #1486 (https://github.com/docker/docker/issues/1486)
  chunked_transfer_encoding on;

  location /v2/ {
    # do not allow connections from docker 1.5 and earlier
    # docker pre-1.6.0 did not properly set the user agent on ping, catch "Go *" user agents
    if ($http_user_agent ~ "^(docker\/1\.(3|4|5(?!\.[0-9]-dev))|Go ).*$" ) {
      return 404;
    }

    # to add basic authentication
    # auth_basic "registry.localhost";
    # auth_basic_user_file /etc/nginx/conf.d/registry.password;
    # add_header 'Docker-Distribution-Api-Version' 'registry/2.0' always;

    proxy_pass                          http://docker-registry;
    proxy_set_header  Host              $http_host;   # required for docker client's sake
    proxy_set_header  X-Real-IP         $remote_addr; # pass on real client's IP
    proxy_set_header  X-Forwarded-For   $proxy_add_x_forwarded_for;
    proxy_set_header  X-Forwarded-Proto $scheme;
    proxy_read_timeout                  900;
  }
}
Run:
docker-compose up
# test
curl http://www.registry.com:443
curl http://www.registry.com:5000
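In the Step 2 compose file the registry's port is published as 5000:5000, i.e. on every interface of the VM, whereas Step 1 bound it to 127.0.0.1:5000:5000. With the wider binding a client on the network can reach the registry on port 5000 directly and bypass nginx and the basic authentication added in Step 3, so the binding is worth checking before the stack goes up. The following shell check is an added example, not part of the original post; it assumes the v1-style compose layout used on this page (services as top-level keys) and constructs both sample files inline.

```shell
#!/bin/sh
# Added example, not part of the original post: check that the "registry"
# service in a v1-style docker-compose.yml publishes its port only on
# 127.0.0.1, so the only network path to the registry runs through nginx
# and its auth_basic. Returns 0 when every port binding of the registry
# service is on loopback, 1 when any binding is exposed on all interfaces.
check_registry_port_binding() {
  awk '
    # a non-indented key starts a new top-level service (v1 compose layout)
    /^[^ \t#]/ { service = $1; sub(/:$/, "", service); next }
    # a list item that looks like a port mapping inside the registry service
    service == "registry" && /^[ \t]*-[ \t]*"?[0-9][0-9.:]*"?[ \t]*$/ {
      mapping = $0
      gsub(/[-" \t]/, "", mapping)
      if (mapping !~ /^127\.0\.0\.1:/) exposed++
    }
    END { if (exposed + 0 > 0) exit 1; exit 0 }
  ' "$1"
}

# Constructed sample inputs: the Step 1 layout (loopback only) and the
# Step 2 layout (published on every interface).
sample_compose_loopback() {
  cat <<'EOF'
registry:
  image: registry
  ports:
    - 127.0.0.1:5000:5000
  volumes:
    - ./data:/data
EOF
}

sample_compose_exposed() {
  cat <<'EOF'
nginx:
  image: "nginx"
  ports:
    - 443:443
  links:
    - registry:registry
registry:
  image: registry
  ports:
    - 5000:5000
  volumes:
    - ./data:/data
EOF
}
```

Run it as `check_registry_port_binding docker-compose.yml`; a non-zero exit means the registry is reachable without going through the nginx front end. The nginx container still reaches the registry through the compose link, which does not depend on the published port.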
Step 3: Setting up HTTP basic authentication
cd ~/docker-registry/nginx
htpasswd -c registry.password USERNAME
# Replace USERNAME with the user name you want to add, e.g. markthink. To add further users:
# htpasswd registry.password USERNAME
mate ~/docker-registry/nginx/registry.conf
# to add basic authentication
auth_basic "registry.localhost";
auth_basic_user_file /etc/nginx/conf.d/registry.password;
add_header 'Docker-Distribution-Api-Version' 'registry/2.0' always;
Run:
cd ~/docker-registry
docker-compose up
curl http://www.registry.com:443/
<html>
<head><title>401 Authorization Required</title></head>
<body bgcolor="white">
<center><h1>401 Authorization Required</h1></center>
<hr><center>nginx/1.9.11</center>
</body>
</html>
Authenticated access with the HTTP user name and password configured above (PASSWORD stands for the password set with htpasswd):
curl http://markthink:PASSWORD@www.registry.com:443/
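The htpasswd file from Step 3 can also be produced and checked with openssl alone, which helps on hosts without the apache2-utils package. The following is an added example, not code from the original post: it writes an nginx-compatible $apr1$ entry, keeps the file readable only by its owner (the hashes can be attacked offline by anyone who can read the file), and verifies a password against the stored entry the way nginx's auth_basic does. The user and password values are constructed; openssl is assumed to be installed.

```shell
#!/bin/sh
# Added example, not part of the original post: build an nginx-compatible
# htpasswd entry with openssl only, and verify a password against it.
# Assumed: openssl is installed. User/password values are constructed.

# Print "USER:$apr1$salt$hash" for the given user and password.
# nginx's auth_basic understands the Apache MD5 ($apr1$) format.
make_htpasswd_entry() {
  user=$1
  password=$2
  hash=$(openssl passwd -apr1 "$password")
  printf '%s:%s\n' "$user" "$hash"
}

# Create the password file readable only by its owner.
create_password_file() {
  file=$1
  user=$2
  password=$3
  ( umask 077; make_htpasswd_entry "$user" "$password" > "$file" )
  chmod 600 "$file"
}

# Check a password against an htpasswd file. Returns 0 when the user
# exists and the password matches, 1 otherwise.
check_htpasswd() {
  file=$1
  user=$2
  password=$3
  stored=$(grep "^$user:" "$file" | head -n 1 | cut -d: -f2-)
  [ -n "$stored" ] || return 1
  # stored form is $apr1$<salt>$<hash>: recompute with the same salt and compare
  salt=$(printf '%s' "$stored" | cut -d'$' -f3)
  recomputed=$(openssl passwd -apr1 -salt "$salt" "$password")
  [ "$recomputed" = "$stored" ]
}
```

The file produced by `create_password_file registry.password markthink 'secret'` is a drop-in replacement for the one htpasswd writes, and can be mounted into the nginx container exactly as in Step 2.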
Step 4: Setting up SSL
HTTP basic authentication on its own is not secure, because the credentials travel over an unencrypted connection. The SSL configuration is enabled below.
mate ~/docker-registry/nginx/registry.conf
# SSL
ssl on;
ssl_certificate /etc/nginx/conf.d/domain.crt;
ssl_certificate_key /etc/nginx/conf.d/domain.key;
Buy a certificate for your domain, or request a free SSL certificate.
Step 5: Request a free certificate
https://buy.wosign.com/free/#myorder
https://buy.wosign.com/FreeSSL.html
Update the Nginx configuration file with the certificate you obtained.
Step 6: Configuring domain names
mate /etc/hosts
# on the host machine, add:
192.168.99.100 registry.51yixiao.com
Step 7: Test
# on the work machine (default)
# reassign the IP
docker-machine regenerate-certs default
docker-machine ssh default
sudo -i
vi /etc/hosts
192.168.99.100 registry.51yixiao.com
docker login https://registry.51yixiao.com
# enter the user name and password configured earlier; the login succeeds
Step 8: Pushing an image to the server from the work machine
eval $(docker-machine env default)
docker images
# tag the local image
docker pull busybox
docker tag busybox registry.51yixiao.com/busybox
# log in to the server
docker login https://registry.51yixiao.com
# push the image to the server
docker push registry.51yixiao.com/busybox
# PASSWORD stands for the password set with htpasswd
curl https://markthink:PASSWORD@registry.51yixiao.com/v2/
# direct access from a browser
https://markthink:PASSWORD@registry.51yixiao.com/v2/
# log out of the server
docker logout https://registry.51yixiao.com
# view the images that exist in the registry
https://markthink:PASSWORD@registry.51yixiao.com/v2/_catalog
Step 9: Pulling an image from the registry server to the work machine
# on the work machine (default)
docker-machine regenerate-certs default
docker-machine ssh default
sudo -i
vi /etc/hosts
# add the IP address
192.168.99.100 registry.51yixiao.com
# log in to the server
docker login https://registry.51yixiao.com
# pull the image
docker pull registry.51yixiao.com/busybox
# rename the image
docker tag registry.51yixiao.com/busybox busybox
Making your own certificate
Since Docker currently does not allow self-signed SSL certificates, this step is more involved than usual: we must set up our own CA and sign our certificate with it.
1. Generate the root key
cd ~/docker-registry/nginx
# generate a new root key
openssl genrsa -out devdockerCA.key 2048
2. Generate the root certificate. For Common Name, enter the domain name of the certificate issuer, e.g. www.trjcn.com
openssl req -x509 -new -nodes -key devdockerCA.key -days 10000 -out devdockerCA.crt
3. Generate an SSL key for Nginx
# generate the SSL key for the nginx domain
openssl genrsa -out domain.key 2048
Here the CA and the server requesting the certificate are the same machine; otherwise this key should be generated on the server that will use the certificate.
4. Generate a certificate signing request for Nginx
# generate the request for the ssl_certificate_key certificate
openssl req -new -key domain.key -out dev-docker-registry.com.csr
Note that Common Name must be the server IP or domain name for which we are issuing the certificate.
5. Have the private CA issue a certificate for the request
# sign the certificate request
openssl x509 -req -in dev-docker-registry.com.csr -CA devdockerCA.crt -CAkey devdockerCA.key -CAcreateserial -out domain.crt -days 10000
This step uses the root key and root certificate generated in the first two steps. The SSL certificate is now complete, but since it is not validated by a recognised certificate authority it has to be registered on the Docker registry machine. The deployment below is based on CentOS.
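The five openssl steps above, as one script with a check at the end. This is an added example, not the original post's commands: it differs from them in two ways that a current Docker client needs, namely the CA certificate carries basicConstraints CA:TRUE and the server certificate carries a subjectAltName for the registry host (Go's TLS stack, which the Docker client uses, ignores the Common Name and requires the SAN). It then verifies that domain.crt chains to devdockerCA.crt before the files are handed to nginx. openssl is assumed to be installed; the output directory and host name are whatever the caller passes.

```shell
#!/bin/sh
# Added example, not part of the original post: private CA, server
# certificate with SAN, and chain verification, using openssl only.
# Assumed: openssl is installed.

# Arguments: output directory, registry host name. Writes devdockerCA.key,
# devdockerCA.crt, domain.key, domain.crt into the directory.
make_registry_cert() {
  dir=$1
  host=$2
  mkdir -p "$dir"
  # Steps 1-2: root key and self-signed root certificate. The CA extensions
  # come from a private config so the system openssl.cnf is not involved.
  printf '[req]\nprompt = no\ndistinguished_name = dn\nx509_extensions = v3_ca\n[dn]\nCN = dev docker CA\n[v3_ca]\nbasicConstraints = critical,CA:TRUE\nkeyUsage = critical,keyCertSign,cRLSign\nsubjectKeyIdentifier = hash\n' > "$dir/ca.cnf"
  openssl genrsa -out "$dir/devdockerCA.key" 2048 2>/dev/null
  openssl req -x509 -new -nodes -key "$dir/devdockerCA.key" -days 3650 \
    -config "$dir/ca.cnf" -out "$dir/devdockerCA.crt"
  # Steps 3-4: server key and signing request; CN is the registry host name
  printf '[req]\nprompt = no\ndistinguished_name = dn\n[dn]\nCN = %s\n' "$host" > "$dir/server.cnf"
  openssl genrsa -out "$dir/domain.key" 2048 2>/dev/null
  openssl req -new -key "$dir/domain.key" -config "$dir/server.cnf" \
    -out "$dir/dev-docker-registry.com.csr"
  # Step 5: sign the request with the CA, adding the SAN and serverAuth
  # extensions that signing a bare CSR would otherwise leave out
  printf 'basicConstraints = CA:FALSE\nextendedKeyUsage = serverAuth\nsubjectAltName = DNS:%s\n' "$host" > "$dir/server.ext"
  openssl x509 -req -in "$dir/dev-docker-registry.com.csr" \
    -CA "$dir/devdockerCA.crt" -CAkey "$dir/devdockerCA.key" -CAcreateserial \
    -days 3650 -extfile "$dir/server.ext" -out "$dir/domain.crt" 2>/dev/null
  # private keys must not be readable by other users
  chmod 600 "$dir/devdockerCA.key" "$dir/domain.key"
}

# Returns 0 when domain.crt chains to devdockerCA.crt and names the host.
verify_registry_cert() {
  dir=$1
  host=$2
  openssl verify -CAfile "$dir/devdockerCA.crt" "$dir/domain.crt" >/dev/null 2>&1 &&
    openssl x509 -in "$dir/domain.crt" -noout -text | grep -q "DNS:$host"
}
```

Usage: `make_registry_cert ~/docker-registry/nginx registry.51yixiao.com && verify_registry_cert ~/docker-registry/nginx registry.51yixiao.com`. Only devdockerCA.crt needs to be copied to the registry VM in the next step; devdockerCA.key stays on the machine that issues certificates.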
scp ./devdockerCA.crt registry:/home/docker/
docker-machine ssh registry
sudo -i
mkdir /usr/local/share/ca-certificates/docker-dev-cert
mv /home/docker/devdockerCA.crt /usr/local/share/ca-certificates/docker-dev-cert/
update-ca-certificates
Restart the Docker daemon
docker-machine restart registry
service docker restart