標籤:registry https docker hub
1. 背景
docker中要使用鏡像,一般會從本地、docker Hup公用倉庫和其它第三方公用倉庫中下載鏡像,一般出於安全和外網(牆)資源下載速率的原因考慮企業級上不會輕易使用。那麼有沒有一種辦法可以儲存自己的鏡像又有安全認證的倉庫呢? ----> 企業級環境中搭建自己的安全認證私人倉庫。
由於Docker1.3.X版本之後docker registry所採用https,前章節docker http部屬最後docker push/pull會報錯提示,需要做特殊處理。
2. 私人倉庫有優勢:
一、節省網路頻寬,針對於每個鏡像不用每個人都去中央倉庫上面去下載,只需要從私人倉庫中下載即可;
二、提供鏡像資源利用,針對於公司內部使用的鏡像,推送到本地的私人倉庫中,以供公司內部相關人員使用。
3. 環境:
[[email protected] ~]# cat /etc/redhat-release CentOS Linux release 7.2.1511 (Core) [[email protected] ~]# uname -r3.10.0-327.36.3.el7.x86_64[[email protected] ~]# hostnamedocker.lisea.cn
4. 伺服器Ip地址
192.168.60.150
5. 搭建CA,實現加密傳輸
* 安裝openssl相關包
[[email protected] ~]# yum install pcre pcre-devel zlib-devel openssl openssl-devel -y
* 切換工作路徑至CA目錄
[[email protected] ~]# cd /etc/pki/CA
* 產生根密鑰
[ genrsa ] 為演算法
[ private/cakey.pem ] 為密鑰的產生的位置
[ 2048 ] 為密鑰長度
[[email protected] CA]# openssl genrsa -out private/cakey.pem 2048
* 產生根憑證,執行命令後依次要輸入:國家代碼(兩個英文字母)、省份、城市、組織、單位、郵箱。
[[email protected] CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem
6. 為nginx產生密鑰(在nginx伺服器)
* 建立ssl目錄
[[email protected] CA]# mkdir /etc/pki/CA/ssl
* 切換工作路徑至SSL目錄
[[email protected] CA]# cd /etc/pki/CA/ssl/
* 建立nginx密鑰
[ genrsa ] 為演算法
[ -out ] 指定輸出檔案名
[ 2048 ] 為密鑰長度
[[email protected] ssl]# openssl genrsa -out nginx.key 2048
* 為nginx產生認證簽署請求[A challenge password與An optional company name 直接斷行符號處理]
[[email protected] ssl]# openssl req -new -key nginx.key -out nginx.csr
* 私人CA根據請求來簽發認證(在CA伺服器即docker倉程式庫伺服器,需要將請求發送給CA)
[ 出現提示時,輸入兩次y ]
[[email protected] ssl]# touch /etc/pki/CA/index.txt[[email protected] ssl]# touch /etc/pki/CA/serial[[email protected] ssl]# echo "00" > /etc/pki/CA/serial[[email protected] ssl]# openssl ca -in nginx.csr -out nginx.crt
7. 安裝並配置nginx
* 安裝 nginx
[[email protected] ssl]# yum install nginx -y
* 修改nginx.conf配置
upstream registry { server 192.168.60.150:5000; } server { listen 443 ssl; server_name docker.lisea.cn #ssl conf ssl on; ssl_certificate /etc/pki/CA/ssl/nginx.crt; ssl_certificate_key /etc/pki/CA/ssl/nginx.key; ssl_session_cache shared:SSL:1m; ssl_session_timeout 5m; ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_prefer_server_ciphers on; location / { proxy_pass http://registry; proxy_set_header Host $host; proxy_set_header X-Forward-FOr $remote_addr; } }
* 啟動或重啟nginx
[[email protected] nginx]# systemctl restart nginx
8. 安裝並配置docker
* 安裝docker
[[email protected] ~]# yum install docker -y
* 配置docker [ /etc/sysconfig/docker ] 新增內容至 DOCKER_OPTS
DOCKER_OPTS=" --insecure-registry docker.lisea.cn --tlsverify --tlscacert /etc/pki/CA/cacert.pem"
* 配置hosts
[[email protected] ~]# tail -1 /etc/hosts192.168.60.150 docker.lisea.cn
* 啟動docker
[[email protected] ~]# systemctl start docker
* 拉取 registry鏡像,例如在daocloud.io/registry這個私人鏡像倉庫
[[email protected] ~]# docker pull daocloud.io/registry
* 建立本地鏡像儲存目錄
[[email protected] ~]# mkdir /data/local_docker_registry -p
* 運行容器,
設定容器名稱為local_docker_registry
掛在鏡像內docker鏡像倉庫/var/lib/registry 至本地/data/local_docker_registry目錄
連接埠映射出5000連接埠
--restart=always讓其跟隨docker啟動時啟動
[[email protected] ~]# docker run --name local_docker_registry --restart=always -d -v /data/local_docker_registry:/var/lib/registry -p 5000:5000 daocloud.io/registry
9. 測試倉庫是否可用
* curl 測試
[[email protected] ~]# curl -i -k https://docker.lisea.cnHTTP/1.1 200 OKServer: nginx/1.10.2Date: Mon, 12 Jun 2017 21:58:57 GMTContent-Type: text/plain; charset=utf-8Content-Length: 0Connection: keep-aliveCache-Control: no-cache
10. 客戶機操作[ docker機 ]
* 拷貝ca認證並重新命名
[[email protected]~]# scp [email protected]:/etc/kpi/CA/cacert.pem /etc/pki/tls/certs/ca-certificates.crt
* 建立倉庫認證目錄
[[email protected] ~]# mkdir /etc/docker/certs.d/docker.lisea.cn
* 複製認證並重新命名至此倉庫認證目錄
[[email protected] ~]# cp /etc/pki/tls/certs/ca-certificates.crt /etc/docker/certs.d/docker.lisea.cn/ca.crt
* 配置hosts檔案
[[email protected]~]# tail -1 /etc/hosts192.168.60.150 docker.lisea.cn
* curl 測試
[[email protected] ~]# curl -i -k https://docker.lisea.cnHTTP/1.1 200 OKServer: nginx/1.10.2Date: Mon, 12 Jun 2017 22:06:17 GMTContent-Type: text/plain; charset=utf-8Content-Length: 0Connection: keep-aliveCache-Control: no-cache
* 註冊賬戶
[[email protected] ~]# docker login -u lisea -p 123456 -e ‘[email protected]‘ https://docker.lisea.cn
* 登陸賬戶
[[email protected] ~]# docker login https://docker.lisea.cnUsername (lisea): liseaPassword: Login Succeeded
11. 總結
以需求驅動技術,技術本身沒有優略之分,只有業務之分。
本文出自 “sea” 部落格,請務必保留此出處http://lisea.blog.51cto.com/5491873/1934731
Docker--------registry安全認證搭建 [ Https ]
Start building with 50+ products and up to 12 months usage for Elastic Compute Service
1 on 1 presale consultation
24/7 Technical Support 6 Free Tickets per Quarter Faster Response
Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.
A comprehensive suite of global cloud computing services to power your business
Payment Methods We Support
