搭建私服-docker registry

Docke官方提供了Docker Hub網站來作為一個公開的集中倉庫。然而，本地訪問Docker Hub速度往往很慢，並且很多時候我們需要一個本地的私有倉庫只供網內使用。
Docker倉庫實際上提供兩方面的功能，一個是鏡像管理，一個是認證。前者主要由docker-registry項目來實現，通過http服務來上傳下載；后者可以通過docker-index（閉源）項目或者利用現成認證方案（如nginx）實現http請求管理。

系統環境：CentOS 7.2
主機IP：192.168.116.148

1、安裝docker-registry

docker run -d -p 5000:5000 --restart=always --name registry -v /opt/registry:/var/lib/registry registry:2

2、上傳鏡像

查看系統已有的鏡像：

# docker images
REPOSITORY          TAG                 IMAGE ID            CREATED             SIZE
centos              latest              8140d0c64310        7 days ago          193MB
registry            2                   9d0c4eabab4d        8 days ago          33.2MB

使用docker tag將centos鏡像打個標記

# docker tag centos 192.168.116.148:5000/centos

使用docker push 上傳標記的鏡像

# docker push 192.168.116.148:5000/centos

沒有成功，這是因為從docker1.3.2版本開始，使用registry時，必須使用TLS保證其安全。

在/etc/docker/目錄下，創建daemon.json文件。在文件中寫入：

{ "insecure-registries":["192.168.116.148:5000"] }

然后重啟docker：

# systemctl restart docker

重新上傳：

接下來開始配置https

3、配置SSL證書及nginx反向代理docker registry

搭建私有CA，初始化CA環境，在/etc/pki/CA/下建立證書索引數據庫文件index.txt和序列號文件serial，並為證書序列號文件提供初始值。

# touch /etc/pki/CA/{index.txt,serial}
# echo 01 > /etc/pki/CA/serial

生成密鑰並保存到/etc/pki/CA/private/cakey.pem

# (umask 077;openssl genrsa -out  /etc/pki/CA/private/cakey.pem 2048)

生成根證書

# openssl req -new -x509 -key  /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/cacert.pem -days 3650

需要填寫的信息：

Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:China
Locality Name (eg, city) [Default City]:Beijing
Organization Name (eg, company) [Default Company Ltd]:wts
Organizational Unit Name (eg, section) []:sysops
Common Name (eg, your name or your server's hostname) []:hub.wts.com
Email Address []:admin@wts.com

使系統信任根證書

# cat /etc/pki/CA/cacert.pem >> /etc/pki/tls/certs/ca-bundle.crt

安裝nginx

安裝過程略，安裝路徑為/app/nginx，需要安裝openssl模塊。

 

簽發證書

創建ssl目錄用來存放密鑰文件和證書申請文件

# mkdir /app/nginx/conf/ssl

創建密鑰文件和證書申請文件

# (umask 077;openssl genrsa -out /app/nginx/conf/ssl/docker.key 2048)
# openssl req -new -key /app/nginx/conf/ssl/docker.key -out /app/nginx/conf/ssl/docker.csr

填寫的申請信息前四項要和私有CA的信息一致

Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:China
Locality Name (eg, city) [Default City]:Beijing
Organization Name (eg, company) [Default Company Ltd]:wts
Organizational Unit Name (eg, section) []:sysops
Common Name (eg, your name or your server's hostname) []:hub.wts.com
Email Address []:admin@wts.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:  #直接回車
An optional company name []:  #直接回車

簽署，證書

# openssl ca -in /app/nginx/conf/ssl/docker.csr -out /app/nginx/conf/ssl/docker.crt -days 3650
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: May 19 19:03:55 2017 GMT
            Not After : May 17 19:03:55 2027 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = Beijing
            organizationName          = wts
            organizationalUnitName    = sysops
            commonName                = hub.wts.com
            emailAddress              = admin@wts.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                69:F0:D7:BF:B2:CE:6D:53:AA:1A:CD:E8:73:47:A7:9F:30:EA:17:F7
            X509v3 Authority Key Identifier:
                keyid:AF:E5:48:44:A3:18:59:38:D5:17:07:1B:1D:6F:32:F4:EC:1E:E0:E2

Certificate is to be certified until May 17 19:03:55 2027 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

配置nginx反向代理docker registry

添加認證

# yum -y install httpd-tools
# htpasswd -cb /app/nginx/conf/docker-registry.htpasswd admin admin

nginx相關配置：

upstream docker-registry {
        server 127.0.0.1:5000;
    }

    server {
        listen       443;
        server_name  localhost;

        #charset koi8-r;

        #access_log  logs/host.access.log  main;
        ssl                   on;
        ssl_certificate       /app/nginx/conf/ssl/docker.crt;
        ssl_certificate_key   /app/nginx/conf/ssl/docker.key;
        client_max_body_size 0;
        chunked_transfer_encoding on;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        add_header 'Docker-Distribution-Api-Version' 'registry/2.0' always;

        location / {
           auth_basic   "Docker registry";
               auth_basic_user_file /app/nginx/conf/docker-registry.htpasswd;
               proxy_pass  http://docker-registry;
        }
        location /_ping{
               auth_basic off;
               proxy_pass  http://docker-registry;
               }
        location /v2/_ping{
               auth_basic off;
               proxy_pass  http://docker-registry;
        }
}

重啟nginx

# /app/nginx/sbin/nginx -s reload

 

如果沒有DNS解析內網域名，修改hosts文件

# cat >>/etc/hosts <<EOF
192.168.116.148 hub.wts.com
EOF

重啟docker

# systemctl daemon-reload
# systemctl restart docker

登錄

上傳鏡像

# docker pull nginx
# docker tag nginx 192.168.116.148:5000/nginx
# docker push 192.168.116.148:5000/nginx

查看

# curl --user admin:admin  https://hub.wts.com/v2/_catalog
{"repositories":["centos","nginx"]}

局域網內其他機器認證（192.168.116.147 系統版本：CentOS6.5）

修改hosts文件

# cat >>/etc/hosts <<EOF
192.168.116.148 hub.wts.com
EOF

把CA的密鑰發送到客戶機，並添加到ca-bundle.crt

# scp -p /etc/pki/tls/certs/ca-bundle.crt  root@192.168.116.147:/etc/pki/tls/certs/ca-bundle.crt
# scp -p /etc/pki/CA/cacert.pem root@192.168.116.147:/etc/pki/CA/cacert.pem
# cat /etc/pki/CA/cacert.pem >> /etc/pki/tls/certs/ca-bundle.crt

重啟docker

# /etc/init.d/docker restart

登錄

下載鏡像

至此，私服基本上可以使用了。