在公司中,会根据公司特有业务去制作镜像,这些镜像往往不希望暴露出去,在这种情况下,我们有必要搭建一个本地私有镜像仓库。
搭建仓库有两种方法
1、基于容器安装Registry镜像
2、本地安装
此文是基于容器安装仓库
环境准备:
| IP |
角色 |
系统 |
| 192.168.0.100 |
registry 镜像仓库 |
centos7.1 |
| 192.168.0.101 |
nginx-proxy 代理 |
centos7.1 |
1、下载并运行registry
1.1 配置环境
#由于国内去docker官网下载镜像速度很慢,可以使用阿里云加速,重启生效
#不知道怎么设置阿里云加速的可以在我之前博客查阅
[[email protected] test]#cat /etc/docker/daemon.json
{
"registry-mirrors": ["https://xxx.mirror.aliyuncs.com"]
}
[[email protected] test]#systemctl restart docker
1.2 下载镜像
[[email protected] test]#docker pull registry
1.3 运行镜像
#registry默认配置文件为/etc/docker/registry/config.yml
#registry默认存储位置为/var/lib/registry
#可以通过-v参数将其映射出来,自定义编辑配置文件,我这里没有进行任何修改,所以不做映射
[[email protected] test]#docker run -d -p 192.168.0.100:5000:5000 -v /data/registry/:/var/lib/registry --name=registry docker.io/registry:latest
2、配置nginx代理,使用ssl验证
2.1 使用之前做的nginx镜像(1.15版本)
#不知道怎么做的,可以自己手动按章nginx,或者看我之前写的博客
#安装httpd-tools
#使用nginx安全验证的功能,需要一个地方放置用户名和密码对。
#使用由httpd-tools提供的htpasswd工具生成用户名密码对
[[email protected] test]#docker pull registry.cn-hangzhou.aliyuncs.com/test/centos7-nginx
[[email protected] test]#docker run -d -p 80:80 --name=nginx-proxy registry.cn-hangzhou.aliyuncs.com/test/centos7-nginx /usr/sbin/init
[[email protected] test]#docker exec -ti nginx-proxy /bin/bash
#若想在容器内部使用systemctl来启动关闭服务,需要在run容器是加/usr/sbin/init,否则会报错:Failed to get D-Bus connection: Operation not permitted
2.2 编辑nginx配置文件
[root@3c43f960088b /]# cd /usr/local/nginx/conf/
[root@3c43f960088b conf]# vi nginx.conf
========================================================================================
#配置文件如下
#user nobody;
worker_processes 1;
#error_log logs/error.log;
#error_log logs/error.log notice;
#error_log logs/error.log info;
#pid logs/nginx.pid;
events {
worker_connections 1024;
}
http {
include mime.types;
default_type application/octet-stream;
#log_format main '$remote_addr - $remote_user [$time_local] "$request" '
# '$status $body_bytes_sent "$http_referer" '
# '"$http_user_agent" "$http_x_forwarded_for"';
#access_log logs/access.log main;
sendfile on;
#tcp_nopush on;
#keepalive_timeout 0;
keepalive_timeout 65;
#gzip on;
#upstream 定义registry服务地址以及端口
upstream my_docker_registry {
server 192.168.0.100:5000;
}
#代理服务器监听80/443端口
server {
listen 80;
listen 443 ssl;
server_name 192.168.0.101;
#开启ssl及定义ssl证书位置
#ssl on
ssl_certificate /registry/192.168.0.101.crt;
ssl_certificate_key /registry/192.168.0.101.key;
#请求转发的必要请求头信息
proxy_set_header Host $http_host; # required for Docker client sake
proxy_set_header X-Real-IP $remote_addr; # pass on real client IP
client_max_body_size 0; # disable any limits to avoid HTTP 413 for large image uploads
chunked_transfer_encoding on;
add_header 'Docker-Distribution-Api-Version' 'registry/2.0' always;
#添加用户验证
location / {
proxy_pass http://my_docker_registry;
proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;
# proxy_redirect off;
# proxy_buffering off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_read_timeout 900;
auth_basic "please input username/password ";
auth_basic_user_file /registry/passwd/docker-registry.htpasswd;
}
location /_ping {
auth_basic off;
proxy_pass http://my_docker_registry;
}
location /v2/_ping {
auth_basic off;
proxy_pass http://my_docker_registry;
}
}
}
========================================================================================
2.3 检查语法,启动nginx
[root@3c43f960088b conf]# ../sbin/nginx -t
nginx: [emerg] BIO_new_file("/registry/192.168.0.101.crt") failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/registry/192.168.0.101.crt','r') error:2006D080:BIO routines:BIO_new_file:no such file)
nginx: configuration file /usr/local/nginx/conf/nginx.conf test failed
#可以看到报错,原因是应为没有ssl证书文件
3、创建证书文件、用户密码存储文件
3.1 创建证书文件
[root@3c43f960088b conf]#mkdir -p /registry/passwd/
[root@3c43f960088b conf]#cd /registry
[root@3c43f960088b conf]#openssl req -newkey rsa:4096 -nodes -sha256 -keyout 192.168.0.101.key -x509 -days 365 -out 192.168.0.101.crt
=====================================================================
Generating a 4096 bit RSA private key
........................................................................++
..............................................++
writing new private key to '192.168.0.101.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:BJ
State or Province Name (full name) []:BJ
Locality Name (eg, city) [Default City]:BJ
Organization Name (eg, company) [Default Company Ltd]:test
Organizational Unit Name (eg, section) []:test
Common Name (eg, your name or your server's hostname) []:192.168.0.101
Email Address []:[email protected] #以上标记内容可以根据自己所需添加
=====================================================================
[root@3c43f960088b registry]# ls
192.168.0.101.crt 192.168.0.101.key passwd
3.2 创建用户test,并添加密码
[root@3c43f960088b registry]#htpasswd -c /registry/passwd/docker-registry.htpasswd test
3.3 验证并启动nginx服务
[root@3c43f960088b conf]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@3c43f960088b conf]# /usr/local/nginx/sbin/nginx
4、验证
4.1 在/etc/sysconfig/docker文件中最后一行添加参数,避免报错
[[email protected] test]#echo "INSECURE_REGISTRY='--insecure-registry 192.168.0.101'" >> /etc/sysconfig/docker
[[email protected] test]#systemctl restart docker
4.2
[[email protected] test]#docker login 192.168.0.101
Username (test): dasda
Password:
Error response from daemon: login attempt to http://192.168.0.101/v2/ failed with status: 401 Unauthorized
[[email protected] test]#docker login 192.168.0.101
Username (test): test
Password:
Login Succeeded
成功!!!