Teaching you how to build a private Docker Registry

Disclaimer: This article is an original post by the blogger and may not be reproduced without the blogger's permission. The author can be reached through the WeChat official account for technical exchange (ID: jishuhui_2015). https://blog.csdn.net/egworkspace/article/details/80518647


0. Preface

Build, Ship and Run any App, Anywhere

This article will not go into the concept of Docker itself. As a rising star in the virtualization market, Docker has been adopted by more and more enterprises, and more and more developers have decided to embrace it.

The "container" is at the heart of Docker's design: it lets a single physical machine (or virtual machine) run multiple applications at the same time, isolated from one another, with very little effort. All of this is of course thanks to the underlying Linux technology, although OS X and Windows are supported as well.

There are already plenty of Docker tutorials, but Docker has developed rapidly in recent years with fast version iteration, and there are incompatibilities between versions, so a blog post found on the Internet may not solve your particular problem.

Of course, for content such as installing the Docker environment and the basic commands there is no problem: reading through the official documentation is enough to master the basics. However, when I tried to build an SSL-based Docker Registry (the practice recommended by the official site) I ran into a lot of trouble, because most blog posts skip the SSL part and access the Registry over plain HTTP.

I am sharing the process here; after reading this article, building a Docker Registry will no longer be a problem.

> docker --version

Docker version 18.03.1-ce, build 9ee9f40

This is my Docker environment; Docker 1.6 or later is recommended.

In addition, readers will also need:

1. a host running CentOS 7 64-bit (physical machine or virtual machine);

2. a domain name. Otherwise you can edit the hosts file, but success is not guaranteed. The author registered a personal domain name on Alibaba Cloud, ¥105 for 5 years;

3. if you have a domain name, a free CA certificate. HTTPS access requires an SSL certificate, and free certificates can also be requested on Alibaba Cloud. Otherwise you can generate your own with OpenSSL, as many blog posts describe, but success is not guaranteed;

4. an nginx reverse proxy in front of the Registry, optional;

5. familiarity with Docker's basic concepts and common commands; higher-order topics such as Dockerfile, Compose, Swarm and Kubernetes are not required.

I. Starting from Docker images

Rather than elaborate on abstract concepts, I will give two examples to convey the feel of it:

1. the operating system ISO file we download from an official site contains, in addition to the base operating system, a number of built-in pre-installed programs;

2. when managing jar dependencies with Maven, to avoid pulling dependencies from the central repository every time, a Nexus is used as a proxy repository.

You can think of a Docker image as a bundle of a series of software (files); as long as it is placed on a suitable host, it works out of the box.

This article involves five commonly used commands related to Docker images:

a. Pull an image. Follow the command with the image repository name; to specify a version, append a tag.

> docker pull <repo>[:tag]

b. List all images. Basic information about each image can be obtained.

> docker images
REPOSITORY                   TAG             IMAGE ID          CREATED        SIZE
redis                       latest          bfcb1f6df2db      3 weeks ago     107MB
registry                      2             d1fd7d86a825      4 months ago    33.3MB
hyper/docker-registry-web   latest          0db5683824d8      19 months ago   599MB

c. Remove an image. It can be deleted by image ID or by repository name.

> docker rmi <IMAGE ID>/<repo>

d. Tag an image. This is analogous to tagging in Git: it is equivalent to releasing a usable version of the image.

> docker tag <repo> <new_repo>[:tag]

e. Push an image. Again borrowing from Git push, the packaged image is pushed to the remote repository (i.e. the Docker Registry).

> docker push <new_repo>[:tag]

The five commands above are only introduced briefly and are not the focus of this article. For more image commands, look them up yourself.

Before proceeding, the reader should first pull the registry image.

> docker pull registry:2
2: Pulling from library/registry
81033e7c1d6a: Pull complete 
b235084c2315: Pull complete 
c692f3a6894b: Pull complete 
ba2177f3a70e: Pull complete 
a8d793620947: Pull complete 
Digest: sha256:672d519d7fd7bbc7a448d17956ebeefe225d5eb27509d8dc5ce67ecb4a0bce54
Status: Downloaded newer image for registry:2

This process takes several minutes depending on network conditions; please be patient.

Note: when the author pulled the image, the tag was specified so that the v2 version of the registry is used. The reader need not care about the v1 registry, which has basically been phased out.

II. Preview

Readers eager to see what a running Docker Registry looks like can read this section.

Run the following command:

> docker run -d \
 -p 5000:5000 \
 -v /usr/local/registry:/var/lib/registry \
 --restart=always \
 --name registry \
 registry:2

This is a typical run command; barring accidents, the Registry starts on port 5000.

To verify, the reader can pull the busybox image (chosen because it is small) and experiment with it.

After pulling the latest busybox image, tag it so that it is ready to be released to the Registry.

> docker tag busybox localhost:5000/bosybox:v1.0

Finally pushed to the Registry.

> docker push localhost:5000/bosybox:v1.0

At this point the Registry holds the busybox:v1.0 image, and you no longer need to pull it from Docker Hub; the self-built Registry suffices.

> docker pull localhost:5000/bosybox:v1.0

To see which images the remote repository holds, run the following command:

> curl http://localhost:5000/v2/_catalog

From the command above we can draw an important conclusion:

Access to the Registry is done through a set of REST APIs.

So far we have built a "half-finished" Docker Registry. It is half-finished because the Registry only works properly on this machine; if you try to push an image from another host, it fails.

To make it accessible externally, you must use a CA-issued security certificate.

III. Upgrading the Registry with an SSL certificate

Before the operations in this section, the reader should confirm that the conditions listed at the beginning of the article are met.

I registered the domain name iwendao.vip and mapped a second-level domain, registry.iwendao.vip, specifically for accessing the Docker Registry, and then requested a CA certificate for this second-level domain.

As expected, the free certificate requested from Alibaba Cloud is issued by Symantec. After downloading it, the zip archive contains two files: xxxxxx.pem and xxxxxx.key.

Rename them to server.key and server.pem and upload them to the host with an FTP tool; assume they are stored in the directory /usr/local/certs.

> ll /usr/local/certs
-rw-r--r-- 1 root root 1678 May 28 13:42 server.key
-rw-r--r-- 1 root root 3662 May 28 13:42 server.pem

Because what is issued includes an intermediate certificate, you will find there is no .crt file; you can obtain one with the following command:

> cat server.pem > server.crt

This simply writes the contents of the pem file into a new file named server.crt; the content itself is unchanged.

At this point, the domain name and certificate are ready.

If you do want to use an nginx proxy, you need to modify the nginx.conf file; the following is the author's configuration:

# worker processes run as root here; a dedicated unprivileged nginx user is the usual choice
user  root root;
worker_processes  1;
events {
    worker_connections  1024;
}
http {
    include       mime.types;
    default_type  application/octet-stream;
    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
        '$status $body_bytes_sent "$http_referer" '
        '"$http_user_agent" "$http_x_forwarded_for"';
    access_log  logs/access.log  main;
    sendfile        on;
    keepalive_timeout 60;
    gzip  on;
    server {
        # TLS terminates here; "listen 443 ssl" replaces the older "ssl on" directive
        listen 443 ssl;
        server_name i-wendao;
        root html;
        index index.html index.htm;
        # the pem/key pair downloaded from the CA (stored in /usr/local/certs above)
        ssl_certificate   /usr/local/certs/server.pem;
        ssl_certificate_key  /usr/local/certs/server.key;
        ssl_session_timeout 5m;
        ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
        # TLSv1 and TLSv1.1 are kept only for old clients; drop them if all Docker clients are current
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_prefer_server_ciphers on;
        # forward every request (the whole /v2/ REST API) to the Registry
        location / {
            proxy_pass_header Server;
            proxy_set_header Host $http_host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Scheme $scheme;
            # must be https: the Registry container itself has TLS enabled (see below)
            proxy_pass https://registry;
        }
    }
    upstream registry {
        server 127.0.0.1:5000;
    }
}

In the nginx.conf configuration file, two places need attention:

1. enable SSL in nginx; only the previously downloaded pem and key files need to be configured. This is the official example given by Alibaba Cloud, and it has been tested to work;

2. because access to the Registry is done via the REST API, and over HTTPS, proxy_pass in the location block must be configured as https://registry. If it is configured as http://registry, access will fail once the Docker Registry has SSL enabled.

The host configuration is complete; next comes the configuration of the Docker container.

For deploying the Docker Registry server, the official documentation gives two methods:

first, when only a few parameters are needed, they can be specified directly in the docker run command;

second, a YAML configuration file can configure many parameters at once.

In this section the author uses the first method; the second can be found in the attachment at the end of the article.

> docker run -d \
  -p 5000:5000 \
  -v /usr/local/registry:/var/lib/registry \
  -v /usr/local/certs:/certs \
  -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/server.crt \
  -e REGISTRY_HTTP_TLS_KEY=/certs/server.key \
  --restart=always \
  --name registry \
  registry:2

Readers who have not installed nginx can run this command instead:

> docker run -d \
  -p 443:443 \
  -v /usr/local/registry:/var/lib/registry \
  -v /usr/local/certs:/certs \
  -e REGISTRY_HTTP_ADDR=0.0.0.0:443 \
  -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/server.crt \
  -e REGISTRY_HTTP_TLS_KEY=/certs/server.key \
  --restart=always \
  --name registry \
  registry:2

As you can see, when enabling SSL the Docker Registry server uses two certificate files: the crt and the key.

Next, let's experiment a bit.

> docker tag busybox registry.iwendao.vip/bosybox:v1.0

Then push it to the Registry.

> docker push registry.iwendao.vip/bosybox:v1.0

View which images the remote repository holds.

> curl https://registry.iwendao.vip/v2/_catalog

Repeating the above steps on another host still succeeds, which shows the setup has been completed successfully.

IV. Adding authentication

From building the Registry server above, we can clearly feel that Docker pays enough attention to security controls; in the context of HTTPS everywhere, this is simply the timely approach.

This section is advanced knowledge aimed at making the Docker Registry even more secure: adding a login verification mechanism.

Obviously, since it is a private repository, not everyone should be able to submit images; only those holding a login user name and password can do so.

Of course, the login verification mechanism relies on the HTTPS protocol; otherwise the user name and password would be transmitted in the clear.

Docker's authentication mechanism has many implementations: you can use a proxy (such as nginx) to intercept and verify requests right before the Registry, and there are more sophisticated token servers that guide users through authorized login, which are harder to implement.

This article uses the simplest one, htpasswd, to implement login verification. A fuller introduction to htpasswd is outside the scope of this article; readers can look it up themselves.

If this command-line tool is not installed on the host, run the following command:

> yum install httpd-tools

Because htpasswd is a tool that ships with Apache2, if Apache2 is installed this command should already be available.

Readers who do not want to install it can use the registry image directly, which has the htpasswd tool built in.

Assuming the password file is stored in the /usr/local/auth directory, run the following command:

> htpasswd -Bbn admin 123456 > /usr/local/auth/passwd

Using the htpasswd built into the registry image, the command is as follows:

> docker run --entrypoint htpasswd registry:2 -Bbn admin 123456 > /usr/local/auth/passwd

Both ways achieve the same goal: generating a user name and password in the file /usr/local/auth/passwd.

In the command, admin is the user name and 123456 is the password.

View the contents of the passwd file:

> cat /usr/local/auth/passwd
admin:$2y$05$/2H8DTcY.1JROHm0MnnK8.UulmbSclib63qTe8FGyWnnE9XWBz3cy

Although the command is the same, the result generated on a different host is not the same. Thus, the password file generated on host A cannot be used for authentication on host B.

The next step is to start the registry container:

> docker run -d \
  -p 5000:5000 \
  --restart=always \
  --name registry \
  -v /usr/local/auth:/auth \
  -e REGISTRY_AUTH=htpasswd \
  -e REGISTRY_AUTH_HTPASSWD_REALM=Registry_Realm \
  -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/passwd \
  -v /usr/local/certs:/certs \
  -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/server.crt \
  -e REGISTRY_HTTP_TLS_KEY=/certs/server.key \
  registry:2

After a successful start, if you try to view the remote repository's images directly, you will be told that authentication is required, as follows:

> curl https://registry.iwendao.vip/v2/_catalog
{
    "errors": [{
        "code": "UNAUTHORIZED",
        "message": "authentication required",
        "detail": [{
            "Type": "registry",
            "Class": "",
            "Name": "catalog",
            "Action": "*"
        }]
    }]
}

Pull and push operations are restricted as well. So before doing them, you need to log in.

> docker login https://registry.iwendao.vip

Since there is a login, of course there is also a logout.

> docker logout https://registry.iwendao.vip
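Before relying on the login above, it is worth confirming that the Registry really refuses anonymous access. Here is an added Python example (not part of the original post) that classifies the /v2/_catalog response: the 401 body shown above is embedded as a constructed sample, and probe_catalog is a hypothetical helper for running the same check against a live registry over HTTPS, with and without credentials.

```python
import base64
import json
import urllib.error
import urllib.request

# Constructed sample: the body the Registry returns for /v2/_catalog once htpasswd auth is on
SAMPLE_401 = ('{"errors":[{"code":"UNAUTHORIZED","message":"authentication required",'
              '"detail":[{"Type":"registry","Class":"","Name":"catalog","Action":"*"}]}]}')

def parse_registry_errors(body):
    """Extract (code, message) pairs from the Registry's JSON error envelope."""
    try:
        doc = json.loads(body)
    except ValueError:
        return []
    errs = doc.get("errors", []) if isinstance(doc, dict) else []
    return [(e.get("code", ""), e.get("message", "")) for e in errs if isinstance(e, dict)]

def classify(status, body, sent_credentials):
    """Map a /v2/_catalog response to: auth-required, authorized, open or other."""
    if status == 401 and any(c == "UNAUTHORIZED" for c, _ in parse_registry_errors(body)):
        return "auth-required"
    if status == 200:
        # 200 without credentials means anyone can list the repositories: the registry is open
        return "authorized" if sent_credentials else "open"
    return "other"

def basic_auth_header(user, password):
    """HTTP Basic credentials; they are only base64-encoded, which is why HTTPS is a must."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def probe_catalog(base_url, user=None, password=None, timeout=5):
    """GET <base_url>/v2/_catalog and classify it; returns (status, classification).
    Hypothetical helper: run it with and without credentials to confirm auth is enforced."""
    req = urllib.request.Request(base_url.rstrip("/") + "/v2/_catalog")
    if user is not None:
        req.add_header("Authorization", basic_auth_header(user, password))
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            status, body = resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:   # 401/403/404 raise here; read the JSON body anyway
        status, body = err.code, err.read().decode("utf-8", "replace")
    return status, classify(status, body, user is not None)

if __name__ == "__main__":
    # Offline demonstration on the constructed body (the page's own 401 response)
    print(classify(401, SAMPLE_401, False))                       # auth-required
    print(classify(200, '{"repositories":["bosybox"]}', False))   # open: fix before exposing it
```

A result of "open" for an unauthenticated probe means the htpasswd settings did not take effect and the catalog is readable by anyone.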

V. Web UI for the Registry

Once the Registry server is built, it is time to start managing our images. At this point you will find there is no visual image management tool to help users.

There are already many open-source web UI management tools:

1. Docker-Registry-frontend. As of now (May 2018), its main functions are viewing the image list and the tags; the image delete function is not yet available. Open source on GitHub, 1k+ stars.

2. Docker-Registry-Web. Compared with the docker-registry-frontend project, it provides image deletion as well as role-based access control; its functionality is further improved. Open source on GitHub, 300+ stars.

3. Rancher. Positioned as a platform similar to Kubernetes; image management is only a small part of it, and it is capable of managing the entire Docker container estate.

4. Shipyard. Unfortunately its author no longer has the energy to maintain it; from its stars on GitHub, it is easy to see its former glory.

The installation and deployment of the web UIs will not be repeated here; each has its own documentation. If there are no special requirements for image management, you can do without a web UI, or use one of the first two.

VI. Summary

This article details the process of building a private Docker Registry, summarizing material from various learning blogs and the official website, to help readers successfully build a private Docker Registry of their own.


Attachment:

1. YAML file for starting the registry server

Assume the configuration file is stored at: /usr/local/registry/config.yml

Edit its contents as follows:

version: 0.1
log:
  fields:
    service: registry
storage:
  cache:
    blobdescriptor: inmemory
  filesystem:
    rootdirectory: /var/lib/registry
    maxthreads: 100
  delete:
    enabled: true
http:
  addr: 0.0.0.0:5000
  host: https://registry.iwendao.vip
  secret: yoogurt-taxi-123!@#
  headers:
    X-Content-Type-Options: [nosniff]
  tls:
    certificate: /certs/214709594090104.crt
    key: /certs/214709594090104.key
health:
  storagedriver:
    enabled: true
    interval: 10s
    threshold: 3

For more configuration items, see Configuring a Registry in the official documentation.

Configuration items in the configuration file can be mapped to the environment variables passed earlier with the -e parameter; the rule is:

1. the variable name consists of uppercase letters;

2. it carries the fixed prefix REGISTRY;

3. each nesting level (the colon in the YAML configuration) becomes an underscore (_).

For example:

REGISTRY_HTTP_TLS_CERTIFICATE corresponds to the http: tls: certificate configuration item;

REGISTRY_AUTH_HTPASSWD_PATH corresponds to the auth: htpasswd: path configuration item.

Note that all paths involved in the configuration file are paths inside the container, which means that when starting the registry image you need to specify the -v argument to mount the corresponding directories.
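The mapping rule above, as an added Python example that is not from the original post: it flattens a constructed excerpt of the attachment's config.yml (with the certificate paths replaced by the server.crt/server.key names used earlier) into the corresponding -e flags, quoting values safely for the shell, and reports keys such as HTTP header names that cannot be expressed as environment variable names at all.

```python
import re
import shlex

# Constructed excerpt of the attachment's config.yml (same keys, shortened)
CONFIG_YML = """\
storage:
  filesystem:
    rootdirectory: /var/lib/registry
http:
  addr: 0.0.0.0:5000
  secret: yoogurt-taxi-123!@#
  headers:
    X-Content-Type-Options: [nosniff]
  tls:
    certificate: /certs/server.crt
    key: /certs/server.key
"""

def flatten_yaml(text):
    """Flatten config.yml's nested mappings into {path_tuple: scalar}; lists, anchors and
    multi-line scalars are out of scope because the registry config here uses none."""
    stack, leaves = [], {}            # stack: (indent, key) pairs down to the current node
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        key, _, value = raw.strip().partition(":")   # first ':' only, so 0.0.0.0:5000 survives
        while stack and stack[-1][0] >= indent:       # dedent: leave finished mappings
            stack.pop()
        if value.strip():
            leaves[tuple(k for _, k in stack) + (key,)] = value.strip()
        else:
            stack.append((indent, key))               # "key:" opens a nested mapping
    return leaves

def to_env_name(path):
    """The page's rule: REGISTRY_ prefix, upper case, one '_' per nesting level."""
    return "REGISTRY_" + "_".join(k.upper() for k in path)

def env_overrides(text):
    """Return ({ENV_NAME: value}, [dotted paths whose name is not a legal env var name])."""
    env, skipped = {}, []
    for path, value in flatten_yaml(text).items():
        name = to_env_name(path)
        if re.fullmatch(r"[A-Z_][A-Z0-9_]*", name):
            env[name] = value
        else:                 # e.g. header names contain '-', which the shell cannot export
            skipped.append(".".join(path))
    return env, skipped

def docker_run_flags(env):
    """Render -e flags, shell-quoted so a secret like yoogurt-taxi-123!@# is not mangled."""
    return " ".join("-e " + shlex.quote(f"{k}={v}") for k, v in sorted(env.items()))
```

Calling env_overrides(CONFIG_YML) yields the REGISTRY_HTTP_TLS_CERTIFICATE and REGISTRY_HTTP_TLS_KEY variables used in the docker run commands earlier, and lists http.headers.X-Content-Type-Options as a key that has to stay in the YAML file.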

After saving the configuration file, you can start the container:

> docker run -d -p 5000:5000 --restart=always --name registry \
             -v /usr/local/certs:/certs \
             -v /usr/local/registry/config.yml:/etc/docker/registry/config.yml \
             registry:2

2. Recommended books on Docker

  • "The First Docker Book (revised edition)", a well-deserved Docker primer. Complete beginners can focus on the first five chapters for the basics; mastering Docker's principles and usage, it can later serve as a reference book. Practice along with the recommended content while reading, get started, and build up an interest in Docker so as to keep learning.
  • "Docker Containers and Container Cloud (2nd Edition)", which contains more advanced material. The first part covers the basics and can be skimmed quickly. The book explains every aspect of the container cloud concept repeatedly and is very rewarding to absorb. Then there is content on container orchestration and deployment, which can be combined with practice to build a feel for it.
  • "Kubernetes: The Definitive Guide (2nd Edition)", a well-deserved Kubernetes primer. After reading the Kubernetes section of "Docker Containers and Container Cloud (2nd Edition)", reading this book will be easier.
