docker registry_v2
Setup and troubleshooting notes for docker registry v2: nginx plus a registry built from source, which differs from the usual docker-based setups found online and makes it easier to tune the registry later.
Setup steps
- Creating the CA certificate (openssl)
- Building and configuring nginx
- Compiling and configuring registry from source
- Verification and troubleshooting
Creating the CA certificate
1. First edit the parameters below in /etc/ssl/openssl.cnf. This has to be done before any certificate is generated; changes made afterwards have no effect on certificates that were already issued.
[ CA_default ]
dir = /etc/ssl/demoCA # Where everything is kept
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/index.txt # database index file.
#unique_subject = no # Set to 'no' to allow creation of
# several certificates with same subject.
new_certs_dir = $dir/newcerts # default place for new certs.
certificate = $dir/certs/cacert.pem # The CA certificate
serial = $dir/serial # The current serial number
crlnumber = $dir/crlnumber # the current crl number
# must be commented out to leave a V1 CRL
crl = $dir/crl.pem # The current CRL
private_key = $dir/private/cakey.pem # The private key
RANDFILE = $dir/private/.rand # private random number file
[ v3_req ]
# Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
# This one matters: without an IP SAN, docker later fails with "registry endpoint ... x509: cannot validate certificate for ... because it doesn't contain any IP SANs".
# Caveat: openssl ca only emits the extension section named by x509_extensions in [ CA_default ] (the stock config points that at usr_cert) or by -extensions on the command line, and it ignores extensions carried in the CSR unless copy_extensions is set. This section therefore has to be selected explicitly when signing (openssl ca -extensions v3_req ...) or the SAN will not end up in the certificate.
subjectAltName=IP:192.168.172.150
2. Creating the certificates
The openssl configuration files live under /etc/ssl (this is the Ubuntu path).
cd /etc/ssl
mkdir demoCA demoCA/certs demoCA/crl demoCA/newcerts demoCA/private
touch /etc/ssl/demoCA/index.txt
echo 01 > /etc/ssl/demoCA/serial
cd /etc/ssl/demoCA
openssl req -newkey rsa:4096 -nodes -sha256 -keyout cakey.pem -x509 -days 365 -out cacert.pem
mv cacert.pem certs/ && mv cakey.pem private/
Note: set the domain here to your own; in my case it is *.192.168.172.150.xip.io. The interactive prompt looks like this:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:beijing
Organization Name (eg, company) [Default Company Ltd]:self
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:*.192.168.172.150.xip.io
Email Address []:jackyuan@126.com
OK, at this point the root certificate is in place. The CA private key was written unencrypted (-nodes), so restrict it (chmod 600 private/cakey.pem): anyone holding it can issue certificates that every client of this registry trusts.
Building and configuring nginx
Option 1: install the distribution package
yum install nginx
Option 2: build from source
1. Pick a release, preferably a recent one: the always parameter of add_header (needed so the Docker-Distribution-Api-Version header is also sent on 401 responses) only exists from nginx 1.7.5 onwards.
cd ~
wget http://nginx.org/download/nginx-1.9.4.tar.gz
tar zxvf nginx-1.9.4.tar.gz
cd ./nginx-1.9.4 && \
./configure --user=www --group=www --prefix=/opt/nginx --with-http_stub_status_module --with-http_ssl_module --with-http_addition_module --with-http_realip_module --with-http_flv_module --with-openssl=/root/openssl-1.0.2h --with-zlib=/root/zlib-1.2.8 --with-pcre=/root/pcre-8.39
make && make install
--with-http_ssl_module is what provides TLS termination for the registry; the --with-openssl, --with-zlib and --with-pcre arguments point at unpacked source trees, which must exist before configure is run.
2. Generate the TLS certificate for nginx and have the CA sign it (the signed certificate is recorded in the CA's index.txt database)
mkdir -p /etc/nginx/ssl
cd /etc/nginx/ssl
openssl genrsa -out nginx.key 4096
# Fill in the DN the same way as for the CA above; with the stock policy_match, Country, State and Organization must equal the CA's, and the Common Name should be the same domain (the host name or wildcard clients connect to)
openssl req -new -key nginx.key -out nginx.csr
# -extensions v3_req selects the section edited above so the IP SAN is emitted; without it the stock config signs with the usr_cert section and the SAN is missing
openssl ca -extensions v3_req -in nginx.csr -out nginx.crt
If the CA settings were not configured beforehand, openssl ca fails with errors such as being unable to open demoCA/... files, so check them first.
3. Generate the htpasswd file; here both user name and password are admin
htpasswd -cb /opt/nginx/conf/.htpasswd admin admin
-c creates the file (and overwrites an existing one), and -b takes the password on the command line, where it is visible in shell history and in ps; drop -b to be prompted instead, and replace admin/admin with a real password before the registry is reachable by anyone else.
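The CA creation in step 1-2 above and the signing of the nginx certificate in step 2 of this section, as one added example (not code from the original page). It builds a throwaway CA with the same demoCA layout, issues the server certificate with the IP SAN, and then checks that the certificate chains to the CA and actually carries the SAN, signing the same CSR a second time with the stock usr_cert section to show that the SAN is lost when -extensions v3_req is omitted. Everything is written under a directory you pass in, so /etc/ssl/openssl.cnf stays untouched; the REGISTRY_IP variable, the CA name registry-lab-ca and the 2048-bit keys are assumptions made for the example.

```sh
#!/bin/sh
# Added example, not from the original page: throwaway CA in the demoCA layout,
# nginx server certificate with an IP SAN, and a check of the result.
set -eu

REGISTRY_IP="${REGISTRY_IP:-192.168.172.150}"   # assumption: the page's registry address

# Self-contained openssl.cnf written into WORKDIR ($1). [ CA_default ] and
# [ v3_req ] mirror the page's edits; usr_cert is the stock section without a SAN.
write_ca_config() {
    cat > "$1/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default

[ CA_default ]
dir             = $1/demoCA
certs           = \$dir/certs
new_certs_dir   = \$dir/newcerts
database        = \$dir/index.txt
serial          = \$dir/serial
certificate     = \$dir/certs/cacert.pem
private_key     = \$dir/private/cakey.pem
default_md      = sha256
default_days    = 365
policy          = policy_anything
x509_extensions = usr_cert
unique_subject  = no

[ policy_anything ]
countryName            = optional
stateOrProvinceName    = optional
localityName           = optional
organizationName       = optional
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional

[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca
prompt             = no

[ req_dn ]
CN = registry-lab-ca

[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage         = keyCertSign, cRLSign

[ usr_cert ]
basicConstraints = CA:FALSE

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage         = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName   = IP:$REGISTRY_IP
EOF
}

# sign_csr WORKDIR EXT_SECTION OUTFILE: sign nginx.csr with the named extension
# section; -notext keeps the output as plain PEM, which is what nginx wants.
sign_csr() {
    openssl ca -config "$1/openssl.cnf" -batch -notext -extensions "$2" \
        -in "$1/nginx.csr" -out "$3" 2>/dev/null
}

# make_registry_certs WORKDIR: demoCA tree, root CA, nginx key/CSR/certificate.
make_registry_certs() {
    w="$1"
    mkdir -p "$w/demoCA/certs" "$w/demoCA/crl" "$w/demoCA/newcerts" "$w/demoCA/private"
    : > "$w/demoCA/index.txt"
    echo 01 > "$w/demoCA/serial"
    write_ca_config "$w"
    # Root CA (the page's cacert.pem/cakey.pem); key unencrypted as on the page, so lock it down
    openssl req -config "$w/openssl.cnf" -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -keyout "$w/demoCA/private/cakey.pem" -out "$w/demoCA/certs/cacert.pem" 2>/dev/null
    chmod 600 "$w/demoCA/private/cakey.pem"
    # Server key and CSR; the CN is the address clients will use
    openssl genrsa -out "$w/nginx.key" 2048 2>/dev/null
    openssl req -config "$w/openssl.cnf" -new -key "$w/nginx.key" \
        -subj "/CN=$REGISTRY_IP" -out "$w/nginx.csr" 2>/dev/null
    # -extensions v3_req is what puts the IP SAN into the issued certificate
    sign_csr "$w" v3_req "$w/nginx.crt"
}

# cert_is_valid_for_ip WORKDIR CERT IP: 0 if CERT chains to the lab CA and
# carries "IP Address:IP" in its subjectAltName, non-zero otherwise.
cert_is_valid_for_ip() {
    openssl verify -CAfile "$1/demoCA/certs/cacert.pem" "$2" >/dev/null 2>&1 || return 1
    openssl x509 -in "$2" -noout -text 2>/dev/null | grep -q "IP Address:$3"
}

# Stand-alone run:  sh mkcerts.sh run
if [ "${1:-}" = "run" ]; then
    W=$(mktemp -d)
    make_registry_certs "$W"
    cert_is_valid_for_ip "$W" "$W/nginx.crt" "$REGISTRY_IP" && echo "OK: $W/nginx.crt has IP SAN $REGISTRY_IP"
fi
```

The resulting nginx.key and nginx.crt drop into /etc/nginx/ssl as in the steps above, and cacert.pem is what docker clients need under /etc/docker/certs.d/<registry>/ so they trust the chain; the usr_cert signing path is only there to make the missing-SAN failure reproducible.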
4. Edit the nginx configuration
user www www;
worker_processes auto;
error_log /var/log/nginx_error.log error;
#error_log logs/error.log notice;
#error_log logs/error.log info;
#pid logs/nginx.pid;
worker_rlimit_nofile 51200;
events {
use epoll;
worker_connections 51200;
multi_accept on;
}
http {
include mime.types;
default_type application/octet-stream;
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx_access.log main;
server_names_hash_bucket_size 128;
client_header_buffer_size 32k;
large_client_header_buffers 4 32k;
sendfile on;
tcp_nopush on;
tcp_nodelay on;
#keepalive_timeout 0;
keepalive_timeout 65;
#gzip on;
upstream registry {
<