Setting up a local Docker registry on Ubuntu 14.04 (trusty)

More content is available on my personal blog: http://www.justfbt.com/


Step One - Prerequisites

# apt-get update
# apt-get -y install build-essential python-dev libevent-dev python-pip liblzma-dev

Step Two — Install & Configure Docker Registry

# pip install docker-registry

By default the registry keeps its data under /tmp; create a new directory to hold our data instead:

# mkdir /var/docker-registry

Docker-registry needs a configuration file:

# cd /usr/local/lib/python2.7/dist-packages/docker_registry/lib/../../config/
# cp config_sample.yml config.yml

Now edit config.yml and find the line beginning with sqlalchemy_index_database::

## at line 22
sqlalchemy_index_database:
    _env:SQLALCHEMY_INDEX_DATABASE:sqlite:tmp/docker-registry.db

Change the db path to /var/docker-registry, as follows:

sqlalchemy_index_database:
    _env:SQLALCHEMY_INDEX_DATABASE:sqlite:var/docker-registry/docker-registry.db

Next, modify the "local:" section, as follows:

## at line 72
local: &local
    storage: local
    storage_path: _env:STORAGE_PATH:/tmp/registry

Change it to:

local: &local
    storage: local
    storage_path: _env:STORAGE_PATH:/var/docker-registry/registry

The other values in the sample configuration file can be left at their defaults. If you need more advanced features, such as a different storage backend for your Docker data, see the docker-registry documentation.

Test (note that this command binds the registry to 0.0.0.0:5000, i.e. all interfaces, with nothing in front of it; the service definition in Step Three binds to localhost only):

# gunicorn --access-logfile - --debug -k gevent -b 0.0.0.0:5000 -w 1 docker_registry.wsgi:application

Normally you should see output like the following:

2014-07-27 07:12:24 [29344] [INFO] Starting gunicorn 18.0
2014-07-27 07:12:24 [29344] [INFO] Listening at: http://0.0.0.0:5000 (29344)
2014-07-27 07:12:24 [29344] [INFO] Using worker: gevent
2014-07-27 07:12:24 [29349] [INFO] Booting worker with pid: 29349
2014-07-27 07:12:24,807 DEBUG: Will return docker-registry.drivers.file.Storage

Step Three - Run Docker Registry as a Service

Create a directory for the log files:

# mkdir -p /var/log/docker-registry

Create the boot-time startup script (an Upstart job) with the following contents:

# vim /etc/init/docker-registry.conf
description "Docker Registry"

start on runlevel [2345]
stop on runlevel [016]

respawn
respawn limit 10 5

script
exec gunicorn --access-logfile /var/log/docker-registry/access.log --error-logfile /var/log/docker-registry/server.log -k gevent --max-requests 100 --graceful-timeout 3600 -t 3600 -b localhost:5000 -w 8 docker_registry.wsgi:application
end script
# ln -s /etc/init/docker-registry.conf /etc/init.d/docker-registry

Test:

# service docker-registry status
docker-registry stop/waiting

# service docker-registry start
docker-registry start/running, process 16287

Step Four — Secure the Docker Registry with nginx

First, set up authentication so that not just anyone can log in to our server.

Install the nginx and apache2-utils packages (the latter is used to create the authentication file):

# apt-get -y install nginx apache2-utils

Now create a user for Docker authentication:

# htpasswd -c /etc/nginx/docker-registry.htpasswd USERNAME

At the prompt, enter the password that will be used to log in to the Docker registry.
To add more users, repeat the command above, but omit the -c option (it creates a new file and would overwrite the existing one):

# htpasswd /etc/nginx/docker-registry.htpasswd USERNAME_2

Next, configure nginx to proxy requests to docker-registry, using the following site configuration:

# vim /etc/nginx/sites-available/docker-registry
# For versions of Nginx > 1.3.9 that include chunked transfer encoding support
# Replace with appropriate values where necessary

upstream docker-registry {
 server localhost:5000;
}

server {
 listen 8080;
 server_name xxxx;

 # ssl on;
 # ssl_certificate /etc/ssl/certs/docker-registry;
 # ssl_certificate_key /etc/ssl/private/docker-registry;

 proxy_set_header Host       $http_host;   # required for Docker client sake
 proxy_set_header X-Real-IP  $remote_addr; # pass on real client IP

 client_max_body_size 0; # disable any limits to avoid HTTP 413 for large image uploads

 # required to avoid HTTP 411: see Issue #1486 (https://github.com/dotcloud/docker/issues/1486)
 chunked_transfer_encoding on;

 location / {
     # let Nginx know about our auth file
     auth_basic              "Restricted";
     auth_basic_user_file    docker-registry.htpasswd;

     proxy_pass http://docker-registry;
 }
 location /_ping {
     auth_basic off;
     proxy_pass http://docker-registry;
 }
 location /v1/_ping {
     auth_basic off;
     proxy_pass http://docker-registry;
 }

}
# ln -s /etc/nginx/sites-available/docker-registry /etc/nginx/sites-enabled/docker-registry
# service nginx reload

Test: check docker-registry:

# curl localhost:5000
"\"docker-registry server\""

Check nginx:

# curl localhost:8080
<html>
<head><title>401 Authorization Required</title></head>
<body bgcolor="white">
<center><h1>401 Authorization Required</h1></center>
<hr><center>nginx/1.4.6 (Ubuntu)</center>
</body>
</html>

Check nginx authentication:

# curl USERNAME:PASSWORD@localhost:8080
"\"docker-registry server\""

Step Five — Configure SSL

Open the nginx configuration file and edit it:

# vim /etc/nginx/sites-available/docker-registry   # make the following changes (uncomment these lines):
      ssl on;
      ssl_certificate /etc/ssl/certs/docker-registry;
      ssl_certificate_key /etc/ssl/private/docker-registry;

Save and exit.

nginx is now set up for SSL, and from the configuration we can see that it expects the certificate at /etc/ssl/certs/docker-registry and the key at /etc/ssl/private/docker-registry.

Next, generate a self-signed certificate:

First create a directory to hold the new certificate files:

# mkdir ~/certs
# cd ~/certs

Generate a new root key:

# openssl genrsa -out devdockerCA.key 2048

Generate a root certificate:

openssl req -x509 -new -nodes -key devdockerCA.key -days 10000 -out devdockerCA.crt

Then generate a key for your server (this key will later be copied to /etc/ssl/private/docker-registry for nginx to use):

openssl genrsa -out dev-docker-registry.com.key 2048

Now generate a certificate signing request:

When you run this command, OpenSSL will prompt you with several questions. (Translator's note: I'm not sure how to translate the next two sentences; the gist should be: you can enter whatever you like for the others, but the value entered for "Common Name" must be the domain name you intend to use.)

Write whatever you’d like for the first few, but when OpenSSL prompts you to enter the “Common Name” make sure to type in the domain of your server.

openssl req -new -key dev-docker-registry.com.key -out dev-docker-registry.com.csr

For example, if your Docker registry will run on the domain www.ilovedocker.com, enter the following:

Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:www.ilovedocker.com
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Do not enter a challenge password at the end. Next, sign the certificate request:

openssl x509 -req -in dev-docker-registry.com.csr -CA devdockerCA.crt -CAkey devdockerCA.key -CAcreateserial -out dev-docker-registry.com.crt -days 10000

We have now generated all the files needed for authentication; copy them to their proper certificate locations.

First copy the certificate and key to the paths that nginx references:

# cp dev-docker-registry.com.crt /etc/ssl/certs/docker-registry
# cp dev-docker-registry.com.key /etc/ssl/private/docker-registry
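The Step Five certificate generation as one non-interactive script, added here as an example and not part of the original tutorial. It goes beyond the commands above in one respect: it adds a subjectAltName to the server certificate, which current Docker clients (Go's TLS stack) require because they no longer match the host name against the Common Name. It assumes the openssl command line tool is installed; docker-registry.example.com is the sample host name used in the output later in this post, and the output directory defaults to ./certs.

```shell
#!/bin/sh
# Non-interactive version of the Step Five certificate generation (added example,
# not the tutorial's own script). Assumes the openssl CLI; the domain is a
# constructed sample value. Adds a subjectAltName to the server certificate,
# which current Docker clients require (Go's TLS stack ignores the Common Name).
set -eu
# make_registry_certs DOMAIN OUTDIR: writes devdockerCA.{key,crt} and
# dev-docker-registry.com.{key,csr,crt} into OUTDIR, then returns 0 only if the
# server certificate verifies against the CA and names DOMAIN in its SAN.
make_registry_certs() {
    domain="$1"; out="$2"
    mkdir -p "$out"
    # Self-contained config so the CA certificate gets an explicit CA:TRUE
    # basicConstraints regardless of the system openssl.cnf.
    cat > "$out/ca.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
x509_extensions = ca_ext
[dn]
CN = devdockerCA
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
    # Leaf extensions: not a CA, server use only, SAN = the registry host name.
    cat > "$out/server.ext" <<EOF
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
subjectAltName = DNS:$domain
EOF
    # Root key and self-signed root certificate (the tutorial's devdockerCA).
    openssl genrsa -out "$out/devdockerCA.key" 2048 2>/dev/null
    openssl req -x509 -new -nodes -key "$out/devdockerCA.key" -days 3650 \
        -config "$out/ca.cnf" -out "$out/devdockerCA.crt"
    # Server key and CSR; -subj replaces the interactive prompts (CN = domain).
    openssl genrsa -out "$out/dev-docker-registry.com.key" 2048 2>/dev/null
    openssl req -new -key "$out/dev-docker-registry.com.key" -config "$out/ca.cnf" \
        -subj "/CN=$domain" -out "$out/dev-docker-registry.com.csr"
    # Sign the CSR with the CA, attaching the leaf extensions.
    openssl x509 -req -in "$out/dev-docker-registry.com.csr" -CA "$out/devdockerCA.crt" \
        -CAkey "$out/devdockerCA.key" -CAcreateserial -days 3650 \
        -extfile "$out/server.ext" -out "$out/dev-docker-registry.com.crt" 2>/dev/null
    # The checks a TLS client makes: the chain verifies and the host name matches.
    openssl verify -CAfile "$out/devdockerCA.crt" "$out/dev-docker-registry.com.crt" >/dev/null &&
        openssl x509 -in "$out/dev-docker-registry.com.crt" -noout -text | grep -q "DNS:$domain"
}

make_registry_certs "${1:-docker-registry.example.com}" "${2:-./certs}"
```

Run it as `sh make-certs.sh YOUR-DOMAIN ~/certs`, then copy dev-docker-registry.com.crt and .key to the nginx paths with the cp commands above and install devdockerCA.crt on each client as in Step Six.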

Since the certificates we just generated aren’t verified by any known certificate authority (e.g., VeriSign), we need to tell any clients that are going to be using this Docker registry that this is a legitimate certificate. Let’s do this locally so that we can use Docker from the Docker registry server itself:

# mkdir /usr/local/share/ca-certificates/docker-dev-cert
# cp devdockerCA.crt /usr/local/share/ca-certificates/docker-dev-cert
# update-ca-certificates

You’ll have to repeat this step for every machine that connects to this Docker registry! Otherwise you will get SSL errors and be unable to connect. These steps are shown in the client test section as well.

Test SSL

Restart nginx to load the new configuration:

# service nginx restart
# curl https://USERNAME:PASSWORD@YOUR-DOMAIN:8080

If everything is working, you should see the following response:

"\"docker-registry server\""

If not, go back and re-check the SSL and nginx configuration to make sure everything is set up correctly.

We now have a Docker registry service running behind nginx, which provides authentication and SSL encryption.

Step Six — Access Your Docker Registry from Another Machine

To access the Docker registry, first add the SSL certificate to the client machine.

On the registry server, cat the certificate file:

cat ~/certs/devdockerCA.crt

The output is the PEM-encoded CA certificate (the block from -----BEGIN CERTIFICATE----- to -----END CERTIFICATE-----).


Copy that output to the client.

On the client, create the certificate directory:

sudo mkdir /usr/local/share/ca-certificates/docker-dev-cert

Then run:

nano /usr/local/share/ca-certificates/docker-dev-cert/devdockerCA.crt

Paste the copied contents and save.

Double-check it:

cat /usr/local/share/ca-certificates/docker-dev-cert/devdockerCA.crt

Then update the certificates:

sudo update-ca-certificates

The output should look like the following (note the "1 added"):

Updating certificates in /etc/ssl/certs... 1 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d....done.

If you have not installed Docker on the client yet, do so now.

On most versions of Ubuntu you can quickly install a recent version of Docker by following the next few commands. If your client is on a different distro or you have issues, then see Docker’s installation documentation for other ways to install Docker.

Add the repository key:

sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys 36A1D7869245C8950F966E92D8576A8BA88D21E9;

Create a file to list the Docker repository:

sudo nano /etc/apt/sources.list.d/docker.list

Add the following line to the file:

deb https://get.docker.io/ubuntu docker main

Update your package lists:

sudo apt-get update

Install Docker:

sudo apt-get install -y --force-yes lxc-docker

To make working with Docker a little easier, let’s add our current user to the Docker group and re-open a new shell:

sudo gpasswd -a ${USER} docker
sudo su -l $USER #(enter your password at the prompt if needed)

Restart Docker to make sure it reloads the system’s CA certificates.

sudo service docker restart

You should now be able to log in to your Docker registry from the client machine:

docker login https://YOUR-HOSTNAME:8080

Note that you’re using https:// and port 8080 here. Enter the username and password you set up earlier (enter whatever you’d like for email if prompted). You should see a Login Succeeded message.

At this point your Docker registry is up and running! Let’s make a test image to push to the registry.

Step Seven — Publish to Your Docker Registry

On the client server, create a small empty image to push to our new registry.

docker run -t -i ubuntu /bin/bash

After it finishes downloading you’ll be inside a Docker prompt. Let’s make a quick change to the filesystem:

touch /SUCCESS

Exit out of the Docker container:

exit

Commit the change:

docker commit $(docker ps -lq) test-image

If you run docker images now, you’ll see that you have a new test-image in the image list:

# docker images

REPOSITORY          TAG                 IMAGE ID            CREATED             VIRTUAL SIZE
test-image          latest              1f3ce8008165        9 seconds ago       192.7 MB
ubuntu              trusty              ba5877dc9bec        11 days ago         192.7 MB

This image only exists locally right now, so let’s push it to the new registry we’ve created.

First, log in to the registry with Docker. Note that you want to use https:// and port 8080:

docker login https://<YOUR-DOMAIN>:8080

The corresponding output from my run:

# docker login https://docker-registry.example.com:8080
Username (dkuser): dkuser
WARNING: login credentials saved in /root/.dockercfg.
Login Succeeded

Enter the username and password you set up earlier:

Username: USERNAME
Password: PASSWORD
Email:
Account created. Please see the documentation of the registry http://localhost:5000/v1/ for instructions how to activate it.

Docker has an unusual mechanism for specifying which registry to push to. You have to tag an image with the private registry’s location in order to push to it. Let’s tag our image to our private registry:

docker tag test-image YOUR-DOMAIN:8080/test-image

The corresponding output from my run:

# docker tag test-image docker-registry.example.com:8080/test-image

Note that you are using the local name of the image first, then the tag you want to add to it. The tag is not using https://, just the domain, port, and image name.

Now we can push that image to our registry. This time we’re using the tag name only:

docker push <YOUR-DOMAIN>:8080/test-image

The corresponding output from my run:

# docker push docker-registry.example.com:8080/test-image
The push refers to a repository [docker-registry.example.com:8080/test-image] (len: 1)
Sending image list
Pushing repository docker-registry.example.com:8080/test-image (1 tags)
428b411c28f0: Image successfully pushed
435050075b3f: Image successfully pushed
9fd3c8c9af32: Image successfully pushed
6d4946999d4f: Image successfully pushed
220f9fa943e0: Image successfully pushed
Pushing tag for rev [220f9fa943e0] on {https://docker-registry.example.com:8080/v1/repositories/test-image/tags/latest}

This will take a moment to upload to the registry server. You should see output that includes Image successfully pushed.

Step Eight - Pull from Your Docker Registry

To make sure everything worked let’s go back to our original server (where you installed the Docker registry) and pull the image we just pushed from the client. You could also test this from a third server.

If Docker is not installed on your test pull server, go back and follow the installation instructions (and if it’s a third server, the SSL instructions) from Step Six.

Log in with the username and password you set up previously.

docker login https://<YOUR-DOMAIN>:8080

And now pull the image. You want just the "tag" image name, which includes the domain name, port, and image name (but not https://):

docker pull <YOUR-DOMAIN>:8080/test-image

The corresponding output from my run:

# docker pull docker-registry.example.com:8080/test-image
Pulling repository docker-registry.example.com:8080/test-image
220f9fa943e0: Download complete
428b411c28f0: Download complete
435050075b3f: Download complete
9fd3c8c9af32: Download complete
6d4946999d4f: Download complete
Status: Downloaded newer image for docker-registry.example.com:8080/test-image:latest

Docker will do some downloading and return you to the prompt. If you run the image on the new machine you’ll see that the SUCCESS file we created earlier is there:

docker run -t -i <YOUR-DOMAIN>:8080/test-image /bin/bash

The corresponding output from my run:

# docker run -t -i docker-registry.example.com:8080/test-image /bin/bash

List your files:

ls

You should see the SUCCESS file we created earlier:

SUCCESS  bin  boot  dev  etc  home  lib  lib64  media   mnt  opt  proc  root  run  sbin  srv  sys  tmp  usr  var

Congratulations! You’ve just used your own private Docker registry to push and pull your first Docker container! Happy Docker-ing!
