Pitfalls encountered while deploying docker registry_v2

This post records the setup of Docker Registry_v2 in detail: building the CA certificate, the key points of the Nginx configuration (in particular the Nginx proxy_pass path problem), and the troubleshooting steps for a 400 Bad Request error. It walks through the common configuration traps with concrete examples so that the private registry runs correctly.

docker registry_v2

Setup and troubleshooting notes for docker registry_v2: nginx plus a registry built from source, unlike the Docker-container-based setups found online, so that the registry can be tuned later.

Setup steps

  • Building the CA certificate (openssl)
  • Building and configuring nginx
  • Compiling the registry from source and configuring it
  • Verification and troubleshooting

Building the CA certificate

1. First edit the parameters in /etc/ssl/openssl.cnf. This has to happen before any certificate is generated; changing the file afterwards does nothing for certificates that were already issued.

    [ CA_default ]

    dir             = /etc/ssl/demoCA        # Where everything is kept
    certs           = $dir/certs             # Where the issued certs are kept
    crl_dir         = $dir/crl               # Where the issued crl are kept
    database        = $dir/index.txt         # database index file.
    #unique_subject = no                     # Set to 'no' to allow creation of
                                             # several certificates with same subject.
    new_certs_dir   = $dir/newcerts          # default place for new certs.

    certificate     = $dir/certs/cacert.pem  # The CA certificate
    serial          = $dir/serial            # The current serial number
    crlnumber       = $dir/crlnumber         # the current crl number
                                             # must be commented out to leave a V1 CRL
    crl             = $dir/crl.pem           # The current CRL
    private_key     = $dir/private/cakey.pem # The private key
    RANDFILE        = $dir/private/.rand     # private random number file

    [ v3_req ]

    # Extensions to add to a certificate request

    basicConstraints = CA:FALSE
    keyUsage = nonRepudiation, digitalSignature, keyEncipherment

    # This line matters: without it the Docker client later fails with
    # "registry endpoint ... x509: cannot validate certificate for ... because it doesn't contain any IP SANs"
    subjectAltName=IP:192.168.172.150

Two things to check before relying on [ v3_req ]. The section is only written into a CSR if [ req ] contains req_extensions = v3_req, and openssl ca only copies it into the signed certificate if it is run with -extensions v3_req (or [ CA_default ] has copy_extensions = copy); by default openssl ca applies its own x509_extensions section (usr_cert in the stock openssl.cnf) and the SAN is silently dropped. After signing, run openssl x509 -in nginx.crt -noout -text and look for the Subject Alternative Name entry before pointing Docker at the registry. The Docker client (Go's x509 verifier) matches an IP endpoint only against IP SANs, never against the Common Name.

2. Generate the certificates
   On Ubuntu the openssl configuration files live under /etc/ssl

    cd /etc/ssl
    mkdir demoCA demoCA/certs demoCA/crl demoCA/newcerts demoCA/private
    touch /etc/ssl/demoCA/index.txt       # openssl ca's certificate database, must exist
    echo 01 > /etc/ssl/demoCA/serial      # first serial number to issue
    cd /etc/ssl/demoCA
    # -nodes leaves cakey.pem unencrypted: keep private/ readable by root only
    openssl req -newkey rsa:4096 -nodes -sha256 -keyout cakey.pem -x509 -days 365 -out cacert.pem
    mv cacert.pem certs/ && mv cakey.pem private/
Set the domain here to your own; for example mine is *.192.168.172.150.xip.io
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [XX]:CN
    State or Province Name (full name) []:beijing
    Locality Name (eg, city) [Default City]:beijing
    Organization Name (eg, company) [Default Company Ltd]:self
    Organizational Unit Name (eg, section) []:
    Common Name (eg, your name or your server's hostname) []:*.192.168.172.150.xip.io
    Email Address []:jackyuan@126.com


OK, at this point the root certificate is complete.

Building and configuring nginx

Method one (distribution package):

    yum install nginx

Method two (from source):

1. Pick a version to install. Prefer a recent release: the add_header ... always directive that the registry's nginx recipe relies on needs nginx 1.7.5 or later, and older distribution packages do not have it.

    cd ~
    wget http://nginx.org/download/nginx-1.9.4.tar.gz
    tar zxvf nginx-1.9.4.tar.gz
    # the directory name must match the tarball that was just unpacked
    cd ./nginx-1.9.4 && \
    # assumes the www user/group exist and the openssl, zlib and pcre source
    # trees have already been unpacked under /root at the paths given
    ./configure --user=www --group=www --prefix=/opt/nginx --with-http_stub_status_module --with-http_ssl_module --with-http_addition_module --with-http_realip_module --with-http_flv_module --with-openssl=/root/openssl-1.0.2h --with-zlib=/root/zlib-1.2.8 --with-pcre=/root/pcre-8.39
    make && make install

2. Generate nginx's SSL certificate and record it in openssl's own certificate database (demoCA/index.txt)

    mkdir -p /etc/nginx/ssl
    cd /etc/nginx/ssl
    openssl genrsa -out nginx.key 4096
    openssl req -new -key nginx.key -out nginx.csr
    # The DN entered here has to satisfy the CA's policy_match: Country, State and
    # Organization must be identical to the CA certificate's. The Common Name is
    # the registry hostname (the "domain" above); it does not have to equal the CA's.
    # Add -extensions v3_req if the SAN from [ v3_req ] does not show up in nginx.crt.
    openssl ca -in nginx.csr -out nginx.crt

If the CA settings were not put in place beforehand, openssl ca fails here with errors such as demoCA not being found (the stock openssl.cnf uses dir = ./demoCA, relative to the current directory), so take care.
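The CA and server-certificate steps above, redone end to end in a scratch directory as an added example (this is not the post's own script): it writes the openssl.cnf sections the post edits plus the ones openssl ca needs, signs the nginx certificate, and then checks that the issued certificate really carries the IP SAN the Docker client looks for. The scratch directory, the CA subject, the server name registry.example.test and the IP 192.168.172.150 are assumptions for the demo.

```shell
#!/bin/sh
# Added example, not code from the original post: redo the post's CA and
# server-certificate procedure in a scratch directory, then check that the
# certificate nginx will serve really carries the IP SAN the Docker client
# requires. Scratch dir, CA subject, server CN "registry.example.test" and
# the IP 192.168.172.150 are assumptions for the demo.
set -eu

# Minimal openssl.cnf: the [CA_default]/[v3_req] edits from the post plus the
# [req] and [policy_match] sections that openssl req / openssl ca need.
write_openssl_cnf() {
  work="$1"; san_ip="$2"
  cat > "$work/ca.cnf" <<EOF
[ ca ]
default_ca     = CA_default
[ CA_default ]
dir            = $work/demoCA
certs          = \$dir/certs
new_certs_dir  = \$dir/newcerts
database       = \$dir/index.txt
serial         = \$dir/serial
certificate    = \$dir/certs/cacert.pem
private_key    = \$dir/private/cakey.pem
default_md     = sha256
default_days   = 365
policy         = policy_match
[ policy_match ]
countryName            = match      # C, ST and O must equal the CA's;
stateOrProvinceName    = match      # CN is free (the registry hostname)
organizationName       = match
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional
[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca          # applied by 'req -x509' (the CA cert)
req_extensions     = v3_req         # written into plain 'req' CSRs
prompt             = no
[ req_dn ]
CN = placeholder                    # overridden by -subj below
[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = IP:$san_ip       # what Docker checks for an IP endpoint
EOF
}

build_registry_pki() {
  work="$1"; san_ip="$2"
  mkdir -p "$work/demoCA/certs" "$work/demoCA/newcerts" "$work/demoCA/private"
  : > "$work/demoCA/index.txt"     # openssl ca's issued-certificate database
  echo 01 > "$work/demoCA/serial"
  write_openssl_cnf "$work" "$san_ip"

  # Root CA: key plus self-signed certificate carrying [v3_ca].
  openssl req -config "$work/ca.cnf" -new -x509 -newkey rsa:2048 -nodes \
    -sha256 -days 365 -subj "/C=CN/ST=beijing/O=self/CN=registry-ca" \
    -keyout "$work/demoCA/private/cakey.pem" -out "$work/demoCA/certs/cacert.pem"

  # Server key and CSR; C/ST/O must match the CA for policy_match to pass.
  openssl req -config "$work/ca.cnf" -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/C=CN/ST=beijing/O=self/CN=registry.example.test" \
    -keyout "$work/nginx.key" -out "$work/nginx.csr"

  # Sign. -extensions v3_req is the step the post leaves implicit: without it
  # (or copy_extensions = copy) openssl ca uses its default extension section
  # and the SAN never reaches nginx.crt. -batch skips the y/n prompts.
  openssl ca -config "$work/ca.cnf" -batch -notext -extensions v3_req \
    -in "$work/nginx.csr" -out "$work/nginx.crt"
}

# 0 if the certificate's SAN extension lists the given IP address.
cert_has_ip_san() {
  openssl x509 -in "$1" -noout -text \
    | grep -A1 'Subject Alternative Name' | grep -q "IP Address:$2"
}

# 0 if the server certificate verifies against the CA certificate.
cert_chains_to_ca() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Usage: sh registry-pki.sh /tmp/registry-pki 192.168.172.150
if [ "$#" -eq 2 ]; then
  build_registry_pki "$1" "$2"
  cert_chains_to_ca "$1/demoCA/certs/cacert.pem" "$1/nginx.crt" && echo "chain: OK"
  cert_has_ip_san "$1/nginx.crt" "$2" && echo "IP SAN $2: present"
fi
```

Drop -extensions v3_req from the openssl ca line and cert_has_ip_san fails, which is exactly the "doesn't contain any IP SANs" situation the post warns about, now caught before nginx is restarted rather than by the Docker client.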

3. Generate the htpasswd file; the username and password are both admin

    htpasswd -cb /opt/nginx/conf/.htpasswd admin admin

admin/admin is a placeholder for the walkthrough only. On anything reachable use a real password, and prefer the interactive form (htpasswd -c /opt/nginx/conf/.htpasswd admin) so the password does not end up in the shell history and process list the way -b puts it there.

4. Edit the nginx configuration

    user  www www;
    worker_processes  auto;

    error_log   /var/log/nginx_error.log error;
    #error_log  logs/error.log  notice;
    #error_log  logs/error.log  info;

    #pid        logs/nginx.pid;

    worker_rlimit_nofile 51200;

    events {
        use epoll;
        worker_connections  51200;
        multi_accept on;
    }

    http {
        include       mime.types;
        default_type  application/octet-stream;

        log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                          '$status $body_bytes_sent "$http_referer" '
                          '"$http_user_agent" "$http_x_forwarded_for"';

        access_log  /var/log/nginx_access.log  main;

        server_names_hash_bucket_size 128;
        client_header_buffer_size 32k;
        large_client_header_buffers 4 32k;

        sendfile        on;
        tcp_nopush      on;
        tcp_nodelay     on;

        #keepalive_timeout  0;
        keepalive_timeout  65;

        #gzip  on;

        upstream registry {
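The post breaks off inside the upstream block. The server block below is an added example, not the author's configuration: it assumes the registry listens on 127.0.0.1:5000, uses the certificate paths and the /opt/nginx/conf/.htpasswd file from the steps above, and shows the proxy_pass path pitfall the summary refers to, with the wrong form kept as a comment next to the right one.

```nginx
    upstream registry {
        server 127.0.0.1:5000;           # assumption: registry bound to localhost
    }

    server {
        listen 443 ssl;
        server_name 192.168.172.150 *.192.168.172.150.xip.io;

        ssl_certificate     /etc/nginx/ssl/nginx.crt;
        ssl_certificate_key /etc/nginx/ssl/nginx.key;

        # Each layer is pushed in one request; the default 1m limit returns 413.
        client_max_body_size 0;
        chunked_transfer_encoding on;

        location /v2/ {
            auth_basic "Docker Registry";
            auth_basic_user_file /opt/nginx/conf/.htpasswd;

            # 'always' (header also on 401 and other error responses) needs
            # nginx >= 1.7.5, which is why the post builds 1.9.4 from source.
            add_header 'Docker-Distribution-Api-Version' 'registry/2.0' always;

            # Pitfall: a URI part on proxy_pass replaces the matched location
            # prefix. With "proxy_pass http://registry/;" a request for
            # /v2/_catalog reaches the registry as /_catalog and gets a 404.
            # proxy_pass http://registry/;   # wrong: strips /v2/
            proxy_pass http://registry;      # right: path forwarded unchanged

            # The registry builds blob-upload Location URLs from Host; pass the
            # client's value or pushes get redirected to the upstream address.
            proxy_set_header Host              $http_host;
            proxy_set_header X-Real-IP         $remote_addr;
            proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_read_timeout 900;
        }
    }
```

Check it with curl -u admin:admin --cacert /etc/ssl/demoCA/certs/cacert.pem https://192.168.172.150/v2/ before trying docker login: a working v2 registry answers 200 with an empty JSON object and the Docker-Distribution-Api-Version header, and a 404 at this point usually means the /v2/ prefix was stripped by proxy_pass.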
