This example uses two CentOS 7 servers for testing.
node1: 192.168.56.102
Starting the registry without authentication
Building an HTTPS private registry under a domain name
1. node1 acts as the private registry server; configure the hosts mapping on the host:
192.168.56.102 abiao.com
Since we are using HTTPS we need a certificate. This article uses an OpenSSL self-signed certificate; a tool such as Let's Encrypt could of course be used instead. First, generate the key file on node1:
[root@iz51hzu4zdjgpnz ~]# mkdir -p /srv/data/registry/certs
[root@iz51hzu4zdjgpnz ~]# cd /srv/data/registry/certs
[root@iz51hzu4zdjgpnz certs]# openssl req -newkey rsa:4096 -nodes \
    -sha256 -keyout ./abiao.key -x509 -days 365 -out ./abiao.crt
Enter the requested information:
Country Name (2 letter code) [XX]:86
State or Province Name (full name) []:Beijing
Locality Name (eg, city) [Default City]:Changping
Organization Name (eg, company) [Default Company Ltd]:foo
Organizational Unit Name (eg, section) []:bar
Common Name (eg, your name or your server's hostname) []:abiao.com
Email Address []:xxxxx@xxx.com
The self-signed certificate is now ready.
Because it is self-signed, Docker does not trust the certificate by default, so it has to be added to Docker's trusted certificates. On CentOS 7, Docker looks for them under the following path.
On node1:
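The openssl command above places abiao.com only in the certificate's CN; Docker's Go TLS stack (Go 1.15 and later, so Docker 20.10 and later) ignores the CN and matches the host name only against a subjectAltName, so a CN-only certificate is rejected by newer clients. The shell helper below is an added example, not part of the original post: it generates the same kind of self-signed certificate with a DNS SAN through an OpenSSL config file (which also works with the OpenSSL 1.0.2 shipped in CentOS 7) and verifies the result the way a TLS client would; the function names and the `HOST.key`/`HOST.crt` output naming are this example's own choices.

```shell
#!/bin/sh
# Print an OpenSSL request config for HOST whose self-signed certificate
# carries HOST both as the CN and as a DNS subjectAltName.
san_config() {
  host=$1
  cat <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_req
prompt = no

[dn]
CN = $host

[v3_req]
subjectAltName = DNS:$host
EOF
}

# Generate OUTDIR/HOST.key and OUTDIR/HOST.crt: a self-signed certificate
# valid for DAYS days (default 365), using the SAN config above.
make_registry_cert() {
  host=$1; outdir=$2; days=${3:-365}
  mkdir -p "$outdir"
  san_config "$host" > "$outdir/$host.cnf"
  openssl req -newkey rsa:4096 -nodes -sha256 \
    -keyout "$outdir/$host.key" -x509 -days "$days" \
    -out "$outdir/$host.crt" -config "$outdir/$host.cnf"
}

# cert_matches_host HOST CERTFILE: SAN-aware host-name check, as a TLS
# client performs it. Returns 0 on match, 1 otherwise.
cert_matches_host() {
  openssl x509 -in "$2" -noout -checkhost "$1" | grep -q 'does match'
}

# Usage: ./mkcert.sh abiao.com /srv/data/registry/certs
if [ -n "${1:-}" ]; then
  make_registry_cert "$1" "${2:-.}"
fi
```

Copy the generated `.crt` into `/etc/docker/certs.d/abiao.com:5000/` exactly as the post does for the CN-only certificate.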
[root@iz51hzu4zdjgpnz certs]# mkdir -p /etc/docker/certs.d/abiao.com:5000
[root@iz51hzu4zdjgpnz certs]# cp abiao.crt /etc/docker/certs.d/abiao.com:5000/
Create the docker-compose.yml file for registry:2
[root@iz51hzu4zdjgpnz certs]# mkdir -p /srv/docker-compose/registry
[root@iz51hzu4zdjgpnz certs]# cd /srv/docker-compose/registry/
[root@iz51hzu4zdjgpnz certs]# vim docker-compose.yml
The contents of docker-compose.yml are:
version: '2.0'
services:
  server-registry:
    restart: unless-stopped
    image: docker.io/registry:2.6.2
    ports:
      - 5000:5000
    environment:
      REGISTRY_HTTP_TLS_CERTIFICATE: /certs/abiao.crt
      REGISTRY_HTTP_TLS_KEY: /certs/abiao.key
    volumes:
      - /srv/data/registry/registry-data:/var/lib/registry
      - /srv/data/registry/certs:/certs
Start the registry:2 container
[root@iz51hzu4zdjgpnz registry]# docker-compose up -d
Test it
[root@iz51hzu4zdjgpnz registry]# docker pull hello-world
[root@iz51hzu4zdjgpnz registry]# docker tag docker.io/hello-world abiao.com:5000/hello-world
[root@iz51hzu4zdjgpnz registry]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
docker.io/centos latest e934aafc2206 4 weeks ago 199 MB
docker.io/docker latest cf0bbd4500c6 6 weeks ago 135 MB
docker.io/registry 2.6.2 d1fd7d86a825 3 months ago 33.3 MB
abiao.com:5000/hello-world latest f2a91732366c 5 months ago 1.85 kB
docker.io/hello-world latest f2a91732366c 5 months ago 1.85 kB
Push the image we just tagged to the private registry
[root@iz51hzu4zdjgpnz certs]# docker push abiao.com:5000/hello-world
The push refers to a repository [abiao.com:5000/hello-world]
f999ae22f308: Pushed
latest: digest: sha256:8072a54ebb3bc136150e2f2860f00a7bf45f13eeb917cca2430fcd0054c8e51b size: 524
Test on node0
docker pull lhdocker.com/kitematic/hello-world-nginx

At this point our private Docker registry is set up.
This is how to run it without authentication.
Registry with authentication
In many scenarios we want users to log in before they can access the private registry. This can be done as follows, assuming the certificate generated above is in place and the Docker service has been restarted:
[root@iz51hzu4zdjgpnz docker-compose]# cd ~
[root@iz51hzu4zdjgpnz ~]# cd /srv/data/registry/
[root@iz51hzu4zdjgpnz registry]# mkdir auth
[root@iz51hzu4zdjgpnz registry]# docker run --entrypoint htpasswd registry:2.2 -Bbn miss 123123 > auth/htpasswd
Modify the earlier docker-compose.yml (note that the value of REGISTRY_AUTH must be spelled htpasswd):
version: '2.0'
services:
  server-registry:
    restart: unless-stopped
    image: docker.io/registry:2.6.2
    ports:
      - 5000:5000
    environment:
      REGISTRY_HTTP_TLS_CERTIFICATE: /certs/abiao.crt
      REGISTRY_HTTP_TLS_KEY: /certs/abiao.key
      REGISTRY_AUTH: htpasswd
      REGISTRY_AUTH_HTPASSWD_REALM: Registry Realm
      REGISTRY_AUTH_HTPASSWD_PATH: /auth/htpasswd
    volumes:
      - /srv/data/registry/registry-data:/var/lib/registry
      - /srv/data/registry/certs:/certs
      - /srv/data/registry/auth:/auth
Stop the running registry container, remove it, and run the docker-compose command again
[root@iz51hzu4zdjgpnz registry]# docker-compose up -d
Now test pushing an image to the private registry again
[root@iz51hzu4zdjgpnz certs]# docker push abiao.com:5000/hello-world
Barring surprises, the following message appears
The push refers to a repository [abiao.com:5000/hello-world]
f999ae22f308: Preparing
no basic auth credentials
You have to log in before pushing; enter the username and password created above
[root@iz51hzu4zdjgpnz certs]# docker login abiao.com:5000
Username: miss
Password:
Login Succeeded
Run the push again
[root@iz51hzu4zdjgpnz certs]# docker push abiao.com:5000/hello-world
The push refers to a repository [abiao.com:5000/hello-world]
f999ae22f308: Pushed
latest: digest: sha256:8072a54ebb3bc136150e2f2860f00a7bf45f13eeb917cca2430fcd0054c8e51b size: 524
To stop the registry service, run the following command
[root@iz51hzu4zdjgpnz certs]# docker stop registry && docker rm -v registry
The httpd-tools utility
The docker-registry htpasswd file stores usernames and passwords as one username:password pair per line:
user1:password1
user2:password2
The password field is not stored in plaintext; it is a string hashed with the crypt function. The htpasswd tool generates these hashed strings; on CentOS it is provided by httpd-tools.
Install httpd-tools
yum install httpd-tools -y
Let's try creating another user with a hashed password
[root@iz51hzu4zdjgpnz registry]# htpasswd auth/htpasswd wang
New password:
Re-type new password:
Adding password for user wang
// This adds a user 'wang' and sets a password.
Logging in with this newly added user does not succeed. Investigation shows that the verification mechanism inside the container differs from the host's; this can be solved by proxying through nginx.
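The failure above has a concrete cause: the registry's built-in htpasswd backend accepts only bcrypt entries, while the htpasswd from httpd-tools writes apr1/MD5 by default unless given -B (the earlier `docker run --entrypoint htpasswd ... -Bbn` command did pass -B, which is why user miss works). The shell helper below is an added example, not part of the original post: it classifies each entry of an htpasswd file by hash format and reports the users the registry would reject; the sample file content and the hash values in it are constructed here.

```shell
#!/bin/sh
# Constructed sample htpasswd content (not from the page): "miss" was created with
# "htpasswd -B" (bcrypt); "wang" with the httpd-tools default (apr1/MD5).
SAMPLE_HTPASSWD='miss:$2y$05$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZ01234
wang:$apr1$Zg1kO2xY$Mh3q7tYdNk9gLp2rXwB8c1'

# htpasswd_hash_type "user:hash" -> bcrypt | apr1-md5 | sha1 | sha-crypt | crypt | unknown
htpasswd_hash_type() {
  hash=${1#*:}
  case "$hash" in
    '$2y$'*|'$2a$'*|'$2b$'*) echo bcrypt ;;
    '$apr1$'*)              echo apr1-md5 ;;
    '{SHA}'*)               echo sha1 ;;
    '$5$'*|'$6$'*)          echo sha-crypt ;;
    *)
      # traditional DES crypt output is exactly 13 characters with no prefix
      if [ ${#hash} -eq 13 ]; then echo crypt; else echo unknown; fi ;;
  esac
}

# check_registry_htpasswd FILE -> prints one line per user the registry's htpasswd
# backend (bcrypt only) would reject; returns 0 if every entry is bcrypt, 1 otherwise.
check_registry_htpasswd() {
  bad=0
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in ''|'#'*) continue ;; esac
    user=${line%%:*}
    type=$(htpasswd_hash_type "$line")
    if [ "$type" != bcrypt ]; then
      echo "$user: $type (not bcrypt; recreate with: htpasswd -B FILE $user)"
      bad=1
    fi
  done < "$1"
  return $bad
}

# Usage: ./check-htpasswd.sh /srv/data/registry/auth/htpasswd
if [ -n "${1:-}" ]; then
  check_registry_htpasswd "$1"
fi
```

Running it against the file from the post would report wang as apr1-md5, and recreating that entry with `htpasswd -B auth/htpasswd wang` makes the registry accept the login.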
Building a private registry with nginx reverse-proxying to the registry
Steps
1. Write the docker-compose file
version: '2.0'
services:
  registry:
    restart: always
    image: library/registry:2.3.1
    volumes:
      - /srv/data/registry/registry-data:/var/lib/registry
    ports:
      - 5000:5000
      - 5001:5001 # required to access debug service
  nginx:
    restart: always
    image: nginx:1.10.1
    environment:
      REGISTRY_HOST: "docker-registry"
      REGISTRY_PORT: "5000"
      SERVER_NAME: "localhost"
    links:
      - registry
    volumes:
      - /srv/data/nginx/conf/docker-registry.htpasswd:/etc/nginx/.htpasswd:ro
      - /srv/data/nginx/conf/conf.d:/etc/nginx/conf.d
      - /srv/data/registry/certs:/etc/nginx/ssl:ro
    ports:
      - 443:443
Note: create the .htpasswd file on the host first and then mount it into the container; the author's file lives in /srv/data/nginx/conf/.
2. Write the registry.conf configuration file
upstream docker-registry {
    server 192.168.56.101:5000;
}

server {
    listen 443 ssl;
    server_name docker-registry;
    add_header Docker-Distribution-Api-Version registry/2.0 always;
    ssl on;
    ssl_certificate /etc/nginx/ssl/abiao.crt;
    ssl_certificate_key /etc/nginx/ssl/abiao.key;

    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Original-URI $request_uri;
    proxy_set_header Docker-Distribution-Api-Version registry/2.0;

    location / {
        auth_basic "please input username/password";
        auth_basic_user_file /etc/nginx/.htpasswd;
        proxy_pass http://docker-registry;
    }

    error_page 404 /404.html;
    location = /40x.html {
    }

    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
    }
}
On the host, create a conf.d directory under /srv/data/nginx/conf/, put registry.conf into it, and mount that host directory into the container as shown in the docker-compose.yml above.
3. Verify
Verify with curl: the query succeeds, and the images in the container are the ones uploaded earlier (the registry's mounted data directory is unchanged)
[root@iz51hzu4zdjgpnz certs]$ curl --cacert abiao.crt --user miss:123 https://abiao.com:443/v2/_catalog
{"repositories":["hello-world"]}
Log in with a nonexistent user: you can see that the user fails authentication
[root@iz51hzu4zdjgpnz conf]# docker login abiao.com
Username: wulei
Password:
Error response from daemon: Get https://abiao.com/v1/users/: x509: certificate signed by unknown authority
Create a new user
[root@iz51hzu4zdjgpnz conf]# cd /srv/data/nginx/conf/
[root@iz51hzu4zdjgpnz conf]# htpasswd docker-registry.htpasswd chen
New password:
Re-type new password:
Adding password for user chen
// This adds a user 'chen' and sets a password.
Log in with the newly created user
[root@iz51hzu4zdjgpnz abiao.com:5000]# docker login abiao.com
Username: chen
Password:
Login Succeeded
Push an image to the private registry
// Tag it first
[root@iz51hzu4zdjgpnz ~]$ docker tag docker.io/hello-world abiao.com/abiao/happy-world
// abiao.com/abiao/happy-world means: push to the abiao.com registry, into the namespace abiao, with the image name happy-world
// Push the image
[root@iz51hzu4zdjgpnz ~]$ docker push abiao.com/abiao/happy-world
View it in the browser. Because the certificate is self-signed, you need to add a security exception; note that the access scheme is https.
User authentication: enter the username and password.
As shown below, requesting /v2/_catalog lists the images in the private registry.
With that, the setup is complete. I hope this article helps readers who are learning to build a private Docker registry.