1. Overview
To build a private Docker image registry with nexus, we can download the nexus installation package from the official website, install it, and then do the installation and configuration.
[nexus] Building a private Docker registry with nexus 3.5
http://www.reibang.com/p/7a7db54a538f
Starting with nexus 3.x, the other option is to pull the nexus image and run the nexus service in a container.
2. Lab environment
Operating system: CentOS 7.5 Minimal
nexusServer    192.168.1.106
dockerClient   192.168.1.104
3. Install docker
On both the nexusServer and dockerClient servers
Disable selinux
# setenforce 0
# sed -i 's/^SELINUX=.*/SELINUX=permissive/g' /etc/selinux/config
Install docker
# yum -y install yum-utils device-mapper-persistent-data lvm2
# yum-config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo
# yum list docker-ce --showduplicates | sort -r
# yum -y install docker-ce-18.06.0.ce
# systemctl start docker
# systemctl status docker
# systemctl enable docker
# docker version
4. Pull the image and run the nexus service
On the nexusServer server
# docker pull sonatype/nexus3:3.16.0
# docker images
# mkdir /opt/nexus-data
# chown -R 200 /opt/nexus-data
Note: the default user that runs nexus inside the container is nexus, with uid and gid 200
# docker run -it --rm sonatype/nexus3:3.5.2 cat /etc/passwd
Why do we need to create the directory and change its owner and group in advance?
Because the nexus process in the container is started by the ordinary user nexus, not by root. An ordinary user cannot create the directory on the host, and if the directory is not owned by the nexus user (or by the user id it maps to on the host), the process has no write permission to it.
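As an added example (not part of the original post), the ownership rule above can be turned into a check that runs before the container is started: the uid that the nexus image runs as (200) and the volume paths come from the post, while the function names and the check logic are mine. It uses only ls and awk, so it runs without root and works for any volume directory.

```shell
# Added example: verify that host directories mounted into the nexus container are owned
# by the uid the container process runs as (200 for sonatype/nexus3). Function names are
# this example's own; the uid and paths are the ones used in the post.

# Print the numeric owner uid of a path (ls -ldn prints uid/gid as numbers on GNU and BSD).
path_uid() {
    ls -ldn "$1" | awk '{print $3}'
}

# Return 0 if the directory exists and is owned by the expected uid, 1 otherwise.
# Example: check_volume_owner /opt/nexus-data 200
check_volume_owner() {
    dir=$1
    want_uid=$2
    [ -d "$dir" ] || { echo "missing directory: $dir" >&2; return 1; }
    have_uid=$(path_uid "$dir")
    if [ "$have_uid" != "$want_uid" ]; then
        echo "$dir is owned by uid $have_uid, expected $want_uid (fix: chown -R $want_uid $dir)" >&2
        return 1
    fi
    return 0
}

# Check every volume directory the container will mount; stop at the first mismatch.
# Example: check_all_volumes 200 /opt/nexus-data /opt/nexus-ssl /opt/nexus-jetty
check_all_volumes() {
    uid=$1
    shift
    for d in "$@"; do
        check_volume_owner "$d" "$uid" || return 1
    done
    echo "all volume directories are owned by uid $uid"
}
```

Run it as root on the nexusServer right after the mkdir/chown steps, e.g. `check_all_volumes 200 /opt/nexus-data`; a non-zero exit means the container would start but nexus could not write its data directory.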
Run the nexus container from the command line
# docker run -d \
--restart=always \
--name nexus \
--ulimit nofile=65536:65536 \
-p 192.168.1.106:8081:8081 \
-v /opt/nexus-data:/nexus-data \
sonatype/nexus3:3.16.0
# docker logs -f nexus
# docker ps -a
# ss -tan
Browser access: http://192.168.1.106:8081
5. Create a docker repository
Browser access: http://192.168.1.106:8081
Default login user and password: admin/admin123
A nexus built from the official image does not support https; for the repository port you can only choose http, otherwise the service fails.
We created an image repository named test, with repository port 2019 and protocol http, not https!
Restart the nexus service and expose port 2019
# docker stop nexus
# docker rm nexus
# docker run -d \
--restart=always \
--name nexus \
--ulimit nofile=65536:65536 \
-p 192.168.1.106:8081:8081 \
-p 192.168.1.106:2019:2019 \
-v /opt/nexus-data:/nexus-data \
sonatype/nexus3:3.16.0
# docker ps -a
# ss -tan
Improving how the server is started: register nexus as a system service
Write the unit file
# vim /etc/systemd/system/nexus.service
####################################################
[Unit]
Description=Nexus
Documentation=https://www.sonatype.com
After=network-online.target docker.service
Requires=docker.service
[Service]
ExecStartPre=-/usr/bin/docker rm -f nexus
ExecStart=/usr/bin/docker run \
--name nexus \
--ulimit nofile=65536:65536 \
-p 192.168.1.106:8081:8081 \
-p 192.168.1.106:2019:2019 \
-v /opt/nexus-data:/nexus-data \
sonatype/nexus3:3.16.0
ExecStop=/usr/bin/docker stop nexus
LimitNOFILE=65535
Restart=on-failure
StartLimitBurst=3
StartLimitInterval=60s
[Install]
WantedBy=multi-user.target
#####################################################
Stop and remove the nexus service that was started from the command line
# docker stop nexus
# docker rm nexus
Start the service with systemd
# systemctl daemon-reload
# systemctl start nexus
# systemctl enable nexus
# systemctl status nexus
6. Client test
Test port connectivity to the server
# echo > /dev/tcp/192.168.1.106/8081
# echo > /dev/tcp/192.168.1.106/2019
# curl -I http://192.168.1.106:8081
# curl -I http://192.168.1.106:2019
Log in to the registry from the nexusClient
# docker login http://192.168.1.106:2019 -u admin -p "admin123"
# cat /root/.docker/config.json
The nexus registry is served over http, but docker insists on https; how do we solve this?
Add the registry as a trusted (insecure) registry
# vim /usr/lib/systemd/system/docker.service
#######################################################
ExecStart=/usr/bin/dockerd --insecure-registry 192.168.1.106:2019
########################################################
# systemctl daemon-reload
# systemctl restart docker
# docker login 192.168.1.106:2019 -u admin -p "admin123"
# docker login http://192.168.1.106:2019 -u admin -p "admin123"
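As an added example (not the post's own commands), the same trust can be expressed through Docker's /etc/docker/daemon.json (`insecure-registries`) instead of editing ExecStart in docker.service, which survives package upgrades of the unit file. The functions below write and check such a file and also detect the case where `--insecure-registry` is still on the ExecStart line, because dockerd refuses to start when the same setting comes from both a flag and daemon.json. The registry address is the one from the post; the function names and file-path parameters are this example's own.

```shell
# Added example: manage the "insecure registry" trust via /etc/docker/daemon.json.
# Paths are parameters so the functions can be exercised against temporary files.

# Write a daemon.json whose insecure-registries list holds exactly the given host:port entries.
# Usage: write_insecure_registries /etc/docker/daemon.json 192.168.1.106:2019
write_insecure_registries() {
    conf=$1
    shift
    list=""
    for reg in "$@"; do
        [ -n "$list" ] && list="$list, "
        list="$list\"$reg\""
    done
    printf '{\n  "insecure-registries": [%s]\n}\n' "$list" > "$conf"
}

# Return 0 if host:port is listed as insecure in the config file, 1 otherwise.
# Fixed-string match (-F) so the dots in the address are not treated as regex wildcards.
registry_is_insecure() {
    conf=$1
    reg=$2
    [ -f "$conf" ] || return 1
    grep -F -q "\"$reg\"" "$conf"
}

# Return 0 if the docker unit file still passes --insecure-registry on its ExecStart line.
# dockerd rejects a directive given both as a flag and in daemon.json, so use one mechanism only.
unit_has_insecure_flag() {
    grep -q '^ExecStart=.*--insecure-registry' "$1"
}

# Combined check to run before "systemctl daemon-reload && systemctl restart docker".
# Usage: check_insecure_config /etc/docker/daemon.json /usr/lib/systemd/system/docker.service 192.168.1.106:2019
check_insecure_config() {
    conf=$1
    unit=$2
    reg=$3
    if unit_has_insecure_flag "$unit"; then
        echo "remove --insecure-registry from ExecStart in $unit before using $conf" >&2
        return 1
    fi
    registry_is_insecure "$conf" "$reg" || { echo "$reg is not listed in $conf" >&2; return 1; }
    echo "$reg will be trusted over plain http via $conf"
}
```

Whichever mechanism is used, the effect is the same: the daemon will send credentials and image layers to 192.168.1.106:2019 in clear text, so keep the list limited to this one address and drop the entry once the registry is moved to https in section 7.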
測(cè)試推送一個(gè)鏡像
# docker pull busybox:latest
# docker tag busybox:latest 192.168.1.106:2019/busybox:v1
# docker push 192.168.1.106:2019/busybox:v1
7. Change the nexus registry from http to https
Earlier we built the nexus service in a docker container and created an image repository named test, with repository port 2019 and protocol http, not https.
The nexus registry is served over http while docker insists on https, and we solved that by adding the registry as a trusted (insecure) registry on the client.
So, is there a way that is closer to best practice? Yes: use the nexus-https image, an improved version of the official nexus image.
Sonatype Nexus Repository Manager 3 with HTTPS support, based on CentOS
bradbeck/nexus-https
https://hub.docker.com/r/bradbeck/nexus-https
https://github.com/bradbeck/nexus-https
On the nexusServer server
# docker stop nexus
# docker rm nexus
# rm -rf /opt/nexus-data/*
# docker pull bradbeck/nexus-https
# docker images
Start a container from the nexus-https image to obtain the configuration file needed for https
# docker run -it --name nexus-https --rm bradbeck/nexus-https:latest bash
Open another Xshell window to the nexusServer server
# docker ps -a
You can see that a container with ID 2f3bbae29dd3 is running; your container ID will of course be different, so adjust accordingly.
Copy the file out of the container
# docker cp 2f3bbae29dd3:/opt/sonatype/nexus/etc/jetty/jetty-https.xml ./
Or you can use a one-liner (without -t, so that the TTY does not turn line endings into CRLF in the copied file):
# docker exec -i nexus-https cat /opt/sonatype/nexus/etc/jetty/jetty-https.xml > jetty-https.xml
Create the directories for the container service
# mkdir /opt/nexus-data
# mkdir /opt/nexus-ssl
# mkdir /opt/nexus-jetty
# chown -R 200 /opt/nexus-data /opt/nexus-ssl /opt/nexus-jetty
# cp jetty-https.xml /opt/nexus-jetty
Generate the keystore certificate file
Install keytool (the certificate tool)
# yum -y install java
Generate the certificate
# keytool \
-genkeypair \
-keystore /opt/nexus-ssl/keystore.jks \
-alias nexus \
-keypass nexus@123 \
-storepass nexus@123 \
-keyalg RSA \
-keysize 2048 \
-validity 5000 \
-dname "CN=*.test.com,OU=TEST,O=TEST,L=Shenzhen,ST=Guangdong,C=CN" \
-ext "SAN=IP:192.168.1.106" \
-ext "BC=ca:true"
# ll /opt/nexus-ssl/
# keytool -list -v -storepass "nexus@123" -keystore /opt/nexus-ssl/keystore.jks
Change the default certificate password in the configuration file
# sed -i 's/password/nexus@123/g' /opt/nexus-jetty/jetty-https.xml
Start the nexus container from the nexus-https image
# docker run -d \
--restart=always \
--name nexus \
--ulimit nofile=65536:65536 \
-p 192.168.1.106:8081:8081 \
-p 192.168.1.106:8443:8443 \
-v /opt/nexus-data:/nexus-data \
-v /opt/nexus-ssl:/opt/sonatype/nexus/etc/ssl/ \
-v /opt/nexus-jetty/jetty-https.xml:/opt/sonatype/nexus/etc/jetty/jetty-https.xml \
bradbeck/nexus-https:latest
# docker ps -a
# ss -tan
Browser access
https://192.168.1.106:8443
http://192.168.1.106:8081
If you do not need http, do not map the http port 8081 to the host when starting the container.
Default login user and password: admin/admin123
We created an image repository named test, with repository port 2019 and protocol https, not http!
Restart the nexus service and expose port 2019
# docker stop nexus
# docker rm nexus
# docker run -d \
--restart=always \
--name nexus \
--ulimit nofile=65536:65536 \
-p 192.168.1.106:8443:8443 \
-p 192.168.1.106:2019:2019 \
-v /opt/nexus-data:/nexus-data \
-v /opt/nexus-ssl:/opt/sonatype/nexus/etc/ssl/ \
-v /opt/nexus-jetty/jetty-https.xml:/opt/sonatype/nexus/etc/jetty/jetty-https.xml \
bradbeck/nexus-https:latest
# docker stop nexus
# docker rm nexus
Improving how the server is started: register nexus as a system service
Write the unit file
# vim /etc/systemd/system/nexus.service
####################################################
[Unit]
Description=Nexus
Documentation=https://www.sonatype.com
After=network-online.target docker.service
Requires=docker.service
[Service]
ExecStartPre=-/usr/bin/docker rm -f nexus
ExecStart=/usr/bin/docker run \
--name nexus \
--ulimit nofile=65536:65536 \
-p 192.168.1.106:8443:8443 \
-p 192.168.1.106:2019:2019 \
-v /opt/nexus-data:/nexus-data \
-v /opt/nexus-ssl:/opt/sonatype/nexus/etc/ssl/ \
-v /opt/nexus-jetty/jetty-https.xml:/opt/sonatype/nexus/etc/jetty/jetty-https.xml \
bradbeck/nexus-https:latest
ExecStop=/usr/bin/docker stop nexus
LimitNOFILE=65535
Restart=on-failure
StartLimitBurst=3
StartLimitInterval=60s
[Install]
WantedBy=multi-user.target
#####################################################
Stop and remove the nexus service that was started from the command line
# docker stop nexus
# docker rm nexus
Start the service with systemd
# systemctl daemon-reload
# systemctl start nexus
# systemctl enable nexus
# docker logs -f nexus
# systemctl status nexus
8. Client test
On the dockerClient server
Test port connectivity to the server
# echo > /dev/tcp/192.168.1.106/8443
# echo > /dev/tcp/192.168.1.106/2019
# curl -I -k https://192.168.1.106:8443
# curl -I -k https://192.168.1.106:2019
Log in to the registry from the nexusClient
# docker login 192.168.1.106:2019 -u admin -p "admin123"
Fetch the nexus server certificate
# yum -y install java
# keytool -printcert -sslserver 192.168.1.106:2019 -v
# keytool -printcert -sslserver 192.168.1.106:2019 -rfc
# keytool -printcert -sslserver 192.168.1.106:2019 -rfc > /etc/pki/ca-trust/source/anchors/nexus.crt
# cat /etc/pki/ca-trust/source/anchors/nexus.crt
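As an added example (not part of the original post), the following filters what `keytool -printcert -sslserver ... -rfc` produced before it is accepted as a trust anchor. keytool prints every certificate the server sends, and if the connection fails it prints an error message instead of PEM, so redirecting its output straight into the anchors directory can install garbage or nothing. The function keeps only complete BEGIN/END CERTIFICATE blocks, refuses an input with none, and reports how many were kept; the function names and the sample input in the test are this example's own. Before running update-ca-trust, also compare the SHA256 fingerprint that `keytool -printcert -v` shows on the client with the one `keytool -list -v` printed on the server in section 7, since fetching the certificate from the network is trust on first use.

```shell
# Added example: keep only PEM certificate blocks from a file captured with
# "keytool -printcert -sslserver host:port -rfc", and refuse to install an empty anchor.

# Copy complete -----BEGIN CERTIFICATE----- ... -----END CERTIFICATE----- blocks from $1 to $2.
# Prints the number of blocks kept. Returns 1 and writes nothing if none was found.
# Usage: extract_pem_certs /tmp/keytool-output.txt /etc/pki/ca-trust/source/anchors/nexus.crt
extract_pem_certs() {
    src=$1
    dst=$2
    [ -f "$src" ] || { echo "no such file: $src" >&2; return 1; }
    # Pass lines through only while inside a certificate block; everything else is dropped.
    awk '
        /^-----BEGIN CERTIFICATE-----$/ { inblock = 1 }
        inblock { print }
        /^-----END CERTIFICATE-----$/ { inblock = 0 }
    ' "$src" > "$dst.tmp"
    # Count END markers: a truncated final block (BEGIN without END) is not counted.
    n=$(grep -c '^-----END CERTIFICATE-----$' "$dst.tmp" || true)
    if [ "$n" -eq 0 ]; then
        rm -f "$dst.tmp"
        echo "no certificate block found in $src; not installing an anchor" >&2
        return 1
    fi
    mv "$dst.tmp" "$dst"
    echo "$n"
}

# Convenience wrapper for the client procedure: capture keytool output to a temp file,
# then install only the certificate blocks. Run as root on the dockerClient.
# Usage: install_registry_anchor 192.168.1.106:2019 /etc/pki/ca-trust/source/anchors/nexus.crt
install_registry_anchor() {
    hostport=$1
    anchor=$2
    raw=$(mktemp)
    keytool -printcert -sslserver "$hostport" -rfc > "$raw" 2>&1
    count=$(extract_pem_certs "$raw" "$anchor") || { rm -f "$raw"; return 1; }
    rm -f "$raw"
    echo "installed $count certificate(s) from $hostport into $anchor; now run update-ca-trust"
}
```

If the count is greater than 1 the server handed out a chain; for the self-signed keystore built in section 7 a single certificate is expected, and a different count is a sign that something other than the intended nexus instance answered on that port.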
Refresh the operating system trust store and restart docker
# update-ca-trust
# systemctl restart docker
# docker login 192.168.1.106:2019 -u admin -p "admin123"
# docker login https://192.168.1.106:2019 -u admin -p "admin123"
# cat /root/.docker/config.json
Test pushing an image
# docker pull busybox:latest
# docker tag busybox:latest 192.168.1.106:2019/busybox:v1
# docker push 192.168.1.106:2019/busybox:v1
9. References
sonatype/docker-nexus3
https://hub.docker.com/r/sonatype/docker-nexus3
https://github.com/sonatype/docker-nexus3
nexus 3.x docker image registry and registry proxy configuration
https://segmentfault.com/a/1190000015629878
sonatype nexus docker volume error
https://stackoverflow.com/questions/36405434/sonatype-nexus-docker-volume-error
Docker: From Beginner to Practice
https://yeasy.gitbooks.io/docker_practice
Understanding how uid and gid work in Docker containers
https://medium.com/@mccode/understanding-how-uid-and-gid-work-in-docker-containers-c37a01d01cf
bradbeck/nexus-https
https://hub.docker.com/r/bradbeck/nexus-https
https://github.com/bradbeck/nexus-https
Using Self-Signed Certificates with Nexus Repository Manager and Docker Daemon
https://support.sonatype.com/hc/en-us/articles/217542177-Using-Self-Signed-Certificates-with-Nexus-Repository-Manager-and-Docker-Daemon
Transport Layer Security (TLS) Self-Signed Certificates
https://support.sonatype.com/hc/en-us/articles/213465768-SSL-Certificate-Guide
Nexus Repository Manager 3 using SSL Unreachable by browsers or Docker
https://stackoverflow.com/questions/53183851/nexus-repository-manager-3-using-ssl-unreachable-by-browsers-or-docker