Setting Up a Private Docker Registry

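The official DockerHub is a registry for managing public images. We can download the images we need with docker pull, and push our own images to DockerHub with docker push. For security and speed, however, companies usually set up their own private registry to manage their images.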

Below we use docker registry to build a company's own private registry; see the official documentation for details.

1. Because the DockerHub site is hosted overseas, we download the Docker registry image through NetEase's hub.c.163.com (网易蜂巢).

[root@kvm-server01 ~]# docker pull hub.c.163.com/library/registry:latest

2. Check the Docker registry image.

[root@kvm-server01 ~]# docker images |grep 163
hub.c.163.com/library/nginx      latest              db079554b4d2        5 weeks ago         181.8 MB
hub.c.163.com/library/registry   latest              d1e32b95d8e8        9 weeks ago         33.17 MB

3. Start a container.

[root@kvm-server01 ~]# docker run --name zmzdockerhub -d -p 5000:5000 "hub.c.163.com/library/registry"
# Test the registry; a response of {} means it is working
[root@kvm-server01 ~]# curl 192.168.100.100:5000/v2/  
{}

4. Install nginx.

[root@kvm-server01 ~]# rpm -ivh https://mirrors.aliyun.com/epel/epel-release-latest-7.noarch.rpm
[root@kvm-server01 ~]# yum install nginx

5. Configure HTTPS encryption.

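HTTPS (full name: Hypertext Transfer Protocol over Secure Socket Layer) is an HTTP channel designed for security. It provides authentication and encrypted communication, and is now widely used for security-sensitive communication on the World Wide Web, such as payment transactions, finance and securities.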

1) Create the server private key; a passphrase must be entered here.

[root@kvm-server01 ~]#  cd /etc/ssl
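[root@kvm-server01 ssl]# openssl genrsa -des3 -out server_private.key 2048 # This command generates a 2048-bit key protected by a passphrase using des3 encryption; if you do not want to enter the passphrase every time, use instead: openssl genrsa -out server_private.key 2048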
Generating RSA private key, 2048 bit long modulus
.......+++
..................+++
e is 65537 (0x10001)
Enter pass phrase for server_private.key:
Verifying - Enter pass phrase for server_private.key:

2) Create the certificate signing request.

[root@kvm-server01 ssl]# openssl req -new -key server_private.key -out server.csr  # This command generates a certificate signing request; it asks for the passphrase of the key file server_private.key generated earlier
Enter pass phrase for server_private.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:SH
Locality Name (eg, city) [Default City]:SH
Organization Name (eg, company) [Default Company Ltd]:zmz
Organizational Unit Name (eg, section) []:zmz
Common Name (eg, your name or your server's hostname) []:reg.zmzblog.com
Email Address []:admin@zmzblog.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:zmzpwd
An optional company name []:zmzblog

3) Create the private key with the passphrase removed; enter the passphrase set in the first sub-step.

[root@kvm-server01 ssl]# openssl rsa -in server_private.key -out server.key
Enter pass phrase for server_private.key:
writing RSA key

4) Create the CA certificate (the command self-signs the request with server.key).

[root@kvm-server01 ssl]# openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
Signature ok
subject=/C=CN/ST=SH/L=SH/O=zmz/OU=zmz/CN=reg.zmzblog.com/emailAddress=admin@zmzblog.com
Getting Private key
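
Sub-steps 1) to 4) collapsed into one non-interactive command with two checks on the result, as an added example that is not part of the original post. It also adds a subjectAltName entry, because Docker clients built with Go 1.15 or later reject certificates that carry the hostname only in the Common Name. The function names and the temporary directory are illustrative, and `-addext` assumes OpenSSL 1.1.1 or newer.

```shell
#!/usr/bin/env bash
# Added example (not from the original post). Function names are illustrative.
set -eu

# make_registry_cert DIR HOST
# Writes DIR/server.key (no passphrase, as after sub-step 3) and a self-signed
# DIR/server.crt valid for 365 days, with HOST in both the CN and the SAN.
make_registry_cert() {
    local dir="$1" host="$2"
    (
        umask 077    # the key file must not be readable by other users
        openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
            -subj "/C=CN/ST=SH/L=SH/O=zmz/OU=zmz/CN=$host" \
            -addext "subjectAltName=DNS:$host" \
            -keyout "$dir/server.key" -out "$dir/server.crt"
    )
}

# cert_has_san CERT HOST: succeeds only if HOST is listed as a DNS SAN.
cert_has_san() {
    openssl x509 -in "$1" -noout -text |
        grep -A1 'Subject Alternative Name' | grep -qF "DNS:$2"
}

# key_matches_cert CERT KEY: succeeds if both hold the same public key; a
# mismatch otherwise only shows up when nginx refuses to start.
key_matches_cert() {
    local a b
    a=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
    b=$(openssl pkey -in "$2" -pubout | openssl sha256)
    [ "$a" = "$b" ]
}

# Demo in a throwaway directory; on the host above DIR would be /etc/ssl.
demo_dir=$(mktemp -d)
make_registry_cert "$demo_dir" reg.zmzblog.com
cert_has_san "$demo_dir/server.crt" reg.zmzblog.com && echo "SAN present"
key_matches_cert "$demo_dir/server.crt" "$demo_dir/server.key" && echo "key matches"
rm -rf "$demo_dir"
```

Because the certificate is self-signed, each Docker client still has to be told to trust server.crt before it will accept the registry over HTTPS.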

6) Nginx HTTP username and password authentication.

[root@kvm-server01 ~]# yum install httpd-tools
[root@kvm-server01 ~]# htpasswd -c /etc/nginx/conf.d/.docker-registry.htpasswd sfzhang
New password:
Re-type new password:
Adding password for user sfzhang

7) Edit the nginx configuration file.

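[root@kvm-server01 ~]# cat /etc/nginx/conf.d/docker-registry.conf
# The registry container started in step 3
upstream docker-registry {
    server 127.0.0.1:5000;
}

server {
    # TLS is enabled on the listen directive; the separate "ssl on;"
    # directive is deprecated and rejected by current nginx releases.
    listen 443 ssl;
    server_name reg.zmzblog.com;
    ssl_certificate /etc/ssl/server.crt;
    ssl_certificate_key /etc/ssl/server.key;
    proxy_set_header Host $http_host;
    proxy_set_header X-Real-IP $remote_addr;
    # 0 disables the request body size limit so large image layers can be pushed
    client_max_body_size 0;
    chunked_transfer_encoding  on;

    # Everything else requires HTTP basic authentication
    location / {
        auth_basic  "Docker User Authentication";
        auth_basic_user_file /etc/nginx/conf.d/.docker-registry.htpasswd;
        proxy_pass http://docker-registry;
    }

    # The ping endpoints are served without authentication
    location /_ping {
        auth_basic off;
        proxy_pass http://docker-registry;
    }

    location /v1/_ping {
        auth_basic off;
        proxy_pass http://docker-registry;
    }

}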

6. Test whether nginx username and password authentication works.

[root@kvm-server01 ~]# curl -s -i --user sfzhang:sfzhang reg.zmzblog.com |head -1
HTTP/1.1 200 OK
[root@kvm-server01 ~]# docker login -u sfzhang -p sfzhang reg.zmzblog.com
Login Succeeded

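7. Test the Docker registry. The image is tagged and pushed to reg.zmzblog.com:5000, which is the registry container's published port from step 3 rather than the nginx listener on 443, so this path does not pass through the TLS and basic-auth layer configured above.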

[root@kvm-server01 ~]# docker tag zmz/zmznginx:v3 reg.zmzblog.com:5000/zmz/zmznginx:latest
[root@kvm-server01 ~]# docker push reg.zmzblog.com:5000/zmz/zmznginx:latest
The push refers to a repository [reg.zmzblog.com:5000/zmz/zmznginx]
e437d58fb441: Pushed
6a10646a5bfe: Pushed
3eaac0a759fa: Pushed
8093fa8695b6: Pushed
9b198ff9ff5b: Pushed
latest: digest: sha256:caeb3bff9e67b8de1391c4002b903a20498289368cd9ca2b22fb14dcd6bfd423 size: 1367

8. On other servers, the image can be pulled with the following command.

[root@kvm-server01 ~]# docker pull reg.zmzblog.com:5000/zmz/zmznginx
Using default tag: latest
Trying to pull repository reg.zmzblog.com:5000/zmz/zmznginx ...
latest: Pulling from reg.zmzblog.com:5000/zmz/zmznginx
Digest: sha256:caeb3bff9e67b8de1391c4002b903a20498289368cd9ca2b22fb14dcd6bfd423
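
Author: 朴实的追梦者
Unless otherwise noted, this article is original work by 朴实的追梦者. Reposting is welcome; please credit this article's address as a link. Thanks.
Original link: http://www.zmzblog.com/docker/docker-registry-install.html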


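2 thoughts on “Setting Up a Private Docker Registry”

1. jesse

   openssl genrsa -des3 -out server_private.key 2048 # This command generates a 2048-bit key protected by a passphrase using des3 encryption; if you do not want to enter the passphrase every time, use instead: openssl genrsa -des3 -out server_private.key 2048

   I don't see any difference between these two commands?

   1. 朴实的追梦者 (Post author)

      The second command should not have the -des3 parameter; the article has been corrected. Thanks for pointing it out.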