
Tips for Setting Up a Private Docker Registry

Below we introduce some tips for setting up a private Docker registry. We hope you find them useful.

2. Install docker-registry

The code is as follows:

docker run -d -e SETTINGS_FLAVOR=dev -e STORAGE_PATH=/tmp/registry -v /alidata/registry:/tmp/registry -p 5000:5000 registry

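# If the docker-registry image has not been downloaded locally, the first run pulls registry. The run maps the path and the port, so afterwards the private registry's data can be found under /alidata/registry, the host path mounted in the command above.

3. Operations on the client

# Query the local registry for the images it holds

The code is as follows: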

curl -X GET http://registry.wpython.com:5000/v1/search

curl http://registry.wpython.com:5000/v1/search

{"num_results": 1, "query": "", "results": [{"description": "", "name": "library/centos6"}]}

# Pull an image to the local machine

The code is as follows:

docker pull library/centos6

# Tag an image

The code is as follows:

docker tag 8552ea9a16f9 registry.wpython.com:5000/centos6_x86_64.mini

# Push the new Docker image to the local registry

The code is as follows:

docker push registry.wpython.com:5000/centos6_x86_64.mini

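4. Add nginx authentication

Once Docker starts listening on a port, it speaks plain HTTP, and the Docker host can be managed remotely.

This setup has a drawback: the API layer provides no user verification, tokens or other form of authentication, so anyone who knows the address and port can control the Docker host. To avoid this, Docker also officially supports HTTPS, but we have to generate the certificates ourselves.

Newer versions of Docker also require HTTPS and report an error otherwise.

# The nginx installation steps are omitted

Create a login user (if the htpasswd command is missing, install the httpd-tools package)

The code is as follows: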

htpasswd -c /alidata/server/nginx/docker-registry.htpasswd admin

New password:

Re-type new password:

Adding password for user admin

# Generate the root key

The code is as follows:

cd /etc/pki/CA/

openssl genrsa -out private/cakey.pem 2048

# Generate the root certificate

The code is as follows:

openssl req -new -x509 -key private/cakey.pem -out cacert.pem

Country Name (2 letter code) [AU]:CN

State or Province Name (full name) [Some-State]:Brijing

Locality Name (eg, city) []:Chaoyang

Organization Name (eg, company) [Internet Widgits Pty Ltd]:

Organizational Unit Name (eg, section) []:

Common Name (e.g. server FQDN or YOUR name) []:registry.wpython.com

Email Address []:

# Generate the SSL key for the nginx server

The code is as follows:

cd /alidata/server/nginx/ssl

openssl genrsa -out nginx.key 2048

# Generate the certificate signing request for nginx

The code is as follows:

openssl req -new -key nginx.key -out nginx.csr

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [AU]:CN

State or Province Name (full name) [Some-State]:Beijing

Locality Name (eg, city) []:Chaoyang

Organization Name (eg, company) [Internet Widgits Pty Ltd]:

Organizational Unit Name (eg, section) []:

Common Name (e.g. server FQDN or YOUR name) []:registry.wpython.com

Email Address []:

Please enter the following 'extra' attributes

to be sent with your certificate request

A challenge password []:

An optional company name []:

# The private CA issues the certificate from the request

The code is as follows:

openssl ca -in nginx.csr -out nginx.crt

# If the following error is reported:

Using configuration from /usr/local/ssl/openssl.cnf

/etc/pki/CA/index.txt: No such file or directory

unable to open '/etc/pki/CA/index.txt'

140137408210600:error:02001002:system library:fopen:No such file or directory:bss_file.c:398:fopen('/etc/pki/CA/index.txt','r')

140137408210600:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:400:

# Run the following commands

The code is as follows:

cd /etc/pki/CA/

mkdir newcerts

touch index.txt

touch serial

echo 01 > serial

cd -

openssl ca -in nginx.csr -out nginx.crt

Using configuration from /usr/local/ssl/openssl.cnf

Check that the request matches the signature

Signature ok

Certificate Details:

Serial Number: 1 (0x1)

Validity

Not Before: May 12 04:15:08 2015 GMT

Not After : May 11 04:15:08 2016 GMT

Subject:

countryName = CN

stateOrProvinceName = Beijing

organizationName = Internet Widgits Pty Ltd

commonName = registry.wpython.com

emailAddress = [email protected]

X509v3 extensions:

X509v3 Basic Constraints:

CA:FALSE

Netscape Comment:

OpenSSL Generated Certificate

X509v3 Subject Key Identifier:

B5:20:C7:47:26:D9:26:54:12:F7:36:7E:4E:3A:F0:D9:0E:2C:F7:BD

X509v3 Authority Key Identifier:

keyid:93:F7:86:72:1B:2B:24:CD:AF:24:EF:53:F4:E1:FA:EC:E7:70:1A:90

Certificate is to be certified until May 11 04:15:08 2016 GMT (365 days)

Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y

Write out database with 1 new entries

Data Base Updated

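# Make the root certificate discoverable by appending it to the system CA bundle

The code is as follows:

# cp /etc/pki/tls/certs/ca-bundle.crt{,.bak}   # back up first in case something goes wrong

# cat /etc/pki/CA/cacert.pem >> /etc/pki/tls/certs/ca-bundle.crt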
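An added example (not from the original page) that repeats the CA steps above non-interactively in a temporary directory, using `openssl x509 -req` in place of `openssl ca`, and then checks the result the way a client would. It goes one step beyond the page: current Docker clients are built with Go 1.15 or later, which ignores the Common Name and requires a subjectAltName, so the script issues one CN-only certificate like the page's and one with a SAN. The CA subject, file names and function names are constructed for the example.

```shell
#!/usr/bin/env bash
# Added example. Everything is created in a temp dir; /etc/pki/CA is not touched.
set -e
REG_HOST="registry.wpython.com"   # hostname used on this page

# make_ca DIR: throwaway root key + self-signed root cert (constructed subject).
make_ca() {
  openssl genrsa -out "$1/cakey.pem" 2048 2>/dev/null
  openssl req -new -x509 -key "$1/cakey.pem" -out "$1/cacert.pem" -days 365 \
    -subj "/C=CN/ST=Beijing/L=Chaoyang/CN=Example Registry CA"
}

# issue_cert DIR NAME HOST MODE: server key, CSR and CA-signed certificate.
# MODE=san adds subjectAltName; MODE=cn gives a CN-only cert like the page's.
issue_cert() {
  local dir=$1 name=$2 host=$3 mode=$4
  echo "basicConstraints=CA:FALSE" > "$dir/$name.ext"
  if [ "$mode" = san ]; then
    echo "subjectAltName=DNS:$host" >> "$dir/$name.ext"
  fi
  openssl genrsa -out "$dir/$name.key" 2048 2>/dev/null
  openssl req -new -key "$dir/$name.key" -out "$dir/$name.csr" \
    -subj "/C=CN/ST=Beijing/L=Chaoyang/CN=$host"
  openssl x509 -req -in "$dir/$name.csr" -CA "$dir/cacert.pem" \
    -CAkey "$dir/cakey.pem" -CAcreateserial -days 365 -sha256 \
    -extfile "$dir/$name.ext" -out "$dir/$name.crt" 2>/dev/null
}

# check_cert CA CERT HOST: prints ok | untrusted | no-san; returns 0 only for ok.
# SAN matching is exact (no wildcard handling).
check_cert() {
  local sans
  if ! openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'; then
    echo untrusted; return 1
  fi
  sans=$(openssl x509 -in "$2" -noout -text | tr ',' '\n' | sed -n 's/^ *DNS://p')
  if ! printf '%s\n' "$sans" | grep -Fxq "$3"; then
    echo no-san; return 1
  fi
  echo ok
}

demo() {
  local d; d=$(mktemp -d)
  make_ca "$d"
  issue_cert "$d" cn-only "$REG_HOST" cn
  issue_cert "$d" with-san "$REG_HOST" san
  echo "cn-only:  $(check_cert "$d/cacert.pem" "$d/cn-only.crt" "$REG_HOST" || true)"
  echo "with-san: $(check_cert "$d/cacert.pem" "$d/with-san.crt" "$REG_HOST" || true)"
  rm -rf "$d"
}
demo
```

To check the real files from the steps above, call `check_cert /etc/pki/CA/cacert.pem /alidata/server/nginx/ssl/nginx.crt registry.wpython.com`.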

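# Create the nginx configuration file

The code is as follows:

# vi /alidata/server/nginx/conf/vhosts/www.wpython.com.conf

upstream docker-registry {
    # Registry container from step 2. Because it was started with -p 5000:5000,
    # port 5000 is also reachable directly, bypassing this proxy, unless it is
    # firewalled or published on 127.0.0.1 only.
    server localhost:5000;
}

server {
    # Enable SSL on the listener (replaces the deprecated "ssl on;")
    listen 8080 ssl;
    server_name registry.wpython.com;

    ssl_certificate /alidata/server/nginx/ssl/nginx.crt;
    ssl_certificate_key /alidata/server/nginx/ssl/nginx.key;

    proxy_set_header Host $http_host;
    proxy_set_header X-Real-IP $remote_addr;

    # No limit on the request body size, so large image layers can be pushed
    client_max_body_size 0;
    chunked_transfer_encoding on;

    location / {
        auth_basic "Restricted";
        # Absolute path to the file created with htpasswd above, so it does not
        # depend on how nginx resolves relative paths
        auth_basic_user_file /alidata/server/nginx/docker-registry.htpasswd;
        proxy_pass http://docker-registry;
    }

    # The ping endpoints stay unauthenticated
    location /_ping {
        auth_basic off;
        proxy_pass http://docker-registry;
    }

    location /v1/_ping {
        auth_basic off;
        proxy_pass http://docker-registry;
    }
}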

# Done; test the setup
