Docker private registry
Connections to the public registry sometimes time out and downloads are slow,
so we build a private registry mirror.
The server side can log in to the official Docker Hub and can pull from and push to both Docker Hub and the private registry,
but clients can only operate on the registry we build ourselves.
server 192.168.127.142
client 192.168.127.128
Disable SELinux
- setenforce 0
Open port 443 in the firewall
- firewall-cmd --add-port=443/tcp
Install the dependency packages with yum
- yum -y install pcre-devel zlib-devel openssl openssl-devel
pcre is needed when compiling nginx
the zlib library provides the compression algorithms
- vim /etc/hosts
- 127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
- ::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
- 192.168.127.142 gjy.com    (add the local IP address and domain name)
Change the host name
- hostnamectl set-hostname gjy.com
- bash
The system is CentOS 7.0, so the commands differ from earlier releases.
Next, generate the root key
Since this is the first-time setup, go straight into the directory and generate the files there
- cd /etc/pki/CA/
- openssl genrsa -out private/cakey.pem 2048
Generate the root certificate
- openssl req -new -x509 -key private/cakey.pem -out cacert.pem
The prompted fields may be left blank, but whatever is filled in must be kept consistent later.
Generate the SSL key for the nginx web server
- mkdir /etc/pki/CA/ssl
- cd /etc/pki/CA/ssl
- openssl genrsa -out nginx.key 2048
Generate a certificate signing request for nginx
- openssl req -new -key nginx.key -out nginx.csr
The values entered here must match those given for the root certificate (the default CA policy requires the country, state and organization fields to match).
The private CA issues the certificate from the request
- touch /etc/pki/CA/index.txt
- touch /etc/pki/CA/serial
- echo 00 > /etc/pki/CA/serial
- openssl ca -in nginx.csr -out nginx.crt
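The CA steps above are interactive and silently fail when the subject fields do not match. The script below is an added example, not code from the original post: it performs the same sequence (root key, root certificate, server key, CSR, `openssl ca` signing) non-interactively in a scratch directory instead of /etc/pki/CA, using a minimal CA config written inline, and then checks the result with `openssl verify`. The host name gjy.com comes from the post; the C/ST/O values and the config file name are constructed here.

```shell
#!/bin/sh
# Added example (not from the original post): build a private CA in a scratch
# directory and sign an nginx server certificate with `openssl ca`, mirroring
# the /etc/pki/CA steps above but without prompts.
# Assumptions: host name gjy.com (from the post); C/ST/O values are constructed.
# They must be identical in the root certificate and in the CSR, because the
# policy_match policy used here (also the CentOS default) requires it.

make_ca_config() {   # $1 = working directory, $2 = server host name
  dir=$1; host=$2
  cat > "$dir/ca.cnf" <<EOF
[ ca ]
default_ca = CA_default

[ CA_default ]
database      = $dir/index.txt
new_certs_dir = $dir/newcerts
serial        = $dir/serial
certificate   = $dir/cacert.pem
private_key   = $dir/private/cakey.pem
default_md    = sha256
default_days  = 365
policy        = policy_match

[ policy_match ]
countryName            = match
stateOrProvinceName    = match
organizationName       = match
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional

[ req ]
distinguished_name = req_dn

[ req_dn ]

[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ server_ext ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = DNS:$host
EOF
}

build_ca_and_sign() {   # $1 = working directory, $2 = server host name
  dir=$1; host=$2
  mkdir -p "$dir/private" "$dir/newcerts" "$dir/ssl"
  touch "$dir/index.txt"            # the CA database, as in the post
  echo 00 > "$dir/serial"           # first serial number
  make_ca_config "$dir" "$host"
  # root key and self-signed root certificate
  openssl genrsa -out "$dir/private/cakey.pem" 2048 2>/dev/null
  openssl req -new -x509 -config "$dir/ca.cnf" -extensions v3_ca -days 3650 \
    -key "$dir/private/cakey.pem" -subj "/C=CN/ST=Beijing/O=gjy/CN=gjy root CA" \
    -out "$dir/cacert.pem"
  # server key and signing request with the same C/ST/O as the root
  openssl genrsa -out "$dir/ssl/nginx.key" 2048 2>/dev/null
  openssl req -new -config "$dir/ca.cnf" -key "$dir/ssl/nginx.key" \
    -subj "/C=CN/ST=Beijing/O=gjy/CN=$host" -out "$dir/ssl/nginx.csr"
  # the private CA signs the request; server_ext adds SAN and serverAuth
  openssl ca -batch -notext -config "$dir/ca.cnf" -extensions server_ext \
    -in "$dir/ssl/nginx.csr" -out "$dir/ssl/nginx.crt" 2>/dev/null
}

# Succeeds only if the server certificate chains to the CA and carries the
# expected host name: what a client given --cacert checks and `curl -k` skips.
verify_server_cert() {   # $1 = working directory, $2 = expected host name
  openssl verify -CAfile "$1/cacert.pem" "$1/ssl/nginx.crt" >/dev/null &&
    openssl x509 -in "$1/ssl/nginx.crt" -noout -text | grep -q "DNS:$2"
}

# Usage: work=$(mktemp -d); build_ca_and_sign "$work" gjy.com
#        verify_server_cert "$work" gjy.com && echo "certificate OK"
```

On the real hosts the equivalent live check is `curl --cacert /etc/pki/CA/cacert.pem https://gjy.com`, which validates the chain and host name that the post's `curl -k` call deliberately ignores; a client that only ever tests with `-k` never learns whether the root certificate was installed correctly.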
Install Nginx
- groupadd www -g 58
- useradd -u 58 -g www www
- wget http://nginx.org/download/nginx-1.11.2.tar.gz
Download the nginx source tarball directly, then compile and install it
- ./configure --user=www --group=www --prefix=/opt/nginx --with-pcre --with-http_stub_status_module --with-http_ssl_module --with-http_addition_module --with-http_realip_module --with-http_flv_module
- make && make install
After a successful install, edit the configuration file
- user www;
- worker_processes 4;
- events {
-     worker_connections 4096;
- }
- http {
-     include mime.types;
-     default_type application/octet-stream;
-     sendfile on;
-     keepalive_timeout 65;
-     upstream registry {
-         server 192.168.127.142:5000;
-     }
-     server {
-         listen 443 ssl;
-         server_name gjy.com;
-         ssl_certificate /etc/pki/CA/ssl/nginx.crt;
-         ssl_certificate_key /etc/pki/CA/ssl/nginx.key;
-         ssl_session_cache shared:SSL:1m;
-         ssl_session_timeout 5m;
-         ssl_ciphers HIGH:!aNULL:!MD5;
-         ssl_prefer_server_ciphers on;
-         location / {
-             proxy_pass http://registry;
-             client_max_body_size 3000m;
-             proxy_set_header Host $host;
-             proxy_set_header X-Forwarded-For $remote_addr;  # standard header name; the original had "X-Forward-For"
-         }
-     }
- }
Start nginx
- /opt/nginx/sbin/nginx
Configure Docker
Stop Docker, edit /etc/sysconfig/docker and add
- DOCKER_OPTS="--insecure-registry docker.benet.com --tlsverify --tlscacert /etc/pki/CA/cacert.pem"
Copy the root certificate
- mkdir -p /etc/docker/certs.d/docker.benet.com
- cp /etc/pki/CA/cacert.pem /etc/docker/certs.d/docker.benet.com/ca-certificates.crt
Start Docker
- systemctl start docker
Import the registry image and run it directly
Create the directory that will hold the private registry data
- mkdir -p /opt/data/registry
Run the container
- docker run -d -p 5000:5000 -v /opt/data/registry:/tmp/registry -e GUNICORN_OPTS='["--preload"]' docker.io/registry
Verify with curl
- curl -i -k https://gjy.com
Client configuration
The local hosts file needs an entry that resolves the server
Append the root certificate from the docker registry server to the certificates.crt file
- scp [email protected]:/etc/pki/CA/cacert.pem ./
- cat ./cacert.pem >> /etc/pki/tls/certs/ca-certificates.crt
Test whether the registry is reachable
- curl -i -k https://gjy.com
Check whether the registry holds any images
- curl 192.168.127.142:5000/v1/search
All build, pull and push operations are done only on the private registry server, which lowers the risk.
Both the server and the clients can upload and download images.
Images can be uploaded and downloaded faster and more conveniently, without being affected by the network.
Source: http://www.bubuko.com/infodetail-2346906.html