How to install Docker Private Registry under CentOS6.X

2025-01-19 Update. From: SLTechnology News&Howtos (shulou), Servers


Shulou(Shulou.com)06/01 Report--

This article describes how to install a private Docker registry on CentOS 6.x, fronted by nginx with TLS and basic authentication. It has some reference value; interested readers can follow along and will hopefully learn something from it.

Description:

docker.yy.com is the domain name of the docker registry server, that is, the host address of your company's private Docker registry; assume its IP is 192.168.2.114. Certificates are normally issued to a host name rather than a bare IP address (an IP would need an IP subjectAltName), so the server is given a name.

The registry server is the upstream server that handles the actual upload and download of docker images; it runs the official registry image.

nginx 1.4.x is used as the reverse proxy in front of it; it terminates TLS and enforces basic authentication.

[X] Docker server-side configuration

Install the build dependencies:

yum -y install gcc make file && \
yum -y install tar pcre-devel pcre-static openssl openssl-devel httpd-tools

Configure SSL

(1) Edit /etc/hosts and add the IP address of docker.yy.com, for example:

192.168.2.114 docker.yy.com

(2) Generate the root key

If any of the following files are left over from an earlier CA, delete them first so that openssl ca starts from a clean database:

/etc/pki/CA/cacert.pem
/etc/pki/CA/index.txt
/etc/pki/CA/index.txt.attr
/etc/pki/CA/index.txt.old
/etc/pki/CA/serial
/etc/pki/CA/serial.old

cd /etc/pki/CA/
openssl genrsa -out private/cakey.pem 2048

(3) Generate the root certificate

openssl req -new -x509 -key private/cakey.pem -out cacert.pem

Note: without -days the self-signed root is valid for only 30 days (the openssl req default), after which every client will reject the registry; for a private root add something like -days 3650. Keep private/cakey.pem readable by root only (chmod 600 private/cakey.pem): whoever holds it can issue certificates that every client of this registry trusts.

Output:

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]: CN
State or Province Name (full name) []: beijing
Locality Name (eg, city) [Default City]: beijing
Organization Name (eg, company) [Default Company Ltd]: youyuan
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []: docker.yy.com
Email Address []:

You will be prompted for the fields above. Because this is a private CA the values are free-form, but keep them consistent with the certificate request below. The Common Name in the request (step 5) must be the server's host name; the CA's own Common Name can be any name, and a distinct one (for example the company's CA name) is easier to tell apart from the server certificate in client trust stores. The self-signed root certificate cacert.pem is now in /etc/pki/CA.

(4) Generate the SSL key for our nginx web server

mkdir -p /etc/nginx/ssl
cd /etc/nginx/ssl
openssl genrsa -out nginx.key 2048

Here the CA and the server that applies for the certificate are the same machine; otherwise the key and request would be generated on the server that needs the certificate, and only the request (never the key) would be sent to the CA.

(5) Generate the certificate signing request for nginx

openssl req -new -key nginx.key -out nginx.csr

Output:

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]: CN
State or Province Name (full name) []: beijing
Locality Name (eg, city) [Default City]: beijing
Organization Name (eg, company) [Default Company Ltd]: youyuan
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []: docker.yy.com
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

You will again be prompted for input. The Common Name must be the domain name or host name of the server the certificate is for (docker.yy.com here), and the challenge password must be left empty. Caveat: current Go-based clients, the docker client included, ignore the Common Name and require the host name in a subjectAltName extension; openssl ca does not copy extensions from the request unless configured to, so on a modern system add a subjectAltName when issuing the certificate.

(6) Have the private CA issue a certificate for the request

touch /etc/pki/CA/index.txt
touch /etc/pki/CA/serial
echo 00 > /etc/pki/CA/serial
openssl ca -in nginx.csr -out nginx.crt

These commands are run from /etc/nginx/ssl (the directory entered in step 4), so nginx.crt lands next to nginx.key, where the nginx configuration below expects it.

Output:

Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 0 (0x0)
        Validity
            Not Before: Dec  9 09:59:20 2014 GMT
            Not After : Dec  9 09:59:20 2015 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = beijing
            organizationName          = youyuan
            commonName                = docker.yy.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                5D:6B:02:FF:9E:F8:EA:1B:73:19:47:39:4F:88:93:9F:E7:AC:A5:66
            X509v3 Authority Key Identifier:
                keyid:46:DC:F1:A5:6F:39:EC:6E:77:03:3B:C4:34:03:7E:B8:0A:ED:99:41
Certificate is to be certified until Dec  9 09:59:20 2015 GMT (365 days)
Sign the certificate? [y/n]: y
1 out of 1 certificate requests certified, commit? [y/n] y
Write out database with 1 new entries
Data Base Updated

You are prompted twice; answer y to both. The certificate is valid for 365 days (the openssl ca default), so plan to reissue it before it expires, or pass -days to openssl ca.
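The six SSL steps above, as an added shell example that is not part of the original article: it builds the same private CA and nginx server certificate non-interactively, adds a subjectAltName (which current Go-based docker clients require, the Common Name alone no longer being consulted), sets an explicit validity, and verifies the chain before nginx is pointed at it. It signs with openssl x509 -req instead of openssl ca, so no index.txt/serial state is needed. The paths, the host name docker.yy.com, the IP 192.168.2.114 and the subject fields are the article's placeholders; CA_DIR and SSL_DIR can be overridden to run it elsewhere.

```shell
#!/bin/sh
# Added example (not from the original article): build the private CA and
# issue the nginx server certificate non-interactively, with a Subject
# Alternative Name, then verify the chain as a client would.
# Assumptions: openssl 1.0 or later; the article's paths and host name
# (docker.yy.com, 192.168.2.114) are placeholders; CA_DIR / SSL_DIR may be
# overridden so the script can run outside /etc.
set -eu

CA_DIR="${CA_DIR:-/etc/pki/CA}"
SSL_DIR="${SSL_DIR:-/etc/nginx/ssl}"
REGISTRY_HOST="${REGISTRY_HOST:-docker.yy.com}"
REGISTRY_IP="${REGISTRY_IP:-192.168.2.114}"

# Create the self-signed root. The article's "openssl req -new -x509" call
# keeps the 30-day default validity; here the root lasts 10 years. The CA key
# never leaves $CA_DIR/private and is readable by root only.
make_ca() {
    mkdir -p "$CA_DIR/private" "$CA_DIR/newcerts"
    chmod 700 "$CA_DIR/private"
    openssl genrsa -out "$CA_DIR/private/cakey.pem" 2048 2>/dev/null
    chmod 600 "$CA_DIR/private/cakey.pem"
    openssl req -new -x509 -days 3650 -sha256 \
        -key "$CA_DIR/private/cakey.pem" \
        -subj "/C=CN/ST=beijing/L=beijing/O=youyuan/CN=youyuan private CA" \
        -out "$CA_DIR/cacert.pem"
}

# Issue a leaf certificate signed by the CA.
#   $1 file base name, $2 Common Name, $3 SAN list
#   (e.g. "DNS:docker.yy.com,IP:192.168.2.114"), $4 serverAuth|clientAuth
issue_cert() {
    name=$1; cn=$2; san=$3; eku=$4
    mkdir -p "$SSL_DIR"
    openssl genrsa -out "$SSL_DIR/$name.key" 2048 2>/dev/null
    chmod 600 "$SSL_DIR/$name.key"
    openssl req -new -sha256 -key "$SSL_DIR/$name.key" \
        -subj "/C=CN/O=youyuan/CN=$cn" -out "$SSL_DIR/$name.csr"
    # Extensions are not taken from the CSR, so they are supplied at signing
    # time: not a CA, restricted key purpose, and the SAN clients check.
    ext="$SSL_DIR/$name.ext"
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=%s\nsubjectAltName=%s\n' \
        "$eku" "$san" > "$ext"
    openssl x509 -req -days 365 -sha256 -in "$SSL_DIR/$name.csr" \
        -CA "$CA_DIR/cacert.pem" -CAkey "$CA_DIR/private/cakey.pem" \
        -CAcreateserial -extfile "$ext" -out "$SSL_DIR/$name.crt" 2>/dev/null
    rm -f "$SSL_DIR/$name.csr" "$ext"
}

# Verify like a client: the leaf must chain to the CA and the host name must
# appear in the SAN extension. Returns non-zero on either failure.
verify_cert() {
    name=$1; host=$2
    openssl verify -CAfile "$CA_DIR/cacert.pem" "$SSL_DIR/$name.crt" \
        >/dev/null 2>&1 || return 1
    openssl x509 -in "$SSL_DIR/$name.crt" -noout -text | grep -q "DNS:$host"
}

# The PKI the article builds: one root, one nginx server certificate.
build_registry_pki() {
    make_ca
    issue_cert nginx "$REGISTRY_HOST" "DNS:$REGISTRY_HOST,IP:$REGISTRY_IP" serverAuth
    verify_cert nginx "$REGISTRY_HOST"
}
```

Run build_registry_pki as root on the registry host. The same issue_cert function with clientAuth produces the client certificates a --tlsverify docker daemon would require, should the Docker API later be exposed over TCP.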

Install, configure and run nginx

(1) Add the group and user the nginx workers run as:

groupadd www -g 58
useradd -u 58 -g www www

(an unprivileged service account; adding -s /sbin/nologin -M keeps it from being used for logins)

(2) Download the nginx source:

cd /tmp
wget http://nginx.org/download/nginx-1.4.6.tar.gz

(the download is over plain HTTP and 1.4.6 is an old release; nginx.org publishes a detached PGP signature next to each tarball, verify it before building)

(3) Compile and install nginx:

tar zxvf ./nginx-1.4.6.tar.gz
cd ./nginx-1.4.6 && \
./configure --user=www --group=www --prefix=/opt/nginx \
    --with-pcre \
    --with-http_stub_status_module \
    --with-http_ssl_module \
    --with-http_addition_module \
    --with-http_realip_module \
    --with-http_flv_module && \
make && make install
cd /tmp
rm -rf /tmp/nginx-1.4.6/
rm /tmp/nginx-1.4.6.tar.gz

(4) Generate the htpasswd file for basic authentication:

htpasswd -cb /opt/nginx/conf/.htpasswd ${USER} ${PASSWORD}

-c creates (or overwrites) the file, so use it only for the first user. -b takes the password from the command line, where it ends up in shell history and is visible in ps; omit -b and let htpasswd prompt for it.

(5) Edit /opt/nginx/conf/nginx.conf:

# daemon off;
# user and group
user www www;
# number of worker processes (usually equal to the number of CPU cores)
worker_processes auto;
# error log path and level; levels are debug | info | notice | warn | error | crit
error_log /var/log/nginx_error.log error;
# pid file path
# pid logs/nginx.pid;
# number of file descriptors a worker may open
worker_rlimit_nofile 51200;

events {
    # network I/O model: epoll is recommended on Linux, kqueue on FreeBSD
    use epoll;
    # maximum number of connections per worker
    worker_connections 51200;
    multi_accept on;
}

http {
    include mime.types;
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$upstream_addr"';
    access_log /var/log/nginx_access.log main;
    # bucket size of the server name hash table, depends on the CPU cache line
    server_names_hash_bucket_size 128;
    # client request header buffers
    client_header_buffer_size 32k;
    large_client_header_buffers 4 32k;
    # enable sendfile()
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;

    upstream registry {
        server 127.0.0.1:5000;
    }

    server {
        listen 443;
        server_name docker.yy.com;
        ssl on;
        ssl_certificate /etc/nginx/ssl/nginx.crt;
        ssl_certificate_key /etc/nginx/ssl/nginx.key;
        # disable any limits to avoid HTTP 413 for large image uploads
        client_max_body_size 0;
        # required to avoid HTTP 411: see issue #1486 (https://github.com/docker/docker/issues/1486)
        chunked_transfer_encoding on;

        location / {
            auth_basic "registry";
            auth_basic_user_file /opt/nginx/conf/.htpasswd;
            root html;
            index index.html index.htm;
            proxy_pass http://registry;
            proxy_set_header Host $http_host;
            proxy_set_header X-Real-IP $remote_addr;
            # do not forward the basic-auth credentials to the registry
            proxy_set_header Authorization "";
            client_body_buffer_size 128k;
            proxy_connect_timeout 90;
            proxy_send_timeout 90;
            proxy_read_timeout 90;
            proxy_buffer_size 8k;
            proxy_buffers 4 32k;
            # under load the official recommendation is proxy_buffers * 2
            proxy_busy_buffers_size 64k;
            # size of temporary proxy cache files
            proxy_temp_file_write_size 64k;
        }
        location /_ping {
            auth_basic off;
            proxy_pass http://registry;
        }
        location /v1/_ping {
            auth_basic off;
            proxy_pass http://registry;
        }
    }
}

server_name is docker.yy.com rather than the IP address, matching the certificate's Common Name. The upstream 127.0.0.1:5000 is the registry container started further below. The two _ping locations are left unauthenticated because the docker client probes them before it logs in; everything else requires the htpasswd credentials, which are stripped before the request reaches the registry.

(6) Verify the configuration:

/opt/nginx/sbin/nginx -t

Output:

nginx: the configuration file /opt/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /opt/nginx/conf/nginx.conf test is successful

(7) Start nginx: /opt/nginx/sbin/nginx

(8) Check that nginx is running: ps -ef | grep -i 'nginx'

Output like the following shows nginx is up, with the master process running as root and the workers as www:

root   27133     1  0 18:58 ?      00:00:00 nginx: master process /opt/nginx/sbin/nginx
www    27134 27133  0 18:58 ?      00:00:00 nginx: worker process
www    27135 27133  0 18:58 ?      00:00:00 nginx: worker process
(one such line per worker process, PIDs 27136 to 27157)
root   27160 42863  0 18:58 pts/0  00:00:00 grep -i nginx

Configure and run Docker

(1) Stop docker: service docker stop

(2) Edit /etc/sysconfig/docker and add the following line:

DOCKER_OPTS="--insecure-registry docker.yy.com --tlsverify --tlscacert /etc/pki/CA/cacert.pem"

Two caveats. --insecure-registry tells the daemon to accept docker.yy.com over plain HTTP or with an unverifiable certificate, which throws away the verification that the CA installed in step (3) provides; once the CA is in place, drop it. --tlsverify and --tlscacert configure TLS for the daemon's own API socket, not for registry connections, and only matter together with -H tcp://... plus the daemon's own --tlscert/--tlskey. Also check which variable your init script actually reads: the EPEL docker-io package for CentOS 6 uses other_args in /etc/sysconfig/docker rather than DOCKER_OPTS.

(3) Copy the root certificate into /etc/docker/certs.d/docker.yy.com/:

mkdir -p /etc/docker/certs.d/docker.yy.com/
cp /etc/pki/CA/cacert.pem /etc/docker/certs.d/docker.yy.com/ca-certificates.crt

The daemon loads every *.crt file in this directory as a trusted CA for docker.yy.com only, so the file name just needs the .crt suffix.

(4) Start docker: service docker start

Download, configure and run the registry image

(1) Get the image: docker pull registry

(2) Run the image:

mkdir -p /opt/registry
docker run -d -e STORAGE_PATH=/registry -v /opt/registry:/registry -p 127.0.0.1:5000:5000 registry

A note on the command: -p 127.0.0.1:5000:5000 binds the registry's port 5000 to the loopback interface only. Publishing the port is not strictly necessary, since all external access goes through nginx in front and nginx can reach the registry from the host's private network; what matters is that the registry itself, which has no authentication of its own, is never published on a routable address.

(3) Verify the registry:

Open https://docker.yy.com in a browser, or run: curl -I -k https://abc:123@docker.yy.com

(abc and 123 stand for the htpasswd user and password created above. -k skips certificate verification; curl -I --cacert /etc/pki/CA/cacert.pem https://abc:123@docker.yy.com also checks that the certificate chains to the private CA, which is what the docker client will rely on.)

This is the end of the server configuration.

[X] Docker client configuration

(1) Edit /etc/hosts and add the IP address of docker.yy.com, for example:

192.168.2.114 docker.yy.com

(2) Append the docker registry server's root certificate to the ca-certificates.crt file

First copy /etc/pki/CA/cacert.pem from the docker registry server to the local machine, then run:

cat ./cacert.pem >> /etc/pki/tls/certs/ca-certificates.crt

Caveat: on CentOS 6 this file does not exist beforehand, so the command creates a bundle that contains only the private CA. /etc/ssl/certs is a symlink to /etc/pki/tls/certs there, and /etc/ssl/certs/ca-certificates.crt is the first bundle path Go's crypto/x509 (and hence the docker client) tries, so the client ends up trusting nothing but this CA; that is what causes the Docker Hub login error described in appendix (3). Prefer the per-registry directory already used on the server side, /etc/docker/certs.d/docker.yy.com/ca.crt, which affects only connections to docker.yy.com. If the CA really is wanted system-wide, append it to the real bundle /etc/pki/tls/certs/ca-bundle.crt (or use update-ca-trust) rather than creating a new file.

(3) Verify the registry under docker.yy.com:

Open https://docker.yy.com in a browser, or run: curl -I -k https://abc:123@docker.yy.com

(as on the server, replace -k with --cacert ./cacert.pem to exercise the CA chain as well)

(4) Using the private registry:

Log in: docker login -u abc -p 123 -e "test@gmail.com" https://docker.yy.com

(passing -p on the command line leaves the password in shell history; omit it and docker login prompts for it)

Tag the image with the private registry's name: docker tag centos:centos6 docker.yy.com/centos:centos6

Publish it: docker push docker.yy.com/centos:centos6

[X] Server side: steps to operate the private registry

1. Pull the image down from the official registry:

docker pull centos:centos6

2. View the image id

Run docker images

Output:

root@pts/0 # docker images
REPOSITORY   TAG       IMAGE ID       CREATED      VIRTUAL SIZE
centos       centos6   25c5298b1a36   8 days ago   215.8 MB

3. Give the image a tag for the private registry

docker tag 25c5298b1a36 docker.yy.com/centos:centos6

4. Push it to the private registry

docker push docker.yy.com/centos:centos6

5. View the images

docker images

Output:

root@pts/0 # docker images
REPOSITORY             TAG       IMAGE ID       CREATED      VIRTUAL SIZE
centos                 centos6   25c5298b1a36   8 days ago   215.8 MB
docker.yy.com/centos   centos6   25c5298b1a36   8 days ago   215.8 MB

[X] Client side: steps to operate the private registry

1. Pull the image down from the private registry

docker pull docker.yy.com/centos:centos6

2. View the image

docker images

Output:

root@pts/0 # docker images
REPOSITORY             TAG       IMAGE ID       CREATED      VIRTUAL SIZE
docker.yy.com/centos   centos6   25c5298b1a36   8 days ago   215.8 MB

Web management interface for Docker: Shipyard

[0] Edit /etc/sysconfig/docker

Add -H tcp://0.0.0.0:4243 -H unix:///var/run/docker.sock to DOCKER_OPTS, for example:

DOCKER_OPTS="-H tcp://0.0.0.0:4243 -H unix:///var/run/docker.sock --insecure-registry docker.yy.com --tlsverify --tlscacert /etc/pki/CA/cacert.pem --registry-mirror=http://d194d5cb.m.daocloud.io"

Caveat: -H tcp://0.0.0.0:4243 exposes the Docker API on every interface, and anyone who can reach it can start a privileged container with the host's filesystem mounted, which is root on the host. Either bind to 127.0.0.1 or a private interface and firewall the port, or complete the TLS setup: --tlsverify also needs the daemon's own certificate and key (--tlscert/--tlskey), and then only clients presenting a certificate issued by the CA in --tlscacert are accepted. The --registry-mirror URL is plain HTTP, so images pulled through it are not protected from tampering in transit.

[1] Start a data volume container for RethinkDB:

docker run -it -d --name shipyard-rethinkdb-data --entrypoint /bin/bash shipyard/rethinkdb -l

[2] Start RethinkDB using the data volume container:

docker run -it -P -d --name shipyard-rethinkdb --volumes-from shipyard-rethinkdb-data shipyard/rethinkdb

If your server is directly reachable from the Internet, note that this RethinkDB installation may listen publicly on ports 49153 (local instance), 49154 (cluster) and 49155 (web interface), and so be accessible to everyone.

[3] Start the Shipyard controller:

docker run -it -p 8080:8080 -d --name shipyard --link shipyard-rethinkdb:rethinkdb shipyard/shipyard

Shipyard creates a default user account with the username admin and the password shipyard. Change it at first login: anyone who reaches port 8080 with those credentials controls every daemon Shipyard manages.

You should then be able to open a browser at http://<docker-host>:8080 and see the Shipyard login.

Appendix:

(1) Disadvantages:

The server can log in to the official Docker Hub and can pull and push both official and private repositories.

The client side can only operate on the private registry set up here.

The private registry cannot be searched (docker search).

(2) Advantages:

All build, pull and push operations can only be performed on the server side of the private registry, which reduces the enterprise's exposure.

(3) If docker login against the official https://index.docker.io/v1/ fails on the client with "x509: certificate signed by unknown authority":

Rename the root certificate bundle: mv /etc/pki/tls/certs/ca-certificates.crt /etc/pki/tls/certs/ca-certificates.crt.bak

Restart the docker service: service docker restart

The error appears because the bundle created in client step (2) contains only the private CA and has become the client's entire trust store. Renaming it restores the public roots but also drops the private CA, so the private registry stops verifying again; the durable fix is to install cacert.pem under /etc/docker/certs.d/docker.yy.com/ on the client, as the server side already does.
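For client step (2) and this appendix item, an added shell example (not from the original article) of installing the CA on a client without turning it into the client's only trusted root: the per-registry directory is used first, and the system bundle is only appended to when it already holds the public roots, and only once. It assumes Docker 1.3 or later for /etc/docker/certs.d and the CentOS bundle path /etc/pki/tls/certs/ca-bundle.crt; both paths can be overridden, and the certificates used when exercising it below are constructed stand-ins, not real PEM data.

```shell
#!/bin/sh
# Added example (not from the original article): install the private CA on a
# Docker client without making it the machine's only trusted root.
# Assumptions: Docker >= 1.3 reads /etc/docker/certs.d/<registry-host>/*.crt;
# the RHEL/CentOS system bundle is /etc/pki/tls/certs/ca-bundle.crt; both
# locations can be overridden (CERTS_D, SYSTEM_BUNDLE) for testing.
set -eu

CERTS_D="${CERTS_D:-/etc/docker/certs.d}"
SYSTEM_BUNDLE="${SYSTEM_BUNDLE:-/etc/pki/tls/certs/ca-bundle.crt}"

# Number of PEM certificates in a bundle; 0 when the file is missing.
cert_count() {
    [ -f "$1" ] || { echo 0; return 0; }
    grep -c 'BEGIN CERTIFICATE' "$1" || true
}

# True when a bundle holds at most one certificate, i.e. it cannot be the
# system's public root store. This is the state that
# "cat cacert.pem >> /etc/pki/tls/certs/ca-certificates.crt" produces on a
# CentOS 6 box where that file did not exist before.
bundle_is_private_only() {
    [ "$(cert_count "$1")" -le 1 ]
}

# Preferred: scope the CA to one registry host. Only the docker client reads
# this directory, and only for connections to that host.
install_registry_ca() {
    host=$1; ca=$2
    mkdir -p "$CERTS_D/$host"
    cp "$ca" "$CERTS_D/$host/ca.crt"
    chmod 644 "$CERTS_D/$host/ca.crt"
}

# Fallback: append to the system bundle, but only if it already contains the
# public roots, and only once. The first base64 line of the PEM serves as a
# cheap identity check so repeated runs do not duplicate the entry.
append_to_system_bundle() {
    ca=$1
    if bundle_is_private_only "$SYSTEM_BUNDLE"; then
        echo "refusing: $SYSTEM_BUNDLE holds $(cert_count "$SYSTEM_BUNDLE") certificate(s), not the system roots" >&2
        return 1
    fi
    marker=$(sed -n '2p' "$ca")
    if grep -qF -- "$marker" "$SYSTEM_BUNDLE"; then
        return 0
    fi
    cat "$ca" >> "$SYSTEM_BUNDLE"
}
```

On a real client, install_registry_ca docker.yy.com ./cacert.pem is all that is needed; append_to_system_bundle is only for the case where other TLS clients on the box must also trust the CA, and it refuses to create the single-certificate bundle that breaks Docker Hub logins.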
