Building a Docker Private Registry

2025-01-23 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/02 Report--

Http://xiaorenwutest.blog.51cto.com

Deploying a private registry in Docker

To use an image in Docker, the image must already be present locally or be downloaded from the public Docker Hub repository. The required image may not exist locally, and even when the public repository has the image we need, it may not be allowed for security reasons. So is there a way to keep a repository of our own images? Yes: build a private registry.

Note: in a production environment, building a private registry requires a CA server, and nginx is needed as a reverse proxy. The connection to the registry is encrypted with HTTPS, so the openssl package must be installed.

Experimental environment:

Two Linux hosts: a server with IP 192.168.65.128 and a client with IP 192.168.65.129.

Description:

docker.benet.com is the host name of the Docker registry server, with IP 192.168.65.128. The host name is used in the SSL certificate for HTTPS, so it must be set.

The Docker registry server, the final destination for image uploads and downloads, runs the official registry image.

nginx 1.6.x is used as the reverse proxy server.

Note: disable SELinux.

1) HTTPS support for the private registry:

A) Install the dependent packages:

1: First install the Docker environment and set Docker to start at boot.

Add it as a system service and start the docker service.

(1) Edit /etc/hosts and add the IP address of docker.benet.com, for example:

Host name and IP address:

(2) Generate the root key

First delete the following files, if they exist:

/etc/pki/CA/cacert.pem

/etc/pki/CA/index.txt

/etc/pki/CA/index.txt.attr

/etc/pki/CA/index.txt.old

/etc/pki/CA/serial

/etc/pki/CA/serial.old

If they do not exist there is nothing to delete; on a freshly installed CA they are not present.

(3) Generate the root certificate

Execute as shown below:

You will be prompted for some input. Because the CA is private you can fill in what you like, but it is best to keep the values consistent with what follows, especially the "Common Name", which must match the output of hostname.

The self-signed certificate cacert.pem is generated under /etc/pki/CA.

(4) Generate the SSL key for the nginx web server

# mkdir /etc/pki/CA/ssl

# cd /etc/pki/CA/ssl

Next, generate the private key for nginx.

Note: because the CA is on the same machine as the nginx server that requests the certificate, the SSL key for nginx is generated locally; otherwise it would be generated on the server that needs the certificate.

View the nginx server's key

(5) Generate a certificate signing request for nginx

Execute:

You will again be prompted for input. The Common Name must be the domain name or host name of the server the certificate is issued to, and the challenge password must be left empty.

(6) The private CA issues the certificate from the request

Execute:

openssl ca -in nginx.csr -out nginx.crt

Output: certificate information for nginx

You will again be prompted for some input; answer y.

View nginx's certificate

View the generated certificate
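Steps (2) to (6) above, as an added example script that is not part of the original post. It creates the private root, generates the nginx key and CSR, signs the request and then checks the result with openssl verify instead of reading the certificate by eye. Two things differ from the post and are assumptions of this example: signing uses openssl x509 -req with the CA key, so no /etc/pki/CA index and serial files are needed, and the host name is also written into subjectAltName, because current Docker clients ignore the Common Name and require a SAN entry. The work directory is a parameter so the script can run unprivileged; docker.benet.com is the registry host from the post.

```shell
#!/bin/sh
# Added example, not from the original post: issue an nginx server certificate
# from a private CA and check that it is valid for the registry host name.
# Assumptions (constructed): CA files and the nginx key live under a work
# directory passed as a parameter instead of /etc/pki/CA.
set -eu

# make_ca DIR CN : self-signed root (the post's "generate root certificate").
# -subj replaces the interactive prompts the post describes.
make_ca() {
    dir=$1; cn=$2
    mkdir -p "$dir"
    openssl req -x509 -newkey rsa:4096 -nodes -days 3650 \
        -keyout "$dir/cakey.pem" -out "$dir/cacert.pem" \
        -subj "/C=CN/O=benet/CN=$cn" >/dev/null 2>&1
}

# issue_server_cert DIR HOST : key + CSR for nginx (steps 4 and 5), then
# signing by the CA (step 6). The post uses 'openssl ca'; this example uses
# 'openssl x509 -req -CA' so that no index.txt/serial layout is required.
issue_server_cert() {
    dir=$1; host=$2
    mkdir -p "$dir/ssl"
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$dir/ssl/nginx.key" -out "$dir/ssl/nginx.csr" \
        -subj "/C=CN/O=benet/CN=$host" >/dev/null 2>&1
    # Docker clients based on current Go ignore the Common Name and require
    # a subjectAltName, so the host name goes into the SAN extension as well.
    printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$host" \
        > "$dir/ssl/nginx.ext"
    openssl x509 -req -days 825 -in "$dir/ssl/nginx.csr" \
        -CA "$dir/cacert.pem" -CAkey "$dir/cakey.pem" -CAcreateserial \
        -extfile "$dir/ssl/nginx.ext" -out "$dir/ssl/nginx.crt" >/dev/null 2>&1
}

# check_server_cert DIR HOST : 0 only if nginx.crt chains to cacert.pem and
# carries HOST in its SAN (the post's "view the generated certificate", automated).
check_server_cert() {
    dir=$1; host=$2
    openssl verify -CAfile "$dir/cacert.pem" "$dir/ssl/nginx.crt" >/dev/null 2>&1 || return 1
    openssl x509 -in "$dir/ssl/nginx.crt" -noout -text | grep -q "DNS:$host" || return 1
}

# Demo in a temporary directory
work=$(mktemp -d)
make_ca "$work" "benet private CA"
issue_server_cert "$work" docker.benet.com
if check_server_cert "$work" docker.benet.com; then
    echo "nginx.crt is valid for docker.benet.com and chains to cacert.pem"
fi
```

On the real host, copy cacert.pem, ssl/nginx.key and ssl/nginx.crt into the /etc/pki/CA layout the post uses; cakey.pem is the CA private key and should stay off the nginx host if the CA is ever moved to a separate machine.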

Install, configure and run nginx

(1) Add the group and user

Compile and install nginx:

--user=USER sets the user the program runs as (www)

--group=GROUP sets the group the program runs as (www)

--prefix=PATH sets the installation directory

--with-pcre enables the PCRE library; nginx's Rewrite module and HTTP core module use PCRE regular expressions

--with-http_stub_status_module enables the NginxStatus function, used to monitor the current status of nginx

--with-http_ssl_module enables the SSL module so that web pages can be served over HTTPS

--with-http_realip_module enables Real IP support, which reads the real client IP address from the request headers

--with-http_addition_module enables the Addition module, which can append or prepend data to the response body

--with-http_flv_module enables ngx_http_flv_module, which provides server-side pseudo-streaming support for Flash Video (FLV) files

Edit the nginx configuration file

Syntax check: confirm it reports OK

Start nginx and check that port 443 is listening for HTTPS.
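The post says to edit the nginx configuration but does not show it. Below is an added example, not from the original post, of the server block that terminates HTTPS on port 443 and proxies the registry listening on port 5000, written as a shell function so the file can be generated and checked without root. The certificate paths follow the post's /etc/pki/CA/ssl layout; the output path and host name are parameters and are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original post: nginx reverse proxy for a Docker
# registry (v2 API) behind HTTPS on 443. Assumptions (constructed): output path,
# host name and certificate paths are passed in as parameters.
set -eu

# write_registry_conf OUT HOST CERT KEY
write_registry_conf() {
    out=$1; host=$2; cert=$3; key=$4
    cat > "$out" <<EOF
upstream docker-registry {
    server 127.0.0.1:5000;
}

server {
    listen 443 ssl;
    server_name $host;

    ssl_certificate     $cert;
    ssl_certificate_key $key;
    # nginx 1.6 with OpenSSL 1.0.x: allow TLS 1.2 only, no SSLv3 or TLS 1.0
    ssl_protocols TLSv1.2;
    ssl_prefer_server_ciphers on;

    # image layers are large: do not cap uploads, keep chunked request bodies
    client_max_body_size 0;
    chunked_transfer_encoding on;

    location /v2/ {
        proxy_pass http://docker-registry;
        # forward the client address and scheme so the registry builds correct URLs
        proxy_set_header Host              \$http_host;
        proxy_set_header X-Real-IP         \$remote_addr;
        proxy_set_header X-Forwarded-For   \$proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto \$scheme;
        proxy_read_timeout 900;
    }
}
EOF
}

# check_registry_conf FILE : directive check for the generated file. It is not
# a substitute for 'nginx -t', which must be run after the file is included
# from nginx.conf; it catches the mistakes that matter for the registry.
check_registry_conf() {
    file=$1
    for d in 'listen 443 ssl' 'ssl_certificate ' 'ssl_certificate_key' \
             'client_max_body_size 0' 'proxy_pass http://docker-registry'; do
        grep -qF "$d" "$file" || { echo "missing directive: $d" >&2; return 1; }
    done
    # a plain-HTTP listener in front of the registry would bypass the CA setup
    if grep -Eq 'listen[[:space:]]+80' "$file"; then
        echo "plain-HTTP listener found" >&2
        return 1
    fi
    return 0
}

# Demo: generate the file in a temporary directory and check it
work=$(mktemp -d)
write_registry_conf "$work/registry.conf" docker.benet.com \
    /etc/pki/CA/ssl/nginx.crt /etc/pki/CA/ssl/nginx.key
if check_registry_conf "$work/registry.conf"; then
    echo "registry.conf: required directives present"
fi
```

Because nginx is the only intended entry point, the registry container in step 3) is best published on loopback only (docker run -p 127.0.0.1:5000:5000 ...), so that port 5000 is not reachable from other hosts without TLS.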

2) Configure and run Docker

(1) Stop docker

(2) Edit the /etc/sysconfig/docker file and add the following line

DOCKER_OPTS="--insecure-registry docker.benet.com --tlsverify --tlscacert /etc/pki/CA/cacert.pem"

(3) Copy the root certificate to the /etc/docker/certs.d/docker.benet.com/ directory

mkdir -p /etc/docker/certs.d/docker.benet.com

cp /etc/pki/CA/cacert.pem /etc/docker/certs.d/docker.benet.com/ca-certificates.crt

(4) Start docker

3) Run the private registry container

Run the registry image, obtained from the official repository, to build the private registry.

For example, the directory /opt/data/registry is used as the storage location of the private registry.

Run the private registry container

The -v parameter stores the image files locally under the specified path; in the example above, uploaded images are placed in the /opt/data/registry directory.

-p (lowercase) maps port 5000 of the container to port 5000 of the host.

4) Verify the registry:

curl -I -k https://docker.benet.com

Docker client configuration

(1) Edit /etc/hosts and add the IP address of docker.benet.com

(2) Append the root certificate of the Docker registry server to the ca-certificates.crt file

First copy the file /etc/pki/CA/cacert.pem from the Docker registry server to the local machine, then run:

cat ./cacert.pem >> /etc/pki/tls/certs/ca-certificates.crt

(3) Verify the registry at docker.benet.com:

Note: before this step, turn off the firewall or open ports 5000 and 443; otherwise the firewall blocks the connection.
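The daemon configuration in 2) steps (2) and (3), the client trust step (2) above and the verification in 4) all come down to one question: does Docker trust the private CA for docker.benet.com without switching verification off? The added example below, which is not from the original post, does the trust step the way the daemon reads it (a ca.crt file under certs.d, which the daemon applies to that registry only), flags a DOCKER_OPTS line that marks the host as an insecure registry (that flag lets the daemon fall back to plain HTTP or an unverified certificate, which undoes the CA setup; --tlsverify and --tlscacert apply to the daemon's own API socket, not to registries), and verifies the registry with curl --cacert instead of -k, which skips certificate checking. Paths are parameters so the script runs unprivileged; the certificate content in the demo is constructed and not a real certificate.

```shell
#!/bin/sh
# Added example, not from the original post: install the registry CA where the
# Docker daemon looks for it, audit the daemon options, verify the registry
# over HTTPS with certificate checking on. Assumptions (constructed): the
# Docker config root and the CA path are parameters; on a real host they are
# /etc/docker and /etc/pki/CA/cacert.pem as in the post.
set -eu

# trust_registry_ca DOCKER_ETC HOST CACERT : copy the CA to
# DOCKER_ETC/certs.d/HOST/ca.crt. Docker trusts every *.crt in that directory
# for that registry host only, so --insecure-registry is not needed.
trust_registry_ca() {
    etc=$1; host=$2; cacert=$3
    # refuse anything that is not a PEM certificate
    grep -q 'BEGIN CERTIFICATE' "$cacert" || return 1
    mkdir -p "$etc/certs.d/$host"
    cp "$cacert" "$etc/certs.d/$host/ca.crt"
}

# audit_docker_opts FILE HOST : 1 if FILE marks HOST as an insecure registry.
# The post's DOCKER_OPTS line does this; with the CA in certs.d it should go.
audit_docker_opts() {
    file=$1; host=$2
    if grep -Eq -- "-{1,2}insecure-registry[= ]+$host" "$file"; then
        echo "warning: $host is listed as insecure-registry in $file" >&2
        return 1
    fi
    return 0
}

# verify_registry HOST CACERT : the post's 'curl -I -k', with -k replaced by
# --cacert and /v2/ queried because that is the registry API root. Needs
# network access to the registry, so the demo below does not call it.
verify_registry() {
    host=$1; cacert=$2
    curl -sS -I --cacert "$cacert" "https://$host/v2/"
}

# Demo on a temporary tree with a constructed, non-functional certificate file
work=$(mktemp -d)
printf -- '-----BEGIN CERTIFICATE-----\nMIIBconstructedPlaceholder\n-----END CERTIFICATE-----\n' \
    > "$work/cacert.pem"
trust_registry_ca "$work/docker" docker.benet.com "$work/cacert.pem"
printf 'DOCKER_OPTS="--insecure-registry docker.benet.com"\n' > "$work/docker.sysconfig"
if audit_docker_opts "$work/docker.sysconfig" docker.benet.com; then
    echo "daemon options ok"
else
    echo "fix: drop --insecure-registry; trust comes from $work/docker/certs.d/docker.benet.com/ca.crt"
fi
```

On the client host the same trust_registry_ca call replaces appending cacert.pem to the system-wide ca-certificates.crt: the system bundle is read by curl and other tools, but the Docker daemon decides registry trust from certs.d.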

(4) Steps for using the private registry:

You can log in interactively with the docker login command and enter a user name and password, or pass them on the command line:

Login: docker login -u lxftest -p pwd123 -e "lxf@benet.com" https://docker.benet.com

Pull a test image from Docker Hub and tag it as the base image:

docker tag centos:centos6 docker.benet.com/centos:centos6

Publish: upload the image to the local private registry with docker push followed by the full image name

docker push docker.benet.com/centos:centos6

Download an image from the private registry: the pull command is docker pull followed by the full image name

On the server side, check whether the corresponding image exists in the private registry.

Advantages and disadvantages of a private registry:

Disadvantages:

The server can log in to the official Docker Hub and can pull from and push to both official and private repositories.

The client can only operate on the private registry that was set up.

The private registry cannot be searched.

Advantages:

All build, pull and push operations can only be performed on the server side of the private registry, which reduces enterprise risk.
