2025-01-17 Update From: SLTechnology News&Howtos shulou NAV: SLTechnology News&Howtos > Servers >
Shulou(Shulou.com)06/01 Report--
This article shares how to build a private Docker registry on an internal network. The editor thinks it is very practical, so it is shared here as a reference; follow along to have a look.
How to build a private Docker registry on an internal network, as follows:
Main ideas:
1. Docker Registry description
There have been many articles on how to create and use a local repository. Because Docker is still developing and changing rapidly, some of those articles are either outdated or misconfigured, so following them fails to produce a working repository. This article records one complete, personally verified build, using Docker version 1.1.2.
Docker officially provides the Docker Hub website as a public, centralized registry. However, access to Docker Hub from a local network is often slow, and most of the time what we need is a local private registry for internal use only.
A Docker registry actually provides two functions: image management and authentication. The former is implemented mainly by the docker-registry project, which handles uploads and downloads over an HTTP service; the latter can be handled by the docker-index project (closed source) or by putting an off-the-shelf authentication layer such as nginx in front of the HTTP requests.
Since docker-registry is itself just a piece of software, the easiest way is to use the official, already-built registry image. The official documentation suggests running sudo docker run -p 5000:5000 registry directly. This does start a registry server, but all uploaded images are then managed by the Docker container and stored somewhere under /var/lib/docker/..., and once the container is deleted the images are deleted with it. Therefore we need a way to tell Docker where the container should store its images. Inside the registry image the default image location after startup is /tmp/registry, so you can map this location directly, for example to the local /opt/data/registry directory.
2. Build a private Docker registry on CentOS
2.1 install docker-registry
There are several ways to do this. The simplest is to run the following command directly:
# docker run -d -e SETTINGS_FLAVOR=dev -e STORAGE_PATH=/tmp/registry -v /opt/data/registry:/tmp/registry -p 5000:5000 registry
If the registry image has not been pulled locally yet, the first run will pull it, and the storage path and port are mapped at run time. Afterwards you can see which images exist in the private registry by looking in /opt/data/registry, and reach it on port 5000 of the host.
You can also clone the project https://github.com/docker/docker-registry.git locally and build the image from its Dockerfile:
# git clone https://github.com/docker/docker-registry.git
# cd docker-registry && mkdir -p /opt/data/registry
# docker build -t "local-sean" .
After the build is complete, you can run the docker-registry.
Let's first configure our own config.yml file; the alternative is to pass the variables directly on the docker run command line.
# cp config/config_sample.yml /opt/data/registry/config.yml
# vi /opt/data/registry/config.yml
## here you can set the local storage settings, e.g. the dev flavor (SETTINGS_FLAVOR=dev) with storage_path /tmp/registry, and so on
# docker run -d -v /opt/data/registry:/tmp/registry -p 5000:5000 -e DOCKER_REGISTRY_CONFIG=/tmp/registry/config.yml registry
or
# docker run -d -e SETTINGS_FLAVOR=dev -e STORAGE_PATH=/tmp/registry -v /db/docker-images:/tmp/registry -p 5000:5000 registry
2.2 client usage
To pull from or push to the private registry, simply put the registry's address and port in front of the repository name, for example 172.29.88.222:5000/centos6. Note that instead of an IP you can use a hostname such as registry.domain.com:5000, but not a bare hostname without a port: Docker would treat registry as a user name. It is recommended to use a fully qualified hostname plus port.
Then, on another host that wants to use Docker, you can pull and push images through this private registry:
Search for available images on the private registry:
# curl -X GET http://sean.domain.com:5000/v1/search
{"num_results": 2, "query": "", "results": [{"description": "", "name": "library/centos6"}, {"description": "", "name": "library/nginx"}]}
Search by keyword:
# curl -X GET "http://sean.domain.com:5000/v1/search?q=centos6"
Pull an image locally, then tag it for the private registry and push it:
# docker pull library/centos6
## work on the local image (e.g. start a container from it), then give the resulting image another name
# docker tag 68edf809afe7 registry.domain.com:5000/centos6-test
## finally push the new image to the private registry
# docker push registry.domain.com:5000/centos6-test
The first time you push to the private registry you will be prompted for a user name, password and e-mail, which you can create on the spot. You can also add an authentication mechanism in front of the private registry.
3. Add nginx authentication
(Please read this whole section before actually doing it, and then decide whether to put nginx in front.)
3.1 install and configure nginx
As the process above shows, unless a firewall restricts it, any host can create an account and push images to the private registry. It is more secure to add a login authentication layer on the outside.
It is best to install version 1.4.x; otherwise some of the configuration below may not be supported.
# yum install nginx
Create two login users:
# htpasswd -c /etc/nginx/docker-registry.htpasswd sean
New password:
Re-type new password:
Adding password for user sean
# htpasswd /etc/nginx/docker-registry.htpasswd itsection
For nginx to use this password file and forward requests from port 8080 to the Docker registry, add the nginx configuration file
vi /etc/nginx/sites-enabled/docker-registry:
# For versions of Nginx > 1.3.9 that include chunked transfer encoding support
# Replace with appropriate values where necessary

upstream docker-registry {
  server localhost:5000;
}

server {
  listen 8080;
  server_name sean.domain.com;   # -- your registry server_name

  # ssl on;
  # ssl_certificate /etc/ssl/certs/docker-registry;
  # ssl_certificate_key /etc/ssl/private/docker-registry;

  proxy_set_header Host $http_host;         # required for Docker client sake
  proxy_set_header X-Real-IP $remote_addr;  # pass on real client IP

  client_max_body_size 0;  # disable any limits to avoid HTTP 413 for large image uploads

  # required to avoid HTTP 411: see Issue #1486 (https://github.com/dotcloud/docker/issues/1486)
  chunked_transfer_encoding on;

  location / {
    # let Nginx know about our auth file
    auth_basic "Restricted";
    auth_basic_user_file docker-registry.htpasswd;
    proxy_pass http://docker-registry;
  }

  location /_ping {
    auth_basic off;
    proxy_pass http://docker-registry;
  }

  location /v1/_ping {
    auth_basic off;
    proxy_pass http://docker-registry;
  }
}
Let nginx use this virtual host:
# ln -s /etc/nginx/sites-enabled/docker-registry /etc/nginx/conf.d/docker-registry.conf
Restart nginx to activate the virtual host configuration:
# service nginx restart
3.2 use docker-registry after adding authentication
At this point, access to port 5000 of the host should be blocked by the firewall (or, when mapping the port in docker run, bind only to the loopback interface with -p 127.0.0.1:5000:5000).
# curl localhost:5000
"docker-registry server (dev) (v0.8.1)"
If you access nginx directly, you get an unauthorized response:
# curl localhost:8080
401 Authorization Required
401 Authorization Required
nginx/1.4.7
Using the registry with user authentication:
# curl http://sean:sean@sean.domain.com:8080/v1/search
{"num_results": 2, "query": "", "results": [{"description": "", "name": "library/centos6"}, {"description": "", "name": "library/nginx"}]}
# docker login registry.domain.com:8080
Username: sean
Password:
Email: zhouxiao@domain.com
Login Succeeded
# docker pull registry.domain.com:8080/library/centos6
As it turns out, the above docker pull fails:
# docker pull registry.domain.com:8080/library/centos6
Pulling repository registry.domain.com:8080/library/centos6
2014/11/11 21:00:25 Could not reach any registry endpoint
# docker push registry.domain.com:8080/ubuntu:sean
The push refers to a repository [registry.domain.com:8080/ubuntu] (len: 1)
Sending image list
Pushing repository registry.domain.com:8080/ubuntu (1 tags)
2014/11/12 08:11:32 HTTP code 401, Docker will not send auth headers over HTTP.
And in the nginx log:
2014/11/12 07:03:49 [error] 14898#0: *193 no user/password was provided for basic authentication, "GET /v1/repositories/library/centos6/tags HTTP/1.1", host: "registry.domain.com:8080"
This problem does not appear in the first reference document listed after this article, but it is mentioned in its comments.
Some people say it is a problem with the backend storage, but this is a local storage image, so that should not apply. After consulting a large amount of material and repeatedly testing, it turns out to be a docker-registry version issue. Starting from v0.10.0, the login information stored under ~/.dockercfg is no longer allowed to be transmitted over plaintext HTTP: docker login still reports Login Succeeded, but pull and push do not send the credentials. (If you like, check the source file registry.go of v0.10.0; in branch v0.9.1 and earlier there is no "HTTP code 401, Docker will not send auth headers over HTTP" message.)
At present, there are three ways:
Step back, which is why we explained at the start of this section that you should read it before acting.
Downgrade to v0.9.1 or below. Now that it is v1.3.1, I guess you won't do that.
Modify the source file session.go, remove the corresponding check, then rebuild and reinstall. I guess you wouldn't do that either.
Install an SSL certificate and use HTTPS transport. This is the wise choice, and the new Docker version recommends the same. Read on.
3. Install ssl certificates for nginx
First uncomment the three ssl lines in the nginx configuration file:
# vi /etc/nginx/conf.d/docker-registry.conf
...
server {
  listen 8000;
  server_name registry.domain.com;
  ssl on;
  ssl_certificate /etc/nginx/ssl/nginx.crt;
  ssl_certificate_key /etc/nginx/ssl/nginx.key;
...
After saving, nginx reads the SSL certificate and private key from /etc/nginx/ssl/nginx.crt and /etc/nginx/ssl/nginx.key respectively. If you are willing to pay for an SSL certificate, it is very easy: just copy the certificate and private key to the paths above. For information about SSL and signing SSL certificates, please refer to other articles.
Here we sign the SSL certificate ourselves and use the current system as a (private) certificate authority (CA).
Create the directory where the certificates are stored:
# mkdir /etc/nginx/ssl
Check some of the CA configuration:
# vi /etc/pki/tls/openssl.cnf
...
[ CA_default ]
dir             = /etc/pki/CA             # Where everything is kept
certs           = $dir/certs              # Where the issued certs are kept
crl_dir         = $dir/crl                # Where the issued crl are kept
database        = $dir/index.txt          # database index file.
#unique_subject = no                      # Set to 'no' to allow creation of
                                          # several certificates with same subject.
new_certs_dir   = $dir/newcerts           # default place for new certs.
certificate     = $dir/cacert.pem         # The CA certificate
serial          = $dir/serial             # The current serial number
crlnumber       = $dir/crlnumber          # the current crl number
                                          # must be commented out to leave a V1 CRL
crl             = $dir/crl.pem            # The current CRL
private_key     = $dir/private/cakey.pem  # The private key
RANDFILE        = $dir/private/.rand      # private random number file
...
default_days    = 3650                    # how long to certify for
...
[ req_distinguished_name ]
countryName                 = Country Name (2 letter code)
countryName_default         = CN
countryName_min             = 2
countryName_max             = 2
stateOrProvinceName         = State or Province Name (full name)
stateOrProvinceName_default = GD
...
The [req_distinguished_name] section mainly holds the default values offered when a certificate is requested; it can be left unchanged.
(1) generate the root key
# cd /etc/pki/CA/
# openssl genrsa -out private/cakey.pem 2048
For security reasons, change the permissions of the cakey.pem private key file to 600 or 400, or generate it in a sub-shell with a restrictive umask: (umask 077; openssl genrsa -out private/cakey.pem 2048). This will not be repeated below.
(2) generate the root certificate
# openssl req -new -x509 -key private/cakey.pem -out cacert.pem
You will be prompted for some input; because this is a private CA you can answer freely, but it is best to remember the answers and stay consistent later. The self-signed certificate cacert.pem above should be generated under /etc/pki/CA.
(3) generate the SSL key for our nginx web server
# cd /etc/nginx/ssl
# openssl genrsa -out nginx.key 2048
Here our CA is on the same machine as the server that will request the certificate; otherwise this step is done on the server that needs the certificate.
(4) generate a certificate signing request for nginx
# openssl req -new -key nginx.key -out nginx.csr
...
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:GD
Locality Name (eg, city) []:SZ
Organization Name (eg, company) [Internet Widgits Pty Ltd]:COMPANY
Organizational Unit Name (eg, section) []:IT_SECTION
Common Name (e.g. server FQDN or YOUR name) []:your.domain.com
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
...
You will again be prompted for input. Anything goes, except that Common Name must be the domain name or host name of the server the certificate is for, and the challenge password should be left empty.
(5) the private CA issues the certificate from the request
# openssl ca -in nginx.csr -out nginx.crt
In fact the signing above implicitly uses -cert cacert.pem -keyfile private/cakey.pem, taken from the [CA_default] section of openssl.cnf; these are the root certificate and root key under /etc/pki/CA generated in the first two steps.
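Steps (1) to (5) as one non-interactive script, added here as an example and not part of the original article: it signs with openssl x509 -req -CA instead of openssl ca (so no /etc/pki/CA database is needed), adds a subjectAltName because newer Docker clients ignore the Common Name, and ends with a verification step that checks the chain against our own CA. The directory layout, subject values and host name are assumptions.

```shell
#!/bin/sh
# Build a private CA and a server certificate for the registry host,
# then verify the result. Example code, not the article's own commands.
set -eu

# make_registry_pki DIR HOSTNAME
# creates DIR/ca/cacert.pem (root) and DIR/ssl/nginx.{key,csr,crt} (server)
make_registry_pki() {
  dir=$1; host=$2
  mkdir -p "$dir/ca/private" "$dir/ssl"

  # (1) root key, generated under umask 077 so it is never world-readable
  (umask 077; openssl genrsa -out "$dir/ca/private/cakey.pem" 2048 2>/dev/null)

  # (2) self-signed root certificate, 3650 days like default_days in openssl.cnf
  openssl req -new -x509 -days 3650 -key "$dir/ca/private/cakey.pem" \
    -subj "/C=CN/ST=GD/L=SZ/O=COMPANY/OU=IT_SECTION/CN=Private Docker CA" \
    -out "$dir/ca/cacert.pem"

  # (3) server key for nginx
  (umask 077; openssl genrsa -out "$dir/ssl/nginx.key" 2048 2>/dev/null)

  # (4) CSR whose Common Name is the registry host name
  openssl req -new -key "$dir/ssl/nginx.key" \
    -subj "/C=CN/ST=GD/L=SZ/O=COMPANY/OU=IT_SECTION/CN=$host" \
    -out "$dir/ssl/nginx.csr"

  # (5) the CA signs the request, constrained to a TLS server cert for this name
  printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n' \
    "$host" > "$dir/ssl/nginx.ext"
  openssl x509 -req -days 3650 -in "$dir/ssl/nginx.csr" \
    -CA "$dir/ca/cacert.pem" -CAkey "$dir/ca/private/cakey.pem" -CAcreateserial \
    -extfile "$dir/ssl/nginx.ext" -out "$dir/ssl/nginx.crt" 2>/dev/null
}

# verify_registry_cert DIR HOSTNAME
# prints OK when the server cert chains to our CA, names HOSTNAME in its SAN
# and is not itself a CA; otherwise prints FAIL <reason> and returns 1
verify_registry_cert() {
  dir=$1; host=$2
  out=$(openssl verify -CAfile "$dir/ca/cacert.pem" "$dir/ssl/nginx.crt" 2>&1 || true)
  case $out in *": OK") ;; *) echo "FAIL chain"; return 1;; esac
  text=$(openssl x509 -in "$dir/ssl/nginx.crt" -noout -text)
  case $text in *"DNS:$host"*) ;; *) echo "FAIL san"; return 1;; esac
  case $text in *"CA:FALSE"*) ;; *) echo "FAIL ca-flag"; return 1;; esac
  echo OK
}
```

Copy DIR/ssl/nginx.crt and nginx.key to /etc/nginx/ssl as configured above, and keep DIR/ca/cacert.pem for the clients that must trust the registry.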
At this point we have all the files needed for a secure SSL connection, and the server's crt and key are in the configured directory, but where CentOS 6 expects the root certificate cacert.pem to be placed is unclear.
It has been verified that the following locations do not work (for adding a trusted root certificate to the server):
/etc/pki/ca-trust/source/anchors, /etc/pki/ca-trust/source, /etc/pki/ca-trust/extracted,
/etc/pki/ca-trust/extracted/pem/, /etc/pki/tls/certs/cacert.crt
They all still produce the error:
# docker login https://registry.domain.com:8000
Username (sean): sean
2014/11/14 02:32:48 Error response from daemon: Invalid Registry endpoint: Get https://registry.domain.com:8000/v1/_ping: x509: certificate signed by unknown authority
# curl https://sean:sean@registry.domain.com:8000/
curl: (60) Peer certificate cannot be authenticated with known CA certificates
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.
(6) currently, there is only one way to make the root certificate take effect:
# cp /etc/pki/tls/certs/ca-bundle.crt{,.bak}    # back up first in case of mistakes
# cat /etc/pki/CA/cacert.pem >> /etc/pki/tls/certs/ca-bundle.crt
# curl https://sean:sean@registry.domain.com:8000
"docker-registry server (dev) (v0.8.1)"
Be sure to restart the Docker daemon after appending the cacert.pem root certificate to ca-bundle.crt.
If docker login still reports certificate signed by unknown authority, refer to "Running Docker with https" and specify the trusted CA root certificate when starting the Docker daemon:
# docker -d --tlsverify --tlscacert /etc/pki/CA/cacert.pem
or copy cacert.pem to ~/.docker/ca.pem:
# mkdir ~/.docker && cp /etc/pki/CA/cacert.pem ~/.docker/ca.pem
# docker -d
It is best to restart the registry container as well:
# docker restart <registry container id>
The word "if" is used above because at first it always reported certificate signed by unknown authority. Some people say to put the root certificate under /etc/docker/certs.d, others say to start the Docker daemon with --insecure-registry, but in the end none of that worked, because of version differences. Then, miraculously, it worked without --tlscacert at all.
I struggled with this for a long time, so pay attention to the following issues:
https://github.com/docker/docker-registry/issues/82
https://github.com/docker/docker/pull/2687
https://github.com/docker/docker/pull/2339
(7) finally:
# docker login https://registry.domain.com:8000
Username: sean
Password:
Email: zhouxiao@domain.com
Login Succeeded
# curl https://sean:sean@registry.domain.com:8000
"docker-registry server (dev) (v0.8.1)"
# docker push registry.domain.com:8000/centos6:test_priv
The push refers to a repository [registry.domain.com:8000/centos6] (len: 1)
Sending image list
Pushing repository registry.domain.com:8000/centos6 (1 tags)
511136ea3c5a: Image successfully pushed
5b12ef8fd570: Image successfully pushed
68edf809afe7: Image successfully pushed
40627956f44c: Image successfully pushed
Pushing tag for rev [40627956f44c] on {https://registry.domain.com:8000/v1/repositories/centos6/tags/test_priv}
However, one small problem remains unsolved. Although everything works normally, nginx's error.log still records [error] 8299#0: *27 no user/password was provided for basic authentication for each request, which should be an unfixed bug in this version of Docker.
3.3 other questions
(1) after the Docker daemon is interrupted unexpectedly, docker start reports an error.
# docker start b36bd796bd3d
Error: Cannot start container b36bd796bd3d: Error getting container b36bd796bd3d463c4fedb70d98621e7318ec3d5cd14b2f60b1d182ad3cbcc652 from driver devicemapper: Error mounting '/dev/mapper/docker-253:0-787676-b36bd796bd3d463c4fedb70d98621e7318ec3d5cd14b2f60b1d182ad3cbcc652' on '/var/lib/docker/devicemapper/mnt/b36bd796bd3d463c4fedb70d98621e7318ec3d5cd14b2f60b1d182ad3cbcc652': device or resource busy
2014/11/08 15:14:57 Error: failed to start one or more containers
After analysis, the cause of this problem was the following sequence of operations: the Docker daemon had been started in the foreground of a terminal, and after pressing Enter its log output seemed to go away. I used yum in that same shell to install packages, but yum got stuck because of the network, so I opened another terminal and killed the yum process, which somehow affected the Docker daemon that had dropped out of the foreground. The solution is to umount the container's mount point: (see here)
# umount /var/lib/docker/devicemapper/mnt/b36bd796bd3d463c4fedb70d98621e7318ec3d5cd14b2f60b1d182ad3cbcc652
# service docker start
After that it starts normally.
Another option is to redirect the output when starting the Docker daemon: docker -d > /dev/null 2>&1 (/var/log/docker is already written automatically).
(2) nginx reports an error on start after adding docker-registry.conf
# service nginx start
[emerg] 14714#0: unknown directive "upstream" in /etc/nginx/conf.d/docker-registry.conf:4
The reason is that the nginx version is too old and does not support some of the directives; yum install nginx installs 1.0.x by default. The fix is to uninstall it and install nginx-1.4.7-1.el6.ngx.x86_64.rpm instead.
(3) network proxy settings
When pulling and pushing images from the official site, a proxy has to be set because of the GFW, but Docker reads HTTP_PROXY, not http_proxy. Setting both at the same time causes problems for Docker, and sometimes an http_proxy set for installing packages leads to conflicts. If we forget which one docker-registry is actually using, we cannot find the cause of the problems, and the errors Docker returns are hard to interpret. Remember this ~
TO-DO
How to delete an image from docker-registry
Thank you for reading! This is the end of the article on "how to build a private Docker registry". I hope the above content is of some help to you and lets you learn something new. If you think the article is good, you can share it for more people to see!
© 2024 shulou.com SLNews company. All rights reserved.