CentOS 7: building a private Docker registry (with Kubernetes)

2025-04-07 Update From: SLTechnology News&Howtos shulou


Shulou(Shulou.com)06/02 Report--

We are used to keeping images in public registries such as Docker Hub and DaoCloud. In an enterprise, however, we often need to build the company's own image registry.

This article explains how to use the registry image provided by Docker to build your own image repository.

Registry without an SSL certificate

Let's use the registry:2.6.2 image to create the Docker registry.

Map port 5000 of the host to port 5000 of the container.

Mount the host's /mnt/registry at /var/lib/registry in the container, which is where the images are stored. This persists the data so that the images are not lost when the container goes down.

mkdir /mnt/registry
docker run -d \
  -p 5000:5000 \
  --restart=always \
  --name registry \
  -v /mnt/registry:/var/lib/registry \
  registry:2.6.2

Docker expects a registry to use SSL/TLS. Since no certificate has been set up for this registry, a parameter has to be added on the Docker client:

vim /etc/sysconfig/docker
# add --insecure-registry=10.34.31.13:5000 under OPTIONS
OPTIONS='--selinux-enabled --log-driver=json-file --signature-verification=false --insecure-registry=10.34.31.13:5000'
# restart docker
systemctl restart docker

We can test that the new registry works:

docker push 10.34.31.13:5000/hello-world:v1

However, a registry of this form is not very usable. If, for example, we have several image registries to use, we need to modify the --insecure-registry parameter frequently.

The following explains how to create a highly available registry that uses the HTTPS protocol.

Create a highly available registry with an SSL certificate

1. Install openssl

yum install -y openssl

2. Modify the openssl.cnf file

vim /etc/pki/tls/openssl.cnf
# find the v3_ca section and add the host's IP address below it
[ v3_ca ]
subjectAltName = IP:10.34.31.13

If this file is not modified, the generated SSL certificate has no IP SAN, and the Docker client reports the following error when it connects:

x509: cannot validate certificate 10.34.31.13 because it doesn't contain any IP SANs

3. Generate the SSL certificate

mkdir /certs
openssl req -newkey rsa:4096 -nodes -sha256 \
  -keyout /certs/domain.key -x509 -days 1000 \
  -out /certs/domain.cert
# Fill in the prompts as follows; in the Common Name field, enter the registry address
Country Name (2 letter code) [AU]: CN
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []: 10.34.31.13:5000
Email Address []:

4. Create the Docker registry

# Startup is the same as above, except that the /certs folder is mounted
# and two certificate parameters are added
docker run -d \
  --restart=always \
  --name registry \
  -v /certs:/certs \
  -v /var/lib/registry:/var/lib/registry \
  -e REGISTRY_HTTP_ADDR=0.0.0.0:5000 \
  -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.cert \
  -e REGISTRY_HTTP_TLS_KEY=/certs/domain.key \
  -p 5000:5000 \
  registry:2.6.2

5. Configure the Docker client

# Every machine that will use this registry is configured like this on the client side:
mkdir /etc/docker/certs.d/10.34.31.13:5000
cp /certs/domain.cert /etc/docker/certs.d/10.34.31.13:5000/ca.crt
# now test
docker push 10.34.31.13:5000/hello-world:v1
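As an added example (not part of the original article), the following script produces the same kind of self-signed certificate as steps 2 and 3 above without editing the global /etc/pki/tls/openssl.cnf: it writes the subjectAltName into a private config file, then checks that the resulting certificate really carries the IP SAN that the Docker client insists on and that it validates against itself as a CA, which is the trust relationship used when the file is dropped into certs.d as ca.crt. The IP 10.34.31.13 is the article's; the output directory, file names and the 2048-bit key size are assumptions made for this example.

```shell
# Generate a self-signed registry certificate whose subjectAltName carries the
# registry IP, using a private openssl config instead of the system-wide one.
# $1 = output directory, $2 = registry IP (example values, chosen by the caller)
gen_registry_cert() {
  dir="$1"; ip="$2"
  mkdir -p "$dir"
  cat > "$dir/san.cnf" <<EOF
[ req ]
distinguished_name = dn
x509_extensions    = v3_ca
prompt             = no
[ dn ]
C  = CN
CN = $ip
[ v3_ca ]
subjectAltName   = IP:$ip
basicConstraints = critical,CA:TRUE
EOF
  # rsa:2048 keeps the example fast; the article uses rsa:4096 (assumption, not the article's value)
  openssl req -newkey rsa:2048 -nodes -sha256 -x509 -days 1000 \
    -config "$dir/san.cnf" \
    -keyout "$dir/domain.key" -out "$dir/domain.cert" 2>/dev/null
}

# Return 0 if the certificate lists the expected IP SAN, 1 otherwise.
# A certificate that fails this check is exactly the one that produces the
# "doesn't contain any IP SANs" error on the Docker client.
cert_has_ip_san() {
  openssl x509 -in "$1" -noout -text | grep -q "IP Address:$2"
}

# Return 0 if the certificate validates with itself as the CA, which is what
# Docker does once the file is copied to /etc/docker/certs.d/<host:port>/ca.crt.
cert_self_verifies() {
  openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}
```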

Deploy the Docker registry using Kubernetes

The containers above are started directly by Docker. Since I am using a Kubernetes cluster, I want all containers to be managed by Kubernetes.

So I added a worker node to the Kubernetes cluster to act as the image registry for the K8s cluster.

1. Generate the SSL certificate

Generate the SSL certificate on the prepared node as described above.

2. Add a label to the node

Because I only want to run the registry container on this node, I need to label the node so that the K8s deployment can select only this node.

# n3 is the hostname of this node. If the node has no kubectl credentials, run this on the master node.
# The label value is used verbatim by the nodeSelector in dockerhub-dp.yaml.
kubectl label node n3 bind-registry=ture

3. Create the registry directory to persist image data

mkdir /var/lib/registry

4. Deploy the registry. The dockerhub-dp.yaml file is listed at the end of the article.

kubectl create -f dockerhub-dp.yaml

5. Configure the Docker client

This differs slightly from the above: the port is different.

# Every machine that will use this registry is configured like this on the client side
# (the certs.d directory and the ca.crt copy must both use the NodePort, 30003):
mkdir /etc/docker/certs.d/10.34.31.13:30003
cp /certs/domain.cert /etc/docker/certs.d/10.34.31.13:30003/ca.crt

For convenient access, I set the type of the registry Service to NodePort, but K8s restricts this port to 30000 and above, so I set it to 30003 here.

dockerhub-dp.yaml

apiVersion: apps/v1beta2
kind: Deployment
metadata:
  name: docker-local-hub
  namespace: kube-system
  labels:
    app: registry
spec:
  replicas: 1
  selector:
    matchLabels:
      app: registry
  template:
    metadata:
      labels:
        app: registry
    spec:
      containers:
      - name: registry
        image: registry:2.6.2
        ports:
        - containerPort: 5000
        env:
        - name: REGISTRY_HTTP_TLS_CERTIFICATE
          value: "/certs/domain.cert"
        - name: REGISTRY_HTTP_TLS_KEY
          value: "/certs/domain.key"
        volumeMounts:
        - mountPath: /var/lib/registry
          name: docker-hub
        - mountPath: /certs
          name: certs
      nodeSelector:
        bind-registry: "ture"
      volumes:
      - name: docker-hub
        hostPath:
          path: /var/lib/registry
          type: Directory
      - name: certs
        hostPath:
          path: /certs
          type: Directory
---
apiVersion: v1
kind: Service
metadata:
  name: docker-local-hub
  namespace: kube-system
  labels:
    app: registry
spec:
  selector:
    app: registry
  ports:
  - port: 5000
    targetPort: 5000
    nodePort: 30003
  type: NodePort

That is the whole content of this article. I hope it is helpful to your study, and I also hope you will support the site.
