2025-04-02 Update From: SLTechnology News&Howtos
Shulou(Shulou.com) 06/01
This article explains how to deploy a Docker Registry on a local area network (LAN).
Deploying a Docker Registry on the local area network can greatly speed up pulling and pushing images, which shortens automated workflows. It also eases the pressure on limited bandwidth, killing two birds with one stone. This article starts by creating a stand-alone Docker Registry, then builds up to a Registry that is usable across the LAN, and focuses on how to access the Registry by IP address.
Note that this article assumes you have already installed the Docker engine on the OS you are using.
Create a Docker Registry for local use
This is a very simple process, as simple as running a docker container:
$ docker run -d -p 5000:5000 --restart=always --name registry \
    -v `pwd`/registry:/var/lib/registry \
    registry:2
Check whether port 5000 is being listened on:
It looks good. Let's try to push an image into the local Registry.
First, find an image and give it your own tag:
$ docker pull ubuntu
$ docker tag ubuntu localhost:5000/myubuntu:20170520
As we can see from the image above, the two images are exactly the same, except that the name of the tag we created is different.
Next, push the image to the local Registry:
$ docker push localhost:5000/myubuntu:20170520
The figure above shows that the push operation is successful, so take a look at what has happened to the file system:
The directory where the image myubuntu is stored appears in a subdirectory of the ~/registry directory that we mounted, and the image-related data is stored in this directory.
Finally, let's see if we can pull images from our own library. Delete the local image localhost:5000/myubuntu:20170520 first:
$ docker rmi localhost:5000/myubuntu:20170520
Then pull the image from the local library:
$ docker pull localhost:5000/myubuntu:20170520
Is the pull operation successful?
Create a Docker Registry available in the local area network
Can the Registry created above be used in the local area network? Let's do an experiment.
The IP of the machine running Registry is 192.168.171.156. We create the tag on another machine in the LAN and execute the push command:
The push failed! The reason is that, for security, Docker uses the HTTPS protocol by default when pushing images to a Registry on another machine. In other words, to use a Docker Registry across the local area network, we must configure the Registry server to serve HTTPS.
Choose to access registry through an IP address
For various reasons, the author is unable to provide a valid domain name for this Docker Registry server. Fortunately, its IP address is fixed, so the Registry server will be accessed through its IP address. Suppose the IP address of this machine is 10.32.2.140. The following description uses this IP address as the example.
Create a self-signed certificate
Since the Registry is only used on the local area network, it is not worth the effort of buying an HTTPS certificate; generating a self-signed one is enough. There is one drawback: the root certificate has to be installed for the docker daemon on every client, which is described later in this article.
On Ubuntu systems, the following command generates the private key and self-signed certificate in the dcerts directory:
$ openssl req \
    -newkey rsa:4096 -nodes -sha256 \
    -keyout dcerts/domain.key \
    -x509 -days 356 \
    -out dcerts/domain.crt
Note that the dcerts directory must be created under the current directory before executing this command. The details of this command are not explained in this article; interested readers can check the help documentation of the openssl command. One point worth knowing is that -nodes writes the private key to dcerts/domain.key unencrypted, so keep that file readable only by the account that runs the Registry.
When generating the certificate, openssl asks us to enter some information, such as the region, company and department. The most important field is Common Name: if you are generating a certificate for a domain name, this should be your domain name. Since we are using an IP address, it seemed natural to put the IP address here. Unfortunately, this does not work! If we configure the Docker Registry with the certificate generated this way, pull and push operations cannot complete, and the Registry cannot be used on the LAN at all.
This is a subtle openssl configuration problem that appears when an IP address is used as the name of the server. The solution is simple: specify subjectAltName in the configuration file used to generate the certificate. Open the file /etc/ssl/openssl.cnf and add a configuration item in the [v3_ca] section:
subjectAltName = IP:10.32.2.140
Save and exit, and then re-execute the above command to generate the certificate.
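The difference between the two certificates can be checked before the Registry is ever started. The script below is an added example, not part of the original article: it generates one certificate with only the IP in Common Name and one with the IP in subjectAltName, then asks openssl whether each is valid for 10.32.2.140. It assumes a per-certificate req.cnf passed with -config instead of an edited /etc/ssl/openssl.cnf; the file name req.cnf, the section name v3_registry, the temporary directories and the 2048-bit key size are choices made for this example.

```shell
#!/bin/sh
# Added example: compare a CN-only certificate with one carrying an IP subjectAltName.
IP=10.32.2.140   # registry address used in the article

# make_cert <dir> <yes|no>: write a self-signed cert, with or without the IP SAN.
make_cert() {
    dir=$1; with_san=$2
    mkdir -p "$dir"
    {
        printf '[req]\ndistinguished_name = dn\nprompt = no\n'
        printf 'x509_extensions = v3_registry\n'
        printf '[dn]\nCN = %s\n' "$IP"
        printf '[v3_registry]\nbasicConstraints = critical,CA:true\n'
        if [ "$with_san" = yes ]; then
            printf 'subjectAltName = IP:%s\n' "$IP"
        fi
    } > "$dir/req.cnf"
    # Same options as the article's command, plus -config; the 2048-bit key
    # is an assumption made only to keep the demo quick.
    openssl req -newkey rsa:2048 -nodes -sha256 \
        -keyout "$dir/domain.key" \
        -x509 -days 356 -config "$dir/req.cnf" \
        -out "$dir/domain.crt" 2>/dev/null
    chmod 600 "$dir/domain.key"   # -nodes leaves the key unencrypted
}

# ip_ok <crt>: succeed only if the cert validates for $IP when trusted as its own root.
ip_ok() {
    openssl verify -CAfile "$1" -verify_ip "$IP" "$1" 2>/dev/null | grep -q ': OK$'
}

work=$(mktemp -d)
make_cert "$work/cn-only" no
make_cert "$work/with-san" yes
for c in cn-only with-san; do
    if ip_ok "$work/$c/domain.crt"; then r=accepted; else r=rejected; fi
    echo "$c: $r for $IP"
done
```

The IP check looks only at subjectAltName entries, so the CN-only certificate is rejected even though its Common Name is the same address.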
Run the https version of Registry
With the certificate created earlier, we can run the new version of Registry:
$ docker run -d -p 5000:5000 \
    --restart=always \
    --name registry \
    -v `pwd`/dstorage:/var/lib/registry \
    -v `pwd`/dcerts:/certs \
    -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt \
    -e REGISTRY_HTTP_TLS_KEY=/certs/domain.key \
    registry:2
In this command, we mount the directory that holds the certificate to the container's /certs directory. We then set the container's environment variables REGISTRY_HTTP_TLS_CERTIFICATE and REGISTRY_HTTP_TLS_KEY, which point to our certificate file and private key file.
Well, so far the new version of Docker Registry is ready for service.
Set the root certificate on the client side
To be quick, convenient and save money, we did not buy a commercial certificate. The disadvantage of this approach is that the root certificate we generated must be installed on every client that needs to access the Registry server. The steps are as follows:
Copy the previously generated certificate file dcerts/domain.crt to the machine that needs to access the Registry server. Put it in the directory /etc/docker/certs.d/10.32.2.140:5000/ and rename it to ca.crt. This directory has to be created by hand. Finally, restart the docker service:
$ sudo systemctl restart docker.service    # different systems may have different commands to restart the service
Finally, let's push an image into Registry:
Look, redis:3.2 has been tagged as 10.32.2.140:5000/myredis:20170520 and pushed to the Docker Registry server on the local area network.
In order to verify it, let's go to 10.32.2.140 and take a look at the status of the file storage:
We can see from this picture that myredis:20170520 has really been saved to the file system by Registry.