How to set up a Docker private registry on CentOS 7
System configuration: CentOS 7, kernel 3.10.0-229.20.1.el7.x86_64, Docker version 1.8.2
Running the Docker registry
Run the following command:
docker run \
  -d \
  --name private_registry \
  --restart=always \
  -e SETTINGS_FLAVOUR=dev \
  -e STORAGE_PATH=/registry-storage \
  -v /data/docker/private-registry/storage:/registry-storage \
  -u root \
  -p 5000:5000 \
  registry:2
If the registry image is already present locally it starts immediately; otherwise it is pulled from the Docker Hub public registry first. The option -v /data/docker/private-registry/storage:/registry-storage is meant to keep the private registry's image data on the host. Note that SETTINGS_FLAVOUR and STORAGE_PATH are settings of the old registry v1 image; registry:2 ignores them and writes to /var/lib/registry inside the container unless REGISTRY_STORAGE_FILESYSTEM_ROOTDIRECTORY is set to /registry-storage, so after the first push check with docker exec private_registry ls /registry-storage that the data really lands in the bind-mounted directory.
Then run:
docker tag docker.io/docker:1.8 192.168.100.9:5000/docker:1.8
docker push 192.168.100.9:5000/docker:1.8
This fails. The daemon tries HTTPS first, but the registry was started without TLS and answers in plain HTTP, which the TLS client reports as an oversized record:
FATA[0000] Error response from daemon: v1 ping attempt failed with error: Get https://192.168.100.9:5000/v1/_ping: tls: oversized record received with length 20527. If this private registry supports only HTTP or HTTPS with an unknown CA certificate, please add `--insecure-registry 192.168.100.9:5000` to the daemon's arguments. In the case of HTTPS, if you have access to the registry's CA certificate, no need for the flag; simply place the CA certificate at /etc/docker/certs.d/192.168.100.9:5000/ca.crt
The simplest fix is to edit /etc/sysconfig/docker and add INSECURE_REGISTRY='--insecure-registry 192.168.100.9:5000'. On Ubuntu 14.04 the configuration file is /etc/default/docker; add DOCKER_OPTS="--insecure-registry 192.168.100.9:5000" there. After the change, restart Docker and run the registry container again. The drawback is that the private registry is then insecure: with --insecure-registry the daemon falls back to plaintext HTTP, or accepts any certificate, so anyone on the network path can read or tamper with the images in transit. In addition, every machine that will pull from or push to the registry needs the same change to its daemon configuration.
The secure approach is to buy a certificate signed by a CA; here we use a self-signed certificate instead.
Self-signed certificate
First run:
# mkdir -p certs && openssl req \
    -newkey rsa:4096 -nodes -sha256 -keyout certs/domain.key \
    -x509 -days 365 -out certs/domain.crt
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:Beijing
Locality Name (eg, city) []:Beijing
Organization Name (eg, company) [Internet Widgits Pty Ltd]:SERCXTYF
Organizational Unit Name (eg, section) []:IT
Common Name (e.g. server FQDN or YOUR name) []:192.168.100.9:5000
Email Address []:xxx.yyy@ymail.com
This generates the certificate and the private key. (The Common Name should be the bare host without the :5000 port, but as the next error shows, Docker does not match an IP address against the CN anyway.) Next copy the freshly generated certs/domain.crt to /etc/docker/certs.d/192.168.100.9:5000/ca.crt, restart Docker, and start the registry with TLS enabled:
docker run \
  -d \
  --name private_registry \
  --restart=always \
  -e SETTINGS_FLAVOUR=dev \
  -e STORAGE_PATH=/registry-storage \
  -v /data/docker/private-registry/storage:/registry-storage \
  -u root \
  -p 5000:5000 \
  -v /root/certs:/certs \
  -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt \
  -e REGISTRY_HTTP_TLS_KEY=/certs/domain.key \
  registry:2
This should work now, so run:
# docker push 192.168.100.9:5000/docker:1.8
But it still fails:
The push refers to a repository 192.168.100.9:5000/docker:1.8
unable to ping registry endpoint https://192.168.100.9:5000/v0/
v2 ping attempt failed with error: Get https://192.168.100.9:5000/v2/: x509: cannot validate certificate for 192.168.100.9 because it doesn't contain any IP SANs
v1 ping attempt failed with error: Get https://192.168.100.9:5000/v1/_ping: x509: cannot validate certificate for 192.168.100.9 because it doesn't contain any IP SANs
Fix: the Go TLS library that the Docker daemon uses matches an IP address only against the certificate's subjectAltName IP entries, never against the Common Name, so the certificate needs an IP SAN. Edit /etc/pki/tls/openssl.cnf, find the [v3_ca] section (the extension section that openssl req -x509 uses by default), and add the following under it:
[v3_ca]
# Extensions for a typical CA
subjectAltName = IP:123.56.157.144
The address given here must be the one clients will connect to (192.168.100.9 in this walkthrough).
The change to openssl.cnf does not affect a certificate that was already issued, so regenerate it with the openssl req command above, copy the new domain.crt to /etc/docker/certs.d/192.168.100.9:5000/ca.crt again, restart Docker, re-run the registry container so it picks up the new files, and once it is up run:
# docker push 192.168.100.9:5000/docker:1.8
The push refers to a repository [192.168.100.9:5000/docker] (len: 1)
793ab2f3d322: Pushed
e1232be51d09: Pushed
71ef33d4e0e5: Pushed
e9d235d200dc: Pushed
3fb9a265fbfc: Pushed
9f50b4b1f00b: Pushed
413668359dd0: Pushed
da0daae25b21: Pushed
f4fddc471ec2: Pushed
1.8: digest: sha256:28a02a8a50b750a300904b53e802bdf76516d591b2d233ae21cf771b8c776d44 size: 17621
The upload finally succeeds. Now pull the image we just pushed from another machine:
# docker pull 192.168.100.9:5000/docker:1.8
Trying to pull repository 192.168.100.9:5000/docker ... failed
unable to ping registry endpoint https://192.168.100.9:5000/v0/
v2 ping attempt failed with error: Get https://192.168.100.9:5000/v2/: x509: certificate signed by unknown authority
v1 ping attempt failed with error: Get https://192.168.100.9:5000/v1/_ping: x509: certificate signed by unknown authority
Reading the error message carefully, the client simply does not trust the certificate: it is self-signed, so no CA in the client's trust store vouches for it. Copy the certificate generated on 192.168.100.9 to /etc/docker/certs.d/192.168.100.9:5000/ca.crt on the client (the directory name must match the registry address including the port), restart Docker there, and run it again:
# docker pull 192.168.100.9:5000/docker:1.8
1.8: Pulling from docker
9d58b928bc15: Pull complete
dbe7e8a7807c: Pull complete
ce14982b73d4: Pull complete
b9f70905d763: Pull complete
b9c93a2fb3cf: Pull complete
1321a4d5d3ea: Pull complete
5941048a7e27: Pull complete
f57edf7c2e71: Pull complete
5de2ade00f1b: Pull complete
Digest: sha256:28a02a8a50b750a300904b53e802bdf76516d591b2d233ae21cf771b8c776d44
Status: Downloaded newer image for 192.168.100.9:5000/docker:1.8
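The certificate steps above (generating a self-signed certificate, giving it the IP SAN the daemon insists on, checking it, and installing it under /etc/docker/certs.d on each client) collected into one script, as an added example that is not part of the original article. It assumes openssl and curl are installed; the san.cnf file name, the function names, the DN fields other than the CN, the key-size argument and the optional install root used for testing are this example's own choices. Instead of editing the system-wide /etc/pki/tls/openssl.cnf it writes a private config, which also removes the regenerate-and-recopy round trip: the SAN is present from the first issue.

```shell
#!/bin/sh
# Added example (not from the original article): issue a self-signed registry
# certificate with an IP subjectAltName, check it the way a client would, and
# install it where the Docker daemon looks for a registry CA.
# 192.168.100.9:5000 is the registry address used throughout the walkthrough;
# san.cnf, the DN fields other than CN, the BITS argument and the ROOT
# argument are assumptions made for this example.
set -eu

# make_registry_cert DIR IP [BITS]
# Writes DIR/domain.key and DIR/domain.crt. A private openssl config is used
# instead of editing /etc/pki/tls/openssl.cnf, so no other certificate issued
# on this host inherits the registry's SAN by accident.
make_registry_cert() {
    dir=$1; ip=$2; bits=${3:-4096}
    mkdir -p "$dir"
    cat > "$dir/san.cnf" <<EOF
[req]
distinguished_name = req_dn
x509_extensions    = v3_registry
prompt             = no

[req_dn]
C  = CN
ST = Beijing
L  = Beijing
O  = Example
OU = IT
CN = $ip

[v3_registry]
# Go (and therefore the Docker daemon) matches an IP literal only against an
# IP SAN, never against the CN, so this is the line that matters.
subjectAltName       = IP:$ip
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, digitalSignature, keyEncipherment, keyCertSign
extendedKeyUsage     = serverAuth
subjectKeyIdentifier = hash
EOF
    openssl req -new -x509 -sha256 -days 365 -nodes \
        -newkey "rsa:$bits" -keyout "$dir/domain.key" \
        -out "$dir/domain.crt" -config "$dir/san.cnf"
    chmod 0600 "$dir/domain.key"
}

# has_ip_san CRT IP  -> prints "yes" or "no"
# The check the daemon effectively performs before it talks to the registry.
has_ip_san() {
    esc=$(printf '%s' "$2" | sed 's/\./\\./g')
    if openssl x509 -in "$1" -noout -text | grep -Eq "IP Address:$esc(,|$)"; then
        echo yes
    else
        echo no
    fi
}

# verify_self_signed CRT
# Mirrors what a client does with /etc/docker/certs.d/<registry>/ca.crt:
# the certificate must validate with itself as the trust anchor.
verify_self_signed() {
    openssl verify -CAfile "$1" "$1" >/dev/null
}

# install_client_ca CRT REGISTRY [ROOT]  -> prints the installed path
# ROOT is only for exercising the function in a scratch directory; omit it on
# a real client. The article restarts Docker after copying the file.
install_client_ca() {
    dest="${3:-}/etc/docker/certs.d/$2"
    mkdir -p "$dest"
    cp "$1" "$dest/ca.crt"
    chmod 0644 "$dest/ca.crt"
    echo "$dest/ca.crt"
}

# probe_registry REGISTRY CA  -> prints the HTTP status of GET /v2/
# 200 means curl validated the certificate (IP SAN included) and the v2 API
# answered; run this from a client before touching its Docker daemon.
probe_registry() {
    curl -sS -o /dev/null -w '%{http_code}' --cacert "$2" "https://$1/v2/"
}

# Usage on the registry host (4096-bit key, as in the article):
#   make_registry_cert certs 192.168.100.9
#   has_ip_san certs/domain.crt 192.168.100.9      # yes
#   verify_self_signed certs/domain.crt
#   install_client_ca certs/domain.crt 192.168.100.9:5000
# then start registry:2 with REGISTRY_HTTP_TLS_CERTIFICATE/KEY pointing at the
# files and repeat install_client_ca with domain.crt on every client.
```

probe_registry is the step the walkthrough lacked: run it with the copied ca.crt on each client and a 200 confirms both the SAN and the trust-store placement before Docker is restarted, so "doesn't contain any IP SANs" and "certificate signed by unknown authority" are caught without a push or pull.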
The private Docker registry is now installed and working. A production deployment needs further configuration (for example authentication and a storage backend); see the Registry Configuration Reference for the details.