Centos 7 docker私有仓库的搭建

Centos 7 docker私有仓库的搭建

Centos 7 docker registry的搭建

系统配置： ​​Centos 7​​​ 内核 ​​3.10.0-229.20.1.el7.x86_64​​​ ， ​​Docker version 1.8.2​​

运行 docker registry

执行下列命令：

docker run / -d / --name private_registry --restart=always / -e SETTINGS_FLAVOUR=dev / -e STORAGE_PATH=/registry-storage / -v /data/docker/private-registry/storage:/registry-storage / -u root / -p 5000:5000 / registry:2

如果本地已有registry镜像，它会直接运行，否则它会到docker hub共有仓库-之后再运行， ​​-v /data/docker/private-registry/storage:/registry-storage​​ 该命令将之后私有仓库的镜像存放到本地。

之后执行：

docker tag docker.io/docker:1.8 192.168.100.9:5000/docker:1.8 docker push 192.168.100.9:5000/docker:1.8

这时会报很多错误：

FATA[0000] Error response from daemon: v1 ping attempt failed with error: Get tls: oversized record received with length 20527/. If this private registry supports only HTTP or HTTPS with an unknown CA certificate,please add `--insecure-registry 192.168.100.9:5000` to the daemon's arguments. In the case of HTTPS, if you have access to the registry's CA certificate, no need for the flag; simply place the CA certificate at /etc/docker/certs.d/192.168.100.9:5000/ca.crt

最简单的解决方法是修改 ​​/etc/sysconfig/docker​​​ 文件添加 ​​INSECURE_REGISTRY='--insecure-registry 192.168.100.9:5000'​​​ , ​​Ubuntu 14.04​​​ 的配置文件在 ​​/etc/default/docker​​​ 在该文件里添加 ​​DOCKER_OPTS="--insecure-registry 192.168.100.9:5000"​​​ ，添加过之后重启 ​​docker​​​ ,重新运行 ​​docker registry​​ 即可生效。这样做的缺点是你的私有仓库不安全，其次，其他要-或者上传镜像的机器都要修改相应的配置文件。

安全的做法是去认证机构购买签名证书，在此我们使用自认证的方式。

自签名认证

首先执行：

# mkdir -p certs && openssl req / -newkey rsa:4096 -nodes -sha256 -keyout certs/domain.key / -x509 -days 365 -out certs/domain.crt Country Name (2 letter code) [AU]:CN State or Province Name (full name) [Some-State]:Beijing Locality Name (eg, city) []:Beijing Organization Name (eg, company) [Internet Widgits Pty Ltd]:SERCXTYF Organizational Unit Name (eg, section) []:IT Common Name (e.g. server FQDN or YOUR name) []:192.168.100.9:5000 Email Address []:xxx.yyy@ymail.com

生成认证证书和密钥。接下来将刚生成的 ​​certs/domain.crt​​​ 复制到 ​​/etc/docker/certs.d/192.168.100.9:5000/ca.crt​​​ ，之后重启 ​​docker​​ 并运行：

docker run / -d / --name private_registry --restart=always / -e SETTINGS_FLAVOUR=dev / -e STORAGE_PATH=/registry-storage / -v /data/docker/private-registry/storage:/registry-storage / -u root / -p 5000:5000 / -v /root/certs:/certs / -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt / -e REGISTRY_HTTP_TLS_KEY=/certs/domain.key / registry:2

这样之后应该可以成功了吧，于是执行：

# docker push 192.168.100.9:5000/docker:1.8

结果它还是报错了：

The push refers to a repository 192.168.100.9:5000/docker:1.8 unable to ping registry endpoint v2 ping attempt failed with error: Get x509: cannot validate certificate for 192.168.100.9 because it doesn't contain any IP SANs v1 ping attempt failed with error: Get x509: cannot validate certificate for 192.168.100.9 because it doesn't contain any IP SANs

解决方法：修改 ​​/etc/pki/tls/openssl-f​​​ 配置，在该文件中找到 ​​[ v3_ca ]​​ ，在它下面添加如下内容：

[ v3_ca ] # Extensions for a typical CA subjectAltName = IP:123.56.157.144

之后再次重启docker,并重新 ​​run registry​​ ，启动成功之后，执行：

# docker push 192.168.100.9:5000/docker:1.8 The push refers to a repository [192.168.100.9:5000/docker] (len: 1) 793ab2f3d322: Pushed e1232be51d09: Pushed 71ef33d4e0e5: Pushed e9d235d200dc: Pushed 3fb9a265fbfc: Pushed 9f50b4b1f00b: Pushed 413668359dd0: Pushed da0daae25b21: Pushed f4fddc471ec2: Pushed 1.8: digest: sha256:28a02a8a50b750a300904b53e802bdf76516d591b2d233ae21cf771b8c776d44 size: 17621

至此，上传终于成功。换台机器-刚上传的镜像：

# docker pull 192.168.100.9:5000/docker:1.8 Trying to pull repository 192.168.100.9:5000/docker ... failed unable to ping registry endpoint v2 ping attempt failed with error: Get x509: certificate signed by unknown authority v1 ping attempt failed with error: Get x509: certificate signed by unknown authority

仔细分析错误信息，发现是没有证书，将在 ​​192.168.100.9​​​ 上生成的证书拷贝到相应的目录下 ​​/etc/docker/certs.d/192.168.100.9:5000/ca.crt​​​ ，拷贝之后重启 ​​docker​​ ，再次执行:

# docker pull 192.168.100.9:5000/docker:1.8 1.8: Pulling from docker 9d58b928bc15: Pull complete dbe7e8a7807c: Pull complete ce14982b73d4: Pull complete b9f70905d763: Pull complete b9c93a2fb3cf: Pull complete 1321a4d5d3ea: Pull complete 5941048a7e27: Pull complete f57edf7c2e71: Pull complete 5de2ade00f1b: Pull complete Digest: sha256:28a02a8a50b750a300904b53e802bdf76516d591b2d233ae21cf771b8c776d44 Status: Downloaded newer image for 192.168.100.9:5000/docker:1.8

至此， ​​docker registry​​​ 私有仓库安装成功。如果要部署到生产环境还需要进一步的配置，具体可以参考 ​​Registry Configuration Reference。​​

版权声明：本文内容由网络用户投稿，版权归原作者所有，本站不拥有其著作权，亦不承担相应法律责任。如果您发现本站中有涉嫌抄袭或描述失实的内容，请联系我们jiasou666@gmail.com 处理，核实后本网站将在24小时内删除侵权内容。