Operating system: CentOS 7.4 x64
iptables must be enabled; before restarting iptables, run:

service iptables save

Install dependencies

yum -y install yum-utils device-mapper-persistent-data lvm2

Add the Docker repository

yum-config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo

Update the operating system

yum -y update

Install Docker CE (community edition)

yum -y install docker-ce

Start docker and enable it at boot

systemctl start docker
systemctl enable docker

Install the private registry

docker run -d -p 5000:5000 --restart=always -v /var/lib/registry:/var/lib/registry --name registry registry:2

Set up this way the registry cannot be used directly, because Docker requires an SSL certificate. Alternatively, Docker can be configured to allow this registry without SSL; after adding the configuration file below, restart docker.

cat /etc/docker/daemon.json
{
  "insecure-registries": ["ip:5000"],
  "max-concurrent-downloads": 10
}

Configure HTTPS for the private registry:

Set up a private CA. Initialize the CA environment: under /etc/pki/CA/ create the certificate index database file index.txt and the serial number file serial, and give the serial number file its initial value.

touch /etc/pki/CA/{index.txt,serial}
echo 01 > /etc/pki/CA/serial

Generate the CA key and save it to /etc/pki/CA/private/cakey.pem

(umask 077; openssl genrsa -out /etc/pki/CA/private/cakey.pem 2048)

Generate the root certificate

openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/cacert.pem -days 3650

Information to fill in:

Country Name (2 letter code) [XX]:*CN*
State or Province Name (full name) []:*Guangdong*
Locality Name (eg, city) [Default City]:*Shenzhen*
Organization Name (eg, company) [Default Company Ltd]:*abc*
Organizational Unit Name (eg, section) []:*ops*
Common Name (eg, your name or your server's hostname) []:*hub.abc.com*
Email Address []:*whour@abc.com*

Make the system trust the root certificate

cat /etc/pki/CA/cacert.pem >> /etc/pki/tls/certs/ca-bundle.crt

Install nginx; with no special requirements it can be installed directly with yum

yum -y install nginx
mkdir -p /home/wwwroot/
mkdir -p /home/wwwlogs/
mkdir -p /usr/local/nginx/
ln -s /etc/nginx /usr/local/nginx/conf

Create an ssl directory to hold the key file and the certificate signing request

mkdir -p /usr/local/nginx/conf/ssl

Create the key file and the certificate signing request (CSR)

(umask 077; openssl genrsa -out /usr/local/nginx/conf/ssl/docker.key 2048)
openssl req -new -key /usr/local/nginx/conf/ssl/docker.key -out /usr/local/nginx/conf/ssl/docker.csr

Enter the following information

Country Name (2 letter code) [XX]:*CN*
State or Province Name (full name) []:*Guangdong*
Locality Name (eg, city) [Default City]:*Shenzhen*
Organization Name (eg, company) [Default Company Ltd]:*abc*
Organizational Unit Name (eg, section) []:*ops*
Common Name (eg, your name or your server's hostname) []:*hub.abc.com*
Email Address []:*whour@abc.com*

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:              *# just press Enter, do not set a password*
An optional company name []:         *# just press Enter, leave it empty*

Sign the request with the CA

openssl ca -in /usr/local/nginx/conf/ssl/docker.csr -out /usr/local/nginx/conf/ssl/docker.crt -days 3650
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Mar 16 07:36:18 2019 GMT
            Not After : Mar 13 07:36:18 2029 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = Guangdong
            organizationName          = abc
            organizationalUnitName    = ops
            commonName                = hub.abc.com
            emailAddress              = whour@abc.com
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                8E:EC:FC:15:36:EF:C0:75:24:4F:C2:60:BC:B2:B3:5A:E0:3E:1F:C0
            X509v3 Authority Key Identifier: 
                keyid:5D:C5:A7:43:63:55:EB:EF:8D:FE:F8:E6:FA:91:FA:5C:F7:6C:03:C0

Certificate is to be certified until Mar 13 07:36:18 2029 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
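The CA initialization, CSR and signing steps above as one non-interactive script, added here as an example (not code from the original post). It uses `openssl x509 -req` instead of `openssl ca` so it does not depend on /etc/pki/tls/openssl.cnf, and it adds a subjectAltName, which Docker clients built with Go 1.15 or later require (they reject certificates that carry the hostname only in CN, as the interactive flow above produces). Directory arguments are assumptions; the post uses /etc/pki/CA, /usr/local/nginx/conf/ssl and hostname hub.abc.com.

```shell
#!/bin/sh
# Added example, not from the original post. Directories and hostname are
# passed as arguments (assumptions); the post uses /etc/pki/CA and
# /usr/local/nginx/conf/ssl with hostname hub.abc.com.
set -eu
SUBJ_BASE="/C=CN/ST=Guangdong/L=Shenzhen/O=abc/OU=ops"

# Initialize the CA directory, its serial file, the CA key and the root cert.
make_ca() {  # make_ca <ca_dir>
    ca="$1"
    mkdir -p "$ca/private"
    touch "$ca/index.txt"
    echo 01 > "$ca/serial"
    (umask 077; openssl genrsa -out "$ca/private/cakey.pem" 2048 2>/dev/null)
    openssl req -new -x509 -days 3650 -key "$ca/private/cakey.pem" \
        -out "$ca/cacert.pem" -subj "$SUBJ_BASE/CN=abc-ca"
}

# Generate the registry key and CSR, then sign the CSR with the CA.
# The SAN extension is what newer Docker clients check the hostname against.
issue_cert() {  # issue_cert <ca_dir> <out_dir> <hostname>
    ca="$1"; out="$2"; host="$3"
    mkdir -p "$out"
    (umask 077; openssl genrsa -out "$out/docker.key" 2048 2>/dev/null)
    openssl req -new -key "$out/docker.key" -out "$out/docker.csr" \
        -subj "$SUBJ_BASE/CN=$host"
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\n' "$host" \
        > "$out/san.ext"
    openssl x509 -req -days 3650 -in "$out/docker.csr" \
        -CA "$ca/cacert.pem" -CAkey "$ca/private/cakey.pem" \
        -CAserial "$ca/serial" -extfile "$out/san.ext" \
        -out "$out/docker.crt" 2>/dev/null
}

# Verify that the issued cert chains to the CA and names the expected host.
verify_cert() {  # verify_cert <ca_dir> <out_dir> <hostname>
    openssl verify -CAfile "$1/cacert.pem" "$2/docker.crt" >/dev/null 2>&1 \
        || return 1
    openssl x509 -in "$2/docker.crt" -noout -text | grep -q "DNS:$3$"
}

if [ $# -eq 3 ]; then   # ./mkcerts.sh <ca_dir> <out_dir> <hostname>
    make_ca "$1"
    issue_cert "$1" "$2" "$3"
    verify_cert "$1" "$2" "$3" && echo "issued $2/docker.crt for $3"
fi
```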

Configure nginx as a reverse proxy for the Docker registry

Add authentication (htpasswd is provided by the httpd-tools package)

htpasswd -cb /usr/local/nginx/conf/docker-registry.htpasswd abc PASSWORD *# in -cb, c creates a new password file; to add further users use -b only*

nginx configuration

upstream docker-registry {
    server 127.0.0.1:5000;
}

server {
    # 'ssl on;' is deprecated; 'listen 443 ssl;' is the equivalent form
    listen       443 ssl;
    server_name  localhost;

    #charset koi8-r;

    #access_log  logs/host.access.log  main;
    ssl_certificate       /usr/local/nginx/conf/ssl/docker.crt;
    ssl_certificate_key   /usr/local/nginx/conf/ssl/docker.key;

    # image layers can be large: no upload size limit, chunked bodies allowed
    client_max_body_size 0;
    chunked_transfer_encoding on;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    add_header 'Docker-Distribution-Api-Version' 'registry/2.0' always;

    # everything else requires basic auth
    location / {
        auth_basic            "Docker registry";
        auth_basic_user_file  /usr/local/nginx/conf/docker-registry.htpasswd;
        proxy_pass            http://docker-registry;
    }
    # health-check endpoints stay unauthenticated
    location /_ping {
        auth_basic off;
        proxy_pass http://docker-registry;
    }
    location /v2/_ping {
        auth_basic off;
        proxy_pass http://docker-registry;
    }
}

For the self-signed certificate to work on a client, the client must be configured to trust that certificate, otherwise it cannot connect to the private registry. Also, because the domain name is not resolvable on the public DNS, add a hosts entry on the client.

echo "yourip hub.abc.com" >> /etc/hosts

Copy the CA certificate files /etc/pki/tls/certs/ca-bundle.crt and /etc/pki/CA/cacert.pem from the CA host to the client (same paths: /etc/pki/tls/certs/ca-bundle.crt and /etc/pki/CA/cacert.pem), and append them to ca-bundle.crt

cat cacert.pem >> /etc/pki/CA/cacert.pem  
cat ca-bundle.crt >> /etc/pki/tls/certs/ca-bundle.crt
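An alternative client-side setup, added here as an example (not code from the original post): Docker reads per-registry CA certificates from /etc/docker/certs.d/<hostname>/ca.crt, which survives update-ca-trust regenerating ca-bundle.crt, and the script refuses to install anything that is not a PEM certificate so the CA private key (cakey.pem) is never copied by mistake. The optional root-directory argument is an assumption used for staging; the post's values are cacert.pem and hub.abc.com.

```shell
#!/bin/sh
# Added example, not from the original post: install the CA certificate on a
# Docker client where the daemon looks it up (/etc/docker/certs.d/<host>/ca.crt)
# instead of appending to ca-bundle.crt. The optional root argument is an
# assumption that lets the script target a staging directory.
set -eu

# Accept only a PEM certificate: the CA private key must never leave the CA host.
is_pem_cert() {  # is_pem_cert <file>
    grep -q '^-----BEGIN CERTIFICATE-----' "$1" \
        && ! grep -q 'PRIVATE KEY-----' "$1"
}

# Place the CA cert where the Docker daemon reads per-registry CAs.
install_registry_ca() {  # install_registry_ca <cacert.pem> <hostname> [root]
    dir="${3:-}/etc/docker/certs.d/$2"
    is_pem_cert "$1" || { echo "refusing $1: not a PEM certificate" >&2; return 1; }
    mkdir -p "$dir"
    cp "$1" "$dir/ca.crt"
    chmod 0644 "$dir/ca.crt"
}

# Add "ip hostname" to the hosts file only if that hostname is not present yet.
add_hosts_entry() {  # add_hosts_entry <ip> <hostname> [hosts_file]
    f="${3:-/etc/hosts}"
    grep -qs "[[:space:]]$2$" "$f" || echo "$1 $2" >> "$f"
}

if [ $# -ge 3 ]; then   # ./trust-registry.sh <cacert.pem> <ip> <hostname> [root]
    install_registry_ca "$1" "$3" "${4:-}"
    add_hosts_entry "$2" "$3" "${4:-}/etc/hosts"
fi
```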

Install Portainer to manage Docker through a web UI

docker run -d -p 9000:9000 -v /var/run/docker.sock:/var/run/docker.sock -v portainer_data:/data portainer/portainer

Open server-ip:9000 in a browser to access it

Last modified: March 30, 2019
