Setting up a private Docker registry on CentOS 7.1
Posted by 涛子GE哥
Companies build images for their own business needs and usually do not want to expose them publicly; in that case it is worth setting up a local private image registry.
There are two ways to set up a registry:
1. Install the Registry image as a container
2. Install it locally
This article installs the registry as a container.
Environment:
IP            | Role                        | OS        |
192.168.0.100 | registry (image registry)   | centos7.1 |
192.168.0.101 | nginx-proxy (reverse proxy) | centos7.1 |
1. Download and run registry
1.1 Configure the environment
#Pulling images from the Docker Hub is slow from inside China, so use the Aliyun mirror accelerator; restart docker for it to take effect
#If you do not know how to set up the Aliyun accelerator, see my earlier blog post
[root@192.168.0.100 test]#cat /etc/docker/daemon.json
{
    "registry-mirrors": ["https://xxx.mirror.aliyuncs.com"]
}
[root@192.168.0.100 test]#systemctl restart docker
1.2 Pull the image
[root@192.168.0.100 test]#docker pull registry
1.3 Run the image
#The registry's default configuration file is /etc/docker/registry/config.yml
#The registry's default storage location is /var/lib/registry
#Both can be mapped out with -v so you can edit a custom configuration file; I made no changes here, so the configuration file is not mapped
[root@192.168.0.100 test]#docker run -d -p 192.168.0.100:5000:5000 -v /data/registry/:/var/lib/registry --name=registry docker.io/registry:latest
2. Configure the nginx proxy with SSL
2.1 Use the nginx image built earlier (version 1.15)
#If you do not know how to build it, install nginx by hand or see my earlier blog post
#Install httpd-tools
#nginx's authentication feature needs somewhere to store username/password pairs.
#Use the htpasswd tool provided by httpd-tools to generate the username/password pair
[root@192.168.0.101 test]#docker pull registry.cn-hangzhou.aliyuncs.com/test/centos7-nginx
[root@192.168.0.101 test]#docker run -d -p 80:80 --name=nginx-proxy registry.cn-hangzhou.aliyuncs.com/test/centos7-nginx /usr/sbin/init
[root@192.168.0.101 test]#docker exec -ti nginx-proxy /bin/bash
#To start and stop services with systemctl inside the container, pass /usr/sbin/init when running it; otherwise you get: Failed to get D-Bus connection: Operation not permitted
2.2 Edit the nginx configuration file
[root@3c43f960088b /]# cd /usr/local/nginx/conf/
[root@3c43f960088b conf]# vi nginx.conf
========================================================================================
#The configuration file is as follows
#user nobody;
worker_processes 1;

#error_log logs/error.log;
#error_log logs/error.log notice;
#error_log logs/error.log info;

#pid logs/nginx.pid;

events {
    worker_connections 1024;
}

http {
    include mime.types;
    default_type application/octet-stream;

    #log_format main '$remote_addr - $remote_user [$time_local] "$request" '
    #                '$status $body_bytes_sent "$http_referer" '
    #                '"$http_user_agent" "$http_x_forwarded_for"';

    #access_log logs/access.log main;

    sendfile on;
    #tcp_nopush on;

    #keepalive_timeout 0;
    keepalive_timeout 65;

    #gzip on;

    #upstream: define the registry service address and port
    upstream my_docker_registry {
        server 192.168.0.100:5000;
    }

    #The proxy server listens on ports 80/443
    server {
        listen 80;
        listen 443 ssl;
        server_name 192.168.0.101;

        #Enable ssl and define the ssl certificate location
        #ssl on;
        ssl_certificate /registry/192.168.0.101.crt;
        ssl_certificate_key /registry/192.168.0.101.key;

        #Request headers required for forwarding
        proxy_set_header Host $http_host; # required for Docker client sake
        proxy_set_header X-Real-IP $remote_addr; # pass on real client IP
        client_max_body_size 0; # disable any limits to avoid HTTP 413 for large image uploads
        chunked_transfer_encoding on;
        add_header 'Docker-Distribution-Api-Version' 'registry/2.0' always;

        #Add user authentication
        location / {
            proxy_pass http://my_docker_registry;
            proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;
            # proxy_redirect off;
            # proxy_buffering off;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_read_timeout 900;
            auth_basic "please input username/password ";
            auth_basic_user_file /registry/passwd/docker-registry.htpasswd;
        }
        location /_ping {
            auth_basic off;
            proxy_pass http://my_docker_registry;
        }
        location /v2/_ping {
            auth_basic off;
            proxy_pass http://my_docker_registry;
        }
    }
}
========================================================================================
2.3 Check the syntax and start nginx
[root@3c43f960088b conf]# ../sbin/nginx -t
nginx: [emerg] BIO_new_file("/registry/192.168.0.101.crt") failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/registry/192.168.0.101.crt','r') error:2006D080:BIO routines:BIO_new_file:no such file)
nginx: configuration file /usr/local/nginx/conf/nginx.conf test failed
#The error is because the ssl certificate files do not exist yet
3. Create the certificate files and the user/password file
3.1 Create the certificate files
[root@3c43f960088b conf]#mkdir -p /registry/passwd/
[root@3c43f960088b conf]#cd /registry
[root@3c43f960088b conf]#openssl req -newkey rsa:4096 -nodes -sha256 -keyout 192.168.0.101.key -x509 -days 365 -out 192.168.0.101.crt
=====================================================================
Generating a 4096 bit RSA private key
........................................................................++
..............................................++
writing new private key to '192.168.0.101.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:BJ
State or Province Name (full name) []:BJ
Locality Name (eg, city) [Default City]:BJ
Organization Name (eg, company) [Default Company Ltd]:test
Organizational Unit Name (eg, section) []:test
Common Name (eg, your name or your server's hostname) []:192.168.0.101
Email Address []:test@163.com #The fields above can be filled in as needed
=====================================================================
[root@3c43f960088b registry]# ls
192.168.0.101.crt 192.168.0.101.key passwd
3.2 Create user test and set a password
[root@3c43f960088b registry]#htpasswd -c /registry/passwd/docker-registry.htpasswd test
3.3 Check the configuration and start the nginx service
[root@3c43f960088b conf]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@3c43f960088b conf]# /usr/local/nginx/sbin/nginx
4. Verification
4.1 Add the parameter on the last line of /etc/sysconfig/docker to avoid errors
[root@192.168.0.101 test]#echo "INSECURE_REGISTRY='--insecure-registry 192.168.0.101'" >> /etc/sysconfig/docker
[root@192.168.0.101 test]#systemctl restart docker
4.2 Log in to the registry
[root@192.168.0.101 test]#docker login 192.168.0.101
Username (test): dasda
Password:
Error response from daemon: login attempt to http://192.168.0.101/v2/ failed with status: 401 Unauthorized
[root@192.168.0.101 test]#docker login 192.168.0.101
Username (test): test
Password:
Login Succeeded
Success!!!
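As an added example (not part of the original post), a small Python check that probes the proxied registry for the controls configured above: /v2/ must answer 401 without credentials (as the failed login shows), 200 with the htpasswd user, carry the Docker-Distribution-Api-Version header nginx adds, and be reached over https; the login output above shows the client using http://192.168.0.101/v2/, which the check reports because Basic credentials then travel unencrypted. The registry URL, user and password are command-line arguments, and the self-signed certificate must already be trusted by the client, otherwise urlopen refuses the connection.

```python
import base64
import sys
import urllib.error
import urllib.request
from urllib.parse import urlparse

EXPECTED_API_HEADER = "registry/2.0"  # value nginx adds with add_header in the config above


def evaluate(url, anon_status, anon_headers, auth_status):
    """Return findings for one registry endpoint: anon_status/anon_headers come from an
    unauthenticated GET /v2/, auth_status from the same GET with valid Basic credentials."""
    findings = []
    if urlparse(url).scheme != "https":
        # the post's docker login talks to http://192.168.0.101/v2/, i.e. port 80
        findings.append("plaintext HTTP: Basic credentials are sent unencrypted")
    if anon_status != 401:
        findings.append(f"anonymous /v2/ returned {anon_status}, expected 401")
    headers = {k.lower(): v for k, v in anon_headers.items()}
    if headers.get("docker-distribution-api-version") != EXPECTED_API_HEADER:
        findings.append("Docker-Distribution-Api-Version header missing or wrong")
    if auth_status != 200:
        findings.append(f"authenticated /v2/ returned {auth_status}, expected 200")
    return findings


def fetch(url, user=None, password=None):
    """GET url and return (status, headers); 4xx/5xx are returned rather than raised."""
    req = urllib.request.Request(url)
    if user is not None:
        token = base64.b64encode(f"{user}:{password}".encode()).decode()
        req.add_header("Authorization", f"Basic {token}")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, dict(resp.headers)
    except urllib.error.HTTPError as err:
        return err.code, dict(err.headers)


def check_registry(base_url, user, password):
    """Probe base_url/v2/ anonymously and with credentials, then evaluate both answers."""
    url = base_url.rstrip("/") + "/v2/"
    anon_status, anon_headers = fetch(url)
    auth_status, _ = fetch(url, user, password)
    return evaluate(url, anon_status, anon_headers, auth_status)


if __name__ == "__main__":
    base, user, pw = sys.argv[1:4]  # e.g. https://192.168.0.101 test <password>
    for line in check_registry(base, user, pw) or ["all checks passed"]:
        print(line)
```

Placing the certificate at /etc/docker/certs.d/192.168.0.101/ca.crt on the client lets Docker trust it directly, so --insecure-registry is not needed and the login goes over https.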