由於公有倉庫有時連接會出現超時,下載速度慢等情況
故搭建私有倉庫鏡像
server端可以login官方的Doker Hub,可以pull,push和私有倉庫
但client只能操作自己搭建的倉庫
server 192.168.127.142
client 192.168.127.128
關閉selinux
setenforce 0
防火牆443端口放行
firewall-cmd --add-port=443/tcp
通過yum安裝依賴支持包
yum -y install pcre-devel zlib-devel openssl openssl-devel
pcre在編譯nginx時需要
zlib庫提供開發人員的壓縮算法
vim /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4 ::1 localhost localhost.localdomain localhost6 localhost6.localdomain6 192.168.127.142 gjy.com 添加本地ip和域名
修改主機名
hostnamectl set-hostname gjy.com
bash
系統爲centos7.0所以命令不一樣
接下來生成根密鑰
由於首次配置直接進入目錄生成配置文件
cd /etc/pki/CA/ openssl genrsa -out private/cakey.pem2048
生成根證書
openssl req -new -x509 -key private/cakey.pem -out cacert.pem
可以選擇不填寫,但填寫後要保持一致
爲nginx web服務器生成ssl密鑰
mkdir /etc/pki/CA/ssl cd /etc/pki/CA/ssl
openssl genrsa -out nginx.key 2048
爲nginx生成證書籤署請求
openssl req -new -key nginx.key -out nginx.csr
這裏需要保持一致
私有CA根據請求籤發證書
touch /etc/pki/CA/index.txt touch /etc/pki/CA/serial echo 00 > /etc/pki/CA/serial
openssl ca -in nginx.csr -out nginx.crt
安裝Nginx
groupadd www -g 58 useradd -u 58 -g www www
wget http://nginx.org/download/nginx-1.11.2.tar.gz
直接下載nginx源碼包,進行編譯安裝
./configure--user=www --group=www --prefix=/opt/nginx \ --with-pcre\ --with-http_stub_status_module\ --with-http_ssl_module\ --with-http_addition_module\ --with-http_realip_module\ --with-http_flv_module make && make install
成功後編輯配置文件
user www;
worker_processes 4;
events {
worker_connections 4096;
}
http {
include mime.types;
default_type application/octet-stream;
sendfile on;
keepalive_timeout 65;
upstream registry {
server 192.168.127.142:5000;
}
server {
listen 443 ssl;
server_name gjy.com;
ssl_certificate /etc/pki/CA/ssl/nginx.crt;
ssl_certificate_key /etc/pki/CA/ssl/nginx.key;
ssl_session_cache shared:SSL:1m;
ssl_session_timeout 5m;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
location / {
proxy_pass http://registry;
client_max_body_size 3000m;
proxy_set_header Host $host;
proxy_set_header X-Forward-For $remote_addr;
}
}
}
啓動nginx
/opt/nginx/sbin/nginx
配置Docker
停止Docker,編輯/etc/sysconfig/docker加入
DOCKER_OPTS="--insecure-registry docker.benet.com --tlsverify --tlscacert /etc/pki/CA/cacert.pem"
複製根證書
mkdir -p /etc/docker/certs.d/docker.benet.com cp /etc/pki/CA/cacert.pem /etc/docker/certs.d/docker.benet.com/ca-certificates.crt
啓動Docker
systemctl start docker
直接導入registry運行
創建目錄作爲私有倉庫位置
mkdir -p /opt/data/registry
運行容器
docker run -d -p 5000:5000 -v /opt/data/registry:/tmp/registry -e GUNICORN_OPTS=["--preload"] docker.io/registry
通過curl驗證
curl -i -k https://gjy.com
client配置
本地hosts文件需要添加服務器的解析
把 docker registry 服務器端的根證書追加到 certificates.crt 文件
scp [email protected]:/etc/pki/CA/cacert.pem ./
cacat ./cacert.pem>> /etc/pki/tls/certs/ca-certificates.crt
測試能否訪問
curl -i -k https://gjy.com
查看倉庫是否有鏡像
curl 192.168.127.142:5000/v1/search
所有build,pull,push只能在私有倉庫的server操作,降低風險
server,client都可以上傳下載
可以更加快速方便的上傳下載鏡像,不受網絡影響