Because connections to the public registry sometimes time out and downloads are slow,
we set up a private registry mirror.
The server can log in to the official Docker Hub and pull from and push to both it and the private registry;
the client can only operate against the registry we build ourselves.
server 192.168.127.142
client 192.168.127.128
Disable SELinux
setenforce 0
Open port 443 in the firewall
firewall-cmd --add-port=443/tcp
Install the dependency packages via yum
yum -y install pcre-devel zlib-devel openssl openssl-devel
pcre is required when compiling nginx
zlib provides the compression library
vim /etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.127.142 gjy.com
Add the local IP and the domain name
Change the hostname
hostnamectl set-hostname gjy.com
bash
The system is CentOS 7.0, so the command differs from older releases
Next, generate the root key
Since this is the first-time setup, go straight into the CA directory and generate it there
cd /etc/pki/CA/
openssl genrsa -out private/cakey.pem 2048
Generate the root certificate
openssl req -new -x509 -key private/cakey.pem -out cacert.pem
The fields may be left blank, but whatever is entered must be kept consistent with what is entered later for the nginx request: the default openssl.cnf signing policy requires the country, state and organization of a request to match the CA's, and openssl ca rejects the request otherwise
Generate the SSL key for the nginx web server
mkdir /etc/pki/CA/ssl
cd /etc/pki/CA/ssl
openssl genrsa -out nginx.key 2048
Generate the certificate signing request for nginx
openssl req -new -key nginx.key -out nginx.csr
The fields here must match those used for the root certificate, and the Common Name must be the hostname clients will connect to (gjy.com), otherwise TLS verification fails
The private CA signs the certificate from the request
touch /etc/pki/CA/index.txt
touch /etc/pki/CA/serial
echo 00 > /etc/pki/CA/serial
openssl ca -in nginx.csr -out nginx.crt
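The CA setup above (root key, root certificate, server key and CSR, signing) as one non-interactive script, added here as an example and not part of the original post. It uses openssl x509 -req with an explicit extension file instead of openssl ca, so it does not depend on the /etc/pki/CA index and serial files, and it adds a subjectAltName for the registry hostname, which current Docker clients require in addition to the Common Name. The directory, the subject fields and the validity periods are assumptions for the example; the hostname gjy.com is the one used in the post.

```shell
#!/bin/sh
# Added example (not from the original post): build a throwaway private CA,
# issue a server certificate for the registry hostname, and verify the chain.
# Uses `openssl x509 -req` with an extension file instead of `openssl ca`,
# so no /etc/pki/CA index.txt / serial setup is needed.
set -eu

# make_ca_and_cert DIR HOST: writes cakey.pem, cacert.pem, nginx.key,
# nginx.csr and nginx.crt into DIR (DIR and the subject fields are assumptions)
make_ca_and_cert() {
    dir="$1"; host="$2"
    mkdir -p "$dir"
    # Root CA key and self-signed root certificate (10 years)
    openssl genrsa -out "$dir/cakey.pem" 2048 2>/dev/null
    openssl req -new -x509 -days 3650 -key "$dir/cakey.pem" \
        -subj "/C=CN/O=Private Registry CA/CN=Private Registry Root CA" \
        -out "$dir/cacert.pem" 2>/dev/null
    # Server key and CSR; C and O match the CA, CN is the registry hostname
    openssl genrsa -out "$dir/nginx.key" 2048 2>/dev/null
    openssl req -new -key "$dir/nginx.key" \
        -subj "/C=CN/O=Private Registry CA/CN=$host" \
        -out "$dir/nginx.csr" 2>/dev/null
    # Leaf extensions: SAN for the hostname, server authentication only, not a CA
    printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\nbasicConstraints=CA:FALSE\n' "$host" \
        > "$dir/nginx.ext"
    # Sign the CSR with the root key (1 year)
    openssl x509 -req -days 365 -in "$dir/nginx.csr" \
        -CA "$dir/cacert.pem" -CAkey "$dir/cakey.pem" -CAcreateserial \
        -extfile "$dir/nginx.ext" -out "$dir/nginx.crt" 2>/dev/null
}

# verify_cert DIR HOST: return 0 only if nginx.crt chains to cacert.pem
# and carries a SAN entry for HOST, 1 otherwise
verify_cert() {
    dir="$1"; host="$2"
    openssl verify -CAfile "$dir/cacert.pem" "$dir/nginx.crt" >/dev/null 2>&1 || return 1
    openssl x509 -in "$dir/nginx.crt" -noout -text 2>/dev/null | grep -qF "DNS:$host"
}
```

Run make_ca_and_cert with a scratch directory and the registry hostname, then verify_cert with the same arguments; the verification step is the check to repeat after any certificate renewal, since a certificate that verifies against the CA but lacks the hostname in its SAN is rejected by the Docker client even though nginx will happily serve it.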
Install Nginx
groupadd www -g 58
useradd -u 58 -g www www
wget http://nginx.org/download/nginx-1.11.2.tar.gz
tar xzf nginx-1.11.2.tar.gz
cd nginx-1.11.2
./configure --user=www --group=www --prefix=/opt/nginx --with-pcre --with-http_stub_status_module --with-http_ssl_module --with-http_addition_module --with-http_realip_module --with-http_flv_module
make && make install
After it succeeds, edit the configuration file (/opt/nginx/conf/nginx.conf)
user www;
worker_processes 4;
events {
    worker_connections 4096;
}
http {
    include mime.types;
    default_type application/octet-stream;
    sendfile on;
    keepalive_timeout 65;
    upstream registry {
        server 192.168.127.142:5000;
    }
    server {
        listen 443 ssl;
        server_name gjy.com;
        ssl_certificate /etc/pki/CA/ssl/nginx.crt;
        ssl_certificate_key /etc/pki/CA/ssl/nginx.key;
        ssl_session_cache shared:SSL:1m;
        ssl_session_timeout 5m;
        ssl_ciphers HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers on;
        location / {
            proxy_pass http://registry;
            client_max_body_size 3000m;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $remote_addr;
        }
    }
}
Start nginx
/opt/nginx/sbin/nginx
Configure Docker
Stop Docker and add the following to /etc/sysconfig/docker
DOCKER_OPTS="--insecure-registry docker.benet.com --tlsverify --tlscacert /etc/pki/CA/cacert.pem"
Copy the root certificate
mkdir -p /etc/docker/certs.d/docker.benet.com
cp /etc/pki/CA/cacert.pem /etc/docker/certs.d/docker.benet.com/ca-certificates.crt
Start Docker
systemctl start docker
Pull the registry image directly and run it
Create a directory to hold the private registry data
mkdir -p /opt/data/registry
Run the container
docker run -d -p 5000:5000 -v /opt/data/registry:/tmp/registry -e GUNICORN_OPTS=["--preload"] docker.io/registry
Verify with curl (note that -k disables certificate verification, so this only shows that nginx is answering on 443; it does not prove that the CA is trusted)
curl -i -k https://gjy.com
Client configuration
The local hosts file needs an entry resolving the server's hostname
Append the Docker registry server's root certificate to the ca-certificates.crt file
scp root@192.168.127.142:/etc/pki/CA/cacert.pem ./
cat ./cacert.pem >> /etc/pki/tls/certs/ca-certificates.crt
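Appending the CA to the system-wide bundle, as above, makes every TLS client on the machine trust it. The alternative shown here, as an added example that is not part of the original post, installs the CA only for the one registry hostname in Docker's per-registry trust directory and pins its SHA-256 fingerprint, so a client notices a swapped CA before the first pull or push. The certs_root parameter is an assumption made so the functions can be exercised in a scratch directory; on a real client it is /etc/docker/certs.d, and the expected fingerprint is obtained out of band (for example printed on the server's console).

```shell
#!/bin/sh
# Added example (not from the original post): install a registry CA under
# <certs_root>/<registry host>/ca.crt, where Docker looks for per-registry
# trust anchors, and check its SHA-256 fingerprint against a pinned value.
# certs_root is a parameter (assumption) so this can run in a scratch directory;
# on a real client it would be /etc/docker/certs.d.
set -eu

# ca_fingerprint FILE: SHA-256 fingerprint of a PEM certificate, e.g. AB:CD:...
ca_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# install_registry_ca CERTS_ROOT HOST CAFILE: copy the CA into the trust
# directory for HOST; Docker reads every *.crt file found there
install_registry_ca() {
    certs_root="$1"; host="$2"; cafile="$3"
    mkdir -p "$certs_root/$host"
    cp "$cafile" "$certs_root/$host/ca.crt"
    chmod 0644 "$certs_root/$host/ca.crt"
}

# check_pinned_ca CERTS_ROOT HOST EXPECTED_FP: return 0 if the CA installed
# for HOST has the expected fingerprint, 1 if it is missing or differs
check_pinned_ca() {
    certs_root="$1"; host="$2"; expected="$3"
    installed="$certs_root/$host/ca.crt"
    [ -f "$installed" ] || return 1
    actual=$(ca_fingerprint "$installed")
    [ "$actual" = "$expected" ]
}
```

Record the fingerprint on the server with ca_fingerprint /etc/pki/CA/cacert.pem, then on each client run install_registry_ca followed by check_pinned_ca with that recorded value; a non-zero exit means the file that arrived over scp is not the CA that was issued, and the client should not be pointed at the registry until that is resolved.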
Test whether the registry is reachable (again, -k skips certificate verification, so a successful response here does not confirm that the appended CA is being used)
curl -i -k https://gjy.com
Check whether the registry contains any images
curl 192.168.127.142:5000/v1/search
All builds, pulls and pushes against the public Hub are done only on the private registry server, which reduces risk
Both the server and the client can upload to and download from the private registry
Images can be uploaded and downloaded faster and more conveniently, without depending on the external network
This post is from the “JianYu” blog; please keep this attribution: http://jianyu97.blog.51cto.com/12222102/1971513