Connections to the public registry sometimes time out and downloads are slow,
so we set up a private registry mirror.
The server can log in to the official Docker Hub and can pull from and push to both Docker Hub and the private registry;
clients can only work against the registry we build ourselves.
server 192.168.127.142
client 192.168.127.128
Disable SELinux (setenforce 0 only lasts until the next reboot, and it removes SELinux confinement from the whole host, not just from Docker)
setenforce 0
Open port 443 in the firewall (without --permanent the rule is lost on the next firewalld reload)
firewall-cmd --add-port=443/tcp
Install the build dependencies with yum
yum -y install pcre-devel zlib-devel openssl openssl-devel
pcre is needed to compile nginx (its rewrite and location regexes)
zlib provides the compression library nginx uses for gzip
vim /etc/hosts
127.0.0.1       localhost localhost.localdomain localhost4 localhost4.localdomain4
::1             localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.127.142 gjy.com
Add the local IP and domain name (the last line).
Change the hostname
hostnamectl set-hostname gjy.com
bash
The system is CentOS 7.0, so the command differs from older releases.
Next, generate the root key.
Since this is the first-time setup, go straight into the CA directory and generate the files there.
cd /etc/pki/CA/
openssl genrsa -out private/cakey.pem 2048
Generate the self-signed root certificate
openssl req -new -x509 -key private/cakey.pem -out cacert.pem
The subject fields may be left blank, but whatever you enter here must be entered identically later in the nginx request.
Generate the SSL key for the nginx web server
mkdir /etc/pki/CA/ssl
cd /etc/pki/CA/ssl
openssl genrsa -out nginx.key 2048
Generate a certificate signing request for nginx
openssl req -new -key nginx.key -out nginx.csr
The Country, State/Province and Organization must match the root certificate here, because the default openssl ca policy (policy_match) rejects a request whose values differ. Use gjy.com as the Common Name so the certificate matches the server_name nginx will answer for.
The private CA signs a certificate from the request
touch /etc/pki/CA/index.txt
touch /etc/pki/CA/serial
echo 00 > /etc/pki/CA/serial
openssl ca -in nginx.csr -out nginx.crt
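The CA steps above, scripted end to end as an added example (this is not the post's own code): it builds the root key and self-signed root certificate, issues the nginx certificate, and then checks the result the way a client would. It differs from the post in two deliberate places: it signs with openssl x509 -req instead of openssl ca so that it runs in a scratch directory rather than in /etc/pki/CA, and it adds a subjectAltName of DNS:gjy.com, because Docker daemons built with Go 1.15 or later ignore the Common Name and reject a server certificate without a SAN. The host name gjy.com comes from the post; the subject fields and the scratch directory are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Builds a private CA and a server
# certificate for the registry front end in a scratch directory, then verifies
# chain and host name. Assumptions: host name gjy.com, subject fields below.
set -eu

# Create root key, self-signed root cert, server key, CSR and signed cert for
# host $1 under directory $2. Signing uses "openssl x509 -req" (a stand-in for
# the post's "openssl ca") so no /etc/pki/CA database is required.
make_private_ca() {
    host="$1"; dir="$2"
    mkdir -p "$dir"
    # Root key and self-signed root certificate (cakey.pem / cacert.pem in the post).
    openssl genrsa -out "$dir/cakey.pem" 2048 2>/dev/null
    openssl req -new -x509 -days 3650 -key "$dir/cakey.pem" -out "$dir/cacert.pem" \
        -subj "/C=CN/ST=Example/O=Example Private CA/CN=Example Root CA" 2>/dev/null
    # Server key and CSR. C/ST/O repeat the root's values, which is what the
    # default "openssl ca" policy_match would have demanded.
    openssl genrsa -out "$dir/nginx.key" 2048 2>/dev/null
    openssl req -new -key "$dir/nginx.key" -out "$dir/nginx.csr" \
        -subj "/C=CN/ST=Example/O=Example Private CA/CN=$host" 2>/dev/null
    # Go's TLS stack (and therefore the Docker daemon) matches the host name
    # only against subjectAltName, so the signed certificate must carry one.
    printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$host" > "$dir/san.cnf"
    openssl x509 -req -days 825 -in "$dir/nginx.csr" -CA "$dir/cacert.pem" \
        -CAkey "$dir/cakey.pem" -CAcreateserial -out "$dir/nginx.crt" \
        -extfile "$dir/san.cnf" 2>/dev/null
}

# Check $2/nginx.crt the way a client would: does it chain to $2/cacert.pem,
# and does its SAN list contain DNS:$1? Prints OK, FAIL-chain or FAIL-san and
# returns non-zero on failure.
verify_server_cert() {
    host="$1"; dir="$2"
    if ! openssl verify -CAfile "$dir/cacert.pem" "$dir/nginx.crt" >/dev/null 2>&1; then
        echo FAIL-chain; return 1
    fi
    text=$(openssl x509 -in "$dir/nginx.crt" -noout -text)
    case "$text" in
        *"DNS:$host"*) echo OK ;;
        *) echo FAIL-san; return 1 ;;
    esac
}

# Usage: make_private_ca gjy.com /tmp/regca && verify_server_cert gjy.com /tmp/regca
```

The second function is the check to run before pointing Docker at the registry: a certificate that chains correctly but names a different host prints FAIL-san, which is exactly the case a daemon would reject with a host-name mismatch.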
Install Nginx
groupadd www -g 58
useradd -u 58 -g www www
wget http://nginx.org/download/nginx-1.11.2.tar.gz
tar xf nginx-1.11.2.tar.gz
cd nginx-1.11.2
./configure --user=www --group=www --prefix=/opt/nginx --with-pcre --with-http_stub_status_module --with-http_ssl_module --with-http_addition_module --with-http_realip_module --with-http_flv_module
make && make install
Once it has installed, edit the configuration file /opt/nginx/conf/nginx.conf:
user www;
worker_processes 4;

events {
    worker_connections 4096;
}

http {
    include mime.types;
    default_type application/octet-stream;
    sendfile on;
    keepalive_timeout 65;

    upstream registry {
        server 192.168.127.142:5000;
    }

    server {
        listen 443 ssl;
        server_name gjy.com;
        ssl_certificate /etc/pki/CA/ssl/nginx.crt;
        ssl_certificate_key /etc/pki/CA/ssl/nginx.key;
        ssl_session_cache shared:SSL:1m;
        ssl_session_timeout 5m;
        ssl_ciphers HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers on;

        location / {
            proxy_pass http://registry;
            client_max_body_size 3000m;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $remote_addr;
        }
    }
}
Start nginx
/opt/nginx/sbin/nginx
Configure Docker
Stop Docker and add the following to /etc/sysconfig/docker (the host name must be the one clients will use to reach the registry, gjy.com here):
DOCKER_OPTS="--insecure-registry gjy.com --tlsverify --tlscacert /etc/pki/CA/cacert.pem"
Note that --insecure-registry tells the daemon to accept that registry without verifying its certificate, which undoes the trust the private CA is meant to provide; once the root certificate is installed under /etc/docker/certs.d (next step) the flag is not needed.
Copy the root certificate into the per-registry trust directory Docker reads (/etc/docker/certs.d/<registry host>/, any file ending in .crt):
mkdir -p /etc/docker/certs.d/gjy.com
cp /etc/pki/CA/cacert.pem /etc/docker/certs.d/gjy.com/ca-certificates.crt
Start Docker
systemctl start docker
Pull the registry image and run it directly
Create a directory to hold the private registry's data
mkdir -p /opt/data/registry
Run the container
docker run -d -p 5000:5000 -v /opt/data/registry:/tmp/registry -e GUNICORN_OPTS='["--preload"]' docker.io/registry
With -p 5000:5000 the registry's plain-HTTP port is bound on every interface, so it is reachable directly and bypasses the TLS front end; binding it as -p 127.0.0.1:5000:5000 and pointing the nginx upstream at 127.0.0.1:5000 leaves only port 443 exposed.
Verify with curl
curl -i -k https://gjy.com
With -k curl skips certificate verification, so this only proves that nginx answers over TLS; passing the root certificate with --cacert /etc/pki/CA/cacert.pem instead also checks that the chain is correct.
Client configuration
The local hosts file needs an entry resolving the server's name (192.168.127.142 gjy.com).
Append the registry server's root certificate to the ca-certificates.crt bundle:
scp root@192.168.127.142:/etc/pki/CA/cacert.pem ./
cat ./cacert.pem >> /etc/pki/tls/certs/ca-certificates.crt
This makes curl trust the registry, but the Docker daemon does not consult the system bundle for registry connections; it needs the same certificate under /etc/docker/certs.d/gjy.com/ on the client, exactly as on the server.
Test access:
curl -i -k https://gjy.com
Check whether the registry holds any images (this talks to the registry's plain-HTTP port directly, not through nginx):
curl 192.168.127.142:5000/v1/search
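Installing the copied root certificate where the Docker client will actually find it, as an added example that is not from the post: Docker loads *.crt files from /etc/docker/certs.d/<registry host>/, so for a registry reached as https://gjy.com that is /etc/docker/certs.d/gjy.com/. The function also prints the SHA-256 fingerprint of the installed file so it can be compared with the same openssl command run on the server, which is the integrity check that curl -k skips. The certs.d root is a parameter (an assumption for testing) so the function can be tried in a scratch directory; on a real client it is /etc/docker/certs.d.

```shell
#!/bin/sh
# Added example, not from the original post. Installs a registry CA where the
# Docker daemon looks for it and prints its SHA-256 fingerprint for an
# out-of-band comparison with the server's copy. The certs.d root is a
# parameter; on a real client it is /etc/docker/certs.d.
set -eu

# SHA-256 fingerprint of PEM certificate $1, printed as AB:CD:...
cert_fingerprint() {
    fp=$(openssl x509 -in "$1" -noout -fingerprint -sha256)
    # openssl prints "SHA256 Fingerprint=AB:CD:..."; keep only the value.
    echo "${fp#*=}"
}

# Install CA file $1 for registry host $2 (written as it appears in image
# names, e.g. gjy.com or gjy.com:5000) under certs.d root $3. Prints the
# fingerprint of the installed copy; returns 1 if $1 does not parse as an
# X.509 certificate, 2 if the installed copy differs from the source.
install_registry_ca() {
    ca="$1"; host="$2"; root="$3"
    dest="$root/$host/ca.crt"
    # Refuse to install anything that is not a parseable certificate.
    openssl x509 -in "$ca" -noout >/dev/null 2>&1 || return 1
    mkdir -p "$root/$host"
    cp "$ca" "$dest"
    chmod 0644 "$dest"
    [ "$(cert_fingerprint "$ca")" = "$(cert_fingerprint "$dest")" ] || return 2
    cert_fingerprint "$dest"
}

# Usage: install_registry_ca ./cacert.pem gjy.com /etc/docker/certs.d
```

Run cert_fingerprint on /etc/pki/CA/cacert.pem on the server and compare it with the value printed on the client; a mismatch means the file copied over is not the CA the registry's certificate was issued from.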
All builds, pulls and pushes against the public registry happen only on the private registry server, which lowers the risk.
Both the server and the clients can upload to and download from the private registry.
Images can be uploaded and downloaded faster and more conveniently, without depending on the public network.
This article is from the "JianYu" blog; please keep this attribution: http://jianyu97.blog.51cto.com/12222102/1971513