The following is the installation procedure for the V1 registry. If you are running a Docker version below 1.6 you must install the V1 registry; V2 is only supported on Docker 1.6 and above, and newer Docker releases no longer support V1.
Configure a few yum repo files pointing at the packages on the installation disc:
[root@localhost ~]# mount /dev/cdrom /media/
[root@localhost media]# yum-config-manager --add-repo=file:///media/
[root@localhost media]# rpm --import /media/RPM-GPG-KEY-redhat-*
Because I am installing OpenShift here, I mount quite a few yum sources; httpd is installed so that other servers can use this host as their yum source.
The OSE.iso image can be downloaded from the share below; it is for testing only, do not use it commercially.
Link: http://pan.baidu.com/s/1dEOL109  Password: iq21
[root@localhost opt]# yum install httpd
[root@localhost opt]# mount -o loop -t iso9660 OSE.iso /var/www/html/
[root@localhost rhel-7-server-extras-rpms]# yum-config-manager --add-repo=file:///var/www/html/rhel-7-server-extras-rpms
[root@localhost rhel-7-server-extras-rpms]# yum-config-manager --add-repo=file:///var/www/html/rhel-7-server-optional-rpms/
[root@localhost rhel-7-server-extras-rpms]# yum-config-manager --add-repo=file:///var/www/html/rhel-7-server-ose-3.0-rpms/
Install docker and docker-registry:
[root@localhost yum.repos.d]# yum install docker docker-registry
Start the services and enable them at boot:
[root@localhost yum.repos.d]# systemctl start docker
[root@localhost yum.repos.d]# systemctl start docker-registry
[root@localhost yum.repos.d]# systemctl enable docker
ln -s '/usr/lib/systemd/system/docker.service' '/etc/systemd/system/multi-user.target.wants/docker.service'
[root@localhost yum.repos.d]# systemctl enable docker-registry
ln -s '/usr/lib/systemd/system/docker-registry.service' '/etc/systemd/system/multi-user.target.wants/docker-registry.service'
Modify the configuration file so that repository images can be queried with curl "x.x.x.x:5000/v1/search?q=xxx":
vim /etc/docker-registry.yml
Change the following two lines under the common section:
search_backend: _env:SEARCH_BACKEND:sqlalchemy
sqlalchemy_index_database: _env:SQLALCHEMY_INDEX_DATABASE:sqlite:////tmp/docker-registry.db
The listening port can be changed; the default is 5000. Since port 80 is already taken by Apache (which serves my yum source), I leave it unchanged.
vi /etc/sysconfig/docker-registry
REGISTRY_PORT=5000  # listening port
Generate a self-signed certificate:
[root@localhost rhel-7-server-extras-rpms]# cd /etc/pki/tls/
[root@localhost tls]# openssl req -newkey rsa:2048 -nodes -sha256 -keyout certs/self.key -x509 -days 365 -out certs/self.crt
Copy the certificate and key to the relevant location; here they live in /etc/pki/tls/certs:
[root@registry certs]# ls
ca-bundle.crt ca-bundle.trust.crt make-dummy-cert Makefile renew-dummy-cert self.crt self.key
[root@registry certs]# pwd
/etc/pki/tls/certs
Configure the registry to use the self-signed certificate:
vim /usr/lib/systemd/system/docker-registry.service
Pass the certificate and key to gunicorn at start-up so that it serves TLS; the relevant additions are the --certfile and --keyfile options in the ExecStart line:
ExecStart=/usr/bin/gunicorn --certfile=/etc/pki/tls/certs/self.crt --keyfile=/etc/pki/tls/certs/self.key --access-logfile - --max-requests 100 --graceful-timeout 3600 -t 3600 -k gevent -b ${REGISTRY_ADDRESS}:${REGISTRY_PORT} -w $GUNICORN_WORKERS docker_registry.wsgi:application
After editing, restart the registry service. Since the unit file was changed, systemd must first reload its configuration:
[root@registry certs]# systemctl daemon-reload
[root@registry certs]# systemctl restart docker-registry.service
Check the service status to confirm that the gunicorn processes were started with the certificate paths before verifying further:
[root@registry certs]# systemctl status docker-registry.service
docker-registry.service - Registry server for Docker
Loaded: loaded (/usr/lib/systemd/system/docker-registry.service; enabled)
Active: active (running) since 一 2016-07-04 16:37:24 CST; 17s ago
Main PID: 7018 (gunicorn)
CGroup: /system.slice/docker-registry.service
├─7018 /usr/bin/python /usr/bin/gunicorn --certfile=/etc/pki/tls/certs/self.crt --keyfile=/etc/pki/tls/certs/self.key --access-logfile - --...
├─7023 /usr/bin/python /usr/bin/gunicorn --certfile=/etc/pki/tls/certs/self.crt --keyfile=/etc/pki/tls/certs/self.key --access-logfile - --...
├─7024 /usr/bin/python /usr/bin/gunicorn --certfile=/etc/pki/tls/certs/self.crt --keyfile=/etc/pki/tls/certs/self.key --access-logfile - --...
├─7029 /usr/bin/python /usr/bin/gunicorn --certfile=/etc/pki/tls/certs/self.crt --keyfile=/etc/pki/tls/certs/self.key --access-logfile - --...
├─7034 /usr/bin/python /usr/bin/gunicorn --certfile=/etc/pki/tls/certs/self.crt --keyfile=/etc/pki/tls/certs/self.key --access-logfile - --...
├─7035 /usr/bin/python /usr/bin/gunicorn --certfile=/etc/pki/tls/certs/self.crt --keyfile=/etc/pki/tls/certs/self.key --access-logfile - --...
├─7036 /usr/bin/python /usr/bin/gunicorn --certfile=/etc/pki/tls/certs/self.crt --keyfile=/etc/pki/tls/certs/self.key --access-logfile - --...
├─7037 /usr/bin/python /usr/bin/gunicorn --certfile=/etc/pki/tls/certs/self.crt --keyfile=/etc/pki/tls/certs/self.key --access-logfile - --...
└─7038 /usr/bin/python /usr/bin/gunicorn --certfile=/etc/pki/tls/certs/self.crt --keyfile=/etc/pki/tls/certs/self.key --access-logfile - --...
If you see the error below, the certificate was not loaded; configure it as described above.
Note: this is the result of a search test run from a docker host. The docker daemon on that host must be pointed at the registry as follows; after editing the file and restarting docker it can connect to our own registry:
[root@registry ~]# vim /etc/sysconfig/docker
BLOCK_REGISTRY='--block-registry public'
INSECURE_REGISTRY='--insecure-registry 192.168.150.200:5000'
[root@OpenShift-Master2 ~]# docker search open
Error response from daemon: invalid registry endpoint https://registry.dcl.home:5000/v0/: unable to ping registry endpoint https://registry.dcl.home:5000/v0/
v2 ping attempt failed with error: Get https://registry.dcl.home:5000/v2/: x509: certificate signed by unknown authority
v1 ping attempt failed with error: Get https://registry.dcl.home:5000/v1/_ping: x509: certificate signed by unknown authority. If this private registry supports only HTTP or HTTPS with an unknown CA certificate, please add `--insecure-registry registry.dcl.home:5000` to the daemon's arguments. In the case of HTTPS, if you have access to the registry's CA certificate, no need for the flag; simply place the CA certificate at /etc/docker/certs.d/registry.dcl.home:5000/ca.crt
The cause is the missing certificate; once it is configured, the output should look like the figure below.
If this problem appears, apply the certificate settings described above. The status output below, in which the gunicorn processes run without --certfile/--keyfile, is what the misconfigured state looks like:
[root@registry certs]# systemctl status docker-registry.service
docker-registry.service - Registry server for Docker
Loaded: loaded (/usr/lib/systemd/system/docker-registry.service; enabled)
Active: active (running) since 一 2016-07-04 16:36:30 CST; 23s ago
Main PID: 6920 (gunicorn)
CGroup: /system.slice/docker-registry.service
├─6920 /usr/bin/python /usr/bin/gunicorn --access-logfile - --max-requests 100 --graceful-timeout 3600 -t 3600 -k gevent -b 0.0.0.0:5000 -w...
├─6925 /usr/bin/python /usr/bin/gunicorn --access-logfile - --max-requests 100 --graceful-timeout 3600 -t 3600 -k gevent -b 0.0.0.0:5000 -w...
├─6926 /usr/bin/python /usr/bin/gunicorn --access-logfile - --max-requests 100 --graceful-timeout 3600 -t 3600 -k gevent -b 0.0.0.0:5000 -w...
├─6931 /usr/bin/python /usr/bin/gunicorn --access-logfile - --max-requests 100 --graceful-timeout 3600 -t 3600 -k gevent -b 0.0.0.0:5000 -w...
├─6936 /usr/bin/python /usr/bin/gunicorn --access-logfile - --max-requests 100 --graceful-timeout 3600 -t 3600 -k gevent -b 0.0.0.0:5000 -w...
├─6937 /usr/bin/python /usr/bin/gunicorn --access-logfile - --max-requests 100 --graceful-timeout 3600 -t 3600 -k gevent -b 0.0.0.0:5000 -w...
├─6938 /usr/bin/python /usr/bin/gunicorn --access-logfile - --max-requests 100 --graceful-timeout 3600 -t 3600 -k gevent -b 0.0.0.0:5000 -w...
├─6940 /usr/bin/python /usr/bin/gunicorn --access-logfile - --max-requests 100 --graceful-timeout 3600 -t 3600 -k gevent -b 0.0.0.0:5000 -w...
└─6942 /usr/bin/python /usr/bin/gunicorn --access-logfile - --max-requests 100 --graceful-timeout 3600 -t 3600 -k gevent -b 0.0.0.0:5000 -w...
7月 04 16:36:32 registry.dcl.home gunicorn[6920]: 04/Jul/2016:16:36:32 +0000 WARNING: Cache storage disabled!
7月 04 16:36:32 registry.dcl.home gunicorn[6920]: 04/Jul/2016:16:36:32 +0000 WARNING: LRU cache disabled!
7月 04 16:36:32 registry.dcl.home gunicorn[6920]: 04/Jul/2016:16:36:32 +0000 WARNING: Cache storage disabled!
7月 04 16:36:32 registry.dcl.home gunicorn[6920]: 04/Jul/2016:16:36:32 +0000 WARNING: LRU cache disabled!
7月 04 16:36:32 registry.dcl.home gunicorn[6920]: 04/Jul/2016:16:36:32 +0000 WARNING: Cache storage disabled!
7月 04 16:36:32 registry.dcl.home gunicorn[6920]: 04/Jul/2016:16:36:32 +0000 WARNING: LRU cache disabled!
7月 04 16:36:32 registry.dcl.home gunicorn[6920]: 04/Jul/2016:16:36:32 +0000 WARNING: Cache storage disabled!
7月 04 16:36:32 registry.dcl.home gunicorn[6920]: 04/Jul/2016:16:36:32 +0000 WARNING: LRU cache disabled!
7月 04 16:36:32 registry.dcl.home gunicorn[6920]: 04/Jul/2016:16:36:32 +0000 WARNING: Cache storage disabled!
7月 04 16:36:32 registry.dcl.home gunicorn[6920]: 04/Jul/2016:16:36:32 +0000 WARNING: LRU cache disabled!
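The daemon error above already names the defender's preferred fix: rather than --insecure-registry, which switches off TLS verification for that endpoint, place the registry certificate at /etc/docker/certs.d/<host:port>/ca.crt so the daemon can verify it. The script below is an added example, not part of the original post: it generates a self-signed certificate whose subjectAltName covers the hostname and IP that clients dial (a plain interactive "openssl req" as used above does not add a SAN), checks that certificate and key belong together, and installs the certificate into certs.d. The hostname registry.dcl.home, the IP 192.168.150.200 and the directory prefix are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Generates a self-signed registry
# certificate with a SAN for the name and IP docker clients dial, then installs
# it under certs.d so the daemon can verify the registry without
# --insecure-registry. Hostname, IP and directory prefix are assumptions.
set -e

# Write self.key/self.crt into $1 for registry host $2 and IP $3.
# docker verifies the name it dials (e.g. registry.dcl.home), so the
# certificate must carry it as a subjectAltName.
gen_registry_cert() {
    dir=$1; host=$2; ip=$3
    mkdir -p "$dir"
    printf '%s\n' '[req]' 'distinguished_name = dn' 'x509_extensions = v3' \
        'prompt = no' '[dn]' "CN = $host" '[v3]' \
        "subjectAltName = DNS:$host,IP:$ip" > "$dir/san.cnf"
    openssl req -newkey rsa:2048 -nodes -sha256 -x509 -days 365 \
        -config "$dir/san.cnf" -keyout "$dir/self.key" \
        -out "$dir/self.crt" 2>/dev/null
}

# True when the certificate and the private key share the same RSA modulus.
cert_matches_key() {
    [ "$(openssl x509 -noout -modulus -in "$1")" = \
      "$(openssl rsa -noout -modulus -in "$2" 2>/dev/null)" ]
}

# True when the certificate lists $2 as a DNS subjectAltName.
cert_has_dns_san() {
    openssl x509 -noout -text -in "$1" | grep -q "DNS:$2"
}

# Copy the certificate to <root>/etc/docker/certs.d/<host:port>/ca.crt, the
# path named in the daemon error message, and confirm the copy is intact by
# comparing SHA-256 fingerprints. $1 is a prefix ("/" on a real host).
install_docker_ca() {
    root=$1; cert=$2; endpoint=$3
    d="$root/etc/docker/certs.d/$endpoint"
    mkdir -p "$d"
    cp "$cert" "$d/ca.crt"
    chmod 644 "$d/ca.crt"
    [ "$(openssl x509 -noout -fingerprint -sha256 -in "$cert")" = \
      "$(openssl x509 -noout -fingerprint -sha256 -in "$d/ca.crt")" ]
}
```

On the registry host run gen_registry_cert /etc/pki/tls/certs registry.dcl.home 192.168.150.200, and on each docker host run install_docker_ca / self.crt registry.dcl.home:5000 and restart docker, after which the INSECURE_REGISTRY line in /etc/sysconfig/docker is no longer needed.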
After a successful installation, running curl https://127.0.0.1:5000/v1/search?q=1 -k shows the following output;
the -k option skips verification of our self-signed certificate.