Building your own private Docker registry offline (V1)


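The following is the installation procedure for the V1 registry. If you are using a Docker version below 1.6, you must install the V1 registry.

V2 is supported only on Docker 1.6 and later, and newer Docker versions no longer support V1.

Configure yum repository files that point to the packages on the installation disc.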

[root@localhost ~]# mount /dev/cdrom /media/

[root@localhost media]# yum-config-manager --add-repo=file:///media/

[root@localhost media]# rpm --import /media/RPM-GPG-KEY-redhat-*

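Because I am doing this in order to install OpenShift, quite a few yum repositories are mounted here; httpd is installed to serve the yum repositories to other servers.

The OSE.iso image is shared at the address below. It is for testing only; do not use it commercially.

Link: http://pan.baidu.com/s/1dEOL109 Password: iq21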

[root@localhost opt]# yum install httpd

[root@localhost opt]# mount -o loop -t iso9660 OSE.iso /var/www/html/

[root@localhost rhel-7-server-extras-rpms]# yum-config-manager --add-repo=file:///var/www/html/rhel-7-server-extras-rpms

[root@localhost rhel-7-server-extras-rpms]# yum-config-manager --add-repo=file:///var/www/html/rhel-7-server-optional-rpms/

[root@localhost rhel-7-server-extras-rpms]# yum-config-manager --add-repo=file:///var/www/html/rhel-7-server-ose-3.0-rpms/

Install docker and docker-registry

[root@localhost yum.repos.d]# yum install docker docker-registry

Start the services and enable them at boot

[root@localhost yum.repos.d]# systemctl start docker

[root@localhost yum.repos.d]# systemctl start docker-registry

[root@localhost yum.repos.d]# systemctl enable docker

ln -s '/usr/lib/systemd/system/docker.service' '/etc/systemd/system/multi-user.target.wants/docker.service'

[root@localhost yum.repos.d]# systemctl enable docker-registry

ln -s '/usr/lib/systemd/system/docker-registry.service' '/etc/systemd/system/multi-user.target.wants/docker-registry.service'

 
 

Edit the configuration file so that the images in the registry can be searched with curl "x.x.x.x:5000/v1/search?q=xxx".

vim /etc/docker-registry.yml

Change the following two lines under the common section

search_backend: _env:SEARCH_BACKEND:sqlalchemy

sqlalchemy_index_database: _env:SQLALCHEMY_INDEX_DATABASE:sqlite:////tmp/docker-registry.db

 
 

The port can be changed; the default is 5000. Since port 80 is already taken by Apache for the yum repository, I leave it unchanged.

vi /etc/sysconfig/docker-registry

# listening port
REGISTRY_PORT=5000

Generate a self-signed certificate

[root@localhost rhel-7-server-extras-rpms]# cd /etc/pki/tls/

[root@localhost tls]# openssl req -newkey rsa:2048 -nodes -sha256 -keyout certs/self.key -x509 -days 365 -out certs/self.crt

Copy the certificate to the appropriate path; here it is placed in the /etc/pki/tls/certs directory

[root@registry certs]# ls

ca-bundle.crt ca-bundle.trust.crt make-dummy-cert Makefile renew-dummy-cert self.crt self.key

[root@registry certs]# pwd

/etc/pki/tls/certs

 
 

Configure the registry to use the self-signed certificate

vim /usr/lib/systemd/system/docker-registry.service

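Add the certificate to the start command to enable TLS (the --certfile and --keyfile options, shown in red in the original post)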

ExecStart=/usr/bin/gunicorn --certfile=/etc/pki/tls/certs/self.crt --keyfile=/etc/pki/tls/certs/self.key --access-logfile - --max-requests 100 --graceful-timeout 3600 -t 3600 -k gevent -b ${REGISTRY_ADDRESS}:${REGISTRY_PORT} -w $GUNICORN_WORKERS docker_registry.wsgi:application

 
 

After the change, restart the registry service. Because we modified the unit file, first have systemd reload its configuration

[root@registry certs]# systemctl daemon-reload

[root@registry certs]# systemctl restart docker-registry.service

 
 

Check the service status to confirm that the certificate paths are present, then verify

[root@registry certs]# systemctl status docker-registry.service

docker-registry.service - Registry server for Docker

Loaded: loaded (/usr/lib/systemd/system/docker-registry.service; enabled)

Active: active (running) since 一 2016-07-04 16:37:24 CST; 17s ago

Main PID: 7018 (gunicorn)

CGroup: /system.slice/docker-registry.service

├─7018 /usr/bin/python /usr/bin/gunicorn --certfile=/etc/pki/tls/certs/self.crt --keyfile=/etc/pki/tls/certs/self.key --access-logfile - --...

├─7023 /usr/bin/python /usr/bin/gunicorn --certfile=/etc/pki/tls/certs/self.crt --keyfile=/etc/pki/tls/certs/self.key --access-logfile - --...

├─7024 /usr/bin/python /usr/bin/gunicorn --certfile=/etc/pki/tls/certs/self.crt --keyfile=/etc/pki/tls/certs/self.key --access-logfile - --...

├─7029 /usr/bin/python /usr/bin/gunicorn --certfile=/etc/pki/tls/certs/self.crt --keyfile=/etc/pki/tls/certs/self.key --access-logfile - --...

├─7034 /usr/bin/python /usr/bin/gunicorn --certfile=/etc/pki/tls/certs/self.crt --keyfile=/etc/pki/tls/certs/self.key --access-logfile - --...

├─7035 /usr/bin/python /usr/bin/gunicorn --certfile=/etc/pki/tls/certs/self.crt --keyfile=/etc/pki/tls/certs/self.key --access-logfile - --...

├─7036 /usr/bin/python /usr/bin/gunicorn --certfile=/etc/pki/tls/certs/self.crt --keyfile=/etc/pki/tls/certs/self.key --access-logfile - --...

├─7037 /usr/bin/python /usr/bin/gunicorn --certfile=/etc/pki/tls/certs/self.crt --keyfile=/etc/pki/tls/certs/self.key --access-logfile - --...

└─7038 /usr/bin/python /usr/bin/gunicorn --certfile=/etc/pki/tls/certs/self.crt --keyfile=/etc/pki/tls/certs/self.key --access-logfile - --...

 
 

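If you see the error below, the certificate has not been loaded; configure it as described above

Note: this is the result of a search test run on a Docker host. That host's Docker daemon must be configured for the registry as follows; after the change, restart docker and it can connect to our own registry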

[root@registry ~]# vim /etc/sysconfig/docker

BLOCK_REGISTRY='--block-registry public'

INSECURE_REGISTRY='--insecure-registry 192.168.150.200:5000'

 
 

 
 

[root@OpenShift-Master2 ~]# docker search open

Error response from daemon: invalid registry endpoint https://registry.dcl.home:5000/v0/: unable to ping registry endpoint https://registry.dcl.home:5000/v0/

v2 ping attempt failed with error: Get https://registry.dcl.home:5000/v2/: x509: certificate signed by unknown authority

v1 ping attempt failed with error: Get https://registry.dcl.home:5000/v1/_ping: x509: certificate signed by unknown authority. If this private registry supports only HTTP or HTTPS with an unknown CA certificate, please add `--insecure-registry registry.dcl.home:5000` to the daemon's arguments. In the case of HTTPS, if you have access to the registry's CA certificate, no need for the flag; simply place the CA certificate at /etc/docker/certs.d/registry.dcl.home:5000/ca.crt

 
 

 
 

The cause is the missing certificate; normal output should look like the figure below

[Figure: docker1]

If the problem occurs, configure the certificate as described above

[root@registry certs]# systemctl status docker-registry.service

docker-registry.service - Registry server for Docker

Loaded: loaded (/usr/lib/systemd/system/docker-registry.service; enabled)

Active: active (running) since 一 2016-07-04 16:36:30 CST; 23s ago

Main PID: 6920 (gunicorn)

CGroup: /system.slice/docker-registry.service

├─6920 /usr/bin/python /usr/bin/gunicorn --access-logfile - --max-requests 100 --graceful-timeout 3600 -t 3600 -k gevent -b 0.0.0.0:5000 -w...

├─6925 /usr/bin/python /usr/bin/gunicorn --access-logfile - --max-requests 100 --graceful-timeout 3600 -t 3600 -k gevent -b 0.0.0.0:5000 -w...

├─6926 /usr/bin/python /usr/bin/gunicorn --access-logfile - --max-requests 100 --graceful-timeout 3600 -t 3600 -k gevent -b 0.0.0.0:5000 -w...

├─6931 /usr/bin/python /usr/bin/gunicorn --access-logfile - --max-requests 100 --graceful-timeout 3600 -t 3600 -k gevent -b 0.0.0.0:5000 -w...

├─6936 /usr/bin/python /usr/bin/gunicorn --access-logfile - --max-requests 100 --graceful-timeout 3600 -t 3600 -k gevent -b 0.0.0.0:5000 -w...

├─6937 /usr/bin/python /usr/bin/gunicorn --access-logfile - --max-requests 100 --graceful-timeout 3600 -t 3600 -k gevent -b 0.0.0.0:5000 -w...

├─6938 /usr/bin/python /usr/bin/gunicorn --access-logfile - --max-requests 100 --graceful-timeout 3600 -t 3600 -k gevent -b 0.0.0.0:5000 -w...

├─6940 /usr/bin/python /usr/bin/gunicorn --access-logfile - --max-requests 100 --graceful-timeout 3600 -t 3600 -k gevent -b 0.0.0.0:5000 -w...

└─6942 /usr/bin/python /usr/bin/gunicorn --access-logfile - --max-requests 100 --graceful-timeout 3600 -t 3600 -k gevent -b 0.0.0.0:5000 -w...

 
 

7月 04 16:36:32 registry.dcl.home gunicorn[6920]: 04/Jul/2016:16:36:32 +0000 WARNING: Cache storage disabled!

7月 04 16:36:32 registry.dcl.home gunicorn[6920]: 04/Jul/2016:16:36:32 +0000 WARNING: LRU cache disabled!

7月 04 16:36:32 registry.dcl.home gunicorn[6920]: 04/Jul/2016:16:36:32 +0000 WARNING: Cache storage disabled!

7月 04 16:36:32 registry.dcl.home gunicorn[6920]: 04/Jul/2016:16:36:32 +0000 WARNING: LRU cache disabled!

7月 04 16:36:32 registry.dcl.home gunicorn[6920]: 04/Jul/2016:16:36:32 +0000 WARNING: Cache storage disabled!

7月 04 16:36:32 registry.dcl.home gunicorn[6920]: 04/Jul/2016:16:36:32 +0000 WARNING: LRU cache disabled!

7月 04 16:36:32 registry.dcl.home gunicorn[6920]: 04/Jul/2016:16:36:32 +0000 WARNING: Cache storage disabled!

7月 04 16:36:32 registry.dcl.home gunicorn[6920]: 04/Jul/2016:16:36:32 +0000 WARNING: LRU cache disabled!

7月 04 16:36:32 registry.dcl.home gunicorn[6920]: 04/Jul/2016:16:36:32 +0000 WARNING: Cache storage disabled!

7月 04 16:36:32 registry.dcl.home gunicorn[6920]: 04/Jul/2016:16:36:32 +0000 WARNING: LRU cache disabled!

 
 

 
 

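Once installation has completed normally, running curl https://127.0.0.1:5000/v1/search?q=1 -k shows the following output.

Here the -k option skips verification of our self-signed certificate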

[Figure: docker2]
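Added example (not part of the original post): the daemon error shown earlier names /etc/docker/certs.d/registry.dcl.home:5000/ca.crt as the place for the registry's certificate, which lets clients verify the self-signed certificate instead of switching checks off with --insecure-registry or curl -k. The script assumes the registry is reached as registry.dcl.home:5000; the function names and the optional trust-root argument are hypothetical.

```shell
#!/usr/bin/env bash
# Added example, not from the original post. registry.dcl.home:5000 is the
# endpoint shown in the error output; function names are hypothetical.

# Create a self-signed certificate whose CN and subjectAltName match the
# registry hostname. A config file is used instead of -addext so the same
# command also works with older OpenSSL releases.
make_registry_cert() {            # usage: make_registry_cert <hostname> <outdir>
    local host=$1 out=$2 cnf rc
    mkdir -p "$out" || return 1
    cnf=$(mktemp) || return 1
    cat > "$cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = ext
prompt = no
[dn]
CN = $host
[ext]
subjectAltName = DNS:$host
basicConstraints = CA:TRUE
EOF
    (   umask 077                 # keep self.key readable by its owner only
        openssl req -newkey rsa:2048 -nodes -sha256 -x509 -days 365 \
            -config "$cnf" -keyout "$out/self.key" -out "$out/self.crt" 2>/dev/null
    )
    rc=$?
    rm -f "$cnf"
    [ "$rc" -eq 0 ] && chmod 644 "$out/self.crt"
}

# Copy the certificate to the per-registry trust directory named in the
# daemon's error message. The third argument (assumed, for dry runs)
# overrides the default root /etc/docker/certs.d.
install_client_trust() {          # usage: install_client_trust <host:port> <crt> [root]
    local dir="${3:-/etc/docker/certs.d}/$1"
    mkdir -p "$dir" && cp "$2" "$dir/ca.crt"
}

# Succeeds only if the certificate verifies against itself as trust anchor
# and lists exactly the expected hostname in subjectAltName.
cert_matches_host() {             # usage: cert_matches_host <crt> <hostname>
    openssl verify -CAfile "$1" "$1" >/dev/null 2>&1 &&
        openssl x509 -in "$1" -noout -text | tr ', ' '\n\n' | grep -qxF "DNS:$2"
}
```

On the registry host, `make_registry_cert registry.dcl.home /etc/pki/tls/certs` replaces the interactive openssl command; on each client, `install_client_trust registry.dcl.home:5000 self.crt` installs the trust anchor. After that, `curl --cacert self.crt https://registry.dcl.home:5000/v1/_ping` verifies the server without `-k`.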

 
 

 
 

 
 

 
 

 
 

 
 

 
 
