Deploying a Private Docker Registry on QingCloud Virtual Machines

Felix.Liang

Software packages: Docker Inc. provides docker-registry in two versions, a Python version and a Go version.

The Python version stopped receiving updates after 0.9.1. It implements the V0 and V1 docker-registry APIs. GitHub: https://github.com/docker/docker-registry

The Go version implements the V2 docker-registry API. The latest release is 2.0.1 and it can only be used with Docker 1.6+. GitHub: https://github.com/docker/distribution

Third-party UI tools built on the docker-registry API: docker-registry-ui and docker-registry-frontend

This deployment uses the Python version + docker-registry-frontend.

Docker Registry installation

Package installation (Ubuntu 14.04):

    # sudo apt-get update
    # sudo apt-get install -y build-essential python-dev libevent-dev python-pip liblzma-dev
    # sudo apt-get install swig
    # sudo apt-get install libssl-dev
    # sudo pip install docker-registry

Edit the configuration file:

    # cd /usr/local/lib/python2.7/dist-packages/config/
    # cp config_sample.yml config.yml

Change the image storage directory (the default is under /tmp):

    local: &local
        <<: *common
        storage: local
        storage_path: _env:STORAGE_PATH:/var/lib/docker-registry/registry

Change the index database location (the default is also under /tmp):

    sqlalchemy_index_database: _env:SQLALCHEMY_INDEX_DATABASE:sqlite:////var/lib/docker-registry/docker-registry.db

Docker Registry installation: wrapping docker-registry as a service

    # sudo mkdir -p /var/log/docker-registry
    # touch /etc/init/docker-registry.conf

Upstart script (/etc/init/docker-registry.conf):

    description "Docker Registry"
    start on runlevel [2345]
    stop on runlevel [016]
    respawn
    respawn limit 10 5
    script
        exec gunicorn --access-logfile /var/log/docker-registry/access.log --error-logfile /var/log/docker-registry/server.log -k gevent --max-requests 100 --graceful-timeout 3600 -t 3600 -b localhost:5000 -w 8 docker_registry.wsgi:application
    end script

Start docker-registry:

    # sudo service docker-registry start
    docker-registry start/running, process 25303

Authentication & SSL

Install and configure nginx:

    # sudo apt-get -y install nginx apache2-utils

Create the docker user and set its password:

    # sudo htpasswd -c /etc/nginx/docker-registry.htpasswd felix.liang
    New password: 123456
    Re-type new password: 123456
    Adding password for user felix.liang

Generate a self-signed SSL certificate:

    # mkdir ~/certs && cd ~/certs
    # openssl genrsa -out devdockerCA.key 2048
    # openssl req -x509 -new -nodes -key devdockerCA.key -days 10000 -out devdockerCA.crt
      (just press Enter at each prompt)
    # openssl genrsa -out dev-docker-registry.com.key 2048
    # openssl req -new -key dev-docker-registry.com.key -out dev-docker-registry.com.csr
      (the Common Name must be set)
      Common Name (e.g. server FQDN or YOUR name) []: registry.22gi5d.gd1.qingcloud.com
      (using the QingCloud internal domain alias is recommended)
    # openssl x509 -req -in dev-docker-registry.com.csr -CA devdockerCA.crt -CAkey devdockerCA.key -CAcreateserial -out dev-docker-registry.com.crt -days 10000
    # sudo cp dev-docker-registry.com.crt /etc/ssl/certs/docker-registry
    # sudo cp dev-docker-registry.com.key /etc/ssl/private/docker-registry

Create the nginx configuration file /etc/nginx/sites-available/docker-registry:

    upstream docker-registry {
        server localhost:5000;
    }

    server {
        listen 8080;
        server_name registry.22gi5d.gd1.qingcloud.com;

        ssl on;
        ssl_certificate /etc/ssl/certs/docker-registry;
        ssl_certificate_key /etc/ssl/private/docker-registry;

        proxy_set_header Host $http_host;        # required for Docker client sake
        proxy_set_header X-Real-IP $remote_addr; # pass on real client IP

        client_max_body_size 0;                  # disable any limits to avoid HTTP 413 for large image uploads
        chunked_transfer_encoding on;

        location / {
            auth_basic "Restricted";
            auth_basic_user_file docker-registry.htpasswd;
            proxy_pass http://docker-registry;
        }

        location /_ping {
            auth_basic off;
            proxy_pass http://docker-registry;
        }

        location /v1/_ping {
            auth_basic off;
            proxy_pass http://docker-registry;
        }
    }

Enable the site and restart nginx:

    # sudo ln -s /etc/nginx/sites-available/docker-registry /etc/nginx/sites-enabled/docker-registry
    # sudo service nginx restart
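As an added example, not part of the slide deck, the following shell script emits a hardened variant of the nginx front end above and audits a configuration file for the settings that matter for a registry behind nginx: a TLS listener instead of the deprecated "ssl on", an explicit ssl_protocols, basic auth on the image locations with an absolute htpasswd path, and client_max_body_size 0. The host name, port and file paths are placeholders supplied as arguments; nothing is written under /etc. The _ping locations stay unauthenticated, as in the slides, because the Docker client of that era probes them before logging in.

```shell
#!/bin/sh
# Added example (not from the slides): emit a hardened nginx server block for a
# private registry and audit a config file for the security-relevant settings.
# Host name, port and paths are placeholders passed in by the caller.

# write_registry_nginx_conf HOST PORT CERT KEY HTPASSWD: print the config to stdout.
write_registry_nginx_conf() {
    host="$1"; port="$2"; cert="$3"; key="$4"; htpasswd="$5"
    cat <<EOF
upstream docker-registry {
    server 127.0.0.1:5000;
}
server {
    listen $port ssl;                 # 'ssl on;' is deprecated; 'listen ... ssl' replaces it
    server_name $host;
    ssl_certificate     $cert;
    ssl_certificate_key $key;
    ssl_protocols       TLSv1.2;      # add TLSv1.3 on nginx >= 1.13 built with OpenSSL 1.1.1
    ssl_ciphers         HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    proxy_set_header Host \$http_host;         # required by the Docker client
    proxy_set_header X-Real-IP \$remote_addr;  # pass the real client IP to the registry log
    client_max_body_size 0;                    # large layer uploads would otherwise get HTTP 413
    chunked_transfer_encoding on;
    location / {
        auth_basic "Restricted";
        auth_basic_user_file $htpasswd;        # absolute path: independent of nginx's prefix
        proxy_pass http://docker-registry;
    }
    location = /_ping    { auth_basic off; proxy_pass http://docker-registry; }  # Docker probes
    location = /v1/_ping { auth_basic off; proxy_pass http://docker-registry; }  # these unauthenticated
}
EOF
}

# audit_registry_nginx_conf FILE: print each finding, return 0 only if none.
audit_registry_nginx_conf() {
    f="$1"; rc=0
    grep -Eq '^[[:space:]]*listen[[:space:]]+[0-9.:]+[[:space:]]+ssl' "$f" \
        || { echo "no TLS listener (expected 'listen <port> ssl;')"; rc=1; }
    grep -Eq '^[[:space:]]*ssl[[:space:]]+on;' "$f" \
        && { echo "'ssl on;' is deprecated; use 'listen <port> ssl;'"; rc=1; }
    grep -Eq '^[[:space:]]*ssl_protocols' "$f" \
        || { echo "ssl_protocols not set; the nginx default may allow TLSv1.0/1.1"; rc=1; }
    grep -Eq '^[[:space:]]*ssl_protocols.*(TLSv1|TLSv1\.1)([[:space:]]|;)' "$f" \
        && { echo "legacy TLS versions enabled in ssl_protocols"; rc=1; }
    grep -Eq '^[[:space:]]*auth_basic[[:space:]]+"' "$f" \
        || { echo "no auth_basic on the registry locations"; rc=1; }
    grep -Eq '^[[:space:]]*auth_basic_user_file[[:space:]]+/' "$f" \
        || { echo "auth_basic_user_file missing or relative path"; rc=1; }
    grep -Eq '^[[:space:]]*client_max_body_size[[:space:]]+0;' "$f" \
        || { echo "client_max_body_size 0 missing; large pushes will fail with HTTP 413"; rc=1; }
    return $rc
}

# Stand-alone demonstration with placeholder values.
work=$(mktemp -d)
write_registry_nginx_conf registry.example.internal 8080 \
    /etc/ssl/certs/docker-registry /etc/ssl/private/docker-registry \
    /etc/nginx/docker-registry.htpasswd > "$work/docker-registry.conf"
audit_registry_nginx_conf "$work/docker-registry.conf" && echo "audit passed: $work/docker-registry.conf"
```

Run the audit against the existing /etc/nginx/sites-available/docker-registry before enabling it; the slide deck's own block is reported for the deprecated "ssl on", the missing ssl_protocols and the relative htpasswd path.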

A firewall rule opening port 8080 must be created in the QingCloud console; otherwise Docker cannot connect to the registry.

Connecting Docker to the Registry

Update the Docker host's certificates:

    # sudo mkdir /usr/local/share/ca-certificates/docker-dev-cert
    # sudo touch /usr/local/share/ca-certificates/docker-dev-cert/devdockerCA.crt

Copy the contents of the devdockerCA.crt generated on the registry host into this certificate file on the Docker host.

    # sudo update-ca-certificates
    Updating certificates in /etc/ssl/certs... 1 added, 0 removed; done.
    Running hooks in /etc/ca-certificates/update.d....done.
    # sudo service docker restart
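The certificate steps in the Authentication & SSL section produce a server certificate whose only name is the Common Name; the Docker daemon's Go TLS stack matches the host name against subjectAltName, so current Docker releases reject a CN-only certificate. As an added example, not the slides' own commands, this script generates the CA and server certificate with a SAN, verifies that the server certificate chains to the CA and names the registry host, and stages the CA in Docker's per-registry trust directory /etc/docker/certs.d/<host:port>/ca.crt, which scopes trust to that one registry instead of adding it to the system bundle with update-ca-certificates. It assumes the openssl CLI is installed; registry.example.internal and the scratch directory are placeholders.

```shell
#!/bin/sh
# Added example (not from the slides): build a private CA and a registry server
# certificate that carries a subjectAltName, verify the chain, and stage the CA
# in Docker's per-registry trust directory. Assumes the openssl CLI is present;
# registry.example.internal and all directories are placeholders.

# make_registry_certs HOST DIR: write ca.key/ca.crt and server.key/server.crt.
make_registry_certs() {
    host="$1"; dir="$2"
    mkdir -p "$dir" || return 1
    # Private CA valid 10 years; its CN is informational, clients trust it by file.
    openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null || return 1
    openssl req -x509 -new -nodes -key "$dir/ca.key" -days 3650 \
        -subj "/CN=registry-dev-ca" -out "$dir/ca.crt" 2>/dev/null || return 1
    # Server key and CSR. The host name goes into subjectAltName through an
    # extension file, because Go's TLS verifier ignores the CN for name matching.
    openssl genrsa -out "$dir/server.key" 2048 2>/dev/null || return 1
    openssl req -new -key "$dir/server.key" -subj "/CN=$host" \
        -out "$dir/server.csr" 2>/dev/null || return 1
    printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$host" \
        > "$dir/san.ext"
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 825 -extfile "$dir/san.ext" \
        -out "$dir/server.crt" 2>/dev/null || return 1
    # Private keys must not be world-readable.
    chmod 600 "$dir/ca.key" "$dir/server.key"
}

# verify_registry_cert HOST DIR: 0 if server.crt chains to ca.crt and names HOST.
verify_registry_cert() {
    host="$1"; dir="$2"
    openssl verify -CAfile "$dir/ca.crt" "$dir/server.crt" >/dev/null 2>&1 || return 1
    openssl x509 -in "$dir/server.crt" -noout -text 2>/dev/null \
        | grep -Eq "DNS:$host([,[:space:]]|\$)"
}

# install_docker_registry_ca HOST:PORT CAFILE [ROOT]: copy the CA to
# ROOT/HOST:PORT/ca.crt (ROOT defaults to /etc/docker/certs.d), the location
# dockerd consults for that registry only. ROOT is overridable for testing.
install_docker_registry_ca() {
    hostport="$1"; cafile="$2"; root="${3:-/etc/docker/certs.d}"
    grep -q 'BEGIN CERTIFICATE' "$cafile" || return 1   # refuse non-PEM input
    mkdir -p "$root/$hostport" || return 1
    cp "$cafile" "$root/$hostport/ca.crt" && chmod 644 "$root/$hostport/ca.crt"
}

# Stand-alone demonstration in a scratch directory.
work=$(mktemp -d)
make_registry_certs registry.example.internal "$work"
if verify_registry_cert registry.example.internal "$work"; then
    echo "server.crt chains to ca.crt and names registry.example.internal"
fi
install_docker_registry_ca registry.example.internal:8080 "$work/ca.crt" "$work/certs.d"
ls "$work/certs.d/registry.example.internal:8080"
```

On the Docker host, call install_docker_registry_ca with the real registry host:port and the CA file, then restart the Docker daemon; no change to /usr/local/share/ca-certificates is needed, and the registry's certificate chain can be re-checked at any time with verify_registry_cert.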

Log in to the registry:

    # docker login registry.22gi5d.gd1.qingcloud.com:8080
    Username: felix.liang
    Password: 123456
    Email:
    WARNING: login credentials saved in /root/.docker/config.json
    Login Succeeded

Connecting Docker to the Registry: pushing an image from the Docker host to the registry

Pull the mysql image from the public registry, tag it, and push it:

    # sudo docker pull mysql:5.5
    # sudo docker tag mysql:5.5 registry.22gi5d.gd1.qingcloud.com:8080/mysql:5.5
    # sudo docker push registry.22gi5d.gd1.qingcloud.com:8080/mysql:5.5

Pulling an image from the registry to the Docker host

Remove all local images, then search for and pull the image from the registry:

    # sudo docker search registry.22gi5d.gd1.qingcloud.com:8080/mysql
    NAME            DESCRIPTION   STARS   OFFICIAL   AUTOMATED
    library/mysql
    # sudo docker pull registry.22gi5d.gd1.qingcloud.com:8080/mysql:5.5
    …
    Status: Downloaded newer image for registry.22gi5d.gd1.qingcloud.com:8080/mysql:5.5

Running the Registry front-end tool

Start docker-registry-frontend directly as a container:

    # sudo docker run -d -e ENV_DOCKER_REGISTRY_HOST=registry.22gi5d.gd1.qingcloud.com -e ENV_DOCKER_REGISTRY_PORT=8080 -e ENV_DOCKER_REGISTRY_USE_SSL=1 -p 8090:80 konradkleine/docker-registry-frontend

Check that the container started successfully:

    # docker ps
    CONTAINER ID   IMAGE                                   COMMAND                CREATED          STATUS          PORTS                            NAMES
    d953be033dfd   konradkleine/docker-registry-frontend   "/bin/sh -c $START_S   14 seconds ago   Up 13 seconds   443/tcp, 0.0.0.0:8090->80/tcp   condescending_leakey
