I. Plain mode, no SSL
Set up a private Docker registry
On dedicated Docker private registry host, we use CentOS7:
add CentOS-Extras repository
yum -y install docker-registry
systemctl start docker-registry
systemctl enable docker-registry
Install docker and pull the images you need, then:
vi /etc/sysconfig/docker
INSECURE_REGISTRY='--insecure-registry=docker-registry-host:5000'
systemctl restart docker
docker tag image-id registry-host-name:5000/ubuntu:14.04.2 (etc.)
docker push registry-host-name:5000/ubuntu:14.04.2 (etc.)
List the contents of the private Docker registry:
curl http://registry-host-name:5000/v1/search
on normal docker hosts that want to use this private registry:
CentOS7:
vi /etc/sysconfig/docker
INSECURE_REGISTRY='--insecure-registry=docker-registry-host:5000'
systemctl restart docker
docker pull docker-registry-host:5000/ubuntu:14.04.2
CentOS6:
vi /etc/sysconfig/docker
other_args="--registry-mirror=http://8c6d2546.m.daocloud.io --insecure-registry=docker-registry-host:5000"
service docker restart
docker pull docker-registry-host:5000/ubuntu:14.04.2
Ubuntu 14.04.2:
vi /etc/default/docker
DOCKER_OPTS="--registry-mirror=http://8c6d2546.m.daocloud.io --insecure-registry=192.168.1.6:5000"
service docker restart
docker pull docker-registry-host:5000/ubuntu:14.04.2
Notes:
docker run -d -p 5000:5000 -v /opt/docker/registry:/tmp/registry registry:latest
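A host that keeps an --insecure-registry entry skips certificate verification for that registry and may fall back to plain HTTP, so these flags are worth auditing once the SSL setup is in place. The check below is an added example, not part of the original post; the function name and the output format are assumptions, while the file paths and option names are the ones used above.

```sh
#!/bin/sh
# Added example (not from the original post).
# plaintext_registries FILE...
# Prints "FILE<TAB>KIND<TAB>VALUE" for every registry that the daemon options
# in FILE allow to be reached without verified TLS.
# Only the --flag=value form used on the page is recognised.
plaintext_registries() {
    for f in "$@"; do
        [ -r "$f" ] || continue
        # Drop commented-out lines, then split on blanks and quotes so that
        # each daemon flag becomes one token per line.
        grep -v '^[[:space:]]*#' "$f" | tr -s ' \t"'"'" '\n\n\n\n' |
        while IFS= read -r tok; do
            case $tok in
                --insecure-registry=*)
                    printf '%s\t%s\t%s\n' "$f" insecure-registry "${tok#*=}" ;;
                --registry-mirror=http://*)
                    printf '%s\t%s\t%s\n' "$f" http-mirror "${tok#*=}" ;;
            esac
        done
    done
}

# Typical call on the hosts configured above:
#   plaintext_registries /etc/sysconfig/docker /etc/default/docker
```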
II. Secure mode, with SSL
On dedicated Docker private registry host, we use CentOS7:
add CentOS-Extras repository
yum -y install docker-registry
systemctl start docker-registry
systemctl enable docker-registry
1. Installing Nginx:
add EPEL repository
yum -y install nginx
systemctl enable nginx
systemctl start nginx
2. Configure access through Nginx to your private docker registry
vi /etc/hosts
ip-address-of-docker-registry www.ilovedocker.com
mkdir /etc/nginx/sites-available
vi /etc/nginx/sites-available/docker-registry
# For versions of Nginx > 1.3.9 that include chunked transfer encoding support
# Replace with appropriate values where necessary
upstream private-docker-registry {
  server localhost:5000;
}
server {
  listen 443;
  server_name www.ilovedocker.com;
  #ssl on;
  #ssl_certificate /etc/pki/tls/certs/www.ilovedocker.com.crt;
  #ssl_certificate_key /etc/pki/tls/private/www.ilovedocker.com.key;
  proxy_set_header Host $http_host; # required for Docker client sake
  proxy_set_header X-Real-IP $remote_addr; # pass on real client IP
  client_max_body_size 0; # disable any limits to avoid HTTP 413 for large image uploads
  # required to avoid HTTP 411: see Issue #1486 (https://github.com/dotcloud/docker/issues/1486)
  chunked_transfer_encoding on;
  location / {
    # let Nginx know about our auth file
    auth_basic "Restricted";
    auth_basic_user_file docker-registry.htpasswd;
    proxy_pass http://private-docker-registry;
  }
  location /_ping {
    auth_basic off;
    proxy_pass http://private-docker-registry;
  }
  location /v1/_ping {
    auth_basic off;
    proxy_pass http://private-docker-registry;
  }
}
vi /etc/sysconfig/docker-registry
REGISTRY_ADDRESS=127.0.0.1
systemctl restart docker-registry
yum -y install httpd-tools
htpasswd -c /etc/nginx/docker-registry.htpasswd USERNAME
Open the file /etc/nginx/nginx.conf and add after the line “include /etc/nginx/conf.d/*.conf;” the following:
include /etc/nginx/sites-enabled/*;
mkdir /etc/nginx/sites-enabled
ln -s /etc/nginx/sites-available/docker-registry /etc/nginx/sites-enabled/docker-registry
systemctl reload nginx
curl USER:PASSWORD@www.ilovedocker.com:443
3. Configure Nginx to use ssl
mkdir ~/certs
cd ~/certs
create a new root key:
openssl genrsa -out dockerCA.key 2048
create a root certificate, you don’t have to answer the upcoming question, just hit enter:
openssl req -x509 -new -nodes -key dockerCA.key -days 3650 -out dockerCA.crt
create a private key for your Nginx Server:
openssl genrsa -out www.ilovedocker.com.key 2048
Next a certificate signing request is needed:
openssl req -new -key www.ilovedocker.com.key -out www.ilovedocker.com.csr
Answer the upcoming question for “Common Name” with the domain of your server, e.g: www.ilovedocker.com. Don’t provide a challenge password.
sign the certificate request:
openssl x509 -req -in www.ilovedocker.com.csr -CA dockerCA.crt -CAkey dockerCA.key -CAcreateserial -out www.ilovedocker.com.crt -days 3650
vi /etc/nginx/sites-available/docker-registry to uncomment ssl lines
cp www.ilovedocker.com.crt /etc/pki/tls/certs/
cp www.ilovedocker.com.key /etc/pki/tls/private/
update-ca-trust enable
cp dockerCA.crt /etc/pki/ca-trust/source/anchors/
update-ca-trust extract
systemctl reload nginx
curl https://USER:PASSWORD@www.ilovedocker.com
4. On the remote docker host: docker with your private remote docker registry
Ubuntu 14.04:
vi /etc/hosts
ip-address-of-docker-registry www.ilovedocker.com
copy dockerCA.crt to /usr/local/share/ca-certificates
update-ca-certificates
CentOS6/7:
vi /etc/hosts
ip-address-of-docker-registry www.ilovedocker.com
copy dockerCA.crt to /etc/pki/ca-trust/source/anchors
update-ca-trust enable
update-ca-trust extract
docker login https://www.ilovedocker.com
docker pull ubuntu
docker tag ubuntu www.ilovedocker.com/ubuntu:hj
docker push www.ilovedocker.com/ubuntu:hj
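The certificate commands from step 3, scripted non-interactively and followed by a verification step, as an added example that is not part of the original post. It also writes a subjectAltName into the server certificate, because Docker clients built with Go 1.15 or later reject a certificate that carries the host name only in the Common Name; the function names, the CA subject "dockerCA" and the helper file san.ext are assumptions.

```sh
#!/bin/sh
# Added example: file names follow the page; function names, the CA subject
# "dockerCA" and the helper file san.ext are assumptions.

# make_registry_certs DIR HOST: create dockerCA.{key,crt} and HOST.{key,csr,crt}
make_registry_certs() {
    dir=$1
    host=$2
    mkdir -p "$dir" || return 1
    (
        cd "$dir" || exit 1
        # Root key and self-signed root certificate (10 years, as on the page)
        openssl genrsa -out dockerCA.key 2048 2>/dev/null || exit 1
        openssl req -x509 -new -nodes -key dockerCA.key -sha256 -days 3650 \
            -subj "/CN=dockerCA" -out dockerCA.crt || exit 1
        # Server key and CSR; -subj replaces the interactive Common Name prompt
        openssl genrsa -out "$host.key" 2048 2>/dev/null || exit 1
        openssl req -new -key "$host.key" -subj "/CN=$host" \
            -out "$host.csr" || exit 1
        chmod 600 dockerCA.key "$host.key"   # private keys: owner only
        # Sign the CSR and add the SAN entry that hostname checks rely on
        printf 'subjectAltName=DNS:%s\n' "$host" > san.ext
        openssl x509 -req -in "$host.csr" -CA dockerCA.crt -CAkey dockerCA.key \
            -CAcreateserial -sha256 -days 3650 -extfile san.ext \
            -out "$host.crt" 2>/dev/null || exit 1
    )
}

# verify_registry_cert DIR HOST: succeed only if HOST.crt chains to
# dockerCA.crt, names HOST in its SAN, and matches HOST.key
verify_registry_cert() {
    dir=$1
    host=$2
    openssl verify -CAfile "$dir/dockerCA.crt" "$dir/$host.crt" \
        >/dev/null 2>&1 || return 1
    openssl x509 -in "$dir/$host.crt" -noout -text |
        grep -qF "DNS:$host" || return 1
    cert_pub=$(openssl x509 -in "$dir/$host.crt" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$dir/$host.key" -pubout | openssl sha256)
    [ "$cert_pub" = "$key_pub" ]
}
```

Running verify_registry_cert before copying the files into /etc/pki catches a certificate signed by the wrong CA or paired with the wrong key while it is still cheap to regenerate.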