1. Pull the official registry image and start a test instance
#docker pull registry
#mkdir /opt/data/registry -pv
# docker run -d -p 5000:5000 -v /opt/data/registry/:/var/lib/registry --name local-hub registry
If you do not need TLS, add the following to /etc/docker/daemon.json and restart the daemon (systemctl restart docker). Docker requires HTTPS for registries by default and refuses to talk to this plain-HTTP one unless it is listed under insecure-registries; replace the IP address with that of your registry host. The mirror key is registry-mirrors (plural): the daemon refuses to start when daemon.json contains an unknown key. Bear in mind that such a registry has no authentication at all, so anyone who can reach port 5000 can push and pull; use it only for testing on a trusted network.
{
  "registry-mirrors": [
    "https://uf3mgws6.mirror.aliyuncs.com"
  ],
  "insecure-registries": [
    "192.168.15.102:5000"
  ]
}
Once the daemon has been restarted, test by pushing an image:
#docker tag java/tomcat:1.8.0_192 192.168.15.102:5000/java/tomcat:1.8.0_192
#docker push 192.168.15.102:5000/java/tomcat:1.8.0_192
#curl 192.168.15.102:5000/v2/_catalog #check that the push succeeded: the repository should be listed in the JSON response
2. Set up a private CA
#cd /etc/pki/CA
#(umask 077; openssl genrsa -out private/cakey.pem) #generate the CA private key (umask 077 keeps the file readable by root only)
#openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 3667 #create the self-signed CA certificate and answer the prompts; remember what you enter for Country, State/Province and Organization, the server certificate request must repeat them

Create the files that openssl ca expects; skip any that already exist under /etc/pki/CA:
#mkdir certs crl newcerts
#touch index.txt
#echo 00 > serial #initialise the serial number
3. Issue the registry certificate
#mkdir /root/hub
#cd /root/hub
#(umask 077; openssl genrsa 2048 >hub.key) #generate the registry's private key; the original post used 1024 bits, which OpenSSL security level 2 and the RHEL crypto-policies now reject, so use at least 2048
#openssl req -new -key hub.key -out hub.csr #generate the certificate signing request and send it to the CA host (no copy needed if the CA is on the same machine). With the default openssl.cnf the policy_match policy applies, so Country, State/Province and Organization must be identical to those entered for the CA certificate; the Common Name must be the registry hostname (hub.amd5.cn here). Note that Docker's Go TLS stack (Go 1.15 and later) ignores the Common Name and requires the hostname in a subjectAltName extension; a certificate without one is rejected with "x509: certificate relies on legacy Common Name field, use SANs instead", so add the SAN when the certificate is signed

# openssl ca -in ./hub.csr -out ./hub.crt -days 3650 #sign the request with the CA; the certificate is valid for 10 years

Error 1:
wrong number of fields on line 1 (looking for field 6, got 1, '' left)
Cause: index.txt is not empty (for example it contains a blank line); truncate it to an empty file.
Error 2:
error while loading serial number
3078239980:error:0D066096:asn1 encoding routines:a2i_ASN1_INTEGER:short line:f_int.c:215:
Cause: the serial file has no initial value, i.e. echo 00 > serial was never run.
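As an added example (not part of the original post) covering sections 2 and 3 in one non-interactive run: it builds the CA and signs the registry certificate with its own throwaway openssl config instead of /etc/pki/CA, creates the empty index.txt and initialised serial file that the two errors above come from, and, unlike the interactive flow, puts the registry hostname into a subjectAltName so that Go-based clients such as the Docker daemon accept the certificate. The output directory, the CA subject and the hostname hub.amd5.cn are assumptions; adjust them for your environment.

```shell
#!/bin/sh
# Added example, not from the original post. Builds a private CA and issues a
# registry server certificate carrying a subjectAltName. The directory layout,
# the CA subject and the hostname are assumptions.
set -eu

# make_registry_certs DIR HOSTNAME
#   DIR/ca/cacert.pem          CA certificate (distribute this to clients)
#   DIR/ca/private/cakey.pem   CA private key (never leaves the CA host)
#   DIR/server/hub.crt, hub.key  registry certificate and private key
make_registry_certs() {
  dir=$1; host=$2
  mkdir -p "$dir/ca/private" "$dir/ca/newcerts" "$dir/server"
  chmod 700 "$dir/ca/private"
  : > "$dir/ca/index.txt"     # must exist and be EMPTY (else "wrong number of fields")
  echo 01 > "$dir/ca/serial"  # must be initialised (else "error while loading serial number")

  # Minimal openssl ca config; \$dir is expanded by openssl, $dir/$host by the shell.
  cat > "$dir/openssl.cnf" <<EOF
[ ca ]
default_ca = local_ca

[ local_ca ]
dir           = $dir/ca
database      = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial        = \$dir/serial
certificate   = \$dir/cacert.pem
private_key   = \$dir/private/cakey.pem
default_md    = sha256
default_days  = 3650
policy        = policy_loose

[ policy_loose ]
commonName             = supplied
countryName            = optional
stateOrProvinceName    = optional
organizationName       = optional
organizationalUnitName = optional
emailAddress           = optional

[ req ]
distinguished_name = req_dn
[ req_dn ]

[ ca_ext ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ server_ext ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = DNS:$host
EOF

  # CA: 2048-bit key, self-signed for 10 years, marked as a CA via ca_ext
  (umask 077; openssl genrsa -out "$dir/ca/private/cakey.pem" 2048 2>/dev/null)
  openssl req -x509 -new -config "$dir/openssl.cnf" -extensions ca_ext \
    -key "$dir/ca/private/cakey.pem" -subj "/O=Private Registry CA/CN=hub-ca" \
    -days 3650 -out "$dir/ca/cacert.pem"

  # Registry: 2048-bit key (1024 is rejected by current TLS stacks), CSR, then
  # sign it with the SAN from server_ext instead of relying on the Common Name.
  (umask 077; openssl genrsa -out "$dir/server/hub.key" 2048 2>/dev/null)
  openssl req -new -config "$dir/openssl.cnf" -key "$dir/server/hub.key" \
    -subj "/CN=$host" -out "$dir/server/hub.csr"
  openssl ca -batch -notext -config "$dir/openssl.cnf" -extensions server_ext \
    -in "$dir/server/hub.csr" -out "$dir/server/hub.crt" 2>/dev/null
  rm -f "$dir/server/hub.csr"
}

# check_registry_cert DIR HOSTNAME: the chain verifies against the CA and the
# certificate's SAN carries HOSTNAME (what a Go client actually checks).
check_registry_cert() {
  openssl verify -CAfile "$1/ca/cacert.pem" "$1/server/hub.crt" >/dev/null 2>&1 &&
  openssl x509 -in "$1/server/hub.crt" -noout -text | grep -q "DNS:$2"
}
```

Copy DIR/server/hub.crt and hub.key into the registry's ssl/ directory and DIR/ca/cacert.pem to every client; the CA private key stays on the CA host.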
4. Configure the private registry
#mkdir {ssl,auth}
#mv hub.crt hub.key ./ssl
#rm -f hub.csr #the signing request is no longer needed once the certificate is issued
#docker run --rm --entrypoint htpasswd registry -Bbn admin admin123 > auth/nginx.htpasswd #generate the HTTP basic-auth file with a bcrypt hash (the registry only accepts bcrypt); replace the username and password with your own. Registry images from 2.7.0 onward no longer ship htpasswd; use the httpd:2 image with the same arguments instead
Write config.yml (YAML, so indentation matters):
#cat config.yml
version: 0.1
log:
  accesslog:
    disabled: true
  level: debug
  formatter: text
  fields:
    service: registry
    environment: staging
storage:
  delete:
    enabled: true
  cache:
    blobdescriptor: inmemory
  filesystem:
    rootdirectory: /var/lib/registry
auth:
  htpasswd:
    realm: basic-realm
    path: /etc/docker/registry/auth/nginx.htpasswd
http:
  addr: :443
  host: https://hub.amd5.cn
  headers:
    X-Content-Type-Options: [nosniff]
  http2:
    disabled: false
  tls:
    certificate: /etc/docker/registry/ssl/hub.crt
    key: /etc/docker/registry/ssl/hub.key
health:
  storagedriver:
    enabled: true
    interval: 10s
    threshold: 3
5. Install docker-compose
1) On 64-bit Linux, download the binary directly:
#curl -L https://github.com/docker/compose/releases/download/1.17.1/docker-compose-`uname -s`-`uname -m` > /usr/local/bin/docker-compose
#chmod +x /usr/local/bin/docker-compose
2) Bash completion:
#curl -L https://raw.githubusercontent.com/docker/compose/1.8.0/contrib/completion/bash/docker-compose > /etc/bash_completion.d/docker-compose
3) Write docker-compose.yml (./ is mounted at /etc/docker/registry, where the image expects config.yml, ssl/ and auth/):
#cat docker-compose.yml
version: '3'
services:
  registry:
    image: registry
    ports:
      - "443:443"
    volumes:
      - ./:/etc/docker/registry
      - registry-data:/var/lib/registry
volumes:
  registry-data:
4) Add a hosts entry:
# cat << EOF >> /etc/hosts
> 192.168.15.102 hub.amd5.cn
> EOF
5) Make Docker trust the CA; without this, docker login fails with: Error response from daemon: Get https://hub.amd5.cn/v1/users/: x509: certificate signed by unknown authority
#cat /etc/pki/CA/cacert.pem >>/etc/pki/tls/certs/ca-bundle.crt #make the OS trust our self-signed CA; repeat this on every other host that will log in, push or pull (on RHEL/CentOS the durable way is cp /etc/pki/CA/cacert.pem /etc/pki/ca-trust/source/anchors/ && update-ca-trust, because update-ca-trust regenerates ca-bundle.crt and would drop a line appended by hand)
#mkdir -p /etc/docker/certs.d/hub.amd5.cn
#cp /etc/pki/CA/cacert.pem /etc/docker/certs.d/hub.amd5.cn/ca.crt #Docker reads CA files only from a per-registry directory named after the registry host (plus :port if one is used); a ca.crt placed directly under certs.d is ignored. Only the CA certificate is distributed, never the CA private key
#systemctl restart docker
#docker-compose up -d #start the registry

6. Push and pull tests
1) Push test
For building the image, see the post on packaging a minimal java/tomcat Docker image.
#docker tag java/tomcat:1.8.0_192 hub.amd5.cn/java/tomcat:1.8.0_192 #tag on another host, then push
#docker push hub.amd5.cn/java/tomcat:1.8.0_192

2) Inspect the certificate

3) Client daemon.json
Once the CA is trusted, hub.amd5.cn must not be listed under insecure-registries: that setting tells the daemon to accept an unverifiable certificate or fall back to plain HTTP, which throws away the protection the CA provides (entries carry no scheme either; Docker strips an https:// prefix with a warning). A client needs only the mirror entry, if any:
#cat /etc/docker/daemon.json
{
  "registry-mirrors": [
    "https://uf3mgws6.mirror.aliyuncs.com"
  ]
}
4) Let Kubernetes pull from the private registry
#kubectl create secret docker-registry registrysecret --docker-server=hub.amd5.cn --docker-username=admin --docker-password=admin123 #create the pull secret; the password is stored base64-encoded, not encrypted, so restrict who can read secrets in the namespace
#kubectl patch serviceaccount default -p '{"imagePullSecrets": [{"name": "registrysecret"}]}' #attach it to the namespace's default service account so every pod using that account gets it
#kubectl run java --image=hub.amd5.cn/java/tomcat:1.8.0_192 --replicas=2 #pull test; kubectl 1.18 and later no longer accept --replicas on kubectl run, use kubectl create deployment java --image=hub.amd5.cn/java/tomcat:1.8.0_192 followed by kubectl scale deployment java --replicas=2 instead
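As an added example (not part of the original post): the manifest-based equivalent of the three kubectl commands above, written so the pull secret can be reviewed before it is applied. kubectl create secret docker-registry stores a Docker config.json under the .dockerconfigjson key, and the credential inside it is merely base64-encoded; the functions below build that document, wrap it in a Secret, and write a Deployment that references the secret by name rather than relying on the patched default service account. The secret name, registry host, credentials and image are the post's own placeholders, and the JSON is assembled without escaping, so the credentials must not contain double quotes or backslashes.

```shell
#!/bin/sh
# Added example, not from the original post. Generates the image-pull Secret and a
# Deployment that uses it. Names and credentials are placeholders; no JSON escaping
# is performed, so usernames/passwords must not contain '"' or '\'.
set -eu

# docker_config_json SERVER USER PASSWORD
# Prints the config.json document that ends up in the secret. "auth" is
# base64(USER:PASSWORD): an encoding, not encryption, so the secret is a credential.
docker_config_json() {
  auth=$(printf '%s:%s' "$2" "$3" | base64 | tr -d '\n')
  printf '{"auths":{"%s":{"username":"%s","password":"%s","auth":"%s"}}}\n' \
    "$1" "$2" "$3" "$auth"
}

# pull_secret_manifest NAME SERVER USER PASSWORD
# Prints a kubernetes.io/dockerconfigjson Secret, the same type that
# `kubectl create secret docker-registry` produces.
pull_secret_manifest() {
  cfg=$(docker_config_json "$2" "$3" "$4" | base64 | tr -d '\n')
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $1
type: kubernetes.io/dockerconfigjson
data:
  .dockerconfigjson: $cfg
EOF
}

# deployment_manifest NAME IMAGE REPLICAS SECRET
# Prints a Deployment whose pod spec names the pull secret explicitly, so it works
# even when the default service account has not been patched.
deployment_manifest() {
  cat <<EOF
apiVersion: apps/v1
kind: Deployment
metadata:
  name: $1
spec:
  replicas: $3
  selector:
    matchLabels:
      app: $1
  template:
    metadata:
      labels:
        app: $1
    spec:
      imagePullSecrets:
        - name: $4
      containers:
        - name: $1
          image: $2
EOF
}

# Usage (placeholders from the post):
#   pull_secret_manifest registrysecret hub.amd5.cn admin admin123 | kubectl apply -f -
#   deployment_manifest java hub.amd5.cn/java/tomcat:1.8.0_192 2 registrysecret | kubectl apply -f -
```

Keep the generated Secret manifest out of version control, or encrypt it at rest, since anyone who can read it can decode the registry password with a single base64 call.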



