部署私有Docker私有镜像仓库 harbor Registry-Docker
目录
高级之Harbor
安装Harbor1.4.0开源docker镜像仓库(含letsencrypt证书
初入门
docker run -d -p 5000:5000 --restart=always --name registry -v /opt/registry:/var/lib/registry registry:2 93602b4311e2 k8s.gcr.io/pause:3.1 "/pause" commit 将一个容器提交成镜像 和指定tag root@k8s-node1:~# docker commit 93602b4311e2 192.168.88.59:5000/mypause:v1 335sha256:0937ae67cb675168c23ede1e15408d19d235112a892f1c095c33404f50c9bf9f docker push 192.168.88.59:5000/mypause:v1
使用Docker Registry
docker 运行
如何 docker-compose
info Registry server 192.168.88.52
mkdir /data/registry
#指定目录比指定配置文件更加重要
docker run -d \
-p 5000:5000 \
--restart=always \
--name registry \
-v /data/registry:/var/lib/registry \
registry:2
docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
php 7.1-fpm-alpine cbfebc795f0b 4 weeks ago 70.1MB
docker tag php:7.1-fpm-alpine 192.168.88.52:5000/php
[root@localhost ~]# docker push 192.168.88.52:5000/php
The push refers to repository [192.168.88.52:5000/php]
Get https://192.168.88.52:5000/v2/: http: server gave HTTP response to HTTPS client
vi /etc/docker/daemon.json
{ "insecure-registries":["192.168.88.52:5000"] }
systemctl restart docker
#再次push成功
docker push 192.168.88.52:5000/php
配置SSL证书及nginx反向代理docker registry
SSL证书生成
搭建私有CA,初始化CA环境,在/etc/pki/CA/下建立证书索引数据库文件index.txt和序列号文件serial,并为证书序列号文件提供初始值。
# touch /etc/pki/CA/{index.txt,serial}
# echo 01 > /etc/pki/CA/serial
生成密钥并保存到/etc/pki/CA/private/cakey.pem
# (umask 077;openssl genrsa -out /etc/pki/CA/private/cakey.pem 2048)
生成根证书
# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/cacert.pem -days 3650
需要填写的信息:
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Beijing
Locality Name (eg, city) [Default City]:Beijing
Organization Name (eg, company) [Default Company Ltd]:hub
Organizational Unit Name (eg, section) []:ops
Common Name (eg, your name or your server's hostname) []:hub.com
Email Address []:[email protected]
使系统信任根证书
cat /etc/pki/CA/cacert.pem >> /etc/pki/tls/certs/ca-bundle.crt
安装nginx
yum install openssl模块已有
签发证书
创建ssl目录用来存放密钥文件和证书申请文件
mkdir /app/nginx/conf/ssl
创建密钥文件和证书申请文件
(umask 077;openssl genrsa -out /app/nginx/conf/ssl/docker.key 2048)
openssl req -new -key /app/nginx/conf/ssl/docker.key -out /app/nginx/conf/ssl/docker.csr
填写的申请信息前四项要和私有CA的信息一致
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Beijing
Locality Name (eg, city) [Default City]:Beijing
Organization Name (eg, company) [Default Company Ltd]:hub
Organizational Unit Name (eg, section) []:ops
Common Name (eg, your name or your server's hostname) []:hub.com
Email Address []:[email protected]
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: #直接回车
An optional company name []:
签署,证书
openssl ca -in /app/nginx/conf/ssl/docker.csr -out /app/nginx/conf/ssl/docker.crt -days 3650
output 省
Certificate is to be certified until Jun 30 02:55:22 2029 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
配置nginx反向代理docker registry
添加认证
yum -y install httpd-tools
#docker-registry.htpasswd 文件看nginx 的配置文件便可知
htpasswd -c /etc/nginx/conf.d/docker-registry.htpasswd test
New password:
Re-type new password:
Adding password for user test
[root@localhost conf.d]# cat docker-registry.conf
upstream docker-registry {
server 127.0.0.1:5000;
}
server {
listen 80;
server_name hub.com;
return 301 https://$server_name$request_uri;
}
server {
listen 443;
server_name hub.com;
#charset koi8-r;
#access_log logs/host.access.log main;
ssl on;
ssl_certificate /app/nginx/conf/ssl/docker.crt;
ssl_certificate_key /app/nginx/conf/ssl/docker.key;
chunked_transfer_encoding on;
proxy_set_header X-Forwarded-Proto "https";
client_max_body_size 1G;
proxy_connect_timeout 3000;
proxy_send_timeout 3000;
proxy_read_timeout 3000;
proxy_buffering off;
tcp_nodelay on;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
add_header 'Docker-Distribution-Api-Version' 'registry/2.0' always;
location / {
auth_basic "Docker registry";
auth_basic_user_file /etc/nginx/conf.d/docker-registry.htpasswd;
proxy_pass http://docker-registry;
}
location /_ping{
auth_basic off;
proxy_pass http://docker-registry;
}
location /v2/_ping{
auth_basic off;
proxy_pass http://docker-registry;
}
}
systemctl restart nginx
registry usage
如果没有DNS解析内网域名,修改hosts文件
cat >>/etc/hosts <<EOF
192.168.88.52 hub.com
EOF
systemctl daemon-reload
systemctl restart docker
登录
[root@localhost conf.d]# docker login hub.com
Username: test
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
把一个容器提交为images
[root@localhost conf.d]# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
6d5f17124090 registry:2 "/entrypoint.sh /etc…" 2 hours ago Up 20 minutes 0.0.0.0:5000->5000/tcp registry
[root@localhost conf.d]# docker commit 6d5f17124090 hub.com/registry:v2
sha256:d7af5d03593d7f60903dc9da2b9a4d1d0a1a70878e0a7a09423372261cb4fccb
[root@localhost conf.d]# docker push hub.com/registry:v2
The push refers to repository [hub.com/registry]
上传镜像
docker tag nginx hub.com/nginx
docker push hub.com/nginx
查看
curl -u test:test https://hub.com/v2/_catalog
{"repositories":["httpd","nginx","php"]}
client
局域网内其他机器认证(192.168.88.60 ubuntu 其它机器 cat >>/etc/hosts <<EOF 192.168.88.52 hub.com EOF 把CA的密钥发送到客户机,并添加到ca-bundle.crt on 60 mkdir -p /etc/pki/tls/certs/ on 52 scp -p /etc/pki/tls/certs/ca-bundle.crt [email protected]:/etc/pki/tls/certs/ca-bundle.crt scp -p /etc/pki/CA/cacert.pem [email protected]:/etc/pki/CA/cacert.pem #on 60 cat /etc/pki/CA/cacert.pem >> /etc/pki/tls/certs/ca-bundle.crt 重启docker systemctl restart docker
trouble
问题
[root@localhost conf.d]# docker login hub.com
Username: test
Password:
Error response from daemon: login attempt to https://hub.com/v2/ failed with status: 404 Not Found
host 搞错 要前面是ip 后面是域名
一开始注释了ssl证书
Username: test
Password:
Error response from daemon: Get https://hub.com/v2/: http: server gave HTTP response to HTTPS client
ssl err
#on ubuntu
root@k8s-node2:~# docker login hub.com
Username: test
Password:
Error response from daemon: Get https://hub.com/v2/: x509: certificate signed by unknown authority
cat /etc/docker/daemon.json
{
"insecure-registries" : ["hub.com"]
}
systemctl restart docker
docker push unknown blob received unexpected HTTP status: 502 Bad Gateway
docker push hub.com/httpd:2.4.16
最后老是
unknown blob
nginx 配置文件问题?
received unexpected HTTP status: 502 Bad Gateway
解决办法 在nginx.conf add
proxy_set_header X-Forwarded-Proto "https";
client_max_body_size 1G;
proxy_connect_timeout 3000;
proxy_send_timeout 3000;
proxy_read_timeout 3000;
proxy_buffering off;
tcp_nodelay on;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
see also
https://docs.docker.com/registry/configuration/
docker login x509: certificate signed by unknown authority
docker push 出现:x509: certificate signed by unknown authority
https://docs.docker.com/registry/insecure/#deploy-a-plain-http-registry
Docker Hub 仓库使用,及搭建 Docker Registry
docker通过代理上传https协议的私服地址报错unknown blob
解决:Error response from daemon: Get https://index.docker.io/v1/search?q=openjdk&n=25: dial tcp: looku
docker login CA认证问题/添加自签发的 SSL 证书为受信任的根证书
CentOS7.4 Docker Harbor registry基于Https方式安全认证私有仓库搭建
Moving to Docker(二):搭建一个私有registry服务
other
How To Create a Self-Signed SSL Certificate for Nginx on CentOS 7
changelog
2019年 07月 03日 星期三 16:23:35 CST 添加ssl
