部署私有Docker私有镜像仓库 harbor Registry-Docker
目录
高级之Harbor
安装Harbor1.4.0开源docker镜像仓库(含letsencrypt证书
初入门
docker run -d -p 5000:5000 --restart=always --name registry -v /opt/registry:/var/lib/registry registry:2 93602b4311e2 k8s.gcr.io/pause:3.1 "/pause" commit 将一个容器提交成镜像 和指定tag root@k8s-node1:~# docker commit 93602b4311e2 192.168.88.59:5000/mypause:v1 335sha256:0937ae67cb675168c23ede1e15408d19d235112a892f1c095c33404f50c9bf9f docker push 192.168.88.59:5000/mypause:v1
使用Docker Registry
docker 运行
如何 docker-compose
info Registry server 192.168.88.52 mkdir /data/registry #指定目录比指定配置文件更加重要 docker run -d \ -p 5000:5000 \ --restart=always \ --name registry \ -v /data/registry:/var/lib/registry \ registry:2 docker images REPOSITORY TAG IMAGE ID CREATED SIZE php 7.1-fpm-alpine cbfebc795f0b 4 weeks ago 70.1MB docker tag php:7.1-fpm-alpine 192.168.88.52:5000/php [root@localhost ~]# docker push 192.168.88.52:5000/php The push refers to repository [192.168.88.52:5000/php] Get https://192.168.88.52:5000/v2/: http: server gave HTTP response to HTTPS client vi /etc/docker/daemon.json { "insecure-registries":["192.168.88.52:5000"] } systemctl restart docker #再次push成功 docker push 192.168.88.52:5000/php
配置SSL证书及nginx反向代理docker registry
SSL证书生成
搭建私有CA,初始化CA环境,在/etc/pki/CA/下建立证书索引数据库文件index.txt和序列号文件serial,并为证书序列号文件提供初始值。 # touch /etc/pki/CA/{index.txt,serial} # echo 01 > /etc/pki/CA/serial 生成密钥并保存到/etc/pki/CA/private/cakey.pem # (umask 077;openssl genrsa -out /etc/pki/CA/private/cakey.pem 2048) 生成根证书 # openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/cacert.pem -days 3650 需要填写的信息: Country Name (2 letter code) [XX]:CN State or Province Name (full name) []:Beijing Locality Name (eg, city) [Default City]:Beijing Organization Name (eg, company) [Default Company Ltd]:hub Organizational Unit Name (eg, section) []:ops Common Name (eg, your name or your server's hostname) []:hub.com Email Address []:[email protected] 使系统信任根证书 cat /etc/pki/CA/cacert.pem >> /etc/pki/tls/certs/ca-bundle.crt 安装nginx yum install openssl模块已有 签发证书 创建ssl目录用来存放密钥文件和证书申请文件 mkdir /app/nginx/conf/ssl 创建密钥文件和证书申请文件 (umask 077;openssl genrsa -out /app/nginx/conf/ssl/docker.key 2048) openssl req -new -key /app/nginx/conf/ssl/docker.key -out /app/nginx/conf/ssl/docker.csr 填写的申请信息前四项要和私有CA的信息一致 Country Name (2 letter code) [XX]:CN State or Province Name (full name) []:Beijing Locality Name (eg, city) [Default City]:Beijing Organization Name (eg, company) [Default Company Ltd]:hub Organizational Unit Name (eg, section) []:ops Common Name (eg, your name or your server's hostname) []:hub.com Email Address []:[email protected] Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: #直接回车 An optional company name []: 签署,证书 openssl ca -in /app/nginx/conf/ssl/docker.csr -out /app/nginx/conf/ssl/docker.crt -days 3650 output 省 Certificate is to be certified until Jun 30 02:55:22 2029 GMT (3650 days) Sign the certificate? [y/n]:y 1 out of 1 certificate requests certified, commit? [y/n]y Write out database with 1 new entries Data Base Updated
配置nginx反向代理docker registry
添加认证 yum -y install httpd-tools #docker-registry.htpasswd 文件看nginx 的配置文件便可知 htpasswd -c /etc/nginx/conf.d/docker-registry.htpasswd test New password: Re-type new password: Adding password for user test [root@localhost conf.d]# cat docker-registry.conf upstream docker-registry { server 127.0.0.1:5000; } server { listen 80; server_name hub.com; return 301 https://$server_name$request_uri; } server { listen 443; server_name hub.com; #charset koi8-r; #access_log logs/host.access.log main; ssl on; ssl_certificate /app/nginx/conf/ssl/docker.crt; ssl_certificate_key /app/nginx/conf/ssl/docker.key; chunked_transfer_encoding on; proxy_set_header X-Forwarded-Proto "https"; client_max_body_size 1G; proxy_connect_timeout 3000; proxy_send_timeout 3000; proxy_read_timeout 3000; proxy_buffering off; tcp_nodelay on; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; add_header 'Docker-Distribution-Api-Version' 'registry/2.0' always; location / { auth_basic "Docker registry"; auth_basic_user_file /etc/nginx/conf.d/docker-registry.htpasswd; proxy_pass http://docker-registry; } location /_ping{ auth_basic off; proxy_pass http://docker-registry; } location /v2/_ping{ auth_basic off; proxy_pass http://docker-registry; } } systemctl restart nginx
registry usage
如果没有DNS解析内网域名,修改hosts文件 cat >>/etc/hosts <<EOF 192.168.88.52 hub.com EOF systemctl daemon-reload systemctl restart docker 登录 [root@localhost conf.d]# docker login hub.com Username: test Password: WARNING! Your password will be stored unencrypted in /root/.docker/config.json. Configure a credential helper to remove this warning. See https://docs.docker.com/engine/reference/commandline/login/#credentials-store Login Succeeded 把一个容器提交为images [root@localhost conf.d]# docker ps CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES 6d5f17124090 registry:2 "/entrypoint.sh /etc…" 2 hours ago Up 20 minutes 0.0.0.0:5000->5000/tcp registry [root@localhost conf.d]# docker commit 6d5f17124090 hub.com/registry:v2 sha256:d7af5d03593d7f60903dc9da2b9a4d1d0a1a70878e0a7a09423372261cb4fccb [root@localhost conf.d]# docker push hub.com/registry:v2 The push refers to repository [hub.com/registry] 上传镜像 docker tag nginx hub.com/nginx docker push hub.com/nginx 查看 curl -u test:test https://hub.com/v2/_catalog {"repositories":["httpd","nginx","php"]}
client
局域网内其他机器认证(192.168.88.60 ubuntu 其它机器 cat >>/etc/hosts <<EOF 192.168.88.52 hub.com EOF 把CA的密钥发送到客户机,并添加到ca-bundle.crt on 60 mkdir -p /etc/pki/tls/certs/ on 52 scp -p /etc/pki/tls/certs/ca-bundle.crt [email protected]:/etc/pki/tls/certs/ca-bundle.crt scp -p /etc/pki/CA/cacert.pem [email protected]:/etc/pki/CA/cacert.pem #on 60 cat /etc/pki/CA/cacert.pem >> /etc/pki/tls/certs/ca-bundle.crt 重启docker systemctl restart docker
trouble
问题 [root@localhost conf.d]# docker login hub.com Username: test Password: Error response from daemon: login attempt to https://hub.com/v2/ failed with status: 404 Not Found host 搞错 要前面是ip 后面是域名 一开始注释了ssl证书 Username: test Password: Error response from daemon: Get https://hub.com/v2/: http: server gave HTTP response to HTTPS client ssl err #on ubuntu root@k8s-node2:~# docker login hub.com Username: test Password: Error response from daemon: Get https://hub.com/v2/: x509: certificate signed by unknown authority cat /etc/docker/daemon.json { "insecure-registries" : ["hub.com"] } systemctl restart docker
docker push unknown blob received unexpected HTTP status: 502 Bad Gateway
docker push hub.com/httpd:2.4.16 最后老是 unknown blob nginx 配置文件问题? received unexpected HTTP status: 502 Bad Gateway 解决办法 在nginx.conf add proxy_set_header X-Forwarded-Proto "https"; client_max_body_size 1G; proxy_connect_timeout 3000; proxy_send_timeout 3000; proxy_read_timeout 3000; proxy_buffering off; tcp_nodelay on; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
see also
https://docs.docker.com/registry/configuration/
docker login x509: certificate signed by unknown authority
docker push 出现:x509: certificate signed by unknown authority
https://docs.docker.com/registry/insecure/#deploy-a-plain-http-registry
docker通过代理上传https协议的私服地址报错unknown blob
解决:Error response from daemon: Get https://index.docker.io/v1/search?q=openjdk&n=25: dial tcp: looku
docker login CA认证问题/添加自签发的 SSL 证书为受信任的根证书
CentOS7.4 Docker Harbor registry基于Https方式安全认证私有仓库搭建
Moving to Docker(二):搭建一个私有registry服务
other
How To Create a Self-Signed SSL Certificate for Nginx on CentOS 7
changelog
2019年 07月 03日 星期三 16:23:35 CST 添加ssl