docker 比较重要的一个组成部分就是它的共有镜像仓库,但如果公司或者团队内部使用,则需要搭建内部的私有仓库,今天就说一下私有仓库的搭建及过程中遇到的问题和解决方法。

Centos 7 docker registry的搭建

系统配置:Centos 7 内核3.10.0-229.20.1.el7.x86_64Docker version 1.8.2

运行 docker registry

执行下列命令:

docker run \
    -d \
    --name private_registry  --restart=always \
    -e SETTINGS_FLAVOUR=dev \
    -e STORAGE_PATH=/registry-storage \
    -v /data/docker/private-registry/storage:/registry-storage \
    -u root \
    -p 5000:5000 \
    registry:2

如果本地已有registry镜像,它会直接运行,否则它会到docker hub共有仓库下载之后再运行,-v /data/docker/private-registry/storage:/registry-storage该命令将之后私有仓库的镜像存放到本地。

之后执行:

docker tag docker.io/docker:1.8 192.168.100.9:5000/docker:1.8

docker push 192.168.100.9:5000/docker:1.8

这时会报很多错误:

FATA[0000] Error response from daemon: v1 ping attempt failed with error:
Get https://192.168.100.9:5000/v1/_ping: tls: oversized record received with length 20527\. 
If this private registry supports only HTTP or HTTPS with an unknown CA certificate,please add 
`--insecure-registry 192.168.100.9:5000` to the daemon's arguments.
In the case of HTTPS, if you have access to the registry's CA certificate, no need for the flag;
simply place the CA certificate at /etc/docker/certs.d/192.168.100.9:5000/ca.crt

最简单的解决方法是修改/etc/sysconfig/docker文件添加INSECURE_REGISTRY='--insecure-registry 192.168.100.9:5000',Ubuntu 14.04 的配置文件在/etc/default/docker 在该文件里添加DOCKER_OPTS="--insecure-registry 192.168.100.9:5000",添加过之后重启docker,重新运行docker registry即可生效。这样做的缺点是你的私有仓库不安全,其次,其他要下载或者上传镜像的机器都要修改相应的配置文件。

安全的做法是去认证机构购买签名证书,在此我们使用自认证的方式。

自签名认证

首先执行:

# mkdir -p certs && openssl req \
  -newkey rsa:4096 -nodes -sha256 -keyout certs/domain.key \
  -x509 -days 365 -out certs/domain.crt

Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:Beijing
Locality Name (eg, city) []:Beijing
Organization Name (eg, company) [Internet Widgits Pty Ltd]:SERCXTYF
Organizational Unit Name (eg, section) []:IT
Common Name (e.g. server FQDN or YOUR name) []:192.168.100.9:5000
Email Address []:xxx.yyy@ymail.com

生成认证证书和密钥。接下来将刚生成的certs/domain.crt复制到/etc/docker/certs.d/192.168.100.9:5000/ca.crt,之后重启docker并运行:

docker run \
    -d \
    --name private_registry  --restart=always \
    -e SETTINGS_FLAVOUR=dev \
    -e STORAGE_PATH=/registry-storage \
    -v /data/docker/private-registry/storage:/registry-storage \
    -u root \
    -p 5000:5000 \
    -v /root/certs:/certs \
    -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt \
    -e REGISTRY_HTTP_TLS_KEY=/certs/domain.key \
    registry:2

这样之后应该可以成功了吧,于是执行:

# docker push 192.168.100.9:5000/docker:1.8

结果它还是报错了:

The push refers to a repository 192.168.100.9:5000/docker:1.8
unable to ping registry endpoint https://192.168.100.9:5000/v0/
v2 ping attempt failed with error: Get https://192.168.100.9:5000/v2/: x509: cannot validate certificate for 192.168.100.9 because it doesn't contain any IP SANs
v1 ping attempt failed with error: Get https://192.168.100.9:5000/v1/_ping: x509: cannot validate certificate for 192.168.100.9 because it doesn't contain any IP SANs

解决方法:修改/etc/pki/tls/openssl.cnf配置,在该文件中找到[ v3_ca ],在它下面添加如下内容:

[ v3_ca ]
# Extensions for a typical CA
subjectAltName = IP:123.56.157.144

之后再次重启docker,并重新run registry,启动成功之后,执行:

# docker push 192.168.100.9:5000/docker:1.8

The push refers to a repository [192.168.100.9:5000/docker] (len: 1)
793ab2f3d322: Pushed 
e1232be51d09: Pushed 
71ef33d4e0e5: Pushed 
e9d235d200dc: Pushed 
3fb9a265fbfc: Pushed 
9f50b4b1f00b: Pushed 
413668359dd0: Pushed 
da0daae25b21: Pushed 
f4fddc471ec2: Pushed 
1.8: digest: sha256:28a02a8a50b750a300904b53e802bdf76516d591b2d233ae21cf771b8c776d44 size: 17621

至此,上传终于成功。换台机器下载刚上传的镜像:

# docker pull  192.168.100.9:5000/docker:1.8

Trying to pull repository 192.168.100.9:5000/docker ... failed
unable to ping registry endpoint https://192.168.100.9:5000/v0/
v2 ping attempt failed with error: Get https://192.168.100.9:5000/v2/: x509: certificate signed by unknown authority
 v1 ping attempt failed with error: Get https://192.168.100.9:5000/v1/_ping: x509: certificate signed by unknown authority

仔细分析错误信息,发现是没有证书,将在192.168.100.9上生成的证书拷贝到相应的目录下/etc/docker/certs.d/192.168.100.9:5000/ca.crt,拷贝之后重启docker,再次执行:

# docker pull  192.168.100.9:5000/docker:1.8

1.8: Pulling from docker
9d58b928bc15: Pull complete 
dbe7e8a7807c: Pull complete 
ce14982b73d4: Pull complete 
b9f70905d763: Pull complete 
b9c93a2fb3cf: Pull complete 
1321a4d5d3ea: Pull complete 
5941048a7e27: Pull complete 
f57edf7c2e71: Pull complete 
5de2ade00f1b: Pull complete 
Digest: sha256:28a02a8a50b750a300904b53e802bdf76516d591b2d233ae21cf771b8c776d44
Status: Downloaded newer image for 192.168.100.9:5000/docker:1.8

至此,docker registry 私有仓库安装成功。如果要部署到生产环境还需要进一步的配置,具体可以参考Registry Configuration Reference。

登录发表评论 注册

反馈意见