CentOS 7: setting up a private Docker registry

  • 2020-06-12 11:15:57
  • OfStack

System configuration: CentOS 7, kernel 3.10.0-229.20.1.el7.x86_64, Docker version 1.8.2.

Run the docker registry

Execute the following command:


# registry:2 reads its configuration from REGISTRY_* variables; the
# SETTINGS_FLAVOUR and STORAGE_PATH variables belong to the old v1 registry
# and are ignored by this image, so the storage root is set explicitly.
docker run \
    -d \
    --name private_registry \
    --restart=always \
    -e REGISTRY_STORAGE_FILESYSTEM_ROOTDIRECTORY=/registry-storage \
    -v /data/docker/private-registry/storage:/registry-storage \
    -u root \
    -p 5000:5000 \
    registry:2

If the registry image is already present locally it starts straight away; otherwise it is pulled from the public Docker Hub first. The -v /data/docker/private-registry/storage:/registry-storage bind mount keeps the images pushed to the private registry on the host, so they survive recreation of the container, provided the registry is configured to write under /registry-storage (registry:2 takes that path from REGISTRY_STORAGE_FILESYSTEM_ROOTDIRECTORY; without it the data lands in the container's default /var/lib/registry and is lost with the container).

Then tag and push an image:


docker tag docker.io/docker:1.8 192.168.100.9:5000/docker:1.8
docker push 192.168.100.9:5000/docker:1.8

This fails immediately:


FATA[0000] Error response from daemon: v1 ping attempt failed with error: Get https://192.168.100.9:5000/v1/_ping: tls: oversized record received with length 20527.
If this private registry supports only HTTP or HTTPS with an unknown CA certificate, please add `--insecure-registry 192.168.100.9:5000` to the daemon's arguments.
In the case of HTTPS, if you have access to the registry's CA certificate, no need for the flag; simply place the CA certificate at /etc/docker/certs.d/192.168.100.9:5000/ca.crt

The daemon speaks HTTPS to registries by default, and the container started above serves plain HTTP, which is why the client reports an oversized TLS record. The quickest workaround is to edit /etc/sysconfig/docker and add INSECURE_REGISTRY='--insecure-registry 192.168.100.9:5000' (on Ubuntu 14.04 the file is /etc/default/docker and the line is DOCKER_OPTS="--insecure-registry 192.168.100.9:5000"), then restart docker and start the registry again. The downside is that every push and pull to this registry then travels in cleartext, so anyone on the network path can read or substitute image layers, and every other machine that pushes to or pulls from the registry has to carry the same configuration change.

The proper way is to obtain a certificate signed by a trusted certificate authority. Here we use a self-signed certificate instead.

Self-signed certificate

First generate a private key and a self-signed certificate:


# mkdir -p certs && openssl req \
    -newkey rsa:4096 -nodes -sha256 -keyout certs/domain.key \
    -x509 -days 365 -out certs/domain.crt
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:Beijing
Locality Name (eg, city) []:Beijing
Organization Name (eg, company) [Internet Widgits Pty Ltd]:SERCXTYF
Organizational Unit Name (eg, section) []:IT
Common Name (e.g. server FQDN or YOUR name) []:192.168.100.9:5000
Email Address []:xxx.yyy@ymail.com

This produces the key certs/domain.key and the self-signed certificate certs/domain.crt. Copy certs/domain.crt to /etc/docker/certs.d/192.168.100.9:5000/ca.crt so the local daemon trusts it, restart docker, remove the earlier registry container (the name private_registry is reused) and start it again with TLS enabled:


docker run \
    -d \
    --name private_registry \
    --restart=always \
    -e REGISTRY_STORAGE_FILESYSTEM_ROOTDIRECTORY=/registry-storage \
    -v /data/docker/private-registry/storage:/registry-storage \
    -u root \
    -p 5000:5000 \
    -v /root/certs:/certs \
    -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt \
    -e REGISTRY_HTTP_TLS_KEY=/certs/domain.key \
    registry:2

The push should now work, so try it again:


# docker push 192.168.100.9:5000/docker:1.8

It still fails:


The push refers to a repository 192.168.100.9:5000/docker:1.8
unable to ping registry endpoint https://192.168.100.9:5000/v0/
v2 ping attempt failed with error: Get https://192.168.100.9:5000/v2/: x509: cannot validate certificate for 192.168.100.9 because it doesn't contain any IP SANs
v1 ping attempt failed with error: Get https://192.168.100.9:5000/v1/_ping: x509: cannot validate certificate for 192.168.100.9 because it doesn't contain any IP SANs

The certificate carries no subjectAltName, and the Go TLS client used by the Docker daemon only matches an IP address against IP entries in the SAN, never against the Common Name. Fix: edit /etc/pki/tls/openssl.cnf, find the [ v3_ca ] section (openssl req -x509 applies it to self-signed certificates because the [ req ] section sets x509_extensions = v3_ca), and add a subjectAltName line below it with the address clients will dial, here 192.168.100.9 (the port is not part of the SAN):


[ v3_ca ]
# Extensions for a typical CA
subjectAltName = IP:192.168.100.9

Then regenerate the certificate with the same openssl req command as before, copy the new certs/domain.crt over /etc/docker/certs.d/192.168.100.9:5000/ca.crt, restart docker, and recreate the registry container so it picks up the new key and certificate. Once it is up, push again:


# docker push 192.168.100.9:5000/docker:1.8
The push refers to a repository [192.168.100.9:5000/docker] (len: 1)
793ab2f3d322: Pushed
e1232be51d09: Pushed
71ef33d4e0e5: Pushed
e9d235d200dc: Pushed
3fb9a265fbfc: Pushed
9f50b4b1f00b: Pushed
413668359dd0: Pushed
da0daae25b21: Pushed
f4fddc471ec2: Pushed
1.8: digest: sha256:28a02a8a50b750a300904b53e802bdf76516d591b2d233ae21cf771b8c776d44 size: 17621

The upload finally succeeds. Now switch to a different machine and pull the image just uploaded:


# docker pull 192.168.100.9:5000/docker:1.8
Trying to pull repository 192.168.100.9:5000/docker ... failed
unable to ping registry endpoint https://192.168.100.9:5000/v0/
v2 ping attempt failed with error: Get https://192.168.100.9:5000/v2/: x509: certificate signed by unknown authority
v1 ping attempt failed with error: Get https://192.168.100.9:5000/v1/_ping: x509: certificate signed by unknown authority

The error says the certificate was signed by an authority this daemon does not trust: the client has never seen the self-signed certificate. Copy the certs/domain.crt generated on 192.168.100.9 to /etc/docker/certs.d/192.168.100.9:5000/ca.crt on the client (the directory is named after the registry's host:port, and every machine that pushes to or pulls from the registry needs the same file), restart docker and try again:
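The SAN fix above and the client-side trust step are the two places this procedure goes wrong, so here is an added example script (mine, not from the original post) that covers both without editing the system-wide /etc/pki/tls/openssl.cnf: it generates the self-signed certificate with the IP SAN from a private OpenSSL config, checks that the SAN is really present, installs the certificate as ca.crt under the per-registry directory Docker reads, and verifies the chain the way a client would before a push or pull. It assumes the registry address 192.168.100.9:5000 from the post; the function names, the subject fields and the CERTS_D override (so the demo runs in a scratch directory without root) are my own. The probe_registry function needs a running registry and is not part of the offline demo.

```shell
#!/bin/sh
# Added example, not from the original post: generate a self-signed
# certificate for a registry reached by IP (with the IP SAN that Docker's
# Go TLS client insists on), install it as the per-registry ca.crt that
# Docker reads, and verify the chain the way a pulling client would.
# Assumptions not in the original: the registry address 192.168.100.9:5000,
# all function names, and the CERTS_D override used so the demo can run in a
# scratch directory without root (unset it to use /etc/docker/certs.d).
set -eu

# Private OpenSSL config carrying the SAN, so /etc/pki/tls/openssl.cnf is
# left alone.  $1 = output file, $2 = registry IP address.
write_openssl_cnf() {
    cat > "$1" <<EOF
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ registry_ext ]
subjectAltName = IP:$2
basicConstraints = critical,CA:TRUE
keyUsage = critical,digitalSignature,keyEncipherment,keyCertSign
extendedKeyUsage = serverAuth
EOF
}

# Write domain.key and domain.crt into $1 for registry IP $2.
# $3 = RSA key size, default 4096 as in the post.
gen_registry_cert() {
    dir=$1; ip=$2; bits=${3:-4096}
    mkdir -p "$dir"
    write_openssl_cnf "$dir/openssl.cnf" "$ip"
    openssl req -x509 -newkey "rsa:$bits" -nodes -sha256 -days 365 \
        -subj "/C=CN/ST=Beijing/L=Beijing/O=SERCXTYF/OU=IT/CN=$ip" \
        -config "$dir/openssl.cnf" -extensions registry_ext \
        -keyout "$dir/domain.key" -out "$dir/domain.crt"
    chmod 600 "$dir/domain.key"
}

# Succeed only if certificate $1 lists $2 as an IP SAN: the check whose
# failure produced "doesn't contain any IP SANs" in the post.
cert_has_ip_san() {
    esc=$(printf '%s' "$2" | sed 's/\./\\./g')
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' \
        | grep -qE "IP Address:${esc}(,|[[:space:]]|\$)"
}

# Install $1 as ca.crt under <CERTS_D>/<host:port>/, the directory name
# Docker derives from the registry address; prints the installed path.
install_ca() {
    dest="${CERTS_D:-/etc/docker/certs.d}/$2"
    mkdir -p "$dest"
    cp "$1" "$dest/ca.crt"
    chmod 644 "$dest/ca.crt"
    printf '%s\n' "$dest/ca.crt"
}

# Succeed only if the registry's certificate $1 chains to the ca.crt
# installed for registry $2 (host:port); a missing or wrong ca.crt fails,
# which is the "certificate signed by unknown authority" case.
verify_against_installed_ca() {
    openssl verify -CAfile "${CERTS_D:-/etc/docker/certs.d}/$2/ca.crt" "$1" >/dev/null 2>&1
}

# Live check against a running registry (network needed, not run by the
# demo): trust comes only from the installed ca.crt, never from curl -k.
probe_registry() {
    curl -sS --cacert "${CERTS_D:-/etc/docker/certs.d}/$1/ca.crt" \
        -o /dev/null -w '%{http_code}\n' "https://$1/v2/"
}

# Demo of the whole flow in a scratch directory (2048-bit key to keep it quick).
demo() {
    work=$(mktemp -d)
    CERTS_D="$work/certs.d"; export CERTS_D
    gen_registry_cert "$work/certs" 192.168.100.9 2048
    cert_has_ip_san "$work/certs/domain.crt" 192.168.100.9 \
        || { echo "missing IP SAN" >&2; exit 1; }
    install_ca "$work/certs/domain.crt" 192.168.100.9:5000
    verify_against_installed_ca "$work/certs/domain.crt" 192.168.100.9:5000 \
        && echo "chain OK for 192.168.100.9:5000"
    rm -rf "$work"
}
demo
```

Run it as root with CERTS_D unset to install straight into /etc/docker/certs.d, or copy the produced domain.crt to each client's /etc/docker/certs.d/192.168.100.9:5000/ca.crt and restart docker there. Because trust is keyed by the host:port directory name, a registry that is also reached under a second address needs that address in the SAN and its own certs.d directory.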


# docker pull 192.168.100.9:5000/docker:1.8
1.8: Pulling from docker
9d58b928bc15: Pull complete
dbe7e8a7807c: Pull complete
ce14982b73d4: Pull complete
b9f70905d763: Pull complete
b9c93a2fb3cf: Pull complete
1321a4d5d3ea: Pull complete
5941048a7e27: Pull complete
f57edf7c2e71: Pull complete
5de2ade00f1b: Pull complete
Digest: sha256:28a02a8a50b750a300904b53e802bdf76516d591b2d233ae21cf771b8c776d44
Status: Downloaded newer image for 192.168.100.9:5000/docker:1.8

At this point the private Docker registry is working. For further configuration before deploying to a production environment, refer to the Registry Configuration Reference.
