Centos 7: Docker private warehouse setup method
- 2020-06-12 11:15:57
- OfStack
System configuration:
- CentOS 7
- Kernel 3.10.0-229.20.1.el7.x86_64
- Docker version 1.8.2
Run docker registry
Execute the following command:
docker run \
  -d \
  --name private_registry --restart=always \
  -e SETTINGS_FLAVOUR=dev \
  -e STORAGE_PATH=/registry-storage \
  -v /data/docker/private-registry/storage:/registry-storage \
  -u root \
  -p 5000:5000 \
  registry:2
If the registry image already exists locally it starts directly; otherwise it is pulled from the public Docker Hub first. The option
-v /data/docker/private-registry/storage:/registry-storage
stores the images later pushed to the private registry on the local disk.
Then execute:
docker tag docker.io/docker:1.8 192.168.100.9:5000/docker:1.8
docker push 192.168.100.9:5000/docker:1.8
This reports an error:
FATA[0000] Error response from daemon: v1 ping attempt failed with error: Get https://192.168.100.9:5000/v1/_ping: tls: oversized record received with length 20527/. If this private registry supports only HTTP or HTTPS with an unknown CA certificate,please add `--insecure-registry 192.168.100.9:5000` to the daemon's arguments. In the case of HTTPS, if you have access to the registry's CA certificate, no need for the flag; simply place the CA certificate at /etc/docker/certs.d/192.168.100.9:5000/ca.crt
The simplest solution is to edit
/etc/sysconfig/docker
and add the line
INSECURE_REGISTRY='--insecure-registry 192.168.100.9:5000'
On Ubuntu 14.04 the configuration file is
/etc/default/docker
and the line to add is
DOCKER_OPTS="--insecure-registry 192.168.100.9:5000"
Then restart docker and run the registry again for the change to take effect. The downside is that the private registry is not secured (the daemon talks to it over plain HTTP, or over HTTPS without verifying the certificate), and every other machine that pulls from or pushes to it has to change its daemon configuration in the same way.
The safe way is to buy a certificate signed by a certificate authority. Here we use a self-signed certificate instead.
Self-signed authentication
First execute:
# mkdir -p certs && openssl req \
    -newkey rsa:4096 -nodes -sha256 -keyout certs/domain.key \
    -x509 -days 365 -out certs/domain.crt
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:Beijing
Locality Name (eg, city) []:Beijing
Organization Name (eg, company) [Internet Widgits Pty Ltd]:SERCXTYF
Organizational Unit Name (eg, section) []:IT
Common Name (e.g. server FQDN or YOUR name) []:192.168.100.9:5000
Email Address []:xxx.yyy@ymail.com
This generates the certificate and private key. Copy the newly generated certs/domain.crt to /etc/docker/certs.d/192.168.100.9:5000/ca.crt, then restart docker and run:
docker run \
  -d \
  --name private_registry --restart=always \
  -e SETTINGS_FLAVOUR=dev \
  -e STORAGE_PATH=/registry-storage \
  -v /data/docker/private-registry/storage:/registry-storage \
  -u root \
  -p 5000:5000 \
  -v /root/certs:/certs \
  -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt \
  -e REGISTRY_HTTP_TLS_KEY=/certs/domain.key \
  registry:2
The push should now succeed, so run:
# docker push 192.168.100.9:5000/docker:1.8
But it still fails:
The push refers to a repository 192.168.100.9:5000/docker:1.8
unable to ping registry endpoint https://192.168.100.9:5000/v0/
v2 ping attempt failed with error: Get https://192.168.100.9:5000/v2/: x509: cannot validate certificate for 192.168.100.9 because it doesn't contain any IP SANs
v1 ping attempt failed with error: Get https://192.168.100.9:5000/v1/_ping: x509: cannot validate certificate for 192.168.100.9 because it doesn't contain any IP SANs
The client refuses the certificate because it names the registry only in the Common Name; when the registry is addressed by IP, Go's x509 verification requires the IP to appear in a Subject Alternative Name (SAN) extension. Solution: edit /etc/pki/tls/openssl.cnf, find the [ v3_ca ] section and add the following below it (the address must be the one clients use to reach the registry; the SAN is embedded in the certificate when it is created, so it only appears in certificates generated after this change):
[ v3_ca ]
# Extensions for a typical CA
subjectAltName = IP:123.56.157.144
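The same result can be reached without editing the global openssl.cnf by passing a throw-away config to openssl, and the resulting certificate can be checked for the IP SAN before it is handed to docker. This is an added example, not code from the original post; it assumes the OpenSSL 1.0.x command line shipped with CentOS 7 (which has no -addext option), the post's registry address 192.168.100.9:5000, and constructed function names and DNS placeholder.

```shell
#!/bin/sh
# Added example (not from the original post): create the registry certificate
# with the IP SAN already in it, using a temporary OpenSSL config instead of
# editing /etc/pki/tls/openssl.cnf. Assumes the OpenSSL 1.0.x CLI of CentOS 7
# (no -addext) and the post's registry address 192.168.100.9:5000.

# make_registry_cert OUTDIR IP [DNSNAME]: writes OUTDIR/domain.key and
# OUTDIR/domain.crt; the SAN names the address clients use for the registry.
make_registry_cert() {
  outdir=$1; ip=$2; dns=${3:-}
  san="IP:$ip"
  [ -n "$dns" ] && san="$san,DNS:$dns"
  mkdir -p "$outdir"
  cfg=$(mktemp)
  cat >"$cfg" <<EOF
[ req ]
distinguished_name = dn
x509_extensions = v3_registry
prompt = no
[ dn ]
CN = $ip
[ v3_registry ]
basicConstraints = CA:TRUE
subjectAltName = $san
EOF
  openssl req -newkey rsa:4096 -nodes -sha256 -keyout "$outdir/domain.key" \
    -x509 -days 365 -config "$cfg" -out "$outdir/domain.crt" 2>/dev/null
  rc=$?
  rm -f "$cfg"
  return $rc
}

# cert_has_ip_san CERT IP: succeeds only if the SAN extension lists IP, which
# is the check behind the "doesn't contain any IP SANs" error from docker.
cert_has_ip_san() {
  openssl x509 -in "$1" -noout -text \
    | awk '/Subject Alternative Name/ { getline; print }' \
    | grep -Eq "IP Address:$2(,|$)"
}

# install_registry_ca CERT HOST:PORT [CERTS_DIR]: places the certificate where
# the docker client looks for that registry's CA (default /etc/docker/certs.d).
install_registry_ca() {
  dir="${3:-/etc/docker/certs.d}/$2"
  mkdir -p "$dir" && cp "$1" "$dir/ca.crt"
}
```

Run make_registry_cert certs 192.168.100.9 on the registry host, confirm with cert_has_ip_san certs/domain.crt 192.168.100.9, and install the same domain.crt on every client with install_registry_ca.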
Once openssl.cnf has been changed, restart docker and run the registry again. After it has started successfully, execute:
# docker push 192.168.100.9:5000/docker:1.8
The push refers to a repository [192.168.100.9:5000/docker] (len: 1)
793ab2f3d322: Pushed
e1232be51d09: Pushed
71ef33d4e0e5: Pushed
e9d235d200dc: Pushed
3fb9a265fbfc: Pushed
9f50b4b1f00b: Pushed
413668359dd0: Pushed
da0daae25b21: Pushed
f4fddc471ec2: Pushed
1.8: digest: sha256:28a02a8a50b750a300904b53e802bdf76516d591b2d233ae21cf771b8c776d44 size: 17621
At this point the upload finally succeeds. Switch to a different machine and pull the image just uploaded:
# docker pull 192.168.100.9:5000/docker:1.8
Trying to pull repository 192.168.100.9:5000/docker ... failed
unable to ping registry endpoint https://192.168.100.9:5000/v0/
v2 ping attempt failed with error: Get https://192.168.100.9:5000/v2/: x509: certificate signed by unknown authority
v1 ping attempt failed with error: Get https://192.168.100.9:5000/v1/_ping: x509: certificate signed by unknown authority
The error message shows that this machine does not trust the registry's certificate, because it has no copy of it. Copy the certificate generated on 192.168.100.9 to the corresponding directory on the client:
/etc/docker/certs.d/192.168.100.9:5000/ca.crt
After copying, restart docker and run the pull again:
# docker pull 192.168.100.9:5000/docker:1.8
1.8: Pulling from docker
9d58b928bc15: Pull complete
dbe7e8a7807c: Pull complete
ce14982b73d4: Pull complete
b9f70905d763: Pull complete
b9c93a2fb3cf: Pull complete
1321a4d5d3ea: Pull complete
5941048a7e27: Pull complete
f57edf7c2e71: Pull complete
5de2ade00f1b: Pull complete
Digest: sha256:28a02a8a50b750a300904b53e802bdf76516d591b2d233ae21cf771b8c776d44
Status: Downloaded newer image for 192.168.100.9:5000/docker:1.8
At this point the private Docker registry is set up and working. For the further configuration needed for a production deployment, refer to the Registry Configuration Reference.