How to set up a private Docker registry on CentOS 7 (and on Kubernetes)

  • 2020-10-31 22:03:41
  • OfStack

Images are usually pushed to a public registry such as Docker Hub or DaoCloud. Inside a company, however, we often need to run our own private registry.

This article explains how to build one using the registry image provided by Docker.

A registry without TLS

First create the registry from the registry:2.6.2 image.

Map port 5000 on the host to port 5000 in the container.

Mount the host directory /mnt/registry at /var/lib/registry in the container, which is where the registry stores images. This persists the data so that images are not lost when the container dies.


mkdir /mnt/registry

docker run -d \
 -p 5000:5000 \
 --restart=always \
 --name registry \
 -v /mnt/registry:/var/lib/registry \
 registry:2.6.2

The Docker client expects a registry to speak HTTPS with a certificate it trusts. Since TLS has not been set up yet, the daemon on every client must be told to treat this registry as insecure. Images then travel as plain HTTP, so anyone on the network path can read or tamper with them; use this only for a quick test. (The file below belongs to the CentOS 7 docker package; with docker-ce the equivalent is the "insecure-registries" key in /etc/docker/daemon.json.)


vim /etc/sysconfig/docker

#  in OPTIONS add --insecure-registry=<host-ip>:5000
OPTIONS='--selinux-enabled --log-driver=json-file --signature-verification=false --insecure-registry=10.34.31.13:5000'

#  restart docker
systemctl restart docker

Let's check that the new registry works. Tag a local image with the registry prefix first (docker tag), then push it:


docker push 10.34.31.13:5000/hello-world:v1

This form of registry is not very usable, though. If there are several registries, every client's --insecure-registry list has to be kept up to date, and every transfer is unauthenticated plain HTTP.

The following sets up a registry over HTTPS instead.

Create a registry with a TLS certificate

1. Install openssl


yum install -y openssl

2. Modify the openssl.cnf file


vim /etc/pki/tls/openssl.cnf

#  Find the [ v3_ca ] section and add the host's IP address as a subjectAltName. openssl req -x509 applies the
#  extensions named by x509_extensions in the [ req ] section, which is v3_ca in the default CentOS file.
#  Note that this changes every self-signed certificate generated on this host from now on.
[ v3_ca ]
subjectAltName = IP:10.34.31.13

If this is skipped, the Docker client rejects the resulting certificate with:

x509: cannot validate certificate 10.34.31.13 because it doesn't contain any IP SANs

3. Generate the certificate


mkdir /certs
openssl req -newkey rsa:4096 -nodes -sha256 \
      -keyout /certs/domain.key -x509 -days 1000 \
      -out /certs/domain.cert

#  Answer the prompts as follows. In Common Name enter the host name (or IP) clients will use for the registry.
#  Modern clients, Docker included, validate the subjectAltName rather than the Common Name, so the port in the
#  CN below is harmless; what matters is the IP SAN added in step 2.
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:10.34.31.13:5000
Email Address []:

4. Create the registry


#  Apart from mounting /certs and passing the two TLS variables, this is the same as the run command above.
#  Note that the image data is now persisted under /var/lib/registry on the host rather than /mnt/registry.
#  The private key domain.key is readable by the registry container only; it never leaves this host.
docker run -d \
 --restart=always \
 --name registry \
 -v /certs:/certs \
 -v /var/lib/registry:/var/lib/registry \
 -e REGISTRY_HTTP_ADDR=0.0.0.0:5000 \
 -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.cert \
 -e REGISTRY_HTTP_TLS_KEY=/certs/domain.key \
 -p 5000:5000 \
 registry:2.6.2

5. Configure the docker client


#  Every machine that pulls from or pushes to the registry needs this. The directory name must match the
#  host:port used in image references exactly. Copy only the certificate; domain.key stays on the registry host.
mkdir /etc/docker/certs.d/10.34.31.13:5000
cp /certs/domain.cert /etc/docker/certs.d/10.34.31.13:5000/ca.crt

#  Test it. Remove --insecure-registry from OPTIONS first: with that flag still set, a certificate problem
#  silently falls back to plain HTTP and the push would succeed without proving that TLS works.
docker push 10.34.31.13:5000/hello-world:v1
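The whole certificate procedure above (steps 2 to 5), as an added example that is not from the original article: instead of editing the system-wide /etc/pki/tls/openssl.cnf, which changes every certificate generated on that host, it feeds openssl req a per-certificate config with the IP and a DNS name in subjectAltName, installs the certificate as the per-registry CA for the Docker client, and checks the IP SAN the way a client would. The registry address 10.34.31.13:5000 comes from the article; the DNS name registry.local, the KEYBITS variable, the function names and the argument layout are my assumptions.

```shell
#!/bin/sh
# Self-signed registry certificate with an IP SAN, generated from a private
# openssl config instead of the system-wide openssl.cnf. Added example; paths
# and names are assumptions, not the article's own files.
set -eu

# make_registry_cert OUTDIR IP [DNS]
# Writes OUTDIR/domain.key and OUTDIR/domain.cert. Docker (Go's crypto/x509)
# validates the subjectAltName, not the Common Name, so the SAN must carry the
# exact address clients will use. KEYBITS defaults to 4096 like the article.
make_registry_cert() {
    outdir=$1; ip=$2; dns=${3:-registry.local}; bits=${KEYBITS:-4096}
    mkdir -p "$outdir"
    cat > "$outdir/openssl.cnf" <<EOF
[ req ]
distinguished_name = dn
x509_extensions    = v3_req
prompt             = no

[ dn ]
CN = $dns

[ v3_req ]
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = IP:$ip, DNS:$dns
EOF
    openssl req -x509 -newkey "rsa:$bits" -nodes -sha256 -days 1000 \
        -config "$outdir/openssl.cnf" \
        -keyout "$outdir/domain.key" -out "$outdir/domain.cert" 2>/dev/null
    # The private key stays on the registry host and is never copied to clients.
    chmod 600 "$outdir/domain.key"
}

# cert_has_ip_san CERT IP -> exit 0 if the certificate lists IP as a SAN.
# This is the check that fails with "doesn't contain any IP SANs" otherwise.
cert_has_ip_san() {
    openssl x509 -in "$1" -noout -text | grep -qF "IP Address:$2"
}

# install_registry_ca CERT HOSTPORT [CERTS_D]
# Docker looks for per-registry trust in CERTS_D/<host:port>/ca.crt, so the
# directory name must match the host:port used in image references exactly.
# Prints the installed path.
install_registry_ca() {
    cert=$1; hostport=$2; certs_d=${3:-/etc/docker/certs.d}
    mkdir -p "$certs_d/$hostport"
    cp "$cert" "$certs_d/$hostport/ca.crt"
    chmod 644 "$certs_d/$hostport/ca.crt"
    echo "$certs_d/$hostport/ca.crt"
}

# Usage: sh registry-cert.sh OUTDIR IP [DNS] [CERTS_D]
#   e.g. sh registry-cert.sh /certs 10.34.31.13 registry.local
if [ "$#" -ge 2 ]; then
    make_registry_cert "$1" "$2" "${3:-registry.local}"
    cert_has_ip_san "$1/domain.cert" "$2" || { echo "SAN check failed" >&2; exit 1; }
    install_registry_ca "$1/domain.cert" "$2:5000" "${4:-/etc/docker/certs.d}"
fi
```

Run it on the registry host to create /certs, then run only the install step (or copy domain.cert by hand) on each client. Because the certificate is self-signed it serves as its own ca.crt; a certificate issued by an internal CA would be installed the same way, with the CA certificate in ca.crt instead.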

Deploy the registry with Kubernetes

The container above was started directly by docker. Since I am running a Kubernetes cluster, I want every container to be managed by Kubernetes.

So I added a dedicated node to the cluster to host the registry.

1. Generate the TLS certificate

Generate the certificate on the prepared node as described above.

2. Add a label to the node

Since the registry container should only run on this node, label it so that the Deployment's nodeSelector can pin the pod there.


#  n3 is the node's hostname. If kubectl is not configured on your workstation, run this on the master node.
#  The label value must match the nodeSelector in the manifest exactly.
kubectl label node n3 bind-registry=true

3. Create the registry directory on the labelled node to persist the image data


mkdir /var/lib/registry

4. Deploy the registry from dockerhub-dp.yaml (the file is listed at the end of this article).



5. Configure the docker client

Same as before, except for the port: clients reach the registry through the NodePort (30003 below), so the directory under /etc/docker/certs.d is named with that port instead of 5000. The certificate itself needs no change, since a subjectAltName carries no port.



For convenient access I exposed the registry Service as a NodePort. By default Kubernetes only allocates NodePorts from the range 30000-32767, so I used 30003.

dockerhub-dp.yaml


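The author's dockerhub-dp.yaml is not reproduced on the page. The following is an added example written from the description above (nodeSelector on the bind-registry label, hostPath mounts of /certs and /var/lib/registry, registry:2.6.2 with the same TLS environment variables as the docker run command, and a NodePort Service on 30003), not the author's file. It assumes a cluster that serves apps/v1 (Kubernetes 1.9 or later) and the default NodePort range; the validation function, file names and the "true" label value are my assumptions.

```shell
#!/bin/sh
# Writes a Deployment + NodePort Service for the registry, pinned to the
# labelled node, after checking that the chosen NodePort is in range.
# Added example reconstructed from the article's description.
set -eu

# valid_nodeport PORT -> 0 if PORT is a number inside the default NodePort
# range 30000-32767 (the apiserver rejects anything else).
valid_nodeport() {
    case $1 in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 30000 ] && [ "$1" -le 32767 ]
}

# write_registry_manifest FILE NODEPORT [LABEL_VALUE]
# LABEL_VALUE must equal the value given to "kubectl label node ... bind-registry=".
# Prints FILE on success; writes nothing and returns 1 for a bad port.
write_registry_manifest() {
    file=$1; port=$2; label=${3:-true}
    valid_nodeport "$port" || { echo "nodePort $port is outside 30000-32767" >&2; return 1; }
    cat > "$file" <<EOF
apiVersion: apps/v1
kind: Deployment
metadata:
  name: registry
spec:
  replicas: 1
  selector:
    matchLabels:
      app: registry
  template:
    metadata:
      labels:
        app: registry
    spec:
      nodeSelector:
        bind-registry: "$label"
      containers:
      - name: registry
        image: registry:2.6.2
        ports:
        - containerPort: 5000
        env:
        - name: REGISTRY_HTTP_ADDR
          value: 0.0.0.0:5000
        - name: REGISTRY_HTTP_TLS_CERTIFICATE
          value: /certs/domain.cert
        - name: REGISTRY_HTTP_TLS_KEY
          value: /certs/domain.key
        volumeMounts:
        - name: certs
          mountPath: /certs
          readOnly: true
        - name: data
          mountPath: /var/lib/registry
      volumes:
      - name: certs
        hostPath:
          path: /certs
      - name: data
        hostPath:
          path: /var/lib/registry
---
apiVersion: v1
kind: Service
metadata:
  name: registry
spec:
  type: NodePort
  selector:
    app: registry
  ports:
  - port: 5000
    targetPort: 5000
    nodePort: $port
EOF
    echo "$file"
}

# Usage: sh write-registry-manifest.sh dockerhub-dp.yaml 30003 [label-value]
# then: kubectl apply -f dockerhub-dp.yaml
if [ "$#" -ge 2 ]; then
    write_registry_manifest "$1" "$2" "${3:-true}"
fi
```

The hostPath volumes follow the article, which generates the certificate on the node itself; this ties the pod to that node and leaves the private key on the node's filesystem. If the cluster is shared, a Secret of type kubernetes.io/tls mounted at /certs keeps the key out of hostPath and lets the Deployment move to any node that can reach the storage.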
