Tags: registry server private firewall packages
1. Topology:
IP: 192.168.93.202  docker registry server
IP: 192.168.93.201  docker client server
Disable SELinux and the firewall.
Edit /etc/hosts:
192.168.93.202 docker.shengjing.com
hostnamectl set-hostname docker.shengjing.com (permanently sets the hostname)
Install the required packages:
yum install gcc make pcre-devel pcre openssl-devel httpd-tools zlib-devel -y
Generate the root key:
First delete the following files:
/etc/pki/CA/cacert.pem
/etc/pki/CA/index.txt
/etc/pki/CA/index.txt.attr
/etc/pki/CA/index.txt.old
/etc/pki/CA/serial
/etc/pki/CA/serial.old
cd /etc/pki/CA
openssl genrsa -out private/cakey.pem 2048
[root@docker CA]# openssl genrsa -out private/cakey.pem 2048
Generating RSA private key, 2048 bit long modulus
..................................................................................................................................+++
.......................................................+++
e is 65537 (0x10001)
Generate the root certificate:
openssl req -new -x509 -key private/cakey.pem -out cacert.pem
[root@docker CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:beijing
Organization Name (eg, company) [Default Company Ltd]:sjwl
Organizational Unit Name (eg, section) []:sjwl
Common Name (eg, your name or your server's hostname) []:docker.shengjing.com
Email Address []:mengxl@shengjing360.com
You will be prompted for several fields. Because this is a private CA the values are up to you, but note them so that later steps stay consistent, especially the "Common Name", which must match what hostname prints. Also remember the email address mengxl@shengjing360.com!
The self-signed certificate cacert.pem should now exist under /etc/pki/CA:
[root@docker CA]# ls
cacert.pem certs crl newcerts private
Generate the SSL key for the nginx web server
mkdir /etc/pki/CA/ssl
cd /etc/pki/CA/ssl
openssl genrsa -out nginx.key 2048
[root@docker ssl]# openssl genrsa -out nginx.key 2048
Generating RSA private key, 2048 bit long modulus
.....................................................+++
....................................................................................................................+++
e is 65537 (0x10001)
Note: the CA and the nginx server that requests the certificate are the same machine here, so the nginx SSL key is generated locally; otherwise it would be generated on the server that needs the certificate.
Check the nginx server key:
[root@docker ssl]# ls
nginx.key
Generate the certificate signing request for nginx
Run: openssl req -new -key nginx.key -out nginx.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:beijing
Organization Name (eg, company) [Default Company Ltd]:sjwl
Organizational Unit Name (eg, section) []:sjwl
Common Name (eg, your name or your server's hostname) []:docker.shengjing.com
Email Address []:mengxl@shengjing360.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
You will again be prompted for the same fields; the Common Name must be the domain name or hostname of the server the certificate is issued to, and leave the challenge password empty.
Have the private CA sign the certificate from the request:
[root@docker ssl]# touch /etc/pki/CA/index.txt
[root@docker ssl]# touch /etc/pki/CA/serial
[root@docker ssl]# echo 00 > /etc/pki/CA/serial
Run:
openssl ca -in nginx.csr -out nginx.crt
[root@docker ssl]# openssl ca -in nginx.csr -out nginx.crt
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 0 (0x0)
Validity
Not Before: Nov 7 16:28:22 2016 GMT
Not After : Nov 7 16:28:22 2017 GMT
Subject:
countryName = CN
stateOrProvinceName = beijing
organizationName = sjwl
organizationalUnitName = sjwl
commonName = docker.shengjing.com
emailAddress = mengxl@shengjing360.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
04:91:10:DD:9E:37:81:66:5E:66:E4:CE:EB:02:E0:D3:27:FC:F7:7B
X509v3 Authority Key Identifier:
keyid:C8:F9:00:19:C0:61:7E:71:B8:16:FD:08:43:AD:82:F7:9E:BC:20:91
Certificate is to be certified until Nov 7 16:28:22 2017 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
You will be prompted again; answer y.
Check the nginx certificate:
[root@docker ssl]# ls
nginx.crt nginx.csr nginx.key
Install, configure and run nginx
(1) Add the group and user
[root@docker ssl]# groupadd www -g 58
[root@docker ssl]# useradd -u 58 -g www www
cd /usr/local/src
wget http://nginx.org/download/nginx-1.11.2.tar.gz
tar -zxvf nginx-1.11.2.tar.gz
cd nginx-1.11.2
[root@docker nginx-1.11.2]# ./configure --user=www --group=www --prefix=/usr/local/nginx --with-http_ssl_module --with-http_stub_status_module --with-pcre --with-http_addition_module --with-http_realip_module --with-http_flv_module
[root@docker nginx-1.11.2]# make && make install
vi /usr/local/nginx/conf/nginx.conf
# /usr/local/nginx/conf/nginx.conf
user www;
worker_processes 4;
events {
    worker_connections 4096;
}
http {
    include mime.types;
    default_type application/octet-stream;
    sendfile on;
    keepalive_timeout 65;
    upstream registry {
        # the registry container publishes port 5000 on this same host,
        # so reach it over loopback rather than an external address
        server 127.0.0.1:5000;
    }
    server {
        listen 443 ssl;
        # must match the Common Name of nginx.crt
        server_name docker.shengjing.com;
        ssl_certificate /etc/pki/CA/ssl/nginx.crt;
        ssl_certificate_key /etc/pki/CA/ssl/nginx.key;
        ssl_session_cache shared:SSL:1m;
        ssl_session_timeout 5m;
        ssl_ciphers HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers on;
        location / {
            # image layers are large; allow big uploads
            client_max_body_size 3000m;
            proxy_pass http://registry;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $remote_addr;
            # tells the registry that clients arrived over TLS, so the
            # Location headers it returns during a push use https
            proxy_set_header X-Forwarded-Proto $scheme;
        }
    }
}
Verify the configuration:
/usr/local/nginx/sbin/nginx -t
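The certificate steps above (root key, CSR, signing by the private CA) and the key/certificate pair that the nginx configuration points at, done non-interactively as an added example that is not part of the original post. It assumes the openssl CLI is installed and, as a deviation from the post, gives the CA its own Common Name; the hostname docker.shengjing.com and the DN fields come from the page.

```shell
#!/bin/sh
# Added example (not from the original post). Runs the CA -> CSR -> signed
# certificate steps in a throwaway directory and then performs the checks
# worth doing before nginx -t. Assumes the openssl CLI.
set -eu

HOST=docker.shengjing.com

make_and_verify_certs() (
    work=$(mktemp -d)
    cd "$work"
    # 1. root key and self-signed root certificate (cakey.pem / cacert.pem);
    #    the CA gets its own CN instead of sharing the server's (deviation)
    openssl genrsa -out cakey.pem 2048 2>/dev/null
    openssl req -new -x509 -days 3650 -key cakey.pem -out cacert.pem \
        -subj "/C=CN/ST=beijing/O=sjwl/OU=sjwl/CN=sjwl private docker CA" 2>/dev/null
    # 2. nginx key and CSR; the CN is the hostname clients will connect to
    openssl genrsa -out nginx.key 2048 2>/dev/null
    openssl req -new -key nginx.key -out nginx.csr \
        -subj "/C=CN/ST=beijing/O=sjwl/OU=sjwl/CN=$HOST" 2>/dev/null
    # 3. sign with the private CA. A subjectAltName is added because Docker's
    #    Go TLS stack matches the hostname against SANs, not the CN.
    printf 'subjectAltName=DNS:%s\nbasicConstraints=CA:FALSE\n' "$HOST" > ext.cnf
    openssl x509 -req -days 365 -in nginx.csr -CA cacert.pem -CAkey cakey.pem \
        -CAcreateserial -extfile ext.cnf -out nginx.crt 2>/dev/null
    # check A: the server certificate chains to this root
    openssl verify -CAfile cacert.pem nginx.crt >/dev/null
    # check B: it names the host, so clients will not see a hostname mismatch
    openssl x509 -in nginx.crt -noout -text | grep -q "DNS:$HOST"
    # check C: key and certificate belong together (the pair nginx will load)
    k=$(openssl pkey -in nginx.key -pubout 2>/dev/null)
    c=$(openssl x509 -in nginx.crt -noout -pubkey)
    [ "$k" = "$c" ]
    # check D: a certificate from any other issuer must be rejected by the root
    openssl req -new -x509 -days 1 -newkey rsa:2048 -nodes -keyout other.key \
        -out other.crt -subj "/CN=$HOST" 2>/dev/null
    if openssl verify -CAfile cacert.pem other.crt >/dev/null 2>&1; then
        echo "foreign certificate unexpectedly verified" >&2
        exit 1
    fi
    rm -rf "$work"
    echo ok
)
```

Point ssl_certificate and ssl_certificate_key at files produced this way and the same four checks apply to the real /etc/pki/CA/ssl/nginx.crt and nginx.key.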
Start nginx:
[root@docker conf]# /usr/local/nginx/sbin/nginx
[root@docker conf]# ss -ntpl
State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 *:22 *:* users:(("sshd",pid=841,fd=3))
LISTEN 0 100 127.0.0.1:25 *:* users:(("master",pid=1408,fd=13))
LISTEN 0 128 *:443 *:* users:(("nginx",pid=4796,fd=6),("nginx",pid=4795,fd=6),("nginx",pid=4794,fd=6),("nginx",pid=4793,fd=6),("nginx",pid=4792,fd=6))
LISTEN 0 128 :::22 :::* users:(("sshd",pid=841,fd=4))
LISTEN 0 100 ::1:25 :::* users:(("master",pid=1408,fd=14))
[root@docker conf]# ps -ef | grep -i "nginx"
root 4792 1 0 12:07 ? 00:00:00 nginx: master process /usr/local/nginx/sbin/nginx
www 4793 4792 0 12:07 ? 00:00:00 nginx: worker process
www 4794 4792 0 12:07 ? 00:00:00 nginx: worker process
www 4795 4792 0 12:07 ? 00:00:00 nginx: worker process
www 4796 4792 0 12:07 ? 00:00:00 nginx: worker process
root 4804 1994 0 12:08 pts/0 00:00:00 grep --color=auto -i nginx
Configure and run Docker
Stop docker:
systemctl stop docker
Edit /etc/sysconfig/docker and add the DOCKER_OPTS line, so that the file reads:
# /etc/sysconfig/docker
# Modify these options if you want to change the way the docker daemon runs
OPTIONS='--selinux-enabled --log-driver=journald'
DOCKER_OPTS="--insecure-registry docker.shengjing.com --tlsverify --tlscacert /etc/pki/CA/cacert.pem"
DOCKER_CERT_PATH=/etc/docker
Note that --insecure-registry lets the daemon fall back to unverified HTTPS or plain HTTP for that host, which hides a broken certificate setup; once the root certificate is in place under /etc/docker/certs.d (next step) the flag is not needed.
Copy the root certificate into /etc/docker/certs.d/docker.shengjing.com/ (Docker trusts every *.crt file in that directory for this registry host):
mkdir -p /etc/docker/certs.d/docker.shengjing.com
cp /etc/pki/CA/cacert.pem /etc/docker/certs.d/docker.shengjing.com/ca-certificates.crt
Start docker:
systemctl start docker
Run the private registry container
Run it from the official registry image:
docker pull registry
Use the official registry image to start a local private registry. The storage location can be chosen through the run parameters; for example, to use the host directory /opt/data/registry:
mkdir -p /opt/data/registry
Run the private registry container. The registry v2 image (which is what docker.io/registry pulls, and what the curl response below comes from) keeps its data under /var/lib/registry, so the host directory is mounted there; /tmp/registry was the v1 location and would not persist anything:
docker run -d -p 5000:5000 -v /opt/data/registry:/var/lib/registry docker.io/registry
Because the firewall was disabled in step 1, port 5000 is also reachable directly, without TLS; publishing it as -p 127.0.0.1:5000:5000 keeps the plaintext port reachable only through nginx.
Verify the registry:
curl -i -k https://docker.shengjing.com
With -k curl skips certificate verification, so this only proves that nginx answers; repeat the request with --cacert /etc/pki/CA/cacert.pem instead of -k to confirm that the certificate chain and the Common Name are accepted.
[root@localhost ~]# curl -i -k https://docker.shengjing.com
HTTP/1.1 200 OK
Server: nginx/1.11.2
Date: Mon, 07 Nov 2016 17:35:12 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 0
Connection: keep-alive
Cache-Control: no-cache
Docker client configuration
Edit /etc/hosts and add the IP address of docker.shengjing.com, for example:
192.168.93.202 docker.shengjing.com
Append the docker registry server's root certificate to the ca-certificates.crt file.
First copy /etc/pki/CA/cacert.pem from the docker registry server to this machine, then run:
cat ./cacert.pem >> /etc/pki/tls/certs/ca-certificates.crt
On CentOS 7 the supported way to add a root to the system trust store is to place it in /etc/pki/ca-trust/source/anchors/ and run update-ca-trust; the Docker daemon on the client can also be given the root directly, as on the server, by copying it to /etc/docker/certs.d/docker.shengjing.com/ca.crt.
Original URL: http://mxlmgl.blog.51cto.com/9834691/1870360