
Docker: nginx as a reverse proxy for a private registry

1. Topology

IP 192.168.93.202: docker registry server
IP 192.168.93.201: docker client server

Disable SELinux and the firewall.

Edit /etc/hosts and add:

192.168.93.202 docker.shengjing.com

hostnamectl set-hostname docker.shengjing.com   (sets the hostname permanently)

Install the required packages:

yum install gcc make pcre-devel pcre openssl-devel httpd-tools zlib-devel -y

Generate the CA root key:

First delete any leftover state of a previous CA so the new one starts clean:
/etc/pki/CA/cacert.pem
/etc/pki/CA/index.txt
/etc/pki/CA/index.txt.attr
/etc/pki/CA/index.txt.old
/etc/pki/CA/serial
/etc/pki/CA/serial.old

cd /etc/pki/CA

[root@docker CA]# openssl genrsa -out private/cakey.pem 2048
Generating RSA private key, 2048 bit long modulus
..................................................................................................................................+++
.......................................................+++
e is 65537 (0x10001)

Generate the root certificate:

[root@docker CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:beijing
Organization Name (eg, company) [Default Company Ltd]:sjwl
Organizational Unit Name (eg, section) []:sjwl
Common Name (eg, your name or your server's hostname) []:docker.shengjing.com
Email Address []:mengxl@shengjing360.com

You are prompted for a series of fields. Because this is a private CA the values can be anything, but remember them so that the later steps stay consistent, especially the "Common Name", which must match exactly what hostname reports. Also remember the e-mail address mengxl@shengjing360.com!
The self-signed certificate cacert.pem is now in /etc/pki/CA:

[root@docker CA]# ls
cacert.pem  certs  crl  newcerts  private


Generate the SSL key for the nginx web server

mkdir /etc/pki/CA/ssl
cd /etc/pki/CA/ssl

[root@docker ssl]# openssl genrsa -out nginx.key 2048
Generating RSA private key, 2048 bit long modulus
.....................................................+++
....................................................................................................................+++
e is 65537 (0x10001)

Note: the CA and the nginx server that needs the certificate are the same machine here, so the nginx key is generated locally. Otherwise it should be generated on the server that will use the certificate.
Check the nginx server key:

[root@docker ssl]# ls
nginx.key

Generate a certificate signing request for nginx

Run: openssl req -new -key nginx.key -out nginx.csr

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:beijing
Organization Name (eg, company) [Default Company Ltd]:sjwl
Organizational Unit Name (eg, section) []:sjwl
Common Name (eg, your name or your server's hostname) []:docker.shengjing.com
Email Address []:mengxl@shengjing360.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Again you are prompted for the fields. The Common Name must be the domain name or hostname of the server the certificate is being issued for; leave the challenge password empty.

Sign the request with the private CA

[root@docker ssl]# touch /etc/pki/CA/index.txt
[root@docker ssl]# touch /etc/pki/CA/serial
[root@docker ssl]# echo 00 > /etc/pki/CA/serial

Run: openssl ca -in nginx.csr -out nginx.crt

[root@docker ssl]# openssl ca -in nginx.csr -out nginx.crt
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 0 (0x0)
        Validity
            Not Before: Nov  7 16:28:22 2016 GMT
            Not After : Nov  7 16:28:22 2017 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = beijing
            organizationName          = sjwl
            organizationalUnitName    = sjwl
            commonName                = docker.shengjing.com
            emailAddress              = mengxl@shengjing360.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                04:91:10:DD:9E:37:81:66:5E:66:E4:CE:EB:02:E0:D3:27:FC:F7:7B
            X509v3 Authority Key Identifier:
                keyid:C8:F9:00:19:C0:61:7E:71:B8:16:FD:08:43:AD:82:F7:9E:BC:20:91

Certificate is to be certified until Nov  7 16:28:22 2017 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

There are prompts again; answer y to both.

Check the nginx certificate:

[root@docker ssl]# ls
nginx.crt  nginx.csr  nginx.key
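The CA, key, CSR and signing steps above, done non-interactively as an added example (this is not the post's own script): it signs with openssl x509 -req instead of openssl ca, so no index.txt/serial database is needed, gives the CA its own Common Name so issuer and subject differ, and adds a subjectAltName, which current Docker clients (Go 1.15 and later) require. Assumptions: HOST is the post's hostname, WORKDIR is a constructed scratch directory, and the CA's CN is a made-up name.

```shell
#!/bin/sh
# Added example, not from the original post. Non-interactive CA + server cert
# for the registry proxy, then the checks a TLS client performs on the result.
# Assumptions: HOST from the post; WORKDIR is a constructed scratch directory.
set -eu
HOST=docker.shengjing.com
WORKDIR=${WORKDIR:-$(mktemp -d)}

make_registry_certs() {
    cd "$WORKDIR"
    # 1. CA key and self-signed root (CA:TRUE comes from the default v3_ca
    #    section). The CN is a constructed name, distinct from the server's.
    openssl genrsa -out cakey.pem 2048 2>/dev/null
    openssl req -new -x509 -key cakey.pem -out cacert.pem -days 3650 \
        -subj "/C=CN/ST=beijing/L=beijing/O=sjwl/OU=sjwl/CN=sjwl private docker CA"
    # 2. nginx key and CSR; the CN is the name clients connect to.
    openssl genrsa -out nginx.key 2048 2>/dev/null
    openssl req -new -key nginx.key -out nginx.csr \
        -subj "/C=CN/ST=beijing/L=beijing/O=sjwl/OU=sjwl/CN=$HOST"
    # 3. Server-cert extensions: not a CA, hostname in the SAN, server use only.
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' \
        "$HOST" > v3.ext
    openssl x509 -req -in nginx.csr -CA cacert.pem -CAkey cakey.pem -CAcreateserial \
        -days 365 -extfile v3.ext -out nginx.crt 2>/dev/null
}

# What a client checks: the chain verifies against the private root, the
# certificate is valid for HOST, and it is not itself a CA. Returns 0 if all pass.
check_registry_certs() {
    cd "$WORKDIR"
    openssl verify -CAfile cacert.pem nginx.crt >/dev/null &&
    openssl x509 -in nginx.crt -noout -text | grep -q "DNS:$HOST" &&
    openssl x509 -in nginx.crt -noout -text | grep -q 'CA:FALSE'
}

make_registry_certs && check_registry_certs && echo "certificates in $WORKDIR verify OK"
```

To check the running proxy the same way without disabling verification, use curl --cacert cacert.pem https://docker.shengjing.com/ instead of curl -k.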


Install, configure and run nginx

(1) Add the group and user

[root@docker ssl]# groupadd www -g 58
[root@docker ssl]# useradd -u 58 -g www www

(2) Download, build and install nginx

cd /usr/local/src
wget http://nginx.org/download/nginx-1.11.2.tar.gz
tar -zxvf nginx-1.11.2.tar.gz
cd nginx-1.11.2

[root@docker nginx-1.11.2]# ./configure --user=www --group=www --prefix=/usr/local/nginx --with-http_ssl_module --with-http_stub_status_module --with-pcre --with-http_addition_module --with-http_realip_module --with-http_flv_module

[root@docker nginx-1.11.2]# make && make install

(3) Configure nginx as the TLS reverse proxy for the registry. server_name must match the Common Name of the certificate issued above, and the upstream is the registry container published on port 5000 of this host.

vi /usr/local/nginx/conf/nginx.conf

# /usr/local/nginx/conf/nginx.conf
user www;
worker_processes 4;
events {
    worker_connections 4096;
}
http {
    include mime.types;
    default_type application/octet-stream;
    sendfile on;
    keepalive_timeout 65;
    upstream registry {
        server 192.168.93.202:5000;
    }
    server {
        listen 443 ssl;
        server_name docker.shengjing.com;
        ssl_certificate /etc/pki/CA/ssl/nginx.crt;
        ssl_certificate_key /etc/pki/CA/ssl/nginx.key;
        ssl_session_cache shared:SSL:1m;
        ssl_session_timeout 5m;
        ssl_ciphers HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers on;
        location / {
            proxy_pass http://registry;
            client_max_body_size 3000m;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $remote_addr;
        }
    }
}
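A hardened version of this proxy configuration, as an added example rather than the post's own config: it keeps the post's paths, hostname and upstream, and adds the settings a Docker registry needs behind a proxy (no request-body limit for image layers, X-Forwarded-Proto so the registry builds https:// URLs, the Docker-Distribution-Api-Version header), restricts TLS to 1.2 and redirects plain HTTP to HTTPS. TLSv1.3 can be added to ssl_protocols on nginx 1.13 or later built against OpenSSL 1.1.1; nginx 1.11.2 as used in the post does not know that value.

```nginx
user www;
worker_processes 4;
events { worker_connections 4096; }
http {
    include mime.types;
    default_type application/octet-stream;
    sendfile on;
    keepalive_timeout 65;
    upstream registry {
        server 192.168.93.202:5000;
    }
    # Plain HTTP only redirects; the registry is never served without TLS.
    server {
        listen 80;
        server_name docker.shengjing.com;
        return 301 https://$host$request_uri;
    }
    server {
        listen 443 ssl;
        server_name docker.shengjing.com;
        ssl_certificate /etc/pki/CA/ssl/nginx.crt;
        ssl_certificate_key /etc/pki/CA/ssl/nginx.key;
        ssl_session_cache shared:SSL:1m;
        ssl_session_timeout 5m;
        ssl_protocols TLSv1.2;               # no SSLv3 / TLS 1.0 / TLS 1.1
        ssl_ciphers HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers on;
        # Image layers can be several GB; 0 disables the body-size limit.
        client_max_body_size 0;
        chunked_transfer_encoding on;
        location / {
            # Tell docker clients this is a v2 registry, also on 401/404 replies.
            add_header 'Docker-Distribution-Api-Version' 'registry/2.0' always;
            proxy_pass http://registry;
            proxy_set_header Host $http_host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            # Without this the registry generates http:// URLs in redirects.
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_read_timeout 900;
        }
    }
}
```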

Check the configuration:

/usr/local/nginx/sbin/nginx -t

Start nginx:

[root@docker conf]# /usr/local/nginx/sbin/nginx

[root@docker conf]# ss -ntpl
State   Recv-Q Send-Q Local Address:Port   Peer Address:Port
LISTEN  0      128    *:22                 *:*     users:(("sshd",pid=841,fd=3))
LISTEN  0      100    127.0.0.1:25         *:*     users:(("master",pid=1408,fd=13))
LISTEN  0      128    *:443                *:*     users:(("nginx",pid=4796,fd=6),("nginx",pid=4795,fd=6),("nginx",pid=4794,fd=6),("nginx",pid=4793,fd=6),("nginx",pid=4792,fd=6))
LISTEN  0      128    :::22                :::*    users:(("sshd",pid=841,fd=4))
LISTEN  0      100    ::1:25               :::*    users:(("master",pid=1408,fd=14))

[root@docker conf]# ps -ef | grep -i "nginx"
root      4792     1  0 12:07 ?        00:00:00 nginx: master process /usr/local/nginx/sbin/nginx
www       4793  4792  0 12:07 ?        00:00:00 nginx: worker process
www       4794  4792  0 12:07 ?        00:00:00 nginx: worker process
www       4795  4792  0 12:07 ?        00:00:00 nginx: worker process
www       4796  4792  0 12:07 ?        00:00:00 nginx: worker process
root      4804  1994  0 12:08 pts/0    00:00:00 grep --color=auto -i nginx


Configure and run Docker

Stop docker:

systemctl stop docker

Edit /etc/sysconfig/docker and add the following line:
DOCKER_OPTS="--insecure-registry docker.shengjing.com --tlsverify --tlscacert /etc/pki/CA/cacert.pem"

The file then looks like this:

# /etc/sysconfig/docker

# Modify these options if you want to change the way the docker daemon runs
OPTIONS='--selinux-enabled --log-driver=journald'
DOCKER_OPTS="--insecure-registry docker.shengjing.com --tlsverify --tlscacert /etc/pki/CA/cacert.pem"
DOCKER_CERT_PATH=/etc/docker

Copy the root certificate into /etc/docker/certs.d/docker.shengjing.com/ (the directory name must be the registry hostname):

mkdir -p /etc/docker/certs.d/docker.shengjing.com
cp /etc/pki/CA/cacert.pem /etc/docker/certs.d/docker.shengjing.com/ca-certificates.crt

Start docker:

systemctl start docker

Run the private registry container
Pull the official registry image:

docker pull registry

Start the local private registry from the official registry image. The storage location of the registry can be chosen with a parameter; for example, to use the directory /opt/data/registry as the registry location:

mkdir -p /opt/data/registry

Run the private registry container:

docker run -d -p 5000:5000 -v /opt/data/registry:/tmp/registry docker.io/registry

Verify the registry through the proxy:

[root@localhost ~]# curl -i -k https://docker.shengjing.com
HTTP/1.1 200 OK
Server: nginx/1.11.2
Date: Mon, 07 Nov 2016 17:35:12 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 0
Connection: keep-alive
Cache-Control: no-cache



Docker client configuration

Edit /etc/hosts and add the IP address of docker.shengjing.com, for example:

192.168.93.202 docker.shengjing.com

Append the registry server's root certificate to ca-certificates.crt:
first copy /etc/pki/CA/cacert.pem from the registry server to this machine, then run:
cat ./cacert.pem >> /etc/pki/tls/certs/ca-certificates.crt
















