Set Up a Private Docker Registry on Ubuntu 14.04

Installing Package for Added Security

$ sudo apt-get -y install apache2-utils

Installing and Configuring the Docker Registry

创建目录

$ mkdir ~/docker-registry && cd $_
$ mkdir data
$ mkdir nginx

创建docker-compose.yml

vim docker-compose.yml
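# docker-compose.yml: nginx sits in front of registry:2 and is where TLS and
# basic auth are added in the later steps; the registry itself stays plain.
nginx:
  image: "nginx:1.9"
  container_name: nginx
  ports:
    - 443:443
  links:
    - registry:registry
  volumes:
    # registry.conf, registry.password and domain.crt/.key are all read from here
    - ./nginx/:/etc/nginx/conf.d
registry:
  image: registry:2
  container_name: registry   # fixed: key and value were not separated by a space
  ports:
    # NOTE(review): this publishes the registry on the host directly, so
    # requests to :5000 bypass the auth and TLS that nginx adds on :443.
    # nginx reaches the container through the link above, so the mapping can
    # be dropped, or bound to localhost as 127.0.0.1:5000:5000 if needed.
    - 5000:5000
  environment:
    REGISTRY_STORAGE_FILESYSTEM_ROOTDIRECTORY: /data
  volumes:
    - ./data:/data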

创建nginx配置文件

$ vim ~/docker-registry/nginx/registry.conf
# nginx front-end for the registry: listens on 443 and proxies /v2/ to the
# registry container ("registry" resolves through the compose link).
upstream docker-registry {
  server registry:5000;
}

server {
  # NOTE: while the ssl lines below are still commented out this is plain HTTP
  # on port 443 (the first test in the tutorial uses http://localhost:443/v2/).
  listen 443;
  server_name _;

  # SSL -- enabled later in the "Setting Up SSL" step. No ssl_protocols /
  # ssl_ciphers are set here, so nginx defaults apply; consider pinning them.
  # (Newer nginx releases prefer "listen 443 ssl;" over "ssl on;".)
  # ssl on;
  # ssl_certificate /etc/nginx/conf.d/domain.crt;
  # ssl_certificate_key /etc/nginx/conf.d/domain.key;

  # disable any limits to avoid HTTP 413 for large image uploads
  client_max_body_size 0;

  # required to avoid HTTP 411: see Issue #1486 (https://github.com/docker/docker/issues/1486)
  chunked_transfer_encoding on;

  location /v2/ {
    # Do not allow connections from docker 1.5 and earlier
    # docker pre-1.6.0 did not properly set the user agent on ping, catch "Go *" user agents
    if ($http_user_agent ~ "^(docker\/1\.(3|4|5(?!\.[0-9]-dev))|Go ).*$" ) {
      return 404;
    }

    # To add basic authentication to v2 use auth_basic setting plus add_header
    # Enabled in the "Setting Up Authentication" step; until then /v2/ is
    # reachable by anyone who can connect to port 443.
    # auth_basic "registry.localhost";
    # auth_basic_user_file /etc/nginx/conf.d/registry.password;
    # add_header 'Docker-Distribution-Api-Version' 'registry/2.0' always;

    proxy_pass                          http://docker-registry;
    proxy_set_header  Host              $http_host;   # required for docker client's sake
    proxy_set_header  X-Real-IP         $remote_addr; # pass on real client's IP
    proxy_set_header  X-Forwarded-For   $proxy_add_x_forwarded_for;
    proxy_set_header  X-Forwarded-Proto $scheme;
    proxy_read_timeout                  900;   # 15 min upstream read timeout (presumably for slow pushes)
  }
}

启动服务

$ docker-compose up -d

测试服务

# 注意需要结尾的/
$ curl http://localhost:443/v2/
{}

Setting Up Authentication

为HTTP添加用户

$ cd ~/docker-registry/nginx
# -c (re)creates registry.password and overwrites any existing entries; add -B for bcrypt if your htpasswd supports it
$ htpasswd -c registry.password USERNAME

修改nginx配置文件

$ vim ~/docker-registry/nginx/registry.conf
# To add basic authentication to v2 use auth_basic setting plus add_header
auth_basic "registry.localhost";
auth_basic_user_file /etc/nginx/conf.d/registry.password;
add_header 'Docker-Distribution-Api-Version' 'registry/2.0' always;

重新启动服务

$ cd ~/docker-registry
$ docker-compose restart

验证

# 失败
$ curl http://localhost:443/v2/
<html>
<head><title>401 Authorization Required</title></head>
<body bgcolor="white">
<center><h1>401 Authorization Required</h1></center>
<hr><center>nginx/1.9.7</center>
</body>
</html>
 
# 成功 (credentials in the URL are visible in shell history and process listings; acceptable for a local test only)
$ curl http://USERNAME:PASSWORD@localhost:443/v2/
{}

Setting Up SSL

修改nginx配置文件

$ vim ~/docker-registry/nginx/registry.conf
# SSL
ssl on;
ssl_certificate /etc/nginx/conf.d/domain.crt;
ssl_certificate_key /etc/nginx/conf.d/domain.key;

创建密钥

自己的密钥

$ cd ~/docker-registry/nginx
# Generate a new root key
$ openssl genrsa -out devdockerCA.key 2048
# Generate a root certificate (enter whatever you'd like at the prompts):
$ openssl req -x509 -new -nodes -key devdockerCA.key -days 10000 -out devdockerCA.crt

服务器密钥

# Generate the server (registry) private key
$ openssl genrsa -out domain.key 2048
# Generate a certificate signing request (CSR) for the server; it is signed by the CA in the next step
# Common Name 一项填写你打算使用的域名或者ip
# (newer Docker/Go clients no longer match on Common Name alone and need a subjectAltName; add one via an openssl config if login fails with a certificate error)
# challenge password 不要输入,直接回车
$ openssl req -new -key domain.key -out dev-docker-registry.com.csr

sign the certificate request

$ openssl x509 -req -in dev-docker-registry.com.csr -CA devdockerCA.crt -CAkey devdockerCA.key -CAcreateserial -out domain.crt -days 10000

更新服务器证书

$ sudo mkdir /usr/local/share/ca-certificates/docker-dev-cert
$ sudo cp devdockerCA.crt /usr/local/share/ca-certificates/docker-dev-cert
$ sudo update-ca-certificates
$ sudo service docker restart

验证ssl

$ docker-compose restart
$ curl https://USERNAME:PASSWORD@localhost/v2/
{}

Starting Docker Registry as a Service

修改位置

cd ~/docker-registry
docker-compose down
sudo mv ~/docker-registry /docker-registry
sudo chown -R root: /docker-registry

创建upstart脚本

$ sudo vim /etc/init/docker-registry.conf
description "Docker Registry"
 
start on runlevel [2345]
stop on runlevel [016]
 
respawn
respawn limit 10 5
 
chdir /docker-registry
 
exec /usr/local/bin/docker-compose up

启动服务

$ sudo service docker-registry start

验证服务

$ docker-compose restart
$ curl https://USERNAME:PASSWORD@localhost/v2/
{}

Accessing Your Docker Registry from a Client Machine

复制证书(registry server)

# copy这里的输出内容
$ sudo cat /docker-registry/nginx/devdockerCA.crt

创建并更新证书(client machine)

$ sudo mkdir /usr/local/share/ca-certificates/docker-dev-cert
# 黏贴刚刚复制的内容
$ sudo vim /usr/local/share/ca-certificates/docker-dev-cert/devdockerCA.crt
$ sudo update-ca-certificates
$ sudo service docker restart

验证(login)

# 输入一开始创建的用户名密码,出现Login Succeeded就OK了。
$ docker login https://YOUR-DOMAIN

Publish to Your Private Docker Registry

$ docker login https://your-domain
$ docker pull busybox
$ docker tag busybox your-domain/busybox
$ docker push your-domain/busybox

Pull from Your Docker Registry

# 先删除刚刚的
$ docker rmi your-domain/busybox
$ docker pull your-domain/busybox
$ docker images

参考文献