Installing a private Docker Registry on CentOS 6.X
Notes:
“
docker.yy.com is the domain name of the docker registry server, i.e. the host address of your company's private docker server; assume its IP is 192.168.2.114. Because an SSL certificate for https cannot be issued for a bare IP address, I simply made up a name.
The registry server acts as the upstream server that handles the actual upload and download of docker images; it uses the official image.
nginx 1.4.x is used as the reverse proxy server in front of it.
”
[X] Docker server-side configuration
Install dependencies
yum -y install gcc make file && \
yum -y install tar pcre-devel pcre-static openssl openssl-devel httpd-tools
Configure SSL
(1) Edit /etc/hosts and add the IP address of docker.yy.com, for example:
192.168.2.114 docker.yy.com
(2) Generate the root key
First delete the following files (this discards any CA state already on the host; the guide starts from a fresh CA):
“
/etc/pki/CA/cacert.pem
/etc/pki/CA/index.txt
/etc/pki/CA/index.txt.attr
/etc/pki/CA/index.txt.old
/etc/pki/CA/serial
/etc/pki/CA/serial.old
”
cd /etc/pki/CA/
openssl genrsa -out private/cakey.pem 2048
(3) Generate the root certificate
openssl req -new -x509 -key private/cakey.pem -out cacert.pem
Output:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:beijing
Organization Name (eg, company) [Default Company Ltd]:youyuan
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:docker.yy.com
Email Address []:
“
You will be prompted for some information. Since this is a private CA you can enter whatever you like, but remember it so the later steps stay consistent, especially the "Common Name". The self-signed certificate cacert.pem above should now exist under /etc/pki/CA.
”
(4) Generate the SSL key for our nginx web server
mkdir -p /etc/nginx/ssl
cd /etc/nginx/ssl
openssl genrsa -out nginx.key 2048
“
Here the CA and the server requesting the certificate are the same machine; otherwise the key would be generated on the other server that needs the certificate.
”
(5) Generate a certificate signing request for nginx
openssl req -new -key nginx.key -out nginx.csr
Output:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:beijing
Organization Name (eg, company) [Default Company Ltd]:youyuan
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:docker.yy.com
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
“
Again you will be prompted for some information. The Common Name must be the domain name or hostname of the server the certificate is being issued to; leave the challenge password empty.
”
(6) The private CA signs the certificate from the request
touch /etc/pki/CA/index.txt
touch /etc/pki/CA/serial
echo 00 > /etc/pki/CA/serial
openssl ca -in nginx.csr -out nginx.crt
Output:
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 0 (0x0)
Validity
Not Before: Dec 9 09:59:20 2014 GMT
Not After : Dec 9 09:59:20 2015 GMT
Subject:
countryName = CN
stateOrProvinceName = beijing
organizationName = youyuan
commonName = docker.yy.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
5D:6B:02:FF:9E:F8:EA:1B:73:19:47:39:4F:88:93:9F:E7:AC:A5:66
X509v3 Authority Key Identifier:
keyid:46:DC:F1:A5:6F:39:EC:6E:77:03:3B:C4:34:03:7E:B8:0A:ED:99:41
Certificate is to be certified until Dec 9 09:59:20 2015 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
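Steps (2) to (6) above are interactive and write into /etc/pki/CA. The script below is an added example, not part of the original guide: it reproduces the same key, CSR and `openssl ca` signing sequence non-interactively in a scratch directory, then verifies that nginx.crt chains to cacert.pem and matches the registry hostname, which is the check a client such as docker or curl will perform. It assumes `openssl` is on PATH; the hostname docker.yy.com and the DN fields come from the guide, while the CA name "yy private CA", the minimal openssl.cnf, the serial 01 and the subjectAltName are constructed for this example. It departs from the guide in two places on purpose: the CA gets its own Common Name so issuer and subject are distinguishable, and the server certificate carries a subjectAltName, because newer TLS clients (Go 1.15 and later, hence recent docker builds) match the hostname only against the SAN, not the CN.

```shell
#!/bin/sh
# Added example: non-interactive private CA + nginx server certificate.
# Not from the original guide. Assumes openssl on PATH; every path below is a
# scratch directory standing in for /etc/pki/CA and /etc/nginx/ssl.
set -e

REGISTRY_HOST="${REGISTRY_HOST:-docker.yy.com}"   # hostname from the guide

write_ca_config() {
    # $1 = CA directory. Minimal stand-in for the [req]/[ca] parts of
    # /etc/pki/tls/openssl.cnf that the guide relies on (constructed here).
    cat > "$1/openssl.cnf" <<EOF
[ req ]
distinguished_name = req_dn
[ req_dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir = $1
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial = \$dir/serial
certificate = \$dir/cacert.pem
private_key = \$dir/private/cakey.pem
default_md = sha256
default_days = 365
policy = policy_any
x509_extensions = server_ext
[ policy_any ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ server_ext ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid, issuer
subjectAltName = DNS:$REGISTRY_HOST
EOF
}

build_pki() {
    # $1 = scratch root; creates $1/CA (the CA) and $1/ssl (nginx key/cert).
    ca="$1/CA"; ssl="$1/ssl"
    mkdir -p "$ca/private" "$ca/newcerts" "$ssl"
    chmod 700 "$ca/private"                    # CA key must never be world-readable
    write_ca_config "$ca"
    # steps (2)+(3): root key, then self-signed root cert; -subj replaces the prompts
    openssl genrsa -out "$ca/private/cakey.pem" 2048 2>/dev/null
    chmod 600 "$ca/private/cakey.pem"
    openssl req -new -x509 -config "$ca/openssl.cnf" -extensions v3_ca -days 3650 \
        -key "$ca/private/cakey.pem" -out "$ca/cacert.pem" \
        -subj "/C=CN/ST=beijing/L=beijing/O=youyuan/CN=yy private CA"
    # steps (4)+(5): server key and CSR whose CN is the registry hostname
    openssl genrsa -out "$ssl/nginx.key" 2048 2>/dev/null
    chmod 600 "$ssl/nginx.key"
    openssl req -new -config "$ca/openssl.cnf" -key "$ssl/nginx.key" \
        -out "$ssl/nginx.csr" \
        -subj "/C=CN/ST=beijing/L=beijing/O=youyuan/CN=$REGISTRY_HOST"
    # step (6): empty CA database, serial (01: RFC 5280 requires a positive
    # serial, the guide's 00 yields serial 0), then sign without prompting
    : > "$ca/index.txt"
    echo 01 > "$ca/serial"
    openssl ca -batch -notext -config "$ca/openssl.cnf" \
        -in "$ssl/nginx.csr" -out "$ssl/nginx.crt"
}

verify_chain() {
    # Succeeds only if nginx.crt chains to cacert.pem AND its SAN matches
    # the registry hostname; this is what a TLS client checks.
    openssl verify -CAfile "$1/CA/cacert.pem" "$1/ssl/nginx.crt" >/dev/null 2>&1 || return 1
    openssl x509 -in "$1/ssl/nginx.crt" -noout -checkhost "$REGISTRY_HOST" \
        | grep -q 'does match'
}

# Stand-alone usage: ./script.sh --demo
if [ "${1:-}" = "--demo" ]; then
    WORK=$(mktemp -d)
    build_pki "$WORK"
    if verify_chain "$WORK"; then
        echo "nginx.crt verifies against cacert.pem for $REGISTRY_HOST"
    else
        echo "verification failed"
    fi
    rm -rf "$WORK"
fi
```

After signing, copy cacert.pem (never cakey.pem) to each docker host that must trust the registry; the private key stays in the CA's private directory with the 0600 permissions set above.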