docker私服搭建nexus3

docker私服搭建有官方的registry镜像,也有改版后的NexusOss3.x,因为maven的原因搭建了nexus,所以一并将docker私服也搭建到nexus上。

nexus的安装过程就单独说了,如果是2.x系列需要升级到2.14版本再升级到3.y系列,如果3.x到3.y直接升级就可以。

从3.0版本开始,nexus不再只是一个maven仓库,还可以是docker、npm、bower的私有仓库。

配置SSL

docker的仓库链接是基于HTTPS的,故一般情况下需要将nexus的访问方式改为支持https。
配置SSL主要的难点在于证书,证书可以用公网证书,而一般情况下,私服部署在内网,没有域名,用内网IP访问,这种情况下用自签名的证书是最好的选择。证书生成工具用jdk自带的就可以。
配置过程,进入${nexus}/etc/ssl目录下面,执行命令过程中会输入多次密码,记下密码,后面有用处:

$ keytool -genkeypair -keystore example.jks -storepass password -alias example.com \ > -keyalg RSA -keysize 2048 -validity 5000 -keypass password \ > -dname 'CN=*.example.com, OU=Sonatype, O=Sonatype, L=Unspecified, ST=Unspecified, C=US' \ > -ext 'SAN=DNS:nexus.example.com,DNS:clm.example.com,DNS:repo.example.com,DNS:' Warning: The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore example.jks -destkeystore example.jks -deststoretype pkcs12". $ keytool -exportcert -keystore example.jks -alias example.com -rfc > example.cert Enter keystore password: password Warning: The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore example.jks -destkeystore example.jks -deststoretype pkcs12". $ keytool -importkeystore -srckeystore example.jks -destkeystore example.p12 -deststoretype PKCS12 Importing keystore example.jks to example.p12... Enter destination keystore password: Re-enter new password: Enter source keystore password: Entry for alias example.com successfully imported. Import command completed: 1 entries successfully imported, 0 entries failed or cancelled $ openssl pkcs12 -nocerts -nodes -in example.p12 -out example.key Enter Import Password: MAC verified OK

修改配置文件:etc/nexus.properties

原: nexus-args=${jetty.etc}/jetty.xml,${jetty.etc}/jetty-http.xml,${jetty.etc}/jetty-requestlog.xml 修改后: application-port-ssl=8433 nexus-args=${jetty.etc}/jetty.xml,${jetty.etc}/jetty-http.xml,${jetty.etc}/jetty-https.xml,${jetty.etc}/jetty-requestlog.xml

修改配置文件:etc/jetty/jetty-https.xml

<New id="sslContextFactory" class="org.eclipse.jetty.util.ssl.SslContextFactory"> <Set name="KeyStorePath"><Property name="ssl.etc"/>/keystore.jks</Set> // 文件名和前面证书的一致 <Set name="KeyStorePassword">password</Set> // 密码用前面的 <Set name="KeyManagerPassword">password</Set> <Set name="TrustStorePath"><Property name="ssl.etc"/>/keystore.jks</Set> <Set name="TrustStorePassword">password</Set> <Set name="EndpointIdentificationAlgorithm"></Set> <Set name="NeedClientAuth"><Property name="jetty.ssl.needClientAuth" default="false"/></Set> <Set name="WantClientAuth"><Property name="jetty.ssl.wantClientAuth" default="false"/></Set> <Set name="ExcludeCipherSuites"> <Array type="String"> <Item>SSL_RSA_WITH_DES_CBC_SHA</Item> <Item>SSL_DHE_RSA_WITH_DES_CBC_SHA</Item> <Item>SSL_DHE_DSS_WITH_DES_CBC_SHA</Item> <Item>SSL_RSA_EXPORT_WITH_RC4_40_MD5</Item> <Item>SSL_RSA_EXPORT_WITH_DES40_CBC_SHA</Item> <Item>SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA</Item> <Item>SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA</Item> </Array> </Set> </New>

内容版权声明:除非注明,否则皆为本站原创文章。

转载注明出处:https://www.heiqu.com/zyzyxd.html