DockerDay 19

I just want to get a docker registry running



Overview

Setup steps for anyone who has a CentOS 7 docker host and just wants to get a docker registry running over a raw IP address with a self-signed certificate. If you use this in production, put proper settings in place (at minimum a certificate issued by a CA you control and access control in front of the registry).


Preparation and prerequisites


  • Each host already has docker and docker-compose installed and working

  • openssl and the other required packages are installed

  • The working user is "vagrant" and can ssh to each host

Host            IP address       Role

docker host 1   192.168.33.11    runs the docker registry container
docker host 2   192.168.33.12    pushes an image to the docker registry
docker host 3   192.168.33.13    pulls the image from the docker registry


Procedure


Configuring docker host 1

[vagrant@192.168.33.11]

### Add the subjectAltName needed for connecting by IP address to the v3_ca section.
### Current Docker daemons (built with Go 1.15 or later) ignore the Common Name and
### match only the SAN, so this line is what makes the IP-based connection verify.
$ sudo vi /etc/pki/tls/openssl.cnf
================================================
...
[ v3_ca ]
...
# Include email address in subject alt name: another PKIX recommendation
# subjectAltName=email:copy
# Copy issuer details
# issuerAltName=issuer:copy
subjectAltName = IP:192.168.33.11 ### <- add this line
================================================

### Create the directories for the image data and the server certificate
### (the registry directory must match the volume path in the compose file below)
$ mkdir -p /home/vagrant/containers/registry /home/vagrant/containers/certs
$ cd /home/vagrant/containers/certs

### Create the server certificate. Fill in the fields other than Common Name however you like.
### -days 36500 gives a 100-year validity, which is fine for a lab but not for anything else.
$ openssl req -newkey rsa:4096 -nodes -sha256 -keyout domain.key -x509 -days 36500 -out domain.crt
================================================
Generating a 4096 bit RSA private key
.......++
.........................................................................++
writing new private key to 'domain.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:JP
State or Province Name (full name) []:Tokushima
Locality Name (eg, city) [Default City]:Tokushima-shi
Organization Name (eg, company) [Default Company Ltd]:ftakao2007 company
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:192.168.33.11 ### <- enter the docker host's IP
Email Address []:
================================================
$ sudo chown root:root domain*   ### domain.key is the registry's private key; keep it readable by root only (mode 600)

### Distribute the server certificate to docker hosts 2 and 3 (only the .crt, never the .key)
$ sudo scp domain.crt vagrant@192.168.33.12:
$ sudo scp domain.crt vagrant@192.168.33.13:


Placing the server certificate on docker hosts 2 and 3

[vagrant@192.168.33.12, 192.168.33.13]

### The directory name must be exactly the host:port used in the image reference;
### the daemon looks for <host>:<port>/ca.crt under /etc/docker/certs.d
$ sudo mkdir -p /etc/docker/certs.d/192.168.33.11:5000
$ sudo chown root:root domain.crt
$ sudo mv domain.crt /etc/docker/certs.d/192.168.33.11:5000/ca.crt
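The certificate steps above (adding the IP SAN, creating the self-signed certificate, and confirming what a client will see once the file is in certs.d) as one script. This is an added example, not code from the original post: instead of editing the system-wide /etc/pki/tls/openssl.cnf it passes a throw-away config through -config, which works on the OpenSSL 1.0.2 that ships with CentOS 7 as well as on newer releases. The function names gen_registry_cert and check_registry_cert, the 2048-bit key and the 825-day validity are my own choices; the SAN check greps the same "IP Address:" entry that Docker's Go TLS client matches against, and the openssl verify call mirrors a client trusting the file as ca.crt.

```shell
#!/bin/sh
# Added example: self-signed registry certificate with an IP SAN, without
# touching /etc/pki/tls/openssl.cnf. Function names and defaults are assumptions.
set -eu

# gen_registry_cert <ip> <outdir>
# Writes <outdir>/domain.key and <outdir>/domain.crt with CN and SAN both set to <ip>.
gen_registry_cert() {
    ip="$1"; outdir="$2"
    mkdir -p "$outdir"
    cfg="$outdir/san.cnf"
    # Throw-away config: x509_extensions names the section 'openssl req -x509'
    # applies, which is where the page puts subjectAltName in the system file.
    cat > "$cfg" <<EOF
[ req ]
distinguished_name = dn
x509_extensions    = v3_registry
prompt             = no

[ dn ]
CN = $ip

[ v3_registry ]
subjectAltName   = IP:$ip
basicConstraints = critical, CA:TRUE
keyUsage         = critical, digitalSignature, keyEncipherment, keyCertSign
extendedKeyUsage = serverAuth
EOF
    openssl req -newkey rsa:2048 -nodes -sha256 -config "$cfg" \
        -keyout "$outdir/domain.key" -x509 -days 825 \
        -out "$outdir/domain.crt" 2>/dev/null
    # The private key stays on the registry host; never copy it to clients.
    chmod 600 "$outdir/domain.key"
    rm -f "$cfg"
}

# check_registry_cert <ip> <crt>
# Returns 0 when the certificate carries the expected IP SAN and verifies
# against itself, i.e. what a client holding this file as certs.d/.../ca.crt sees.
check_registry_cert() {
    ip="$1"; crt="$2"
    openssl x509 -in "$crt" -noout -text | grep -q "IP Address:$ip" || return 1
    openssl verify -CAfile "$crt" "$crt" >/dev/null 2>&1
}

# Stand-alone usage: ./script.sh run  (generates into a temp dir and verifies)
if [ "${1:-}" = "run" ]; then
    d=$(mktemp -d)
    gen_registry_cert 192.168.33.11 "$d"
    check_registry_cert 192.168.33.11 "$d/domain.crt" \
        && echo "SAN and self-verification OK: $d/domain.crt"
fi
```

Run check_registry_cert on each client host against /etc/docker/certs.d/192.168.33.11:5000/ca.crt after copying; a certificate that only has the IP in the Common Name fails the first test, which is exactly the case the daemon rejects.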


Starting the container on docker host 1

[vagrant@192.168.33.11]

### Compose v1 file format (no version: key). 5000:5000 publishes the registry on every
### interface of host 1; use 192.168.33.11:5000:5000 to limit it to that address.
$ cd ~
$ vi docker-compose_registry.yml
================================================
registry:
  restart: always
  image: registry:2
  ports:
    - 5000:5000
  environment:
    REGISTRY_HTTP_TLS_CERTIFICATE: /certs/domain.crt
    REGISTRY_HTTP_TLS_KEY: /certs/domain.key
    REGISTRY_STORAGE_DELETE_ENABLED: 'True'
  volumes:
    - /home/vagrant/containers/registry:/var/lib/registry
    - /home/vagrant/containers/certs:/certs
================================================
$ docker-compose -f docker-compose_registry.yml up -d


Pushing an image from docker host 2

[vagrant@192.168.33.12]

### Check the image ID
$ docker images
================================================
REPOSITORY TAG IMAGE ID CREATED SIZE
centos 7 0584b3d2cf6d 4 days ago 196.5 MB
================================================

### Tag the image with the registry address so it can be pushed
$ docker tag 0584b3d2cf6d 192.168.33.11:5000/centos:7
$ docker images
================================================
REPOSITORY TAG IMAGE ID CREATED SIZE
192.168.33.11:5000/centos 7 0584b3d2cf6d 4 days ago 196.5 MB
centos 7 0584b3d2cf6d 4 days ago 196.5 MB
================================================

### Push
$ docker push 192.168.33.11:5000/centos:7
================================================
The push refers to a repository [192.168.33.11:5000/centos]
97ca462ad9ee: Pushed
7: digest: sha256:b2f9d1c0ff5f87a4743104d099a3d561002ac500db1b9bfa02a783a46e0d366c size: 529
================================================


Pulling the image on docker host 3

[vagrant@192.168.33.13]

$ docker images
================================================
REPOSITORY TAG IMAGE ID CREATED SIZE
================================================

### List the repositories. --insecure skips certificate verification; to exercise the same
### trust path as the daemon, use --cacert /etc/docker/certs.d/192.168.33.11:5000/ca.crt instead.
$ curl --insecure https://192.168.33.11:5000/v2/_catalog
================================================
{"repositories":["centos"]}
================================================

### List the tags
$ curl --insecure https://192.168.33.11:5000/v2/centos/tags/list
================================================
{"name":"centos","tags":["7"]}
================================================

### Pull the image; the digest should match the one reported by the push on host 2
$ docker pull 192.168.33.11:5000/centos:7
================================================
7: Pulling from centos
08d48e6f1cff: Pull complete
Digest: sha256:b2f9d1c0ff5f87a4743104d099a3d561002ac500db1b9bfa02a783a46e0d366c
Status: Downloaded newer image for 192.168.33.11:5000/centos:7
================================================

$ docker images
================================================
REPOSITORY TAG IMAGE ID CREATED SIZE
192.168.33.11:5000/centos 7 0584b3d2cf6d 4 days ago 196.5 MB
================================================

