Overview
A setup procedure for anyone who just wants to get a docker registry running on a CentOS 7 docker host, addressed by a raw IP address and secured with a self-signed certificate. As written it is a lab setup: the registry has no authentication (anyone who can reach TCP port 5000 can push and pull), and the TLS private key is stored unencrypted. Add proper settings before using it in production.
Prerequisites
- docker and docker-compose are installed and usable on each host
- openssl and the other required packages are installed
- Work is done as the user "vagrant", who can ssh to each host
Host | IP address | Role |
---|---|---|
docker host 1 | 192.168.33.11 | runs the docker registry container |
docker host 2 | 192.168.33.12 | pushes an image to the docker registry |
docker host 3 | 192.168.33.13 | pulls the image from the docker registry |
Procedure
Configuring docker host 1
[vagrant@192.168.33.11]
### Add the subjectAltName entry for connecting by IP address to the v3_ca section (openssl req -x509 applies the v3_ca extensions by default, which is why it goes there).
### Docker's client is written in Go, and Go's crypto/x509 matches an IP address only against the certificate's IP SAN entries, never against the Common Name, so a certificate with only CN=192.168.33.11 fails verification on push and pull.
### This is the system-wide config: every certificate generated on this host afterwards gets the same SAN until the line is removed again.
$ sudo vi /etc/pki/tls/openssl.cnf
================================================
...
[ v3_ca ]
...
# Include email address in subject alt name: another PKIX recommendation
# subjectAltName=email:copy
# Copy issuer details
# issuerAltName=issuer:copy
subjectAltName = IP:192.168.33.11 ### <- add this line
================================================
### Create the directories for the registry's image storage and for the server certificate (the storage directory name must match the volume mount in the compose file below)
$ mkdir -p /home/vagrant/containers/registry /home/vagrant/containers/certs
$ cd /home/vagrant/containers/certs
### Create the server certificate. Fill in the fields other than Common Name as you like. -nodes leaves the private key unencrypted and -days 36500 makes the certificate valid for roughly 100 years; both are lab conveniences, not production settings.
$ openssl req -newkey rsa:4096 -nodes -sha256 -keyout domain.key -x509 -days 36500 -out domain.crt
================================================
Generating a 4096 bit RSA private key
.......++
.........................................................................++
writing new private key to 'domain.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:JP
State or Province Name (full name) []:Tokushima
Locality Name (eg, city) [Default City]:Tokushima-shi
Organization Name (eg, company) [Default Company Ltd]:ftakao2007 company
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:192.168.33.11 ### <- enter the docker host's IP (the subjectAltName added above is what the client actually checks)
Email Address []:
================================================
### Make root the owner. domain.key is unencrypted, so it should also be readable by its owner only (mode 0600); the registry container runs as root and reads it through the /certs mount.
$ sudo chown root:root domain*
### Distribute the server certificate to docker hosts 2 and 3. Only the public domain.crt leaves this host; domain.key stays here. sudo is not needed: vagrant can ssh to the other hosts and domain.crt is world-readable.
$ scp domain.crt vagrant@192.168.33.12:
$ scp domain.crt vagrant@192.168.33.13:
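The steps above edit the system-wide openssl.cnf and leave the SAN line there for every certificate generated afterwards. The script below is an added example, not part of the original page: it produces the same domain.key/domain.crt from a throwaway config passed with -config, then checks that the certificate really carries the IP SAN (the field Docker's Go-based client looks at for an IP address) and that it validates against itself, which is how the other hosts will use it as ca.crt. The function names, the REG_* variables, the 365-day default validity and the extension set are this example's own choices; the IP 192.168.33.11 and the domain.key/domain.crt file names come from the page.

```shell
#!/bin/sh
# Added example, not from the original page: build the registry's self-signed
# certificate with the IP SAN from a private OpenSSL config (no edits to
# /etc/pki/tls/openssl.cnf) and verify the result the way the clients will.
# Assumptions: function names, REG_* variables, 365-day validity and the
# extension set are this example's choices; 192.168.33.11 and the
# domain.key/domain.crt names come from the page.
set -eu

REG_KEY_BITS="${REG_KEY_BITS:-4096}"   # page uses rsa:4096
REG_DAYS="${REG_DAYS:-365}"            # page uses 36500; shorter is wiser

# make_registry_cert OUTDIR IP
# Writes OUTDIR/domain.key (mode 0600) and OUTDIR/domain.crt (mode 0644),
# self-signed, CN=IP and subjectAltName=IP:IP.
make_registry_cert() {
    outdir="$1"; ip="$2"
    mkdir -p "$outdir"
    # Throwaway config: what the page put into v3_ca, scoped to this run only.
    cat > "$outdir/openssl-registry.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions    = v3_registry
prompt             = no

[dn]
CN = $ip

[v3_registry]
# Docker (Go crypto/x509) matches an IP only against IP SANs, never the CN.
subjectAltName       = IP:$ip
basicConstraints     = critical, CA:TRUE
subjectKeyIdentifier = hash
extendedKeyUsage     = serverAuth
EOF
    # umask 077: the -nodes key is unencrypted, so never let it be world-readable.
    ( umask 077 && openssl req -x509 -newkey "rsa:$REG_KEY_BITS" -nodes -sha256 \
          -days "$REG_DAYS" -config "$outdir/openssl-registry.cnf" \
          -keyout "$outdir/domain.key" -out "$outdir/domain.crt" 2>/dev/null )
    chmod 644 "$outdir/domain.crt"   # the certificate is public; clients copy it as ca.crt
}

# cert_has_ip_san CRT IP -> exit 0 iff CRT lists exactly IP in its subjectAltName
cert_has_ip_san() {
    ip_re=$(printf '%s' "$2" | sed 's/\./\\./g')
    openssl x509 -in "$1" -noout -text | grep -Eq "IP Address:${ip_re}"'([^0-9]|$)'
}

# cert_is_own_trust_anchor CRT -> exit 0 iff CRT validates with itself as the CA,
# which is how docker uses /etc/docker/certs.d/<host:port>/ca.crt
cert_is_own_trust_anchor() {
    openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}

# Stand-alone use (skipped when the file is only sourced):
#   REG_CERT_DIR=/home/vagrant/containers/certs REG_IP=192.168.33.11 sh make-registry-cert.sh
if [ -n "${REG_CERT_DIR:-}" ]; then
    make_registry_cert "$REG_CERT_DIR" "${REG_IP:-192.168.33.11}"
    cert_has_ip_san "$REG_CERT_DIR/domain.crt" "${REG_IP:-192.168.33.11}"
    cert_is_own_trust_anchor "$REG_CERT_DIR/domain.crt"
    echo "wrote $REG_CERT_DIR/domain.crt with IP SAN ${REG_IP:-192.168.33.11}"
fi
```

On docker host 1 the certificate step then becomes `REG_CERT_DIR=/home/vagrant/containers/certs REG_IP=192.168.33.11 sh make-registry-cert.sh`, and the rest of the procedure is unchanged. cert_has_ip_san is worth running whenever a push or pull fails with a certificate error, because a certificate that carries the IP only in its Common Name is a common cause.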
Placing the server certificate on docker hosts 2 and 3
[vagrant@192.168.33.12, 192.168.33.13]
### The directory name must be exactly the host:port used in the image names; docker picks the file up without a daemon restart. The certificate is self-signed, i.e. it is its own CA, hence the name ca.crt.
$ sudo mkdir -p /etc/docker/certs.d/192.168.33.11:5000
$ sudo chown root:root domain.crt
$ sudo mv domain.crt /etc/docker/certs.d/192.168.33.11:5000/ca.crt
Starting the container on docker host 1
[vagrant@192.168.33.11]
$ cd ~
$ vi docker-compose_registry.yml
### Compose v1 format (no version: key). Note what is missing: there is no REGISTRY_AUTH, so anyone who can reach port 5000 can push, pull and, because REGISTRY_STORAGE_DELETE_ENABLED is on, delete manifests.
================================================
registry:
  restart: always
  image: registry:2
  ports:
    - 5000:5000
  environment:
    REGISTRY_HTTP_TLS_CERTIFICATE: /certs/domain.crt
    REGISTRY_HTTP_TLS_KEY: /certs/domain.key
    REGISTRY_STORAGE_DELETE_ENABLED: 'true'
  volumes:
    - /home/vagrant/containers/registry:/var/lib/registry
    - /home/vagrant/containers/certs:/certs
================================================
$ docker-compose -f docker-compose_registry.yml up -d
Pushing an image from docker host 2
[vagrant@192.168.33.12]
### Check the image ID
$ docker images
================================================
REPOSITORY   TAG   IMAGE ID       CREATED      SIZE
centos       7     0584b3d2cf6d   4 days ago   196.5 MB
================================================
### Tag the image for the push; the 192.168.33.11:5000/ prefix is what tells docker which registry (and which /etc/docker/certs.d/ directory) to use
$ docker tag 0584b3d2cf6d 192.168.33.11:5000/centos:7
$ docker images
================================================
REPOSITORY                  TAG   IMAGE ID       CREATED      SIZE
192.168.33.11:5000/centos   7     0584b3d2cf6d   4 days ago   196.5 MB
centos                      7     0584b3d2cf6d   4 days ago   196.5 MB
================================================
### Push (the digest printed on the last line identifies the uploaded manifest)
$ docker push 192.168.33.11:5000/centos:7
================================================
The push refers to a repository [192.168.33.11:5000/centos]
97ca462ad9ee: Pushed
7: digest: sha256:b2f9d1c0ff5f87a4743104d099a3d561002ac500db1b9bfa02a783a46e0d366c size: 529
================================================
Pulling the image on docker host 3
[vagrant@192.168.33.13]
$ docker images
================================================
REPOSITORY   TAG   IMAGE ID   CREATED   SIZE
================================================
### List the repositories in the registry. The certificate is trusted on this host now, so give curl the CA file rather than --insecure, which skips certificate verification entirely (prefix with sudo if /etc/docker is not readable by vagrant)
$ curl --cacert /etc/docker/certs.d/192.168.33.11:5000/ca.crt https://192.168.33.11:5000/v2/_catalog
================================================
{"repositories":["centos"]}
================================================
### List the tags
$ curl --cacert /etc/docker/certs.d/192.168.33.11:5000/ca.crt https://192.168.33.11:5000/v2/centos/tags/list
================================================
{"name":"centos","tags":["7"]}
================================================
### Pull the image
$ docker pull 192.168.33.11:5000/centos:7
================================================
7: Pulling from centos
08d48e6f1cff: Pull complete
Digest: sha256:b2f9d1c0ff5f87a4743104d099a3d561002ac500db1b9bfa02a783a46e0d366c
Status: Downloaded newer image for 192.168.33.11:5000/centos:7
================================================
### The Digest line is the same digest that the push on docker host 2 reported, so the manifest arrived unchanged. Pulling with name@sha256:<digest> instead of a tag pins that exact manifest even if the tag is later moved to another image.
$ docker images
================================================
REPOSITORY                  TAG   IMAGE ID       CREATED      SIZE
192.168.33.11:5000/centos   7     0584b3d2cf6d   4 days ago   196.5 MB
================================================