Installing a Private Docker Registry on CentOS 6.X


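Notes:

“docker.yy.com is the domain name of the Docker registry server, that is, the host address of your company's private Docker server; its IP is assumed to be 192.168.2.114. Because the HTTPS SSL certificate cannot use an IP address, I just picked a name.

The registry server acts as the upstream server that handles the final upload and download of Docker images; it uses the official image.

nginx 1.4.x is nginx used as the reverse proxy server.”

Docker server-side configuration

Install dependencies

    yum -y install gcc make file && \
    yum -y install tar pcre-devel pcre-static openssl openssl-devel httpd-tools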

Configure SSL

(1) Edit /etc/hosts and add the IP address of docker.yy.com, for example:

    192.168.2.114 docker.yy.com

(2) Generate the root key

First delete the following files:

“/etc/pki/CA/cacert.pem
/etc/pki/CA/index.txt
/etc/pki/CA/index.txt.attr
/etc/pki/CA/index.txt.old
/etc/pki/CA/serial
/etc/pki/CA/serial.old”

    cd /etc/pki/CA/
    openssl genrsa -out private/cakey.pem 2048

(3) Generate the root certificate

    openssl req -new -x509 -key private/cakey.pem -out cacert.pem

Output:

    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [XX]:CN
    State or Province Name (full name) []:beijing
    Locality Name (eg, city) [Default City]:beijing
    Organization Name (eg, company) [Default Company Ltd]:youyuan
    Organizational Unit Name (eg, section) []:
    Common Name (eg, your name or your server's hostname) []:docker.yy.com
    Email Address []:

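“You will be prompted for several values. Because this CA is private, you can enter anything, but remember what you entered so that it stays consistent with the later steps, especially the "Common Name". The self-signed certificate cacert.pem above should be generated under /etc/pki/CA.”

(4) Generate the SSL key for our nginx web server

    mkdir -p /etc/nginx/ssl
    cd /etc/nginx/ssl
    openssl genrsa -out nginx.key 2048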

“Here our CA and the server requesting the certificate are the same machine; otherwise the key should be generated on the other server that needs the certificate.”

(5) Generate a certificate signing request for nginx

    openssl req -new -key nginx.key -out nginx.csr

Output:

    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [XX]:CN
    State or Province Name (full name) []:beijing
    Locality Name (eg, city) [Default City]:beijing
    Organization Name (eg, company) [Default Company Ltd]:youyuan
    Organizational Unit Name (eg, section) []:
    Common Name (eg, your name or your server's hostname) []:docker.yy.com
    Email Address []:

    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:
    An optional company name []:

“Again you will be prompted for several values. The Common Name must be the domain name or host name of the server the certificate is issued to; leave the challenge password empty.”

(6) The private CA issues the certificate based on the request

    touch /etc/pki/CA/index.txt
    touch /etc/pki/CA/serial
    echo 00 > /etc/pki/CA/serial
    openssl ca -in nginx.csr -out nginx.crt

Output:

    Using configuration from /etc/pki/tls/openssl.cnf
    Check that the request matches the signature
    Signature ok
    Certificate Details:
        Serial Number: 0 (0x0)
        Validity
            Not Before: Dec 9 09:59:20 2014 GMT
            Not After : Dec 9 09:59:20 2015 GMT
        Subject:
            countryName = CN
            stateOrProvinceName = beijing
            organizationName = youyuan
            commonName = docker.yy.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                5D:6B:02:FF:9E:F8:EA:1B:73:19:47:39:4F:88:93:9F:E7:AC:A5:66
            X509v3 Authority Key Identifier:
                keyid:46:DC:F1:A5:6F:39:EC:6E:77:03:3B:C4:34:03:7E:B8:0A:ED:99:41

    Certificate is to be certified until Dec 9 09:59:20 2015 GMT (365 days)
    Sign the certificate? [y/n]:y

    1 out of 1 certificate requests certified, commit? [y/n]y
    Write out database with 1 new entries
    Data Base Updated
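The following script is an added example, not part of the original guide: it repeats steps (2) to (6) non-interactively in a scratch directory and then checks the result before nginx is pointed at it. The scratch directory, the file names ca.key, ca.crt and san.ext, the CA name yy-private-ca and the subjectAltName entry are assumptions of this example, and `openssl x509 -req` stands in for `openssl ca` so that /etc/pki/CA is left untouched.

```bash
#!/usr/bin/env bash
# Added example, not from the original guide. Constructed values: scratch directory,
# file names ca.key/ca.crt/san.ext, CA name "yy-private-ca", subjectAltName entry.

# Steps (2)-(6) without prompts: CA key, root cert, nginx key, CSR, signed cert.
issue_cert() {   # usage: issue_cert <dir> <hostname>
    local dir="$1" host="$2"
    (
        cd "$dir" || exit 1
        umask 077   # files created here, private keys included, are owner-only
        openssl genrsa -out ca.key 2048 2>/dev/null || exit 1
        # The CA gets its own name so issuer and subject of the server cert differ.
        openssl req -new -x509 -key ca.key -out ca.crt -days 365 \
            -subj "/C=CN/ST=beijing/O=youyuan/CN=yy-private-ca" || exit 1
        openssl genrsa -out nginx.key 2048 2>/dev/null || exit 1
        openssl req -new -key nginx.key -out nginx.csr \
            -subj "/C=CN/ST=beijing/O=youyuan/CN=$host" || exit 1
        # Current TLS clients match the host name against subjectAltName, not the CN.
        printf 'subjectAltName=DNS:%s\n' "$host" > san.ext
        openssl x509 -req -in nginx.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
            -out nginx.crt -days 365 -extfile san.ext 2>/dev/null || exit 1
    )
}

# Checks to run before configuring nginx with nginx.crt and nginx.key.
check_cert() {   # usage: check_cert <dir> <hostname>
    local dir="$1" host="$2" cert_mod key_mod
    # 1. The certificate chains to the private CA.
    openssl verify -CAfile "$dir/ca.crt" "$dir/nginx.crt" >/dev/null 2>&1 || return 1
    # 2. nginx.key is the private key for nginx.crt (same RSA modulus).
    cert_mod="$(openssl x509 -noout -modulus -in "$dir/nginx.crt")" || return 1
    key_mod="$(openssl rsa -noout -modulus -in "$dir/nginx.key" 2>/dev/null)" || return 1
    [ "$cert_mod" = "$key_mod" ] || return 1
    # 3. The certificate lists the registry host in subjectAltName.
    openssl x509 -noout -text -in "$dir/nginx.crt" | grep -qF "DNS:$host"
}

# Demo run in a throwaway directory.
demo_dir="$(mktemp -d)"
issue_cert "$demo_dir" docker.yy.com && check_cert "$demo_dir" docker.yy.com \
    && echo "nginx.crt verified for docker.yy.com"
rm -rf "$demo_dir"
```

The same three checks in check_cert can be run by hand against /etc/pki/CA/cacert.pem and the files in /etc/nginx/ssl produced by the steps above.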
