Configuring an Nginx HTTPS proxy for a Nexus Docker registry

Prerequisites

  • docker v19.03.9
  • docker-compose v1.26.2
  • TLS certificate

1. Create the working directory

$ mkdir /opt/registry
$ cd /opt/registry

2. Edit the docker-compose file

$ vim docker-compose.yml

version: "2.2"
services:

  nginx:
    image: registry.cn-qingdao.aliyuncs.com/kubeoperator/nginx:1.19.2-${OS_ARCH}
    container_name: kubeoperator_nginx
    restart: always
    # Port mappings
    ports:
      - 443:443
      - 8081:8081
      - 8082:8082
    volumes:
      - ./conf/nginx.conf:/etc/nginx/conf.d/default.conf
      - ./cert:/etc/nginx/cert
    command: ["nginx","-g","daemon off;"]
    healthcheck:
      test: ["CMD", "test", "-f", "/var/run/nginx.pid"]
      interval: 10s
      timeout: 10s
      retries: 30
    depends_on:
      - nexus

  nexus:
    restart: always
    image: registry.cn-qingdao.aliyuncs.com/kubeoperator/nexus3:3.25.0-${OS_ARCH}
    container_name: kubeoperator_nexus
    volumes:
      - ./data/nexus-data/:/nexus-data
    healthcheck:
      test: ["CMD","curl","localhost:8081"]
      interval: 10s
      timeout: 10s
      retries: 20

3. Prepare the certificate

  • Create the directory that holds the certificate files
    $ mkdir -p /opt/registry/cert
  • Place the certificate files in it
    $ ls /opt/registry/cert
    server.crt server.key

4. Prepare nginx.conf

vim /opt/registry/conf/nginx.conf

server {

#  listen 80;
  listen 443 ssl;
  ssl_certificate cert/server.crt;
  ssl_certificate_key cert/server.key;

  client_max_body_size 5000m;
  gzip on;
  gzip_min_length 1k;
  gzip_comp_level 6;
  gzip_types text/plain application/javascript application/xml text/javascript;
  gzip_vary on;
  gzip_disable "MSIE [1-6]\.";

  location / {
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto "https";
    proxy_pass http://nexus:8081;
  }

  location /v2/ {
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto "https";
    proxy_pass http://nexus:8082;
  }
}

server {
  listen 8081 ssl;

  server_tokens off;
  ssl_certificate cert/server.crt;
  ssl_certificate_key cert/server.key;
#  server_name  registry.test.com;

  client_max_body_size 10000m;
  gzip on;
  gzip_min_length 1k;
  gzip_comp_level 6;
  gzip_types text/plain application/javascript application/xml text/javascript;
  gzip_vary on;
  gzip_disable "MSIE [1-6]\.";

  location / {
    proxy_set_header    X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header    Host $http_host;
    proxy_set_header    X-Forwarded-Proto https;  # tell Nexus the client connection used https
    server_name_in_redirect on;
    proxy_pass          http://nexus:8081;
  }

}

server {

  listen 8082 ssl;

  server_tokens off;
  ssl_certificate cert/server.crt;
  ssl_certificate_key cert/server.key;
#  server_name  registry.test.com;
  client_max_body_size 5000m;
  gzip on;
  gzip_min_length 1k;
  gzip_comp_level 6;
  gzip_types text/plain application/javascript application/xml text/javascript;
  gzip_vary on;
  gzip_disable "MSIE [1-6]\.";

  location / {
      proxy_pass http://nexus:8082;
      proxy_set_header Host $host;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto "https";
  }
  location /v2/ {
       proxy_set_header Host $host;
       proxy_set_header X-Real-IP $remote_addr;
       proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
       proxy_set_header X-Forwarded-Proto "https";
       proxy_pass http://nexus:8082;
    }
}

5. Start nexus and nginx

cd /opt/registry/
docker-compose up -d

6. Log in to Nexus and create a docker repository, selecting the hosted type

Access URL: https://172.16.10.11:8081
Log in with the default username and password

7. Try docker login

  • Configure trust for the private registry
[root@k8s-node~]# cat /etc/docker/daemon.json
{
  "registry-mirrors": ["https://172.16.10.11:8082"],
  "insecure-registries": ["172.16.10.11:8082"],
...
}
  • Enter the password to log in
[root@k8s-node~]# docker login 172.16.10.11:8082 -uadmin
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded
  • Access the Nexus web UI
    https://172.16.10.11:8081
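
Step 7 gets docker login working by listing the registry under insecure-registries, which makes Docker skip certificate verification for it. As an added example (not part of the original post), the script below generates the server.crt/server.key for step 3 with an IP subjectAltName and installs the certificate as a per-registry CA on each Docker node, so TLS is verified instead. It assumes OpenSSL 1.1.1 or later; the function names are illustrative.

```shell
#!/bin/sh
# Added example (not from the original post). The IP, port and paths are
# the ones used on this page; the function names are made up for illustration.
set -eu

# make_registry_cert DIR IP
# Write DIR/server.key and DIR/server.crt: a self-signed certificate whose
# subjectAltName contains IP. Go's TLS verification, which Docker uses, only
# matches an IP address against IP SANs, never against the CN.
make_registry_cert() {
    dir=$1 ip=$2
    mkdir -p "$dir"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/CN=$ip" -addext "subjectAltName=IP:$ip" \
        -keyout "$dir/server.key" -out "$dir/server.crt" 2>/dev/null
    chmod 600 "$dir/server.key"
}

# cert_covers_ip CRT IP: succeed only if CRT is valid for IP.
cert_covers_ip() {
    openssl x509 -in "$1" -noout -checkip "$2" | grep -q "does match"
}

# trust_registry_cert CRT HOSTPORT [CERTS_ROOT]
# Install CRT as the CA Docker trusts for HOSTPORT only. The daemon looks
# for <CERTS_ROOT>/<host:port>/ca.crt, by default under /etc/docker/certs.d.
trust_registry_cert() {
    crt=$1 hostport=$2 root=${3:-/etc/docker/certs.d}
    mkdir -p "$root/$hostport"
    cp "$crt" "$root/$hostport/ca.crt"
}

case "${1:-}" in
    server)  # on the registry host, before step 5
        make_registry_cert /opt/registry/cert 172.16.10.11
        cert_covers_ip /opt/registry/cert/server.crt 172.16.10.11 ;;
    client)  # on each Docker node, $2 = copy of server.crt
        cert_covers_ip "$2" 172.16.10.11
        trust_registry_cert "$2" 172.16.10.11:8082 ;;
esac
```

Once the CA file is in place on a node, the 172.16.10.11:8082 entry can be removed from insecure-registries and the Docker daemon restarted.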
