Coup de Grace

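A companion registry for the Pi cluster

Updated 2017-01-03

The idea of running my own registry came up in mid-2016, while I was building a k8s cluster on a Raspberry Pi cluster, so some of the content here may seem to come out of nowhere.

That does not get in the way of setting up a registry in any other environment.

Problems solved:

For now this post does not cover large private-registry management tools such as Harbor or Portus.

The registry is not a mirror and has no proxy function.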


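Switching the mirror

Here I use DaoCloud's mirror to speed up downloads of the official images.

# Either this way
curl -sSL https://get.daocloud.io/daotools/set_mirror.sh | sh -s http://[yours].m.daocloud.io
# or this way: edit /etc/default/docker and add the option below to the daemon options
vim /etc/default/docker
--registry-mirror=http://[yours].m.daocloud.io
# then restart docker

This step is optional.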


Setting up the registry

There are several simple ways to set it up; we choose the third:

Sync hosts

echo '192.168.31.100 index.slahser.com' >> /etc/hosts

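Preparing the self-signed certificate

cd ~/.ssh
# The req command below generates its own 4096-bit key and overwrites this file
openssl genrsa -out index.slahser.com.key 2048
# At the second-to-last prompt (Common Name), set the name to index.slahser.com
openssl req -newkey rsa:4096 -nodes -sha256 -keyout index.slahser.com.key -x509 -days 365 -out index.slahser.com.crt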

Creating the compose environment and configuration files

Create the basic directory structure:

mkdir -p ~/Documents/repository/compose/registry/nginx
# Copy the files needed for SSL into the mounted directory
cp ~/.ssh/index.slahser.com.crt ~/Documents/repository/compose/registry/nginx
cp ~/.ssh/index.slahser.com.key ~/Documents/repository/compose/registry/nginx
# nginx configuration file
vim ~/Documents/repository/compose/registry/nginx/registry.conf

The nginx configuration file, registry.conf:

upstream docker-registry {
  server registry:5000;
}

server {
  listen 443;
  server_name index.slahser.com;

  # SSL
  ssl on;
  ssl_certificate /etc/nginx/conf.d/index.slahser.com.crt;
  ssl_certificate_key /etc/nginx/conf.d/index.slahser.com.key;

  # disable any limits to avoid HTTP 413 for large image uploads
  client_max_body_size 0;

  # required to avoid HTTP 411: see Docker Issue #1486
  chunked_transfer_encoding on;

  location /v2/ {
    if ($http_user_agent ~ "^(docker\/1\.(3|4|5(?!\.[0-9]-dev))|Go ).*$" ) {
      return 404;
    }

    proxy_pass                          http://docker-registry;
    proxy_set_header  Host              $http_host; 
    proxy_set_header  X-Real-IP         $remote_addr;
    proxy_set_header  X-Forwarded-For   $proxy_add_x_forwarded_for;
    proxy_set_header  X-Forwarded-Proto $scheme;
    proxy_read_timeout                  900;
  }
}

The compose file, docker-compose.yaml:

nginx:
    container_name : nginx
    image : nginx:1.11.4
    ports :
        - 443:443
    links :
        - registry:registry
    volumes:
        - /Users/Slahser/Documents/repository/compose/registry/nginx:/etc/nginx/conf.d

registry:
    container_name : registry
    image : registry:2.5.1
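    # Publishing 5000 also exposes the registry over plain HTTP, bypassing the
    # nginx TLS front end; nginx reaches registry:5000 through the link either way.
    ports:
        - 5000:5000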
    volumes:
        - /Users/Slahser/Documents/repository/registry:/var/lib/registry

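Starting the registry and testing access

docker-compose up -d
# -k skips certificate verification; to check the self-signed certificate itself,
# use --cacert ~/.ssh/index.slahser.com.crt instead
curl -k https://index.slahser.com/v2/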

Trusting the certificate on clients

mkdir -p /etc/docker/certs.d/index.slahser.com
# ansible copy, or a plain cp on a single machine
ansible pis -m copy -a 'src=~/.ssh/index.slahser.com.crt dest=/etc/docker/certs.d/index.slahser.com/'
cp ~/.ssh/index.slahser.com.crt /etc/docker/certs.d/index.slahser.com/

This step differs between platforms; see the post "Fixes for several Docker-for-Mac problems" for the settings on macOS and Windows 10.


How to tag

On the Mac:

docker pull index.tenxcloud.com/google_containers/etcd-arm:2.2.5
docker tag [yourimageid] index.slahser.com/google_containers/etcd-arm:2.2.5
docker push index.slahser.com/google_containers/etcd-arm:2.2.5

On the Pi:

docker pull index.slahser.com/google_containers/etcd-arm:2.2.5
docker tag [yourimageid] gcr.io/google_containers/etcd-arm:2.2.5
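
The tagging steps above, generalized to any image reference, as an added example that is not code from the original post. It only prints the docker commands, and it tags by image name rather than by image ID. The function names are made up for this example.

```shell
#!/bin/sh
# Added example: plan the mirror-and-retag steps for an image reference.
# It only prints docker commands; nothing is pulled or pushed.

# True if the first path component names a registry host. Docker treats it
# as a host when it contains '.' or ':' or is exactly "localhost".
is_registry_host() {
  case "$1" in
    *.*|*:*|localhost) return 0 ;;
    *) return 1 ;;
  esac
}

# swap_registry REF NEW_HOST: replace the registry host of REF, or add one
# when REF has none (e.g. "nginx:1.11.4", where ':' belongs to the tag).
swap_registry() {
  ref=$1
  new=$2
  first=${ref%%/*}
  if [ "$first" != "$ref" ] && is_registry_host "$first"; then
    printf '%s/%s\n' "$new" "${ref#*/}"
  else
    printf '%s/%s\n' "$new" "$ref"
  fi
}

# workstation_plan SRC PRIVATE: run where SRC is reachable (the Mac in the post).
workstation_plan() {
  dst=$(swap_registry "$1" "$2")
  printf 'docker pull %s\ndocker tag %s %s\ndocker push %s\n' \
    "$1" "$1" "$dst" "$dst"
}

# node_plan SRC PRIVATE EXPECTED: run on a cluster node (the Pi in the post);
# restores the registry name that the manifests reference.
node_plan() {
  priv=$(swap_registry "$1" "$2")
  want=$(swap_registry "$1" "$3")
  printf 'docker pull %s\ndocker tag %s %s\n' "$priv" "$priv" "$want"
}

# The image used in the post.
src=index.tenxcloud.com/google_containers/etcd-arm:2.2.5
workstation_plan "$src" index.slahser.com
node_plan "$src" index.slahser.com gcr.io
```

Review the printed plan before piping it to sh; after the retag on a node, the image carries the gcr.io name although it was pulled from the private registry.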

done.