环境准备
- docker v19.03.9
- docker-compose v1.26.2
- TLS 证书
1.创建工作目录
$ mkdir /opt/registry
$ cd /opt/registry
2.编辑 docker-compose 文件
$ vim docker-compose.yml
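# docker-compose.yml: an nginx container terminating TLS in front of a Nexus 3
# container. The nesting below restores the service/key structure that the
# flattened listing lost.
#
# ${OS_ARCH} is substituted by docker-compose from the shell environment or an
# .env file next to this file. If it is unset, compose substitutes an empty
# string and both image tags end in a bare "-", so set it before `up`.
version: "2.2"
services:
  nginx:
    image: registry.cn-qingdao.aliyuncs.com/kubeoperator/nginx:1.19.2-${OS_ARCH}
    container_name: kubeoperator_nginx
    restart: always
    # Port mappings. Quoted so YAML always reads them as strings; each published
    # port corresponds to a `listen ... ssl` server in conf/nginx.conf.
    ports:
      - "443:443"
      - "8081:8081"
      - "8082:8082"
    volumes:
      - ./conf/nginx.conf:/etc/nginx/conf.d/default.conf
      # Holds server.crt and the private key server.key. Mounted read-only
      # because nginx only needs to read them.
      - ./cert:/etc/nginx/cert:ro
    # Fixed: the original list began with a stray comma (`[,"nginx",...]`),
    # which is not a valid YAML flow sequence and stops compose from parsing
    # the file.
    command: ["nginx", "-g", "daemon off;"]
    healthcheck:
      # Healthy once nginx has written its pid file.
      test: ["CMD", "test", "-f", "/var/run/nginx.pid"]
      interval: 10s
      timeout: 10s
      retries: 30
    depends_on:
      - nexus
  nexus:
    restart: always
    image: registry.cn-qingdao.aliyuncs.com/kubeoperator/nexus3:3.25.0-${OS_ARCH}
    container_name: kubeoperator_nexus
    # No `ports:` here: Nexus is not published on the host and is reached only
    # through the nginx proxy over the compose network.
    volumes:
      - ./data/nexus-data/:/nexus-data
    healthcheck:
      # NOTE(review): curl without -f exits 0 on any HTTP response, including
      # error statuses, so this only proves that the port answers.
      test: ["CMD","curl","localhost:8081"]
      interval: 10s
      timeout: 10s
      retries: 20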
3.准备证书
- 创建存放证书文件的目录
$ mkdir -p /opt/registry/cert
- 放入证书文件(server.key 是私钥,建议设为仅属主可读,例如 chmod 600 server.key)
$ ls /opt/registry/cert
server.crt server.key
4.准备 nginx.conf(先创建配置目录:mkdir -p /opt/registry/conf)
vim /opt/registry/conf/nginx.conf
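# HTTPS entry point on 443: everything goes to the Nexus upstream on 8081,
# except Docker registry API calls under /v2/, which go to the upstream on 8082.
server {
    # listen 80;
    listen 443 ssl;
    # Added for consistency with the 8081 and 8082 servers in this file:
    # do not advertise the nginx version in responses and error pages.
    server_tokens off;

    # Relative paths; the compose file mounts ./cert at /etc/nginx/cert, which
    # is where they are expected to resolve.
    ssl_certificate cert/server.crt;
    ssl_certificate_key cert/server.key;
    # NOTE(review): no ssl_protocols / ssl_ciphers are set, so this nginx
    # build's defaults apply. Confirm they exclude TLS 1.0/1.1, or pin them
    # explicitly once client compatibility is known.

    # Large request-body limit, presumably sized for artifact and image-layer
    # uploads.
    client_max_body_size 5000m;

    gzip on;
    gzip_min_length 1k;
    gzip_comp_level 6;
    gzip_types text/plain application/javascript application/xml text/javascript;
    gzip_vary on;
    gzip_disable "MSIE [1-6]\.";

    location / {
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # TLS ends at nginx; this tells the upstream the client used https.
        proxy_set_header X-Forwarded-Proto "https";
        proxy_pass http://nexus:8081;
    }

    location /v2/ {
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto "https";
        proxy_pass http://nexus:8082;
    }
}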
# TLS listener on 8081: proxies every request to the Nexus upstream on 8081.
server {
    listen 8081 ssl;
    # server_name registry.test.com;
    server_tokens off;

    # Certificate and private key, given as relative paths.
    ssl_certificate_key cert/server.key;
    ssl_certificate cert/server.crt;

    client_max_body_size 10000m;

    # Response compression.
    gzip on;
    gzip_vary on;
    gzip_comp_level 6;
    gzip_min_length 1k;
    gzip_disable "MSIE [1-6]\.";
    gzip_types text/plain application/javascript application/xml text/javascript;

    location / {
        proxy_pass http://nexus:8081;
        server_name_in_redirect on;
        # $http_host passes the client's Host header through unchanged.
        proxy_set_header Host $http_host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # Tell the upstream that the original request arrived over https.
        proxy_set_header X-Forwarded-Proto https;
    }
}
# TLS listener on 8082: proxies every request to the Nexus upstream on 8082,
# the address the docker client is later pointed at.
server {
    listen 8082 ssl;
    # server_name registry.test.com;
    server_tokens off;

    # Certificate and private key, given as relative paths.
    ssl_certificate_key cert/server.key;
    ssl_certificate cert/server.crt;

    client_max_body_size 5000m;

    # Response compression.
    gzip on;
    gzip_vary on;
    gzip_comp_level 6;
    gzip_min_length 1k;
    gzip_disable "MSIE [1-6]\.";
    gzip_types text/plain application/javascript application/xml text/javascript;

    location / {
        proxy_set_header X-Forwarded-Proto "https";
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_pass http://nexus:8082;
    }

    # Same upstream and headers as `location /` above.
    location /v2/ {
        proxy_set_header X-Forwarded-Proto "https";
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_pass http://nexus:8082;
    }
}
5.启动nexus和nginx
cd /opt/registry/
docker-compose up -d
6.登录 Nexus 创建 docker 仓库,选择 hosted 类型(仓库的 HTTP 连接器端口应与 nginx.conf 中转发的 8082 一致)
访问地址:https://172.16.10.11:8081
使用默认用户名密码登录,首次登录后请立即修改 admin 密码
7. 尝试 docker login
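- 配置私有仓库信任(修改 daemon.json 后需重启 docker 服务;insecure-registries 会让 Docker 对该仓库不校验证书,并可能回退到 HTTP。若证书由自建 CA 签发,更稳妥的做法是把 CA 证书放到 /etc/docker/certs.d/172.16.10.11:8082/ca.crt,而不是加入 insecure-registries)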
[root@k8s-node~]# cat /etc/docker/daemon.json
{
"registry-mirrors": ["https://172.16.10.11:8082"],
"insecure-registries": ["172.16.10.11:8082"],
...
}
- 输入密码进行登录
[root@k8s-node~]# docker login 172.16.10.11:8082 -uadmin
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
- 访问 nexus web端
https://172.16.10.11:8081
学习参考: