forked from TrueCloudLab/distribution
Merge pull request #361 from moxiegirl/docs-part-two
docs: updating with new RC work
This commit is contained in:
commit
c5f416119f
6 changed files with 1309 additions and 315 deletions
|
@ -15,7 +15,7 @@ This repository contains the following components:
|
|||
| **libraries** | A rich set of libraries for interacting with,distribution components. Please see [godoc](http://godoc.org/github.com/docker/distribution) for details. **Note**: These libraries are **unstable**. |
|
||||
| **dist** | An _experimental_ tool to provide distribution, oriented functionality without the `docker` daemon. |
|
||||
| **specifications** | _Distribution_ related specifications are available in [docs/spec](docs/spec) |
|
||||
| **documentation** | Documentation is available in [doc](http://docs.docker.com/distribution). |
|
||||
| **documentation** | Docker's full documentation set is available at [docs.docker.com](http://docs.docker.com). This repository [contains the subset](docs/overview.md) related just to the registry. |
|
||||
|
||||
### How does this integrate with Docker engine?
|
||||
|
||||
|
|
|
@ -1,23 +1,147 @@
|
|||
# Docker Compose V1 + V2 registry
|
||||
|
||||
This compose configuration will setup a v1 and v2 registry behind an nginx
|
||||
proxy. By default the combined registry may be accessed at localhost:5000.
|
||||
This registry does not support pushing images to v2 and pull from v1. Clients
|
||||
from before 1.6 will be configured to use the v1 registry, and newer clients
|
||||
will use the v2 registry.
|
||||
This compose configuration configures a `v1` and `v2` registry behind an `nginx`
|
||||
proxy. By default, you can access the combined registry at `localhost:5000`.
|
||||
|
||||
## Prerequisites
|
||||
Install [docker-compose](https://github.com/docker/compose)
|
||||
The configuration does not support pushing images to `v2` and pulling from `v1`.
|
||||
If a `docker` client has a version less than 1.6, Nginx will route its requests
|
||||
to the 1.0 registry. Requests from newer clients will route to the 2.0 registry.
|
||||
|
||||
## How to run
|
||||
```
|
||||
$ docker-compose up
|
||||
```
|
||||
### Install Docker Compose
|
||||
|
||||
1. Open a new terminal on the host with your `distribution` source.
|
||||
|
||||
2. Get the `docker-compose` binary.
|
||||
|
||||
$ sudo wget https://github.com/docker/compose/releases/download/1.1.0/docker-compose-`uname -s`-`uname -m` -O /usr/local/bin/docker-compose
|
||||
|
||||
This command installs the binary in the `/usr/local/bin` directory.
|
||||
|
||||
3. Add executable permissions to the binary.
|
||||
|
||||
$ sudo chmod +x /usr/local/bin/docker-compose
|
||||
|
||||
## Build and run with Compose
|
||||
|
||||
1. In your terminal, navigate to the `distribution/contrib/compose` directory
|
||||
|
||||
This directory includes a single `docker-compose.yml` configuration.
|
||||
|
||||
nginx:
|
||||
build: "nginx"
|
||||
ports:
|
||||
- "5000:5000"
|
||||
links:
|
||||
- registryv1:registryv1
|
||||
- registryv2:registryv2
|
||||
registryv1:
|
||||
image: registry
|
||||
ports:
|
||||
- "5000"
|
||||
registryv2:
|
||||
build: "../../"
|
||||
ports:
|
||||
- "5000"
|
||||
|
||||
This configuration builds a new `nginx` image as specified by the
|
||||
`nginx/Dockerfile` file. The 1.0 registry comes from Docker's official
|
||||
public image. Finally, the registry 2.0 image is built from the
|
||||
`distribution/Dockerfile` you've used previously.
|
||||
|
||||
2. Get a registry 1.0 image.
|
||||
|
||||
$ docker pull registry:0.9.1
|
||||
|
||||
The Compose configuration looks for this image locally. If you don't do this
|
||||
step, later steps can fail.
|
||||
|
||||
3. Build `nginx`, the registry 2.0 image, and
|
||||
|
||||
$ docker-compose build
|
||||
registryv1 uses an image, skipping
|
||||
Building registryv2...
|
||||
Step 0 : FROM golang:1.4
|
||||
|
||||
...
|
||||
|
||||
Removing intermediate container 9f5f5068c3f3
|
||||
Step 4 : COPY docker-registry-v2.conf /etc/nginx/docker-registry-v2.conf
|
||||
---> 74acc70fa106
|
||||
Removing intermediate container edb84c2b40cb
|
||||
Successfully built 74acc70fa106
|
||||
|
||||
The commmand outputs its progress until it completes.
|
||||
|
||||
4. Start your configuration with compose.
|
||||
|
||||
$ docker-compose up
|
||||
Recreating compose_registryv1_1...
|
||||
Recreating compose_registryv2_1...
|
||||
Recreating compose_nginx_1...
|
||||
Attaching to compose_registryv1_1, compose_registryv2_1, compose_nginx_1
|
||||
...
|
||||
|
||||
|
||||
5. In another terminal, display the running configuration.
|
||||
|
||||
$ docker ps
|
||||
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
|
||||
a81ad2557702 compose_nginx:latest "nginx -g 'daemon of 8 minutes ago Up 8 minutes 80/tcp, 443/tcp, 0.0.0.0:5000->5000/tcp compose_nginx_1
|
||||
0618437450dd compose_registryv2:latest "registry cmd/regist 8 minutes ago Up 8 minutes 0.0.0.0:32777->5000/tcp compose_registryv2_1
|
||||
aa82b1ed8e61 registry:latest "docker-registry" 8 minutes ago Up 8 minutes 0.0.0.0:32776->5000/tcp compose_registryv1_1
|
||||
|
||||
### Explore a bit
|
||||
|
||||
1. Check for TLS on your `nginx` server.
|
||||
|
||||
$ curl -v https://localhost:5000
|
||||
* Rebuilt URL to: https://localhost:5000/
|
||||
* Hostname was NOT found in DNS cache
|
||||
* Trying 127.0.0.1...
|
||||
* Connected to localhost (127.0.0.1) port 5000 (#0)
|
||||
* successfully set certificate verify locations:
|
||||
* CAfile: none
|
||||
CApath: /etc/ssl/certs
|
||||
* SSLv3, TLS handshake, Client hello (1):
|
||||
* SSLv3, TLS handshake, Server hello (2):
|
||||
* SSLv3, TLS handshake, CERT (11):
|
||||
* SSLv3, TLS alert, Server hello (2):
|
||||
* SSL certificate problem: self signed certificate
|
||||
* Closing connection 0
|
||||
curl: (60) SSL certificate problem: self signed certificate
|
||||
More details here: http://curl.haxx.se/docs/sslcerts.html
|
||||
|
||||
2. Tag the `v1` registry image.
|
||||
|
||||
$ docker tag registry:latest localhost:5000/registry_one:latest
|
||||
|
||||
2. Push it to the localhost.
|
||||
|
||||
$ docker push localhost:5000/registry_one:latest
|
||||
|
||||
If you are using the 1.6 Docker client, this pushes the image the `v2 `registry.
|
||||
|
||||
4. Use `curl` to list the image in the registry.
|
||||
|
||||
$ curl -v -X GET http://localhost:32777/v2/registry1/tags/list
|
||||
* Hostname was NOT found in DNS cache
|
||||
* Trying 127.0.0.1...
|
||||
* Connected to localhost (127.0.0.1) port 32777 (#0)
|
||||
> GET /v2/registry1/tags/list HTTP/1.1
|
||||
> User-Agent: curl/7.36.0
|
||||
> Host: localhost:32777
|
||||
> Accept: */*
|
||||
>
|
||||
< HTTP/1.1 200 OK
|
||||
< Content-Type: application/json; charset=utf-8
|
||||
< Docker-Distribution-Api-Version: registry/2.0
|
||||
< Date: Tue, 14 Apr 2015 22:34:13 GMT
|
||||
< Content-Length: 39
|
||||
<
|
||||
{"name":"registry1","tags":["latest"]}
|
||||
* Connection #0 to host localhost left intact
|
||||
|
||||
This example refers to the specific port assigned to the 2.0 registry. You saw
|
||||
this port earlier, when you used `docker ps` to show your running containers.
|
||||
|
||||
## How to push images
|
||||
From a local project directory with Dockerfile
|
||||
```
|
||||
$ docker build -t localhost:5000/myimage .
|
||||
$ docker push localhost:5000/myimage
|
||||
```
|
||||
|
||||
|
|
File diff suppressed because it is too large
Load diff
|
@ -16,13 +16,17 @@ deployment process. This registry image is sufficient for running local tests
|
|||
but is insufficient for production. For production you should configure and
|
||||
build your own custom registry image from the `docker/distribution` code.
|
||||
|
||||
>**Note**: The examples on this page were written and tested using Ubuntu 14.04.
|
||||
>If you are running Docker in a different OS, you may need to "translate"
|
||||
>the commands to meet the requirements of your own environment.
|
||||
|
||||
|
||||
## Simple example with the official image
|
||||
|
||||
In this section, you create a local registry using Docker's official image. You
|
||||
push an image to, and then pull the same image from, the registry. This a good
|
||||
exercise for understanding the basic interactions a client has with a
|
||||
local registry.
|
||||
In this section, you create a container running Docker's official registry
|
||||
image. You push an image to, and then pull the same image from, this registry.
|
||||
This a good exercise for understanding the basic interactions a client has with
|
||||
a local registry.
|
||||
|
||||
1. Install Docker.
|
||||
|
||||
|
@ -30,7 +34,8 @@ local registry.
|
|||
|
||||
$ docker run hello-world
|
||||
|
||||
The `run` command automatically pulls the image from Docker's official images.
|
||||
The `run` command automatically pulls a `hello-world` image from Docker's
|
||||
official images.
|
||||
|
||||
3. Start a registry service on your localhost.
|
||||
|
||||
|
@ -68,11 +73,40 @@ local registry.
|
|||
|
||||
You should see your new image in your listing.
|
||||
|
||||
5. Push this new image to your local registry.
|
||||
6. Push this new image to your local registry.
|
||||
|
||||
$ docker push localhost:5000/hello-mine:latest
|
||||
The push refers to a repository [localhost:5000/hello-mine] (len: 1)
|
||||
e45a5af57b00: Image already exists
|
||||
31cbccb51277: Image successfully pushed
|
||||
511136ea3c5a: Image already exists
|
||||
Digest: sha256:a1b13bc01783882434593119198938b9b9ef2bd32a0a246f16ac99b01383ef7a
|
||||
|
||||
6. Remove all the unused images from your local environment:
|
||||
7. Use the `curl` command and the Docker Registry Service API v2 to list your
|
||||
image in the registry:
|
||||
|
||||
$ curl -v -X GET http://localhost:5000/v2/hello-mine/tags/list
|
||||
* Hostname was NOT found in DNS cache
|
||||
* Trying 127.0.0.1...
|
||||
* Connected to localhost (127.0.0.1) port 5000 (#0)
|
||||
> GET /v2/hello-mine/tags/list HTTP/1.1
|
||||
> User-Agent: curl/7.35.0
|
||||
> Host: localhost:5000
|
||||
> Accept: */*
|
||||
>
|
||||
< HTTP/1.1 200 OK
|
||||
< Content-Type: application/json; charset=utf-8
|
||||
< Docker-Distribution-Api-Version: registry/2.0
|
||||
< Date: Sun, 12 Apr 2015 01:29:47 GMT
|
||||
< Content-Length: 40
|
||||
<
|
||||
{"name":"hello-mine","tags":["latest"]}
|
||||
* Connection #0 to host localhost left intact
|
||||
|
||||
You can also get this information by entering the
|
||||
`http://52.10.125.146:5000/v2/hello-mine/tags/list` address in your browser.
|
||||
|
||||
8. Remove all the unused images from your local environment:
|
||||
|
||||
$ docker rmi -f $(docker images -q -a )
|
||||
|
||||
|
@ -86,7 +120,7 @@ local registry.
|
|||
registry 2.0 bbf0b6ffe923 3 days ago 545.1 MB
|
||||
golang 1.4 121a93c90463 5 days ago 514.9 MB
|
||||
|
||||
7. Try running `hello-mine`.
|
||||
9. Try running `hello-mine`.
|
||||
|
||||
$ docker run hello-mine
|
||||
Unable to find image 'hello-mine:latest' locally
|
||||
|
@ -96,7 +130,7 @@ local registry.
|
|||
The `run` command fails because your new image doesn't exist in the Docker public
|
||||
registry.
|
||||
|
||||
8. Now, try running the image but specifying the image's registry:
|
||||
10. Now, try running the image but specifying the image's registry:
|
||||
|
||||
$ docker run localhost:5000/hello-mine
|
||||
|
||||
|
@ -128,7 +162,7 @@ factors:
|
|||
access and/or authentication
|
||||
</th>
|
||||
<td>
|
||||
Do users should have full or controlled access? This can depend on whether
|
||||
Should users have full or controlled access? This can depend on whether
|
||||
you are serving images to the public or internally to your company only.
|
||||
</td>
|
||||
</tr>
|
||||
|
@ -156,7 +190,7 @@ You can configure your registry features to adjust for these factors. You do
|
|||
this by specifying options on the command line or, more typically, by writing a
|
||||
registry configuration file. The configuration file is in YAML format.
|
||||
|
||||
Docker's official repository image it is preconfigured using the following
|
||||
Docker's official repository image is preconfigured using the following
|
||||
configuration file:
|
||||
|
||||
```yaml
|
||||
|
@ -203,7 +237,6 @@ notifications:
|
|||
disabled: true
|
||||
```
|
||||
|
||||
|
||||
This configuration is very basic and you can see it would present some problems
|
||||
in a production. For example, the `http` section details the configuration for
|
||||
the HTTP server that hosts the registry. The server is not using even the most
|
||||
|
@ -213,10 +246,10 @@ minimal transport layer security (TLS). Let's configure that in the next section
|
|||
|
||||
In this section, you configure TLS on the server to enable communication through
|
||||
the `https` protocol. Enabling TLS on the server is the minimum layer of
|
||||
security recommended for running a registry behind a corporate firewall. The
|
||||
easiest way to do this is to build your own registry image.
|
||||
security recommended for running a registry behind a corporate firewall. One way
|
||||
to do this is to build your own registry image.
|
||||
|
||||
### Download the registry source and generated certificates
|
||||
### Download the source and generate certificates
|
||||
|
||||
1. [Download the registry
|
||||
source](https://github.com/docker/distribution/releases/tag/v2.0.0).
|
||||
|
@ -241,55 +274,21 @@ source](https://github.com/docker/distribution/releases/tag/v2.0.0).
|
|||
-newkey rsa:2048 -nodes -keyout certs/domain.key \
|
||||
-x509 -days 365 -out certs/domain.crt
|
||||
|
||||
This command prompts you for basic information it needs to create the certificates.
|
||||
|
||||
### Add the certificates to the image
|
||||
6. List the contents of the `certs` directory.
|
||||
|
||||
In this section, you copy the certifications from your `certs` directory into
|
||||
your base image.
|
||||
$ ls certs
|
||||
domain.crt domain.key
|
||||
|
||||
1. Edit the `Dockerfile` and add a `CERTS_PATH` environment variable.
|
||||
When you build this container, the `certs` directory and its contents
|
||||
automatically get copied also.
|
||||
|
||||
ENV CERTS_PATH /etc/docker/registry/certs
|
||||
### Add TLS to the configuration
|
||||
|
||||
2. Add a line to make the `CERTS_PATH` in the filesystem.
|
||||
|
||||
RUN mkdir -v $CERTS_PATH
|
||||
|
||||
3. Add `RUN` instructions to hard link your new certifications into this path:
|
||||
|
||||
RUN cp -lv ./certs/domain.crt $CERTS_PATH
|
||||
RUN cp -lv ./certs/domain.key $CERTS_PATH
|
||||
|
||||
This copies your certifications into your container.
|
||||
|
||||
4. Save your work.
|
||||
|
||||
At this point your Dockerfile should look like the following:
|
||||
|
||||
FROM golang:1.4
|
||||
|
||||
ENV CONFIG_PATH /etc/docker/registry/config.yml
|
||||
ENV CERTS_PATH /etc/docker/registry/certs
|
||||
ENV DISTRIBUTION_DIR /go/src/github.com/docker/distribution
|
||||
ENV GOPATH $DISTRIBUTION_DIR/Godeps/_workspace:$GOPATH
|
||||
|
||||
WORKDIR $DISTRIBUTION_DIR
|
||||
COPY . $DISTRIBUTION_DIR
|
||||
RUN make PREFIX=/go clean binaries
|
||||
RUN mkdir -pv "$(dirname $CONFIG_PATH)"
|
||||
RUN mkdir -v $CERTS_PATH
|
||||
RUN cp -lv ./certs/domain.crt $CERTS_PATH
|
||||
RUN cp -lv ./certs/domain.key $CERTS_PATH
|
||||
RUN cp -lv ./cmd/registry/config.yml $CONFIG_PATH
|
||||
|
||||
5. Before you close the Dockerfile look for an instruction to copy the `config.yml` file.
|
||||
|
||||
RUN cp -lv ./cmd/registry/config.yml $CONFIG_PATH
|
||||
|
||||
This is the default registry configuration file. You'll need to edit the file
|
||||
to add TLS.
|
||||
|
||||
### Add TLS to the registry configuration
|
||||
The `distribution` repo includes sample registry configurations in the `cmd`
|
||||
subdirectory. In this section, you edit one of these configurations to add TLS
|
||||
support.
|
||||
|
||||
1. Edit the `./cmd/registry/config.yml` file.
|
||||
|
||||
|
@ -311,8 +310,8 @@ your base image.
|
|||
debug:
|
||||
addr: localhost:5001
|
||||
tls:
|
||||
certificate: /etc/docker/registry/certs/domain.crt
|
||||
key: /etc/docker/registry/certs/domain.key
|
||||
certificate: /go/src/github.com/docker/distribution/certs/domain.crt
|
||||
key: /go/src/github.com/docker/distribution/certs/domain.key
|
||||
|
||||
You provide the paths to the certificates in the container. If you want
|
||||
two-way authentication across the layer, you can add an optional `clientcas`
|
||||
|
@ -321,7 +320,7 @@ your base image.
|
|||
4. Save and close the file.
|
||||
|
||||
|
||||
### Run your new image
|
||||
### Build and run your registry image
|
||||
|
||||
1. Build your registry image.
|
||||
|
||||
|
@ -329,138 +328,238 @@ your base image.
|
|||
|
||||
2. Run your new image.
|
||||
|
||||
$ docker run -p 5000:5000 secure_registry
|
||||
$ docker run -p 5000:5000 registry_local:latest
|
||||
time="2015-04-12T03:06:18.616502588Z" level=info msg="endpoint local-8082 disabled, skipping" environment=development instance.id=bf33c9dc-2564-406b-97c3-6ee69dc20ec6 service=registry
|
||||
time="2015-04-12T03:06:18.617012948Z" level=info msg="endpoint local-8083 disabled, skipping" environment=development instance.id=bf33c9dc-2564-406b-97c3-6ee69dc20ec6 service=registry
|
||||
time="2015-04-12T03:06:18.617190113Z" level=info msg="using inmemory layerinfo cache" environment=development instance.id=bf33c9dc-2564-406b-97c3-6ee69dc20ec6 service=registry
|
||||
time="2015-04-12T03:06:18.617349067Z" level=info msg="listening on :5000, tls" environment=development instance.id=bf33c9dc-2564-406b-97c3-6ee69dc20ec6 service=registry
|
||||
time="2015-04-12T03:06:18.628589577Z" level=info msg="debug server listening localhost:5001"
|
||||
2015/04/12 03:06:28 http: TLS handshake error from 172.17.42.1:44261: remote error: unknown certificate authority
|
||||
|
||||
Watch the messages at startup. You should see that `tls` is running:
|
||||
|
||||
ubuntu@ip-172-31-34-181:~/repos/distribution$ docker run -p 5000:5000 secure_registry
|
||||
time="2015-04-05T23:56:47Z" level=info msg="endpoint local-8082 disabled, skipping" app.id=3dd802ad-3bd4-4413-b56d-90c4acff41c7 environment=development service=registry
|
||||
time="2015-04-05T23:56:47Z" level=info msg="endpoint local-8083 disabled, skipping" app.id=3dd802ad-3bd4-4413-b56d-90c4acff41c7 environment=development service=registry
|
||||
time="2015-04-05T23:56:47Z" level=info msg="using inmemory layerinfo cache" app.id=3dd802ad-3bd4-4413-b56d-90c4acff41c7 environment=development service=registry
|
||||
time="2015-04-05T23:56:47Z" level=info msg="listening on :5000, tls" app.id=3dd802ad-3bd4-4413-b56d-90c4acff41c7 environment=development service=registry
|
||||
time="2015-04-05T23:56:47Z" level=info msg="debug server listening localhost:5001"
|
||||
2015/04/05 23:57:23 http: TLS handshake error from 172.17.42.1:52057: remote error: unknown certificate authority
|
||||
Watch the messages at startup. You should see that `tls` is running.
|
||||
|
||||
3. Use `curl` to verify that you can connect over `https`.
|
||||
|
||||
$ curl https://localhost:5000
|
||||
$ curl -v https://localhost:5000
|
||||
* Rebuilt URL to: https://localhost:5000/
|
||||
* Hostname was NOT found in DNS cache
|
||||
* Trying 127.0.0.1...
|
||||
* Connected to localhost (127.0.0.1) port 5000 (#0)
|
||||
* successfully set certificate verify locations:
|
||||
* CAfile: none
|
||||
CApath: /etc/ssl/certs
|
||||
* SSLv3, TLS handshake, Client hello (1):
|
||||
* SSLv3, TLS handshake, Server hello (2):
|
||||
* SSLv3, TLS handshake, CERT (11):
|
||||
* SSLv3, TLS alert, Server hello (2):
|
||||
* SSL certificate problem: self signed certificate
|
||||
* Closing connection 0
|
||||
curl: (60) SSL certificate problem: self signed certificate
|
||||
More details here: http://curl.haxx.se/docs/sslcerts.html
|
||||
|
||||
## Configure Nginx with a v1 and v2 registry
|
||||
|
||||
This sections describes how to user `docker-compose` to run a combined version
|
||||
1 and version 2.0 registry behind an `nginx` proxy. The combined registry is
|
||||
accessed at `localhost:5000`. If a `docker` client has a version less than 1.6,
|
||||
Nginx will route its requests to the 1.0 registry. Requests from newer clients
|
||||
will route to the 2.0 registry.
|
||||
|
||||
This procedure uses the same `distribution` directory you created in the last
|
||||
procedure. The directory includes an example `compose` configuration.
|
||||
|
||||
### Install Docker Compose
|
||||
|
||||
1. Open a new terminal on the host with your `distribution` directory.
|
||||
|
||||
2. Get the `docker-compose` binary.
|
||||
|
||||
$ sudo wget https://github.com/docker/compose/releases/download/1.1.0/docker-compose-`uname -s`-`uname -m` -O /usr/local/bin/docker-compose
|
||||
|
||||
This command installs the binary in the `/usr/local/bin` directory.
|
||||
|
||||
3. Add executable permissions to the binary.
|
||||
|
||||
$ sudo chmod +x /usr/local/bin/docker-compose
|
||||
|
||||
|
||||
## Adding a middleware configuration
|
||||
### Do some housekeeping
|
||||
|
||||
This section describes how to configure storage middleware in a registry.
|
||||
Middleware allows the registry to server layers via a content delivery network
|
||||
(CDN). This is useful for reducing requests to the storage layer.
|
||||
1. Remove any previous images.
|
||||
|
||||
Currently, the registry supports [Amazon
|
||||
Cloudfront](http://aws.amazon.com/cloudfront/). You can only use Cloudfront in
|
||||
conjunction with the S3 storage driver.
|
||||
$ docker rmi -f $(docker images -q -a )
|
||||
|
||||
<table>
|
||||
<tr>
|
||||
<th>Parameter</th>
|
||||
<th>Description</th>
|
||||
</tr>
|
||||
<tr>
|
||||
<td><code>name</code></td>
|
||||
<td>The storage middleware name. Currently <code>cloudfront</code> is an accepted value.</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td><code>disabled<code></td>
|
||||
<td>Set to <code>false</code> to easily disable the middleware.</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td><code>options:</code></td>
|
||||
<td>
|
||||
A set of key/value options to configure the middleware.
|
||||
<ul>
|
||||
<li><code>baseurl:</code> The Cloudfront base URL.</li>
|
||||
<li><code>privatekey:</code> The location of your AWS private key on the filesystem. </li>
|
||||
<li><code>keypairid:</code> The ID of your Cloudfront keypair. </li>
|
||||
<li><code>duration:</code> The duration in minutes for which the URL is valid. Default is 20. </li>
|
||||
</ul>
|
||||
</td>
|
||||
</tr>
|
||||
</table>
|
||||
This step is a house keeping step. It prevents you from mistakenly picking up
|
||||
an old image as you work through this example.
|
||||
|
||||
The following example illustrates these values:
|
||||
2. Edit the `distribution/cmd/registry/config.yml` file and remove the `tls` block.
|
||||
|
||||
```
|
||||
middleware:
|
||||
storage:
|
||||
- name: cloudfront
|
||||
disabled: false
|
||||
options:
|
||||
baseurl: http://d111111abcdef8.cloudfront.net
|
||||
privatekey: /path/to/asecret.pem
|
||||
keypairid: asecret
|
||||
duration: 60
|
||||
```
|
||||
If you worked through the previous example, you'll have a `tls` block.
|
||||
|
||||
4. Save any changes and close the file.
|
||||
|
||||
### Configure SSL
|
||||
|
||||
1. Change to the `distribution/contrib/compose/nginx` directory.
|
||||
|
||||
This directory contains configuration files for Nginx and both registries.
|
||||
|
||||
2. Use SSL to generate some self-signed certificates.
|
||||
|
||||
$ openssl req \
|
||||
-newkey rsa:2048 -nodes -keyout domain.key \
|
||||
-x509 -days 365 -out domain.crt
|
||||
|
||||
This command prompts you for basic information it needs to create certificates.
|
||||
|
||||
3. Edit the `Dockerfile`and add the following lines.
|
||||
|
||||
COPY domain.crt /etc/nginx/domain.crt
|
||||
COPY domain.key /etc/nginx/domain.key
|
||||
|
||||
When you are done, the file looks like the following.
|
||||
|
||||
FROM nginx:1.7
|
||||
|
||||
COPY nginx.conf /etc/nginx/nginx.conf
|
||||
COPY registry.conf /etc/nginx/conf.d/registry.conf
|
||||
COPY docker-registry.conf /etc/nginx/docker-registry.conf
|
||||
COPY docker-registry-v2.conf /etc/nginx/docker-registry-v2.conf
|
||||
COPY domain.crt /etc/nginx/domain.crt
|
||||
COPY domain.key /etc/nginx/domain.key
|
||||
|
||||
4. Save and close the `Dockerfile` file.
|
||||
|
||||
5. Edit the `registry.conf` file and add the following configuration.
|
||||
|
||||
ssl on;
|
||||
ssl_certificate /etc/nginx/domain.crt;
|
||||
ssl_certificate_key /etc/nginx/domain.key;
|
||||
|
||||
This is an `nginx` configuration file.
|
||||
|
||||
6. Save and close the `registry.conf` file.
|
||||
|
||||
### Build and run
|
||||
|
||||
1. Go up to the `distribution/contrib/compose` directory
|
||||
|
||||
This directory includes a single `docker-compose.yml` configuration.
|
||||
|
||||
nginx:
|
||||
build: "nginx"
|
||||
ports:
|
||||
- "5000:5000"
|
||||
links:
|
||||
- registryv1:registryv1
|
||||
- registryv2:registryv2
|
||||
registryv1:
|
||||
image: registry
|
||||
ports:
|
||||
- "5000"
|
||||
registryv2:
|
||||
build: "../../"
|
||||
ports:
|
||||
- "5000"
|
||||
|
||||
This configuration builds a new `nginx` image as specified by the
|
||||
`nginx/Dockerfile` file. The 1.0 registry comes from Docker's official public
|
||||
image. Finally, the registry 2.0 image is built from the
|
||||
`distribution/Dockerfile` you've used previously.
|
||||
|
||||
2. Get a registry 1.0 image.
|
||||
|
||||
$ docker pull registry:0.9.1
|
||||
|
||||
The Compose configuration looks for this image locally. If you don't do this
|
||||
step, later steps can fail.
|
||||
|
||||
3. Build `nginx`, the registry 2.0 image, and
|
||||
|
||||
$ docker-compose build
|
||||
registryv1 uses an image, skipping
|
||||
Building registryv2...
|
||||
Step 0 : FROM golang:1.4
|
||||
|
||||
...
|
||||
|
||||
Removing intermediate container 9f5f5068c3f3
|
||||
Step 4 : COPY docker-registry-v2.conf /etc/nginx/docker-registry-v2.conf
|
||||
---> 74acc70fa106
|
||||
Removing intermediate container edb84c2b40cb
|
||||
Successfully built 74acc70fa106
|
||||
|
||||
The commmand outputs its progress until it completes.
|
||||
|
||||
4. Start your configuration with compose.
|
||||
|
||||
$ docker-compose up
|
||||
Recreating compose_registryv1_1...
|
||||
Recreating compose_registryv2_1...
|
||||
Recreating compose_nginx_1...
|
||||
Attaching to compose_registryv1_1, compose_registryv2_1, compose_nginx_1
|
||||
...
|
||||
|
||||
|
||||
>**Note**: Cloudfront keys exist separately to other AWS keys. See
|
||||
>[the documentation on AWS credentials](http://docs.aws.amazon.com/AWSSecurityCredentials/1.0/
|
||||
>AboutAWSCredentials.html#KeyPairs) for more information.
|
||||
5. In another terminal, display the running configuration.
|
||||
|
||||
$ docker ps
|
||||
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
|
||||
a81ad2557702 compose_nginx:latest "nginx -g 'daemon of 8 minutes ago Up 8 minutes 80/tcp, 443/tcp, 0.0.0.0:5000->5000/tcp compose_nginx_1
|
||||
0618437450dd compose_registryv2:latest "registry cmd/regist 8 minutes ago Up 8 minutes 0.0.0.0:32777->5000/tcp compose_registryv2_1
|
||||
aa82b1ed8e61 registry:latest "docker-registry" 8 minutes ago Up 8 minutes 0.0.0.0:32776->5000/tcp compose_registryv1_1
|
||||
|
||||
**TODO(stevvooe): Need a "best practice" configuration overview. Perhaps, we can point to a documentation section.
|
||||
### Explore a bit
|
||||
|
||||
1. Check for TLS on your `nginx` server.
|
||||
|
||||
# Configure nginx to deploy alongside v1 registry
|
||||
$ curl -v https://localhost:5000
|
||||
* Rebuilt URL to: https://localhost:5000/
|
||||
* Hostname was NOT found in DNS cache
|
||||
* Trying 127.0.0.1...
|
||||
* Connected to localhost (127.0.0.1) port 5000 (#0)
|
||||
* successfully set certificate verify locations:
|
||||
* CAfile: none
|
||||
CApath: /etc/ssl/certs
|
||||
* SSLv3, TLS handshake, Client hello (1):
|
||||
* SSLv3, TLS handshake, Server hello (2):
|
||||
* SSLv3, TLS handshake, CERT (11):
|
||||
* SSLv3, TLS alert, Server hello (2):
|
||||
* SSL certificate problem: self signed certificate
|
||||
* Closing connection 0
|
||||
curl: (60) SSL certificate problem: self signed certificate
|
||||
More details here: http://curl.haxx.se/docs/sslcerts.html
|
||||
|
||||
This sections describes how to configure nginx to proxy to both a v1 and v2
|
||||
registry. Nginx will handle routing of to the correct registry based on the
|
||||
URL and Docker client version.
|
||||
2. Tag the `v1` registry image.
|
||||
|
||||
## Example configuration
|
||||
With v1 registry running at `localhost:5001` and v2 registry running at
|
||||
`localhost:5002`. Add this to `/etc/nginx/conf.d/registry.conf`.
|
||||
```
|
||||
server {
|
||||
listen 5000;
|
||||
server_name localhost;
|
||||
$ docker tag registry:latest localhost:5000/registry_one:latest
|
||||
|
||||
ssl on;
|
||||
ssl_certificate /etc/docker/registry/certs/domain.crt;
|
||||
ssl_certificate_key /etc/docker/registry/certs/domain.key;
|
||||
2. Push it to the localhost.
|
||||
|
||||
client_max_body_size 0; # disable any limits to avoid HTTP 413 for large image uploads
|
||||
$ docker push localhost:5000/registry_one:latest
|
||||
|
||||
# required to avoid HTTP 411: see Issue #1486 (https://github.com/docker/docker/issues/1486)
|
||||
chunked_transfer_encoding on;
|
||||
If you are using the 1.6 Docker client, this pushes the image the `v2 `registry.
|
||||
|
||||
location /v2/ {
|
||||
# Do not allow connections from docker 1.5 and earlier
|
||||
# docker pre-1.6.0 did not properly set the user agent on ping, catch "Go *" user agents
|
||||
if ($http_user_agent ~ "^(docker\/1\.(3|4|5(?!\.[0-9]-dev))|Go ).*$" ) {
|
||||
return 404;
|
||||
}
|
||||
4. Use `curl` to list the image in the registry.
|
||||
|
||||
proxy_pass http://localhost:5002;
|
||||
proxy_set_header Host $http_host; # required for docker client's sake
|
||||
proxy_set_header X-Real-IP $remote_addr; # pass on real client's IP
|
||||
proxy_read_timeout 900;
|
||||
}
|
||||
$ curl -v -X GET http://localhost:32777/v2/registry1/tags/list
|
||||
* Hostname was NOT found in DNS cache
|
||||
* Trying 127.0.0.1...
|
||||
* Connected to localhost (127.0.0.1) port 32777 (#0)
|
||||
> GET /v2/registry1/tags/list HTTP/1.1
|
||||
> User-Agent: curl/7.36.0
|
||||
> Host: localhost:32777
|
||||
> Accept: */*
|
||||
>
|
||||
< HTTP/1.1 200 OK
|
||||
< Content-Type: application/json; charset=utf-8
|
||||
< Docker-Distribution-Api-Version: registry/2.0
|
||||
< Date: Tue, 14 Apr 2015 22:34:13 GMT
|
||||
< Content-Length: 39
|
||||
<
|
||||
{"name":"registry1","tags":["latest"]}
|
||||
* Connection #0 to host localhost left intact
|
||||
|
||||
location / {
|
||||
proxy_pass http://localhost:5001;
|
||||
proxy_set_header Host $http_host; # required for docker client's sake
|
||||
proxy_set_header X-Real-IP $remote_addr; # pass on real client's IP
|
||||
proxy_set_header Authorization ""; # see https://github.com/docker/docker-registry/issues/170
|
||||
proxy_read_timeout 900;
|
||||
}
|
||||
}
|
||||
```
|
||||
This example refers to the specific port assigned to the 2.0 registry. You saw
|
||||
this port earlier, when you used `docker ps` to show your running containers.
|
||||
|
||||
## Running nginx without a v1 registry
|
||||
When running a v2 registry behind nginx without a v1 registry, the `/v1/` endpoint should
|
||||
be explicitly configured to return a 404 if only the `/v2/` route is proxied. This
|
||||
is needed due to the v1 registry fallback logic within Docker 1.5 and 1.6 which will attempt
|
||||
to retrieve content from the v1 endpoint if no content was retrieved from v2.
|
||||
|
||||
Add this location block to explicitly block v1 requests.
|
||||
```
|
||||
localhost /v1/ {
|
||||
return 404;
|
||||
}
|
||||
```
|
||||
|
|
|
@ -10,7 +10,7 @@ pushes and pulls and layer pushes and pulls. These actions are serialized into
|
|||
events. The events are queued into a registry-internal broadcast system which
|
||||
queues and dispatches events to [_Endpoints_](#endpoints).
|
||||
|
||||
![](/distribution/images/notifications.png)
|
||||
![](../images/notifications.png)
|
||||
|
||||
## Endpoints
|
||||
|
||||
|
|
|
@ -22,7 +22,7 @@ is collection of images. Users interact with the registry by pushing images to
|
|||
or pulling images from the registry. The Docker Registry includes several
|
||||
optional features that you can configure according to your needs.
|
||||
|
||||
![](/distribution/images/registry.png)
|
||||
![](../images/registry.png)
|
||||
|
||||
The architecture supports a configurable storage backend. You can store images
|
||||
on a file system or on a service such as Amazon S3 or Microsoft Azure. The
|
||||
|
@ -64,4 +64,3 @@ For more information and resources, please visit the [Getting Help project page]
|
|||
- [Storage driver model](storagedrivers.md)
|
||||
- [Working with notifications](notifications.md)
|
||||
- [Registry API v2](spec/api.md)
|
||||
|
||||
|
|
Loading…
Reference in a new issue