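Installing Docker on my local server
Note: the EPEL release package below is downloaded over plain HTTP and installed without a signature check, so it could be altered in transit. Prefer the https:// form of the URL and verify the package (for example with `rpm -K`) before installing it; on CentOS 7, `yum install epel-release` gets the same repository definition through yum's own GPG check.
[root@localhost packages]# wget http://dl.fedoraproject.org/pub/epel/7/x86_64/e/epel-release-7-5.noarch.rpm
[root@localhost packages]# rpm -ivh epel-release-7-5.noarch.rpm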
[root@localhost packages]# yum install docker
[root@localhost packages]# chkconfig docker on
Note: Forwarding request to 'systemctl enable docker.service'.
ln -s '/usr/lib/systemd/system/docker.service' '/etc/systemd/system/multi-user.target.wants/docker.service'
[root@localhost packages]# docker info
Containers: 0
Images: 0
Storage Driver: devicemapper
 Pool Name: docker-253:1-35027491-pool
 Pool Blocksize: 65.54 kB
 Data file: /var/lib/docker/devicemapper/devicemapper/data
 Metadata file: /var/lib/docker/devicemapper/devicemapper/metadata
 Data Space Used: 307.2 MB
 Data Space Total: 107.4 GB
 Metadata Space Used: 729.1 kB
 Metadata Space Total: 2.147 GB
 Library Version: 1.02.84-RHEL7 (2014-03-26)
Execution Driver: native-0.2
Kernel Version: 3.10.0-123.el7.x86_64
Operating System: CentOS Linux 7 (Core)
Configuring a Docker registry on my local server
[root@localhost ~]# docker pull registry
Pulling repository registry
[root@localhost packages]# docker images
REPOSITORY TAG IMAGE ID CREATED VIRTUAL SIZE
registry latest e33e81d7024c 4 days ago 418 MB
[root@localhost system]# systemctl list-unit-files | grep docker
private-docker-registry.service disabled
[root@localhost ~]# curl localhost:5000
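[root@localhost ~]# systemctl list-unit-files | grep docker
docker-3bbfacfbeef2fd09...3032de81405171b70df94827b32b30b754cb9d8.scope static
docker.service enabled
private-docker-registry.service enabled
docker.socket disabled
[root@localhost ~]# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
3bbfacfbeef2 registry:latest "docker-registry" 8 minutes ago Up 2 minutes 0.0.0.0:5000->5000/tcp private_registry
[root@localhost ~]#
[root@localhost ~]# curl localhost:5000
"\"docker-registry server\""
[root@localhost ~]#
[root@localhost ~]#
To secure my local registry, I configure HTTPS access through Nginx.
Note: the PORTS column above shows the registry published on 0.0.0.0:5000, so any host that can connect to that port still reaches it directly, with neither the Nginx password check nor TLS in front of it. For the Nginx front end to be the only way in, publish the port on loopback only (for example `-p 127.0.0.1:5000:5000` in the command that starts the registry container) or block port 5000 at the firewall.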
[root@localhost ~]# yum
info nginx
[root@localhost ~]# systemctl enable nginx.service
[root@localhost ~]# mkdir -p /etc/nginx/sites-available
[root@localhost ~]# cd /etc/nginx/sites-available
[root@localhost sites-available]# vi secure.my.domain.in
ln -s
'/usr/lib/systemd/system/nginx.service'
'/etc/systemd/system/multi-user.target.wants/nginx.service'
# Virtual host that puts HTTP Basic authentication (and, once enabled, TLS)
# in front of the registry container listening on localhost:5000.
# For versions of Nginx > 1.3.9 that include chunked transfer encoding support
# Replace with appropriate values where necessary
# NOTE(review): the proxy only protects the registry if port 5000 cannot be
# reached directly; the docker ps output on this page shows it published on
# 0.0.0.0:5000, which bypasses everything configured here.
upstream private-docker-registry
{
server localhost:5000;
}
server {
listen 443;
server_name my.domain.in;
# NOTE(review): the three ssl directives below are commented out, so as written
# this server answers plain HTTP on port 443 and the Basic auth credentials
# cross the network unencrypted. Uncomment them once the certificate and key
# from the "Configure Nginx to use SSL certificate" step exist at these paths,
# then reload nginx. `ssl on;` suits the nginx/1.6.2 shown on this page; newer
# nginx releases deprecate it in favour of `listen 443 ssl;`.
#ssl on;
#ssl_certificate /data/ssl/certs/my.domain.in.crt;
#ssl_certificate_key /data/ssl/private/my.domain.in.key;
proxy_set_header Host $http_host; # required for Docker client sake
proxy_set_header X-Real-IP $remote_addr; # pass on real client IP
client_max_body_size 0; # disable any limits to avoid HTTP 413 for large image uploads
# required to avoid HTTP 411: see Issue #1486 (https://github.com/dotcloud/docker/issues/1486)
chunked_transfer_encoding on;
# Everything except the ping endpoints requires a user from the htpasswd file.
location / {
# let Nginx know about our auth file
# Keep the htpasswd file readable only by root and the nginx worker user;
# it holds the password hashes for every registry account.
auth_basic "Restricted";
auth_basic_user_file /data/ssl/docker-registry.htpasswd;
proxy_pass http://private-docker-registry;
}
# The two ping endpoints are deliberately left unauthenticated
# (auth_basic off) and are proxied to the same upstream.
location /_ping {
auth_basic off;
proxy_pass http://private-docker-registry;
}
location /v1/_ping {
auth_basic off;
proxy_pass http://private-docker-registry;
}
}
[root@localhost sites-available]#
mkdir -p /data/ssl/
[root@localhost
sites-available]# htpasswd -c
/data/ssl/docker-registry.htpasswd renga
New password:
Re-type new password:
Adding password for user
renga
[root@localhost
sites-available]#
[root@localhost
sites-available]# mkdir -p
/etc/nginx/sites-enabled
[root@localhost
sites-available]# cd
/etc/nginx/sites-enabled
[root@localhost
sites-enabled]# ln -s
/etc/nginx/sites-available/secure.my.domain.in secure.my.domain.in
[root@localhost
sites-enabled]# ls -lrt
total 0
lrwxrwxrwx 1 root root 46
Mar 25 14:25 secure.my.domain.in ->
/etc/nginx/sites-available/secure.my.domain.in
[root@localhost
sites-enabled]# ls
secure.my.domain.in
[root@localhost sites-enabled]#
cat secure.my.domain.in
Add a line to /etc/nginx/nginx.conf
Next we have to make sure that Nginx can find our virtual host configuration file. Open the file /etc/nginx/nginx.conf and, after the line “include /etc/nginx/conf.d/*.conf;”, add the following:
include /etc/nginx/sites-enabled/*;
[root@localhost
sites-enabled]# systemctl reload nginx.service
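Checking HTTPS access
Note: the curl calls below carry no https:// scheme, so they speak plain HTTP to port 443. They get an answer only because the ssl lines in the virtual host are still commented out at this point; this step confirms that the password check works, not that TLS does. Once the certificate is configured, test with an https:// URL whose host name matches the certificate.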
[root@localhost sites-enabled]# curl localhost:443
<html>
<head><title>401 Authorization
Required</title></head>
<body bgcolor="white">
<center><h1>401 Authorization
Required</h1></center>
<hr><center>nginx/1.6.2</center>
</body>
</html>
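[root@localhost sites-enabled]# curl renga:renga123@localhost:443
"\"docker-registry server\""
[root@localhost sites-enabled]#
Note: a password written into the URL ends up in the shell history and is visible in the process list while curl runs, and here it is also sent unencrypted. `curl -u renga` prompts for the password instead.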
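Configure Nginx to use SSL certificate
Note: the commands below write the CA key and the server key unencrypted into /tmp/certs, which is created with default permissions. Create the working directory so that only root can read it (for example `mkdir -m 700 /tmp/certs`), and when finished move dockerCA.key off this host or delete it: whoever holds that key can issue certificates that every client trusting dockerCA.crt will accept.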
[root@localhost sites-enabled]#
mkdir /tmp/certs
[root@localhost sites-enabled]#
cd /tmp/certs
[root@localhost certs]# openssl
genrsa -out dockerCA.key 2048
Generating RSA private key, 2048
bit long modulus
................................................................................................................+++
...........+++
e is 65537 (0x10001)
[root@localhost certs]# openssl
req -x509 -new -nodes -key dockerCA.key -days 3650 -out dockerCA.crt
You are about to be asked to
enter information that will be incorporated
into your certificate request.
What you are about to enter is
what is called a Distinguished Name or a DN.
There are quite a few fields but
you can leave some blank
For some fields there will be a
default value,
If you enter '.', the field will
be left blank.
-----
Country Name (2 letter code)
[XX]:IN
State or Province Name (full
name) []:TN
Locality Name (eg, city) [Default
City]:xxxxx
Organization Name (eg, company)
[Default Company Ltd]:
Organizational Unit Name (eg,
section) []:
Common Name (eg, your name or
your server's hostname) []:
Email Address []:
[root@localhost certs]#
openssl genrsa -out my.domain.in.key 2048
Generating RSA private key, 2048
bit long modulus
.......................................................+++
...+++
e is 65537 (0x10001)
[root@localhost certs]# openssl
req -new -key my.domain.in.key -out my.domain.in.csr
You are about to be asked to
enter information that will be incorporated
into your certificate request.
What you are about to enter is
what is called a Distinguished Name or a DN.
There are quite a few fields but
you can leave some blank
For some fields there will be a
default value,
If you enter '.', the field will
be left blank.
-----
Country Name (2 letter code)
[XX]:IN
State or Province Name (full
name) []:TN
Locality Name (eg, city) [Default
City]:xxxx
Organization Name (eg, company)
[Default Company Ltd]:
Organizational Unit Name (eg,
section) []:
Common Name (eg, your name or
your server's hostname) []:my.domain.in
Email Address []:
Please enter the following
'extra' attributes
to be sent with your certificate
request
A challenge password []:
An optional company name []:
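[root@localhost certs]# openssl x509 -req -in my.domain.in.csr -CA dockerCA.crt -CAkey dockerCA.key -CAcreateserial -out my.domain.in.crt -days 3650
Note: this certificate carries the host name only in the Common Name. Newer TLS clients check subjectAltName instead, so if a client rejects the certificate, reissue it with a SAN entry for my.domain.in; adding `-sha256` also makes the signature digest explicit on older OpenSSL builds.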
Signature ok
subject=/C=IN/ST=TN/L=chennai/O=Default
Company Ltd/CN=my.domain.in
Getting CA Private Key
[root@localhost certs]# mkdir -p /data/ssl/certs/
[root@localhost certs]# mkdir -p /data/ssl/private/
[root@localhost certs]# cp my.domain.in.crt /data/ssl/certs/
[root@localhost certs]# cp my.domain.in.key /data/ssl/private/
Note: the copied key keeps default permissions. Restrict it to root, for example `chmod 700 /data/ssl/private` and `chmod 600 /data/ssl/private/my.domain.in.key`.
[root@localhost certs]# update-ca-trust enable
[root@localhost certs]# cp dockerCA.crt /etc/pki/ca-trust/source/anchors/
[root@localhost certs]# update-ca-trust extract
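Reloading the nginx service after configuring the certificate for HTTPS access. The ssl lines in /etc/nginx/sites-available/secure.my.domain.in have to be uncommented before this reload; otherwise port 443 keeps serving plain HTTP.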
[root@localhost certs]#
systemctl reload nginx.service
[root@localhost certs]# systemctl
status nginx.service
nginx.service - The nginx HTTP
and reverse proxy server
Loaded: loaded (/usr/lib/systemd/system/nginx.service; enabled)
Active: active (running) since
Wed 2015-03-25 14:10:57 EDT; 29min ago
Process: 2517 ExecReload=/bin/kill -s HUP $MAINPID (code=exited,
status=0/SUCCESS)
Process: 2205 ExecStart=/usr/sbin/nginx (code=exited, status=0/SUCCESS)
Process: 2204 ExecStartPre=/usr/sbin/nginx -t (code=exited,
status=0/SUCCESS)
Main PID: 2208 (nginx)
CGroup: /system.slice/nginx.service
├─2208 nginx: master process /usr/sbin/nginx
└─2519 nginx: worker process
Mar 25 14:10:56 localhost.localdomain
systemd[1]: Starting The nginx HTTP and reverse proxy server...
Mar 25 14:10:57
localhost.localdomain nginx[2204]: nginx: the configuration file
/etc/nginx/nginx.conf syntax is ok
Mar 25 14:10:57
localhost.localdomain nginx[2204]: nginx: configuration file
/etc/nginx/nginx.conf test is successful
Mar 25 14:10:57
localhost.localdomain systemd[1]: Failed to read PID from file /run/nginx.pid:
Invalid argument
Mar 25 14:10:57
localhost.localdomain systemd[1]: Started The nginx HTTP and reverse proxy
server.
Mar 25 14:26:18
localhost.localdomain systemd[1]: Reloading The nginx HTTP and reverse proxy
server.
Mar 25 14:26:18
localhost.localdomain systemd[1]: Reloaded The nginx HTTP and reverse proxy
server.
Mar 25 14:39:50
localhost.localdomain systemd[1]: Reloading The nginx HTTP and reverse proxy
server.
Mar 25 14:39:50
localhost.localdomain systemd[1]: Reloaded The nginx HTTP and reverse proxy
server.
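On a client node
[root@lab-client2 anchors]# update-ca-trust enable
[root@lab-client2 anchors]# update-ca-trust extract
[root@lab-client2 anchors]# docker login --username='renga' --password='r*****' --email="renga@txy.in" https://my.domain.in
WARNING: login credentials saved in /root/.docker/config.json
Login Succeeded
Note: a password given with --password stays in the shell history and is visible in the process list; leave the option out and docker login prompts for it (newer Docker releases also accept --password-stdin). The "auth" value that the next command prints is only the base64 encoding of user:password, not encryption, so it reveals the password that was masked in the login command. Treat config.json as a secret: keep it readable by its owner only and blank out the "auth" value before sharing the file.
[root@lab-client2 anchors]# cat /root/.docker/config.json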
{
"auths": {
"https://my.domain.in": {
"auth":
"cmVuZ2E6cmVuZ2ExMjM=",
"email":
"renga@txy.in"
}
}
}
[root@lab-client2 anchors]#
docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
busybox latest 0cb40641836c 4 weeks ago 1.114 MB
swarm latest 32d67c5a4211 9 weeks ago 17.15 MB
hello-world latest 690ed74de00f 4 months ago 960 B
[root@lab-client2 anchors]#
docker tag busybox:latest my.domain.in/busybox:latest
[root@lab-client2 anchors]#
docker push my.domain.in/busybox:latest
The push refers to a repository
[my.domain.in/busybox]
5f70bf18a086: Image successfully
pushed
2c84284818d1: Image successfully
pushed
Pushing tag for rev
[0cb40641836c] on {https://my.domain.in/v1/repositories/busybox/tags/latest}
I have created my Tomcat app and stored it as a Docker image in my local Docker registry
[root@lab-client1 anchors]# docker tag vapp/opensuse-tomcat my.domain.in/vapp-new4
[root@lab-client1 anchors]# docker push my.domain.in/vapp-new4
The push refers to a repository [my.domain.in/vapp1-opensuse-tomcat]
44edd81aea93: Image successfully pushed
41b1bb3a2f2b: Image successfully pushed
8c0a3618ceb7: Image successfully pushed
5f70bf18a086: Image successfully pushed
Pushing tag for rev [445b2c5a5515] on {https://my.domain.in/v1/repositories/vapp-new4/tags/latest}
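Pushing my local Docker image stored in my local registry to my public Docker repo
Note: an image pushed to a public repository can be pulled by anyone, including every layer and its build history. Check that no passwords, keys or internal configuration were baked into the image before pushing it.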
[root@lab-client1 ~]# docker tag rengarajang/vapp-new4
[root@lab-client1 ~]#
docker login
Pushing my images to public repo
WARNING: login credentials saved
in /root/.docker/config.json
Login Succeeded
[root@lab-client1 ~]#
[root@lab-client1 ~]# docker
push rengarajang/vapp-new4
The push refers to a repository
[docker.io/rengarajang/vapp-new4]
466445ad8481: Pushed
44edd81aea93: Pushed
41b1bb3a2f2b: Pushed
8c0a3618ceb7: Pushed
5f70bf18a086: Pushed
latest: digest:
sha256:b94d372fca55d6f06e9a6b1cc8fae824a474f0bd56f63b02cab32a31dbea12bf size:
3468
[root@lab-client1 ~]#