Administrators guru Posted August 7 Administrators Posted August 7 Coding against virtual, disposable replicas of production helps you get more work done. Introduction: A Docker private registry is a valuable tool for managing and distributing Docker images within your organization. It allows you to store, share, and control access to container images privately. This document outlines the step-by-step process to set up a Docker private registry on an AlmaLinux system. Step 1: Docker Installation: Add the Docker repository: Use the dnf config-manager command to add the Docker repository for CentOS. dnf config-manager --add-repo=docker-ce.repo Verify the repository is added: Check the available repositories using dnf repolist -v. dnf repolist -v Install Docker: Use dnf install docker-ce to install Docker. dnf install docker-ce Start Docker: Use systemctl start docker systemctl start docker Enable Docker: Use systemctl enable docker to enable the Docker service. systemctl enable docker Status of Docker: Use systemctl status docker systemctl status docker Check Docker version: Verify the Docker installation with docker — version. docker — version Step 2: Registry Container Setup: Create a directory for registry storage: Use mkdir /docker_repo to create a directory for registry storage. mkdir /docker_repo Run the Docker registry container: Start the Docker registry container with the appropriate options, such as volume mappings and environment variables. docker run --detach --restart=always --name registry --volume /docker_repo:/docker_repo --env REGISTRY_STORAGE_FILESYSTEM_ROOTDIRECTORY=/docker_repo --publish 5000:5000 registry Verify the container status: Check the status of the registry container using docker ps. docker ps Check that port 5000 (the port you configured) is listening with netstat netstat -tlnp | grep :5000 Step 3: Install a TLS Certificate: Create directory for certs mkdir /certs Assign IP to hostname using the /etc/hosts file cat /etc/hosts 127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4 ::1 localhost localhost.localdomain localhost6 localhost6.localdomain6 192.168.222.134 hosangit.almalinux Generate a TLS certificate: Use the openssl req command to generate a self-signed TLS certificate with the appropriate subject alternate name (SAN). openssl req -newkey rsa:4096 -nodes -sha256 -keyout /certs/hosangit.almalinux.key -addext "subjectAltName = DNS:hosangit.almalinux" -x509 -days 365 -out /certs/hosangit.almalinux.crt sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /certs/hosangit.almalinux.key -out /certs/hosangit.almalinux.crt You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [XX]:US State or Province Name (full name) []:MI Locality Name (eg, city) [Default City]:Flint Organization Name (eg, company) [Default Company Ltd]:HIT Organizational Unit Name (eg, section) []:DevOps Common Name ()eg, your name or your server's hostname) []:hosangit.almalinux Email Address []: hosangit@mwg.com Save the certificate: Store the generated certificate and private key files in the /certs directory. Step 4: Nginx Setup: Install Nginx: Use dnf install nginx to install the Nginx web server. dnf install nginx -y Configure Nginx: Edit the Nginx configuration files to set up a reverse proxy for the Docker registry. vi /etc/nginx/nginx.conf #add this line at http section client_max_body_size 2048m; vi /etc/nginx/conf.d/hosangit.almalinux.conf server { listen 80; server_name hosangit.almalinux; return 301 https://$host$request_uri; } server { listen 443 ssl http2; server_name hosangit.almalinux; # ssl params ssl_certificate /certs/hosangit.almalinux.crt; ssl_certificate_key /certs/hosangit.almalinux.key; ssl_protocols TLSv1.2; location / { proxy_pass proxy_set_header Host $http_host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_read_timeout 600; } } Restart Nginx: Restart the Nginx service to apply the configuration changes. systemctl stop firewalld.service systemctl disable firewalld.service setenforce 0 systemctl restart nginx curl -kIL http://hosangit.almalinux/v2/ Step 5: Push Image to Private Registry: Run a sample container: Start a container using the docker run command. docker run --name webserver --detach nginx docker exec -it webserver /bin/bash apt update apt install iproute2 iputils-ping net-tools -y edit daemon.json vi /etc/docker/daemon.json { "insecure-registries" : ["https://hosangit.almalinux"] } mkdir -p /etc/docker/certs.d/hosangit.almalinux cp /certs/hosangit.almalinux.crt /etc/docker/certs.d/hosangit.almalinux/ systemctl restart docker docker image ls Commit the container: Use docker commit to create a new image from the running container. docker commit webserver nginx Tag the image: Assign a new tag to the image using docker tag. docker tag nginx ahosan1.almalinux/nginx docker image ls Push the image: Push the image to the private registry using docker push. docker push hosangit.almalinux/nginx curl -kL https://hosangit.almalinux/v2/_catalog --run in one tab docker logs -f registry --run in one tab tail -1000f /var/log/nginx/access.log Step 6: Pull & Push Images at Private Registry: Verify the private registry: Check the repositories available in the private registry using curl. Pull and tag the image: Pull an image from a public repository and tag it for the private registry. Push the image to the private registry: Use docker push to push the image to the private registry. Verify image availability: Check that the pushed image is available in the private registry. Step 7: Pull & Push Images from Remote Host: Configure remote host: Update the /etc/hosts file on a remote host to resolve the private registry hostname. Configure Docker on the remote host: Configure Docker on the remote host to use the private registry as a mirror. Restart Docker on the remote host: Restart the Docker service on the remote host to apply the configuration changes. Pull images from the remote host: Pull images from the private registry on the remote host. Step 8: Delete Image from Private Registry and Push Images from Remote: Delete image from private registry: Remove an image from the private registry. Restart the registry container: Restart the registry container to reflect the changes. Check the registry status: Use curl to verify the repositories in the private registry. Delete and push images from a remote host: Delete and push images from the private registry on a remote host. Verify image availability: Confirm that the images are pushed and available in the private registry. Conclusion: Setting up a Docker private registry on AlmaLinux involves multiple steps, including Docker installation, registry container setup, TLS certificate generation, Nginx configuration, image management, and interaction between local and remote hosts. Following these steps allows you to create a secure and controlled environment for storing and distributing Docker images within your organization.
Administrators guru Posted August 7 Author Administrators Posted August 7 Pretty cool way of creating a home lab is utilizing Container Station on a QNAP NAS device which offers Docker and LXD. My goal is to test NGINX as a loadbalancer and what I have to use is... 1 QNAP 6bay NAS 1 QNAP 2bay NAS **both running Container Station I'm running three NGINX Containers on the QNAP 6bay and using bridge networking and assigning static IPs 192.168.10.101 192.168.10.102 192.168.10.103 On the 2bay NAS I'm running my pool members which are LAMP web servers 192.168.10.121 192.168.10.122 To build the alpine linux docker containers I ssh to the 2bay NAS [scode lang="{language}"]mkdir -p alpine-sshd cd alpine-sshd/ touch Dockerfile[/scode] [scode lang="{language}"]vi Dockerfile FROM alpine:latest LABEL maintainer="hosang i.t. [email protected]" RUN apk add --update --no-cache openssh RUN echo 'PasswordAuthentication yes' >> /etc/ssh/sshd_config RUN adduser -h /home/dennis -s /bin/sh -D dennis RUN echo -n 'dennis:somepassword!' | chpasswd ENTRYPOINT ["/entrypoint.sh"] EXPOSE 22 COPY entrypoint.sh /[/scode] [scode lang="{language}"]vi entrypoint.sh #!/bin/sh ssh-keygen -A exec /usr/sbin/sshd -D -e "$@"[/scode] [scode lang="{language}"]chmod +x -v entrypoint.sh[/scode] [scode lang="{language}"]docker build -t alpine-sshd .[/scode] To build the ubuntu linux docker containers I ssh to the 2bay NAS [scode lang="{language}"]mkdir -p ubuntu-sshd cd ubuntu-sshd/ touch Dockerfile[/scode] [scode lang="{language}"]vi Dockerfile # Download base image ubuntu 22.04 FROM ubuntu:22.04 LABEL maintainer="hosang i.t. [email protected]" LABEL version="0.1" LABEL description="This is a custom Docker Image for PHP-FPM and Nginx." # Disable Prompt During Packages Installation ARG DEBIAN_FRONTEND=noninteractive # Update Ubuntu Software repository RUN apt update # Install nginx, php-fpm and supervisord from ubuntu repository RUN apt install -y nginx php-fpm supervisor openssh RUN rm -rf /var/lib/apt/lists/* RUN apt clean # Define the ENV variable ENV nginx_vhost /etc/nginx/sites-available/default ENV php_conf /etc/php/8.1/fpm/php.ini ENV nginx_conf /etc/nginx/nginx.conf ENV supervisor_conf /etc/supervisor/supervisord.conf # Enable PHP-fpm on nginx virtualhost configuration COPY default ${nginx_vhost} RUN sed -i -e 's/;cgi.fix_pathinfo=1/cgi.fix_pathinfo=0/g' ${php_conf} && echo "ndaemon off;" >> ${nginx_conf} #Copy supervisor configuration COPY supervisord.conf ${supervisor_conf} RUN mkdir -p /run/php RUN chown -R www-data:www-data /var/www/html RUN chown -R www-data:www-data /run/php # Volume configuration VOLUME ["/etc/nginx/sites-enabled", "/etc/nginx/certs", "/etc/nginx/conf.d", "/var/log/nginx", "/var/www/html"] # Copy start.sh script and define default command for the container COPY start.sh /start.sh CMD ["./start.sh"] # Expose Port for the Application EXPOSE 80 443 22[/scode] [scode lang="{language}"]vi default server { listen 80 default_server; root /var/www/html; index index.html index.htm index.nginx-debian.html; server_name _; location / { try_files $uri $uri/ =404; } location ~ .php$ { include snippets/fastcgi-php.conf; fastcgi_pass unix:/run/php/php8.1-fpm.sock; } }[/scode] [scode lang="{language}"]vi supervisord.conf [unix_http_server] file=/dev/shm/supervisor.sock ; (the path to the socket file) [supervisord] logfile=/var/log/supervisord.log ; (main log file;default $CWD/supervisord.log) logfile_maxbytes=50MB ; (max main logfile bytes b4 rotation;default 50MB) logfile_backups=10 ; (num of main logfile rotation backups;default 10) loglevel=info ; (log level;default info; others: debug,warn,trace) pidfile=/tmp/supervisord.pid ; (supervisord pidfile;default supervisord.pid) nodaemon=false ; (start in foreground if true;default false) minfds=1024 ; (min. avail startup file descriptors;default 1024) minprocs=200 ; (min. avail process descriptors;default 200) user=root ; [rpcinterface:supervisor] supervisor.rpcinterface_factory = supervisor.rpcinterface:make_main_rpcinterface [supervisorctl] serverurl=unix:///dev/shm/supervisor.sock ; use a unix:// URL for a unix socket [include] files = /etc/supervisor/conf.d/*.conf [program:php-fpm8.1] command=/usr/sbin/php-fpm8.1 -F numprocs=1 autostart=true autorestart=true [program:nginx] command=/usr/sbin/nginx numprocs=1 autostart=true autorestart=true[/scode] [scode lang="{language}"]vi start.sh #!/bin/sh /usr/bin/supervisord -n -c /etc/supervisor/supervisord.conf[/scode] [scode lang="{language}"]chmod +x start.sh [/scode] [scode lang="{language}"]docker build -t nginx-image .[/scode] [scode lang="{language}"]mkdir -p /var/webroot docker run -d -v /var/webroot:/var/www/html -p 8080:80 --name test-container nginx-image[/scode] Create index.html test page [scode lang="{language}"]echo ' Nginx and PHP-FPM 8.1 inside Docker Container with Ubuntu 22.04 Base Image ' > /var/webroot/index.html [/scode] Test by running these commands [scode lang="{language}"]curl server-ip:8080 curl -I server-ip:8080[/scode]
Recommended Posts