document/TranslateProject
2
0
Fork 0
mirror of https://github.com/LCTT/TranslateProject.git synced 2025-02-03 23:40:14 +08:00
Code Issues Packages Projects Releases Wiki Activity

Translated by DongShuaike

Browse Source
This commit is contained in:
DongShuaike 2015-04-29 21:40:12 +08:00
parent e240424ea9
commit 4c0e81d9d2
2 changed files with 241 additions and 242 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

242
sources/tech/20150128 Docker-2 Setting up a private Docker registry.md
View File

@ -1,242 +0,0 @@
[Translating by DongShuaike]
Setting up a private Docker registry
================================================================================
![](http://cocoahunter.com/content/images/2015/01/docker2.jpg)
[TL;DR] This is the second post in a series of 3 on how my company moved its infrastructure from PaaS to Docker based deployment.
- [First part][1]: where I talk about the process we went thru before approaching Docker;
- [Third pard][2]: where I show how to automate the entire process of building images and deploying a Rails app with Docker.
----------
Why would ouy want ot set up a provate registry? Well, for starters, Docker Hub only allows you to have one free private repo. Other companies are beginning to offer similar services, but they are all not very cheap. In addition, if you need to deploy production ready applications built with Docker, you might not want to publish those images on the public Docker Hub.
This is a very pragmatic approach to dealing with the intricacies of setting up a private Docker registry. For the tutorial we will be using a small 512MB instance on DigitalOcean (from now on DO). I also assume you already know the basics of Docker since I will be concentrating on some more complicated stuff.
### Local set up ###
First of all you need to install **boot2docker** and docker CLI. If you already have your basic Docker environment up and running, you can just skip to the next section.
From the terminal run the following command[1][3]:
brew install boot2docker docker
If everything is ok[2][4], you will now be able to start the VM inside which Docker will run with the following command:
boot2docker up
Follow the instructions, copy and paste the export commands that boot2docker will print in the terminal. If you now run `docker ps` you should be greeted by the following line
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
Ok, Docker is ready to go. This will be enough for the moment. Let's go back to setting up the registry.
### Creating the server ###
Log into you DO account and create a new Droplet by selecting an image with Docker pre-installed[^n].
![](http://cocoahunter.com/content/images/2015/01/Screenshot-2015-01-20-18-26-14.png)
You should receive your root credentials via email. Log into your instance and run `docker ps` to see if eveything is ok.
### Setting up AWS S3 ###
We are going to use Amazon Simple Storage Service (S3) as the storage layer for our registry / repository. We will need to create a bucket and user credentials to allow our docker container accessoing it.
Login into your AWS account (if you don't have one you can set one up at [http://aws.amazon.com/][5]) and from the console select S3 (Simple Storage Service).
![](http://cocoahunter.com/content/images/2015/01/Screenshot-2015-01-20-19-29-21.png)
Click on **Create Bucket**, enter a unique name for your bucket (and write it down, we're gonna need it later), then click on **Create**.
![](http://cocoahunter.com/content/images/2015/01/Screenshot-2015-01-20-19-22-50.png)
That's it! We're done setting up the storage part.
### Setup AWS access credentials ###
We are now going to create a new user. Go back to your AWS console and select IAM (Identity & Access Management).
![](http://cocoahunter.com/content/images/2015/01/Screenshot-2015-01-20-19-29-08.png)
In the dashboard, on the left side of the webpage, you should click on Users. Then select **Create New Users**.
You should be presented with the following screen:
![](http://cocoahunter.com/content/images/2015/01/Screenshot-2015-01-20-19-31-42.png)
Enter a name for your user (e.g. docker-registry) and click on Create. Write down (or download the csv file with) your Access Key and Secret Access Key that we'll need when running the Docker container. Go back to your users list and select the one you just created.
Under the Permission section, click on Attach User Policy. In the next screen, you will be presented with multiple choices: select Custom Policy.
![](http://cocoahunter.com/content/images/2015/01/Screenshot-2015-01-20-19-41-21.png)
Here's the content of the custom policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "SomeStatement",
"Effect": "Allow",
"Action": [
"s3:*"
],
"Resource": [
"arn:aws:s3:::docker-registry-bucket-name/*",
"arn:aws:s3:::docker-registry-bucket-name"
]
}
]
}
This will allow the user (i.e. the registry) to manage (read/write) content on the bucket (make sure to use the bucket name you previously defined when setting up AWS S3). To sum it up: when you'll be pushing Docker images from your local machine to your repository, the server will be able to upload them to S3.
### Installing the registry ###
Now let's head back to our DO server and SSH into it. We are going to use[^n] one of the [official Docker registry images][6].
Let's start our registry with the following command:
docker run \
-e SETTINGS_FLAVOR=s3 \
-e AWS_BUCKET=bucket-name \
-e STORAGE_PATH=/registry \
-e AWS_KEY=your_aws_key \
-e AWS_SECRET=your_aws_secret \
-e SEARCH_BACKEND=sqlalchemy \
-p 5000:5000 \
--name registry \
-d \
registry
Docker should pull the required fs layers from the Docker Hub and eventually start the daemonised container.
### Testing the registry ###
If everything worked out, you should now be able to test the registry by pinging it and by searching its content (though for the time being it's still empty).
Our registry is very basic and it does not provide any means of authentication. Since there are no easy ways of adding authentication (at least none that I'm aware of that are easy enough to implment in order to justify the effort), I've decided that the easiest way of querying / pulling / pushing the registry is an unsecure (over HTTP) connection tunneled thru SSH.
Opening an SSH tunnel from your local machine is straightforward:
ssh -N -L 5000:localhost:5000 root@your_registry.com
The command is tunnelling connections over SSH from port 5000 of the registry server (which is the one we exposed with the `docker run` command in the previous paragraph) to port 5000 on the localhost.
If you now browse to the following address [http://localhost:5000/v1/_ping][7] you should get the following very simple response
{}
This just means that the registry is working correctly. You can also list the whole content of the registry by browsing to [http://localhost:5000/v1/search][8] that will get you a similar response:
{
"num_results": 2,
"query": "",
"results": [
{
"description": "",
"name": "username/first-repo"
},
{
"description": "",
"name": "username/second-repo"
}
]
}
### Building an image ###
Let's now try and build a very simple Docker image to test our newly installed registry. On your local machine, create a Dockerfile with the following content[^n]:
# Base image with ruby 2.2.0
FROM ruby:2.2.0
MAINTAINER Michelangelo Chasseur <michelangelo.chasseur@touchwa.re>
...and build it:
docker build -t localhost:5000/username/repo-name .
The `localhost:5000` part is especially important: the first part of the name of a Docker image will tell the `docker push` command the endpoint towards which we are trying to push our image. In our case, since we are connecting to our remote private registry via an SSH tunnel, `localhost:5000` represents exactly the reference to our registry.
If everything works as expected, when the command returns, you should be able to list your newly created image with the `docker images` command. Run it and see it for yourself.
### Pushing to the registry ###
Now comes the trickier part. It took a me a while to realize what I'm about to describe, so just be patient if you don't get it the first time you read and try to follow along. I know that all this stuff will seem pretty complicated (and it would be if you didn't automate the process), but I promise in the end it will all make sense. In the next post I will show a couple of shell scripts and Rake tasks that will automate the whole process and will let you deploy a Rails to your registry app with a single easy command.
The docker command you are running from your terminal is actually using the boot2docker VM to run the containers and do all the magic stuff. So when we run a command like `docker push some_repo` what is actually happening is that it's the boot2docker VM that is reacing out for the registry, not our localhost.
This is an extremely important point to understand: in order to push the Docker image to the remote private registry, the SSH tunnel needs to be established from the boot2docker VM and not from your local machine.
There are a couple of ways to go with it. I will show you the shortest one (which is not probably the easiest to understand, but it's the one that will let us automate the process with shell scripts).
First of all though we need to sort one last thing with SSH.
### Setting up SSH ###
Let's add our boot2docker SSH key to our remote server (registry) known hosts. We can do so using the ssh-copy-id utility that you can install with the following command shouldn't you already have it:
brew install ssh-copy-id
Then run:
ssh-copy-id -i /Users/username/.ssh/id_boot2docker root@your-registry.com
Make sure to substitute `/Users/username/.ssh/id_boot2docker` with the correct path of your ssh key.
This will allow us to connect via SSH to our remote registry without being prompted for the password.
Finally let's test it out:
boot2docker ssh "ssh -o 'StrictHostKeyChecking no' -i /Users/michelangelo/.ssh/id_boot2docker -N -L 5000:localhost:5000 root@registry.touchwa.re &" &
To break things out a little bit:
- `boot2docker ssh` lets you pass a command as a parameter that will be executed by the boot2docker VM;
- the final `&` indicates that we want our command to be executed in the background;
- `ssh -o 'StrictHostKeyChecking no' -i /Users/michelangelo/.ssh/id_boot2docker -N -L 5000:localhost:5000 root@registry.touchwa.re &` is the actual command our boot2docker VM will run;
- the `-o 'StrictHostKeyChecking no'` will make sure that we are not prompted with security questions;
- the `-i /Users/michelangelo/.ssh/id_boot2docker` indicates which SSH key we want our VM to use for authentication purposes (note that this should be the key you added to your remote registry in the previous step);
- finally we are opening a tunnel on mapping port 5000 to localhost:5000.
### Pulling from another server ###
You should now be able to push your image to the remote registry by simply issuing the following command:
docker push localhost:5000/username/repo_name
In the [next post][9] we'll se how to automate some of this stuff and we'll containerize a real Rails application. Stay tuned!
P.S. Please use the comments to let me know of any inconsistencies or fallacies in my tutorial. Hope you enjoyed it!
1. I'm also assuming you are running on OS X.
1. For a complete list of instructions to set up your docker environment and requirements, please visit [http://boot2docker.io/][10]
1. Select Image > Applications > Docker 1.4.1 on 14.04 at the time of this writing.
1. [https://github.com/docker/docker-registry/][11]
1. This is just a stub, in the next post I will show you how to bundle a Rails application into a Docker container.
--------------------------------------------------------------------------------
via: http://cocoahunter.com/2015/01/23/docker-2/
作者:[Michelangelo Chasseur][a]
译者:[译者ID](https://github.com/译者ID)
校对:[校对者ID](https://github.com/校对者ID)
本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创翻译,[Linux中国](http://linux.cn/) 荣誉推出
[a]:http://cocoahunter.com/author/michelangelo/
[1]:http://cocoahunter.com/2015/01/23/docker-1/
[2]:http://cocoahunter.com/2015/01/23/docker-3/
[3]:http://cocoahunter.com/2015/01/23/docker-2/#fn:1
[4]:http://cocoahunter.com/2015/01/23/docker-2/#fn:2
[5]:http://aws.amazon.com/
[6]:https://registry.hub.docker.com/_/registry/
[7]:http://localhost:5000/v1/_ping
[8]:http://localhost:5000/v1/search
[9]:http://cocoahunter.com/2015/01/23/docker-3/
[10]:http://boot2docker.io/
[11]:https://github.com/docker/docker-registry/

241
translated/tech/20150128 Docker-2 Setting up a private Docker registry.md Normal file
View File

@ -0,0 +1,241 @@
搭建一个私有的Docker registry
================================================================================
![](http://cocoahunter.com/content/images/2015/01/docker2.jpg)
[TL;DR]这是系列的第二篇文章这系列讲述了我的公司如何把基础服务从PaaS迁移到Docker上
- [First part][1]: 第一篇文章里我谈到了接触Docker之前的经历
- [Third pard][2]: 第三篇文章里我展示如何使创建images的过程自动化以及如何用Docker部署一个Rails应用。
----------
为什么需要搭建一个私有的registry呢Docker Hub一个Docker公共仓库只允许你拥有一个免费的私有版本库repo。其他的公司提供类似服务但是价格可不便宜。另外如果你需要部署一个基于Docker的应用产品恐怕你不希望这些images在开放的Docker Hub被公开吧
这篇文章提供了一个非常务实的方法来处理搭建私有Docke registry时出现的各种错综复杂的情况。我们将会使用一个运行于DigitalOcean之后简称为DO的非常小巧的512MB实例。并且我会假定你已经了解了Docker的基本概念因为我必须集中精力在复杂的事情上
###本地搭建###
首先你需要安装**boot2docker**以及docker CLI。如果你已经搭建好了基本的Docker环境你可以直接跳过这一步。
从终端运行以下命令[1][3]:
brew install boot2docker docker
如果一切顺利[2][4]你现在将能够启动VM在VM当中输入下列命令
boot2docker up
Follow the instructions, copy and paste the export commands that boot2docker will print in the terminal. If you now run `docker ps` you should be greeted by the following line
按照说明复制粘贴book2docker打印在终端的export命令这块翻译不太好。现在运行`docker ps`命令,终端将有以下显示。
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
好了Docker已经准备就绪。我们回过头去搭建registry。
###创建服务器###
登录进你的DO账号选择一个提前安装好Docker的映像文件创建一个新的Drople。[^n]
![](http://cocoahunter.com/content/images/2015/01/Screenshot-2015-01-20-18-26-14.png)
你将会以邮件的方式收到一个根用户凭证。登录进去,然后运行`docker ps`命令来查看系统状态。
### 搭建AWS S3 ###
我们现在将使用Amazo Simple Storage ServiceS3作为我们registry/repository的存储层。我们讲需要创建一个桶(bucket)以及用户凭证user credentials来允许我们的docker容器访问它。
登录到我们的AWS账号如果没有就申请一个[http://aws.amazon.com/][5]在控制台选择S3Simpole Storage Service
![](http://cocoahunter.com/content/images/2015/01/Screenshot-2015-01-20-19-29-21.png)
点击 **Create Bucket**,为你的桶输入一个名字(把它写下来,我们一会需要用到它),然后点击**Create**。
![](http://cocoahunter.com/content/images/2015/01/Screenshot-2015-01-20-19-22-50.png)
OK!我们已经搭建好存储部分了。
### 安装AWS访问凭证###
我们现在将要创建一个新的用户。退回到AWS控制台然后选择IAMIdentity & Access Management)。
![](http://cocoahunter.com/content/images/2015/01/Screenshot-2015-01-20-19-29-08.png)
在dashboard的左边点击Users。然后选择 **Create New Users**
如图所示:
![](http://cocoahunter.com/content/images/2015/01/Screenshot-2015-01-20-19-31-42.png)
输入你的用户名(例如 docker-registry然后点击Create。写下或者下载csv文件你的Access Key以及Secret Access Key。回到你的用户列表然后选择你刚刚创建的用户。
在Permission section下面点击Attach User Policy。之后选择Custom Policy。
![](http://cocoahunter.com/content/images/2015/01/Screenshot-2015-01-20-19-41-21.png)
custom policy的内容如下
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "SomeStatement",
"Effect": "Allow",
"Action": [
"s3:*"
],
"Resource": [
"arn:aws:s3:::docker-registry-bucket-name/*",
"arn:aws:s3:::docker-registry-bucket-name"
]
}
]
}
这个配置将允许用户也就是regitstry来对桶上的内容进行操作读/写确保使用你之前创建AWS S3时使用的桶名。总结起来当你想把你的Docker映像从你的本机推送到仓库中时服务器将能够将他们上传到S3。
### 安装registry ###
现在回过头来看我们的DO服务器SSH登录其上。我们将要使用[^n]一个官方Docker registry映像。[6]
输入如下命令开启registry。
docker run \
-e SETTINGS_FLAVOR=s3 \
-e AWS_BUCKET=bucket-name \
-e STORAGE_PATH=/registry \
-e AWS_KEY=your_aws_key \
-e AWS_SECRET=your_aws_secret \
-e SEARCH_BACKEND=sqlalchemy \
-p 5000:5000 \
--name registry \
-d \
registry
Docker将会从Docker Hub上拉取所需的文件系统层(fs layers)并启动守护容器(daemonised container)。
### 测试registry ###
如果上述操作奏效你可以通过ping命令或者查找它的内容来测试registry虽然这个时候容器还是空的
我们的registry非常基础而且没有提供任何“验明正身”的方式。因为添加身份验证可不是一件轻松事至少我认为没有一种部署方法是简单的像是为了证明你努力过似的我觉得 查询/拉取/推送 仓库内容的最简单方法就是通过SSH的未加密连接(通过HTTP)。
打开SSH通道的操作非常简单
ssh -N -L 5000:localhost:5000 root@your_registry.com
这条命令建立了一条从registry服务器前面执行`docker run`命令的时候我们见过它的5000号端口到本机的5000号端口之间的连接。
如果你现在登录[http://localhost:5000/v1/_ping][7],将会看到下面这个非常简短的回复。
{}
这个意味着registry工作正常。你还可以通过登录[http://localhost:5000/v1/search][8]来查看registry内容回复相似
{
"num_results": 2,
"query": "",
"results": [
{
"description": "",
"name": "username/first-repo"
},
{
"description": "",
"name": "username/second-repo"
}
]
}
### 创建一个映像 ###
我们现在创建一个非常简答的Docker映像来检验我们新弄好的registry。在我们的本机上用如下内容创建一个Dockerfile[^n]:
# Base image with ruby 2.2.0
FROM ruby:2.2.0
MAINTAINER Michelangelo Chasseur <michelangelo.chasseur@touchwa.re>
……创建:
docker build -t localhost:5000/username/repo-name .
`localhost:5000`非常重要Docker映像名的最前面一个部分将告知`docker push`命令我们将要把我们的image推送到哪里。在我们这个例子当中因为我们要通过SSH管道连接远端私有registry`localhost:5000`精确地表示了对我们的registry的一个引用。
如果一切顺利,当命令执行完成返回后,你可以输入`docker images`命令来列出新近创建的映像。执行它看看会出现什么现象?
### 推送到仓库 ###
接下来是更好玩的部分。实现我所描述的东西着实花了我一点时间所以如果你第一次读的话就耐心一点吧跟着我一起操作。我知道接下来的东西会非常复杂如果你不自动化进程就一定会这样但是我保证到最后你一定都能明白。在下一篇文章里我将会使用到一大波shell脚本和Rake任务通过它们实现自动化并且用简单的命令实现部署Rails应用。
你运行的docker命令都是实际上都是在boot2docker虚拟机上运行的。所以当你执行像`docker push some_repo`这样的命令时是boot2docker虚拟机在与registry交互而不是我们自己的机器。
接下来是一个非常重要的点为了将Docker映像推送到远端的私有才哭SSH管道需要在boot2docker虚拟机上配置好。
由许多种方法实现它。我给你展示最简短的一种(可能不是最容易理解的,但是能够帮助你实现自动化)
First of all though we need to sort one last thing with SSH.
(不太会翻译)
### Setting up SSH ###
我们添加boot2docker SSH key到远端服务器已知的hosts里面。我们可以使用ssh-copy-id工具通过下面的命令就可以安装上它了
brew install ssh-copy-id
然后运行:
ssh-copy-id -i /Users/username/.ssh/id_boot2docker root@your-registry.com
用你ssh key的真实路径代替`/Users/username/.ssh/id_boot2docker`。
这样做能够让我们面密码登录SSH。
现在我们来测试以下:
boot2docker ssh "ssh -o 'StrictHostKeyChecking no' -i /Users/michelangelo/.ssh/id_boot2docker -N -L 5000:localhost:5000 root@registry.touchwa.re &" &
分开阐述:
- `boot2docker ssh`允许你以参数的形式传递给boot2docker虚拟机一条执行命令
- 最后面那个`&`表明这条命令将在后台执行;
- `ssh -o 'StrictHostKeyChecking no' -i /Users/michelangelo/.ssh/id_boot2docker -N -L 5000:localhost:5000 root@registry.touchwa.re &`是boot2docker虚拟机实际运行的命令
-`-o 'StrictHostKeyChecking no'`——不提示安全问题;
- `-i /Users/michelangelo/.ssh/id_boot2docker`指出虚拟机使用哪个SSH key来进行身份验证。注意这里的key应该是你前面添加到远程仓库的那个
- 最后我们将打开一条端口5000到本地端口5000的SSH通道。
### 从其他服务器上拉取 ###
你现在将可以通过下面的简单命令将你的映像推送到远端仓库:
docker push localhost:5000/username/repo_name
在下一篇文章[9]中我们将会了解到如何自动化处理这些事务并且真正地容器化一个Rails应用。请继续收听
如有错误请不吝指出。祝你Docker之路顺利
1. 我假设你使用OS X。
1. 想要了解搭建docker环境的完整之南请参阅[http://boot2docker.io/][10]。
1. 本文写成时选择的是 Image > Applications > Docker 1.4.1 on 14.04。
1. [https://github.com/docker/docker-registry/][11]
1. 这是一个存根在下一篇文章里我将会展示给你如何将一个Rails应用绑定进Docker容器中。
--------------------------------------------------------------------------------
via: http://cocoahunter.com/2015/01/23/docker-2/
作者:[Michelangelo Chasseur][a]
译者:[DongShuaike](https://github.com/DongShuaike)
校对:[校对者ID](https://github.com/校对者ID)
本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创翻译,[Linux中国](http://linux.cn/) 荣誉推出
[a]:http://cocoahunter.com/author/michelangelo/
[1]:http://cocoahunter.com/2015/01/23/docker-1/
[2]:http://cocoahunter.com/2015/01/23/docker-3/
[3]:http://cocoahunter.com/2015/01/23/docker-2/#fn:1
[4]:http://cocoahunter.com/2015/01/23/docker-2/#fn:2
[5]:http://aws.amazon.com/
[6]:https://registry.hub.docker.com/_/registry/
[7]:http://localhost:5000/v1/_ping
[8]:http://localhost:5000/v1/search
[9]:http://cocoahunter.com/2015/01/23/docker-3/
[10]:http://boot2docker.io/
[11]:https://github.com/docker/docker-registry/