GitLab, it turns out, even supports a container image registry. In GitLab the feature is called the Container Registry; this post walks through how to enable it.
Enabling the Container Registry requires serving it over HTTPS. The official docs offer two approaches: the GitLab domain plus a dedicated port, or a separate domain. This post uses the second.
Workflow

Two nginx instances are involved. One is the host nginx, which serves the public domain; the other is the nginx inside the GitLab container, which provides HTTPS and other gateway services to the host. docker push uses HTTPS by default, so HTTPS has to be provided through nginx; for ease of management both nginx instances share the same domain and the same certificate.
Take docker.gitlab.demo.com as the Container Registry address and gitlab.demo.com as the GitLab address, so that an image is pushed with
docker push docker.gitlab.demo.com/workerman/thinkphp:latest
Let's look at the two nginx confs.
The conf on the host nginx
upstream docker_gitlab {
    # the nginx inside the GitLab container, on the host port mapped for it
    server docker.gitlab.demo.com:8443;
}
server {
    listen 443;
    server_name docker.gitlab.demo.com;
    ssl on;
    ssl_certificate /etc/nginx/cert/docker.gitlab.demo.com.pem;
    ssl_certificate_key /etc/nginx/cert/docker.gitlab.demo.com.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # protocol versions to allow; TLSv1 and TLSv1.1 are deprecated, the container conf below allows only TLSv1.2/1.3
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE; # cipher suites to allow
    ssl_prefer_server_ciphers on; # server ciphers take precedence over client ciphers (SSLv3 and TLS)
    access_log /var/log/nginx/docker.gitlab.demo.com-access.log;
    error_log /var/log/nginx/docker.gitlab.demo.com-error.log;
    location / {
        proxy_pass_header Server;
        proxy_set_header Host $host;
        proxy_set_header Connection "";
        proxy_set_header X-Real-IP $remote_addr;
        proxy_pass https://docker_gitlab; # note: https here, the container nginx terminates TLS too
    }
}
The nginx conf inside the container
A few related points:
docker exec -it gitlab /bin/bash
enters the running container named gitlab.
/var/opt/gitlab/nginx/conf/gitlab-registry.conf
is the Container Registry nginx config file inside the container.
server {
    listen *:443 ssl;
    server_name docker.gitlab.demo.com;
    server_tokens off; ## Don't show the nginx version number, a security best practice
    client_max_body_size 0;
    chunked_transfer_encoding on;
    ## Strong SSL Security
    ## https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html & https://cipherli.st/
    ssl_certificate /etc/gitlab/ssl/docker.gitlab.demo.com.pem;
    ssl_certificate_key /etc/gitlab/ssl/docker.gitlab.demo.com.key;
    ssl_ciphers 'ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4';
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    ssl_session_cache builtin:1000 shared:SSL:10m;
    ssl_session_timeout 5m;
    ## Real IP Module Config
    ## http://nginx.org/en/docs/http/ngx_http_realip_module.html
    access_log /var/log/gitlab/nginx/gitlab_registry_access.log gitlab_access;
    error_log /var/log/gitlab/nginx/gitlab_registry_error.log;
    location / {
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Forwarded-Ssl on;
        proxy_read_timeout 900;
        proxy_cache off;
        proxy_buffering off;
        proxy_request_buffering off;
        proxy_http_version 1.1;
        proxy_pass http://0.0.0.0:4567;
    }
}
Here
ssl_certificate /etc/gitlab/ssl/docker.gitlab.demo.com.pem;
ssl_certificate_key /etc/gitlab/ssl/docker.gitlab.demo.com.key;
share the host's certificate for docker.gitlab.demo.com.
And
proxy_pass http://0.0.0.0:4567;
means the Container Registry itself is listening on port 4567. How is that configured? Next we edit the GitLab configuration file.
Edit the GitLab configuration file
vi /srv/gitlab/config/gitlab.rb
gitlab_rails['registry_enabled'] = true # enable the Container Registry
gitlab_rails['registry_host'] = "docker.gitlab.demo.com" # registry address GitLab advertises to clients; here the docker.* domain
registry['registry_http_addr'] = "0.0.0.0:4567" # address and port the Container Registry listens on
gitlab_rails['registry_path'] = "/var/opt/gitlab/gitlab-rails/shared/registry" # image storage path, already mounted from the host
registry_nginx['ssl_certificate'] = "/etc/gitlab/ssl/docker.gitlab.demo.com.pem" # domain certificate path; required
registry_nginx['ssl_certificate_key'] = "/etc/gitlab/ssl/docker.gitlab.demo.com.key" # domain certificate key path; required
Apply the configuration:
docker exec gitlab gitlab-ctl reconfigure
ssl_certificate must be set; otherwise reconfigure fails with an error.
Open GitLab in a browser

Docker operations
docker login docker.gitlab.demo.com
Enter your GitLab username (not the email address) and password.
docker tag zentao:latest docker.gitlab.demo.com/workerman/thinkphp:latest
Tag your image; workerman/thinkphp is the GitLab group/project.
docker push docker.gitlab.demo.com/workerman/thinkphp:latest
The push succeeds; check the result:

Optimization
During the push we noticed it was very slow: the domain resolves to the public IP, so the push actually goes over public bandwidth.
In my environment the image being pushed and the registry sit on the same host, so docker.gitlab.demo.com should resolve locally on both the host and inside the Docker container; then the push is fast.
Host and Docker settings
cat /etc/hosts
127.0.0.1 docker.gitlab.demo.com
One drawback: if the gitlab container is recreated, /etc/hosts inside the container has to be set up again.
Looking at the container's nginx conf, it reverse-proxies to http://0.0.0.0:4567. Since host port 4567 was mapped to the container's port 4567 at docker run, the host nginx need not go through the container's nginx at all; it can proxy straight to http://0.0.0.0:4567.
Next, copy the container's nginx conf out and merge it with the host's to produce the new host conf:
server {
    listen *:443 ssl;
    server_name docker.gitlab.demo.com;
    server_tokens off; ## Don't show the nginx version number, a security best practice
    client_max_body_size 0;
    chunked_transfer_encoding on;
    ssl on; # redundant with 'listen ... ssl' above; deprecated in newer nginx
    ssl_certificate /etc/nginx/cert/docker.gitlab.demo.com.pem;
    ssl_certificate_key /etc/nginx/cert/docker.gitlab.demo.com.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # protocol versions to allow; TLSv1 and TLSv1.1 are deprecated, the container conf allows only TLSv1.2/1.3
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE; # cipher suites to allow
    ssl_prefer_server_ciphers on; # server ciphers take precedence over client ciphers (SSLv3 and TLS)
    ssl_session_cache builtin:1000 shared:SSL:10m;
    ssl_session_timeout 5m;
    ## Real IP Module Config
    ## http://nginx.org/en/docs/http/ngx_http_realip_module.html
    access_log /var/log/nginx/docker.gitlab.demo.com-access.log;
    error_log /var/log/nginx/docker.gitlab.demo.com-error.log;
    location / {
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Forwarded-Ssl on;
        proxy_read_timeout 900;
        proxy_cache off;
        proxy_buffering off;
        proxy_request_buffering off;
        proxy_http_version 1.1;
        proxy_pass http://0.0.0.0:4567; # straight to the registry port mapped from the container
    }
}
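As an added check that is not part of the original post: a small Python linter that parses flat nginx server blocks like the two confs above and flags the differences between them that matter for a registry endpoint (deprecated TLS versions, server_tokens, client_max_body_size and the X-Forwarded-* headers the registry behind nginx relies on). The two conf excerpts inside it are constructed to mirror the host conf and the container conf, not copied files.

```python
import re

# Constructed excerpts modelled on the two nginx confs in this post (not the real
# files): HOST_CONF is the host-side block, CONTAINER_CONF the GitLab-generated one.
HOST_CONF = """
server {
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # weak versions still allowed
    location / {
        proxy_set_header Host $host;
        proxy_pass https://docker_gitlab;
    }
}"""
CONTAINER_CONF = """
server {
    server_tokens off;
    client_max_body_size 0;
    ssl_protocols TLSv1.2 TLSv1.3;
    location / {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        proxy_pass http://0.0.0.0:4567;
    }
}"""
# One "name value;" directive per line; a trailing "# comment" is ignored.
DIRECTIVE = re.compile(r"^\s*([a-z_]+)\s+([^#;\n]*?)\s*;", re.M)
DEPRECATED_TLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

def parse_directives(conf):
    """{directive: [split value list, ...]}; enough for these flat blocks."""
    found = {}
    for name, value in DIRECTIVE.findall(conf):
        found.setdefault(name, []).append(value.split())
    return found

def lint_registry_conf(conf):
    """List the settings a public registry TLS endpoint should not ship with."""
    d = parse_directives(conf)
    findings = []
    protos = {p for vals in d.get("ssl_protocols", []) for p in vals}
    weak = sorted(protos & DEPRECATED_TLS)
    if weak:
        findings.append("deprecated TLS versions enabled: " + ", ".join(weak))
    if ["off"] not in d.get("server_tokens", []):
        findings.append("server_tokens off missing: nginx version disclosed")
    if d.get("client_max_body_size") != [["0"]]:
        findings.append("client_max_body_size not 0: large layer pushes get HTTP 413")
    headers = {v[0] for v in d.get("proxy_set_header", []) if v}
    for h in ("X-Real-IP", "X-Forwarded-For", "X-Forwarded-Proto"):
        if h not in headers:
            findings.append("proxy_set_header " + h + " missing")
    return findings
```

Run lint_registry_conf on the merged host conf before reloading nginx; the container conf as GitLab generates it comes back clean, while the original host block reports the weak protocols and the missing headers.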
The overall flow is as follows:
