Docker-配置私有仓库
时间:2023-06-23 00:37:00
Docker简介
Docker 仓库用于包含镜像的位置,Docker提供注册服务器
(Register)为了保存多个仓库,每个仓库可以包含多个不同的仓库tag
的镜像。
Docker默认仓库用于运行 Docker Hub 公共仓库。
2. Registry 工作原理
2.1 一次docker pull 或 push背后发生的事
index服务主要提供镜像索引和用户认证。下载镜像时,首先
会去index做服务认证,然后找镜像所在registry并放回地址docker客户
端,docker客户端再从registry下载镜像,在下载过程中 registry会去index校验客
户端token不同的镜像可以保存不同的合法性registry在服务方面,所有索引信息都被放置在服务中
在index服务上。
2. 2 Docker Registry有三个角色,分别是index、registry和registry client。
index
? 负责并维护用户账户、镜像的验证和公共命名空间的信息。
? Web UI
? 元数据存储
? 认证服务
? 符号化
registry
? 它是一个没有本地数据库和用户认证的镜像和图表的仓库。
Index Auth service的Token的方式进行认证。
? Registry Client
? Docker充当registry客户端维护推送和提取,以及客户端授权。
Registry Client
? Docker充当registry客户端维护推送和提取,以及客户端授权。
2.3 情景A:用户需要获取并下载镜像。
2.4 情景B:用户要把镜像推到registry中。
2.5 情景C:用户要从index或registry镜像中删除。
3 . 配有镜像加速器
从docker hub上下载镜像的速度太慢,需要配置镜像加速器。以阿里云为例:(需要提前注册阿里云账号)
3.1 配置docker daemon文件
[root@lnmp0 ~]# cd /etc/docker/ [root@lnmp0 docker]# vim daemon.json { "registry-mirrors": ["https://vo5twm71.mirror.aliyuncs.com"] } 3.2 重载docker服务
[root@lnmp0 ~]# systemctl daemon-reload [root@lnmp0 ~]# systemctl restart docker.service4. 搭建私人仓库
docker hub虽然方便,但还是有限制的。
? 需要internet慢速连接
? 每个人都可以访问
? 由于安全原因,企业不允许将镜像放在外网
好消息是docker公司已经将registry我们可以快速建立企业私人仓库
[root@lnmp0 ~]# docker pull registry Using default tag: latest latest: Pulling from library/registry 2408cc74d12b: Pull complete ea60b727a1ce: Pull complete c87369050336: Pull complete e69d20d3dd20: Pull complete fc30d7061437: Pull complete Digest: sha256:bedef0f1d248508fe0a16d2cacea1d2e68e899b2220e2258f1b604e1f327d475 Status: Downloaded newer image for registry:latest docker.io/library/registry:latest 4.2运行registry容器
[root@lnmp0 ~]# docker run -d --name registry -p 5000:5000 registry 176a6d135ca800390cc61c3c114934259ae64d204f3de3e781e343a61db5a316 [root@lnmp0 ~]# docker ps CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES 176a6d135ca8 registry "/entrypoint.sh /etc…" 12 seconds ago Up 11 seconds 0.0.0.0:5000->5000/tcp, :::5000->5000/tcp registry 4.3将镜像上传到当地仓库
本地镜像在命名时需要添加仓库ip和端口
[root@lnmp0 ~]# docker tag nginx:latest localhost:5000/nginx:latest [root@lnmp0 ~]# docker push localhost:5000/nginx Using default tag: latest The push refers to repository [localhost:5000/nginx] 33e3df466e11: Pushed 747b7a567071: Pushed 57d3fc88cb3f: Pushed 53ae81198b64: Pushed 58354abe5f0e: Pushed ad6562704f37: Pushed latest: digest: sha256:25dedae0aceb6b4fe5837a0acbacc6580453717f126a095aa05a3c6fcea14dd4 size: 1570 [root@lnmp0 ~]# curl localhost:5000/v2/_catalog {"repositories":["nginx"]} 5 .为Docker仓库加密功能加密证书
域名在生成证书时reg.
westos.org
要求在主机上进行分析
5.1 生成密钥时,是的openssl版本有要求,需要先升级openssl到openssl11
[root@lnmp0 ~]# yum install openssl11-1.1.1k-2.el7.x86_64.rpm openssl11-libs-1.1.1k-2.el7.x86_64.rpm -y Loaded plugins: langpacks, product-id, search-disabled-repos, subscription-manager This system is not registered with an entitlement server. You can use subscription-manager to register. Examining openssl11-1.1.1k-2.el7.x86_64.rpm: 1:openssl11-1.1.1k-2.el7.x86_64 Marking openssl11-1.1.1k-2.el7.x86_64.rpm to be installed Resolving Dependencies --> Running transaction check ---> Package openssl11.x86_64 1:1.1.1k-2.el7 will be installed --> Finished Dependency Resolution .......
5.2 生成证书
[root@lnmp0 ~]# mkdir certs ##存放证书的目录
[root@lnmp0 ~]# openssl11 req -newkey rsa:4096 -nodes -sha256 -keyout certs/westos.org.key -addext "subjectAltName = DNS:reg.westos.org" -x509 -days 365 -out certs/westos.org.crt ##生成证书
Generating a RSA private key
..++++
........................++++
writing new private key to 'certs/westos.org.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Shaanxi
Locality Name (eg, city) [Default City]:Xi'an
Organization Name (eg, company) [Default Company Ltd]:westos
Organizational Unit Name (eg, section) []:linux
Common Name (eg, your name or your server's hostname) []:reg.westos.org
Email Address []:root@westos.org
##这里的Common Name (eg, your name or your server's hostname) []:reg.westos.org,域名一定要和"subjectAltName = DNS:reg.westos.org"的域名一样,否则无法解析
6 . 重建registry容器
6.1 先删除容器和容器创建的卷
[root@lnmp0 docker]# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
176a6d135ca8 registry "/entrypoint.sh /etc…" 28 minutes ago Up 28 minutes 0.0.0.0:5000->5000/tcp, :::5000->5000/tcp registry
[root@lnmp0 docker]# docker rm -f 176a6d135ca8
176a6d135ca8
[root@lnmp0 docker]# docker volume prune
WARNING! This will remove all local volumes not used by at least one container.
Are you sure you want to continue? [y/N] y
Deleted Volumes:
766c4987441e379c4890e6e3acd000774e7a388581f50219faeecc068e791401
5216f00b72a6fdeefa98f484ba6c294385b09de715c26f22b3e87c2e931873f0
ad58e70a93475ca724b9316356dc79504502bc3e81b8a16c971399574c9bc056
7db19d4105051add9fd884b488a3b2078f39590668a17c6a42f85fa0d50daf83
c822caf78106b2db18b2b64748ddbe73ce22b52a21b374a5774805a2b5f519c1
6.2 添加解析,重新运行容器
[root@lnmp0 ~]# vim /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.155.100 lnmp0 reg.westos.org
[root@lnmp0 ~]# docker run -d --restart=always --name registry -v /root/certs:/certs -v /opt/registry:/var/lib/registry -v /root/auth:/auth -e "REGISTRY_AUTH=htpasswd" -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd -e REGISTRY_HTTP_ADDR=0.0.0.0:443 -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/westos.org.crt -e REGISTRY_HTTP_TLS_KEY=/certs/westos.org.key -p 443:443 registry
0dce86653079cd51b40c29b78e74bd5a639007e6b4f668d59509f6cf70ccf20c
[root@lnmp0 ~]# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
0dce86653079 registry "/entrypoint.sh /etc…" 20 seconds ago Up 19 seconds 0.0.0.0:443->443/tcp, :::443->443/tcp, 5000/tcp registry
[root@lnmp0 ~]# curl -k https://reg.westos.org/v2/_catalog -u admin:westos
{"repositories":["nginx"]}
6.2.1 重新运行容器的参数详解
docker run -d #后台运行
--restart=always #跟随docker启动
--name registry #容器名称
-v /root/certs:/certs #目录映射关系——宿主机目录:容器内目录
-v /opt/registry:/var/lib/registry #目录映射
-e REGISTRY_HTTP_ADDR=0.0.0.0:443 #允许端口
-e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/westos.org.crt #证书名称及域名
-e REGISTRY_HTTP_TLS_KEY=/certs/westos.org.key #证书名称及域名
-p 443:443 #端口映射——宿主机端口:容器端口
registry #镜像名称6.3 拷贝证书到docker主机
[root@lnmp0 certs]# mkdir -p /etc/docker/certs.d/reg.westos.org ##建立的目录名字和域名“reg.westos.org”保持一致,docker会自动识别
[root@lnmp0 certs]# cp westos.org.crt /etc/docker/certs.d/reg.westos.org/ca.crt ##拷贝到这个固定目录后,docker会自动识别
6.4 测试上传镜像
[root@lnmp0 certs]# docker tag nginx:latest reg.westos.org/nginx:latest ##更改成私有仓库的标签 [root@lnmp0 certs]# docker push reg.westos.org/nginx:latest ##上传镜像 The push refers to repository [reg.westos.org/nginx] 33e3df466e11: Pushed 747b7a567071: Pushed 57d3fc88cb3f: Pushed 53ae81198b64: Pushed 58354abe5f0e: Pushed ad6562704f37: Pushed latest: digest: sha256:25dedae0aceb6b4fe5837a0acbacc6580453717f126a095aa05a3c6fcea14dd4 size: 1570
7. 为Docker仓库添加用户认证功能
7. 1 下载创建密钥所要用的工具,删除运行的registry容器
[root@lnmp0 ~]# mkdir auth ##创建存储信息的目录
[root@lnmp0 ~]# yum install httpd-tools -y ##下载创建密钥所要用的工具
Loaded plugins: langpacks, product-id, search-disabled-repos, subscription-manager
This system is not registered with an entitlement server. You can use subscription-manager to register.
Resolving Dependencies
--> Running transaction check
---> Package httpd-tools.x86_64 0:2.4.6-88.el7 will be updated
..............
[root@lnmp0 ]# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
0300e39e8acb registry "/entrypoint.sh /etc…" 42 minutes ago Up 13 minutes 0.0.0.0:443->443/tcp, :::443->443/tcp, 5000/tcp registry
[root@lnmp0 ]# docker rm -f 0300e39e8acb ##删除运行的registry容器
0300e39e8acb
7.2 创建用户,生成文件
[root@lnmp0 ~]# htpasswd -cB auth/htpasswd admin ##第一次创建admin用户,要用到参数-cB
New password:
Re-type new password:
Adding password for user admin
[root@lnmp0 ~]# htpasswd -B auth/htpasswd westos ##第二次创建用户时不能添加参数-c只用到-B,否则会覆盖第一次所创建的文件
New password:
Re-type new password:
Adding password for user westos
[root@lnmp0 ~]# cat auth/htpasswd ##生成的证书文件
admin:$2y$05$5Eh751dZlXKD/NFggCKlW.1gFaNeOlYaUhleZTXmlMEeHPrqgjkHu
westos:$2y$05$Vb0aCA5RcxEuUWRwPbEt/uJ4.mmBXVzmkr5XxKjWY2uj26ipcoDk6
7.3 重新运行容器registry
[root@lnmp0 ~]# docker run -d --restart=always --name registry -v /root/certs:/certs -v /opt/registry:/var/lib/registry -v /root/auth:/auth -e "REGISTRY_AUTH=htpasswd" -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd -e REGISTRY_HTTP_ADDR=0.0.0.0:443 -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/westos.org.crt -e REGISTRY_HTTP_TLS_KEY=/certs/westos.org.key -p 443:443 registry
0dce86653079cd51b40c29b78e74bd5a639007e6b4f668d59509f6cf70ccf20c
[root@lnmp0 ~]# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
0dce86653079 registry "/entrypoint.sh /etc…" 20 seconds ago Up 19 seconds 0.0.0.0:443->443/tcp, :::443->443/tcp, 5000/tcp registry
[root@lnmp0 ~]# curl -k https://reg.westos.org/v2/_catalog -u admin:westos ##查看私有仓库的镜像
{"repositories":["nginx"]}
8. docker主机认证
[root@lnmp0 ~]# docker login reg.westos.org ##用之前创建的用户密码登录私有仓库
Username: admin
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
[root@lnmp0 ~]# docker yakexi007/busyboxplus reg.westos.org/yakexi007/busyboxplus
[root@lnmp0 ~]# docker push reg.westos.org/yakexi007/busyboxplus ##测试上传镜像至私有仓库
Using default tag: latest
The push refers to repository [reg.westos.org/yakexi007/busyboxplus]
5f70bf18a086: Pushed
774600fa57ae: Pushed
075a34aac01b: Pushed
latest: digest: sha256:9d1c242c1fd588a1b8ec4461d33a9ba08071f0cc5bb2d50d4ca49e430014ab06 size: 1353
[root@lnmp0 ~]# curl -k https://reg.westos.org/v2/_catalog -u admin:westos
{"repositories":["nginx","yakexi007/busyboxplus"]} ##上传成功
