
Docker Learning and Practice (Part 4)

Date: 2018-05-11 13:09:15

Tags: registry, docker

IV. Registry Management

1. Create a local registry

① Get the official registry image

[root@dockertest ~]# docker run -d -p 5000:5000 --restart=always --name registry registry:2
Unable to find image 'registry:2' locally
2: Pulling from library/registry
81033e7c1d6a: Pull complete 
b235084c2315: Pull complete 
c692f3a6894b: Pull complete 
ba2177f3a70e: Pull complete 
a8d793620947: Pull complete 
Digest: sha256:672d519d7fd7bbc7a448d17956ebeefe225d5eb27509d8dc5ce67ecb4a0bce54
Status: Downloaded newer image for registry:2
f59d18d8302b6589d5e94f901c1161a48854593cc32ee3259c806bc648c437df

# By default the registry stores its data in /var/lib/registry inside the container. Use -v to keep the image files in a chosen directory on the host instead.

docker run -d -p 5000:5000 --restart=always -v /opt/docker/registry/data:/var/lib/registry --name registry registry:2

② Push an image to the registry

[root@dockertest ~]# docker tag nginx:latest 192.168.10.131:5000/nginx:latest
[root@dockertest ~]# docker push 192.168.10.131:5000/nginx:latest
The push refers to repository [192.168.10.131:5000/nginx]
Get https://192.168.10.131:5000/v2/: http: server gave HTTP response to HTTPS client

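# On CentOS 7, Docker must be configured to allow access to this registry without HTTPS (the insecure-registries entry below) and then restarted. A registry listed under insecure-registries is contacted without certificate verification and may fall back to plain HTTP, so use this only for testing; section 2 sets up TLS instead.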

[root@dockertest ~]# cat /etc/docker/daemon.json
{
    "registry-mirrors": [
        "https://registry.docker-cn.com"
    ],
    "insecure-registries": [
        "192.168.10.131:5000"
    ]
}
[root@dockertest ~]# systemctl restart docker.service
[root@dockertest ~]# docker push 192.168.10.131:5000/nginx:latest
The push refers to repository [192.168.10.131:5000/nginx]
e89b70d28795: Pushed 
832a3ae4ac84: Pushed 
014cf8bfcb2d: Pushed 
latest: digest: sha256:600bff7fb36d7992512f8c07abd50aac08db8f17c94e3c83e47d53435a1a6f7c size: 948
[root@dockertest ~]# curl 192.168.10.131:5000/v2/_catalog
{"repositories":["nginx"]}

③ Delete the local image and pull it again from the registry

[root@dockertest ~]# docker image rm 192.168.10.131:5000/nginx:latest
[root@dockertest ~]# docker pull 192.168.10.131:5000/nginx:latest
latest: Pulling from nginx
8176e34d5d92: Pull complete 
5b19c1bdd74b: Pull complete 
4e9f6296fa34: Pull complete 
Digest: sha256:600bff7fb36d7992512f8c07abd50aac08db8f17c94e3c83e47d53435a1a6f7c
Status: Downloaded newer image for 192.168.10.131:5000/nginx:latest

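2. Configure a private registry that requires certificate authentication

① Edit /etc/pki/tls/openssl.cnf so that the certificate supports access by IP address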

[ v3_ca ]
subjectAltName = IP:192.168.10.131

② Generate the certificate and key with openssl

[root@dockertest registry]# mkdir -p certs 
[root@dockertest registry]# openssl req \
> -newkey rsa:4096 -nodes -sha256 -keyout certs/domain.key \
> -x509 -days 365 -out certs/domain.crt
Generating a 4096 bit RSA private key
...........++
..............................................................................................++
writing new private key to 'certs/domain.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:
Locality Name (eg, city) [Default City]:
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:192.168.10.131:5000
Email Address []:

③ Copy the newly generated domain.crt to /etc/docker/certs.d/192.168.10.131:5000/ca.crt and restart docker. The directory name under certs.d must match the registry's host:port as it appears in image names.

[root@dockertest registry]# mkdir -p /etc/docker/certs.d/192.168.10.131:5000
[root@dockertest registry]# cp certs/domain.crt /etc/docker/certs.d/192.168.10.131:5000/ca.crt
[root@dockertest registry]# systemctl restart docker

④ Run the registry

[root@dockertest registry]# docker run -d -u root -p 5000:5000 \
> --name private_registry  --restart=always \
> -v /opt/docker/registry/data:/var/lib/registry \
> -v /opt/docker/registry/certs:/certs \
> -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt \
> -e REGISTRY_HTTP_TLS_KEY=/certs/domain.key \
> registry:2
9d145ea538fda7687734a2a170ff21524bc8fc65fee81b2a12c43ef3a43a576a

⑤ Push an image to the registry

[root@dockertest ~]# docker push 192.168.10.131:5000/nginx
The push refers to repository [192.168.10.131:5000/nginx]
e89b70d28795: Pushed 
832a3ae4ac84: Pushed 
014cf8bfcb2d: Pushed 
latest: digest: sha256:600bff7fb36d7992512f8c07abd50aac08db8f17c94e3c83e47d53435a1a6f7c size: 948

⑥ Pull the newly uploaded image from another machine

[root@localhost ~]# docker pull 192.168.10.131:5000/nginx
Using default tag: latest
Error response from daemon: Get https://192.168.10.131:5000/v2/: x509: certificate signed by unknown authority

# The pull fails because this machine does not have the certificate. Copy the certificate from 192.168.10.131 to /etc/docker/certs.d/192.168.10.131:5000/ca.crt on this machine and restart docker.

[root@localhost 192.168.10.131:5000]# docker pull 192.168.10.131:5000/nginx
Using default tag: latest
latest: Pulling from nginx
8176e34d5d92: Pull complete 
5b19c1bdd74b: Pull complete 
4e9f6296fa34: Pull complete 
Digest: sha256:600bff7fb36d7992512f8c07abd50aac08db8f17c94e3c83e47d53435a1a6f7c
Status: Downloaded newer image for 192.168.10.131:5000/nginx:latest
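
Steps ①, ② and ③ (and the certificate copy in ⑥) as an added example that is not part of the original article: the script builds the certificate from a private config file instead of editing /etc/pki/tls/openssl.cnf, checks that the certificate really lists the registry IP as a subjectAltName, and installs it under certs.d only when it does. The function names and the san.cnf file name are assumptions made for this example.

```shell
#!/bin/sh
# Added example; make_registry_cert, cert_covers_ip and install_registry_ca
# are hypothetical helper names, not part of Docker or OpenSSL.

# make_registry_cert IP OUTDIR [BITS]: self-signed cert whose SAN lists IP,
# generated from a private config rather than the system-wide openssl.cnf.
make_registry_cert() {
    ip=$1 dir=$2 bits=${3:-4096}
    mkdir -p "$dir" || return 1
    cat > "$dir/san.cnf" <<EOF
[ req ]
distinguished_name = dn
x509_extensions    = v3_ca
prompt             = no
[ dn ]
CN = $ip
[ v3_ca ]
basicConstraints = CA:TRUE
subjectAltName   = IP:$ip
EOF
    openssl req -newkey "rsa:$bits" -nodes -sha256 -x509 -days 365 \
        -config "$dir/san.cnf" \
        -keyout "$dir/domain.key" -out "$dir/domain.crt" 2>/dev/null
}

# cert_covers_ip CRT IP: succeed only if IP is listed as an IP SAN in CRT.
# Exact-line match, so 192.168.10.13 does not match 192.168.10.131.
cert_covers_ip() {
    openssl x509 -in "$1" -noout -text | tr ',' '\n' |
        sed 's/^ *//; s/ *$//' | grep -Fxq "IP Address:$2"
}

# install_registry_ca CRT HOST:PORT [CERTS_D]: copy CRT to
# CERTS_D/HOST:PORT/ca.crt, refusing a cert that does not cover HOST.
install_registry_ca() {
    crt=$1 registry=$2 certs_d=${3:-/etc/docker/certs.d}
    cert_covers_ip "$crt" "${registry%%:*}" || {
        echo "refusing: $crt has no IP SAN for ${registry%%:*}" >&2
        return 1
    }
    mkdir -p "$certs_d/$registry" &&
        cp "$crt" "$certs_d/$registry/ca.crt"
}
```

Docker checks an IP-addressed registry against the certificate's subjectAltName entries, not the Common Name, so running the cert_covers_ip check before copying the file to other machines catches a missing SAN early.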

Original article: http://blog.51cto.com/lullaby/2115130
