码迷,mamicode.com
首页 > 其他好文 > 详细

Docker私有仓库registry

时间:2018-08-28 17:06:20      阅读:153      评论:0      收藏:0      [点我收藏+]

标签:好的   open   cond   密码   ring   仓库   mon   ref   信任   

1、docker私有仓库的搭建与使用
    docker不仅有一个中央仓库,同时也允许我们搭建自己的私有仓库,如果读者对maven有了解,将很容易理解私有仓库的优势:
    1、节省带宽,镜像无需从中央仓库下载,只需要从私有仓库中下载即可
    2、对于私有仓库中已经有的镜像,提升了下载速度
    3、便于内部镜像的统一管理
2、下面我们来讲解一下如何搭建、使用私有仓库:
    1、准备两台安装有docker的Centos7的机器,主机规划如下:
        主机         IP               角色
        node1       192.168.56.11    docker开发机
        node2        192.168.56.12    docker私有仓库
3、安装、使用私有仓库
    1、使用域名搭建https的私有仓库
        1、首先修改两台机器的hosts,配置192.168.56.12到 docker.reg.com的映射,如果内部有 DNS,则不需要这样配置

echo 192.168.56.12 docker.reg.com>> /etc/hosts
操作方法:
[root@linux-node2 ~]# echo 192.168.11.12 docker.reg.com>> /etc/hosts
[root@linux-node2 ~]# 
[root@linux-node1 ~]# echo 192.168.11.12 docker.reg.com>> /etc/hosts
[root@linux-node1 ~]#

2、既然使用https,那么我们需要生成证书,本文讲解的是使用openssl自签名证书,当然也可以使用诸如Let’s Encrypt 等工具生成证书,首先在node2机器上生成key:

[root@linux-node2 ~]# mkdir -p ~/certs
[root@linux-node2 ~]# cd certs/
[root@linux-node2 certs]# openssl genrsa -out docker.reg.com.key 2048
Generating RSA private key, 2048 bit long modulus
.........+++
......................................................................................................................................................................+++
e is 65537 (0x10001)
[root@linux-node2 certs]# 
        生成密钥
[root@linux-node2 certs]# openssl req -newkey rsa:4096 -nodes -sha256 -keyout docker.reg.com.key -x509 -days 365 -out docker.reg.com.crt
Generating a 4096 bit RSA private key
........................................................................................................++
..............++
writing new private key to docker.reg.com.key
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ., the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN           #你的国家
State or Province Name (full name) []:BJ       # 省份
Locality Name (eg, city) [Default City]:BJ     #城市
Organization Name (eg, company) [Default Company Ltd]:it      #组织名称
Organizational Unit Name (eg, section) []:it                  #组织单元名称
Common Name (eg, your name or your servers hostname) []:docker.reg.com      #域名
Email Address []:abcd@163.com          #邮箱
[root@linux-node2 certs]# 
[root@linux-node2 certs]# ls
docker.reg.com.crt  docker.reg.com.key
[root@linux-node2 certs]# 
这样自制签名就制作完成了

        4、 由于是自签名证书,默认是不受Docker信任的,故而需要将证书添加到Docker的根证书中,Docker在CentOS 7中,证书存放路径是/etc/docker/certs.d/域名:

node2端:
[root@linux-node2 ~]# mkdir -p /etc/docker/certs.d/docker.reg.com
[root@linux-node2 ~]# cp ~/certs/docker.reg.com.crt /etc/docker/certs.d/docker.reg.com/
[root@linux-node2 ~]# 

node1端:将生成的证书现在到根证书路径
[root@linux-node1 ~]# mkdir -p /etc/docker/certs.d/docker.reg.com
[root@linux-node1 ~]# scp root@192.168.56.12:/root/certs/docker.reg.com.crt /etc/docker/certs.d/docker.reg.com/
The authenticity of host 192.168.56.12 (192.168.56.12) cant be established.
ECDSA key fingerprint is d7:ed:3d:79:50:c5:da:99:13:be:13:65:fe:5a:ec:a6.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 192.168.56.12 (ECDSA) to the list of known hosts.
root@192.168.56.12s password: 
docker.reg.com.crt                                                                                                         100% 2057     2.0KB/s   00:00    
[root@linux-node1 ~]# ll /etc/docker/certs.d/docker.reg.com/
total 4
-rw-r--r-- 1 root root 2057 Aug 28 10:58 docker.reg.com.crt
[root@linux-node1 ~]# 

重启node1和node2的 Docker
[root@linux-node1 ~]# systemctl restart docker
[root@linux-node1 ~]# 
[root@linux-node2 ~]# systemctl restart docker
[root@linux-node2 ~]#

5、在node2上启动私有仓库
首先切换到家目录,这一步不能少,原因下面的-v挂载了证书,如果不切换,将会引领不到证书

cd ~

6、启动docker私有仓库

1、创建Docker私有仓库目录
[root@linux-node2 ~]# mkdir /opt/docker-image -p
2、启动docker私有仓库
[root@linux-node2 ~]# docker run -d -p 443:5000 --restart=always --name registry2   -v `pwd`/certs:/certs -v /opt/docker-image:/var/lib/registry  -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/docker.reg.com.crt   -e REGISTRY_HTTP_TLS_KEY=/certs/docker.reg.com.key  registry:2
Unable to find image registry:2 locally
2: Pulling from library/registry
4064ffdc82fe: Pull complete 
c12c92d1c5a2: Pull complete 
4fbc9b6835cc: Pull complete 
765973b0f65f: Pull complete 
3968771a7c3a: Pull complete 
Digest: sha256:51bb55f23ef7e25ac9b8313b139a8dd45baa832943c8ad8f7da2ddad6355b3c8
Status: Downloaded newer image for registry:2
f5808ac5c389e81ac91458fa8160605b738b5aadd3f1b202ae5bb951b104b38b
[root@linux-node2 ~]# docker ps 
CONTAINER ID        IMAGE               COMMAND                  CREATED             STATUS              PORTS                   NAMES
f5808ac5c389        registry:2          "/entrypoint.sh /etc…"   32 seconds ago      Up 31 seconds       0.0.0.0:443->5000/tcp   registry
[root@linux-node2 ~]#
其中,之所以挂载/opt/docker-image目录,是为了防止私有仓库容器被删除,私有仓库中的镜像也会丢失

7、在Docker开发机上pull镜像以及上传到私有库

[root@linux-node1 ~]# docker pull nginx
Using default tag: latest
latest: Pulling from library/nginx
be8881be8156: Pull complete 
32d9726baeef: Pull complete 
87e5e6f71297: Pull complete 
Digest: sha256:d85914d547a6c92faa39ce7058bd7529baacab7e0cd4255442b04577c4d1f424
Status: Downloaded newer image for nginx:latest
[root@linux-node1 ~]# docker images
REPOSITORY          TAG                 IMAGE ID            CREATED             SIZE
nginx               latest              c82521676580        4 weeks ago         109MB
[root@linux-node1 ~]# 
[root@linux-node1 ~]# docker images
REPOSITORY             TAG                 IMAGE ID            CREATED             SIZE
nginx                  latest              c82521676580        4 weeks ago         109MB
docker.reg.com/nginx   1                   c82521676580        4 weeks ago         109MB
[root@linux-node1 ~]# 
[root@linux-node1 ~]# docker tag nginx docker.reg.com/nginx:1
[root@linux-node1 ~]# docker push docker.reg.com/nginx:1
The push refers to repository [docker.reg.com/nginx]
08d25fa0442e: Pushed 
a8c4aeeaa045: Pushed 
cdb3f9544e4c: Pushed 
1: digest: sha256:4ffd9758ea9ea360fd87d0cee7a2d1cf9dba630bb57ca36b3108dcd3708dc189 size: 948
说明已经push成功
[root@linux-node1 ~]#

8、在Docker开发机上删除本地docker删除本地镜像缓存,从私有库pull镜像

[root@linux-node1 ~]# docker images
REPOSITORY             TAG                 IMAGE ID            CREATED             SIZE
nginx                  latest              c82521676580        4 weeks ago         109MB
docker.reg.com/nginx   1                   c82521676580        4 weeks ago         109MB
删除本机缓存
[root@linux-node1 ~]# docker rmi docker.reg.com/nginx:1
Untagged: docker.reg.com/nginx:1
Untagged: docker.reg.com/nginx@sha256:4ffd9758ea9ea360fd87d0cee7a2d1cf9dba630bb57ca36b3108dcd3708dc189
[root@linux-node1 ~]# docker images
REPOSITORY          TAG                 IMAGE ID            CREATED             SIZE
nginx               latest              c82521676580        4 weeks ago         109MB
[root@linux-node1 ~]# docker rmi nginx
Untagged: nginx:latest
Untagged: nginx@sha256:d85914d547a6c92faa39ce7058bd7529baacab7e0cd4255442b04577c4d1f424
Deleted: sha256:c82521676580c4850bb8f0d72e47390a50d60c8ffe44d623ce57be521bca9869
Deleted: sha256:2c1f65d17acf8759019a5eb86cc20fb8f8a7e84d2b541b795c1579c4f202a458
Deleted: sha256:8f222b457ca67d7e68c3a8101d6509ab89d1aad6d399bf5b3c93494bbf876407
Deleted: sha256:cdb3f9544e4c61d45da1ea44f7d92386639a052c620d1550376f22f5b46981af
[root@linux-node1 ~]# docker images
REPOSITORY          TAG                 IMAGE ID            CREATED             SIZE
[root@linux-node1 ~]# docker pull docker.reg.com/nginx:1
1: Pulling from nginx
be8881be8156: Pull complete 
32d9726baeef: Pull complete 
87e5e6f71297: Pull complete 
Digest: sha256:4ffd9758ea9ea360fd87d0cee7a2d1cf9dba630bb57ca36b3108dcd3708dc189
Status: Downloaded newer image for docker.reg.com/nginx:1
[root@linux-node1 ~]# docker images
REPOSITORY             TAG                 IMAGE ID            CREATED             SIZE
docker.reg.com/nginx   1                   c82521676580        4 weeks ago         109MB
[root@linux-node1 ~]#

9、Docker配置登录认证

在很多场景下,我们需要用户登录后才能访问私有仓库,那么我们可以如下操作:
建立在上文升成证书,同时重启docker服务的前提下,我们讲解下如何配置:

1、为防止端口冲突,我们首先要停止或删除之前已经启动好的私有仓库:

[root@linux-node2 ~]# docker ps 
CONTAINER ID        IMAGE               COMMAND                  CREATED             STATUS              PORTS                   NAMES
91c0b79e5aa1        registry:2          "/entrypoint.sh /etc…"   3 hours ago         Up 3 hours          0.0.0.0:443->5000/tcp   registry2
[root@linux-node2 ~]# docker kill 91c0b79e5aa1
91c0b79e5aa1
[root@linux-node2 ~]# docker ps 
CONTAINER ID        IMAGE               COMMAND             CREATED             STATUS              PORTS               NAMES
[root@linux-node2 ~]#

2、在node2机器上安装httpd-tools:

[root@linux-node2 ~]# yum -y install httpd-tools

3、在node2机器上创建密码文件,并添加用户user1,密码user1:

[root@linux-node2 ~]# cd ~
[root@linux-node2 ~]# mkdir auth
[root@linux-node2 ~]# htpasswd -Bbn user1 user1 > auth/htpasswd

4、在node2机器上切换到~ 目录,并启动私有仓库

[root@linux-node2 ~]#docker run -d -p 443:5000 --restart=always --name registry3 \
  -v `pwd`/certs:/certs \
  -v /opt/docker-image:/var/lib/registry  \
  -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/docker.reg.com.crt \
  -e REGISTRY_HTTP_TLS_KEY=/certs/docker.reg.com.key  \
  -v `pwd`/auth:/auth  -e "REGISTRY_AUTH=htpasswd"  \ 
  -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" \
  -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd registry:2

5、在Docker开发机重新push镜像到私有库

[root@linux-node1 ~]# docker tag tomcat docker.reg.com/tomcat:2
[root@linux-node1 ~]# docker images
REPOSITORY              TAG                 IMAGE ID            CREATED             SIZE
tomcat                  latest              690cb3b9c7d1        5 days ago          463MB
docker.reg.com/tomcat   2                   690cb3b9c7d1        5 days ago          463MB
docker.reg.com/tomcat   latest              690cb3b9c7d1        5 days ago          463MB
docker.reg.com/nginx    1                   c82521676580        4 weeks ago         109MB
[root@linux-node1 ~]# docker push docker.reg.com/tomcat:2
The push refers to repository [docker.reg.com/tomcat]
ce40a8407fb4: Preparing 
44c236f0f89c: Preparing 
968b9f959aa6: Preparing 
44ffe8811308: Preparing 
a158c36dcac9: Preparing 
b6ffe8dd0a7c: Preparing 
1dccf0da88f3: Preparing 
d2070b14033b: Preparing 
63dcf81c7ca7: Preparing 
ce6466f43b11: Preparing 
719d45669b35: Preparing 
3b10514a95be: Preparing 
no basic auth credentials          提示不是被认证的
[root@linux-node1 ~]# 
说明需要认证。

我们登陆一下,执行:
[root@linux-node1 ~]# docker login docker.reg.com         #登录私有库
Username: user1
Password: 
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded          #登录成功
[root@linux-node1 ~]# docker push docker.reg.com/tomcat:2
The push refers to repository [docker.reg.com/tomcat]
ce40a8407fb4: Layer already exists 
44c236f0f89c: Layer already exists 
968b9f959aa6: Layer already exists 
44ffe8811308: Layer already exists 
a158c36dcac9: Layer already exists 
b6ffe8dd0a7c: Layer already exists 
1dccf0da88f3: Layer already exists 
d2070b14033b: Layer already exists 
63dcf81c7ca7: Layer already exists 
ce6466f43b11: Layer already exists 
719d45669b35: Layer already exists 
3b10514a95be: Layer already exists 
2: digest: sha256:037e17517ca8a656a2657beeeb4f2f15e6e20db8b12634c0dc2a2afd5e7ca89a size: 2836
[root@linux-node1 ~]#

Docker私有仓库registry

标签:好的   open   cond   密码   ring   仓库   mon   ref   信任   

原文地址:https://www.cnblogs.com/alber/p/9549192.html

(0)
(0)
   
举报
评论 一句话评论(0
登录后才能评论!
© 2014 mamicode.com 版权所有  联系我们:gaon5@hotmail.com
迷上了代码!