Docker private registry (registry)

1. Building and using a Docker private registry
    Docker does not only have a central registry; it also lets us run our own private registry. Readers who know Maven will easily see the advantages of a private registry:
    1. Saves bandwidth: images no longer need to be downloaded from the central registry, only from the private one
    2. Faster downloads for images already present in the private registry
    3. Easier centralized management of internal images
2. How to build and use the private registry:
    1. Prepare two CentOS 7 machines with Docker installed, planned as follows:
        Host        IP               Role
        node1       192.168.56.11    Docker development machine
        node2       192.168.56.12    Docker private registry
3. Installing and using the private registry
    1. Build an HTTPS private registry with a domain name
        1. First edit /etc/hosts on both machines so that 192.168.56.12 maps to docker.reg.com; if you have internal DNS this is not necessary

echo '192.168.56.12 docker.reg.com'>> /etc/hosts
Steps:
[root@linux-node2 ~]# echo '192.168.11.12 docker.reg.com'>> /etc/hosts
[root@linux-node2 ~]# 
[root@linux-node1 ~]# echo '192.168.11.12 docker.reg.com'>> /etc/hosts
[root@linux-node1 ~]#

2. Since we use HTTPS, we need a certificate. This article uses an OpenSSL self-signed certificate; a tool such as Let's Encrypt could also issue one. First generate a key on node2:

[root@linux-node2 ~]# mkdir -p ~/certs
[root@linux-node2 ~]# cd certs/
[root@linux-node2 certs]# openssl genrsa -out docker.reg.com.key 2048
Generating RSA private key, 2048 bit long modulus
.........+++
......................................................................................................................................................................+++
e is 65537 (0x10001)
[root@linux-node2 certs]# 
        Generate the self-signed certificate (this command writes the key as well):
[root@linux-node2 certs]# openssl req -newkey rsa:4096 -nodes -sha256 -keyout docker.reg.com.key -x509 -days 365 -out docker.reg.com.crt
Generating a 4096 bit RSA private key
........................................................................................................++
..............++
writing new private key to 'docker.reg.com.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN           # your country
State or Province Name (full name) []:BJ       # province
Locality Name (eg, city) [Default City]:BJ     # city
Organization Name (eg, company) [Default Company Ltd]:it      # organization name
Organizational Unit Name (eg, section) []:it                  # organizational unit name
Common Name (eg, your name or your server's hostname) []:docker.reg.com      # domain name (the registry's hostname)
Email Address []:abcd@163.com          # e-mail address
[root@linux-node2 certs]# 
[root@linux-node2 certs]# ls
docker.reg.com.crt  docker.reg.com.key
[root@linux-node2 certs]# 
The self-signed certificate is now ready.

        4. Because the certificate is self-signed, Docker does not trust it by default, so it has to be added to Docker's trusted certificates. On CentOS 7 Docker reads them from /etc/docker/certs.d/<domain>:

On node2:
[root@linux-node2 ~]# mkdir -p /etc/docker/certs.d/docker.reg.com
[root@linux-node2 ~]# cp ~/certs/docker.reg.com.crt /etc/docker/certs.d/docker.reg.com/
[root@linux-node2 ~]# 

On node1: fetch the generated certificate into the trust directory
[root@linux-node1 ~]# mkdir -p /etc/docker/certs.d/docker.reg.com
[root@linux-node1 ~]# scp root@192.168.56.12:/root/certs/docker.reg.com.crt /etc/docker/certs.d/docker.reg.com/
The authenticity of host '192.168.56.12 (192.168.56.12)' can't be established.
ECDSA key fingerprint is d7:ed:3d:79:50:c5:da:99:13:be:13:65:fe:5a:ec:a6.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.56.12' (ECDSA) to the list of known hosts.
root@192.168.56.12's password: 
docker.reg.com.crt                                                                                                         100% 2057     2.0KB/s   00:00    
[root@linux-node1 ~]# ll /etc/docker/certs.d/docker.reg.com/
total 4
-rw-r--r-- 1 root root 2057 Aug 28 10:58 docker.reg.com.crt
[root@linux-node1 ~]# 

Restart Docker on node1 and node2
[root@linux-node1 ~]# systemctl restart docker
[root@linux-node1 ~]# 
[root@linux-node2 ~]# systemctl restart docker
[root@linux-node2 ~]#
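As an added example (not part of the original post), the script below does what steps 2 and 4 do by hand, with two changes a practitioner will want: the certificate carries a subjectAltName for the registry hostname, because Go-based clients such as Docker no longer accept a certificate whose hostname appears only in CN, and the result is checked against the hostname before it is installed. The function names gen_registry_cert, cert_matches_host and install_registry_ca are assumptions, not Docker or OpenSSL conventions.

```shell
#!/bin/sh
# Added example, not from the original post: generate the registry's
# self-signed certificate with a subjectAltName and install it where the
# Docker client looks for trusted CAs. Function names and the CERTS_DIR
# default are assumptions, not Docker or OpenSSL conventions.
set -eu

# gen_registry_cert HOST OUTDIR [DAYS] [KEYBITS]
# Writes OUTDIR/HOST.key and OUTDIR/HOST.crt in one openssl call. The SAN is
# set through a config file so this also works with the OpenSSL 1.0.2 shipped
# on CentOS 7 (which lacks -addext).
gen_registry_cert() {
    host=$1; outdir=$2; days=${3:-365}; keybits=${4:-4096}
    mkdir -p "$outdir"
    cat > "$outdir/$host.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions    = v3_req
prompt             = no
[dn]
CN = $host
[v3_req]
subjectAltName   = DNS:$host
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
    openssl req -newkey "rsa:$keybits" -nodes -sha256 -x509 -days "$days" \
        -config "$outdir/$host.cnf" \
        -keyout "$outdir/$host.key" -out "$outdir/$host.crt" 2>/dev/null
    chmod 600 "$outdir/$host.key"    # the private key stays readable by root only
}

# cert_matches_host CRT HOST: succeeds only if the certificate is valid for HOST
# ("openssl x509 -checkhost" prints "does match" or "does NOT match").
cert_matches_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" | grep -q ' does match '
}

# install_registry_ca CRT HOST [CERTS_DIR]
# Docker trusts every *.crt under CERTS_DIR/HOST/ as a CA for that registry;
# the directory is read when a connection is made.
install_registry_ca() {
    dir=${3:-/etc/docker/certs.d}/$2
    mkdir -p "$dir"
    cp "$1" "$dir/ca.crt"
    chmod 644 "$dir/ca.crt"
}

# Typical run on node2 (the registry host); then copy the .crt to node1 and
# run install_registry_ca there as well:
#   gen_registry_cert docker.reg.com "$HOME/certs"
#   cert_matches_host "$HOME/certs/docker.reg.com.crt" docker.reg.com
#   install_registry_ca "$HOME/certs/docker.reg.com.crt" docker.reg.com
```

The registry container then gets `-v $HOME/certs:/certs` as in the post; using an absolute path instead of `` `pwd` `` removes the dependency on the current directory that the post warns about in step 5.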

5. Start the private registry on node2
First change to the home directory. This step must not be skipped: the -v options below mount the certificate directory relative to `pwd`, so without changing directory the registry will not find the certificate

cd ~

6. Start the Docker private registry

1. Create the directory that will hold the registry's images
[root@linux-node2 ~]# mkdir /opt/docker-image -p
2. Start the registry
[root@linux-node2 ~]# docker run -d -p 443:5000 --restart=always --name registry2 \
  -v `pwd`/certs:/certs \
  -v /opt/docker-image:/var/lib/registry \
  -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/docker.reg.com.crt \
  -e REGISTRY_HTTP_TLS_KEY=/certs/docker.reg.com.key \
  registry:2
Unable to find image 'registry:2' locally
2: Pulling from library/registry
4064ffdc82fe: Pull complete 
c12c92d1c5a2: Pull complete 
4fbc9b6835cc: Pull complete 
765973b0f65f: Pull complete 
3968771a7c3a: Pull complete 
Digest: sha256:51bb55f23ef7e25ac9b8313b139a8dd45baa832943c8ad8f7da2ddad6355b3c8
Status: Downloaded newer image for registry:2
f5808ac5c389e81ac91458fa8160605b738b5aadd3f1b202ae5bb951b104b38b
[root@linux-node2 ~]# docker ps 
CONTAINER ID        IMAGE               COMMAND                  CREATED             STATUS              PORTS                   NAMES
f5808ac5c389        registry:2          "/entrypoint.sh /etc…"   32 seconds ago      Up 31 seconds       0.0.0.0:443->5000/tcp   registry
[root@linux-node2 ~]#
/opt/docker-image is mounted so that the images in the private registry are not lost if the registry container is deleted.

7. On the Docker development machine, pull an image and push it to the private registry

[root@linux-node1 ~]# docker pull nginx
Using default tag: latest
latest: Pulling from library/nginx
be8881be8156: Pull complete 
32d9726baeef: Pull complete 
87e5e6f71297: Pull complete 
Digest: sha256:d85914d547a6c92faa39ce7058bd7529baacab7e0cd4255442b04577c4d1f424
Status: Downloaded newer image for nginx:latest
[root@linux-node1 ~]# docker images
REPOSITORY          TAG                 IMAGE ID            CREATED             SIZE
nginx               latest              c82521676580        4 weeks ago         109MB
[root@linux-node1 ~]# 
[root@linux-node1 ~]# docker tag nginx docker.reg.com/nginx:1
[root@linux-node1 ~]# docker images
REPOSITORY             TAG                 IMAGE ID            CREATED             SIZE
nginx                  latest              c82521676580        4 weeks ago         109MB
docker.reg.com/nginx   1                   c82521676580        4 weeks ago         109MB
[root@linux-node1 ~]# 
[root@linux-node1 ~]# docker push docker.reg.com/nginx:1
The push refers to repository [docker.reg.com/nginx]
08d25fa0442e: Pushed 
a8c4aeeaa045: Pushed 
cdb3f9544e4c: Pushed 
1: digest: sha256:4ffd9758ea9ea360fd87d0cee7a2d1cf9dba630bb57ca36b3108dcd3708dc189 size: 948
The push succeeded
[root@linux-node1 ~]#

8. On the development machine, delete the locally cached images and pull the image from the private registry

[root@linux-node1 ~]# docker images
REPOSITORY             TAG                 IMAGE ID            CREATED             SIZE
nginx                  latest              c82521676580        4 weeks ago         109MB
docker.reg.com/nginx   1                   c82521676580        4 weeks ago         109MB
Delete the local cache
[root@linux-node1 ~]# docker rmi docker.reg.com/nginx:1
Untagged: docker.reg.com/nginx:1
Untagged: docker.reg.com/nginx@sha256:4ffd9758ea9ea360fd87d0cee7a2d1cf9dba630bb57ca36b3108dcd3708dc189
[root@linux-node1 ~]# docker images
REPOSITORY          TAG                 IMAGE ID            CREATED             SIZE
nginx               latest              c82521676580        4 weeks ago         109MB
[root@linux-node1 ~]# docker rmi nginx
Untagged: nginx:latest
Untagged: nginx@sha256:d85914d547a6c92faa39ce7058bd7529baacab7e0cd4255442b04577c4d1f424
Deleted: sha256:c82521676580c4850bb8f0d72e47390a50d60c8ffe44d623ce57be521bca9869
Deleted: sha256:2c1f65d17acf8759019a5eb86cc20fb8f8a7e84d2b541b795c1579c4f202a458
Deleted: sha256:8f222b457ca67d7e68c3a8101d6509ab89d1aad6d399bf5b3c93494bbf876407
Deleted: sha256:cdb3f9544e4c61d45da1ea44f7d92386639a052c620d1550376f22f5b46981af
[root@linux-node1 ~]# docker images
REPOSITORY          TAG                 IMAGE ID            CREATED             SIZE
[root@linux-node1 ~]# docker pull docker.reg.com/nginx:1
1: Pulling from nginx
be8881be8156: Pull complete 
32d9726baeef: Pull complete 
87e5e6f71297: Pull complete 
Digest: sha256:4ffd9758ea9ea360fd87d0cee7a2d1cf9dba630bb57ca36b3108dcd3708dc189
Status: Downloaded newer image for docker.reg.com/nginx:1
[root@linux-node1 ~]# docker images
REPOSITORY             TAG                 IMAGE ID            CREATED             SIZE
docker.reg.com/nginx   1                   c82521676580        4 weeks ago         109MB
[root@linux-node1 ~]#

9. Configuring login authentication for the registry

In many scenarios users must log in before they can access the private registry. This can be set up as follows,
assuming the certificate generated above is in place and the Docker service has been restarted:

1. To avoid a port conflict, first stop or remove the registry started earlier:

[root@linux-node2 ~]# docker ps 
CONTAINER ID        IMAGE               COMMAND                  CREATED             STATUS              PORTS                   NAMES
91c0b79e5aa1        registry:2          "/entrypoint.sh /etc…"   3 hours ago         Up 3 hours          0.0.0.0:443->5000/tcp   registry2
[root@linux-node2 ~]# docker kill 91c0b79e5aa1
91c0b79e5aa1
[root@linux-node2 ~]# docker ps 
CONTAINER ID        IMAGE               COMMAND             CREATED             STATUS              PORTS               NAMES
[root@linux-node2 ~]#

2. Install httpd-tools on node2:

[root@linux-node2 ~]# yum -y install httpd-tools

3. On node2, create the password file and add user user1 with password user1:

[root@linux-node2 ~]# cd ~
[root@linux-node2 ~]# mkdir auth
[root@linux-node2 ~]# htpasswd -Bbn user1 user1 > auth/htpasswd

4. On node2, change to the ~ directory and start the private registry

[root@linux-node2 ~]# docker run -d -p 443:5000 --restart=always --name registry3 \
  -v `pwd`/certs:/certs \
  -v /opt/docker-image:/var/lib/registry \
  -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/docker.reg.com.crt \
  -e REGISTRY_HTTP_TLS_KEY=/certs/docker.reg.com.key \
  -v `pwd`/auth:/auth -e "REGISTRY_AUTH=htpasswd" \
  -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" \
  -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd registry:2
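As an added example (not part of the original post), the script below covers steps 3 and 4 from the operator's side: it validates the htpasswd file before the registry is started, and then probes the running registry over TLS to confirm that anonymous access is refused and the configured user is accepted. The registry's htpasswd backend only understands bcrypt entries, which is why the post uses `htpasswd -B`; a file produced with the default MD5 or with `-s` (SHA-1) looks fine but yields users that can never log in. The function names check_htpasswd and probe_registry are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: sanity-check the htpasswd file
# the registry will load, and probe the registry's /v2/ endpoint over TLS.
# check_htpasswd and probe_registry are assumed helper names.
set -eu

# check_htpasswd FILE
# Exit status 0 means every non-blank line is "user:<bcrypt hash>", the only
# form the registry accepts. Low bcrypt cost factors are reported but allowed
# (htpasswd -B uses cost 05 unless -C is given).
check_htpasswd() {
    awk -F: '
        /^[ \t]*$/ { next }                                  # blank line
        NF != 2 || $1 == "" {
            print "line " NR ": expected user:hash"; bad = 1; next }
        $2 !~ /^\$2[aby]\$[0-9][0-9]\$/ || length($2) != 60 {
            print "line " NR " (" $1 "): not a bcrypt entry, regenerate with htpasswd -B"
            bad = 1; next }
        {
            cost = substr($2, 5, 2) + 0
            if (cost < 10)
                print "line " NR " (" $1 "): bcrypt cost " cost " is low, consider htpasswd -B -C 12"
        }
        END { exit bad ? 1 : 0 }
    ' "$1"
}

# probe_registry HOST CACERT [USER:PASS]
# Prints the HTTP status of GET https://HOST/v2/. With REGISTRY_AUTH=htpasswd
# the registry answers 401 (with WWW-Authenticate: Basic realm=...) when no
# credentials are sent and 200 for a valid user. A certificate or hostname
# problem shows up as a non-zero curl exit status instead of a status code.
probe_registry() {
    if [ -n "${3:-}" ]; then
        curl -sS -o /dev/null -w '%{http_code}' --cacert "$2" -u "$3" "https://$1/v2/"
    else
        curl -sS -o /dev/null -w '%{http_code}' --cacert "$2" "https://$1/v2/"
    fi
}

# Typical use on node2 after step 4:
#   check_htpasswd "$HOME/auth/htpasswd"
#   probe_registry docker.reg.com "$HOME/certs/docker.reg.com.crt"             # expect 401
#   probe_registry docker.reg.com "$HOME/certs/docker.reg.com.crt" user1:user1 # expect 200
```

Note that `docker login` stores the password base64-encoded in ~/.docker/config.json, as the warning in step 5 says; on a shared development machine a credential helper (see the URL printed by the warning) keeps it out of that file.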

5. Push the image to the private registry again from the development machine

[root@linux-node1 ~]# docker tag tomcat docker.reg.com/tomcat:2
[root@linux-node1 ~]# docker images
REPOSITORY              TAG                 IMAGE ID            CREATED             SIZE
tomcat                  latest              690cb3b9c7d1        5 days ago          463MB
docker.reg.com/tomcat   2                   690cb3b9c7d1        5 days ago          463MB
docker.reg.com/tomcat   latest              690cb3b9c7d1        5 days ago          463MB
docker.reg.com/nginx    1                   c82521676580        4 weeks ago         109MB
[root@linux-node1 ~]# docker push docker.reg.com/tomcat:2
The push refers to repository [docker.reg.com/tomcat]
ce40a8407fb4: Preparing 
44c236f0f89c: Preparing 
968b9f959aa6: Preparing 
44ffe8811308: Preparing 
a158c36dcac9: Preparing 
b6ffe8dd0a7c: Preparing 
1dccf0da88f3: Preparing 
d2070b14033b: Preparing 
63dcf81c7ca7: Preparing 
ce6466f43b11: Preparing 
719d45669b35: Preparing 
3b10514a95be: Preparing 
no basic auth credentials          # the push was rejected: not authenticated
[root@linux-node1 ~]# 
This means authentication is required.

Let's log in:
[root@linux-node1 ~]# docker login docker.reg.com         # log in to the private registry
Username: user1
Password: 
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded          # login succeeded
[root@linux-node1 ~]# docker push docker.reg.com/tomcat:2
The push refers to repository [docker.reg.com/tomcat]
ce40a8407fb4: Layer already exists 
44c236f0f89c: Layer already exists 
968b9f959aa6: Layer already exists 
44ffe8811308: Layer already exists 
a158c36dcac9: Layer already exists 
b6ffe8dd0a7c: Layer already exists 
1dccf0da88f3: Layer already exists 
d2070b14033b: Layer already exists 
63dcf81c7ca7: Layer already exists 
ce6466f43b11: Layer already exists 
719d45669b35: Layer already exists 
3b10514a95be: Layer already exists 
2: digest: sha256:037e17517ca8a656a2657beeeb4f2f15e6e20db8b12634c0dc2a2afd5e7ca89a size: 2836
[root@linux-node1 ~]#
Posted 2018-08-28 16:38 by 平_常_心