Docker (Part 5): Building a Local Registry / Private Registry (with TLS Encryption and Access Control)

  • Post author:
  • Post category: Other




I. Setting up a private registry and pulling images from it

1. Load the registry image into Docker

[root@server1 ~]# ls
certs  docker  registry.tar  ubuntu.tar
[root@server1 ~]# docker load -i registry.tar 
917c0fc99b35: Loading layer  130.9MB/130.9MB
5f70bf18a086: Loading layer  1.024kB/1.024kB
e6107e74315e: Loading layer  20.71MB/20.71MB
5deabacb4c9b: Loading layer  20.66MB/20.66MB
32d89efca72a: Loading layer  3.584kB/3.584kB
Loaded image: registry:2.3.1
[root@server1 ~]# docker images
REPOSITORY          TAG                 IMAGE ID            CREATED             SIZE
registry            2.3.1               83139345d017        3 years ago         166MB
ubuntu              latest              07c86167cdc4        3 years ago         188MB


Note: the image can also be pulled directly from the official registry:

docker search registry
docker pull registry

2. Run the Docker Registry container

[root@server1 ~]# docker ps -a          ## list all Docker containers (running and stopped)
CONTAINER ID        IMAGE               COMMAND             CREATED             STATUS                      PORTS               NAMES
e85017a74f1a        ubuntu              "/bin/bash"         27 minutes ago      Exited (0) 23 minutes ago                       vm2
edb4ef9b0bcf        ubuntu              "/bin/bash"         38 minutes ago      Exited (0) 28 minutes ago                       vm1
Remove the existing containers:
[root@server1 ~]# docker rm vm1
vm1
[root@server1 ~]# docker rm vm2
vm2
[root@server1 ~]# docker ps -a
CONTAINER ID        IMAGE               COMMAND             CREATED             STATUS              PORTS               NAMES


[root@server1 ~]# docker run -d --name registry -p 5000:5000 -v /opt/registry:/var/lib/registry registry:latest
## -v mounts a host directory onto a directory inside the container; if the host path does not exist it is created automatically
## the locally loaded registry image is not the latest version, so registry:latest is pulled from the official registry


3. Check that the Docker Registry container started successfully

[root@server1 ~]# docker ps
[root@server1 ~]# netstat -antlp




II. Pushing an image to the local registry

1. Retag the ubuntu image, push it to the private registry, then check the result

[root@server1 ~]# docker tag ubuntu:latest localhost:5000/ubuntu
[root@server1 ~]# docker images localhost:5000/ubuntu
REPOSITORY              TAG                 IMAGE ID            CREATED             SIZE
localhost:5000/ubuntu   latest              07c86167cdc4        3 years ago         188MB
### push the image to the private registry (addressed as localhost:5000)
[root@server1 registry]# docker push localhost:5000/ubuntu
The push refers to repository [localhost:5000/ubuntu]
5f70bf18a086: Pushed 
11083b444c90: Pushed 
9468150a390c: Pushed 
56abdd66ba31: Pushed 
latest: digest: sha256:4e709bde11754c2a27ed6e9b9ba55569647f83903f85cd8107e36162c5579984 size: 1151

[root@server1 ~]# docker images
REPOSITORY              TAG                 IMAGE ID            CREATED             SIZE
registry                latest              f32a97de94e1        4 months ago        25.8MB
registry                2.3.1               83139345d017        3 years ago         166MB
ubuntu                  latest              07c86167cdc4        3 years ago         188MB
localhost:5000/ubuntu   latest              07c86167cdc4        3 years ago         188MB



Note: when naming the local image, the name must be prefixed with the registry's IP (or hostname) and port.

2. Install tree and view the registry's directory tree

[root@server1 ~]# yum install tree -y
# view the directory tree under the private registry's storage
[root@server1 ~]# cd /opt/registry/
[root@server1 registry]# ls
[root@server1 registry]# tree docker/


3. Pulling an image from the private registry

Delete the local images other than registry.


4. Pull the image back from the private registry created earlier

[root@server1 ~]# docker pull localhost:5000/ubuntu
[root@server1 ~]# docker images


5. Retag the image




III. Building a local registry that needs no login, with TLS-encrypted access to the private registry

Configuring the certificate for encrypted access to the private registry

1. Create the certs directory, then generate the server certificate and private key

[root@server1 ~]# cd /tmp
[root@server1 tmp]# ls
[root@server1 tmp]# mkdir docker
[root@server1 tmp]# cd docker/
[root@server1 docker]# mkdir certs
[root@server1 docker]# openssl req -newkey rsa:4096 -nodes -sha256 -keyout certs/westos.org.key -x509 -days 365 -out certs/westos.org.crt
Generating a 4096 bit RSA private key
..........................................................................................................................++
................................................................................................................++
writing new private key to 'certs/westos.org.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:shaaxi
Locality Name (eg, city) [Default City]:xi'an
Organization Name (eg, company) [Default Company Ltd]:westos
Organizational Unit Name (eg, section) []:linux
Common Name (eg, your name or your server's hostname) []:westos.org
Email Address []:root@westos.org

2. Add a hosts entry and test name resolution

[root@server1 docker]# ls certs/
westos.org.crt  westos.org.key		## the generated certificate and private key
[root@server1 docker]# 
[root@server1 docker]# vim /etc/hosts
[root@server1 docker]# ping westos.org 
PING server1 (172.25.31.1) 56(84) bytes of data.
64 bytes from server1 (172.25.31.1): icmp_seq=1 ttl=64 time=0.035 ms


3. Remove the registry container created earlier

[root@server1 docker]# docker rm -f registry 
registry

4. Start the container and check its status and listening port

[root@server1 docker]# docker run -d \
> --restart=always \
> --name registry \
> -v /tmp/docker/certs:/certs \
> -e REGISTRY_HTTP_ADDR=0.0.0.0:443 \
> -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/westos.org.crt \
> -e REGISTRY_HTTP_TLS_KEY=/certs/westos.org.key \
> -p 443:443 \
> -v /opt/registry:/var/lib/registry \
> registry:latest
1f31372fa4aa43dba1e3f062581fdd93c09782e23891ce3efff8bd43c176a311
[root@server1 docker]# docker ps
CONTAINER ID        IMAGE               COMMAND                  CREATED             STATUS              PORTS                            NAMES
1f31372fa4aa        registry:latest     "/entrypoint.sh /etc…"   8 seconds ago       Up 7 seconds        0.0.0.0:443->443/tcp, 5000/tcp   registry
[root@server1 docker]# netstat -antlp
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      837/sshd            
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      891/master          
tcp        0      0 172.25.31.1:22          172.25.31.250:40700     ESTABLISHED 2327/sshd: root@pts 
tcp6       0      0 :::22                   :::*                    LISTEN      837/sshd            
tcp6       0      0 ::1:25                  :::*                    LISTEN      891/master          
tcp6       0      0 :::443                  :::*                    LISTEN      16508/docker-proxy  



Parameter reference

-v /tmp/docker/certs:/certs: mounts the host's certs directory (not the registry's storage directory) into the container.
-d: run the container detached, in the background.
--restart: set the container's restart policy.
--name: name the container.
-v: volume mount (host path:container path).
-e: set an environment variable; here it changes the port the registry listens on (environment variables override the corresponding options in the registry's configuration file).
-e REGISTRY_HTTP_ADDR: set the address and port the registry listens on.
# the certificate paths are given as seen from inside the container
-e REGISTRY_HTTP_TLS_CERTIFICATE: environment variable telling the registry where the certificate is.
-e REGISTRY_HTTP_TLS_KEY: environment variable telling the registry where the private key is.
-p: map container port 443 to port 443 on the host.

5. Place the certificate in Docker's certs.d directory (/etc/docker/certs.d)

[root@server1 docker]# ls
daemon.json  key.json
[root@server1 docker]# mkdir certs.d
[root@server1 docker]# cd certs.d/
[root@server1 certs.d]# mkdir westos.org
[root@server1 certs.d]# cd westos.org/
[root@server1 westos.org]# cp /tmp/docker/certs/westos.org.crt ca.crt
[root@server1 westos.org]# ls
ca.crt


6. Load an image and list the images

[root@server1 westos.org]# docker load -i /root/game2048.tar 
011b303988d2: Loading layer   5.05MB/5.05MB
36e9226e74f8: Loading layer  51.46MB/51.46MB
192e9fad2abc: Loading layer  3.584kB/3.584kB
6d7504772167: Loading layer  4.608kB/4.608kB
88fca8ae768a: Loading layer  629.8kB/629.8kB
Loaded image: game2048:latest

[root@server1 ~]# docker images
REPOSITORY              TAG                 IMAGE ID            CREATED             SIZE
registry                latest              f32a97de94e1        4 months ago        25.8MB
game2048                latest              19299002fdbe        2 years ago         55.5MB
ubuntu                  latest              07c86167cdc4        3 years ago         188MB
localhost:5000/ubuntu   latest              07c86167cdc4        3 years ago         188MB

7. Retag the image and push it

[root@server1 ~]# docker tag game2048:latest westos.org/game2048
[root@server1 ~]# docker images
REPOSITORY              TAG                 IMAGE ID            CREATED             SIZE
registry                latest              f32a97de94e1        4 months ago        25.8MB
game2048                latest              19299002fdbe        2 years ago         55.5MB
westos.org/game2048     latest              19299002fdbe        2 years ago         55.5MB
ubuntu                  latest              07c86167cdc4        3 years ago         188MB
localhost:5000/ubuntu   latest              07c86167cdc4        3 years ago         188MB
[root@server1 ~]# docker push westos.org/game2048
The push refers to repository [westos.org/game2048]
88fca8ae768a: Pushed 
6d7504772167: Pushed 
192e9fad2abc: Pushed 
36e9226e74f8: Pushed 
011b303988d2: Pushed 
latest: digest: sha256:8a34fb9cb168c420604b6e5d32ca6d412cb0d533a826b313b190535c03fe9390 size: 1364


Note: the registry prefix in the image name must match the domain name in the certificate.

Testing from the client (server2):

server2:

1. Install and start Docker

Copy /root/docker from server1 to server2 and install the packages:

yum install *.rpm
systemctl start docker

2. Create the directory that will hold the certificate

[root@server2 docker]# cd /etc/docker/
[root@server2 docker]# ls
key.json
[root@server2 docker]# mkdir certs.d/westos.org -p
[root@server2 docker]# ls
certs.d  key.json
[root@server2 docker]# cd certs.d/
[root@server2 certs.d]# cd westos.org/
[root@server2 westos.org]# ls
[root@server2 westos.org]# scp server1:/etc/docker/certs.d/westos.org/ca.crt .
The authenticity of host 'server1 (172.25.31.1)' can't be established.
ECDSA key fingerprint is 6e:87:8f:88:b9:6e:22:9c:66:5e:05:0a:ab:c2:52:37.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'server1,172.25.31.1' (ECDSA) to the list of known hosts.
root@server1's password: 
ca.crt                 100% 2094     2.0KB/s   00:00    
[root@server2 westos.org]# ls
ca.crt


3. Add a hosts entry for server1

[root@server2 westos.org]# cat /etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
172.25.31.250 foundation31.ilt.example.com
172.25.31.1	server1 westos.org
172.25.31.2	server2
172.25.31.3	server3
172.25.31.4	server4
172.25.31.5	server5
172.25.31.6	server6
172.25.31.7	server7
172.25.31.8	server8

4. server2 can pull the image, which confirms that the TLS-enabled private registry works

[root@server2 westos.org]# docker pull westos.org/game2048
Using default tag: latest
latest: Pulling from game2048
534e72e7cedc: Pull complete 
f62e2f6dfeef: Pull complete 
fe7db6293242: Pull complete 
3f120f6a2bf8: Pull complete 
4ba4e6930ea5: Pull complete 
Digest: sha256:8a34fb9cb168c420604b6e5d32ca6d412cb0d533a826b313b190535c03fe9390
Status: Downloaded newer image for westos.org/game2048:latest
[root@server2 westos.org]# docker images
REPOSITORY            TAG                 IMAGE ID            CREATED             SIZE
westos.org/game2048   latest              19299002fdbe        2 years ago         55.5MB


Access control for the private registry using basic authentication

1. Create an auth directory to hold the registry users' passwords

[root@server1 ~]# cd /tmp/docker/
[root@server1 docker]# ls
certs
[root@server1 docker]# mkdir auth
[root@server1 docker]# docker run --rm --entrypoint htpasswd registry:latest -Bbn user1 westos >auth/htpasswd
[root@server1 docker]# docker run --rm --entrypoint htpasswd registry:latest -Bbn user2 redhat >>auth/htpasswd          ## append (>>) so the previous entry is not overwritten
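As an added example (not code from the original post), the following Python script audits an htpasswd file of the kind produced above. The registry's htpasswd backend verifies only bcrypt hashes, and `htpasswd -B` uses cost 5 unless `-C` raises it; the sample entries, the duplicate user and the cost threshold are constructed for illustration.

```python
import re
from typing import Dict, List

# Constructed sample htpasswd contents (not the file from the post):
# user1  bcrypt, cost 05 (what `htpasswd -B` produces by default)
# user2  bcrypt, cost 12
# legacy apr1-MD5, which the registry's htpasswd backend cannot verify
# user1  repeated, to show duplicate detection
SAMPLE_HTPASSWD = """\
user1:$2y$05$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZabcde
user2:$2y$12$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZabcde
legacy:$apr1$saltsalt$abcdefghijklmnopqrstuv
user1:$2y$05$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZabcde
"""

# bcrypt layout: $2a$/$2b$/$2y$, two-digit cost, 22 salt + 31 hash characters
BCRYPT_RE = re.compile(r"^\$2[aby]\$(\d{2})\$[./A-Za-z0-9]{53}$")
MIN_COST = 10  # assumed local policy; `htpasswd -C <cost>` raises the cost


def audit_htpasswd(text: str) -> Dict[str, List[str]]:
    """Return {user: [findings]}; an empty list means the entry passed."""
    findings: Dict[str, List[str]] = {}
    seen = set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            findings.setdefault(f"<line {lineno}>", []).append("malformed entry")
            continue
        user, digest = line.split(":", 1)
        issues = findings.setdefault(user, [])
        if user in seen:
            issues.append("duplicate user")
        seen.add(user)
        match = BCRYPT_RE.match(digest)
        if not match:
            issues.append("not bcrypt: the registry can never authenticate this user")
            continue
        cost = int(match.group(1))
        if cost < MIN_COST:
            issues.append(f"bcrypt cost {cost} is below {MIN_COST}")
    return findings


if __name__ == "__main__":
    for user, issues in audit_htpasswd(SAMPLE_HTPASSWD).items():
        print(user, "OK" if not issues else "; ".join(issues))
```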

2. Remove the previously created registry container to avoid conflicts

[root@server1 docker]# docker rm -f registry 
[root@server1 docker]# docker images

3. Start the container and list the images

[root@server1 docker]# docker run -d \
> --restart=always \
> --name registry \
> -v /tmp/docker/certs:/certs \
> -e REGISTRY_HTTP_ADDR=0.0.0.0:443 \
> -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/westos.org.crt \
> -e REGISTRY_HTTP_TLS_KEY=/certs/westos.org.key \
> -p 443:443 \
> -v /opt/registry:/var/lib/registry \
> -v /tmp/docker/auth:/auth \
> -e "REGISTRY_AUTH=htpasswd" \
> -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" \
> -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd \
> registry:latest
7e820dd26deec22a85b0532e6679884a7480a93621b1215348c73cdd913a947a
[root@server1 docker]# docker images
REPOSITORY              TAG                 IMAGE ID            CREATED             SIZE
registry                latest              f32a97de94e1        4 months ago        25.8MB
game2048                latest              19299002fdbe        2 years ago         55.5MB
westos.org/game2048     latest              19299002fdbe        2 years ago         55.5MB
ubuntu                  latest              07c86167cdc4        3 years ago         188MB
localhost:5000/ubuntu   latest              07c86167cdc4        3 years ago         188MB


Test:

1. Retag the ubuntu image and list the images


2. Try to push ubuntu; the push fails

[root@server1 docker]# docker push westos.org/ubuntu
The push refers to repository [westos.org/ubuntu]
5f70bf18a086: Preparing 
11083b444c90: Preparing 
9468150a390c: Preparing 
56abdd66ba31: Preparing 
no basic auth credentials

3. Log in, then push again

[root@server1 docker]# docker login westos.org
Username: user1
Password: 
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded

[root@server1 docker]# docker push westos.org/ubuntu
The push refers to repository [westos.org/ubuntu]
5f70bf18a086: Layer already exists 
11083b444c90: Layer already exists 
9468150a390c: Layer already exists 
56abdd66ba31: Layer already exists 
latest: digest: sha256:4e709bde11754c2a27ed6e9b9ba55569647f83903f85cd8107e36162c5579984 size: 1151

4. Inspect /root/.docker/config.json, where the login is recorded: the credential is saved automatically (base64-encoded, not encrypted), so the next pull does not require logging in again.

[root@server1 docker]# cat /root/.docker/config.json 
{
	"auths": {
		"westos.org": {
			"auth": "dXNlcjE6d2VzdG9z"
		}
	},
	"HttpHeaders": {
		"User-Agent": "Docker-Client/18.06.1-ce (linux)"
	}
}
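As an added example (not code from the original post), this Python script reads a config.json laid out like the one above and reports which registries have credentials stored inline. The `auth` value is only base64 of `user:password`, which is what the warning printed by `docker login` refers to; the sample config and the `helper.example` registry are constructed.

```python
import base64
import json
from typing import Dict

# Constructed sample modelled on /root/.docker/config.json after
# `docker login westos.org` (not the author's actual file). The second
# registry is hypothetical and delegates its secret to a credential helper.
SAMPLE_CONFIG = json.dumps({
    "auths": {
        "westos.org": {"auth": "dXNlcjE6d2VzdG9z"},
        "helper.example": {},
    },
    "credHelpers": {"helper.example": "pass"},
    "HttpHeaders": {"User-Agent": "Docker-Client/18.06.1-ce (linux)"},
})


def inline_logins(config_text: str) -> Dict[str, str]:
    """Map registry -> username for every credential stored inline.

    The 'auth' field is base64("user:password") with no encryption, so
    anyone who can read the file can recover the password. Only the
    username is returned here; the password is decoded and discarded."""
    cfg = json.loads(config_text)
    logins: Dict[str, str] = {}
    for registry, entry in cfg.get("auths", {}).items():
        token = entry.get("auth")
        if not token:
            continue  # no inline secret: a helper or store holds it
        user, _, _password = base64.b64decode(token).decode().partition(":")
        logins[registry] = user
    return logins


def has_credential_store(config_text: str) -> bool:
    """True when a global credsStore is configured, so future logins
    are handed to a helper instead of being written into this file."""
    return bool(json.loads(config_text).get("credsStore"))


if __name__ == "__main__":
    for registry, user in inline_logins(SAMPLE_CONFIG).items():
        print(f"{registry}: inline (unencrypted) credential for user {user}")
    if not has_credential_store(SAMPLE_CONFIG):
        print("no credsStore configured; see the docker login warning above")
```

Entries already stored inline stay in the file even after a credential store is configured, so re-run `docker logout` and `docker login` for each registry the script lists.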

5. server2 can pull from and push to the private registry only after logging in

[root@server2 westos.org]# docker login westos.org
Username: user2
Password: 
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded
[root@server2 westos.org]# docker pull westos.org/ubuntu
Using default tag: latest
latest: Pulling from ubuntu
257507fcd746: Pull complete 
cd03f9b52ed8: Pull complete 
493709ab45b5: Pull complete 
4f4fb700ef54: Pull complete 
Digest: sha256:4e709bde11754c2a27ed6e9b9ba55569647f83903f85cd8107e36162c5579984
Status: Downloaded newer image for westos.org/ubuntu:latest
[root@server2 westos.org]# docker logout westos.org
Removing login credentials for westos.org
[root@server2 westos.org]# docker push westos.org/ubuntu
The push refers to repository [westos.org/ubuntu]
5f70bf18a086: Preparing 
11083b444c90: Preparing 
9468150a390c: Preparing 
56abdd66ba31: Preparing 
no basic auth credentials



Copyright notice: this is an original article by weixin_44889616, licensed under CC 4.0 BY-SA; please include a link to the original source and this notice when reposting.