Setting up a private registry
| Server name | IP address | Role |
|---|---|---|
| docker_house | 192.168.10.146 | Docker private registry |
| docker | 192.168.10.145 | Client |
Pull the registry image
[root@docker_house ~]# docker pull registry
Using default tag: latest
latest: Pulling from library/registry
79e9f2f55bf5: Pull complete
0d96da54f60b: Pull complete
5b27040df4a2: Pull complete
e2ead8259a04: Pull complete
3790aef225b9: Pull complete
Digest: sha256:169211e20e2f2d5d115674681eb79d21a217b296b43374b8e39f97fcf866b375
Status: Downloaded newer image for registry:latest
docker.io/library/registry:latest
Run the registry container
[root@docker_house ~]# docker run -it -d -p 5000:5000 \
--restart=always \
--name registry registry
6d7f3bb7350cec3dd3b3b4eae9419b0f5e28d607d18b5ca4bef1d9e3f058feeb
--restart=always: automatically restart the container whenever it stops
# Download a test image
[root@docker_house ~]# docker pull busybox
Using default tag: latest
latest: Pulling from library/busybox
5cc84ad355aa: Pull complete
Digest: sha256:5acba83a746c7608ed544dc1533b87c737a0b0fb730301639a0179f9344b1678
Status: Downloaded newer image for busybox:latest
docker.io/library/busybox:latest
# Re-tag the image so that it points at the private registry
[root@docker_house ~]# docker tag busybox 192.168.10.146:5000/busybox:latest
# Try to push; the client defaults to HTTPS and the registry only speaks HTTP, so it fails
[root@docker_house ~]# docker push 192.168.10.146:5000/busybox:latest
The push refers to repository [192.168.10.146:5000/busybox]
Get "https://192.168.10.146:5000/v2/": http: server gave HTTP response to HTTPS client
The push fails because the Docker client defaults to HTTPS while the registry is serving plain HTTP. To allow plain HTTP for this one registry, change the Docker daemon start-up parameters:
[root@docker_house ~]# cat /usr/lib/systemd/system/docker.service
[Unit]
Description=Docker Application Container Engine
Documentation=https://docs.docker.com
After=network-online.target docker.socket firewalld.service containerd.service time-set.target
Wants=network-online.target containerd.service
Requires=docker.socket
[Service]
Type=notify
# the default is not to use systemd for cgroups because the delegate issues still
# exists and systemd currently does not support the cgroup feature set required
# for containers run by docker
ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock
ExecReload=/bin/kill -s HUP $MAINPID
TimeoutStartSec=0
RestartSec=2
Restart=always
# Note that StartLimit* options were moved from "Service" to "Unit" in systemd 229.
# Both the old, and new location are accepted by systemd 229 and up, so using the old location
# to make them work for either version of systemd.
StartLimitBurst=3
# Note that StartLimitInterval was renamed to StartLimitIntervalSec in systemd 230.
# Both the old, and new name are accepted by systemd 230 and up, so using the old name to make
# this option work for either version of systemd.
StartLimitInterval=60s
# Having non-zero Limit*s causes performance problems due to accounting overhead
# in the kernel. We recommend using cgroups to do container-local accounting.
LimitNPROC=infinity
LimitCORE=infinity
# Older systemd versions default to a LimitNOFILE of 1024:1024, which is insufficient for many
# applications including dockerd itself and will be inherited. Raise the hard limit, while
# preserving the soft limit for select(2).
LimitNOFILE=1024:524288
# Comment TasksMax if your systemd version does not support it.
# Only systemd 226 and above support this option.
TasksMax=infinity
# set delegate yes so that systemd does not reset the cgroups of docker containers
Delegate=yes
# kill only the docker process, not all processes in the cgroup
KillMode=process
OOMScoreAdjust=-500
[Install]
WantedBy=multi-user.target
After ExecStart=/usr/bin/dockerd add --insecure-registry <registry-IP>:5000, for example:
ExecStart=/usr/bin/dockerd --insecure-registry 192.168.10.146:5000 -H fd:// --containerd=/run/containerd/containerd.sock
[root@docker_house ~]# vi /usr/lib/systemd/system/docker.service
[root@docker_house ~]# systemctl daemon-reload
[root@docker_house ~]# systemctl restart docker
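The edit above is done by hand with vi. The following script is an added example (not part of the original post) that makes the same change idempotently and, more importantly for review, lists which registries a given unit file allows over plain HTTP, since every --insecure-registry entry is a host the daemon will push credentials and images to without TLS. It works on a constructed copy of the unit file; the file paths and the helper names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): manage the --insecure-registry
# flag on a docker.service ExecStart line without hand-editing, and list which
# registries the daemon will talk to over plain HTTP. Paths are passed in, so
# it can be tried on a copy; the real unit is /usr/lib/systemd/system/docker.service.

# Write a constructed unit file that mirrors the ExecStart line in the post.
make_sample_unit() {
  cat > "$1" <<'EOF'
[Service]
Type=notify
ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock
[Install]
WantedBy=multi-user.target
EOF
}

# Print each host:port that ExecStart marks as insecure, one per line.
# Handles both "--insecure-registry HOST:PORT" and "--insecure-registry=HOST:PORT".
list_insecure_registries() {
  awk '/^ExecStart=/ {
    for (i = 1; i <= NF; i++) {
      if ($i == "--insecure-registry") print $(i + 1)
      else if ($i ~ /^--insecure-registry=/) { sub(/^--insecure-registry=/, "", $i); print $i }
    }
  }' "$1"
}

# Add the flag right after /usr/bin/dockerd, exactly where the post puts it,
# but only if that registry is not already listed (safe to re-run).
add_insecure_registry() {
  file=$1
  reg=$2
  if list_insecure_registries "$file" | grep -qxF -- "$reg"; then
    return 0
  fi
  sed "s|^\(ExecStart=/usr/bin/dockerd\)|\1 --insecure-registry $reg|" "$file" > "$file.tmp" \
    && mv "$file.tmp" "$file"
}

# Demo on a temporary copy; after changing the real unit you still need
# "systemctl daemon-reload && systemctl restart docker" as in the post.
tmpdir=$(mktemp -d)
make_sample_unit "$tmpdir/docker.service"
add_insecure_registry "$tmpdir/docker.service" 192.168.10.146:5000
add_insecure_registry "$tmpdir/docker.service" 192.168.10.146:5000   # no-op the second time
echo "Registries reachable over plain HTTP:"
list_insecure_registries "$tmpdir/docker.service"
grep '^ExecStart=' "$tmpdir/docker.service"
rm -rf "$tmpdir"
```

The documented alternative to editing the unit file is /etc/docker/daemon.json with an "insecure-registries" list; the audit function above is useful either way, because a unit file edited by hand is easy to forget when the registry later gets a proper certificate.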
Push again
[root@docker_house ~]# docker push 192.168.10.146:5000/busybox:latest
The push refers to repository [192.168.10.146:5000/busybox]
01fd6df81c8e: Pushed
latest: digest: sha256:62ffc2ed7554e4c6d360bce40bbcf196573dd27c4ce080641a2c59867e732dee size: 527
The push succeeds.
Use curl to confirm that the image is now in the registry
[root@docker_house ~]# curl -X GET http://192.168.10.146:5000/v2/_catalog
{"repositories":["busybox"]}
# Delete the local copies of the image
[root@docker_house ~]# docker rmi busybox
Untagged: busybox:latest
Untagged: busybox@sha256:5acba83a746c7608ed544dc1533b87c737a0b0fb730301639a0179f9344b1678
[root@docker_house ~]# docker rmi 192.168.10.146:5000/busybox
Untagged: 192.168.10.146:5000/busybox:latest
Untagged: 192.168.10.146:5000/busybox@sha256:62ffc2ed7554e4c6d360bce40bbcf196573dd27c4ce080641a2c59867e732dee
Deleted: sha256:beae173ccac6ad749f76713cf4440fe3d21d1043fe616dfbe30775815d1d0f6a
Deleted: sha256:01fd6df81c8ec7dd24bbbd72342671f41813f992999a3471b9d9cbc44ad88374
# Confirm that the busybox image is gone locally
[root@docker_house ~]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
hello-world latest d2c94e258dcb 10 months ago 13.3kB
registry latest b8604a3fe854 2 years ago 26.2MB
centos latest 5d0da3dc9764 2 years ago 231MB
# Try pulling from the private registry
[root@docker_house ~]# docker pull 192.168.10.146:5000/busybox:latest
latest: Pulling from busybox
5cc84ad355aa: Pull complete
Digest: sha256:62ffc2ed7554e4c6d360bce40bbcf196573dd27c4ce080641a2c59867e732dee
Status: Downloaded newer image for 192.168.10.146:5000/busybox:latest
192.168.10.146:5000/busybox:latest
# The pull succeeds
[root@docker_house ~]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
hello-world latest d2c94e258dcb 10 months ago 13.3kB
192.168.10.146:5000/busybox latest beae173ccac6 2 years ago 1.24MB
registry latest b8604a3fe854 2 years ago 26.2MB
centos latest 5d0da3dc9764 2 years ago 231MB
Using a TLS certificate
(1) Generate a self-signed certificate with openssl
# Normally a certificate only covers a domain name; to make it valid for IP-address access as well, edit openssl.cnf.
# On RHEL 7 the file is /etc/pki/tls/openssl.cnf. In its [ v3_ca ] section, add a subjectAltName entry:
[ v3_ca ]
subjectAltName = DNS:registry.mstg.top
[root@docker_house ~]# mkdir -p /opt/docker/registry/certs
[root@docker_house ~]# openssl req -newkey rsa:4096 -nodes -sha256 -keyout /opt/docker/registry/certs/domain.key -x509 -days 365 -out /opt/docker/registry/certs/domain.crt
Generating a 4096 bit RSA private key
..........................................................................++
......................................++
writing new private key to '/opt/docker/registry/certs/domain.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
# Country
Country Name (2 letter code) [XX]:cn
# Province
State or Province Name (full name) []:bj
# City
Locality Name (eg, city) [Default City]:bj
# Company name
Organization Name (eg, company) [Default Company Ltd]:mstg
# Department
Organizational Unit Name (eg, section) []:mstg
# Certificate name (the registry hostname)
Common Name (eg, your name or your server's hostname) []:registry.mstg.top
# Email
Email Address []:[email protected]
(2) Create the registry container with the TLS certificate
docker run -it -d \
-p 5000:5000 \
-v /opt/docker/registry/certs/:/certs/ \
-e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt \
-e REGISTRY_HTTP_TLS_KEY=/certs/domain.key \
--restart=always \
--name registry-TLS registry
(3) On the Docker client, set up name resolution for the registry and create a directory named after the registry host and port
[root@docker_house ~]# cat /etc/hosts
192.168.10.146 registry.mstg.top
[root@docker ~]# cat /etc/hosts
192.168.10.146 registry.mstg.top
# Create the directory named after the registry host and port
[root@docker ~]# mkdir /etc/docker/certs.d
[root@docker ~]# cd /etc/docker/certs.d/
[root@docker certs.d]# mkdir registry.mstg.top:5000
(4) Copy the certificate domain.crt to the Docker host that will use the registry, into the /etc/docker/certs.d/registry.mstg.top:5000/ directory, for example:
[root@docker_house ~]# scp -r -p /opt/docker/registry/certs/domain.crt 192.168.10.145:/etc/docker/certs.d/registry.mstg.top:5000/ca.crt
The authenticity of host '192.168.10.145 (192.168.10.145)' can't be established.
ECDSA key fingerprint is SHA256:sDUmHE3tdNw/nMSv7faEmKXZeHy9srU01VOj77sAKQE.
ECDSA key fingerprint is MD5:07:f2:2e:90:62:64:b2:70:3a:1f:8b:f2:df:f6:81:80.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.10.145' (ECDSA) to the list of known hosts.
[email protected]'s password:
domain.crt 100% 2082 826.8KB/s 00:00
# On the client
[root@docker registry.mstg.top:5000]# pwd
/etc/docker/certs.d/registry.mstg.top:5000
[root@docker registry.mstg.top:5000]# ls
ca.crt
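Steps (1), (3) and (4) above are done interactively: the SAN is set by editing openssl.cnf, the DN is typed at the prompts, and the certificate is copied into certs.d by hand. The script below is an added example (not from the original post) that does the same non-interactively and then checks the result: it sets the SAN with openssl's -addext option (OpenSSL 1.1.1 or later) so that both the DNS name and the IP address from the table are covered, which is what the post's comment in (1) asks for, installs the certificate in the certs.d layout, and confirms that the CA file parses, verifies as a trust anchor and actually names the registry host. The directories and function names are this example's own; on a real client the directory is /etc/docker/certs.d.

```shell
#!/bin/sh
# Added example (not from the original post): generate the registry's
# self-signed certificate with a subjectAltName covering both the DNS name and
# the IP address via openssl's -addext (OpenSSL 1.1.1+), instead of editing
# openssl.cnf, then verify what the certificate actually contains and lay the
# CA file out the way the Docker client expects under certs.d.
# All directory arguments are chosen by the caller, so this can run in a scratch
# directory; on a real host the client directory is /etc/docker/certs.d.

# gen_registry_cert DIR DNSNAME IP
# A 2048-bit key keeps the demo quick; the post uses rsa:4096, which is fine too.
gen_registry_cert() {
  dir=$1 name=$2 ip=$3
  mkdir -p "$dir"
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -subj "/C=cn/ST=bj/L=bj/O=mstg/OU=mstg/CN=$name" \
    -addext "subjectAltName=DNS:$name,IP:$ip" \
    -keyout "$dir/domain.key" -out "$dir/domain.crt" 2>/dev/null
  chmod 600 "$dir/domain.key"   # the key never leaves the registry host
}

# cert_has_san CERT NEEDLE: true if NEEDLE (e.g. "DNS:registry.mstg.top" or
# "IP Address:192.168.10.146") appears in the certificate's SAN extension.
cert_has_san() {
  openssl x509 -in "$1" -noout -text | grep -A1 'Subject Alternative Name' | grep -qF -- "$2"
}

# install_client_ca CERT CERTS_D HOST:PORT
# Copies the certificate to CERTS_D/HOST:PORT/ca.crt, the layout the post's
# step (4) creates by hand with mkdir and scp.
install_client_ca() {
  mkdir -p "$2/$3"
  cp "$1" "$2/$3/ca.crt"
}

# check_client_ca CERTS_D HOST:PORT
# Confirms the CA file is present, parses as X.509, validates as a trust anchor
# for itself, and names the registry host in its SAN (docker checks the name
# it connected to against the SAN, so a CN-only certificate is not enough).
check_client_ca() {
  ca="$1/$2/ca.crt"
  host=${2%%:*}
  [ -f "$ca" ] || { echo "missing $ca"; return 1; }
  openssl verify -CAfile "$ca" "$ca" >/dev/null 2>&1 || { echo "$ca does not verify"; return 1; }
  cert_has_san "$ca" "DNS:$host" || { echo "$ca has no SAN for $host"; return 1; }
  echo "$ca ok for $2"
}

# Demo in a scratch directory.
work=$(mktemp -d)
gen_registry_cert "$work/certs" registry.mstg.top 192.168.10.146
install_client_ca "$work/certs/domain.crt" "$work/certs.d" registry.mstg.top:5000
check_client_ca "$work/certs.d" registry.mstg.top:5000
openssl x509 -in "$work/certs/domain.crt" -noout -subject -dates
rm -rf "$work"
```

Running check_client_ca on the client after the scp in step (4) catches the two mistakes that otherwise only show up as an opaque "x509: certificate signed by unknown authority" from docker push: a directory name that does not match host:port exactly, and a certificate whose SAN does not contain the name the client connects with.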
(5) docker_house is the registry host; next, push an image from Docker to the private registry, for example:
docker tag busybox:latest registry.mstg.top:5000/busybox:latest
The example above successfully pushes the Docker image to the private registry, with certificate verification turned off via the -k option.
Basic authentication
Create the username/password file
mkdir /opt/docker/registry/auth
htpasswd -Bb /opt/docker/registry/auth/htpasswd testuser testpassword
This sets the username to testuser
and the password to testpassword.
If the htpasswd command is not available, install it:
yum -y install httpd
# If the httpd package cannot be found, try the following command instead
yum --disableexcludes=all install -y httpd
Create the registry container
docker run -d \
-p 5000:5000 \
-v /opt/docker/registry/auth/:/auth \
-e "REGISTRY_AUTH=htpasswd" \
-e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" \
-e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd \
-v /opt/docker/registry/certs/:/certs/ \
-e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt \
-e REGISTRY_HTTP_TLS_KEY=/certs/domain.key \
--restart=always \
--name registry-TLS registry
Push an image from the client
[root@docker ~]# docker push registry.mstg.top:5000/busybox:latest
The push refers to repository [registry.mstg.top:5000/busybox]
01fd6df81c8e: Preparing
no basic auth credentials
The push fails because the client has no authentication credentials for this registry.
Log in with the username and password
[root@docker ~]# docker login registry.mstg.top:5000
Username: testuser
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
[root@docker ~]# docker push registry.mstg.top:5000/busybox:latest
The push refers to repository [registry.mstg.top:5000/busybox]
01fd6df81c8e: Pushed
latest: digest: sha256:62ffc2ed7554e4c6d360bce40bbcf196573dd27c4ce080641a2c59867e732dee size: 527
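Two things in this section deserve a check before the setup is left running. The registry's htpasswd backend accepts only bcrypt entries (which is why the post uses htpasswd -Bb), so a file created with plain htpasswd -b produces users who can never log in; and the WARNING printed by docker login means the credentials now sit base64-encoded in /root/.docker/config.json unless a credential helper is configured. The script below is an added example (not from the original post) that checks both on constructed sample files; the function names and the sample hashes are this example's own, and the bcrypt string is a placeholder with a valid prefix rather than a real hash.

```shell
#!/bin/sh
# Added example (not from the original post): two checks for the basic-auth
# setup. The registry's htpasswd backend only understands bcrypt entries, so
# a file produced with "htpasswd -b" (no -B, MD5/apr1 hash) leaves users
# unable to log in; and "docker login" stores credentials base64-encoded in
# config.json unless a credential helper (credsStore) is configured, which is
# what the WARNING in the post is about.
# File paths are arguments so the checks can run on constructed sample files.

# validate_htpasswd FILE: print every user whose hash is not bcrypt ($2a$/$2b$/$2y$)
# or who appears more than once; return 1 if anything is wrong.
validate_htpasswd() {
  status=0
  while IFS=: read -r user hash; do
    [ -n "$user" ] || continue
    case $hash in
      '$2a$'*|'$2b$'*|'$2y$'*) ;;
      *) echo "not bcrypt: $user"; status=1 ;;
    esac
  done < "$1"
  dups=$(cut -d: -f1 "$1" | sort | uniq -d)
  if [ -n "$dups" ]; then echo "duplicate users: $dups"; status=1; fi
  return $status
}

# docker_config_stores_plaintext CONFIG: return 0 if config.json keeps "auth"
# entries inline and neither credsStore nor credHelpers is configured.
docker_config_stores_plaintext() {
  grep -q '"auth"' "$1" && ! grep -qE '"(credsStore|credHelpers)"' "$1"
}

# Constructed samples. The bcrypt string is a placeholder with a valid prefix,
# not a real hash of any password; the second line is what "htpasswd -b"
# without -B produces. The "auth" value is base64 of testuser:testpassword,
# the credentials used in the post.
tmp=$(mktemp -d)
cat > "$tmp/htpasswd" <<'EOF'
testuser:$2y$05$PLACEHOLDERPLACEHOLDERPLACEHOLDERPLACEHOLDERPLACEHOLDE
olduser:$apr1$abcdefgh$PLACEHOLDERPLACEHOLDERP
EOF
cat > "$tmp/config.json" <<'EOF'
{
  "auths": {
    "registry.mstg.top:5000": {
      "auth": "dGVzdHVzZXI6dGVzdHBhc3N3b3Jk"
    }
  }
}
EOF
validate_htpasswd "$tmp/htpasswd" || echo "htpasswd needs fixing: regenerate the flagged users with htpasswd -Bb"
docker_config_stores_plaintext "$tmp/config.json" && echo "config.json stores credentials inline: configure a credential helper"
rm -rf "$tmp"
```

Run validate_htpasswd against /opt/docker/registry/auth/htpasswd on the registry host and docker_config_stores_plaintext against ~/.docker/config.json on every client that has run docker login; the second check is also a reasonable thing to add to a host-hardening baseline, since config.json is readable by anyone who can read the user's home directory.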