搭建私有仓库
| 服务器名称 | ip地址 | 功能 |
|---|---|---|
| docker_house | 192.168.10.146 | Docker私有仓库 |
| docker | 192.168.10.145 | 客户机 |
拉取镜像
[root@docker_house ~]# docker pull registry
Using default tag: latest
latest: Pulling from library/registry
79e9f2f55bf5: Pull complete
0d96da54f60b: Pull complete
5b27040df4a2: Pull complete
e2ead8259a04: Pull complete
3790aef225b9: Pull complete
Digest: sha256:169211e20e2f2d5d115674681eb79d21a217b296b43374b8e39f97fcf866b375
Status: Downloaded newer image for registry:latest
docker.io/library/registry:latest运行仓库容器
[root@docker_house ~]# docker run -it -d -p 5000:5000 \
--restart=always \
--name registry registry
6d7f3bb7350cec3dd3b3b4eae9419b0f5e28d607d18b5ca4bef1d9e3f058feeb--restart=always 容器停止自动重启
#下载镜像
[root@docker_house ~]# docker pull busybox
Using default tag: latest
latest: Pulling from library/busybox
5cc84ad355aa: Pull complete
Digest: sha256:5acba83a746c7608ed544dc1533b87c737a0b0fb730301639a0179f9344b1678
Status: Downloaded newer image for busybox:latest
docker.io/library/busybox:latest
#修改tag到私有仓库
[root@docker_house ~]# docker tag busybox 192.168.10.146:5000/busybox:latest
#尝试推送,发现默认https不通
[root@docker_house ~]# docker push 192.168.10.146:5000/busybox:latest
The push refers to repository [192.168.10.146:5000/busybox]
Get "https://192.168.10.146:5000/v2/": http: server gave HTTP response to HTTPS client尝试推送,发现默认是https不通,修改docker启动参数,使用https
[root@docker_house ~]# cat /usr/lib/systemd/system/docker.service
[Unit]
Description=Docker Application Container Engine
Documentation=https://docs.docker.com
After=network-online.target docker.socket firewalld.service containerd.service time-set.target
Wants=network-online.target containerd.service
Requires=docker.socket
[Service]
Type=notify
# the default is not to use systemd for cgroups because the delegate issues still
# exists and systemd currently does not support the cgroup feature set required
# for containers run by docker
ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock
ExecReload=/bin/kill -s HUP $MAINPID
TimeoutStartSec=0
RestartSec=2
Restart=always
# Note that StartLimit* options were moved from "Service" to "Unit" in systemd 229.
# Both the old, and new location are accepted by systemd 229 and up, so using the old location
# to make them work for either version of systemd.
StartLimitBurst=3
# Note that StartLimitInterval was renamed to StartLimitIntervalSec in systemd 230.
# Both the old, and new name are accepted by systemd 230 and up, so using the old name to make
# this option work for either version of systemd.
StartLimitInterval=60s
# Having non-zero Limit*s causes performance problems due to accounting overhead
# in the kernel. We recommend using cgroups to do container-local accounting.
LimitNPROC=infinity
LimitCORE=infinity
# Older systemd versions default to a LimitNOFILE of 1024:1024, which is insufficient for many
# applications including dockerd itself and will be inherited. Raise the hard limit, while
# preserving the soft limit for select(2).
LimitNOFILE=1024:524288
# Comment TasksMax if your systemd version does not support it.
# Only systemd 226 and above support this option.
TasksMax=infinity
# set delegate yes so that systemd does not reset the cgroups of docker containers
Delegate=yes
# kill only the docker process, not all processes in the cgroup
KillMode=process
OOMScoreAdjust=-500
[Install]
WantedBy=multi-user.target在ExecStart=/usr/bin/dockerd 后添加 --insecure-registry 仓库IP地址:5000
例如:ExecStart=/usr/bin/dockerd --insecure-registry 192.168.10.146:5000 -H fd:// --containerd=/run/containerd/containerd.sock
[root@docker_house ~]# vi /usr/lib/systemd/system/docker.service
[root@docker_house ~]# systemctl daemon-reload
[root@docker_house ~]# systemctl restart docker再尝试推送
[root@docker_house ~]# docker push 192.168.10.146:5000/busybox:latest
The push refers to repository [192.168.10.146:5000/busybox]
01fd6df81c8e: Pushed
latest: digest: sha256:62ffc2ed7554e4c6d360bce40bbcf196573dd27c4ce080641a2c59867e732dee size: 527推送成功
使用curl查看镜像存在
[root@docker_house ~]# curl -X GET http://192.168.10.146:5000/v2/_catalog
{"repositories":["busybox"]}
#删除本地镜像
[root@docker_house ~]# docker rmi busybox
Untagged: busybox:latest
Untagged: busybox@sha256:5acba83a746c7608ed544dc1533b87c737a0b0fb730301639a0179f9344b1678
[root@docker_house ~]# docker rmi 192.168.10.146:5000/busybox镜像
Untagged: 192.168.10.146:5000/busybox:latest
Untagged: 192.168.10.146:5000/busybox@sha256:62ffc2ed7554e4c6d360bce40bbcf196573dd27c4ce080641a2c59867e732dee
Deleted: sha256:beae173ccac6ad749f76713cf4440fe3d21d1043fe616dfbe30775815d1d0f6a
Deleted: sha256:01fd6df81c8ec7dd24bbbd72342671f41813f992999a3471b9d9cbc44ad88374
#查看发现,本地已经删除了busybox镜像
[root@docker_house ~]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
hello-world latest d2c94e258dcb 10 months ago 13.3kB
registry latest b8604a3fe854 2 years ago 26.2MB
centos latest 5d0da3dc9764 2 years ago 231MB
#尝试从私有仓库拉取
[root@docker_house ~]# docker pull 192.168.10.146:5000/busybox:latest
latest: Pulling from busybox
5cc84ad355aa: Pull complete
Digest: sha256:62ffc2ed7554e4c6d360bce40bbcf196573dd27c4ce080641a2c59867e732dee
Status: Downloaded newer image for 192.168.10.146:5000/busybox:latest
192.168.10.146:5000/busybox:latest
#拉取成功
[root@docker_house ~]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
hello-world latest d2c94e258dcb 10 months ago 13.3kB
192.168.10.146:5000/busybox latest beae173ccac6 2 years ago 1.24MB
registry latest b8604a3fe854 2 years ago 26.2MB
centos latest 5d0da3dc9764 2 years ago 231MB使用TLS证书
(1)使用openssl生成私人证书文件
#一般情况下,证书只支持域名访问,要使其支持IP地址访问,需要修改配置文件openssl.cnf。
#在redhat7系统中,openssl.cnf文件所在位置是/etc/pki/tls/openssl.cnf。在其中的[ v3_ca]部分,添加subjectAltName选项:
[ v3_ca ]
subjectAltName = DNS:registry.mstg.top[root@docker_house ~]# mkdir -p /opt/docker/registry/certs
[root@docker_house ~]# openssl req -newkey rsa:4096 -nodes -sha256 -keyout /opt/docker/registry/certs/domain.key -x509 -days 365 -out /opt/docker/registry/certs/domain.crt
Generating a 4096 bit RSA private key
..........................................................................++
......................................++
writing new private key to '/opt/docker/registry/certs/domain.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
#国家
Country Name (2 letter code) [XX]:cn
#省
State or Province Name (full name) []:bj
#市
Locality Name (eg, city) [Default City]:bj
#公司名
Organization Name (eg, company) [Default Company Ltd]:mstg
#部门
Organizational Unit Name (eg, section) []:mstg
#证书名称
Common Name (eg, your name or your server's hostname) []:registry.mstg.top
#邮箱
Email Address []:[email protected](2)创建带有TLS证书仓库容器
docker run -it -d \
-p 5000:5000 \
-v /opt/docker/registry/certs/:/certs/ \
-e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt \
-e REGISTRY_HTTP_TLS_KEY=/certs/domain.key \
--restart=always \
--name registry-TLS registry(3)在使用的Docker客户端设置域名解析,创建域名相同的目录
[root@docker_house ~]# cat /etc/hosts
192.168.10.146 registry.mstg.top
[root@docker ~]# cat /etc/hosts
192.168.10.146 registry.mstg.top
#创建域名相同的目录
[root@docker ~]# mkdir /etc/docker/certs.d
[root@docker ~]# cd /etc/docker/certs.d/
[root@docker certs.d]# mkdir registry.mstg.top:5000(4)将证书damain.crt复制到要使用仓库的Docker宿主机,并放到/etc/docker/certs.d/registry.mstg.top:5000/目录下,示例代码如下:
[root@docker_house ~]# scp -r -p /opt/docker/registry/certs/domain.crt 192.168.10.145:/etc/docker/certs.d/registry.mstg.top:5000/ca.crt
The authenticity of host '192.168.10.145 (192.168.10.145)' can't be established.
ECDSA key fingerprint is SHA256:sDUmHE3tdNw/nMSv7faEmKXZeHy9srU01VOj77sAKQE.
ECDSA key fingerprint is MD5:07:f2:2e:90:62:64:b2:70:3a:1f:8b:f2:df:f6:81:80.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.10.145' (ECDSA) to the list of known hosts.
[email protected]'s password:
domain.crt 100% 2082 826.8KB/s 00:00
#客户机
[root@docker registry.mstg.top:5000]# pwd
/etc/docker/certs.d/registry.mstg.top:5000
[root@docker registry.mstg.top:5000]# ls
ca.crt(5)docker_house是仓库的宿主机,下面使用Docker推送镜像到私有仓库,示例代码如下:
docker tag busybox:latest registry.mstg.top:5000/busybox:latest以上示例成功将Docker中的镜像推送至私有仓库,并通过-k选项关闭了对证书的验证。
基本身份验证
创建用户密码文件
mkdir /opt/docker/registry/auth
htpasswd -Bb /opt/docker/registry/auth/htpasswd testuser testpassword设置用户名:testuser 密码:testpassword
如果命令没有,尝试安装
yum -y install httpd
#如果出现找不到httpd包,可尝试以下命令
yum --disableexcludes=all install -y httpd创建仓库容器
docker run -d \
-p 5000:5000 \
-v /opt/docker/registry/auth/:/auth \
-e "REGISTRY_AUTH=htpasswd" \
-e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" \
-e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd \
-v /opt/docker/registry/certs/:/certs/ \
-e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt \
-e REGISTRY_HTTP_TLS_KEY=/certs/domain.key \
--restart=always \
--name registry-TLS registry客户机推送镜像
[root@docker ~]# docker push registry.mstg.top:5000/busybox:latest
The push refers to repository [registry.mstg.top:5000/busybox]
01fd6df81c8e: Preparing
no basic auth credentials发现推送失败,原因是没有身份验证凭证
通过用户名密码登录
[root@docker ~]# docker login registry.mstg.top:5000
Username: testuser
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
[root@docker ~]# docker push registry.mstg.top:5000/busybox:latest
The push refers to repository [registry.mstg.top:5000/busybox]
01fd6df81c8e: Pushed
latest: digest: sha256:62ffc2ed7554e4c6d360bce40bbcf196573dd27c4ce080641a2c59867e732dee size: 527
Comments NOTHING