Cloud Computing: Docker -- Docker Hands-on Case Study -- Building a Private Registry Based on registry

Preface

This environment is built on CentOS 7.8 with Docker 19.03.13.
For the build steps, see "Building Docker-19.03.13".

Docker registries can be divided into private and public registries. For an enterprise, however, considering network transmission quality, bandwidth costs and the need to store data securely, images are usually kept in a private registry built inside the company. Below we walk through building a private registry based on the registry image.


Categories

  • Sponsor Registry: a third-party registry provided for customers and the Docker community;
  • mirror Registry: a third-party registry that only serves its customers, such as docker cn and the Alibaba Cloud image accelerator;
  • vendor Registry: a service vendor's registry, provided by the vendor that publishes the Docker images, such as the proprietary, paid registry offered by Red Hat;
  • private Registry: a registry provided by a private entity behind a firewall and an additional security layer; a self-built registry set up locally, which saves bandwidth

Environment preparation

  • Two Linux hosts with Docker deployed; for the exact configuration, see the "Building Docker-19.03.13" section
  • The two hostnames are servera.wan.host and serverb.wan.host,
    where servera is the image registry server and serverb is the registry client
  • Name resolution via the hosts file is configured

1. Building a private registry over HTTP

servera

Pull the registry image

[root@servera ~]# docker pull registry
[root@servera ~]# docker image ls
REPOSITORY          TAG                 IMAGE ID            CREATED             SIZE
registry            latest              2d4f4b5309b1        4 months ago        26.2MB

Run registry

[root@servera ~]# docker run -d --name registry_server -p 5000:5000 -v /data/registry:/var/lib/registry registry
a14df3d75467f1fffda6b2c5197cd2c98f3bd73f7c0a21170a77f24995779968

[root@servera ~]# docker ps
CONTAINER ID        IMAGE               COMMAND                  CREATED             STATUS              PORTS                    NAMES
a14df3d75467        registry            "/entrypoint.sh /etc…"   9 seconds ago       Up 8 seconds        0.0.0.0:5000->5000/tcp   registry_server

[root@servera ~]# netstat -lnutp | grep 5000
tcp6       0      0 :::5000                 :::*                    LISTEN      44473/docker-proxy 

serverb

Modify the Docker daemon configuration file and add servera to Docker's insecure-registries list

[root@serverb ~]# vim /etc/docker/daemon.json
{
  "registry-mirrors": ["https://docker.mirrors.ustc.edu.cn/"],
  "insecure-registries": ["servera:5000"]
}
[root@serverb ~]# systemctl restart docker

Tag an image: prepare an image to upload beforehand

[root@serverb ~]# docker image ls
REPOSITORY          TAG                 IMAGE ID            CREATED             SIZE
busybox             latest              f0b02e9d092d        3 weeks ago         1.23MB
[root@serverb ~]# docker tag busybox:latest servera.wan.host:5000/busybox:v1
[root@serverb ~]# docker image ls
REPOSITORY                      TAG                 IMAGE ID            CREATED             SIZE
busybox                         latest              f0b02e9d092d        3 weeks ago         1.23MB
servera.wan.host:5000/busybox   v1                  f0b02e9d092d        3 weeks ago         1.23MB

Upload (push) the image

[root@serverb ~]# docker push servera.wan.host:5000/busybox:v1 
The push refers to repository [servera.wan.host:5000/busybox]
d2421964bad1: Pushed 
v1: digest: sha256:c9249fdf56138f0d929e2080ae98ee9cb2946f71498fc1484288e6a935b5e5bc size: 527

View the image on servera

[root@servera ~]# ll /data/registry/docker/registry/v2/repositories/
total 0
drwxr-xr-x 5 root root 55 Nov  6 17:02 busybox

Test on serverb

Delete the local images, then pull the image and run it

[root@serverb ~]# docker rmi busybox:latest servera.wan.host:5000/busybox:v1 
Untagged: busybox:latest
Untagged: busybox@sha256:a9286defaba7b3a519d585ba0e37d0b2cbee74ebfe590960b0b1d6a5e97d1e1d
Untagged: servera.wan.host:5000/busybox:v1
Untagged: servera.wan.host:5000/busybox@sha256:c9249fdf56138f0d929e2080ae98ee9cb2946f71498fc1484288e6a935b5e5bc
Deleted: sha256:f0b02e9d092d905d0d87a8455a1ae3e9bb47b4aa3dc125125ca5cd10d6441c9f
Deleted: sha256:d2421964bad195c959ba147ad21626ccddc73a4f2638664ad1c07bd9df48a675

[root@serverb ~]# docker pull servera.wan.host:5000/busybox:v1
v1: Pulling from busybox
9758c28807f2: Pull complete 
Digest: sha256:c9249fdf56138f0d929e2080ae98ee9cb2946f71498fc1484288e6a935b5e5bc
Status: Downloaded newer image for servera.wan.host:5000/busybox:v1
servera.wan.host:5000/busybox:v1
[root@serverb ~]# docker run --rm -it --name busybox_test servera.wan.host:5000/busybox:v1 /bin/sh
/ # ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
4: eth0@if5: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 qdisc noqueue 
    link/ether 02:42:ac:11:00:02 brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.2/16 brd 172.17.255.255 scope global eth0
       valid_lft forever preferred_lft forever
/ # exit

2. Building a private registry over HTTPS

The hostnames and hosts-file resolution are already configured and are not demonstrated again here

servera

Generate the registry server's private key and certificate

[root@servera mnt]# mkdir -p /opt/certs
[root@servera mnt]# openssl req \
> -newkey rsa:4096 -nodes -sha256 -keyout /opt/certs/domain.key \
> -x509 -days 36500 -out /opt/certs/domain.crt
Generating a 4096 bit RSA private key
..............++
...........................................................................++
writing new private key to '/opt/certs/domain.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:SHAN`XI   
Locality Name (eg, city) [Default City]:XI`AN
Organization Name (eg, company) [Default Company Ltd]:SCHOLL
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:servera.wan.host
Email Address []:wan@123.com

[root@servera mnt]# ll /opt/certs/
total 8
-rw-r--r-- 1 root root 2098 Nov  6 17:12 domain.crt
-rw-r--r-- 1 root root 3268 Nov  6 17:12 domain.key
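The interactive openssl req above produces a certificate whose hostname appears only in the Common Name; Docker clients built with Go 1.15 or later reject such certificates ("certificate relies on legacy Common Name field") and require a subjectAltName. As an added example, not from the original post, the following shell functions generate an equivalent certificate with a DNS SAN and check it; the output directory and hostname are parameters, the subject fields reuse the page's values, and a one-year validity replaces the page's 36500 days.

```shell
#!/bin/sh
# Added example, not from the original post: generate a self-signed registry
# certificate that carries a subjectAltName (SAN) and check it afterwards.
# A config file is used instead of "openssl req -addext" so that it also
# works with the OpenSSL 1.0.2 that CentOS 7 ships.

# gen_registry_cert <output_dir> <registry_hostname>
gen_registry_cert() {
  dir=$1
  host=$2
  mkdir -p "$dir"
  # Subject fields follow the page (CN = the registry hostname); the SAN is
  # what current Docker/Go clients match the hostname against.
  cat > "$dir/san.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_req
[dn]
C = CN
O = SCHOLL
CN = $host
[v3_req]
subjectAltName = DNS:$host
extendedKeyUsage = serverAuth
EOF
  openssl req -newkey rsa:4096 -nodes -sha256 -x509 -days 365 \
    -config "$dir/san.cnf" \
    -keyout "$dir/domain.key" -out "$dir/domain.crt" >/dev/null 2>&1 || return 1
  # Only the registry process needs the private key; do not leave it
  # world-readable as in the "-rw-r--r--" listing above.
  chmod 600 "$dir/domain.key"
}

# cert_has_san <crt> <hostname>: 0 if the hostname is a DNS SAN entry,
# 1 for a CN-only certificate such as the one the interactive prompts produce.
cert_has_san() {
  openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"
}

# cert_valid_for_days <crt> <days>: 0 if the certificate is still valid that
# many days from now, 1 if it expires sooner (a one-year certificate will
# eventually trip this, so plan for rotation on both servera and serverb).
cert_valid_for_days() {
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}
```

After generation, the same domain.crt is copied to /etc/docker/certs.d/servera.wan.host/ca.crt on every client exactly as the serverb steps below show.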

Start the Docker registry

Image data is stored locally in /mnt/registry
The registry key and certificate files are stored locally in /opt/certs

[root@servera mnt]# docker run -d \
>   --restart=always \
>   --name registry \
>   -v /opt/certs:/certs \
>   -v /mnt/registry:/var/lib/registry \
>   -e REGISTRY_HTTP_ADDR=0.0.0.0:443 \
>   -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt \
>   -e REGISTRY_HTTP_TLS_KEY=/certs/domain.key \
>   -p 443:443 \
>   registry
4503a20f9b1f4cf3bdad8fbaf4cff417765ef3fee624f0fb40503c6ede422d10

[root@servera mnt]# docker ps
CONTAINER ID        IMAGE               COMMAND                  CREATED             STATUS              PORTS                            NAMES
4503a20f9b1f        registry            "/entrypoint.sh /etc…"   2 minutes ago       Up 2 minutes        0.0.0.0:443->443/tcp, 5000/tcp   registry
7d6eaa8aac44        registry            "/entrypoint.sh /etc…"   15 minutes ago      Up 15 minutes       0.0.0.0:5000->5000/tcp           registry_server
[root@servera mnt]# 

serverb

Copy the certificate file to serverb

[root@serverb ~]# mkdir /etc/docker/certs.d/servera.wan.host -p
[root@serverb ~]# scp servera:/opt/certs/domain.crt /etc/docker/certs.d/servera.wan.host/ca.crt
The authenticity of host 'servera (192.168.5.11)' can't be established.
ECDSA key fingerprint is SHA256:8KoAXpPVTPc8T4wS2TQoTrAcVmbrZUqiI0UQ4L56zCQ.
ECDSA key fingerprint is MD5:48:a8:5d:58:f3:a7:c6:9b:b8:11:1a:1c:09:a8:55:04.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'servera,192.168.5.11' (ECDSA) to the list of known hosts.
root@servera's password: 
domain.crt                                                                  100% 2098     2.3MB/s   00:00    
[root@serverb ~]# ll /etc/docker/certs.d/servera.wan.host/
total 8
-rw-r--r--. 1 root root 2098 Nov  6 17:21 ca.crt

Tag an image: prepare an image to upload beforehand
Note: a Docker registry defaults to HTTPS, so port 443 can be omitted here

[root@serverb ~]# docker tag busybox:latest servera.wan.host/busybox:v0.1
[root@serverb ~]# docker image ls
REPOSITORY                      TAG                 IMAGE ID            CREATED             SIZE
busybox                         latest              f0b02e9d092d        3 weeks ago         1.23MB
servera.wan.host/busybox        v0.1                f0b02e9d092d        3 weeks ago         1.23MB
servera.wan.host:5000/busybox   v1                  f0b02e9d092d        3 weeks ago         1.23MB

Upload (push) the image

[root@serverb ~]# docker push servera.wan.host/busybox:v0.1
The push refers to repository [servera.wan.host/busybox]
d2421964bad1: Pushed 
v0.1: digest: sha256:c9249fdf56138f0d929e2080ae98ee9cb2946f71498fc1484288e6a935b5e5bc size: 527

View the image on servera

[root@servera ~]# ll /mnt/registry/docker/registry/v2/repositories/
total 0
drwxr-xr-x 5 root root 55 Nov  6 17:24 busybox
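The two directory listings above (/data/registry and /mnt/registry, the host paths mounted at /var/lib/registry) are the registry's content-addressed store: every layer and manifest is kept under its own sha256 digest, so the store can be audited offline for tampering or corruption without going through the registry API. As an added example, not from the original post, the following shell functions recompute each blob's digest and resolve a tag to the manifest digest that docker push printed as "digest:"; the layout is the registry v2 filesystem driver's, and the repository and tag names used in the test are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: offline integrity check of the
# registry's content-addressed store. Input: the host directory that is
# bind-mounted at /var/lib/registry (/data/registry or /mnt/registry above).

# verify_registry_blobs <storage_root>
# Every blob lives at blobs/sha256/<xx>/<hex>/data, where <hex> is the
# sha256 of the file. Recompute it and report any mismatch. Returns 0 when
# all blobs verify, 1 otherwise.
verify_registry_blobs() {
  root="$1/docker/registry/v2/blobs/sha256"
  bad=0
  for data in "$root"/*/*/data; do
    [ -f "$data" ] || continue
    expected=$(basename "$(dirname "$data")")
    actual=$(sha256sum "$data" | cut -d' ' -f1)
    if [ "$expected" != "$actual" ]; then
      echo "MISMATCH: $data (expected $expected, got $actual)" >&2
      bad=1
    fi
  done
  return "$bad"
}

# tag_digest <storage_root> <repository> <tag>
# Prints the manifest digest the tag currently points to, i.e. the value
# "docker push" printed as "digest: sha256:...". Comparing it with the digest
# recorded at push time detects a tag that was silently re-pointed.
tag_digest() {
  cat "$1/docker/registry/v2/repositories/$2/_manifests/tags/$3/current/link"
}

# tag_manifest_ok <storage_root> <repository> <tag>
# 0 if the tag's manifest blob exists and its content matches the digest.
tag_manifest_ok() {
  digest=$(tag_digest "$1" "$2" "$3") || return 1
  hex=${digest#sha256:}
  data="$1/docker/registry/v2/blobs/sha256/$(printf %s "$hex" | cut -c1-2)/$hex/data"
  [ -f "$data" ] || return 1
  [ "$(sha256sum "$data" | cut -d' ' -f1)" = "$hex" ]
}
```

Run as root on servera, e.g. verify_registry_blobs /mnt/registry && tag_digest /mnt/registry busybox v0.1, and compare the printed digest with the one from the push output.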

Test on serverb

Delete the local images, then pull the image and run it

[root@serverb ~]# docker rmi servera.wan.host/busybox:v0.1 servera.wan.host:5000/busybox:v1 busybox:latest

[root@serverb ~]# docker pull servera.wan.host/busybox:v0.1
v0.1: Pulling from busybox
9758c28807f2: Pull complete 
Digest: sha256:c9249fdf56138f0d929e2080ae98ee9cb2946f71498fc1484288e6a935b5e5bc
Status: Downloaded newer image for servera.wan.host/busybox:v0.1
servera.wan.host/busybox:v0.1
[root@serverb ~]# docker image ls
REPOSITORY                 TAG                 IMAGE ID            CREATED             SIZE
servera.wan.host/busybox   v0.1                f0b02e9d092d        3 weeks ago         1.23MB
[root@serverb ~]# docker run --rm -d --name buxybox_test servera.wan.host/busybox:v0.1 /bin/sh
729e88416b9d8371619ef0c11f2963d462b10d18360c53c8000bd400b7bb437b
[root@serverb ~]# docker run --rm -it --name buxybox_test servera.wan.host/busybox:v0.1 /bin/sh
/ # ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
8: eth0@if9: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 qdisc noqueue 
    link/ether 02:42:ac:11:00:02 brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.2/16 brd 172.17.255.255 scope global eth0
       valid_lft forever preferred_lft forever
/ # exit

3. Managing the Docker registry through a web UI

Pull and run registry-web

[root@servera ~]# docker run -d -p 8080:8080 --name registry-web \
> --link registry \
> -e REGISTRY_URL=https://registry/v2 \
> -e REGISTRY_TRUST_ANY_SSL=true  \
> -e REGISTRY_NAME=localhost \
> hyper/docker-registry-web
Unable to find image 'hyper/docker-registry-web:latest' locally
latest: Pulling from hyper/docker-registry-web
04c996abc244: Pull complete 
d394d3da86fe: Pull complete 
bac77aae22d4: Pull complete 
b48b86b78e97: Pull complete 
09b3dd842bf5: Pull complete 
69f4c5394729: Pull complete 
b012980650e9: Pull complete 
7c7921c6fda1: Pull complete 
e20331c175ea: Pull complete 
40d5e82892a5: Pull complete 
a414fa9c865a: Pull complete 
0304ae3409f3: Pull complete 
13effc1a664f: Pull complete 
e5628d0e6f8c: Pull complete 
0b0e130a3a52: Pull complete 
d0c73ab65cd2: Pull complete 
240c0b145309: Pull complete 
f1fd6f874e5e: Pull complete 
40b5e021928e: Pull complete 
88a8c7267fbc: Pull complete 
f9371a03010e: Pull complete 
Digest: sha256:723ffa29aed2c51417d8bd32ac93a1cd0e7ef857a0099c1e1d7593c09f7910ae
Status: Downloaded newer image for hyper/docker-registry-web:latest
6959b212f3244f185b8606c91884795b4c916f0af3edef98c479b259995f024

Open it in a browser:
http://192.168.5.11:8080/

[screenshots: the registry-web UI]

Copy the certificate (public key)

[root@servera ~]#  mkdir /etc/docker/certs.d/servera.wan.host -p
[root@servera ~]# cp /opt/certs/domain.crt /etc/docker/certs.d/servera.wan.host/ca.crt

Try tagging and uploading an image

[root@servera ~]# docker push servera.wan.host/docker-registry-web:v1 
The push refers to repository [servera.wan.host/docker-registry-web]
8779b4998d0c: Pushed 
9eb22ef427e2: Pushed 
64d1c65ea33e: Pushed 
d6c3b0e63834: Pushed 
1315f14832fa: Pushed 
d16096ccf0bb: Pushed 
463a4bd8f8c1: Pushed 
be44224e76b9: Pushed 
d96a8038b794: Pushed 
f469fc28e82e: Pushed 
8418a42306ef: Pushed 
03457c5158e2: Pushed 
7ef05f1204ee: Pushed 
f7049feabf0b: Pushed 
5ee52271b8b7: Pushed 
8b1153b14d3a: Pushed 
367b9c52c931: Pushed 
3567b2f05514: Pushed 
292a66992f77: Pushed 
641fcd2417bc: Pushed 
78ff13900d61: Pushed 
v1: digest: sha256:2c4f88572e1626792d3ceba6a5ee3ea99f1c3baee2a0e8aad56f0e7c3a6bf481 size: 4695

View in the browser: [screenshot: repository list in registry-web]
Inspect the docker-registry-web image further: [screenshot: image tags]
View the layer information of the docker-registry-web image: [screenshot: image layers]


Tip: servera and serverb must keep their clocks synchronized, so calibrate the system time before starting the exercise
