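Docker Local Registry

Creating a local registry

Docker officially packages the registry as an image, so deploying a registry only requires starting a container from it.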

[root@server1 ~]# docker load -i registry2.tar
[root@server1 ~]# docker images registry
[root@server1 ~]# docker run -d --name registry -p 5000:5000 -v /opt/registry:/var/lib/registry registry:2
[root@server1 ~]# docker ps
CONTAINER ID        IMAGE               COMMAND                  CREATED             STATUS              PORTS                    NAMES
2a5ededc0ac0        registry:2          "/entrypoint.sh /etc…"   7 seconds ago       Up 5 seconds        0.0.0.0:5000->5000/tcp   registry

Uploading a local image to the local registry

[root@server1 ~]# docker tag ubuntu:v1 localhost:5000/ubuntu    ## retag so the push goes to the local registry instead of the default one

[root@server1 ~]# docker images localhost:5000/ubuntu
REPOSITORY              TAG                 IMAGE ID            CREATED             SIZE
localhost:5000/ubuntu   latest              aa00ef2f4ef4        36 hours ago        188MB

[root@server1 ~]# docker push localhost:5000/ubuntu    ## push
The push refers to repository [localhost:5000/ubuntu]
d6eec047ed97: Pushed 
5f70bf18a086: Pushed 
11083b444c90: Pushed 
9468150a390c: Pushed 
56abdd66ba31: Pushed 
latest: digest: sha256:a5a2cfc712a616319f3e71e716f534c373b8cef1a8ec864cc15c2176ae17d507 size: 1358

View the stored data

[root@server1 ~]# cd /opt/registry/
[root@server1 registry]# ls
docker
[root@server1 v2]# yum install -y tree
[root@server1 registry]# tree docker

Pulling an image from the local registry

[root@server1 ~]# docker rmi -f ubuntu:v1
[root@server1 ~]# docker rmi -f localhost:5000/ubuntu
[root@server1 ~]# docker pull localhost:5000/ubuntu
[root@server1 ~]# docker tag localhost:5000/ubuntu ubuntu:v1
[root@server1 ~]# docker rmi localhost:5000/ubuntu
[root@server1 ~]# docker images
REPOSITORY          TAG                 IMAGE ID            CREATED             SIZE
ubuntu              v1                  aa00ef2f4ef4        37 hours ago        188MB
registry            2                   f32a97de94e1        2 months ago        25.8MB
game2048            latest              19299002fdbe        2 years ago         55.5MB
ubuntu              latest              07c86167cdc4        3 years ago         188MB
rhel7               latest              0a3eb3fde7fd        4 years ago         140MB

Encrypted upload (TLS)

1. Create the server key and certificate

[root@server1 ~]# cd /tmp/docker/
[root@server1 docker]# mkdir -p certs
[root@server1 docker]# openssl req -newkey rsa:4096 -nodes -sha256 -keyout certs/dzh.org.key -x509 -days 365 -out certs/dzh.org.crt
[root@server1 docker]# cd certs/
[root@server1 certs]# ls
dzh.org.crt  dzh.org.key

2. Add a local hosts entry

[root@server1 certs]# vim /etc/hosts
172.25.68.1 server1 dzh.org

3. Create the registry

[root@server1 docker]# docker rm -f registry
[root@server1 docker]# docker run -d --restart=always --name registry -v /tmp/docker/certs:/certs -e REGISTRY_HTTP_ADDR=0.0.0.0:443 -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/dzh.org.crt -e REGISTRY_HTTP_TLS_KEY=/certs/dzh.org.key -p 443:443 -v /opt/registry:/var/lib/registry registry:2

[root@server1 dzh.org]# docker ps
CONTAINER ID        IMAGE               COMMAND                  CREATED             STATUS              PORTS                            NAMES
4ae71b182aef        registry:2          "/entrypoint.sh /etc…"   11 minutes ago      Up 11 minutes       0.0.0.0:443->443/tcp, 5000/tcp   registry

4. Create the certificate directory and copy the certificate into it

[root@server1 docker]# cd /etc/docker/
[root@server1 docker]# ls
key.json
[root@server1 docker]# mkdir certs.d
[root@server1 docker]# cd certs.d/
[root@server1 certs.d]# mkdir dzh.org
[root@server1 certs.d]# cd dzh.org/
[root@server1 dzh.org]# cp /tmp/docker/certs/dzh.org.crt ca.crt

5. Import an image and push it to the private registry

[root@server1 dzh.org]# docker tag game2048:latest dzh.org/game2048
[root@server1 dzh.org]# docker push dzh.org/game2048

6. View the stored data

[root@server1 dzh.org]# cd /opt/registry/
[root@server1 registry]# tree docker/

Test:
server2

[root@server2 docker]# systemctl start docker
[root@server2 docker]# cd /etc/docker
[root@server2 docker]# mkdir certs.d
[root@server2 docker]# cd certs.d/
[root@server2 certs.d]# mkdir dzh.org

[root@server2 certs.d]# vim /etc/hosts
172.25.68.1 server1 dzh.org

[root@server2 certs.d]# docker pull dzh.org/game2048
Using default tag: latest
Error response from daemon: Get https://dzh.org/v2/: x509: certificate signed by unknown authority  ## the pull fails without the certificate

server1 copies the certificate to server2

[root@server1 ~]# cd /etc/docker/certs.d/dzh.org/
[root@server1 dzh.org]# ls
ca.crt
[root@server1 dzh.org]# scp ca.crt server2:/etc/docker/certs.d/dzh.org/
The authenticity of host 'server2 (172.25.68.2)' can't be established.
ECDSA key fingerprint is 22:48:a0:a7:b9:8f:b5:0c:31:fe:e9:9d:6c:59:61:d7.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'server2' (ECDSA) to the list of known hosts.
root@server2's password: 
ca.crt 

server2

[root@server2 certs.d]# docker pull dzh.org/game2048
Using default tag: latest
latest: Pulling from game2048
534e72e7cedc: Pull complete 
f62e2f6dfeef: Pull complete 
fe7db6293242: Pull complete 
3f120f6a2bf8: Pull complete 
4ba4e6930ea5: Pull complete 
Digest: sha256:8a34fb9cb168c420604b6e5d32ca6d412cb0d533a826b313b190535c03fe9390
Status: Downloaded newer image for dzh.org/game2048:latest

[root@server2 certs.d]# docker images
REPOSITORY          TAG                 IMAGE ID            CREATED             SIZE
dzh.org/game2048    latest              19299002fdbe        2 years ago         55.5MB
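
An added example, not part of the original post: a non-interactive form of step 1 that also puts the hostname in subjectAltName (Docker builds based on Go 1.15 or later reject certificates that carry the name only in the CN), with checks that the certificate matches dzh.org and that the ca.crt copied in step 4 is the same certificate. The function names, the scratch directory and the 2048-bit demo key are assumptions made here.

```sh
#!/bin/sh
# Added example, not from the original post. Function names, the scratch
# directory and the 2048-bit demo key are assumptions made for illustration.

# Non-interactive form of step 1: self-signed certificate with the registry
# hostname in subjectAltName; files are created readable by the owner only.
make_registry_cert() {   # usage: make_registry_cert HOST DIR [BITS]
    host=$1; dir=$2; bits=${3:-4096}
    mkdir -p "$dir" || return 1
    (
        umask 077
        openssl req -newkey "rsa:$bits" -nodes -sha256 -x509 -days 365 \
            -subj "/CN=$host" -addext "subjectAltName=DNS:$host" \
            -keyout "$dir/$host.key" -out "$dir/$host.crt" 2>/dev/null
    )
}

# Succeeds only if the certificate is valid for HOST.
cert_matches_host() {    # usage: cert_matches_host CRT HOST
    openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'
}

# SHA-256 fingerprint, for comparing a client's ca.crt with the server certificate.
cert_fingerprint() {     # usage: cert_fingerprint CRT
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Demo in a scratch directory (2048 bits only to keep the demo fast).
demo=$(mktemp -d)
make_registry_cert dzh.org "$demo/certs" 2048 || { echo "openssl failed" >&2; exit 1; }
mkdir -p "$demo/certs.d/dzh.org"
cp "$demo/certs/dzh.org.crt" "$demo/certs.d/dzh.org/ca.crt"   # mirrors step 4
cert_matches_host "$demo/certs/dzh.org.crt" dzh.org && echo "certificate is valid for dzh.org"
[ "$(cert_fingerprint "$demo/certs.d/dzh.org/ca.crt")" = \
  "$(cert_fingerprint "$demo/certs/dzh.org.crt")" ] && echo "client ca.crt matches the server certificate"
rm -rf "$demo"
```

Comparing the fingerprint on server2 with the one on server1 after the scp confirms that the client trusts exactly the certificate the registry serves.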
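
Setting up user authentication

Restrict access to the registry so that it can only be used after logging in with a username and password.

1. Set the user's password and view it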

[root@server1 dzh.org]# cd /tmp/docker/
[root@server1 docker]# mkdir auth
[root@server1 docker]# docker run --rm --entrypoint htpasswd registry:2 -Bbn dzh redhat > auth/htpasswd
[root@server1 docker]# cat auth/htpasswd 
dzh:$2y$05$Ll6rx9QTt355NVo.ZBb7OOMFyLbOSyvUfsm0h6/SYT95sisekSgDm

2. Create the registry

[root@server1 docker]# docker rm -f registry
[root@server1 docker]# docker run -d --restart=always --name registry -v /tmp/docker/certs:/certs -e REGISTRY_HTTP_ADDR=0.0.0.0:443 -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/dzh.org.crt -e REGISTRY_HTTP_TLS_KEY=/certs/dzh.org.key -p 443:443 -v /opt/registry:/var/lib/registry -v /tmp/docker/auth:/auth -e "REGISTRY_AUTH=htpasswd" -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd registry:2
[root@server1 docker]# docker ps
CONTAINER ID        IMAGE               COMMAND                  CREATED             STATUS              PORTS                            NAMES
aea2930811bf        registry:2          "/entrypoint.sh /etc…"   5 seconds ago       Up 4 seconds        0.0.0.0:443->443/tcp, 5000/tcp   registry

3. Log in to the registry and enter the username and password

[root@server1 docker]# docker login dzh.org
Username: dzh
Password: 
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded


# The saved credential can be seen in config.json (log in once, stored permanently)
[root@server1 docker]# cat /root/.docker/config.json
{
	"auths": {
		"dzh.org": {
			"auth": "ZHpoOnJlZGhhdA=="
		}
	},
	"HttpHeaders": {
		"User-Agent": "Docker-Client/18.06.1-ce (linux)"
	}
}

4. Pushing now works

[root@server1 docker]# docker tag ubuntu:v1 dzh.org/ubuntu
[root@server1 docker]# docker push dzh.org/ubuntu
The push refers to repository [dzh.org/ubuntu]
d6eec047ed97: Layer already exists 
5f70bf18a086: Layer already exists 
11083b444c90: Layer already exists 
9468150a390c: Layer already exists 
56abdd66ba31: Layer already exists 
latest: digest: sha256:a5a2cfc712a616319f3e71e716f534c373b8cef1a8ec864cc15c2176ae17d507 size: 1358

5. After logging out, pushing is no longer possible (the layers stay at "Preparing")

[root@server1 docker]# docker logout dzh.org
Removing login credentials for dzh.org
[root@server1 docker]# docker push dzh.org/ubuntu
The push refers to repository [dzh.org/ubuntu]
d6eec047ed97: Preparing 
5f70bf18a086: Preparing 
11083b444c90: Preparing 
9468150a390c: Preparing 
56abdd66ba31: Preparing 
no basic auth credentials
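
An added example, not part of the original post: the auth value that step 3 shows in config.json is only base64 of username:password, so this script lists such inline credentials (user and password length, never the password) and returns non-zero when any exist. The function names are assumptions made here, and the parser assumes the one-key-per-line layout that docker login writes.

```sh
#!/bin/sh
# Added example, not from the original post. Assumes the one-key-per-line
# config.json layout that `docker login` writes.

# Emit "registry base64" for each auths entry that has an inline "auth" value.
inline_auths() {
    awk -F'"' '
        /"auths"[ \t]*:/                          { in_auths = 1; next }
        in_auths && /"[^"]+"[ \t]*:[ \t]*[{]/     { host = $2; next }
        in_auths && /"auth"[ \t]*:/               { print host, $4 }
    ' "$1"
}

# Print one finding per stored credential; return 1 if any were found.
audit_docker_config() {
    findings=$(inline_auths "$1" | while read -r host b64; do
        [ -n "$b64" ] || continue
        decoded=$(printf '%s' "$b64" | base64 -d 2>/dev/null) || continue
        pass=${decoded#*:}          # everything after the first colon
        printf '%s user=%s password_length=%s\n' "$host" "${decoded%%:*}" "${#pass}"
    done)
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Constructed sample in the layout shown in step 3 (auth value taken from the post).
sample=$(mktemp)
cat > "$sample" <<'EOF'
{
    "auths": {
        "dzh.org": {
            "auth": "ZHpoOnJlZGhhdA=="
        }
    }
}
EOF
audit_docker_config "$sample" || echo "inline credential found: log out or configure a credential helper"
rm -f "$sample"
```

After docker logout, as in step 5, the same check on the real /root/.docker/config.json returns 0 because the dzh.org entry is gone.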
