Docker registries
A Docker registry exists to make image sharing convenient: images can be published on the official platform for other engineers to use, while private material can be kept in a private registry that is open only to people inside the company.
Docker's official registry
Docker's official site: https://hub.docker.com
Register an account on the site and log in.
Once registered, log in and click Create a Repository to create a repository.
Give the repository a name and click the Create button below it.
Uploading an image
Once the repository exists, how do we upload an image we built ourselves?
Logging in can be done from the command line.
[root@server1 ~]# docker login
Login with your Docker ID to push and pull images from Docker Hub. If you don't have a Docker ID, head over to https://hub.docker.com to create one.
Username: howei #account name
Password: #password
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded #login succeeded
After logging in, the image to be uploaded must first be tagged. busybox is used for the experiment here because it is small and uploads quickly.
Tagging rule: for everything except official images, the name takes the form username/image-name:tag.
[root@server1 ~]# docker tag busybox:latest howei/busybox:latest #busybox:latest is the image already present in the local Docker; howei/busybox:latest is my username/image-name:tag
[root@server1 ~]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
howei/busybox latest 59788edf1f3e 20 months ago 1.15MB
Push to Docker Hub
[root@server1 ~]# docker push howei/busybox:latest
#this command pushes the image into the repository of the logged-in account; because Docker Hub's servers are outside China, uploads may time out or be very slow
[root@server1 ~]# docker pull howei/busybox:latest #pull the image back from the repository
Images shared on Docker Hub can also be searched directly.
[root@server1 ~]# docker search busybox
NAME DESCRIPTION STARS OFFICIAL AUTOMATED
busybox Busybox base image. 1906 [OK] #official images carry only the image name, with no user prefix
progrium/busybox 71 [OK]
radial/busyboxplus Full-chain, Internet enabled, busybox made f… 30 [OK]
Private Docker registry
A private registry is, first, much faster to access and, second, more secure, since it is not completely public the way Docker Hub is; so we build our own registry to store images.
It is built using registry, the same image the official registry is built from.
Image mirror accelerator
First we use a registry mirror to speed up image access; the Aliyun mirror accelerator is used here.
Search for the Aliyun accelerator, open it, choose the console and log in to your account.
After logging in, choose the Container Registry service from the toolbar on the left.
Then choose Image Accelerator on the left; the page gives the configuration steps, which you follow as prompted.
[root@server1 ~]# mkdir -p /etc/docker
[root@server1 ~]# tee /etc/docker/daemon.json <<-'EOF'
> {
> "registry-mirrors": ["https://7yik1f5v.mirror.aliyuncs.com"]
> }
> EOF
{
"registry-mirrors": ["https://7yik1f5v.mirror.aliyuncs.com"]
}
[root@server1 ~]# systemctl daemon-reload
[root@server1 ~]# systemctl restart docker
After configuring it, pull an image again to test the speed.
[root@server1 ~]# docker pull nginx
Using default tag: latest
latest: Pulling from library/nginx
afb6ec6fdc1c: Pull complete
b90c53a0b692: Pull complete
11fa52a0fdc0: Pull complete
Digest: sha256:6fff55753e3b34e36e24e37039ee9eae1fe38a6420d8ae16ef37c92d1eb26699
Status: Downloaded newer image for nginx:latest
#once pulled, the image can be viewed directly with docker images
Building the registry
The registry image is also obtained with docker pull.
[root@server1 ~]# docker pull registry
Using default tag: latest
latest: Pulling from library/registry
486039affc0a: Pull complete
ba51a3b098e6: Pull complete
8bb4c43d6c8e: Pull complete
6f5f453e5f2d: Pull complete
42bc10b72f42: Pull complete
Digest: sha256:7d081088e4bfd632a88e3f3bcd9e007ef44a796fddfe3261407a3f9f04abe1e7
Status: Downloaded newer image for registry:latest
Look at the build history of the registry image
[root@server1 ~]# docker history registry:latest
IMAGE CREATED CREATED BY SIZE COMMENT
708bc6af7e5e 4 months ago /bin/sh -c #(nop) CMD ["/etc/docker/registr… 0B
<missing> 4 months ago /bin/sh -c #(nop) ENTRYPOINT ["/entrypoint.… 0B
<missing> 4 months ago /bin/sh -c #(nop) COPY file:507caa54f88c1f38… 155B
<missing> 4 months ago /bin/sh -c #(nop) EXPOSE 5000 #the port the image declares as open 0B
<missing> 4 months ago /bin/sh -c #(nop) VOLUME [/var/lib/registry] #the mount point declared inside the container 0B
<missing> 4 months ago /bin/sh -c #(nop) COPY file:4544cc1555469403… 295B
<missing> 4 months ago /bin/sh -c #(nop) COPY file:21256ff7df5369f7… 20.1MB
<missing> 4 months ago /bin/sh -c set -ex && apk add --no-cache… 1.28MB
<missing> 4 months ago /bin/sh -c #(nop) CMD ["/bin/sh"] 0B
<missing> 4 months ago /bin/sh -c #(nop) ADD file:e38375b009a2e2c9b… 4.41MB
So a port mapping must be set up when it is run; after it starts, check whether local port 5000 is listening.
[root@server1 ~]# docker run -d -p 5000:5000 --name registry registry
[root@server1 ~]# netstat -ntlp
tcp6 0 0 :::5000 :::* LISTEN 10470/docker-proxy
Upload an image to the registry
[root@server1 ~]# docker tag nginx:latest localhost:5000/nginx:latest #tag it
[root@server1 ~]# docker push localhost:5000/nginx #upload the image
The push refers to repository [localhost:5000/nginx]
6c7de695ede3: Pushed
2f4accd375d9: Pushed
ffc9b21953f4: Pushed
latest: digest: sha256:8269a7352a7dad1f8b3dc83284f195bac72027dd50279422d363d49311ab7d9b size: 948
6c7de695ede3: Layer already exists
2f4accd375d9: Layer already exists
ffc9b21953f4: Layer already exists
latest: digest: sha256:8269a7352a7dad1f8b3dc83284f195bac72027dd50279422d363d49311ab7d9b size: 948
After a successful upload it can be seen by querying the port.
[root@server1 ~]# curl localhost:5000/v2/_catalog
{"repositories":["nginx"]}
#it can also be seen in the locally mounted directory; the string after volumes is the volume ID generated when registry was run
[root@server1 ~]# ls /var/lib/docker/volumes/fab78f6655bf6463c339fc0ce77989afd28577f630893168309a590caee5840b/_data/docker/registry/v2/repositories/nginx
At this point the registry is set up, but it is inconvenient to operate from the command line, and remote connections must go over TLS, otherwise the username and password travel in plaintext, which is insecure.
Configuring TLS for registry
https://docs.docker.com/registry/insecure
The procedure can be found at the link above.
First create the certificate.
[root@server1 ~]# mkdir -p certs #create the directory
[root@server1 ~]# openssl req \ #generate a self-signed certificate
> -newkey rsa:4096 -nodes -sha256 -keyout certs/test.com.key \
> -x509 -days 365 -out certs/test.com.crt
Generating a 4096 bit RSA private key
......................................................................................................................................................................................................................................................++
.......................................................++
writing new private key to 'certs/test.com.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:SHAANXI
Locality Name (eg, city) [Default City]:Xi'an
Organization Name (eg, company) [Default Company Ltd]:test
Organizational Unit Name (eg, section) []:Linux
Common Name (eg, your name or your server's hostname) []:test.com
Email Address []:root@test.com
[root@server1 ~]# ls certs/ #the generated certificate and key are stored in the certs directory
test.com.crt test.com.key
The registry has to be recreated.
[root@server1 ~]# docker rm -f registry
Enabling TLS
[root@server1 ~]# docker run -d \
> --restart=always \ #start the container automatically on boot
> --name registry \
> -v "$(pwd)"/certs:/certs \ #mount the certificate directory into the container
> -e REGISTRY_HTTP_ADDR=0.0.0.0:443 \ #-e sets an environment variable for the container; this one sets the listen address and port
> -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/test.com.crt \ #the certificate
> -e REGISTRY_HTTP_TLS_KEY=/certs/test.com.key \ #the private key
> -p 443:443 \ #port mapping
> registry #image name
Copy the certificate to /etc/docker/certs.d/test.com, where test.com is the domain name given when the certificate was created.
[root@server1 ~]# mkdir -p /etc/docker/certs.d/test.com
[root@server1 ~]# cp certs/test.com.crt /etc/docker/certs.d/test.com/ca.crt
Configure name resolution: communication uses the domain name by default, so add an entry for it in /etc/hosts.
Then we can tag and upload the image.
[root@server1 ~]# docker tag nginx:latest test.com/nginx:latest #in place of the username, the tag uses the domain name set in the certificate
[root@server1 ~]# docker images
test.com/nginx latest 9beeba249f3e 2 weeks ago 127MB
[root@server1 ~]# docker push test.com/nginx #上传镜像
The push refers to repository [test.com/nginx]
6c7de695ede3: Pushed
2f4accd375d9: Pushed
ffc9b21953f4: Pushed
latest: digest: sha256:8269a7352a7dad1f8b3dc83284f195bac72027dd50279422d363d49311ab7d9b size: 948
Adding user authentication to the Docker registry
Reference configuration: https://docs.docker.com/registry/deploying/#get-a-certificate
Create an authenticated user
[root@server1 ~]# mkdir auth #directory for storing the user credentials
[root@server1 ~]# docker run --entrypoint htpasswd registry:2 -Bbn admin redhat > auth/htpasswd #create the user entry
Unable to find image 'registry:2' locally
2: Pulling from library/registry
Digest: sha256:7d081088e4bfd632a88e3f3bcd9e007ef44a796fddfe3261407a3f9f04abe1e7
Status: Downloaded newer image for registry:2
[root@server1 ~]# cat auth/htpasswd #the admin user has been created
admin:$2y$05$969bYSmky5MCuwyGg6shBuL4QYCzrRHM6xVypyldXhRtnpgWeQoQm
[root@server1 ~]# docker rm -f registry #remove the running registry container once done with it
Add another authenticated user
[root@server1 ~]# docker run --rm --entrypoint htpasswd registry -Bbn test1 redhat >> auth/htpasswd
[root@server1 ~]# cat auth/htpasswd
admin:$2y$05$969bYSmky5MCuwyGg6shBuL4QYCzrRHM6xVypyldXhRtnpgWeQoQm
test1:$2y$05$X/jBjfpOjpD9KfCGMp/.FeHVRY7DC58JRwVrjHrR3tV4tjk47Zr.O
Start the registry with basic authentication enabled.
[root@server1 ~]# docker run -d \
> --restart=always \
> --name registry \
> -v "$(pwd)"/certs:/certs \
> -e REGISTRY_HTTP_ADDR=0.0.0.0:443 \
> -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/test.com.crt \ #certificate location
> -e REGISTRY_HTTP_TLS_KEY=/certs/test.com.key \ #key location
> -p 443:443 \
> -v "$(pwd)"/auth:/auth \
> -e "REGISTRY_AUTH=htpasswd" \
> -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" \
> -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd \
> registry
Once it is up, test logging in.
[root@server1 ~]# docker login test.com #log in to test.com
Username: admin #the authenticated user name
Password: #password
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded #login succeeded
From now on, pushing and pulling images requires logging in as an authenticated user;
without logging in, the registry cannot be used.
[root@server1 ~]# docker logout test.com #log out of test.com
Removing login credentials for test.com
[root@server1 ~]# docker push test.com/nginx #test uploading the image
The push refers to repository [test.com/nginx]
6c7de695ede3: Preparing
2f4accd375d9: Preparing
ffc9b21953f4: Preparing
no basic auth credentials #no basic authentication credentials were supplied
After logging in, the upload works normally.
[root@server1 ~]# docker login test.com
Username: admin
Password:
Login Succeeded
[root@server1 ~]# docker push test.com/nginx
The push refers to repository [test.com/nginx]
6c7de695ede3: Pushed
2f4accd375d9: Pushed
ffc9b21953f4: Pushed
latest: digest: sha256:8269a7352a7dad1f8b3dc83284f195bac72027dd50279422d363d49311ab7d9b size: 948
Connecting to the registry from a remote host
The registry we built is generally for people inside the company, and they cannot all use your machine, so remote access to the registry must be configured.
Bring up a second host, server2, and first install Docker from these packages:
containerd.io-1.2.5-3.1.el7.x86_64.rpm
docker-ce-18.09.6-3.el7.x86_64.rpm
container-selinux-2.21-1.el7.noarch.rpm
docker-ce-cli-18.09.6-3.el7.x86_64.rpm
Configure name resolution
[root@server2 ~]# vim /etc/hosts
172.25.254.1 server1 test.com
Send the certificate to server2; login is impossible without it. Note that the certs.d directory itself must be copied over too.
[root@server1 ~]# scp -r /etc/docker/certs.d server2:/etc/docker/
root@server2's password:
ca.crt 100% 2078 1.8MB/s 00:00
Start the Docker service and log in to the registry
[root@server2 ~]# systemctl start docker.service
[root@server2 ~]# docker login test.com #log in
Username: admin
Password:
Login Succeeded
[root@server2 ~]# docker pull test.com/nginx #pull the image
Using default tag: latest
latest: Pulling from nginx
afb6ec6fdc1c: Pull complete
b90c53a0b692: Pull complete
11fa52a0fdc0: Pull complete
Digest: sha256:8269a7352a7dad1f8b3dc83284f195bac72027dd50279422d363d49311ab7d9b
Status: Downloaded newer image for test.com/nginx:latest
[root@server2 ~]# docker images #check that the image was pulled
REPOSITORY TAG IMAGE ID CREATED SIZE
test.com/nginx latest 9beeba249f3e 2 weeks ago 127MB
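Added here as an example, not code from the original post: a POSIX shell audit of a client host such as server2 after the steps above. It checks the /etc/hosts entry for the registry, the ca.crt under /etc/docker/certs.d/<host>/, and whether config.json still stores the inline base64 login that the "stored unencrypted" warning from docker login refers to. ROOT, make_fixture and the sample files are assumptions constructed for the demo; on a real host leave ROOT empty.

```shell
# Added example (not from the original post): audit a Docker client such as
# server2 after following this guide. Checks the /etc/hosts entry, the CA at
# /etc/docker/certs.d/<host>/ca.crt, and whether config.json still keeps an
# inline base64 "auth" token (the "stored unencrypted" warning) with no credsStore.
# ROOT is a hypothetical prefix so the checks can run on a staging tree; empty on a real host.
ROOT=${ROOT:-}

# 0 if host $1 appears in $ROOT/etc/hosts (comment lines ignored)
hosts_has() {
    awk -v h="$1" '$1 !~ /^#/ { for (i = 2; i <= NF; i++) if ($i == h) f = 1 } END { exit !f }' "$ROOT/etc/hosts"
}

# 0 if a non-empty per-registry CA file is installed for host $1
ca_installed() { [ -s "$ROOT/etc/docker/certs.d/$1/ca.crt" ]; }

# Print "host user" for each registry whose login is stored inline in config $1;
# returns 1 with no output when a credential helper (credsStore) is configured.
plaintext_logins() {
    grep -q '"credsStore"' "$1" && return 1
    tr -d ' \t\n' < "$1" | grep -o '"[^"]*":{"auth":"[^"]*"[^}]*}' |
    while IFS= read -r entry; do
        host=${entry#\"}; host=${host%%\"*}
        tok=${entry##*\"auth\":\"}; tok=${tok%%\"*}
        # the token is just base64(user:password): readable by anyone who can read the file
        printf '%s %s\n' "$host" "$(printf '%s' "$tok" | base64 -d | cut -d: -f1)"
    done
}
# Constructed staging tree mirroring server2 after "docker login test.com"
# (YWRtaW46cmVkaGF0 is base64 of admin:redhat, the credentials used above)
make_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/etc/docker/certs.d/test.com" "$d/root/.docker"
    printf '172.25.254.1 server1 test.com\n' > "$d/etc/hosts"
    printf 'PLACEHOLDER, not a real certificate\n' > "$d/etc/docker/certs.d/test.com/ca.crt"
    printf '{"auths":{"test.com":{"auth":"YWRtaW46cmVkaGF0"}},"HttpHeaders":{"User-Agent":"Docker-Client"}}\n' > "$d/root/.docker/config.json"
    printf '%s\n' "$d"
}
audit_host() {   # usage: audit_host <registry-host> <config.json>
    hosts_has "$1"    && echo "ok:   $1 is in $ROOT/etc/hosts" || echo "FAIL: $1 missing from $ROOT/etc/hosts"
    ca_installed "$1" && echo "ok:   CA installed for $1"      || echo "FAIL: no ca.crt for $1 under certs.d"
    if logins=$(plaintext_logins "$2") && [ -n "$logins" ]; then
        printf 'WARN: inline credentials in %s (configure a credential helper):\n      %s\n' "$2" "$logins"
    else
        echo "ok:   no inline credentials in $2"
    fi
}

ROOT=$(make_fixture)
audit_host test.com "$ROOT/root/.docker/config.json"
```

On the constructed tree the run reports the hosts entry and CA as present and warns about the inline admin login for test.com; pointing ROOT at an empty string audits the real host instead.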
Test run
[root@server2 ~]# docker run -d --name nginx -p 80:80 test.com/nginx #run the image
[root@server2 ~]# curl localhost #request the local web page
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>