Docker repositories: building a private registry (Registry)

What is a Docker repository

  1. A Docker repository is where images are stored. Docker provides a registry server that holds multiple repositories, and each repository can contain multiple images with different tags.
  2. The default repository Docker uses is the public Docker Hub. Docker Hub is a public registry maintained by Docker Inc.; users can use it for free or pay for private repositories.

Using the public Registry

The most direct way to store and distribute images is Docker Hub.
1. Register an account on Docker Hub
2. Log in

[root@server1 docker]# docker login -u dangdangwestos
Password:  #password: dangdang
Login Succeeded

The warning below means that storing the password this way is a security problem:

[root@docker ~]# docker login -u dangdangwestos
Password: 
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

After authenticating once, the credentials are kept in the file .docker/config.json:

[root@docker ~]# cat .docker/config.json  
{
	"auths": {
		"https://index.docker.io/v1/": {
			"auth": "ZGFuZ2Rhbmd3ZXN0b3M6NjQ1MTkzMjM2"
		}
	},
	"HttpHeaders": {
		"User-Agent": "Docker-Client/18.09.6 (linux)"
	}
}

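The "auth" value above is only base64 of "username:password", which is exactly what the login warning is about. The following added example (not from the original post) audits a config.json and lists the registries whose stored credentials can be recovered in the clear; the sample config it uses is constructed.

```python
"""Audit a Docker config.json for credentials stored in the clear (added example)."""
import base64
import json
from typing import List, Tuple

# Constructed sample in the shape 'docker login' writes. The auth value is built
# here from a made-up "demo-user:demo-pass" pair, not a real credential. The
# empty entry for westos.org is what remains after 'docker logout' or when a
# credential helper holds the secret instead of the file.
SAMPLE_CONFIG = json.dumps({
    "auths": {
        "https://index.docker.io/v1/": {
            "auth": base64.b64encode(b"demo-user:demo-pass").decode()
        },
        "westos.org": {"auth": ""},
    },
    "HttpHeaders": {"User-Agent": "Docker-Client/18.09.6 (linux)"},
})


def plaintext_logins(config_text: str) -> List[Tuple[str, str]]:
    """Return (registry, username) for each entry whose password is recoverable.

    The password is decoded to prove the point but deliberately not returned,
    so the output of this audit is safe to paste into a ticket.
    """
    cfg = json.loads(config_text)
    found = []
    for registry, entry in cfg.get("auths", {}).items():
        blob = entry.get("auth", "")
        if not blob:  # nothing stored in the file for this registry
            continue
        user, sep, _password = base64.b64decode(blob).decode().partition(":")
        if sep:  # well-formed "user:password" blob
            found.append((registry, user))
    return found


if __name__ == "__main__":
    # Real use: plaintext_logins(open(os.path.expanduser("~/.docker/config.json")).read())
    for registry, user in plaintext_logins(SAMPLE_CONFIG):
        print(f"password for '{user}' at {registry} is stored unencrypted")
```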
3. Rename the image so that it matches your Docker Hub account
To tell images from different users apart, Docker Hub requires the username in the image name; the full format is [username]/xxx:tag.
We can search the official Docker repository with the command below.
It shows clearly that, apart from the official images, every other image has to be tagged the way Docker Hub requires.
Different people can upload different images.

[root@server3 ~]# docker search busybox
NAME                      DESCRIPTION                                     STARS               OFFICIAL            AUTOMATED
busybox                   Busybox base image.                             1658                [OK]                
progrium/busybox                                                          70                                      [OK]
radial/busyboxplus        Full-chain, Internet enabled, busybox made f…   24                                      [OK]
arm32v7/busybox           Busybox base image.                             7                                       
yauritux/busybox-curl     Busybox with CURL                               5                                       
armhf/busybox             Busybox base image.                             5                                       
arm64v8/busybox           Busybox base image.                             3                                       
aarch64/busybox           Busybox base image.                             2                                       
[root@docker ~]# docker search dangdangwestos #search my own images
NAME                               DESCRIPTION         STARS               OFFICIAL            AUTOMATED
dangdangwestos/rhel7-up                                0                                       
dangdangwestos/busybox                                 0                                       
dangdangwestos/rhel7-addifconfig                       0                                       
dangdangwestos/httpd                                   0                                       

4. Retag
Remember to change the tag before pushing.

[root@server3 ~]# docker tag busybox:latest dangdangwestos/busybox:latest

5. Push the image

[root@server3 ~]# docker push dangdangwestos/busybox
dangdangwestos/busybox         dangdangwestos/busybox:latest
[root@server3 ~]# docker push dangdangwestos/busybox:latest 
The push refers to repository [docker.io/dangdangwestos/busybox]
0d315111b484: Mounted from library/busybox 
latest: digest: sha256:895ab622e92e18d6b461d671081757af7dbaa3b00e3e28e12505af7817f73649 size: 527          

6. Pull the image
Docker checks the local images first; if the local copy already matches the remote digest, nothing is downloaded.

[root@server3 ~]# docker pull dangdangwestos/busybox:latest 
latest: Pulling from dangdangwestos/busybox
Digest: sha256:895ab622e92e18d6b461d671081757af7dbaa3b00e3e28e12505af7817f73649
Status: Image is up to date for dangdangwestos/busybox:latest

How the Registry works

What happens behind a docker pull or push
The index server mainly provides the image index and user authentication. When an image is downloaded, the client first authenticates against the index server, which looks up the address of the registry holding the image and returns it to the Docker client. The Docker client then downloads the image from that registry, and during the download the registry checks the validity of the client's token with the index. Different images can live on different registry servers, while all of their lookup information is held on the index server.
  3. index: maintains account information, image verification and the public namespace (it does not store the actual image layers)
     web UI
     metadata storage
     authentication service
     tokenization
  4. registry: the store for images and graphs; it has no local database and provides no user authentication
  5. registry client: Docker acts as the registry client, handling push and pull as well as client authorization

Scenario walkthrough

Docker Client —> index ----> registry
A: the user wants to obtain and download an image
B: the user wants to push an image to the registry (the index creates the im
Image acceleration: an Alibaba Cloud mirror can be used

Building a private registry (a local Registry)

Why build a private registry

Docker Hub is convenient, but it has some limitations, for example:

1. It requires an Internet connection, and downloads and uploads are slow
2. Images pushed to Docker Hub can be accessed by anyone
3. For security reasons, many organizations do not allow images to be placed on the public Internet

The solution is to run a local registry.
Docker has open-sourced the registry, and an official registry image is available on Docker Hub.

Setup steps

[root@server3 ~]# docker search registry
NAME                                DESCRIPTION                                     STARS               OFFICIAL            AUTOMATED
registry                            The Docker Registry 2.0 implementation for s…   2655                [OK]

Pull the image

[root@server3 ~]# docker pull registry #pull the latest version
Using default tag: latest
latest: Pulling from library/registry
c87736221ed0: Pull complete 
1cc8e0bb44df: Pull complete 
54d33bcb37f5: Pull complete 
e8afc091c171: Pull complete 
b4541f6d3db6: Pull complete 
Digest: sha256:8004747f1e8cd820a148fb7499d71a76d45ff66bac6a29129bfdbfdc0154d146
Status: Downloaded newer image for registry:latest

Check

[root@server3 ~]# docker images
registry                 latest              f32a97de94e1        5 months ago        25.8MB
[root@server3 ~]# docker history registry
IMAGE               CREATED             CREATED BY                                      SIZE                COMMENT
f32a97de94e1        5 months ago        /bin/sh -c #(nop)  CMD ["/etc/docker/registr…   0B                  
<missing>           5 months ago        /bin/sh -c #(nop)  ENTRYPOINT ["/entrypoint.…   0B                  
<missing>           5 months ago        /bin/sh -c #(nop) COPY file:507caa54f88c1f38…   155B                
<missing>           5 months ago        /bin/sh -c #(nop)  EXPOSE 5000                  0B                  
<missing>           5 months ago        /bin/sh -c #(nop)  VOLUME [/var/lib/registry]   0B                  
<missing>           5 months ago        /bin/sh -c #(nop) COPY file:4544cc1555469403…   295B                
<missing>           5 months ago        /bin/sh -c #(nop) COPY file:21256ff7df5369f7…   20.1MB              
<missing>           5 months ago        /bin/sh -c set -ex     && apk add --no-cache…   1.27MB              
<missing>           5 months ago        /bin/sh -c #(nop)  CMD ["/bin/sh"]              0B                  
<missing>           5 months ago        /bin/sh -c #(nop) ADD file:38bc6b51693b13d84…   4.41MB

Run it, mapping to port 5000 on the host

[root@server3 ~]# docker run -d --name registry -p 5000:5000 registry #publish the port on the host so it is reachable from outside
4579de1e48406e35648ade8a29f3dc38855d3ad84edca050c099d7b6a744c9c5

Inspect the container; you can see how it is tied to the local filesystem

[root@server3 ~]# docker inspect 4579de1e48406e35648ade8a29f3dc38855d3ad84edca050c099d7b6a744c9c5

 "Mounts": [
            {
                "Type": "volume",
                "Name": "37e8aed215b0812c9ca3f3b6018a52bec0029844a2cd7dd4a505a6772fbc7e52",
                "Source": "/var/lib/docker/volumes/37e8aed215b0812c9ca3f3b6018a52bec0029844a2cd7dd4a505a6772fbc7e52/_data",
                "Destination": "/var/lib/registry",
                "Driver": "local",
                "Mode": "",
                "RW": true,
                "Propagation": ""
            }
        ],
[root@server3 ~]# docker ps
CONTAINER ID        IMAGE               COMMAND                  CREATED             STATUS              PORTS                    NAMES
4579de1e4840        registry            "/entrypoint.sh /etc…"   54 seconds ago      Up 53 seconds       0.0.0.0:5000->5000/tcp   registry
[root@server3 ~]# netstat -antlpe
tcp6       0      0 :::5000                 :::*    

By default, images are pushed to Docker Hub.
Change the tag so that the push knows where to go.

[root@server3 ~]# docker tag nginx:v1 localhost:5000/nginx:v1
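The naming rule behind the retagging above (username prefix for Docker Hub, localhost:5000/... and westos.org/... for a private registry) can be made explicit in code. The following added example, not from the original post, resolves an image reference the way Docker does: the first path component is a registry host only if it contains a dot or a colon or is "localhost"; otherwise the push goes to docker.io, and a bare single-component name lives in the "library" namespace. Digest references ("@sha256:...") are deliberately not handled here.

```python
"""Resolve a Docker image reference to the registry a push/pull will target (added example)."""
from typing import NamedTuple

DEFAULT_REGISTRY = "docker.io"
DEFAULT_NAMESPACE = "library"
DEFAULT_TAG = "latest"


class ImageRef(NamedTuple):
    registry: str
    repository: str
    tag: str

    def __str__(self) -> str:
        return f"{self.registry}/{self.repository}:{self.tag}"


def parse_reference(ref: str) -> ImageRef:
    """Split 'name[:tag]' into (registry, repository, tag) using Docker's rule."""
    # A ':' after the last '/' is the tag separator; a ':' before it is a
    # registry port (localhost:5000), so split on the last '/' first.
    head, slash, last = ref.rpartition("/")
    if ":" in last:
        last, _, tag = last.partition(":")
    else:
        tag = DEFAULT_TAG
    parts = (head.split("/") if slash else []) + [last]
    first = parts[0]
    # Only a component that looks like a host is treated as a registry.
    if len(parts) > 1 and ("." in first or ":" in first or first == "localhost"):
        registry, repo_parts = first, parts[1:]
    else:
        registry, repo_parts = DEFAULT_REGISTRY, parts
    # Official images such as 'busybox' are really 'library/busybox' on Docker Hub.
    if registry == DEFAULT_REGISTRY and len(repo_parts) == 1:
        repo_parts = [DEFAULT_NAMESPACE] + repo_parts
    return ImageRef(registry, "/".join(repo_parts), tag)


if __name__ == "__main__":
    for name in ("busybox", "dangdangwestos/busybox:latest",
                 "localhost:5000/nginx:v1", "westos.org/nginx:v3"):
        print(f"{name:32} -> {parse_reference(name)}")
```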

Check that the push succeeded

[root@server3 ~]# docker push localhost:5000/nginx
The push refers to repository [localhost:5000/nginx]
7d1f91d2183b: Pushed 
44e042b8c4f1: Pushed 
4ee9ed108b64: Pushed 
faa0d2dbf883: Pushed 
a5e52a0ea4d4: Pushed 
38ab3572be9b: Pushed 
e16686814e10: Pushed 
18af9eb19b5f: Pushed 
v1: digest: sha256:1f42e2af016eae42bf2db8dc0d4a522b4f44c88ef2e786bcd160886bc0fc1242 size: 2000
[root@server3 image]# cd /var/lib/docker/volumes/37e8aed215b0812c9ca3f3b6018a52bec0029844a2cd7dd4a505a6772fbc7e52/_data
[root@server3 _data]# ls
docker
[root@server3 _data]# cd docker/
[root@server3 _data]# tree .
[root@server3 docker]# ls
registry
[root@server3 docker]# cd registry/
[root@server3 registry]# ls
v2
[root@server3 registry]# 

Securing the private registry with TLS

The setup above has a security problem (no authentication) and a usability problem (localhost only works on the same machine).
Official documentation:
https://docs.docker.com/registry/insecure/

[root@server3 ~]# mkdir -p certs
# use a self-signed certificate
[root@server3 ~]# openssl req \
> -newkey rsa:4096 -nodes -sha256 -keyout certs/westos.org.key \
> -x509 -days 365 -out certs/westos.org.crt
Generating a 4096 bit RSA private key
writing new private key to 'certs/westos.org.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Shaanxi
Locality Name (eg, city) [Default City]:Xi'an
Organization Name (eg, company) [Default Company Ltd]:Westos
Organizational Unit Name (eg, section) []:Linux
Common Name (eg, your name or your server's hostname) []:westos.org
Email Address []:root@westos.org

Remove the registry container started earlier

[root@server3 ~]# docker rm -f registry
registry

[root@server3 ~]# docker ps -a
CONTAINER ID        IMAGE               COMMAND             CREATED             STATUS              PORTS               NAMES

How to deploy it

https://docs.docker.com/registry/deploying/#get-a-certificate
Note the paths here: REGISTRY_HTTP_TLS_KEY=/certs/westos.org.key -p 443:443 registry refers to the path inside the container, not /root/…

[root@server3 ~]# docker run -d   --restart=always   --name registry   -v "$(pwd)"/certs:/certs -e REGISTRY_HTTP_ADDR=0.0.0.0:443 -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/westos.org.crt -e REGISTRY_HTTP_TLS_KEY=/certs/westos.org.key -p 443:443 registry
3ebba5226703e6a15df3301ebc12207a213f939fb92af861c7f64c6ca2fd107b

The docker run parameters used

docker run -d: start the container and detach it into the background
--restart=always --name registry #restart the container automatically (it is started together with the Docker engine)
-v "$(pwd)"/certs:/certs #mount the local certs directory on /certs inside the container
-e REGISTRY_HTTP_ADDR=0.0.0.0:443 #-e sets an environment variable; listen on the encrypted port 443
-e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/westos.org.crt #certificate
-e REGISTRY_HTTP_TLS_KEY=/certs/westos.org.key #private key
-p 443:443 registry #publish port 443 on the host

Port 443 is now listening

[root@server3 ~]# netstat -antlp
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      649/sshd            
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      852/master          
tcp        0      0 172.25.0.3:22           172.25.0.250:54274      ESTABLISHED 2062/sshd: root@pts 
tcp        0      0 172.25.0.3:22           172.25.0.250:56174      ESTABLISHED 5189/sshd: root@pts 
tcp6       0      0 :::22                   :::*                    LISTEN      649/sshd            
tcp6       0      0 ::1:25                  :::*                    LISTEN      852/master          
tcp6       0      0 :::443                  :::*                    LISTEN      7421/docker-proxy  

Note: the registry server side is now running, but for the local client to make a TLS connection it also needs the certificate.
Because the domain name we use is westos.org, the hostname must resolve.

[root@server3 ~]# ping westos.org
PING server3 (172.25.0.3) 56(84) bytes of data.
64 bytes from server3 (172.25.0.3): icmp_seq=1 ttl=64 time=0.037 ms
64 bytes from server3 (172.25.0.3): icmp_seq=2 ttl=64 time=0.027 ms
[root@server3 ~]# cd /etc/docker/
[root@server3 docker]# ls
daemon.json  key.json
[root@server3 docker]# mkdir certs.d
[root@server3 docker]# cd certs.d/
[root@server3 certs.d]# mkdir westos.org
[root@server3 certs.d]# cd westos.org/
[root@server3 westos.org]# ls
[root@server3 westos.org]# cp /root/certs/westos.org.crt ca.crt
[root@server3 westos.org]# ls
ca.crt
[root@server3 westos.org]# docker tag nginx:v3 westos.org/nginx:v3
[root@server3 westos.org]# docker push westos.org/nginx
The push refers to repository [westos.org/nginx]
7eb94711c590: Pushed 
cdb9e6fdd1dd: Pushed 
ac047a8a6c70: Pushed 
e16686814e10: Pushed 
18af9eb19b5f: Pushed 
v3: digest: sha256:ad7f1eadc6268d111c7c1763dd76943e4c1f831f59bde82796bc351b894526b5 size: 1366

Adding client authentication for push
This builds on the earlier port 443 setup rather than the port 5000 used in the official docs.

[root@server3 ~]# mkdir auth
[root@server3 ~]# docker run --rm --entrypoint htpasswd registry -Bbn admin westos >auth/htpasswd

admin is the username and westos the password; more users can be appended to the file:

docker run --rm --entrypoint htpasswd registry -Bbn redhat redhat >>auth/htpasswd

The previous registry container must be removed

[root@docker ~]# docker rm -f registry 
registry

Authentication is added on top of TLS. Always enable TLS first and then authentication; otherwise the credentials travel over the network in the clear and the setup is not secure.

[root@server3 ~]# docker run -d   --restart=always   --name registry   -v "$(pwd)"/certs:/certs -e REGISTRY_HTTP_ADDR=0.0.0.0:443 -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/westos.org.crt -e REGISTRY_HTTP_TLS_KEY=/certs/westos.org.key -p 443:443 -v "$(pwd)"/auth:/auth -e "REGISTRY_AUTH=htpasswd" -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm"  -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd registry
2fb465d2f79e4a547a72e8014fe80c25cfc0321948ac83da45532f166c29fe80
[root@server3 ~]# docker ps -a
CONTAINER ID        IMAGE               COMMAND                  CREATED             STATUS              PORTS                            NAMES
2fb465d2f79e        registry            "/entrypoint.sh /etc…"   5 seconds ago       Up 5 seconds        0.0.0.0:443->443/tcp, 5000/tcp   registry
[root@server3 ~]# docker login westos.org
Username: admin
Password: 
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded
[root@server3 ~]# docker logout westos.org #log out
Removing login credentials for westos.org

push now reports an error

[root@server3 ~]# docker push westos.org/nginx
westos.org/nginx     westos.org/nginx:v3 
The push refers to repository [westos.org/rhel7]
18af9eb19b5f: Preparing 
no basic auth credentials 
westos.org/nginx     westos.org/nginx:v3
[root@server3 ~]# docker login westos.org 
[root@server3 ~]# docker push westos.org/nginx:v3 
The push refers to repository [westos.org/nginx]
7eb94711c590: Preparing 
cdb9e6fdd1dd: Preparing 
ac047a8a6c70: Preparing 
e16686814e10: Preparing 
18af9eb19b5f: Preparing 
no basic auth credentials  #tells us we are not authenticated
[root@server3 ~]# docker login westos.org
Username: admin
Password: 
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded
[root@server3 ~]# docker push westos.org/nginx:v3 
The push refers to repository [westos.org/nginx]
7eb94711c590: Pushed 
cdb9e6fdd1dd: Pushed 
ac047a8a6c70: Pushed 
e16686814e10: Pushed 
18af9eb19b5f: Pushed 
v3: digest: sha256:ad7f1eadc6268d111c7c1763dd76943e4c1f831f59bde82796bc351b894526b5 size: 1366
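The login/logout sequence above shows the behaviour a practitioner should verify after the registry is rebuilt: anonymous requests get 401 with the htpasswd realm, authenticated requests succeed. The following added example (not code from the original post) performs that check against the Registry v2 API; it assumes the registry from this post, https://westos.org, the self-signed CA copied to /etc/docker/certs.d/westos.org/ca.crt, and the user admin created with htpasswd above.

```python
"""Check that a private registry enforces TLS and basic auth (added example)."""
import base64
import ssl
import urllib.error
import urllib.request
from typing import Dict, Tuple

REGISTRY = "https://westos.org"                       # assumed, as in the post
CA_CERT = "/etc/docker/certs.d/westos.org/ca.crt"    # assumed, as in the post


def basic_auth_header(user: str, password: str) -> str:
    """Same 'Basic base64(user:password)' value docker login sends."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def parse_www_authenticate(value: str) -> Tuple[str, Dict[str, str]]:
    """Parse 'Basic realm="Registry Realm"' into ('Basic', {'realm': 'Registry Realm'})."""
    scheme, _, rest = value.partition(" ")
    params = {}
    for item in rest.split(","):
        key, _, val = item.strip().partition("=")
        if key:
            params[key] = val.strip('"')
    return scheme, params


def probe(path: str, auth: str = "") -> Tuple[int, Dict[str, str]]:
    """GET REGISTRY+path and return (status, headers); a 401 is a result, not an error."""
    ctx = ssl.create_default_context(cafile=CA_CERT)  # trust only our self-signed CA
    req = urllib.request.Request(REGISTRY + path)
    if auth:
        req.add_header("Authorization", auth)
    try:
        with urllib.request.urlopen(req, context=ctx) as resp:
            return resp.status, dict(resp.headers)
    except urllib.error.HTTPError as err:
        return err.code, dict(err.headers)


if __name__ == "__main__":
    status, headers = probe("/v2/")
    scheme, params = parse_www_authenticate(headers.get("WWW-Authenticate", ""))
    print("anonymous:", status, scheme, params.get("realm"))  # expect 401 Basic Registry Realm
    status, _ = probe("/v2/_catalog", basic_auth_header("admin", "westos"))
    print("as admin:", status)                                 # expect 200
```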