- Official Docker Hub: https://hub.docker.com/
- A Docker repository is where images are kept. Docker provides a registry server (Registry) that holds multiple repositories, and each repository can contain multiple images with different tags.
- The default repository Docker uses at runtime is the public Docker Hub.
- The registry stores images and their layer graph. It has no local database and does no user authentication of its own; clients are authenticated with tokens issued by the Index auth service.
1. Docker Hub
[root@server11 ~]# docker rmi 4bb46517cac3
[root@server11 ~]# docker images
[root@server11 ~]# docker search registry
[root@server11 ~]# docker pull registry # pull the registry image
[root@server11 ~]# docker history registry:latest # check which port the image exposes
[root@server11 ~]# docker run -d --name registry -p 5000:5000 -v /opt/registry:/var/lib/registry registry # run the container: -d detach; -p port mapping; -v bind-mount a data volume, host path:container path
0966e368a427b2eb1bd30f49b356ebf386e38dec06bcca28098b489064f67ffd
[root@server11 ~]# docker ps
[root@server11 ~]# ll -d /opt/registry/
[root@server11 ~]# yum install tree -y
[root@server11 ~]# tree /opt/registry/
[root@server11 ~]# docker tag webserver:v4 localhost:5000/webserver:latest # tag the image for the local registry
[root@server11 ~]# docker images
[root@server11 ~]# docker push localhost:5000/webserver # push the image to the local registry
[root@server11 ~]# tree /opt/registry/
[root@server11 ~]# curl localhost:5000/v2/_catalog
{"repositories":["webserver"]}
How the registry works: what happens behind a docker pull or push
The docker index service provides image indexing and user authentication.
When pulling an image:
- the docker client looks the image up on the docker index and authenticates there
- the docker index finds the address of the registry holding the image and hands the docker client a temporary token
- the docker client then downloads the image from registry A (the actual storage backend)
- during the download, the registry asks the index to validate the client's token
- the index tells the registry whether the client's token is valid
- registry A then returns the actual image data to the docker client
2. Setting up a private registry
1) Installation. To avoid slow downloads and dependency problems, use the Aliyun mirror: Aliyun -> Containers -> docker
Create a new host, server12, as a Docker host
[root@server12 ~]# cd /etc/yum.repos.d/
[root@server11 yum.repos.d]# ls
dvd.repo redhat.repo
[root@server11 yum.repos.d]# vim docker.repo
[root@server11 yum.repos.d]# cat docker.repo
[docker]
name=docker-ce
baseurl=https://mirrors.aliyun.com/docker-ce/linux/centos/7/x86_64/stable/
gpgcheck=0
[root@server11 yum.repos.d]# curl -o /etc/yum.repos.d/CentOS-Base.repo https://mirrors.aliyun.com/repo/Centos-7.repo
[root@server11 yum.repos.d]# sed -i -e '/mirrors.cloud.aliyuncs.com/d' -e '/mirrors.aliyuncs.com/d' /etc/yum.repos.d/CentOS-Base.repo
[root@server11 yum.repos.d]# vim CentOS-Base.repo
:%s/$releasever/7/g
[root@server11 yum.repos.d]# yum clean all
[root@server11 yum.repos.d]# yum install -y docker-ce
[root@server11 yum.repos.d]# systemctl start docker
[root@server11 yum.repos.d]# systemctl enable docker
[root@server11 yum.repos.d]# docker info # check whether the registry is enabled
[root@server12 ~]# cd /etc/docker/
[root@server12 docker]# ls
key.json
[root@server12 docker]# vim daemon.json
[root@server12 docker]# cat daemon.json
{
"insecure-registries": ["192.168.100.241:5000"] # points at the registry host
}
[root@server12 docker]# systemctl reload docker
[root@server12 docker]# docker pull 192.168.100.241:5000/webserver
[root@server12 docker]# docker tag 192.168.100.241:5000/webserver:latest webserver
[root@server12 docker]# docker run -d webserver
136737e8dc86497c5da69b5a3f6c20d7f9c858f77db541f48264a68d1ed5d734
[root@server12 docker]# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
136737e8dc86 webserver "nginx -g 'daemon of…" 20 seconds ago Up 18 seconds 80/tcp, 443/tcp sharp_carson
2) Encryption
%Encryption and authentication
Official registry docs: https://docs.docker.com/registry/insecure/
Create a self-signed certificate:
[root@server11 ~]# mkdir -p certs
[root@server11 ~]# openssl req \
> -newkey rsa:4096 -nodes -sha256 -keyout certs/westos.org.key -x509 -days 365 -out certs/westos.org.crt
[root@server11 ~]# docker stop registry
[root@server11 ~]# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
[root@server11 ~]# docker rm registry
registry
[root@server11 ~]# ll /opt/registry/
total 0
drwxr-xr-x 3 root root 22 Jan 24 17:57 docker
[root@server11 ~]# docker rm -f registry # if the TLS setup went wrong, remove the container and the key material
registry
[root@server11 ~]# cd certs/
[root@server11 certs]# ls
westos.org.crt westos.org.key
[root@server11 certs]# rm -fr *
[root@server11 certs]# cd
# encryption
[root@server11 ~]# openssl req -newkey rsa:4096 -nodes -sha256 -keyout certs/westos.org.key -x509 -days 365 -out certs/westos.org.crt
[root@server11 ~]# vim /etc/hosts
192.168.100.241 server11 reg.westos.org
[root@server11 ~]# docker run -d --name registry -p 443:443 -v /opt/registry:/var/lib/registry -v "$(pwd)"/certs:/certs -e REGISTRY_HTTP_ADDR=0.0.0.0:443 -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/westos.org.crt -e REGISTRY_HTTP_TLS_KEY=/certs/westos.org.key registry
[root@server11 ~]# docker ps
[root@server11 ~]# docker images
[root@server11 ~]# docker tag yakexi007/game2048:latest reg.westos.org/game2048:latest
[root@server11 ~]# docker push reg.westos.org/game2048:latest
[root@server11 ~]# mkdir /etc/docker/certs.d/reg.westos.org/ -p
[root@server11 ~]# cp certs/westos.org.crt /etc/docker/certs.d/reg.westos.org/ca.crt # copy the certificate to the docker host
[root@server11 ~]# ll /etc/docker/certs.d/reg.westos.org/ca.crt
-rw-r--r-- 1 root root 2102 Jan 24 19:11 /etc/docker/certs.d/reg.westos.org/ca.crt
[root@server11 ~]# docker push reg.westos.org/game2048:latest # test pushing the image
[root@server12 docker]# pwd
/etc/docker
[root@server12 docker]# rm -fr daemon.json
[root@server12 docker]# systemctl reload docker
[root@server12 docker]# vim /etc/hosts
192.168.100.241 server11 reg.westos.org
[root@server12 docker]# vim /etc/hosts
[root@server12 docker]# mkdir /etc/docker/certs.d/reg.westos.org/ -p
[root@server11 ~]# scp /etc/docker/certs.d/reg.westos.org/ca.crt server12://etc/docker/certs.d/reg.westos.org/
[root@server12 docker]# cd /etc/docker/certs.d/reg.westos.org/
[root@server12 reg.westos.org]# ls
ca.crt
[root@server12 ~]# docker pull reg.westos.org/game2048
3) Authentication
# create the auth directory
[root@server11 ~]# curl -k https://192.168.100.241/v2/_catalog
{"repositories":["game2048","webserver"]}
[root@server11 ~]# ll -d /opt/registry/
drwxr-xr-x 3 root root 20 Jan 24 17:57 /opt/registry/
[root@server11 ~]# mkdir auth
[root@server11 ~]# yum provides */htpasswd
[root@server11 ~]# yum install httpd-tools -y
[root@server11 ~]# htpasswd -B -c auth/htpasswd wxh # -c creates the file, -B hashes the password with bcrypt (the only format the registry accepts)
[root@server11 ~]# htpasswd -B auth/htpasswd admin # no -c the second time, or the file is overwritten
[root@server11 ~]# docker rm -f registry
registry
# recreate the registry
[root@server11 ~]# docker run -d --name registry -p 443:443 -v /opt/registry:/var/lib/registry -v "$(pwd)"/certs:/certs -e REGISTRY_HTTP_ADDR=0.0.0.0:443 -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/westos.org.crt -e REGISTRY_HTTP_TLS_KEY=/certs/westos.org.key -v "$(pwd)"/auth:/auth -e "REGISTRY_AUTH=htpasswd" -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd registry
[root@server11 ~]# docker tag ubuntu:latest reg.westos.org/ubuntu:latest
[root@server11 ~]# docker push reg.westos.org/ubuntu:latest
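Before starting the registry container with TLS and htpasswd as above, the certificate, key and password file can be validated up front. This is an added preflight script, not part of the original post; it assumes the page's paths (certs/westos.org.crt, certs/westos.org.key, auth/htpasswd) and the hostname reg.westos.org.

```shell
#!/bin/sh
# Added preflight checks for the TLS + htpasswd registry started above
# (not from the original post). Paths are the page's: certs/westos.org.crt,
# certs/westos.org.key, auth/htpasswd; hostname reg.westos.org.

# The registry accepts only bcrypt entries ($2a$/$2b$/$2y$); entries made
# without htpasswd -B are ignored, so logins with them fail.
check_htpasswd_bcrypt() {
  [ -s "$1" ] || return 1
  # succeed only if no non-blank line fails to match user:$2x$NN$...
  ! grep -v -E '^[^:]+:\$2[aby]\$[0-9]{2}\$' "$1" | grep -q .
}

# The certificate and key handed to the registry must belong together,
# otherwise the container exits at start with a TLS error.
check_cert_key_match() {
  crt_pub=$(openssl x509 -noout -pubkey -in "$1") || return 1
  key_pub=$(openssl pkey -pubout -in "$2") || return 1
  [ "$crt_pub" = "$key_pub" ]
}

# Docker verifies the registry hostname against the certificate's
# subjectAltName; a name present only in the CN is rejected by clients
# built with Go 1.15 or later.
check_cert_san() {
  openssl x509 -noout -text -in "$1" \
    | grep -A1 'Subject Alternative Name' | grep -q "DNS:$2"
}

# Run all checks and explain the first failure.
# Usage: preflight CERT KEY HOSTNAME HTPASSWD
preflight() {
  check_cert_key_match "$1" "$2" || { echo "certificate and key do not match"; return 1; }
  check_cert_san "$1" "$3"       || { echo "no subjectAltName DNS:$3 in $1"; return 1; }
  check_htpasswd_bcrypt "$4"     || { echo "non-bcrypt or empty entry in $4"; return 1; }
  echo "preflight ok"
}

# Run directly: sh preflight.sh certs/westos.org.crt certs/westos.org.key reg.westos.org auth/htpasswd
if [ "$#" -eq 4 ]; then preflight "$@"; fi
```

The certificate generated above carries the hostname only in its CN, so the SAN check fails on it; `openssl req` (1.1.1 or later) can add the SAN with `-addext 'subjectAltName=DNS:reg.westos.org'`.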
Logging in
[root@server11 ~]# docker login reg.westos.org
Username: wxh
Password:
[root@server11 ~]# cat /root/.docker/config.json
{
"auths": {
"reg.westos.org": {
"auth": "d3hoOndlc3Rvcw=="
}
}
}
[root@server11 ~]# docker push reg.westos.org/ubuntu:latest
[root@server12 ~]# docker login reg.westos.org
Username: admin
Password: Westos123
[root@server12 ~]# docker pull reg.westos.org/ubuntu:latest
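The `auth` value that `docker login` writes above is not encrypted: it is only base64 of `user:password`, so the file itself must be treated as a secret. This added example (not from the original post) decodes that value from a constructed config.json carrying the page's auth string and checks that the file is not group- or world-readable.

```shell
#!/bin/sh
# Added example (not from the original post): what "docker login" leaves
# behind in ~/.docker/config.json, and why the file needs mode 600 (or a
# credential helper instead of a stored password).

# Constructed sample in the layout docker login writes; the auth string is
# the one shown on the page.
write_sample_config() {
  cat > "$1" <<'EOF'
{
  "auths": {
    "reg.westos.org": {
      "auth": "d3hoOndlc3Rvcw=="
    }
  }
}
EOF
}

# Print the decoded user:password stored for one registry (exit 1 if none).
decode_docker_auth() {   # $1 = config.json, $2 = registry hostname
  b64=$(sed -n "/\"$2\"/,/}/p" "$1" \
        | sed -n 's/.*"auth"[^"]*"\([^"]*\)".*/\1/p' | head -n 1)
  [ -n "$b64" ] || return 1
  printf '%s' "$b64" | base64 -d
}

# Only the user name, for reporting without printing the secret.
stored_user() {
  decode_docker_auth "$1" "$2" | cut -d: -f1
}

# True when neither group nor others have any permission on the file.
config_is_private() {
  ! ls -ld "$1" | cut -c5-10 | grep -q '[rwx]'
}
```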
3. docker-compose: managing several containers at once
1) Creating a Harbor registry
%harbor: https://github.com/goharbor/harbor/releases/download/v1.10.1/harbor-offline-installer-v1.10.1.tgz
[root@server11 ~]# ls
99-sysctl.conf auth base-debian10.tar certs cowtransfer.zip docker harbor rhel7.tar
[root@server11 ~]# tar zxf harbor-offline-installer-v1.10.1.tgz
[root@server11 ~]# cd harbor/
[root@server11 harbor]# ls
[root@server11 harbor]# mv docker-compose-Linux-x86_64-1.27.0 /usr/local/bin/docker-compose
[root@server11 ~]# chmod +x /usr/local/bin/docker-compose
[root@server11 ~]# docker-compose
[root@server11 ~]# docker rm -f registry
[root@server11 ~]# cp -r certs/ /
[root@server11 ~]# cd /certs/
[root@server11 certs]# ls
westos.org.crt westos.org.key
[root@server11 ~]# cd harbor/
[root@server11 harbor]# vim harbor.yml
hostname: reg.westos.org
certificate: /certs/westos.org.crt
private_key: /certs/westos.org.key
harbor_admin_password: westos
#harbor_admin_password: Harbor12345
[root@server11 harbor]# ./install.sh
[root@server11 harbor]# docker-compose ps
[root@server11 harbor]# netstat -antlp|grep :80
[root@server11 harbor]# netstat -antlp|grep :443
# Web UI: 192.168.100.241/harbor, user admin, password westos -> log in
The library project is visible under Projects
[root@server11 harbor]# docker logout reg.westos.org
[root@server11 harbor]# cat ~/.docker/config.json # logout is equivalent to deleting this file's contents
[root@server11 harbor]# docker login reg.westos.org
Username: admin
Password: Harbor12345
[root@server11 harbor]# docker tag busybox:latest reg.westos.org/library/busybox:latest
[root@server11 harbor]# docker push reg.westos.org/library/busybox:latest
[root@server11 harbor]#
# refresh the web page to see the pushed image
[root@server12 ~]# cd /etc/docker/
[root@server12 docker]# ls
[root@server12 docker]# vim daemon.json
{
"registry-mirrors": ["https://reg.westos.org"]
}
[root@server12 docker]# systemctl reload docker
[root@server12 docker]# docker pull busybox
[root@server11 ~]# cd /etc/docker
[root@server11 docker]# docker tag reg.westos.org/game2048:latest reg.westos.org/library/game2048:latest
[root@server11 harbor]# docker push reg.westos.org/library/game2048:latest
2) Create user westos in the web UI
- Projects -> westos -> Members -> Maintainer
- Projects -> westos -> Members -> Guest
Maintainers can push; guests cannot push, only pull.
[root@server11 harbor]# docker login reg.westos.org
Username: wxh
Password: Westos123
[root@server11 harbor]# docker tag reg.westos.org/ubuntu:latest reg.westos.org/westos/ubuntu:latest
[root@server11 harbor]# docker push reg.westos.org/westos/ubuntu:latest # a maintainer can push
[root@server12 docker]# docker logout reg.westos.org
Removing login credentials for reg.westos.org
[root@server12 docker]# docker login reg.westos.org
Username: demo # guest user
Password:
Login Succeeded
[root@server12 docker]# docker images
[root@server12 docker]# docker tag webserver:latest reg.westos.org/westos/webserver:latest
[root@server12 docker]# docker push reg.westos.org/westos/webserver:latest # a guest cannot push, but can pull
The push refers to repository [reg.westos.org/westos/webserver]
denied: requested access to the resource is denied
[root@server12 docker]# docker rmi 192.168.100.241:5000/webserver:latest
[root@server12 docker]# docker rmi reg.westos.org/ubuntu:latest
[root@server12 docker]# docker pull reg.westos.org/westos/ubuntu
3) Image signing
[root@server11 harbor]# docker-compose down
[root@server11 harbor]# ./prepare # clean up
[root@server11 harbor]# ./install.sh --with-notary --with-clair --with-chartmuseum
[root@server11 harbor]# docker logout reg.westos.org
Removing login credentials for reg.westos.org
[root@server11 harbor]# docker login reg.westos.org
Username: admin
Password: Harbor12345
[root@server11 harbor]# docker tag reg.westos.org/game2048:latest reg.westos.org/library/game2048:latest
[root@server11 harbor]# docker push reg.westos.org/library/game2048:latest
Web UI scanning
%Tick automatic scanning; images are then scanned automatically on push
[root@server11 harbor]# docker images webserver
REPOSITORY TAG IMAGE ID CREATED SIZE
webserver v4 fcc5b816e63d 21 hours ago 31.7MB
[root@server11 harbor]# docker tag webserver:v4 reg.westos.org/library/webserver:latest
[root@server11 harbor]# docker push reg.westos.org/library/webserver:latest
- Manual scan
* Automatic scan
Enabling content trust
[root@server11 harbor]# export DOCKER_CONTENT_TRUST=1 # enable content trust
[root@server11 harbor]# export DOCKER_CONTENT_TRUST_SERVER=https://reg.westos.org:4443
[root@server11 harbor]#
[root@server12 ~]# docker images
[root@server12 ~]# docker rmi reg.westos.org/westos/ubuntu
[root@server12 ~]# docker pull reg.westos.org/westos/ubuntu
#%Tick content trust in the web UI; the next pull of the unsigned image is then refused
[root@server12 ~]# docker pull reg.westos.org/westos/ubuntu # refused
[root@server11 ~]# cd .docker/
[root@server11 .docker]# ls
config.json trust
[root@server11 .docker]# mkdir tls/reg.westos.org:4443 -p
[root@server11 .docker]# cp /certs/westos.org.crt tls/reg.westos.org:4443/ca.crt
[root@server11 ~]# docker push reg.westos.org/westos/game2048:latest
[root@server11 ~]# docker tag nginx:latest reg.westos.org/westos/game2048:v1
[root@server11 ~]# docker push reg.westos.org/westos/game2048:v1
# when only the tag changes (v1), only the repository key passphrase is asked for
# untick content trust
[root@server11 ~]# export DOCKER_CONTENT_TRUST=0 # =0 turns signature verification off
[root@server11 ~]# cd harbor/harbor/
[root@server11 harbor]# docker-compose down