(Part 2): Setting up docker registry2

1. Environment

[root@localhost docker.registry:5000]# cat /etc/redhat-release 
Red Hat Enterprise Linux Server release 7.3 (Maipo)
[root@localhost docker.registry:5000]# docker version
Client:
 Version:         1.13.1
 API version:     1.26
 Package version: docker-1.13.1-63.git94f4240.el7.centos.x86_64
 Go version:      go1.9.4
 Git commit:      94f4240/1.13.1
 Built:           Fri May 18 15:44:33 2018
 OS/Arch:         linux/amd64

Server:
 Version:         1.13.1
 API version:     1.26 (minimum version 1.12)
 Package version: docker-1.13.1-63.git94f4240.el7.centos.x86_64
 Go version:      go1.9.4
 Git commit:      94f4240/1.13.1
 Built:           Fri May 18 15:44:33 2018
 OS/Arch:         linux/amd64
 Experimental:    false

2. Setup options

  1. Registry without authentication
  2. Registry with https (TLS) authentication
  3. Registry with username/password login

3. Setup steps:

3.1 Registry without authentication

Pull the image:

docker pull registry:2.6.2

Start without authentication:

docker run -d -p 5000:5000  --name registry2-noauth --restart=always  -v /usr/local/docker/registry/auth/:/auth/  -v /usr/local/docker/registry/:/var/lib/registry/ registry:2.6.2
--restart=always: the container starts automatically whenever docker restarts

Client configuration to skip https

  1. Edit /etc/docker/daemon.json
[root@localhost ~]# echo '{ "insecure-registries":["172.16.1.146:5000"] }' > /etc/docker/daemon.json
[root@localhost ~]# cat /etc/docker/daemon.json
{ "insecure-registries":["172.16.1.146:5000"] }
  2. Restart docker
[root@localhost ~]# service docker restart

Without this configuration the client reports the following error when it talks to the registry:
Error response from daemon: Get https://172.16.1.146:5000/v1/_ping: http: server gave HTTP response to HTTPS client
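The echo in step 1 above replaces the whole of /etc/docker/daemon.json, which silently drops any settings already in it. The following helper is an added example, not part of the original post: it merges the registry into the existing "insecure-registries" list and rewrites the file atomically; the path and the registry address are the ones used on this page, and docker still has to be restarted afterwards.

```python
import json
import os
from pathlib import Path

DAEMON_JSON = "/etc/docker/daemon.json"   # path used in the steps above


def add_insecure_registry(path: str, registry: str) -> dict:
    """Add ``registry`` (host:port) to "insecure-registries" in daemon.json.

    Unlike ``echo '{...}' > daemon.json`` this keeps every other key in the
    file (log driver, storage options, ...). The merged configuration is
    written atomically and returned; the caller still restarts the daemon.
    Entries in this list are reached over plain HTTP with no certificate
    check, so list only the one registry that really has no TLS.
    """
    p = Path(path)
    conf = {}
    if p.exists() and p.stat().st_size > 0:
        # A corrupt file raises here instead of being overwritten.
        conf = json.loads(p.read_text())
    if not isinstance(conf, dict):
        raise ValueError(f"{path} does not contain a JSON object")
    regs = conf.setdefault("insecure-registries", [])
    if registry not in regs:
        regs.append(registry)
    tmp = p.with_name(p.name + ".tmp")
    tmp.write_text(json.dumps(conf, indent=2) + "\n")
    os.replace(tmp, p)   # atomic swap: never leaves a half-written config
    return conf


if __name__ == "__main__":
    # Run as root on the client from 3.1, then: service docker restart
    print(json.dumps(add_insecure_registry(DAEMON_JSON, "172.16.1.146:5000"), indent=2))
```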


Usage:

  • Tag the image and push it

Use docker tag to tag an image; the format is:
172.16.1.146:5000/registry:2.6.2, where 172.16.1.146 is the local registry address, 5000 is the registry port, registry is the image name and 2.6.2 is the version (tag)
172.16.1.146 here can be a local IP or a domain name, e.g. www.xxx.net

[root@gitlab conf]# docker tag docker.io/registry:2.6.2  172.16.1.146:5000/registry:2.6.2

Once tagging is done, the local image list contains an image with the same name as the tag; that is the image we push

  • Push the image to the registry
[root@localhost local]# docker push 172.16.1.146:5000/registry:2.6.2
The push refers to a repository [172.16.1.146:5000/registry]
9113493eaae1: Pushed 
621c2399d41a: Pushed 
59e80739ed3f: Pushed 
febf19f93653: Pushed 
e53f74215d12: Pushed 
2.6.2: digest: sha256:feb40d14cd33e646b9985e2d6754ed66616fedb840226c4d917ef53d616dcd6c size: 1364
  • Check whether the image exists

API
- List all repositories

GET http://127.0.0.1:5000/v2/_catalog
{
  "repositories": [
    "mongo",
    "registry"
  ]
}
  • List all tags of an image
GET http://127.0.0.1:5000/v2/registry/tags/list
{
  "name": "registry",
  "tags": [
    "2.6.2",
    "2.6.3"
  ]
}

registry is the image name; the output shows that the image was pushed successfully.

  • Pull the image from the private registry
[root@localhost local]# docker pull 172.16.1.146:5000/registry:2.6.2
Trying to pull repository 172.16.1.146:5000/registry ... 
2.6.2: Pulling from 172.16.1.146:5000/registry
Digest: sha256:feb40d14cd33e646b9985e2d6754ed66616fedb840226c4d917ef53d616dcd6c
Status: Downloaded newer image for 172.16.1.146:5000/registry:2.6.2

3.2 https-authenticated registry:

Note: the client does not need the skip-https (insecure-registries) configuration
  • Create the key
mkdir -p /usr/local/docker/registry/certs/
cd /usr/local/docker/registry/certs/
openssl genrsa -out docker.registry.key 2048
  • Create the crt (this command also writes a new 4096-bit key to docker.registry.key, replacing the one from the previous step)
openssl req -newkey rsa:4096 -nodes -sha256 -keyout docker.registry.key -x509 -days 365 -out docker.registry.crt
Example values for some of the fields:
[root@localhost certs]# openssl req -newkey rsa:4096 -nodes -sha256 -keyout docker.registry.key -x509 -days 365 -out docker.registry.crt
Generating a 4096 bit RSA private key
...........................................................................................++
.............................++
writing new private key to 'docker.registry.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:86
State or Province Name (full name) []:Anhui
Locality Name (eg, city) [Default City]:Hefei
Organization Name (eg, company) [Default Company Ltd]:xxxx
Organizational Unit Name (eg, section) []:xxxx
Common Name (eg, your name or your server's hostname) []:docker.registry
Email Address []:xxx@xxx.com
  • Check the certificate validity dates.
[root@localhost docker.registry:5000]# openssl x509 -in docker.registry.crt -noout -dates
notBefore=Jul  5 06:58:36 2018 GMT
notAfter=Jul  5 06:58:36 2019 GMT
  • Add to docker's trust store

Because the certificate is self-signed, Docker does not trust it by default, so it has to be added to Docker's trusted certificates. On CentOS 7 Docker looks for them under /etc/docker/certs.d/<host:port>/:

mkdir -p /etc/docker/certs.d/docker.registry:5000
cp /usr/local/docker/registry/certs/docker.registry.crt /etc/docker/certs.d/docker.registry:5000/
docker.registry:5000 is the actual domain name and port used to reach the registry
  • Start
docker run -d -p 5000:5000 --name registry2-sslauth    -v /usr/local/docker/registry/certs/:/certs/  -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/docker.registry.crt  -e REGISTRY_HTTP_TLS_KEY=/certs/docker.registry.key -v /usr/local/docker/registry/:/var/lib/registry/ registry:2.6.2
  • Verify:
docker tag docker.io/registry:2.6.2  docker.registry:5000/registry:2.6.2
docker push docker.registry:5000/registry:2.6.2
docker rmi  docker.registry:5000/registry:2.6.2
docker pull docker.registry:5000/registry:2.6.2
Everything else works the same; API calls must use https.

3.3 Registry with username/password login

  • Generate username:password
mkdir -p /usr/local/docker/registry/auth
docker run --entrypoint htpasswd registry:2.6.2 -Bbn admin 1qaz\!QAZ  >> /usr/local/docker/registry/auth/htpasswd

The command above creates a user entry for the username admin with the password 1qaz!QAZ and appends it to /usr/local/docker/registry/auth/htpasswd; the password is stored in the file as a hash (bcrypt, from the -B option), not in clear text.

  • Start:
docker run -d -p 5000:5000 --name registry2-httpauth  --restart=always  -v /usr/local/docker/registry/auth/:/auth/  -e "REGISTRY_AUTH=htpasswd"  -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm"  -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd -v /usr/local/docker/registry/:/var/lib/registry/ registry:2.6.2
  • http login:
docker login 172.16.1.146:5000
The client again needs the skip-https configuration; everything else works the same, and API calls must supply the username and password.
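The API checks from 3.1 (/v2/_catalog and /v2/<name>/tags/list) work against all three registries on this page once the client sends what each one needs: plain http for 3.1, https verified against the self-signed docker.registry.crt for 3.2, and the admin username/password for 3.3. The client below is an added example, not code from the original post; it uses only the standard library, takes the addresses, certificate path and account from this page, and treats a 404 (unknown repository) and "tags": null (repository without tags) both as "image absent". With the 3.3 setup as shown, which has no TLS, the Basic credentials cross the network in clear text, so in practice combine it with the certificate from 3.2.

```python
import base64
import json
import ssl
import urllib.error
import urllib.request


def registry_get(url, cafile=None, user=None, password=None, timeout=10):
    """GET a registry v2 URL and return (status, body). https URLs are verified
    against cafile (the self-signed docker.registry.crt from 3.2) or the system
    store; user/password are sent as HTTP Basic for the htpasswd setup of 3.3."""
    req = urllib.request.Request(url)
    if user is not None:
        token = base64.b64encode(f"{user}:{password}".encode()).decode()
        req.add_header("Authorization", f"Basic {token}")
    ctx = ssl.create_default_context(cafile=cafile) if url.startswith("https://") else None
    try:
        with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:   # 401/404 carry a JSON error body
        return err.code, err.read().decode()


def parse_catalog(body):
    """Repository names from GET /v2/_catalog (empty registry gives [])."""
    return list(json.loads(body).get("repositories") or [])


def parse_tags(status, body):
    """Tags from GET /v2/<name>/tags/list. 404 means the name is unknown and a
    repository whose tags were all removed answers "tags": null; both become
    an empty list. 401 means the registry wants a login (3.3)."""
    if status == 404:
        return []
    if status == 401:
        raise PermissionError("registry requires username/password (see 3.3)")
    if status != 200:
        raise RuntimeError(f"unexpected HTTP {status} from registry")
    return list(json.loads(body).get("tags") or [])


def image_exists(registry, name, tag, **conn):
    """True if registry (scheme://host:port) holds name:tag."""
    status, body = registry_get(f"{registry}/v2/{name}/tags/list", **conn)
    return tag in parse_tags(status, body)


if __name__ == "__main__":
    # 3.1: plain http; the client has the insecure-registries entry
    print(image_exists("http://172.16.1.146:5000", "registry", "2.6.2"))
    # 3.2: https, trusting only the self-signed certificate created above
    print(image_exists("https://docker.registry:5000", "registry", "2.6.2",
                       cafile="/usr/local/docker/registry/certs/docker.registry.crt"))
    # 3.3: htpasswd login with the account generated by htpasswd -Bbn above
    print(image_exists("http://172.16.1.146:5000", "registry", "2.6.2",
                       user="admin", password="1qaz!QAZ"))
```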