1. What is a Docker repository?
A repository is a place where image files are stored centrally. The repository and the registry server (Registry) are sometimes lumped together without a strict distinction. In practice a registry server usually holds many repositories, each repository contains many images, and each image has different tags.
Repositories come in two forms, public and private. The largest public registry is Docker Hub, which holds a huge number of images for users to download. Public registries in China include Docker Pool, which gives users in mainland China more stable and faster access.
Users can of course also create a private registry inside their local network. Once a user has built their own image, they can upload it to a public or private registry with the push command; the next time the image is needed on another machine, it only has to be pulled from the registry.
2. Advantages of a private registry
Sometimes a public registry such as Docker Hub is inconvenient; in that case a user can use registry to create a local repository for private use, much like Maven repository management. A private registry has several advantages:
1) It saves network bandwidth: not everyone has to download each image from the central registry; they only need to download it from the private registry;
2) It improves use of image resources: images used inside the company are pushed to the local private registry for the company's staff to use.
Docker Registry has now been upgraded to v2, and the latest Docker no longer supports v1. Registry v2 is written in Go, includes many performance and security optimizations, and redesigned the image storage format. To install registry v2, simply download registry:2.2. The docker-registry tool provided by Docker can be used to build a private image registry.
Lab environment
Host | IP address
---|---
su1 | 172.25.34.8
su2 | 172.25.34.9
Docker has already packaged the registry as an image, so the registry is deployed simply by starting a container.
[root@su1 dockerwork]# docker search registry
NAME DESCRIPTION STARS OFFICIAL AUTOMATED
registry The Docker Registry 2.0 implementation for s… 2742 [OK]
distribution/registry WARNING: NOT the registry official image!!! … 58 [OK]
stefanscherer/registry-windows Containerized docker registry for Windows Se… 27
budry/registry-arm Docker registry build for Raspberry PI 2 and… 18
deis/registry Docker image registry for the Deis open sour… 12
sixeyed/registry Docker Registry 2.6.0 running on Windows - N… 8
anoxis/registry-cli You can list and delete tags from your priva… 8 [OK]
vmware/registry 5
pallet/registry-swift Add swift storage support to the official do… 4 [OK]
allingeek/registry A specialization of registry:2 configured fo… 4 [OK]
jc21/registry-ui A nice web interface for managing your Docke… 4
goharbor/registry-photon 2
ibmcom/registry Docker Image for IBM Cloud private-CE (Commu… 1
conjurinc/registry-oauth-server Docker registry authn/authz server backed by… 1
metadata/registry Metadata Registry is a tool which helps you … 1 [OK]
webhippie/registry Docker images for Docker Registry 1 [OK]
kontena/registry Kontena Registry 0
concourse/registry-image-resource 0
upmcenterprises/registry-creds 0
gisjedi/registry-proxy Reverse proxy of registry mirror image gisje… 0
dwpdigital/registry-image-resource Concourse resource type 0
convox/registry 0
lorieri/registry-ceph Ceph Rados Gateway (and any other S3 compati… 0
zoined/registry Private Docker registry based on registry:2 0
ghmlee/registrybot registrybot 0 [OK]
You have new mail in /var/spool/mail/root
[root@su1 dockerwork]# docker pull registry ## pull the image
Using default tag: latest
latest: Pulling from library/registry
c87736221ed0: Pull complete
1cc8e0bb44df: Pull complete
54d33bcb37f5: Pull complete
e8afc091c171: Pull complete
b4541f6d3db6: Pull complete
Digest: sha256:8004747f1e8cd820a148fb7499d71a76d45ff66bac6a29129bfdbfdc0154d146
Status: Downloaded newer image for registry:latest
[root@su1 dockerwork]# docker history registry ## this image is the registry server; it serves on port 5000
IMAGE CREATED CREATED BY SIZE COMMENT
f32a97de94e1 8 months ago /bin/sh -c #(nop) CMD ["/etc/docker/registr… 0B
<missing> 8 months ago /bin/sh -c #(nop) ENTRYPOINT ["/entrypoint.… 0B
<missing> 8 months ago /bin/sh -c #(nop) COPY file:507caa54f88c1f38… 155B
<missing> 8 months ago /bin/sh -c #(nop) EXPOSE 5000 0B
<missing> 8 months ago /bin/sh -c #(nop) VOLUME [/var/lib/registry] 0B
<missing> 8 months ago /bin/sh -c #(nop) COPY file:4544cc1555469403… 295B
<missing> 8 months ago /bin/sh -c #(nop) COPY file:21256ff7df5369f7… 20.1MB
<missing> 8 months ago /bin/sh -c set -ex && apk add --no-cache… 1.29MB
<missing> 8 months ago /bin/sh -c #(nop) CMD ["/bin/sh"] 0B
<missing> 8 months ago /bin/sh -c #(nop) ADD file:38bc6b51693b13d84… 4.41MB
[root@su1 dockerwork]# netstat -antuple ## port 5000 is also opened on the host
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State User Inode PID/Program name
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 0 17774 1016/sshd
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 0 18569 1290/master
tcp 0 0 172.25.34.8:22 172.25.34.250:46300 ESTABLISHED 0 20651 1341/sshd: root@pts
tcp 0 0 172.25.34.8:43080 172.25.34.250:80 TIME_WAIT 0 0 -
tcp 0 0 172.25.34.8:22 172.25.34.250:46326 ESTABLISHED 0 86834 3461/sshd: root@pts
tcp6 0 0 :::5000 :::* LISTEN 0 125405 9145/docker-proxy
[root@su1 dockerwork]# docker run -d --name registry -p 5000:5000 registry
99ea949f5dcffb64db2cf0b85d6df12a4597d06fd184165b80deb812e6be435c
[root@su1 dockerwork]# docker inspect registry ## the container maps a directory on the host; pushed images are stored in that directory
"Mounts": [
{
"Type": "volume",
"Name": "622f1d2e06a756877409e3d6b5806e51819a2c1cc9b5d5d72ec34681b49fd8e5",
"Source": "/var/lib/docker/volumes/622f1d2e06a756877409e3d6b5806e51819a2c1cc9b5d5d72ec34681b49fd8e5/_data",
"Destination": "/var/lib/registry",
"Driver": "local",
"Mode": "",
"RW": true,
"Propagation": ""
}
],
[root@su1 dockerwork]# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
99ea949f5dcf registry "/entrypoint.sh /etc…" 3 minutes ago Up 3 minutes 0.0.0.0:5000->5000/tcp registry
Pushing an image to the private registry
[root@su1 dockerwork]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
nginx v1 94a423e12a25 2 hours ago 144MB
ubuntu latest 775349758637 2 days ago 64.2MB
busybox latest 020584afccce 3 days ago 1.22MB
registry latest f32a97de94e1 8 months ago 25.8MB
game2048 latest 19299002fdbe 2 years ago 55.5MB
rhel7 latest 0a3eb3fde7fd 5 years ago 140MB
[root@su1 dockerwork]# docker tag nginx:v1 localhost:5000/nginx:v1
[root@su1 dockerwork]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
nginx v1 94a423e12a25 2 hours ago 144MB
localhost:5000/nginx v1 94a423e12a25 2 hours ago 144MB
ubuntu latest 775349758637 2 days ago 64.2MB
busybox latest 020584afccce 3 days ago 1.22MB
registry latest f32a97de94e1 8 months ago 25.8MB
game2048 latest 19299002fdbe 2 years ago 55.5MB
rhel7 latest 0a3eb3fde7fd 5 years ago 140MB
[root@su1 dockerwork]# docker push localhost:5000/nginx
The push refers to repository [localhost:5000/nginx]
f7dda6e83ddc: Pushed
18af9eb19b5f: Pushed
v1: digest: sha256:e13a2663ad7f230b2712af8f927e25ac2672104a5b77656d8f95beb306c3995e
Check in the directory that the push succeeded
[root@su1 dockerwork]# cd /var/lib/docker/volumes/622f1d2e06a756877409e3d6b5806e51819a2c1cc9b5d5d72ec34681b49fd8e5/_data
[root@su1 _data]# ls
docker
[root@su1 _data]# cd docker/
[root@su1 docker]# ls
registry
[root@su1 docker]# cd registry/
[root@su1 registry]# ls
v2 ## the uploaded version
[root@su1 registry]# cd v2/
[root@su1 v2]# ls
blobs repositories
[root@su1 v2]# cd repositories/
[root@su1 repositories]# ls
nginx
[root@su1 repositories]# cd nginx/
[root@su1 nginx]# ls
_layers _manifests _uploads
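The directory walk above shows the registry:2 storage layout but not how a pushed tag relates to those files. The added script below (my example, not code from the post or from the registry project) maps a tag to its manifest link and a digest to its blob path, and recomputes a blob's sha256 to confirm the stored content still matches its digest, which is the property that makes the store tamper-evident. The sample store it builds under mktemp is constructed; on a real host the root is the volume's _data directory shown in docker inspect.

```bash
#!/usr/bin/env bash
# Added example, not from the original post: map a pushed tag back to the files
# registry:2 keeps under its storage root (the volume's _data directory, e.g.
# /var/lib/docker/volumes/<id>/_data) and verify a stored blob by its digest.
# Layout, matching the ls output above:
#   <root>/docker/registry/v2/blobs/sha256/<xx>/<hex>/data
#   <root>/docker/registry/v2/repositories/<repo>/_manifests/tags/<tag>/current/link

# sha256 of a file, using whichever tool the host has.
sha256_file() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"; else shasum -a 256 "$1"; fi | cut -d' ' -f1
}

# On-disk path of the blob for a digest of the form sha256:<hex>;
# blobs are sharded by the first two hex characters.
registry_blob_path() {
    local root=$1 digest=$2 algo hex
    algo=${digest%%:*}; hex=${digest#*:}
    printf '%s/docker/registry/v2/blobs/%s/%.2s/%s/data\n' "$root" "$algo" "$hex" "$hex"
}

# Path of the "current" link for <repo>:<tag>; the file holds the manifest digest.
registry_tag_link_path() {
    printf '%s/docker/registry/v2/repositories/%s/_manifests/tags/%s/current/link\n' "$1" "$2" "$3"
}

# Resolve a tag to the digest reported by "docker push" (the "v1: digest:" line).
registry_tag_digest() {
    cat "$(registry_tag_link_path "$1" "$2" "$3")"
}

# Recompute a stored blob's sha256 and compare it with its digest.
# Because the store is content-addressed, any edited layer or manifest fails here.
registry_verify_blob() {
    local root=$1 digest=$2 path
    path=$(registry_blob_path "$root" "$digest")
    [ -f "$path" ] || { echo "missing blob: $path" >&2; return 1; }
    [ "sha256:$(sha256_file "$path")" = "$digest" ] || { echo "digest mismatch: $path" >&2; return 1; }
}

# Constructed sample store (sample data, not a real registry): one blob whose
# content is "hello", tagged as nginx:v1. HELLO_DIGEST is sha256("hello").
HELLO_DIGEST=sha256:2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824
make_sample_store() {
    local root blob link
    root=$(mktemp -d)
    blob=$(registry_blob_path "$root" "$HELLO_DIGEST")
    mkdir -p "$(dirname "$blob")" && printf 'hello' > "$blob"
    link=$(registry_tag_link_path "$root" nginx v1)
    mkdir -p "$(dirname "$link")" && printf '%s' "$HELLO_DIGEST" > "$link"
    echo "$root"
}

# Stand-alone demo: build the sample store, resolve the tag and verify the blob.
demo_store=$(make_sample_store)
echo "nginx:v1 -> $(registry_tag_digest "$demo_store" nginx v1)"
registry_verify_blob "$demo_store" "$HELLO_DIGEST" && echo "blob verified"
rm -rf "$demo_store"
```

Run against a real volume, `registry_tag_digest /var/lib/docker/volumes/<id>/_data nginx v1` prints the same sha256 that `docker push` reported, and `registry_verify_blob` over every blob under blobs/sha256 is a cheap integrity sweep of the store.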
Adding TLS and authentication to the local registry
Official docs: https://docs.docker.com/registry/insecure/
[root@su1 ~]# systemctl start docker
First remove the earlier local registry
[root@su1 ~]# docker ps -a
99ea949f5dcf registry "/entrypoint.sh /etc…" 5 days ago Exited (255) 7 seconds ago 0.0.0.0:5000->5000/tcp registry
[root@su1 ~]# docker rm registry
Create a directory and generate the certificate and key
[root@su1 ~]# mkdir -p certs
[root@su1 ~]# openssl req \
> -newkey rsa:4096 -nodes -sha256 -keyout certs/westos.org.key \
> -x509 -days 365 -out certs/westos.org.crt
Generating a 4096 bit RSA private key
........................................................................................................................................................................................++
...............................................................................++
writing new private key to 'certs/westos.org.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Shaanxi
Locality Name (eg, city) [Default City]:Xi'an
Organization Name (eg, company) [Default Company Ltd]:westos
Organizational Unit Name (eg, section) []:linux
Common Name (eg, your name or your server's hostname) []:westos.org ## the domain name the registry serves
Email Address []:root@westos.org
You have new mail in /var/spool/mail/root
[root@su1 ~]# cd certs/
[root@su1 certs]# ls
westos.org.crt westos.org.key
[root@su1 certs]# cd /etc/docker
[root@su1 docker]# ls
daemon.json key.json
[root@su1 docker]# mkdir certs.d
[root@su1 docker]# cd certs.d/
[root@su1 certs.d]# mkdir westos.org
[root@su1 certs.d]# cd westos.org/
[root@su1 westos.org]# cp /root/certs/westos.org.crt ca.crt ## copy the generated certificate into Docker's config directory (over https the client obtains the certificate when it connects)
[root@su1 westos.org]# ls
ca.crt
Generate the local registry's user credentials
[root@su1 westos.org]# cd
[root@su1 ~]# mkdir auth
[root@su1 ~]# docker run \
> --entrypoint htpasswd \
> registry -Bbn testuser testpassword > auth/htpasswd
[root@su1 ~]# docker run --entrypoint htpasswd registry -Bbn admin westos >> auth/htpasswd
[root@su1 ~]# cd auth/
[root@su1 auth]# ls
htpasswd
[root@su1 auth]# cat htpasswd
testuser:$2y$05$mYIvV4X6hsVX7BVVrS/kH.ql2F.N4ypOs2KhgdCBzO9pK5SmL6E.y
admin:$2y$05$exoQHfXLOuSYZ470u1wnvOWHNCtGvdVzO2t6NFYMzGzxJFM0n54RW
Start a container from the image (this container is the local registry)
[root@su1 auth]# docker run -d --restart=always --name registry -v "$(pwd)"/certs:/certs -e REGISTRY_HTTP_ADDR=0.0.0.0:443 -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/westos.org.crt -e REGISTRY_HTTP_TLS_KEY=/certs/westos.org.key -p 443:443 -v "$(pwd)"/auth:/auth -e "REGISTRY_AUTH=htpasswd" -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd registry
a070ee58c5e8492b8a36994e3a93ea05194a90f3638d2cd32254c6a591cbbfbb
[root@su1 auth]# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
a070ee58c5e8 registry "/entrypoint.sh /etc…" 14 seconds ago Restarting (1) 3 seconds ago registry
[root@su1 ~]# netstat -antuple | grep 443
tcp6 0 0 :::443 :::* LISTEN 0 71518 7355/docker-proxy
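The docker run command above bind-mounts "$(pwd)"/certs and "$(pwd)"/auth, so it only works from the directory that holds both (here /root); issued from /root/auth as shown, the certs mount is an empty directory, the registry exits when it cannot load its certificate, and docker ps reports "Restarting (1)" as above. The added script below (my example, not the post's or the registry project's code) checks the layout before anything is started and prints the run command with read-only mounts and a pinned image tag. The directory layout is the post's; the placeholder cert and key it creates are constructed, and the htpasswd line is the one the post generated.

```bash
#!/usr/bin/env bash
# Added example, not from the original post: a pre-flight check for the TLS +
# htpasswd registry started above. Both bind mounts use "$(pwd)"/certs and
# "$(pwd)"/auth, so the command only works from the directory holding both
# (here /root). Run from /root/auth, the certs mount is an empty directory, the
# registry exits when it cannot load the certificate, and docker ps shows the
# "Restarting (1)" state seen above. These checks run before anything starts.
# The directory layout is the post's; the sample files below are constructed.

# Check <base>/certs/<host>.crt, <base>/certs/<host>.key and <base>/auth/htpasswd.
# registry:2's htpasswd backend accepts bcrypt entries only (htpasswd -B, "$2y$").
registry_preflight() {
    local base=$1 host=$2 rc=0 f bad
    for f in "certs/$host.crt" "certs/$host.key" "auth/htpasswd"; do
        [ -s "$base/$f" ] || { echo "missing or empty: $base/$f" >&2; rc=1; }
    done
    if [ -s "$base/auth/htpasswd" ]; then
        bad=$(grep -vc '^[^:][^:]*:\$2[aby]\$' "$base/auth/htpasswd" || true)
        [ "$bad" -eq 0 ] || { echo "auth/htpasswd: $bad non-bcrypt line(s)" >&2; rc=1; }
    fi
    return $rc
}

# Print (do not run) the docker run command for a checked layout. Compared with
# the command above, the mounts are read-only and the image tag is pinned.
registry_run_command() {
    local base=$1 host=$2
    registry_preflight "$base" "$host" || return 1
    cat <<EOF
docker run -d --restart=always --name registry -p 443:443 \\
  -v "$base/certs:/certs:ro" -v "$base/auth:/auth:ro" \\
  -e REGISTRY_HTTP_ADDR=0.0.0.0:443 \\
  -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/$host.crt \\
  -e REGISTRY_HTTP_TLS_KEY=/certs/$host.key \\
  -e REGISTRY_AUTH=htpasswd -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" \\
  -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd registry:2
EOF
}

# Constructed layout for the demo: placeholder cert/key and the post's bcrypt line.
make_sample_layout() {
    local base
    base=$(mktemp -d)
    mkdir -p "$base/certs" "$base/auth"
    printf 'PLACEHOLDER CERT\n' > "$base/certs/westos.org.crt"
    printf 'PLACEHOLDER KEY\n'  > "$base/certs/westos.org.key"
    printf 'testuser:$2y$05$mYIvV4X6hsVX7BVVrS/kH.ql2F.N4ypOs2KhgdCBzO9pK5SmL6E.y\n' > "$base/auth/htpasswd"
    echo "$base"
}

demo=$(make_sample_layout)
registry_run_command "$demo" westos.org
rm -rf "$demo"
```

On the real host, `registry_run_command /root westos.org` prints the command to run; a non-zero exit means one of the files the container needs is absent, which with --restart=always would otherwise turn into the restart loop rather than a single clear error.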
Edit name resolution
[root@su1 auth]# vi /etc/hosts
172.25.34.8 su1 westos.org
Log in to the local registry and push an image
[root@su1 auth]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
nginx v1 94a423e12a25 5 days ago 144MB
[root@su1 auth]# docker tag nginx:v1 westos.org/nginx:v1
[root@su1 auth]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
nginx v1 94a423e12a25 5 days ago 144MB
westos.org/nginx v1 94a423e12a25 5 days ago 144MB
[root@su1 ~]# docker login westos.org ## credentials are required
Username: admin
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
[root@su1 ~]# docker push westos.org/nginx:v1
The push refers to repository [westos.org/nginx]
f7dda6e83ddc: Pushed
18af9eb19b5f: Pushed
v1: digest: sha256:e13a2663ad7f230b2712af8f927e25ac2672104a5b77656d8f95beb306c3995e size: 740
Check whether the push succeeded
[root@su1 ~]# docker inspect registry
"Mounts": [
{
"Type": "volume",
"Name": "4bc78f1d6a9946ff70bb7bd79204a47979ccf649ca69407988c2a1557c4d11c8",
"Source": "/var/lib/docker/volumes/4bc78f1d6a9946ff70bb7bd79204a47979ccf649ca69407988c2a1557c4d11c8/_data",
"Destination": "/var/lib/registry",
"Driver": "local",
"Mode": "",
"RW": true,
"Propagation": ""
}
],
[root@su1 certs]# cd /var/lib/docker/volumes/4bc78f1d6a9946ff70bb7bd79204a47979ccf649ca69407988c2a1557c4d11c8/_data
[root@su1 _data]# ls
docker
[root@su1 _data]# cd docker/
[root@su1 docker]# ls
registry
[root@su1 docker]# cd registry/
[root@su1 registry]# ls
v2
[root@su1 registry]# cd v2/
[root@su1 v2]# ls
blobs repositories
[root@su1 v2]# cd repositories/
[root@su1 repositories]# ls
nginx
[root@su1 repositories]# cd nginx/
[root@su1 nginx]# ls
_layers _manifests _uploads
[root@su1 ~]# docker logout westos.org
[root@su1 ~]# docker push westos.org/nginx
The push refers to repository [westos.org/nginx]
f7dda6e83ddc: Preparing
18af9eb19b5f: Preparing
no basic auth credentials
Pushing an image to the local registry from another client machine
The client needs Docker; install it on the client
[root@su2 docker包]# ls
containerd.io-1.2.5-3.1.el7.x86_64.rpm
container-selinux-2.21-1.el7.noarch.rpm
docker-ce-18.09.6-3.el7.x86_64.rpm
docker-ce-cli-18.09.6-3.el7.x86_64.rpm
[root@su2 docker包]# systemctl start docker
Copy the generated certificate to the client
[root@su1 auth]# scp -r /etc/docker/certs.d root@172.25.34.9:/etc/docker
root@172.25.34.9's password:
ca.crt 100% 2098 1.5MB/s 00:00
htpasswd 100% 67 60.8KB/s 00:00
[root@su2 docker包]# cd /etc/docker/
[root@su2 docker]# cd certs.d/westos.org/
[root@su2 westos.org]# ls
ca.crt
Edit name resolution
[root@su2 westos.org]# vi /etc/hosts
172.25.34.8 su2 westos.org
Log in and push an image
[root@su2 ~]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
[root@su2 ~]# docker load -i rhel7.tar
e1f5733f050b: Loading layer 147.1MB/147.1MB
[root@su2 ~]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
rhel7 latest 0a3eb3fde7fd 5 years ago 140MB
[root@su2 ~]# docker tag rhel7:latest westos.org/rhel7:v1
[root@su2 ~]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
rhel7 latest 0a3eb3fde7fd 5 years ago 140MB
westos.org/rhel7 v1 0a3eb3fde7fd 5 years ago 140MB
[root@su2 ~]# docker login westos.org
Username: admin
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
[root@su2 ~]# docker push westos.org/rhel7:v1
The push refers to repository [westos.org/rhel7]
18af9eb19b5f: Pushed
v1: digest: sha256:58cd9120a4194edb0de4377b71bd564953255a1422baa1bbd9cb23d521c6873b size: 528
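The client steps on su2 come down to two things: Docker must trust the registry's self-signed certificate through a *.crt file in /etc/docker/certs.d/<host>/ (ca.crt here), and westos.org must resolve, which the post does through /etc/hosts (the westos.org entry is what matters; the su2 alias on the same line points at su1's address and is not used). The added script below (my example, not code from the post or from Docker) checks both before docker login. The certs directory and hosts file are parameters so the check runs here against constructed files; on a real client pass /etc/docker/certs.d and /etc/hosts.

```bash
#!/usr/bin/env bash
# Added example, not from the original post: check the client-side setup the post
# performs by hand on su2 before docker login. Docker trusts a private registry's
# self-signed certificate only if a *.crt file sits in /etc/docker/certs.d/<host>/
# (ca.crt in the post), and <host> must resolve, here through /etc/hosts. Both
# locations are parameters so the check runs against constructed files; on a real
# client pass /etc/docker/certs.d and /etc/hosts.

# First IP that <hosts_file> maps <host> to; fails (no output) when absent.
hosts_lookup() {
    awk -v h="$1" '!/^[[:space:]]*#/ { for (i = 2; i <= NF; i++) if ($i == h) { print $1; exit } }' "$2" | grep .
}

# Return 0 when <host> has a CA certificate under <certs_root> and resolves in <hosts_file>.
client_preflight() {
    local host=$1 certs_root=$2 hosts_file=$3 rc=0 ip found=0 c
    for c in "$certs_root/$host"/*.crt; do
        [ -s "$c" ] && found=1
    done
    if [ "$found" -eq 0 ]; then
        echo "no *.crt in $certs_root/$host: docker will reject the registry's certificate" >&2; rc=1
    fi
    if ip=$(hosts_lookup "$host" "$hosts_file"); then
        echo "$host -> $ip"
    else
        echo "$host is not resolved by $hosts_file" >&2; rc=1
    fi
    return $rc
}

# Constructed client layout mirroring su2: the CA copied by scp and the post's hosts line.
make_sample_client() {
    local base
    base=$(mktemp -d)
    mkdir -p "$base/certs.d/westos.org"
    printf 'PLACEHOLDER CA CERT\n' > "$base/certs.d/westos.org/ca.crt"
    printf '127.0.0.1 localhost\n172.25.34.8 su2 westos.org\n' > "$base/hosts"
    echo "$base"
}

demo=$(make_sample_client)
client_preflight westos.org "$demo/certs.d" "$demo/hosts" && echo "client ready for docker login westos.org"
rm -rf "$demo"
```

A failing certificate check is the usual cause of the "x509: certificate signed by unknown authority" error at login; a failing resolution check shows up as the daemon trying to reach a host that does not exist. Both are visible before any credential is sent.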
Adding a web interface to the local registry
(1) The registry web interface image provided by Docker
[root@su1 ~]# docker pull hyper/docker-registry-web # you can run docker search first
[root@su1 ~]# ls
anaconda-ks.cfg certs game2048.tar rhel7.tar
auth docker包 Python-3.6.4.tgz
[root@su1 ~]# ls -a
. .bash_history certs game2048.tar .rnd
.. .bash_logout .cshrc .pki .ssh
anaconda-ks.cfg .bash_profile .docker Python-3.6.4.tgz .tcshrc
auth .bashrc docker包 rhel7.tar
[root@su1 ~]# cat .docker/config.json
{
"auths": {
"westos.org": {
"auth": "YWRtaW46d2VzdG9z" # the credentials saved earlier
}
},
"HttpHeaders": {
"User-Agent": "Docker-Client/18.09.6 (linux)"
}
[root@su1 ~]# docker run -it -p 8080:8080 --name registry-web --link registry:westos.org -e REGISTRY_URL=https://westos.org/v2 -e REGISTRY_TRUST_ANY_SSL=true -e REGISTRY_BASIC_AUTH="YWRtaW46d2VzdG9z" -e REGISTRY_NAME=westos.org:443 hyper/docker-registry-web # v2 is the API version
Test in a browser: http://172.25.34.8:8080/
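The "auth" value read out of .docker/config.json above and passed to REGISTRY_BASIC_AUTH is simply base64(user:password), which is exactly what the "stored unencrypted" warning from docker login refers to: anyone who can read the file, or the container's environment, has the registry password. The added script below (my example, not code from the post or from Docker) encodes and decodes that value and pulls it out of a config.json for a given registry, so the stored credentials can be audited. The config.json it writes is constructed to match the post's; no real home directory is read.

```bash
#!/usr/bin/env bash
# Added example, not from the original post: the "auth" value that docker login
# writes to ~/.docker/config.json, and that the post passes to REGISTRY_BASIC_AUTH,
# is nothing more than base64(user:password). That is what the "stored unencrypted"
# warning refers to: anyone who can read the file has the registry password.
# The config.json below is constructed to match the post's; no real host is read.

# base64(user:password), the value behind "auth" and the HTTP Basic header.
basic_auth_encode() {
    printf '%s:%s' "$1" "$2" | base64 | tr -d '\n'
}

# Reverse of the above; prints user:password.
basic_auth_decode() {
    printf '%s' "$1" | base64 -d
}

# Extract auths.<registry>.auth from a config.json without jq: strip whitespace,
# then match the registry block. Prints nothing if no entry is stored.
docker_config_auth() {
    local reg
    reg=$(printf '%s' "$1" | sed 's/[.]/\\./g')
    tr -d ' \n\t' < "$2" | sed -n "s/.*\"$reg\":{\"auth\":\"\([^\"]*\)\".*/\1/p"
}

# Audit helper: list every registry in a config.json that has a stored auth value.
# A file whose credentials live in a credential helper ("credsStore") lists none.
docker_config_plaintext_registries() {
    tr -d ' \n\t' < "$1" | grep -o '"[^"]*":{"auth":"' | sed 's/^"//; s/":{"auth":"$//'
}

# Constructed config.json with the same shape as the post's.
make_sample_config() {
    local f
    f=$(mktemp)
    cat > "$f" <<'EOF'
{
  "auths": {
    "westos.org": {
      "auth": "YWRtaW46d2VzdG9z"
    }
  },
  "HttpHeaders": {
    "User-Agent": "Docker-Client/18.09.6 (linux)"
  }
}
EOF
    echo "$f"
}

cfg=$(make_sample_config)
for r in $(docker_config_plaintext_registries "$cfg"); do
    echo "$r stores $(basic_auth_decode "$(docker_config_auth "$r" "$cfg")" | cut -d: -f1)'s password in clear"
done
rm -f "$cfg"
```

Run against the real file, `docker_config_plaintext_registries ~/.docker/config.json` lists every registry whose password sits on disk in reversible form; configuring a credential helper, as the warning suggests, moves those values out of the file.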
(2) Deploying with docker-compose
Download docker-compose and make it executable
curl -L "https://github.com/docker/compose/releases/download/1.24.1/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
[root@su1 ~]# cd /usr/local/bin/
[root@su1 bin]# ls
docker-compose
[root@su1 bin]# ll
total 15792
-rw-r--r--. 1 root root 16168192 11月 9 01:13 docker-compose
[root@su1 bin]# chmod +x docker-compose
Setting up Harbor
[root@su1 ~]# tar zxf harbor-online-installer-v1.8.2.tgz
[root@su1 ~]# cd harbor/
[root@su1 harbor]# ls
harbor.yml install.sh LICENSE prepare
[root@su1 harbor]# vi harbor.yml
hostname: westos.org
...
https:
  # https port for harbor, default is 443
  port: 443
  # The path of cert and key files for nginx
  certificate: /root/certs/westos.org.crt
  private_key: /root/certs/westos.org.key
...
harbor_admin_password: westos

# Harbor DB configuration
database:
  # The password for the root user of Harbor DB. Change this before any production use.
  password: westos
[root@su1 harbor]# ./prepare # update the configuration files
[root@su1 harbor]# ./install.sh # install and start
If you see this error, fix it as the message suggests
ERROR: for registry Cannot create container for service registry: Conflict. The container name "/registry" is already in use by container "2f3db96ded2924d608cf8362cf96a6745a84f0149d1b7c4298973212776d7118". You have to remove (or rename) that container to be able to reuse that name.
ERROR: Encountered errors while bringing up the project.
[root@su1 harbor]# docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
f1f0ee22dba2 goharbor/harbor-db:v1.8.2 "/entrypoint.sh post…" 19 seconds ago Up 11 seconds (health: starting) 5432/tcp harbor-db
32132caa22d1 goharbor/harbor-registryctl:v1.8.2 "/harbor/start.sh" 19 seconds ago Up 11 seconds (health: starting) registryctl
0f21143cf77d goharbor/redis-photon:v1.8.2 "docker-entrypoint.s…" 19 seconds ago Up 13 seconds 6379/tcp redis
040c0e39f6b9 goharbor/harbor-log:v1.8.2 "/bin/sh -c /usr/loc…" 22 seconds ago Up 18 seconds (health: starting) 127.0.0.1:1514->10514/tcp harbor-log
2f3db96ded29 registry "/entrypoint.sh /etc…" 4 hours ago Up 2 hours 0.0.0.0:443->443/tcp, 5000/tcp registry
[root@su1 harbor]# docker rm -f 2f3db96ded29
2f3db96ded29
After fixing the error, run the installation again
[root@su1 harbor]# ./install.sh
These lines indicate a successful installation
✔ ----Harbor has been installed and started successfully.----
Now you should be able to visit the admin portal at https://westos.org.
For more details, please visit https://github.com/goharbor/harbor .
Check container status
[root@su1 harbor]# docker-compose ps
Name Command State Ports
-------------------------------------------------------------------------------
harbor-db /entrypoint.sh postgres Up (healthy) 5432/tcp
harbor-log /bin/sh -c Up (healthy) 127.0.0.1:1514->10514/t
/usr/local/bin/ ... cp
redis docker-entrypoint.sh Up 6379/tcp
redis ...
registryctl /harbor/start.sh Up (healthy)
Add name resolution on the physical host
[root@foundation34 Desktop]# vi /etc/hosts
172.25.34.8 westos.org
Visit https://westos.org/ in a browser
Pushing an image to the registry
[root@su1 harbor]# docker login westos.org
Authenticating with existing credentials...
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
# Important: when retagging, the project name must be included in the tag; the project can be created in the web UI
[root@su1 harbor]# docker tag nginx:v1 westos.org/library/ningx:latest
[root@su1 harbor]# docker push westos.org/library/ningx:latest
The push refers to repository [westos.org/library/ningx]
f7dda6e83ddc: Pushed
18af9eb19b5f: Pushed
latest: digest: sha256:e13a2663ad7f230b2712af8f927e25ac2672104a5b77656d8f95beb306c3995e size: 740
Check that the push succeeded