Pulling images directly from the official site is not always convenient, and sometimes a host cannot reach the public internet at all for security reasons. In that case a local private registry is needed, in which already-prepared images are stored.
The registry itself is open source and packaged as an image: pull it and run the container, and what remains is to configure TLS encryption, authentication and storage.
Setting up a private registry
Pull the registry image
[root@toto6 images]# docker pull registry:2
[root@toto6 images]# docker images registry
REPOSITORY TAG IMAGE ID CREATED SIZE
registry 2 f32a97de94e1 4 months ago 25.8MB
Run the container
[root@toto6 images]# docker run -d --name registry -p 5000:5000 -v /opt/registry:/var/lib/registry registry:2
## create and run the container, set the data volume and map the port
Check that the container is running and that the mapped port is open:
[root@toto6 images]# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
bc3bcd6346f4 registry:2 "/entrypoint.sh /etc…" About a minute ago Up About a minute 0.0.0.0:5000->5000/tcp registry
[root@toto6 images]# netstat -antlp
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 656/sshd
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 778/master
tcp 0 0 172.25.13.160:22 172.25.13.250:57074 ESTABLISHED 2036/sshd: root@pts
tcp6 0 0 :::22 :::* LISTEN 656/sshd
tcp6 0 0 ::1:25 :::* LISTEN 778/master
tcp6 0 0 :::5000 :::* LISTEN 19841/docker-proxy
Push an image to the local registry
When pushing an image, the default target is the official Docker Hub registry. To push to the locally created registry instead, the address and port must be given explicitly. Addressing the registry by IP would require TLS by default, which has not been set up yet, so the push is pointed straight at the local port.
The local image to be pushed must first be re-tagged:
[root@toto6 images]# docker tag nginx:latest localhost:5000/nginx
[root@toto6 images]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
nginx v4 cb475e8f4412 4 hours ago 23.7MB
nginx latest f68d6e55e065 11 days ago 109MB
localhost:5000/nginx latest f68d6e55e065 11 days ago 109MB
registry 2 f32a97de94e1 4 months ago 25.8MB
rhel7 latest 0a3eb3fde7fd 5 years ago 140MB
gcr.io/distroless/base latest 9a255d5fe262 49 years ago 16.8MB
Push the re-tagged image to the local registry:
[root@toto6 images]# docker push localhost:5000/nginx # push
The push refers to repository [localhost:5000/nginx]
d2f0b6dea592: Pushed
197c666de9dd: Pushed
cf5b3c6798f7: Pushed
latest: digest: sha256:00be67d6ba53d5318cd91c57771530f5251cfbe028b7be2c4b70526f988cfc9f size: 948
[root@toto6 images]# curl localhost:5000/v2/_catalog # confirm the push succeeded
{"repositories":["nginx"]}
Inspect the volume mount point
Because the container was started with a data volume, the result of the push can be inspected on the host:
[root@toto6 images]# cd /opt/registry/
[root@toto6 registry]# ls
docker
[root@toto6 registry]# cd docker/
[root@toto6 docker]# ls
registry
[root@toto6 docker]# cd registry/
[root@toto6 registry]# ls
v2
[root@toto6 registry]# cd v2/
[root@toto6 v2]# ls
blobs repositories
[root@toto6 v2]# cd repositories/
[root@toto6 repositories]# ls
nginx
The registry created so far cannot be used by remote hosts and is not secure enough, so the next step is to build the private registry with certificate-based encryption.
TLS encryption for the private registry
The registry above runs in plaintext and has no authentication, which is a significant security risk. The following shows how to enable TLS encryption and user authentication.
Adding certificate-based encryption to the Docker registry
A remote Docker host accessing a private registry must use TLS by default.
1. Generate a certificate
[root@toto6 ~]# mkdir -p certs
[root@toto6 ~]# openssl req -newkey rsa:4096 -nodes -sha256 -keyout certs/toto.com.key -x509 -days 365 -out certs/toto.com.crt
Generating a 4096 bit RSA private key
........................................................................................................++
.......................................................................++
writing new private key to 'certs/toto.com.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:shaanxi
Locality Name (eg, city) [Default City]:xi'an
Organization Name (eg, company) [Default Company Ltd]:westos
Organizational Unit Name (eg, section) []:docker
Common Name (eg, your name or your server's hostname) []:toto.com
Email Address []:root@toto.com
[root@toto6 ~]# ls certs/
toto.com.crt toto.com.key # certificate generated successfully
2. Restart the registry container:
The previously started container must be removed first:
[root@toto6 ~]# docker rm -f registry
registry
Start the container again, this time with TLS:
[root@toto6 ~]# docker run -d \
> --restart=always \
> --name registry \
> -v "$(pwd)"/certs:/certs \
> -e REGISTRY_HTTP_ADDR=0.0.0.0:443 \
> -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/toto.com.crt \
> -e REGISTRY_HTTP_TLS_KEY=/certs/toto.com.key \
> -p 443:443 \
> registry:2
## -d: run in the background; --restart=always: restart with the daemon; -v: mount the certs directory as a volume
## -e: set registry parameters: listen on port 443, use the generated certificate and its private key; -p: map the port; registry:2: the image
Check the container status and the open port:
[root@toto6 ~]# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
d3063593b314 registry:2 "/entrypoint.sh /etc…" 33 seconds ago Up 31 seconds 0.0.0.0:443->443/tcp, 5000/tcp registry
[root@toto6 ~]# netstat -antlp
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 656/sshd
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 778/master
tcp 0 0 172.25.13.160:22 172.25.13.250:59964 ESTABLISHED 20132/sshd: root@pt
tcp6 0 0 :::22 :::* LISTEN 656/sshd
tcp6 0 0 ::1:25 :::* LISTEN 778/master
tcp6 0 0 :::443 :::* LISTEN 21555/docker-proxy
The TLS setup on the registry server side is now complete, but a Docker client connecting to this registry needs the same certificate in order to access it.
Docker client setup.
Install the certificate on the Docker client
[root@toto6 ~]# mkdir -p /etc/docker/certs.d/toto.com # create this directory; its name must match the certificate's domain name
[root@toto6 ~]# cd /etc/docker/certs.d/toto.com
[root@toto6 toto.com]# cp /root/certs/toto.com.crt ca.crt # copy the generated certificate into this directory as ca.crt
[root@toto6 toto.com]# ls
ca.crt
Name resolution for the certificate domain
[root@toto6 toto.com]# vim /etc/hosts
172.25.13.160 toto6 toto.com
3. Verify the deployment
Re-tag the local image in the fixed format: domain/image-name
[root@toto6 toto.com]# docker tag nginx:v4 toto.com/nginx
Push the image:
[root@toto6 toto.com]# docker push toto.com/nginx
The push refers to repository [toto.com/nginx]
49cb414524e0: Pushed
668afdbd4462: Pushed
latest: digest: sha256:a3e3cbec11f49a4fdebedf975fadbe6dc8cd9e26835fc3018353d7d7f3bdf93b size: 739
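The certificate generation in step 1 and the client-side ca.crt trust configured above can be exercised together without a running registry. The following shell script is an added example, not part of the original post: it generates a self-signed certificate for toto.com non-interactively, adds a subjectAltName (Docker releases built on recent Go versions reject certificates that carry the hostname only in the Common Name, which is what the interactive openssl command above produces), and then verifies the certificate the way the Docker daemon does with /etc/docker/certs.d/toto.com/ca.crt, checking both the chain and the hostname. It requires openssl; the temporary directory, the function names and the hostname-versus-IP comparison are the example's own.

```shell
#!/bin/sh
# Added example (not from the original post): generate a registry certificate
# for toto.com non-interactively, with a subjectAltName, and verify it the way
# a Docker client verifies a registry against certs.d/<host>/ca.crt.
# Requires openssl. Paths, function names and the temp dir are the example's own.
set -e

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# gen_cert DIR HOST: write DIR/HOST.key and DIR/HOST.crt (self-signed, 365 days).
# The DN fields mirror the answers given interactively in the post; the
# subjectAltName is the addition that Go-based clients such as Docker require.
gen_cert() {
    dir="$1"; host="$2"
    cat > "$dir/$host.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_req
prompt = no
[dn]
C = CN
O = westos
OU = docker
CN = $host
[v3_req]
basicConstraints = CA:TRUE
subjectAltName = DNS:$host
extendedKeyUsage = serverAuth
EOF
    openssl req -newkey rsa:2048 -nodes -sha256 -x509 -days 365 \
        -config "$dir/$host.cnf" \
        -keyout "$dir/$host.key" -out "$dir/$host.crt" >/dev/null 2>&1
}

# has_san CRT HOST: succeed if CRT lists DNS:HOST in its subjectAltName.
has_san() {
    openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"
}

# client_trusts CA CRT NAME: emulate the client-side check. The Docker daemon
# trusts CA (the ca.crt placed under /etc/docker/certs.d/NAME/) and requires the
# server certificate to chain to it and to match NAME. Prints ok or fail.
client_trusts() {
    if openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

gen_cert "$WORK" toto.com
# this same file is what gets copied to /etc/docker/certs.d/toto.com/ca.crt
cp "$WORK/toto.com.crt" "$WORK/ca.crt"

has_san "$WORK/toto.com.crt" toto.com && echo "subjectAltName present"
# connecting by the certificate's name succeeds; by the bare IP it fails, which
# is why the post resolves toto.com in /etc/hosts instead of using 172.25.13.160
echo "toto.com:       $(client_trusts "$WORK/ca.crt" "$WORK/toto.com.crt" toto.com)"
echo "172.25.13.160:  $(client_trusts "$WORK/ca.crt" "$WORK/toto.com.crt" 172.25.13.160)"
```

The second client_trusts call is the failure mode behind the /etc/hosts entry in the post: the certificate names toto.com, so a client that reaches the registry by its IP address fails verification even with the right ca.crt in place.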
Adding user authentication to the Docker registry
1. Create the user/password file:
[root@toto6 ~]# mkdir auth
[root@toto6 ~]# docker run --rm --entrypoint htpasswd registry:2 \
> -Bbn toto redhat > auth/htpasswd # create the password file: user toto, password redhat
[root@toto6 ~]# cat auth/htpasswd
toto:$2y$05$.kWgrZDcKIpyNUv3xQuALOgu.LtOocYSc0eb896nkR6BwS2g9bzQm
2. A container named registry is already running, so it has to be removed before a new one can be started under the same name
[root@toto6 ~]# docker rm -f registry
registry
3. Run the container again, this time with user authentication enabled.
[root@toto6 ~]# docker run -d \
> --restart=always \
> --name registry \
> -v "$(pwd)"/certs:/certs \
> -e REGISTRY_HTTP_ADDR=0.0.0.0:443 \
> -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/toto.com.crt \
> -e REGISTRY_HTTP_TLS_KEY=/certs/toto.com.key \
> -p 443:443 \
> -v "$(pwd)"/auth:/auth \
> -e "REGISTRY_AUTH=htpasswd" \
> -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" \
> -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd \
> registry:2
## -d: run in the background; --restart=always: restart with the daemon; -v certs: mount the certs directory; -e REGISTRY_HTTP_*: listen on port 443 with the generated certificate and private key; -p: map the port
## -v auth: mount the authentication directory; REGISTRY_AUTH: authentication method; REGISTRY_AUTH_HTPASSWD_PATH: path of the password file; registry:2: the image
4. Check the container and the open port:
[root@toto6 ~]# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
17a21a99d6a6 registry:2 "/entrypoint.sh /etc…" About a minute ago Up About a minute 0.0.0.0:443->443/tcp, 5000/tcp registry
[root@toto6 ~]# netstat -antlp
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 656/sshd
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 778/master
tcp 0 0 172.25.13.160:22 172.25.13.250:59964 ESTABLISHED 20132/sshd: root@pt
tcp6 0 0 :::22 :::* LISTEN 656/sshd
tcp6 0 0 ::1:25 :::* LISTEN 778/master
tcp6 0 0 :::443 :::* LISTEN 22096/docker-proxy
User authentication is now set up.
Test:
1. Without authentication the push fails.
[root@toto6 ~]# docker tag busybox:latest toto.com/busybox
[root@toto6 ~]# docker push toto.com/busybox
The push refers to repository [toto.com/busybox]
8a788232037e: Preparing
no basic auth credentials
2. Log in with credentials
[root@toto6 ~]# docker login toto.com
Username: toto
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
[root@toto6 ~]# docker push toto.com/busybox
The push refers to repository [toto.com/busybox]
8a788232037e: Pushed
latest: digest: sha256:915f390a8912e16d4beb8689720a17348f3f6d1a7b659697df850ab625ea29d5 size: 527
3. After a successful login a credential file is written
/root/.docker/config.json # records the login information
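The htpasswd file created in step 1 of the authentication setup and the config.json written by docker login in step 3 can both be checked offline with plain shell. The following script is an added example, not part of the original post: check_htpasswd rejects entries that are not bcrypt (the registry's htpasswd backend accepts bcrypt only, which is why the htpasswd command above uses -B; an entry created without it looks valid but never logs in), and creds_in_config lists the registries whose credentials sit base64-encoded in config.json, which is what the warning printed at login refers to. The input files are constructed for the demo; only the toto bcrypt line is the one shown on the page, and the config.json parsing assumes the compact per-registry layout the Docker CLI writes. If the registry image you pull no longer bundles htpasswd, the httpd:2 image provides the same binary for the command above.

```shell
#!/bin/sh
# Added example (not from the original post): offline checks for the htpasswd
# file the registry reads and for the config.json that docker login writes.
# All inputs are constructed here; only the toto line is the one from the page.
set -e

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# check_htpasswd FILE: print "ok USER" or "bad USER REASON" per entry.
# The registry's htpasswd backend accepts bcrypt hashes only, so MD5 ($apr1$),
# SHA ({SHA}) or plaintext entries are never going to authenticate.
check_htpasswd() {
    while IFS= read -r line || [ -n "$line" ]; do
        [ -z "$line" ] && continue
        user="${line%%:*}"
        hash="${line#*:}"
        case "$hash" in
            '$2a$'*|'$2b$'*|'$2y$'*)
                # a bcrypt string is exactly 60 characters long
                if [ "${#hash}" -eq 60 ]; then
                    echo "ok $user"
                else
                    echo "bad $user truncated-bcrypt"
                fi ;;
            '$apr1$'*) echo "bad $user md5-not-supported" ;;
            '{SHA}'*)  echo "bad $user sha1-not-supported" ;;
            *)         echo "bad $user not-a-hash" ;;
        esac
    done < "$1"
}

# creds_in_config FILE: list registries whose credentials are stored inline in
# config.json as base64("user:password"), which is what the warning printed by
# docker login refers to. Registries handled by a credential helper have no
# "auth" value and are skipped. The parsing is deliberately minimal and assumes
# each registry entry holds only an "auth" value (assumption of this example).
creds_in_config() {
    tr -d ' \n\t' < "$1" \
      | grep -o '"[^"]*":{"auth":"[^"]*"}' \
      | sed 's/^"\([^"]*\)":{"auth":"\([^"]*\)"}$/\1 \2/' \
      | while read -r reg b64; do
            user="$(printf '%s' "$b64" | base64 -d | cut -d: -f1)"
            echo "$reg stores inline credentials for user $user"
        done
}

# constructed htpasswd: one valid bcrypt entry (from the page) and two broken ones
cat > "$WORK/htpasswd" <<'EOF'
toto:$2y$05$.kWgrZDcKIpyNUv3xQuALOgu.LtOocYSc0eb896nkR6BwS2g9bzQm
legacy:$apr1$constructed$notarealmd5hashxxxxxxx
plain:redhat
EOF

# constructed config.json: one inline credential (toto:redhat), one entry without any
cat > "$WORK/config.json" <<'EOF'
{
  "auths": {
    "toto.com": { "auth": "dG90bzpyZWRoYXQ=" },
    "https://index.docker.io/v1/": {}
  }
}
EOF

check_htpasswd "$WORK/htpasswd"
creds_in_config "$WORK/config.json"
```

Run against the real files, check_htpasswd takes the auth/htpasswd path and creds_in_config takes /root/.docker/config.json; a non-empty result from the latter is the cue to configure a credential helper, as the login warning suggests.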
Connecting from a remote client
In all of the settings above the server and the client were on the same host; the following covers a remote host.
Registry server: 172.25.13.160
Client: 172.25.13.250
Client setup:
1. Install the certificate; it must be identical to the one used by the server
[root@foundation13 ~]# mkdir /etc/docker/certs.d/toto.com
mkdir: cannot create directory ‘/etc/docker/certs.d/toto.com’: No such file or directory
[root@foundation13 ~]# mkdir -p /etc/docker/certs.d/toto.com
[root@foundation13 ~]# scp toto6:/etc/docker/certs.d/toto.com/ca.crt /etc/docker/certs.d/toto.com
root@toto6's password:
ca.crt 100% 2090 2.0KB/s 00:00
Create the certificate directory and copy over the certificate used by the server (it has to be this exact file; any other certificate will not work)
2. Configure name resolution: the domain name on the certificate must resolve
172.25.13.160 toto6 toto.com
3. Log in from the remote host, then pull or push images
[root@foundation13 ~]# docker login toto.com
Username: toto
Password:
Login Succeeded
[root@foundation13 ~]# docker pull toto.com/busybox
Using default tag: latest
latest: Pulling from busybox
90e01955edcd: Pull complete
Digest: sha256:915f390a8912e16d4beb8689720a17348f3f6d1a7b659697df850ab625ea29d5
Status: Downloaded newer image for toto.com/busybox:latest
[root@foundation13 ~]# docker images toto.com/busybox
REPOSITORY TAG IMAGE ID CREATED SIZE
toto.com/busybox latest 59788edf1f3e 9 months ago 1.15MB