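I. Introduction to Docker Images
Docker images can be built in two ways: manually, or automatically with a Dockerfile.
Manual Docker image build example:
We start from the centos image and build an nginx image.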
[root@linux-node1 ~]# docker run --name abcdocker -it centos
[root@026ae321431d /]# yum install wget -y
[root@026ae321431d /]# wget -O /etc/yum.repos.d/epel.repo http://mirrors.aliyun.com/repo/epel-7.repo
[root@026ae321431d /]# yum install nginx -y
We need to modify the nginx configuration file so that nginx runs in the foreground.
[root@026ae321431d /]# vi /etc/nginx/nginx.conf
...
daemon off;
...
After making the change we exit the container.
[root@linux-node1 ~]# docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
026ae321431d centos "/bin/bash" 8 minutes ago Exited (0) 4 seconds ago abcdocker
After the change we need to commit.
[root@linux-node1 ~]# docker commit -m "My Nginx" 026ae321431d abcdocker/abcdocker:v1
sha256:d1da04e088afa5bc005fbef9c75c6c4d4432df2f8fdda2ca16543638ec3682f4
[root@linux-node1 ~]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
abcdocker/abcdocker v1 d1da04e088af 4 minutes ago 386.5 MB
docker.io/nginx latest e43d811ce2f4 34 hours ago 181.4 MB
docker.io/centos latest 980e0e4c79ec 6 weeks ago 196.7 MB
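# Notes
-m: description
Container ID
The first abcdocker is the repository name
The second abcdocker is the image name
v1 is the tag; for the most recent version we can tag it latest
Now we start the nginx image we just built.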
[root@linux-node1 ~]# docker run --name nginxv1 -d -p 81:80 abcdocker/abcdocker:v1 nginx
2827b5ff95363d4597928a1e094b4c267178350a6c23a075bda90fabff1c671e
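We must write the full image name, including the tag.
Note: the trailing nginx is not the nginx image; it is the name of the service to start.
We can look at the access log.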
[root@linux-node1 ~]# ./docker_in.sh nginxv1
[root@2827b5ff9536 /]# tail -f /var/log/nginx/access.log
192.168.56.1 - - [23/Oct/2016:09:09:49 +0000] "GET / HTTP/1.1" 200 3700 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:49.0) Gecko/20100101 Firefox/49.0" "-"
192.168.56.1 - - [23/Oct/2016:09:09:49 +0000] "GET /nginx-logo.png HTTP/1.1" 200 368 "http://192.168.56.11:81/" "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:49.0) Gecko/20100101 Firefox/49.0" "-"
192.168.56.1 - - [23/Oct/2016:09:09:49 +0000] "GET /poweredby.png HTTP/1.1" 200 2811 "http://192.168.56.11:81/" "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:49.0) Gecko/20100101 Firefox/49.0" "-"
192.168.56.1 - - [23/Oct/2016:09:09:49 +0000] "GET /favicon.ico HTTP/1.1" 404 3650 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:49.0) Gecko/20100101 Firefox/49.0" "-"
192.168.56.1 - - [23/Oct/2016:09:09:49 +0000] "GET /favicon.ico HTTP/1.1" 404 3650 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:49.0) Gecko/20100101 Firefox/49.0" "-"
That is how to build an nginx image manually.
A Dockerfile is made up of lines of commands and statements.
Dockerfile build steps:
[root@linux-node1 ~]# mkdir /dockerfile
[root@linux-node1 ~]# cd /dockerfile
[root@linux-node1 dockerfile]#
[root@linux-node1 dockerfile]# mkdir nginx
[root@linux-node1 dockerfile]# cd nginx/
[root@linux-node1 nginx]#
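We want to automate the creation of an nginx image in the nginx directory.
Note: the D must be uppercase. When we build from a Dockerfile, docker by default reads a file named Dockerfile in the current directory, and the D in that name must be uppercase.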
[root@linux-node1 nginx]# cat Dockerfile
# This Dockerfile
# My Name is YuHongCong
# Base image
FROM centos
# Maintainer
MAINTAINER abcdocker xxx@gmail.com
#Commands
RUN rpm -ivh http://mirrors.aliyun.com/epel/epel-release-latest-7.noarch.rpm
RUN yum install -y nginx && yum clean all
RUN echo "daemon off;" >>/etc/nginx/nginx.conf
ADD index.html /usr/share/nginx/html/index.html
EXPOSE 80
CMD ["nginx"]
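# The hash sign marks a comment
#Base image: apart from comments, the first line must be FROM, which tells the Dockerfile what the base image is
#Maintainer: maintainer information
#Commands: the commands to run
#ADD index.html: this file must exist in the current directory; we can prepare our configuration files in advance and then use the ADD instruction to add or replace them
EXPOSE: the externally exposed port number
CMD ["nginx"]: the command to start is nginx (that is, the nginx service)
Article on Dockerfile: http://www.abcdocker.com/abcdocker/1724
With the Dockerfile written, we also need an index.html.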
[root@linux-node1 nginx]# echo www.abcdocker.com >index.html
[root@linux-node1 nginx]# ll
total 8
-rw-r--r-- 1 root root 368 Oct 23 18:04 Dockerfile
-rw-r--r-- 1 root root 18 Oct 23 18:06 index.html
Note: the . is the build location, which here is the current directory. We use docker build to build the image.
[root@linux-node1 nginx]# docker build -t mynginx:v2 .
Once the build completes we can see what we configured.
[root@linux-node1 nginx]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
mynginx v2 0d327c3d5058 8 minutes ago 281.6 MB
abcdocker/abcdocker v1 d1da04e088af About an hour ago 386.5 MB
docker.io/nginx latest e43d811ce2f4 35 hours ago 181.4 MB
docker.io/centos latest 980e0e4c79ec 6 weeks ago 196.7 MB
Start the image
[root@linux-node1 nginx]# docker run --name mynginxtest -d -p 82:80 mynginx:v2
71ca33f5032c57342eff85f948c0273f0818218c5e3ccf6c7368d5e5da123520
# mynginx:v2 is the image name shown by docker images
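Dockerfile instruction reference
FROM        specifies the base image
MAINTAINER  specifies the maintainer information
RUN         put RUN in front of a command to execute it
ADD         copies files; archives are extracted automatically
WORKDIR     sets the current working directory, similar to cd
VOLUME      sets a volume, mounting a host directory
EXPOSE      specifies the externally exposed port
CMD         specifies what the container does after it starts
Dockerfile article: http://www.abcdocker.com/abcdocker/1724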
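As an added example (not part of the original article), the following shell function checks a Dockerfile for three habits visible in the one above: a FROM without a tag or digest, a RUN that downloads over plain http, and ADD used for an ordinary local file. `lint_dockerfile` and `page_dockerfile` are hypothetical names, and the embedded sample is the Dockerfile from this page.

```shell
#!/bin/sh
# Added example (not from the original article): flag supply-chain weak spots
# in a Dockerfile. lint_dockerfile is a hypothetical helper, not a Docker tool.

# Read a Dockerfile on stdin; print one finding per line as "LINE: message".
lint_dockerfile() {
    awk '
        /^[[:space:]]*#/ || NF == 0 { next }      # skip comments and blanks
        { instr = toupper($1) }
        instr == "FROM" && $2 !~ /@sha256:/ {
            name = $2
            sub(/^.*\//, "", name)                # drop registry host:port/ prefix
            if (name !~ /:/) {
                print NR ": FROM " $2 " has no tag or digest (resolves to latest)"
            } else if (name ~ /:latest$/) {
                print NR ": FROM " $2 " uses the mutable latest tag"
            }
        }
        instr == "RUN" && /http:\/\// {
            print NR ": RUN downloads over plain http"
        }
        instr == "ADD" && $2 !~ /^https?:/ && $2 !~ /\.(tar|tgz|gz|bz2|xz)$/ {
            print NR ": ADD copies a plain local file, COPY is enough"
        }'
}

# Sample input: the Dockerfile shown on this page.
page_dockerfile() {
    cat <<'EOF'
# This Dockerfile
# My Name is YuHongCong
# Base image
FROM centos
# Maintainer
MAINTAINER abcdocker xxx@gmail.com
#Commands
RUN rpm -ivh http://mirrors.aliyun.com/epel/epel-release-latest-7.noarch.rpm
RUN yum install -y nginx && yum clean all
RUN echo "daemon off;" >>/etc/nginx/nginx.conf
ADD index.html /usr/share/nginx/html/index.html
EXPOSE 80
CMD ["nginx"]
EOF
}

page_dockerfile | lint_dockerfile
```

Each finding is prefixed with the line number in the Dockerfile, so the three reported lines are the FROM, the first RUN and the ADD.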
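II. Docker Registry
Docker's registry is DockerHub, which is similar to github. github has an open source software called gitlab, and Docker likewise has an open source software, docker registry.
First we search the images and find registry.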
[root@linux-node1 ~]# docker search docker
INDEX NAME DESCRIPTION STARS OFFICIAL AUTOMATED
docker.io docker.io/jenkins Official Jenkins Docker image 2146 [OK]
docker.io docker.io/alpine A minimal Docker image based on Alpine Lin... 1556 [OK]
docker.io docker.io/registry Containerized docker registry 1161 [OK]
docker.io docker.io/swarm Swarm: a Docker-native clustering system. 529 [OK]
docker.io docker.io/fedora Official Docker builds of Fedora 446 [OK]
docker.io docker.io/docker Docker in Docker! 311 [OK]
docker.io docker.io/konradkleine/docker-registry-frontend Browse and modify your Docker registry in ... 121 [OK]
docker.io docker.io/oddrationale/docker-shadowsocks shadowsocks Docker image 121 [OK]
docker.io docker.io/docker-dev Docker is an open source project to pack, ... 58 [OK]
docker.io docker.io/hyper/docker-registry-web Web UI, authentication service and event r... 55 [OK]
docker.io docker.io/datadog/docker-dd-agent Docker container for the Datadog Agent. 42 [OK]
docker.io docker.io/francescou/docker-compose-ui web interface for Docker Compose 32 [OK]
docker.io docker.io/nodered/node-red-docker Node-RED Docker images. 32 [OK]
docker.io docker.io/spotify/docker-gc Garbage collection of Docker containers an... 26 [OK]
docker.io docker.io/devalx/docker-teamspeak3 Docker Container with Teamspeak 3. Contain... 19 [OK]
docker.io docker.io/grahamdumpleton/mod-wsgi-docker Docker images for Apache/mod_wsgi. 19 [OK]
docker.io docker.io/dockercore/docker 15 [OK]
docker.io docker.io/docker/docker-bench-security Docker Bench checks for dozens of common b... 12 [OK]
docker.io docker.io/laurentmalvert/docker-boinc A dockerized BOINC client 7 [OK]
docker.io docker.io/rubinius/docker Docker images for Rubinius and other parts... 4 [OK]
docker.io docker.io/docker/migrator Tool to migrate Docker images from a v1 re... 3 [OK]
docker.io docker.io/fabric8/jenkins-docker Fabric8 Jenkins Docker Image 3 [OK]
docker.io docker.io/jakubsacha/symfony-docker Docker image tailed to run symfony applica... 2 [OK]
docker.io docker.io/cgal/testsuite-docker Docker images for the CGAL testsuite 1 [OK]
docker.io docker.io/jfisbein/docker-images Various Docker build files for creating Do... 1 [OK]
We can download it with docker pull.
[root@linux-node1 ~]# docker pull registry
View the images
[root@linux-node1 ~]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
mynginx v2 0d327c3d5058 26 hours ago 281.6 MB
abcdocker/abcdocker v1 d1da04e088af 27 hours ago 386.5 MB
docker.io/nginx latest e43d811ce2f4 2 days ago 181.4 MB
docker.io/registry latest c9bd19d022f6 5 days ago 33.27 MB
docker.io/centos latest 980e0e4c79ec 6 weeks ago 196.7 MB
docker.io/vmware/admiral latest 4e798983bb2a 6 weeks ago 506.4 MB
The registry uses port 5000 by default, so we check whether port 5000 is already in use.
[root@linux-node1 ~]# netstat -lntup
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN 19995/mysqld
tcp 0 0 0.0.0.0:4369 0.0.0.0:* LISTEN 21574/epmd
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1094/sshd
tcp 0 0 0.0.0.0:15672 0.0.0.0:* LISTEN 21557/beam
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 1372/master
tcp 0 0 0.0.0.0:25672 0.0.0.0:* LISTEN 21557/beam
tcp6 0 0 :::81 :::* LISTEN 119979/docker-proxy
tcp6 0 0 :::4369 :::* LISTEN 21574/epmd
tcp6 0 0 :::82 :::* LISTEN 122045/docker-proxy
tcp6 0 0 :::22 :::* LISTEN 1094/sshd
tcp6 0 0 ::1:25 :::* LISTEN 1372/master
tcp6 0 0 :::8282 :::* LISTEN 7571/docker-proxy
tcp6 0 0 :::5672 :::* LISTEN 21557/beam
udp 0 0 0.0.0.0:123 0.0.0.0:* 19389/chronyd
udp 0 0 127.0.0.1:323 0.0.0.0:* 19389/chronyd
udp6 0 0 ::1:323 :::* 19389/chronyd
Now we run the container.
[root@linux-node1 ~]# docker run -d -p 5000:5000 registry
aa6b8ce82d5ab3539e7c6aa8bca23215f18f1215ccb8ca48100e525ba769d964
Note: with older docker versions the registry could be used as soon as it was running; from 1.7 onward this no longer works.
We add a new tag.
[root@linux-node1 ~]# docker tag abcdocker/abcdocker:v1 192.168.56.11:5000/abc/mynginx:latest
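# We tag the earlier abcdocker image for the registry on port 5000
Since 1.3.X, Docker uses https for docker registry by default, so when docker pull is used to download a remote image and the remote docker registry is not served over https, the following error is reported.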
[root@linux-node1 ~]# docker tag abcdocker/abcdocker:v1 192.168.56.11:5000/abc/mynginx:latest
[root@linux-node1 ~]# docker push 192.168.56.11:5000/abc/mynginx:latest
The push refers to a repository [192.168.56.11:5000/abc/mynginx]
unable to ping registry endpoint https://192.168.56.11:5000/v0/
v2 ping attempt failed with error: Get https://192.168.56.11:5000/v2/: http: server gave HTTP response to HTTPS client
v1 ping attempt failed with error: Get https://192.168.56.11:5000/v1/_ping: http: server gave HTTP response to HTTPS client
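Note: there are 2 ways to solve this: apply for a free SSL certificate from WoSign or Tencent, or modify the local configuration file.
Solving the HTTPS problem
Install nginx and set up https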
[root@linux-node1 ~]# yum install nginx -y
[root@linux-node1 ~]# vim /etc/nginx/nginx.conf
…
include /etc/nginx/conf.d/*.conf;
…
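Because the include directory is already specified in the configuration file, only files placed under /etc/nginx/conf.d/ (matching *.conf) are picked up.
The configuration is as follows: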
[root@linux-node1 conf.d]# cat docker.conf
upstream docker-registry {
server 127.0.0.1:5000;
}
server {
listen 443;
server_name registry.abcdocker.com;
ssl on;
ssl_certificate /etc/ssl/nginx.crt;
ssl_certificate_key /etc/ssl/nginx.key;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
client_max_body_size 0;
chunked_transfer_encoding on;
location / {
auth_basic "Docker";
auth_basic_user_file /etc/nginx/conf.d/docker-registry.htpasswd;
proxy_pass http://docker-registry;
}
location /_ping {
auth_basic off;
proxy_pass http://docker-registry;
}
location /v1/_ping {
auth_basic off;
proxy_pass http://docker-registry;
}
}
[root@linux-node1 conf.d]#
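We need to generate a certificate; you can apply for a free SSL certificate from WoSign or Tencent.
If you have a free WoSign SSL certificate, the following steps are not needed.
We first set up a root key; in production, simply configure the free WoSign SSL certificate.
--------------- This step can be skipped in production --------------------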
[root@linux-node1 ~]# cd /etc/pki/CA/
[root@linux-node1 CA]# touch ./{serial,index.txt}
[root@linux-node1 CA]# echo "00" >serial
[root@linux-node1 CA]# openssl genrsa -out private/cakey.pem 2048
Generating RSA private key, 2048 bit long modulus
.................................+++
............+++
e is 65537 (0x10001)
[root@linux-node1 CA]# openssl req -new -x509 -key private/cakey.pem -days 3650 -out cacert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]: enter CN
State or Province Name (full name) []: enter BeiJing
Locality Name (eg, city) [Default City]:BeiJing
Organization Name (eg, company) [Default Company Ltd]:abcdocker
Organizational Unit Name (eg, section) []:docker
Common Name (eg, your name or your server's hostname) []:registry.abcdocker.com
Email Address []:cyh@abcdocker.com
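The steps above generate a root certificate.
Now we need to generate a certificate for nginx (in production you can use a certificate issued by a provider directly and do not need to generate one).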
[root@linux-node1 CA]# cd /etc/ssl/
[root@linux-node1 ssl]# openssl genrsa -out nginx.key 2048
Generating RSA private key, 2048 bit long modulus
....+++
.........................................+++
e is 65537 (0x10001)
[root@linux-node1 ssl]# openssl req -new -key nginx.key -out nginx.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:BeiJing
Locality Name (eg, city) [Default City]:BeiJing
Organization Name (eg, company) [Default Company Ltd]:abcdocker
Organizational Unit Name (eg, section) []:docker
Common Name (eg, your name or your server's hostname) []:registry.abcdocker.com
Email Address []:cyh@abcdocker.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
# Just press Enter for the last 2 prompts
Sign the certificate
[root@linux-node1 ssl]# openssl ca -in nginx.csr -days 365 -out nginx.crt
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 0 (0x0)
Validity
Not Before: Oct 24 14:04:16 2016 GMT
Not After : Oct 24 14:04:16 2017 GMT
Subject:
countryName = CN
stateOrProvinceName = BeiJing
organizationName = abcdocker
organizationalUnitName = docker
commonName = registry.abcdocker.com
emailAddress = cyh@abcdocker.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
29:04:19:D9:1A:C1:8C:1C:11:38:FF:75:85:1F:B2:BD:E1:1C:79:5C
X509v3 Authority Key Identifier:
keyid:70:D7:95:49:C3:40:05:43:43:D4:07:AE:4D:AB:F2:D6:40:28:63:8D
Certificate is to be certified until Oct 24 14:04:16 2017 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n] y
CERTIFICATION CANCELED
Because we are using a self-signed certificate, we have to make the system trust it.
[root@linux-node1 ~]# cat /etc/pki/CA/cacert.pem >> /etc/pki/tls/certs/ca-bundle.crt
We create an account and password used for authentication.
[root@linux-node1 ~]# htpasswd -c /etc/nginx/conf.d/docker-registry.htpasswd abcdocker
New password:
Re-type new password:
Adding password for user abcdocker
# This path must match the path in the nginx configuration file
[root@linux-node1 ~]# systemctl start nginx
Check whether port 443 is listening
[root@linux-node1 ~]# netstat -lntup
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN 19995/mysqld
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 14408/nginx: master
tcp 0 0 0.0.0.0:4369 0.0.0.0:* LISTEN 21574/epmd
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1094/sshd
tcp 0 0 0.0.0.0:15672 0.0.0.0:* LISTEN 21557/beam
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 1372/master
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 14408/nginx: master
tcp 0 0 0.0.0.0:25672 0.0.0.0:* LISTEN 21557/beam
tcp6 0 0 :::80 :::* LISTEN 14408/nginx: master
tcp6 0 0 :::81 :::* LISTEN 119979/docker-proxy
tcp6 0 0 :::4369 :::* LISTEN 21574/epmd
tcp6 0 0 :::82 :::* LISTEN 122045/docker-proxy
tcp6 0 0 :::22 :::* LISTEN 1094/sshd
tcp6 0 0 ::1:25 :::* LISTEN 1372/master
tcp6 0 0 :::8282 :::* LISTEN 7571/docker-proxy
tcp6 0 0 :::5000 :::* LISTEN 12308/docker-proxy
tcp6 0 0 :::5672 :::* LISTEN 21557/beam
udp 0 0 0.0.0.0:123 0.0.0.0:* 19389/chronyd
udp 0 0 127.0.0.1:323 0.0.0.0:* 19389/chronyd
udp6 0 0 ::1:323 :::* 19389/chronyd
We also need a name binding, so we set up hosts resolution.
[root@linux-node1 ~]# cat /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.56.11 linux-node1.abcdocker.com registry.abcdocker.com
192.168.56.12 linux-node2.abcdocker.com
Modify the configuration file
[root@linux-node1 ~]# vim /etc/sysconfig/docker
# Modify these options if you want to change the way the docker daemon runs
OPTIONS='--selinux-enabled --insecure-registry 192.168.56.11:5000'
Test
[root@linux-node1 ~]# docker push 192.168.56.11:5000/abcdocker/abcnginx:latest
The push refers to a repository [192.168.56.11:5000/abcdocker/abcnginx]
f69e85c4fed0: Pushed
0aeb287b1ba9: Pushed
latest: digest: sha256:516a0527d14f5f657a984c19c3e1a4cc90fff99cf065d5b1e56740fe5d8f0796 size: 719
Summary: once nginx SSL is set up, docker basically needs only three steps
1. Modify the /etc/sysconfig/docker configuration file and set the domain name
2. Build the image
[root@linux-node1 ~]# docker tag abcdocker/abcdocker:v1 192.168.56.11:5000/abcdocker/abc:latest
3. Upload it to the registry
[root@linux-node1 ~]# docker push 192.168.56.11:5000/abcdocker/abc:latest
Note: if a domain name is used, the IP address here is the address of the domain name
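The end state on this page leaves the registry container published on every interface (`-p 5000:5000`, shown as `:::5000` in the netstat output) and the daemon pushing to `192.168.56.11:5000` through `--insecure-registry`, so those pushes do not pass through the nginx TLS and basic-auth front end. The following added example (not part of the original article) is a small audit script that flags both conditions; the function names are hypothetical and the sample inputs are constructed from the output shown above.

```shell
#!/bin/sh
# Added example (not from the original article): audit the registry host.
# Function names are hypothetical; sample inputs are constructed from the
# netstat output and the /etc/sysconfig/docker line shown on this page.

# Read `netstat -lntup` output on stdin; print TCP listeners on port $1 that
# are bound to something other than loopback, i.e. reachable from other hosts.
exposed_listeners() {
    awk -v port="$1" '
        $1 ~ /^tcp/ && $6 == "LISTEN" {
            n = split($4, part, ":")
            if (part[n] != port) next
            host = substr($4, 1, length($4) - length(port) - 1)
            if (host == "127.0.0.1" || host == "::1") next
            print $4, $7
        }'
}

# Read a docker sysconfig file on stdin; print every registry the daemon may
# contact without verified TLS (--insecure-registry HOST or =HOST).
insecure_registries() {
    grep -v '^[[:space:]]*#' |
        tr -s "'\"= " '\n\n\n\n' |
        awk 'prev == "--insecure-registry" { print } { prev = $0 }'
}

NETSTAT_SAMPLE='tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 14408/nginx: master
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 1372/master
tcp6 0 0 :::5000 :::* LISTEN 12308/docker-proxy'

SYSCONFIG_SAMPLE="# Modify these options if you want to change the way the docker daemon runs
OPTIONS='--selinux-enabled --insecure-registry 192.168.56.11:5000'"

# Returns 0 only when neither condition is present.
audit() {
    exposed=$(printf '%s\n' "$NETSTAT_SAMPLE" | exposed_listeners 5000)
    plain=$(printf '%s\n' "$SYSCONFIG_SAMPLE" | insecure_registries)
    [ -n "$exposed" ] && echo "registry port bypasses nginx: $exposed"
    [ -n "$plain" ] && echo "daemon skips TLS verification for: $plain"
    [ -z "$exposed" ] && [ -z "$plain" ]
}

audit || echo "result: registry is reachable outside the TLS/basic-auth proxy"
```

On a live host, feed the functions the real `netstat -lntup` output and `/etc/sysconfig/docker` instead of the samples; publishing the container with `-p 127.0.0.1:5000:5000` and pushing to the nginx server name clears both findings.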
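Connecting
First we modify the configuration file: because the registry is not served over https, the docker configuration file has to be changed in the same way as on the server.
Set up hosts resolution
Then we just use docker pull.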
[root@linux-node2 ~]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
[root@linux-node2 ~]# docker pull 192.168.56.11:5000/abcdocker/abc:latest
Trying to pull repository 192.168.56.11:5000/abcdocker/abc ...
latest: Pulling from 192.168.56.11:5000/abcdocker/abc
8d30e94188e7: Pull complete
9cc6fcb823f4: Pull complete
Digest: sha256:516a0527d14f5f657a984c19c3e1a4cc90fff99cf065d5b1e56740fe5d8f0796
Status: Downloaded newer image for 192.168.56.11:5000/abcdocker/abc:latest
Check that the image exists
[root@linux-node2 ~]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
192.168.56.11:5000/abcdocker/abc latest d1da04e088af 44 minutes ago 386.5 MB
Create a container
[root@linux-node2 ~]# docker run -d -it --name nginx1 -d -p 81:80 192.168.56.11:5000/abcdocker/abc
5086eafe42a7c82c8c1b2adaeaa223766348c7ec349c407d57868add9cd7a77e
[root@linux-node2 ~]# sh docker.sh nginx1
[root@5086eafe42a7 /]# ls
anaconda-post.log bin dev etc home lib lib64 lost+found media mnt opt proc root run sbin srv sys tmp usr var
Exercise: following the method above, build an nginx image, upload it to the docker registry, and run a container that starts the nginx service
[root@linux-node2 ~]# docker run -d --name nginx -p 192.168.56.12:87:80 192.168.56.11:5000/abc
477a9eda45b0262d2c914539698efc0eedc580d123fd25188c9c1f3205bfd445
[root@linux-node2 ~]# netstat -lntup
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1094/sshd
tcp 0 0 192.168.56.12:87 0.0.0.0:* LISTEN 25508/docker-proxy
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 1373/master
tcp6 0 0 :::22 :::* LISTEN 1094/sshd
tcp6 0 0 ::1:25 :::* LISTEN 1373/master
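What a Docker registry is for
After we build an image it is stored locally by default and can only be used on this machine; other servers cannot use it. This is when we need a docker registry, so that other servers only have to pull the image.
Docker provides a registry by default, called docker registry
Docker registry requires https for verification
Official manual: https://docs.docker.com/registry/
Basic steps for setting up a private Docker registry (nginx plus authentication)
1. Apply for a free SSL certificate https://buy.wosiqn.com/free
2. Configure the SSL certificate in nginx
3. Set up authentication
4. proxy_pass to port 5000
5. docker run -d -p 5000:5000 --name registry registry:2
docker registry may be rather basic; we can also use harbor, an enterprise-oriented open source software written by VMware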
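Download link: https://github.com/vmware/harbor
Chinese documentation: http://vmware.github.io/harbor/index_cn.html
Introduction to Harbor
Harbor is an enterprise-class Registry server for storing and distributing Docker images. It extends the open source Docker Distribution by adding features that enterprises need, such as security, identity and management. As an enterprise private Registry server, Harbor provides better performance and security, and improves the efficiency of transferring images between the build and run environments that use the Registry. Harbor supports replicating image resources across multiple Registry nodes; all images are kept in the private Registry, which ensures that data and intellectual property stay under control inside the company network. In addition, Harbor provides advanced security features such as user management, access control and activity auditing.
Role-based access control - Users and Docker image repositories are organized through "projects"; a user can have different permissions on multiple image repositories within the same namespace (project).
Image replication - Images can be replicated (synchronized) between multiple Registry instances. This is especially suitable for load balancing, high availability, hybrid cloud and multi-cloud scenarios.
Graphical user interface - Users can browse and search the current Docker image repositories through a browser, and manage projects and namespaces.
AD/LDAP support - Harbor can integrate with an enterprise's existing AD/LDAP for authentication and authorization management.
Audit management - All operations on the image repositories can be recorded and traced for auditing.
Internationalization - Localized versions already exist in English, Chinese, German, Japanese and Russian. More languages will be added.
RESTful API - The RESTful API gives administrators more control over Harbor and makes integration with other management software easier.
Simple deployment - docker-compose and offline installation.
VMware has 3 open source projects in total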
https://github.com/vmware/vic-product
admiral: a web management UI for Docker
https://github.com/vmware/admiral
Although admiral and harbor are both VMware open source software, admiral is not as easy to use as harbor
The end!