Docker 镜像及Docker仓库配置 [四]
Docker 镜像及Docker仓库配置 [四]
Docker 时间:2016年11月8日15:45:20
一、Docker 镜像介绍
Docker镜像构建分为两种,一种是手动构建,另一种是Dockerfile(自动构建)
Docker镜像手动构建案例:
我们基于centos镜像进行构建,制作nginx镜像
[root@linux-node1 ~]# docker run --name abcdocker -it centos[root@026ae321431d /]# yum install wget -y[root@026ae321431d /]# wget -O /etc/yum.repos.d/epel.repo http://mirrors.aliyun.com/repo/epel-7.repo[root@026ae321431d /]# yum install nginx -y
我们需要修改nginx配置文件,让他运行在前台
[root@026ae321431d /]# vi /etc/nginx/nginx.conf...daemon off;...
修改完之后我们退出
[root@linux-node1 ~]# docker ps -aCONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES026ae321431d centos "/bin/bash" 8 minutes ago Exited (0) 4 seconds ago abcdocker
我们修改完之后需要commit
[root@linux-node1 ~]# docker commit -m "My Nginx" 026ae321431d abcdocker/abcdocker:v1sha256:d1da04e088afa5bc005fbef9c75c6c4d4432df2f8fdda2ca16543638ec3682f4[root@linux-node1 ~]# docker p_w_picpathsREPOSITORY TAG IMAGE ID CREATED SIZEabcdocker/abcdocker v1 d1da04e088af 4 minutes ago 386.5 MBdocker.io/nginx latest e43d811ce2f4 34 hours ago 181.4 MBdocker.io/centos latest 980e0e4c79ec 6 weeks ago 196.7 MB#注释-m 描述容器ID第一个abcdocker是仓库的名称第二个abcdocker是镜像的名称v1 标签,如果是最后一个版本我们可以打latest
我们现在启动制作好的nginx镜像
[root@linux-node1 ~]# docker run --name nginxv1 -d -p 81:80 abcdocker/abcdocker:v1 nginx 2827b5ff95363d4597928a1e094b4c267178350a6c23a075bda90fabff1c671e我们要写镜像全称,带上标签
提示:后面的nginx不是镜像的nginx,而是服务的名称
我们可以查看访问日志
[root@linux-node1 ~]# ./docker_in.sh nginxv1[root@2827b5ff9536 /]# tail -f /var/log/nginx/access.log 192.168.56.1 - - [23/Oct/2016:09:09:49 +0000] "GET / HTTP/1.1" 200 3700 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:49.0) Gecko/20100101 Firefox/49.0" "-"192.168.56.1 - - [23/Oct/2016:09:09:49 +0000] "GET /nginx-logo.png HTTP/1.1" 200 368 "http://192.168.56.11:81/" "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:49.0) Gecko/20100101 Firefox/49.0" "-"192.168.56.1 - - [23/Oct/2016:09:09:49 +0000] "GET /poweredby.png HTTP/1.1" 200 2811 "http://192.168.56.11:81/" "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:49.0) Gecko/20100101 Firefox/49.0" "-"192.168.56.1 - - [23/Oct/2016:09:09:49 +0000] "GET /favicon.ico HTTP/1.1" 404 3650 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:49.0) Gecko/20100101 Firefox/49.0" "-"192.168.56.1 - - [23/Oct/2016:09:09:49 +0000] "GET /favicon.ico HTTP/1.1" 404 3650 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:49.0) Gecko/20100101 Firefox/49.0" "-"
以上就是手动构建nginx镜像
Dockerfile是由一行命令和语句组成的
Dockerfile构建步骤:
[root@linux-node1 ~]# mkdir /dockerfile[root@linux-node1 ~]# cd /dockerfile[root@linux-node1 dockerfile]#[root@linux-node1 dockerfile]# mkdir nginx[root@linux-node1 dockerfile]# cd nginx/[root@linux-node1 nginx]#我们要在nginx目录上自动化创建一个nginx镜像
注意:D需要大写,当我们构建dockerfile的时候,docker默认会在我们当前目录读取一个名为Dockerfile的文件。这时候的D必须大写
[root@linux-node1 nginx]# cat Dockerfile# This Dockerfile# My Name is YuHongCong# Base p_w_picpathFROM centos# MaintainerMAINTAINER abcdocker xxx@gmail.com#CommandsRUN rpm -ivh http://mirrors.aliyun.com/epel/epel-release-latest-7.noarch.rpmRUN yum install -y nginx && yum clean allRUN echo "daemon off;" >>/etc/nginx/nginx.confADD index.html /usr/share/nginx/html/index.htmlEXPOSE 80CMD ["nginx"]
#井号代表注释 #Base p_w_picpath 除了注释的第一行,必须是FROM,意思就是我们需要告诉dockerfile基础镜像是什么 #Maintainer 维护信息 #Commands 命令 #ADD index.html 这个文件需要我们在当前目录下有才可以,我们配置我们可以准备好,然后使用ADD命令进行添加或修改 EXPOSE 对外端口号 CMD [“nginx”] 它要启动的命令是nginx (就算是nginx服务)
关于Dokcerfile文章:http://www.abcdocker.com/abcdocker/1724
我们写好dockerfile还需要一个index.html
[root@linux-node1 nginx]# echo www.abcdocker.com >index.html[root@linux-node1 nginx]# lltotal 8-rw-r--r-- 1 root root 368 Oct 23 18:04 Dockerfile-rw-r--r-- 1 root root 18 Oct 23 18:06 index.html
提示:.代表构建的位置,我们是当前目录,我们使用docker build进行构建
[root@linux-node1 nginx]# docker build -t mynginx:v2 .
构建完成后我们就知道我们配置的都是那些
[root@linux-node1 nginx]# docker p_w_picpaths REPOSITORY TAG IMAGE ID CREATED SIZEmynginx v2 0d327c3d5058 8 minutes ago 281.6 MBabcdocker/abcdocker v1 d1da04e088af About an hour ago 386.5 MBdocker.io/nginx latest e43d811ce2f4 35 hours ago 181.4 MBdocker.io/centos latest 980e0e4c79ec 6 weeks ago 196.7 MB
启动镜像
[root@linux-node1 nginx]# docker run --name mynginxtest -d -p 82:80 mynginx:v271ca33f5032c57342eff85f948c0273f0818218c5e3ccf6c7368d5e5da123520#mynginx:v2是docker p_w_picpaths查看到的镜像名称
Dockerfile参数解释
FROM 指定基础镜像MAINTAINER 指定维护者信息RUN 在命令前面加上RUNADD COPY文件,会自动解压WORKDIR 设置当前工作目录,类似于cdVOLUME 设置卷,挂载主机目录EXPOSE 指定对外的端口CMD 指定容器启动后要干的事情
Dockerfile文章:http://www.abcdocker.com/abcdocker/1724
二、Docker仓库
Docker的仓库是DockerHub,类似于github,github有一个开源的软件叫gitlab。Docker也有一个开源软件docker registry
我们先查看镜像,找到registry
[root@linux-node1 ~]# docker search dockerINDEX NAME DESCRIPTION STARS OFFICIAL AUTOMATEDdocker.io docker.io/jenkins Official Jenkins Docker p_w_picpath 2146 [OK] docker.io docker.io/alpine A minimal Docker p_w_picpath based on Alpine Lin... 1556 [OK] docker.io docker.io/registry Containerized docker registry 1161 [OK] docker.io docker.io/swarm Swarm: a Docker-native clustering system. 529 [OK] docker.io docker.io/fedora Official Docker builds of Fedora 446 [OK] docker.io docker.io/docker Docker in Docker! 311 [OK] docker.io docker.io/konradkleine/docker-registry-frontend Browse and modify your Docker registry in ... 121 [OK]docker.io docker.io/oddrationale/docker-shadowsocks shadowsocks Docker p_w_picpath 121 [OK]docker.io docker.io/docker-dev Docker is an open source project to pack, ... 58 [OK] docker.io docker.io/hyper/docker-registry-web Web UI, authentication service and event r... 55 [OK]docker.io docker.io/datadog/docker-dd-agent Docker container for the Datadog Agent. 42 [OK]docker.io docker.io/francescou/docker-compose-ui web interface for Docker Compose 32 [OK]docker.io docker.io/nodered/node-red-docker Node-RED Docker p_w_picpaths. 32 [OK]docker.io docker.io/spotify/docker-gc Garbage collection of Docker containers an... 26 [OK]docker.io docker.io/devalx/docker-teamspeak3 Docker Container with Teamspeak 3. Contain... 19 [OK]docker.io docker.io/grahamdumpleton/mod-wsgi-docker Docker p_w_picpaths for Apache/mod_wsgi. 19 [OK]docker.io docker.io/dockercore/docker 15 [OK]docker.io docker.io/docker/docker-bench-security Docker Bench checks for dozens of common b... 12 [OK]docker.io docker.io/laurentmalvert/docker-boinc A dockerized BOINC client 7 [OK]docker.io docker.io/rubinius/docker Docker p_w_picpaths for Rubinius and other parts... 4 [OK]docker.io docker.io/docker/migrator Tool to migrate Docker p_w_picpaths from a v1 re... 3 [OK]docker.io docker.io/fabric8/jenkins-docker Fabric8 Jenkins Docker Image 3 [OK]docker.io docker.io/jakubsacha/symfony-docker Docker p_w_picpath tailed to run symfony applica... 2 [OK]docker.io docker.io/cgal/testsuite-docker Docker p_w_picpaths for the CGAL testsuite 1 [OK]docker.io docker.io/jfisbein/docker-p_w_picpaths Various Docker build files for creating Do... 1 [OK]
我们可以通过docker pull 来下载一个
[root@linux-node1 ~]# docker pull registry
查看镜像
[root@linux-node1 ~]# docker p_w_picpaths REPOSITORY TAG IMAGE ID CREATED SIZEmynginx v2 0d327c3d5058 26 hours ago 281.6 MBabcdocker/abcdocker v1 d1da04e088af 27 hours ago 386.5 MBdocker.io/nginx latest e43d811ce2f4 2 days ago 181.4 MBdocker.io/registry latest c9bd19d022f6 5 days ago 33.27 MBdocker.io/centos latest 980e0e4c79ec 6 weeks ago 196.7 MBdocker.io/vmware/admiral latest 4e798983bb2a 6 weeks ago 506.4 MB
默认占用5000端口,我们查看是否存在5000端口
[root@linux-node1 ~]# netstat -lntupActive Internet connections (only servers)Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN 19995/mysqld tcp 0 0 0.0.0.0:4369 0.0.0.0:* LISTEN 21574/epmd tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1094/sshd tcp 0 0 0.0.0.0:15672 0.0.0.0:* LISTEN 21557/beam tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 1372/master tcp 0 0 0.0.0.0:25672 0.0.0.0:* LISTEN 21557/beam tcp6 0 0 :::81 :::* LISTEN 119979/docker-proxy tcp6 0 0 :::4369 :::* LISTEN 21574/epmd tcp6 0 0 :::82 :::* LISTEN 122045/docker-proxy tcp6 0 0 :::22 :::* LISTEN 1094/sshd tcp6 0 0 ::1:25 :::* LISTEN 1372/master tcp6 0 0 :::8282 :::* LISTEN 7571/docker-proxy tcp6 0 0 :::5672 :::* LISTEN 21557/beam udp 0 0 0.0.0.0:123 0.0.0.0:* 19389/chronyd udp 0 0 127.0.0.1:323 0.0.0.0:* 19389/chronyd udp6 0 0 ::1:323 :::* 19389/chronyd
我们开始运行容器
[root@linux-node1 ~]# docker run -d -p 5000:5000 registryaa6b8ce82d5ab3539e7c6aa8bca23215f18f1215ccb8ca48100e525ba769d964
提示:docker比较老的版本运行起来就可以运行,1.7之后都不可以
我们新打一个标签
[root@linux-node1 ~]# docker tag abcdocker/abcdocker:v1 192.168.56.11:5000/abc/mynginx:latest#我们将以前的abcdocker打一个标签到5000端口
因为Docker从1.3.X之后默认docker registry使用的是https,所以当用docker pull命令下载远程镜像时,如果远程docker registry是非https的时候就会报上面的错误。
[root@linux-node1 ~]# docker tag abcdocker/abcdocker:v1 192.168.56.11:5000/abc/mynginx:latest[root@linux-node1 ~]# docker push 192.168.56.11:5000/abc/mynginx:latestThe push refers to a repository [192.168.56.11:5000/abc/mynginx]unable to ping registry endpoint https://192.168.56.11:5000/v0/v2 ping attempt failed with error: Get https://192.168.56.11:5000/v2/: http: server gave HTTP response to HTTPS client v1 ping attempt failed with error: Get https://192.168.56.11:5000/v1/_ping: http: server gave HTTP response to HTTPS client
提示:解决方法有2种,一种是去沃通或腾讯申请免费ssl,或者我们本地修改配置文件
解决Https问题
安装nginx,制作https
[root@linux-node1 ~]# yum install nginx -y[root@linux-node1 ~]# vim /etc/nginx/nginx.conf… include /etc/nginx/conf.d/*.conf;…
因为在配置文件中已经指定了目录,只有放在/etc/nginx/conf.d/*下面才会识别到
配置如下:
[root@linux-node1 conf.d]# cat docker.confupstream docker-registry { server 127.0.0.1:5000;}server {listen 443;server_name registry.abcdocker.comssl on;ssl_certificate /etc/ssl/nginx.crt;ssl_certificate_key /etc/ssl/nginx.key;proxy_set_header Host $http_host;proxy_set_header X-Real-IP $remote_addr;client_max_body_size 0;chunked_transfer_encoding on;location / { auth_basic "Docker"; auth_basic_user_file /etc/nginx/conf.d/docker-registry.htpasswd; proxy_pass http://docker-registry;}location /_ping { auth_basic off; proxy_pass http://docker-registry;}location /v1/_ping { auth_basic off; proxy_pass http://docker-registry;}}[root@linux-node1 conf.d]#
我们需要生成一个证书,大家可以申请一个沃通或者腾讯的免费ssl
以下如果有沃通的免费ssl就不需要设置
我们先设置一个根密钥,生产上直接使用沃通的免费ssl配置就可以了
---------------此步在生产可以不使用--------------------[root@linux-node1 ~]# cd /etc/pki/CA/[root@linux-node1 CA]# touch ./{serial,index.txt}[root@linux-node1 CA]# echo "00" >serial [root@linux-node1 CA]# openssl genrsa -out private/cakey.pem 2048Generating RSA private key, 2048 bit long modulus.................................+++............+++e is 65537 (0x10001)[root@linux-node1 CA]# openssl req -new -x509 -key private/cakey.pem -days 3650 -out cacert.pemYou are about to be asked to enter information that will be incorporatedinto your certificate request.What you are about to enter is what is called a Distinguished Name or a DN.There are quite a few fields but you can leave some blankFor some fields there will be a default value,If you enter '.', the field will be left blank.-----Country Name (2 letter code) [XX]:输入CNState or Province Name (full name) []: 输入BeiJingLocality Name (eg, city) [Default City]:BeiJingOrganization Name (eg, company) [Default Company Ltd]:abcdockerOrganizational Unit Name (eg, section) []:dockerCommon Name (eg, your name or your server's hostname) []:registry.abcdocker.comEmail Address []:cyh@abcdocker.com 以上步骤是生成一个根证书我们现在需要生产一个nginx的证书(生产可以直接使用运营商颁发的证书,不需要生成)[root@linux-node1 CA]# cd /etc/ssl/[root@linux-node1 ssl]# openssl genrsa -out nginx.key 2048Generating RSA private key, 2048 bit long modulus....+++.........................................+++e is 65537 (0x10001)[root@linux-node1 ssl]# openssl req -new -key nginx.key -out nginx.csrYou are about to be asked to enter information that will be incorporatedinto your certificate request.What you are about to enter is what is called a Distinguished Name or a DN.There are quite a few fields but you can leave some blankFor some fields there will be a default value,If you enter '.', the field will be left blank.-----Country Name (2 letter code) [XX]:CNState or Province Name (full name) []:BeiJingLocality Name (eg, city) [Default City]:BeiJingOrganization Name (eg, company) [Default Company Ltd]:abcdockerOrganizational Unit Name (eg, section) []:dockerCommon Name (eg, your name or your server's hostname) []:registry.abcdocker.comEmail Address []:cyh@abcdocker.comPlease enter the following 'extra' attributesto be sent with your certificate requestA challenge password []:An optional company name []:#最后2个直接回车签发证书[root@linux-node1 ssl]# openssl ca -in nginx.csr -days 365 -out nginx.crtUsing configuration from /etc/pki/tls/openssl.cnfCheck that the request matches the signatureSignature okCertificate Details: Serial Number: 0 (0x0) Validity Not Before: Oct 24 14:04:16 2016 GMT Not After : Oct 24 14:04:16 2017 GMT Subject: countryName = CN stateOrProvinceName = BeiJing organizationName = abcdocker organizationalUnitName = docker commonName = registry.abcdocker.com emailAddress = cyh@abcdocker.com X509v3 extensions: X509v3 Basic Constraints: CA:FALSE Netscape Comment: OpenSSL Generated Certificate X509v3 Subject Key Identifier: 29:04:19:D9:1A:C1:8C:1C:11:38:FF:75:85:1F:B2:BD:E1:1C:79:5C X509v3 Authority Key Identifier: keyid:70:D7:95:49:C3:40:05:43:43:D4:07:AE:4D:AB:F2:D6:40:28:63:8DCertificate is to be certified until Oct 24 14:04:16 2017 GMT (365 days)Sign the certificate? [y/n]:y1 out of 1 certificate requests certified, commit? [y/n] yCERTIFICATION CANCELED因为我们设置的是自签证书,要让系统允许[root@linux-node1 ~]# cat /etc/pki/CA/cacert.pem >> /etc/pki/tls/certs/ca-bundle.crt
我们创建一个用来验证的账号密码
[root@linux-node1 ~]# htpasswd -c /etc/nginx/conf.d/docker-registry.htpasswd abcdockerNew password: Re-type new password: Adding password for user abcdocker#这个路径要跟nginx配置文件中的路径对应上[root@linux-node1 ~]# systemctl start nginx
查看是否有443端口
[root@linux-node1 ~]# netstat -lntupActive Internet connections (only servers)Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN 19995/mysqld tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 14408/nginx: master tcp 0 0 0.0.0.0:4369 0.0.0.0:* LISTEN 21574/epmd tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1094/sshd tcp 0 0 0.0.0.0:15672 0.0.0.0:* LISTEN 21557/beam tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 1372/master tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 14408/nginx: master tcp 0 0 0.0.0.0:25672 0.0.0.0:* LISTEN 21557/beam tcp6 0 0 :::80 :::* LISTEN 14408/nginx: master tcp6 0 0 :::81 :::* LISTEN 119979/docker-proxy tcp6 0 0 :::4369 :::* LISTEN 21574/epmd tcp6 0 0 :::82 :::* LISTEN 122045/docker-proxy tcp6 0 0 :::22 :::* LISTEN 1094/sshd tcp6 0 0 ::1:25 :::* LISTEN 1372/master tcp6 0 0 :::8282 :::* LISTEN 7571/docker-proxy tcp6 0 0 :::5000 :::* LISTEN 12308/docker-proxy tcp6 0 0 :::5672 :::* LISTEN 21557/beam udp 0 0 0.0.0.0:123 0.0.0.0:* 19389/chronyd udp 0 0 127.0.0.1:323 0.0.0.0:* 19389/chronyd udp6 0 0 ::1:323 :::* 19389/chronyd
我们还需要做一个绑定,设置host解析
[root@linux-node1 ~]# cat /etc/hosts127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4::1 localhost localhost.localdomain localhost6 localhost6.localdomain6192.168.56.11 linux-node1.abcdocker.com registry.abcdocker.com192.168.56.12 linux-node2.abcdocker.com
修改配置文件
[root@linux-node1 ~]# vim /etc/sysconfig/docker# Modify these options if you want to change the way the docker daemon runs OPTIONS='--selinux-enabled --insecure-registry 192.168.56.11:5000'
测试
[root@linux-node1 ~]# docker push 192.168.56.11:5000/abcdocker/abcnginx:latestThe push refers to a repository [192.168.56.11:5000/abcdocker/abcnginx]f69e85c4fed0: Pushed 0aeb287b1ba9: Pushed latest: digest: sha256:516a0527d14f5f657a984c19c3e1a4cc90fff99cf065d5b1e56740fe5d8f0796 size: 719
小结:制作好nginx—ssl 后,docker基本上只需要三步
1、修改/etc/sysconfig/docker 配置文件,设置域名2、构建镜像[root@linux-node1 ~]# docker tag abcdocker/abcdocker:v1 192.168.56.11:5000/abcdocker/abc:latest3、上传到仓库中[root@linux-node1 ~]# docker push 192.168.56.11:5000/abcdocker/abc:latest
提示:如果使用的是域名此处的IP地址就是域名的地址
连接
首先我们修改配置文件,因为不是https,所以要修改配置文件,跟服务端修改的一样
设置hosts解析
然后我们使用docker pull即可
[root@linux-node2 ~]# docker p_w_picpaths REPOSITORY TAG IMAGE ID CREATED SIZE[root@linux-node2 ~]# docker pull 192.168.56.11:5000/abcdocker/abc:latestTrying to pull repository 192.168.56.11:5000/abcdocker/abc ... latest: Pulling from 192.168.56.11:5000/abcdocker/abc8d30e94188e7: Pull complete 9cc6fcb823f4: Pull complete Digest: sha256:516a0527d14f5f657a984c19c3e1a4cc90fff99cf065d5b1e56740fe5d8f0796Status: Downloaded newer p_w_picpath for 192.168.56.11:5000/abcdocker/abc:latest
查看是否存在
[root@linux-node2 ~]# docker p_w_picpaths REPOSITORY TAG IMAGE ID CREATED SIZE192.168.56.11:5000/abcdocker/abc latest d1da04e088af 44 minutes ago 386.5 MB
创建容器
[root@linux-node2 ~]# docker run -d -it --name nginx1 -d -p 81:80 192.168.56.11:5000/abcdocker/abc5086eafe42a7c82c8c1b2adaeaa223766348c7ec349c407d57868add9cd7a77e[root@linux-node2 ~]# sh docker.sh nginx1[root@5086eafe42a7 /]# lsanaconda-post.log bin dev etc home lib lib64 lost+found media mnt opt proc root run sbin srv sys tmp usr var
案例:按照我们上面的方法,制作一个nginx镜像并上传到docker仓库中,并运行容器启动nginx服务
[root@linux-node2 ~]# docker run -d --name nginx -p 192.168.56.12:87:80 192.168.56.11:5000/abc 477a9eda45b0262d2c914539698efc0eedc580d123fd25188c9c1f3205bfd445[root@linux-node2 ~]# netstat -lntupActive Internet connections (only servers)Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1094/sshd tcp 0 0 192.168.56.12:87 0.0.0.0:* LISTEN 25508/docker-proxy tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 1373/master tcp6 0 0 :::22 :::* LISTEN 1094/sshd tcp6 0 0 ::1:25 :::* LISTEN 1373/master
Docker仓库含义
我们制作好镜像后,默认存放在本地,只可以我们本机使用,其他服务器无法使用,这时候就需要我们一个docker仓库,其他服务器使用的时候只需要进行pull下来即可
Docker默认提供了一个仓库叫docker registry
Docker registry需要使用https进行验证
官方手册 https://docs.docker.com/registry/
Docker registry私有仓库搭建基本几步流程(采用nginx+认证的方式)
1. 申请免费的ssl证书 https://buy.wosiqn.com/free 2. 设置nginx ssl证书 3. 设置验证 4. proxy_pass 5000 5. docker run -d -p 5000:5000 –name registry registry:2
docker registry可能比较low,我们还可以使用harbor是由VMware写的一款针对企业级的开源软件
下载链接:https://github.com/vmware/harbor
中文文档:http://vmware.github.io/harbor/index_cn.html
Harbor简介
Harbor是一个用于存储和分发Docker镜像的企业级Registry服务器,通过添加一些企业必需的功能特性,例如安全、标识和管理等,扩展了开源Docker Distribution。作为一个企业级私有Registry服务器,Harbor提供了更好的性能和安全。提升用户使用Registry构建和运行环境传输镜像的效率。Harbor支持安装在多个Registry节点的镜像资源复制,镜像全部保存在私有Registry中, 确保数据和知识产权在公司内部网络中管控。另外,Harbor也提供了高级的安全特性,诸如用户管理,访问控制和活动审计等。
基于角色的访问控制 - 用户与Docker镜像仓库通过“项目”进行组织管理,一个用户可以对多个镜像仓库在同一命名空间(project)里有不同的权限。 镜像复制 - 镜像可以在多个Registry实例中复制(同步)。尤其适合于负载均衡,高可用,混合云和多云的场景。 图形化用户界面 - 用户可以通过浏览器来浏览,检索当前Docker镜像仓库,管理项目和命名空间。 AD/LDAP 支持 - Harbor可以集成企业内部已有的AD/LDAP,用于鉴权认证管理。 审计管理 - 所有针对镜像仓库的操作都可以被记录追溯,用于审计管理。 国际化 - 已拥有英文、中文、德文、日文和俄文的本地化版本。更多的语言会添加进来。 RESTful API - RESTful API 提供给管理员对于Harbor更多的操控, 使得与其它管理软件集成变得更容易。 部署简单 - docker-compose和离线安装。
VMware 一共有3个开源项目
https://github.com/vmware/vic-product
admiral Docker web管理界面
https://github.com/vmware/admiral
但是adminiral和harbor虽然都是VMware的开源软件,但是admiral没有harbor好用
完!
更多精彩请继续关注我
转载于:https://blog.51cto.com/abcdocker/1872507
563
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
