1.什么是Docker 仓库?
仓库是集中存放镜像文件的场所。有时候会把仓库和仓库注册服务器(Registry)混为一谈,并不严格区分。
实际上,仓库注册服务器上往往存放着多个仓库,每个仓库中又包含了多个镜像,每个镜像有不同的标签(tag)。
仓库分为公开仓库(Public)和私有仓库(Private)两种形式。最大的公开仓库是 Docker Hub,存放了数量庞大的镜像供用户下载
国内的公开仓库包括 Docker Pool等,可以提供大陆用户更稳定快速的访问
当然,用户也可以在本地网络内创建一个私有仓库
当用户创建了自己的镜像之后就可以使用 push 命令将它上传到公有或者私有仓库
这样下次在另外一台机器上使用这个镜像时候,只需要从仓库上 pull 下来就可以了
2. 私有仓库registry的优势
有时候使用Docker Hub这样的公共仓库可能不方便,这种情况下用户可以使用registry创建一个本地仓库供私人使用
这点跟Maven的管理类似
使用私有仓库有许多优点
1)节省网络带宽,针对于每个镜像不用每个人都去中央仓库上面去下载,只需要从私有仓库中下载即可;
2)提供镜像资源利用,针对于公司内部使用的镜像,推送到本地的私有仓库中,以供公司内部相关人员使用。
目前Docker Registry已经升级到了v2,最新版的Docker已不再支持v1。
Registry v2使用Go语言编写,在性能和安全性上做了很多优化,重新设计了镜像的存储格式。
如果需要安装registry v2,只需下载registry:2.2即可。
Docker官方提供的工具docker-registry可以用于构建私有的镜像仓库。
3.Registry的工作原理
Index服务主要提供镜像索引以及用户认证的功能
当下载一个镜像的时候,首先会去index服务上做认证,然后查找镜像所在的registry的地址并放回给docker客户端
docker客户端再从registry下载镜像,在下载过程中 registry会去index校验客户端token的合法性
不同镜像可以保存在不同的registry服务上,其索引信息都放在index服务上
Docker Registry有三个角色,分别是index、registry和registry client
(1)index
负责并维护有关用户帐户、镜像的校验以及公共命名空间的信息。
Web UI
元数据存储
认证服务
符号化
(2)registry
是镜像和图表的仓库,它不具有本地数据库以及不提供用户认证,通过Index Auth service的Token的方式进行认证。
(3)Registry Client
Docker充当registry客户端来维护推送和拉取,以及客户端的授权
4.创建私有仓库以及上传本地镜像到私有仓库当中
Docker 官方已经把仓库封装为镜像,直接通过启动容器就可以完成部署仓库,导入registry镜像
(1)从真机给server1发送一个私有仓库的镜像
scp registry.tar root@172.25.28.1:/root
(2)导入镜像,并且查看
[root@server1 ~]#cd /opt
[root@server1 opt]#mkdir -r registry/docker
[root@server1 opt]# cd registry/
[root@server1 registry]# ls
docker #创建目录
#导入镜像
[root@server1 registry]# docker load -i registry.tar
[root@server1 registry]# docker images registry (注意标签TAG)
REPOSITORY TAG IMAGE ID CREATED SIZE
registry 2.3.1 83139345d017 3 years ago 166MB
#基于镜像运行容器
[root@server1 images]# docker run -d --name registry -p 5000:5000 -v /opt/registry:/var/lib/registry registry:2.3.1
#重命名并上传本地镜像到仓库
[root@server1 ~]# docker load -i rhel7.tar #先导入本地镜像或者 docker pull rhel7从
docker hub下拉
[root@server1 ~]# docker run -d --name vm1 rhel7:v7 #后台运行vml,修改名字和版本号
这一步,可有可无
[root@server1 ~]# docker tag rhel7:v7 localhost:5000/rhel7:v7 #标记本地镜像,并改名字
[root@server1 ~]# docker push localhost:5000/rhel7:v7 #上传
#拉取镜像
[root@server1 images]# docker pull localhost:5000/rhel7:v7
#再次重命名
[root@server1 images]# docker tag localhost:5000/rhel7:v7 rhel7:v1
#删除原来的
[root@server1 images]# docker rmi localhost:5000/rhel7:v7
[root@server1 images]# docker images rhel7
REPOSITORY TAG IMAGE ID CREATED SIZE
rhel7 v1 85e9ce5e51eb About an hour ago 23.2MB
rhel7 latest 0a3eb3fde7fd 4 years ago 140MB
5、给私有仓库添加证书
(1)我们新加一台主机server2,尝试去访问上面我们建好的私有仓库里面的镜像,看看能否成功
这样的库任何人都可以访问,这样不安全,下来我们要增加库的安全性
(2)创建服务端key以及证书给私有仓库生成证书和key
[root@server1 ~]# mkdir -p certs
生成密钥:
[root@server1 ~]# openssl req -newkey rsa:4096 -nodes -sha256 -keyout certs/westos.org.key -x509 -days 365 -out certs/westos.org.crt
Generating a 4096 bit RSA private key
..................................................................++
...................................................................................................................................++
writing new private key to 'certs/westos.org.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Shaanxi
Locality Name (eg, city) [Default City]:Xi'an
Organization Name (eg, company) [Default Company Ltd]:University
Organizational Unit Name (eg, section) []:linux
Common Name (eg, your name or your server's hostname) []:westos.org
Email Address []:root@westos.org
删除之前创建的私有仓库
[root@server1 ~]# docker ps -a
查看私有仓库
[root@server1 ~]# docker rm -f registry
删掉之前的私有仓库,直到以下那种情况,删干净哦
[root@server1 ~]# docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
添加本地解析,# 因为我们所使用的域名是westos.org 所以主机名要有解析
[root@server1 ~]# vim /etc/hosts
[root@server1 ~]# ping westos.org
PING server1 (172.25.28.1) 56(84) bytes of data.
64 bytes from server1 (172.25.28.1): icmp_seq=1 ttl=64 time=0.032 ms
64 bytes from server1 (172.25.28.1): icmp_seq=2 ttl=64 time=0.037 ms
^C
--- server1 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 999ms
rtt min/avg/max/mdev = 0.032/0.034/0.037/0.006 ms
创建仓库
# 注意此处:REGISTRY_HTTP_TLS_KEY=/certs/westos.org.key -p 443:443 registry 不是:/root/...
root@server1 ~]# docker run -d --restart=always --name registry -v "$(pwd)"/certs:/certs -e REGISTRY_HTTP_ADDR=0.0.0.0:443 -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/westos.org.crt -e REGISTRY_HTTP_TLS_KEY=/certs/westos.org.key -p 443:443 registry
查看端口是否开启(已开启)
[root@server1 ~]# netstat -antlp
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 848/sshd
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 949/master
tcp 0 0 172.25.28.1:22 172.25.28.250:37186 ESTABLISHED 1152/sshd: root@pts
tcp6 0 0 :::22 :::* LISTEN 848/sshd
tcp6 0 0 ::1:25 :::* LISTEN 949/master
tcp6 0 0 :::443 :::* LISTEN 1625/docker-proxy
此时进行本地上传镜像
[root@server1 westos.org]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
busybox latest 020584afccce 9 days ago 1.22MB
registry latest f32a97de94e1 8 months ago 25.8MB
game2048 latest 19299002fdbe 2 years ago 55.5MB
[root@server1 westos.org]# docker tag busybox westos.org/busyox
上传后的名字
[root@server1 westos.org]# docker push westos.org/busyox
The push refers to repository [westos.org/busyox]
1da8e4c8d307: Pushed
latest: digest: sha256:679b1c1058c1f2dc59a3ee70eed986a88811c0205c8ceea57cec5f22d2c3fbb1 size: 527
成功!!!
#添加客户端的push认证
# 在之前的443更改 不用官网的5000
在/目录下创建一个auth目录~~
生成认证信息:
[root@server1 ~]# docker run --entrypoint htpasswd registry -Bbn testuser testpassword > auth/htpasswd
[root@server1 ~]# cd auth/
[root@server1 auth]# ls
htpasswd
[root@server1 auth]# cat htpasswd
testuser:$2y$05$dqGVPcspJv.UNnwJ8y47FuywJ17eW9weLgoDFIbgHe9UlXVmPB1SO
可以追加认证信息
[root@server1 ~]# docker run --entrypoint htpasswd registry -Bbn admin passwd >> auth/htpasswd
[root@server1 ~]# cat auth/htpasswd
yyz:$2y$05$X3FrmrdjhhsPT7h9.NgBxO2U.z9N2ic2uD/G2IJhPoeQ44r7gu1gK
admin:$2y$05$Yv6w1WENRjMkGd6rn6yqSOhfnc4TBZkAhOrWf4DyPobCNTPeE9X.O
[root@server1 ~]# docker run --entrypoint htpasswd registry -Bbn admin westos >> auth/htpasswd
将生成的认证信息发现给响应的客户端:
[root@server1 ~]# docker run -d --restart=always --name registry -v "$(pwd)"/certs:/certs -e REGISTRY_HTTP_ADDR=0.0.0.0:443 -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/westos.org.crt -e REGISTRY_HTTP_TLS_KEY=/certs/westos.org.key -p 443:443 -v "$(pwd)"/auth:/auth -e "REGISTRY_AUTH=htpasswd" -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd registry
此时失败,报错:
Error response from daemon: Conflict. The container name "/registry" is already in use by container "a1744536053ea3efdcff4f67db781c0622d726313687f3a7af90998c940ff308". You have to remove (or rename) that container to be able to reuse that name.
根据提示:必须把私有仓库删除,才可以进行
[root@server1 ~]# docker rm -f registry
registry
重新来:
[root@server1 ~]# docker run -d --restart=always --name registry -v "$(pwd)"/certs:/certs -e REGISTRY_HTTP_ADDR=0.0.0.0:443 -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/westos.org.crt -e REGISTRY_HTTP_TLS_KEY=/certs/westos.org.key -p 443:443 -v "$(pwd)"/auth:/auth -e "REGISTRY_AUTH=htpasswd" -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd registry
22bd3e55d45b70aa6048c32a73167a2dc623e780f35e9b1bec588bf7526982e1
[root@server1 ~]# docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
22bd3e55d45b registry "/entrypoint.sh /etc…" 2 minutes ago Up 2 minutes 0.0.0.0:443->443/tcp, 5000/tcp registry
13a7a7843802 registry "htpasswd -Bbn admin…" 4 minutes ago Exited (0) 4 minutes ago eager_agnesi
ad8ab4752f54 registry "htpasswd -Bbn admin…" 31 minutes ago Exited (0) 31 minutes ago recursing_mendel
9dc48b269b06 registry "htpasswd -Bbn yyz z…" 31 minutes ago Exited (0) 31 minutes ago quirky_chebyshev
9399720e5b34 registry "htpasswd -Bbn testu…" 41 minutes ago Exited (0) 41 minutes ago angry_hertz
c5ac8e904955 busybox "htpasswd testpasswo…" 43 minutes ago Created focused_lovelace
用认证帐号登陆,即可进行上传
[root@server1 ~]# docker login westos.org
Username: admin
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
退出,此时再进行上传,会提示没有进行登陆认证
[root@server1 ~]# docker logout westos.org
Removing login credentials for westos.org
[root@server1 ~]# docker push westos.org/busyox
The push refers to repository [westos.org/busyox]
1da8e4c8d307: Preparing
no basic auth credentials 提示没有认证
再次登陆才可以进行上传镜像:
[root@server1 ~]# docker login westos.org 再次登陆时,才可以进行上传镜像
Username: admin
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
[root@server1 ~]# docker push westos.org/busyox
The push refers to repository [westos.org/busyox]
1da8e4c8d307: Pushed
latest: digest: sha256:679b1c1058c1f2dc59a3ee70eed986a88811c0205c8ceea57cec5f22d2c3fbb1 size: 527
上传成功~~~~
6、远程主机怎么连接
其实在公司中,就是装配好的镜像,放到私有库里去,供别人使用。
谁需要,就进行认证,用公司域名去pull即可。
再打开一台虚拟机,安装docker并启动
主机名要有解析
[root@server2 docker包]# cat /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
172.25.0.1 server1
172.25.0.2 server2
172.25.0.3 server3 westos.org
172.25.0.4 server4
172.25.0.5 server5
172.25.0.6 server6
172.25.0.7 server7
172.25.0.8 server8
[root@server2 docker包]# ping westos.org
PING server3 (172.25.0.3) 56(84) bytes of data.
64 bytes from server3 (172.25.0.3): icmp_seq=1 ttl=64 time=0.397 ms
要有认证文件,这个文件可以从server3这台主机获得
# 现有证书才能完成认证
[root@server3 ~]# cd /etc/docker/
[root@server3 docker]# ls
certs.d daemon.json key.json
[root@server3 docker]# scp -r certs.d/ server2:/etc/docker/
The authenticity of host 'server2 (172.25.0.2)' can't be established.
ECDSA key fingerprint is 67:9d:41:df:c9:b5:0e:f3:e1:30:72:c7:c9:07:69:e0.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'server2,172.25.0.2' (ECDSA) to the list of known hosts.
root@server2's password:
ca.crt 100% 2098 2.1KB/s 00:00
[root@server2 docker包]# cd /etc/docker/
[root@server2 docker]# ls
certs.d key.json
先认证再拉取
#进行认证登陆
[root@server2 certs.d]# docker login westos.org
Username: admin
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
#拉取镜像
[root@server2 certs.d]# docker pull westos.org/nginx
Using default tag: latest
Error response from daemon: manifest for westos.org/nginx:latest not found
[root@server2 certs.d]# docker pull westos.org/nginx:v3
v3: Pulling from nginx
48f5bbc9baf5: Pull complete
15f1fc4f91e0: Pull complete
98331229c5fd: Pull complete
4c7f36e2f886: Pull complete
df58a187e237: Pull complete
Digest: sha256:ad7f1eadc6268d111c7c1763dd76943e4c1f831f59bde82796bc351b894526b5
Status: Downloaded newer image for westos.org/nginx:v3
测试运行成功
[root@server2 certs.d]# docker run -d --name nginx -p 80:80 westos.org/nginx:v3
299df76d6167d789883a1b7bdb9e338659f49be2e146bd4098e409a7f35d6a02
[root@server2 certs.d]# docker pa
docker: 'pa' is not a docker command.
See 'docker --help'
[root@server2 certs.d]# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
299df76d6167 westos.org/nginx:v3 "/usr/local/nginx/sb…" 9 seconds ago Up 8 seconds 0.0.0.0:80->80/tcp nginx
[root@server2 certs.d]# curl localhost
7、给私有库添加WebUI界面
(1)先从真机给server1发送一个web镜像
(2)导入镜像并且查看
docker load -i docker-redistry-web.tar
(3)重新创建仓库(多添加了一个删除参数,也就是说我们添加了可以在图形界面中删除镜像的功能)先删除之前的私有仓库
[root@server1 docker]# pwd
/etc/docker
[root@server1 docker]# docker run -d \
> --restart=always \
> --name registry \
> -v "$(pwd)"/certs:/certs \
> -e REGISTRY_HTTP_ADDR=0.0.0.0:443 \
> -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/westos.org.crt \
> -e REGISTRY_HTTP_TLS_KEY=/certs/westos.org.key \
> -p 443:443 \
> -v /opt/registry:/var/lib/registry \
> -v "$(pwd)"/auth:/auth \
> -e "REGISTRY_AUTH=htpasswd" \
> -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" \
> -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd \
> -e REGISTRY_STORAGE_DELETE_ENABLED=true registry:2.3.1 ##在这里加上了删除的操作
72d1d0496e03ad7955b19eae4e6b4c470b995688220a6d3d2d74ac40e7d608e6
(4)运行web界面注意:auth等于刚才登陆之后生成的认证信息
5)测试:在浏览器输入172.25.28.1:8080可以看到我们刚才上传的镜像