Author: 吴业亮
Blog: https://wuyeliang.blog.csdn.net/
I. Create a local registry
1. Create the registry
# docker run -d -p 5000:5000 -v /var/lib/registry:/var/lib/registry --restart=always --name registry registry:2
Trying to pull repository docker.io/library/registry ...
2: Pulling from docker.io/library/registry
81033e7c1d6a: Pull complete
Status: Downloaded newer image for docker.io/registry:2
5188ec6904756070138edfc49d4c0f231841bfbdd620556a85eb44b201b37b31
2. Check the container
# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
5188ec690475 registry:2 "/entrypoint.sh /e..." 16 sec ago Up 14 seconds 0.0.0.0:5000->5000/tcp registry
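3. Trust the local registry: add an insecure-registries line to /etc/docker/daemon.json (the Docker daemon will then accept plain HTTP or an unverified certificate from that address)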
{
"registry-mirrors": ["https://***.mirror.aliyuncs.com"],
"insecure-registries" : ["10.130.70.34:5000"],
"dns" : [ "114.114.114.114","8.8.8.8" ]
}
4. Restart the docker service
service docker restart
5. Pull the percona image from the internet
[root@dokcer ~]# docker pull percona
Using default tag: latest
latest: Pulling from library/percona
8ba884070f61: Already exists
c6f6865b89f9: Pull complete
422d044cecee: Pull complete
8389af72ea04: Pull complete
91f3664696cb: Pull complete
31ae0525f3a4: Pull complete
df3f3d8a2a27: Pull complete
Digest: sha256:744769bb87ea11ceeb9efe7cb04cc49a86db88a6b6449c19f743161be5f6f51a
Status: Downloaded newer image for percona:latest
6. List the image
[root@dokcer ~]# docker images | grep percona
percona latest 69377a52e49a 2 months ago 583MB
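7. Tag the image with the registry address (the host:port in the tag must be the one you push to in step 9)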
[root@dokcer ~]# docker tag percona 192.168.8.100:5000/percona
8. List the images again
[root@dokcer ~]# docker images | grep percona
192.168.8.100:5000/percona latest 69377a52e49a 2 months ago 583MB
percona latest 69377a52e49a 2 months ago 583MB
9. Push to the local registry
[root@dokcer ~]# docker push 10.130.70.34:5000/percona
The push refers to repository [10.130.70.34:5000/percona]
aa15337bef7a: Pushed
9e6b0d4d6830: Pushed
6ba257b8d07b: Pushed
718bd1772058: Pushed
1ac4a9b4d611: Pushed
9b8d5bae7d82: Pushed
d69483a6face: Mounted from centos
latest: digest: sha256:50c3e70053e51bc1983dc292dcb3f2dd71771f20e64adc07045bcede560a5217 size: 1784
II. Enable SSL/TLS for the local registry
1. Create the SSL certificate
# cd /etc/pki/tls/certs
# make server.key
umask 77 ; \
/usr/bin/openssl genrsa -aes128 2048 > server.key
Generating RSA private key, 2048 bit long modulus
...
...
e is 65537 (0x10001)
Enter pass phrase:# enter a passphrase
Verifying - Enter pass phrase:# confirm it
# remove the passphrase from the private key
# openssl rsa -in server.key -out server.key
Enter pass phrase for server.key:# input passphrase
writing RSA key
# make server.csr
umask 77 ; \
/usr/bin/openssl req -utf8 -new -key server.key -out server.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN # country
State or Province Name (full name) []:shanghai # province
Locality Name (eg, city) [Default City]: shanghai # city
Organization Name (eg, company) [Default Company Ltd]:openstack # company
Organizational Unit Name (eg, section) []:Server World # department
Common Name (eg, your name or your server's hostname) []:www.srv.world # hostname
Email Address []:xxx@srv.world # email
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:# press Enter
An optional company name []:# Enter
# openssl x509 -in server.csr -out server.crt -req -signkey server.key -days 3650
Signature ok
subject=/C=CN/ST=shanghai/L=shanghai/O=openstack/OU=computer/CN=www.openstack.com/emailAddress=example@openstack.com
Getting Private key
2. Copy the certificate and key
cp -a /etc/pki/tls/certs/server* /etc/docker/certs.d/
3. Start the container
# docker run -d -p 5000:5000 --restart=always --name registry \
-v /var/lib/registry:/var/lib/registry \
-v /etc/docker/certs.d:/certs \
-e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/server.crt \
-e REGISTRY_HTTP_TLS_KEY=/certs/server.key \
registry:2
2: Pulling from docker.io/library/registry
81033e7c1d6a: Pull complete
6ff332201ab29c521fa70e54187d7677f9df1803550f8d61bcaff88f8c602e3b
4. Check the container
# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
6ff332201ab2 registry:2 "/entrypoint.sh /e..." 21 sec ago 18 seconds 0.0.0.0:5000->5000/tcp registry
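Added example, not part of the original post: the certificate made in step 1 carries no subjectAltName, so a current Docker client cannot verify it against the registry address and the insecure-registries entry stays necessary. The sketch below issues a self-signed certificate with a SAN and installs it as /etc/docker/certs.d/<host:port>/ca.crt on the client, so that entry can be removed. The function names are hypothetical, and it assumes an IPv4 address or a DNS name.

```sh
#!/bin/sh
# Added example, not from the original post. Assumes an IPv4 address or DNS name.

# make_registry_cert ADDR OUTDIR: self-signed cert whose SAN is ADDR (no port)
make_registry_cert() {
    addr=$1 out=$2 rc=0
    case $addr in
        *[!0-9.]*) san="DNS:$addr" ;;  # anything but digits and dots: hostname
        *)         san="IP:$addr"  ;;  # dotted quad: IP SAN
    esac
    mkdir -p "$out" || return 1
    cnf=$(mktemp) || return 1
    cat > "$cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3
prompt = no
[dn]
CN = $addr
[v3]
subjectAltName = $san
EOF
    # umask 077 keeps the unencrypted key readable by its owner only
    ( umask 077
      openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
          -config "$cnf" -keyout "$out/server.key" -out "$out/server.crt"
    ) || rc=$?
    rm -f "$cnf"
    return "$rc"
}

# cert_has_san CRT ADDR: succeeds only if ADDR is listed in the certificate's SAN
cert_has_san() {
    openssl x509 -in "$1" -noout -text |
        grep -A1 'Subject Alternative Name' |
        grep -Eq "(IP Address|DNS):$2([, ]|\$)"
}

# trust_registry_cert CRT HOST:PORT [CERTS_D]: install CRT as that registry's CA
trust_registry_cert() {
    dest=${3:-/etc/docker/certs.d}/$2
    mkdir -p "$dest" && cp "$1" "$dest/ca.crt"
}

# Usage: sh this-script.sh ADDR OUTDIR
if [ "$#" -ge 2 ]; then
    make_registry_cert "$1" "$2" && cert_has_san "$2/server.crt" "$1"
fi
```

The ADDR passed to make_registry_cert must be the address clients type in docker push and docker login, without the port.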
III. Set a username and password
1. Install the password-hashing tool (httpd-tools provides htpasswd)
# yum -y install httpd-tools
2. Add a user
# htpasswd -Bc /etc/docker/.htpasswd admin
New password:
Re-type new password:
Adding password for user admin
3. Start the container
# docker run -d -p 5000:5000 --restart=always --name registry \
-v /var/lib/registry:/var/lib/registry \
-v /etc/docker/certs.d:/certs \
-v /etc/docker:/auth \
-e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/server.crt \
-e REGISTRY_HTTP_TLS_KEY=/certs/server.key \
-e REGISTRY_AUTH=htpasswd \
-e REGISTRY_AUTH_HTPASSWD_PATH=/auth/.htpasswd \
-e REGISTRY_AUTH_HTPASSWD_REALM="Registry Realm" \
registry:2
4. Log in to the local registry
[root@node01 ~]# docker login 192.168.8.100:5000
Username: admin
Password:
Login Succeeded
[root@node01 ~]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
docker.io/nginx latest b175e7467d66 6 days ago 109 MB
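Added example, not part of the original post: the registry's htpasswd backend supports only bcrypt hashes, which is why step 2 passes -B to htpasswd. This check reports entries in the file that are not bcrypt, are malformed, or repeat a user name; the function name audit_htpasswd is hypothetical.

```sh
#!/bin/sh
# Added example, not from the original post.

# audit_htpasswd FILE: print one line per problem entry; exit 0 only if the
# file defines at least one user and every entry carries a bcrypt hash.
audit_htpasswd() {
    awk -F: '
        /^[ \t]*(#|$)/ { next }                      # blank line or comment
        { users++ }
        NF < 2 || $1 == "" || $2 == "" {
            printf "line %d: malformed entry\n", NR; bad = 1; next
        }
        seen[$1]++ {
            printf "%s: duplicate user name\n", $1; bad = 1
        }
        # a bcrypt hash is 60 characters and starts with $2a$, $2b$ or $2y$
        # followed by a two-digit cost, e.g. $2y$05$
        $2 !~ /^\$2[aby]\$[0-9][0-9]\$/ || length($2) != 60 {
            printf "%s: not bcrypt (unsupported by the registry)\n", $1; bad = 1
        }
        END {
            if (users == 0) { print "no users defined"; bad = 1 }
            exit bad
        }
    ' "$1"
}

# Usage: sh this-script.sh /etc/docker/.htpasswd
if [ "$#" -ge 1 ]; then
    audit_htpasswd "$1"
fi
```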