This article records how to create a local image registry server, how a container host pulls images from it and pushes images to it, and how to install a TLS certificate so that hosts other than localhost can use it.
Environment plan

Image registry server | Container host server |
registry              | container-01          |
Create the local image registry
A local image registry can be built from the open-source registry image; releases and source are at https://github.com/docker/distribution/releases
This first part assumes the registry server and the container host are the same machine.
1. Create the registry
Note: if no registry container exists yet, the command below pulls the registry image and starts a container serving a private repository on port 5000. By default registry:2 keeps its data inside the container under /var/lib/registry, so the stored images disappear when the container is removed; pass -v to keep them on a host path instead (for example -v /root/my_registry:/var/lib/registry).
[root@container-01 ~]# docker run -d -p 5000:5000 --name registry registry:2.6.0
2. Push an image to the registry
[root@container-01 ~]# docker tag helloword:1.2 localhost:5000/helloword:1.2
[root@container-01 ~]# docker push localhost:5000/helloword:1.2
3. Pull the image
Remove the local copy, then pull it again from the registry
[root@container-01 ~]# docker rmi localhost:5000/helloword:1.2
[root@container-01 ~]# docker pull localhost:5000/helloword:1.2
About certificates
If the registry server and the container host are different machines, or they are the same machine but the registry is addressed by something other than localhost, pull and push fail. The Docker daemon only tolerates plain HTTP for registries on localhost (127.0.0.0/8); for any other registry address it insists on HTTPS with a certificate it can validate, so the plain-HTTP registry above is rejected (typically with "http: server gave HTTP response to HTTPS client").
There are three ways to solve this:
1. Start the Docker daemon with --insecure-registry registry:5000 (insecure: the connection is unauthenticated, so anyone on the network path can serve a tampered image).
2. Install a certificate signed by a trusted certificate authority (a commercial CA charges for this).
3. Install a self-signed certificate.
This article only covers the third method.
Install a self-signed certificate (on the registry server)
1. Create a directory for the certificate
[root@registry ~]# mkdir registry_certs
2. Generate the certificate
The Common Name must be the hostname clients will use to reach the registry, here registry. Note that newer Docker clients (built with Go 1.15 or later) no longer accept a certificate that only carries the hostname in the Common Name; they require a subjectAltName, which this interactive command does not add, so with such clients the push below fails with "x509: certificate relies on legacy Common Name field".
[root@registry ~]# openssl req -newkey rsa:4096 -nodes -sha256 -keyout registry_certs/domain.key -x509 -days 365 -out registry_certs/domain.crt
Generating a 4096 bit RSA private key
..........................................................................................................................++
.......................................................................................................................................................................++
writing new private key to 'registry_certs/domain.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:
State or Province Name (full name) []:
Locality Name (eg, city) [Default City]:
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:registry
Email Address []:
3. Run the registry container with TLS
[root@registry ~]# docker run -d -p 5000:5000 -v $(pwd)/registry_certs:/certs -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt -e REGISTRY_HTTP_TLS_KEY=/certs/domain.key --restart=always --name registry registry:2.6.0
7704ad9028b67565e152b3fddc828b49158fca4493b8b50bce44e53dc8a7c21e
Use the certificate (on the container host)
4. Create the certificate directory on the container host. The directory name must be exactly the registry address as it appears in image names (host:port), and the container host must be able to resolve the name registry (DNS or /etc/hosts) to the registry server.
[root@container-01 ~]# mkdir /etc/docker/certs.d
[root@container-01 ~]# mkdir /etc/docker/certs.d/registry:5000
5. Copy the certificate to the container host; inside that directory it must be named ca.crt
[root@registry ~]# scp registry_certs/domain.crt container-01:/etc/docker/certs.d/registry:5000/ca.crt
6. Push the image to the registry
[root@container-01 ~]# docker tag helloword:1.2 registry:5000/helloword:1.2
[root@container-01 ~]# docker push registry:5000/helloword:1.2
7. Verify
Remove the local copy, then pull it again from the registry
[root@container-01 ~]# docker rmi registry:5000/helloword:1.2
[root@container-01 ~]# docker pull registry:5000/helloword:1.2
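The following script is an added example, not code from the original article or from the registry project. It carries out steps 2 to 7 above as shell functions and adds two things a practitioner wants: the generated certificate carries the hostname in a subjectAltName (so it is accepted by Docker clients that ignore the Common Name), and the TLS endpoint is checked with curl against the installed ca.crt before any docker push is attempted. It assumes the registry hostname registry on port 5000, that openssl, curl and docker are installed, and it uses a DOCKER_CERTS_ROOT variable of its own so the install step can be exercised against a scratch directory instead of /etc/docker/certs.d.

```shell
#!/bin/sh
# Added example: self-signed registry TLS with a subjectAltName, registry
# start, client-side CA install, and an endpoint check before docker push.
# Assumptions: hostname "registry", port 5000, openssl/curl/docker present.
# DOCKER_CERTS_ROOT is this script's own knob (not a Docker setting) so the
# install step can be tested against a temporary directory.

REGISTRY_HOST="${REGISTRY_HOST:-registry}"
REGISTRY_PORT="${REGISTRY_PORT:-5000}"

# Directory in which Docker looks for the CA of registry "host:port" ($1).
certs_dir() {
  printf '%s/%s\n' "${DOCKER_CERTS_ROOT:-/etc/docker/certs.d}" "$1"
}

# Write domain.key and domain.crt into $1 for hostname $2.
# A config file is used instead of "openssl req -addext" so this also works
# on OpenSSL versions older than 1.1.1. The SAN is what Docker clients built
# with Go 1.15+ check; the Common Name alone is no longer sufficient.
gen_registry_cert() {
  dir="$1"; host="$2"
  mkdir -p "$dir"
  cat > "$dir/openssl.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_req
[dn]
CN = $host
[v3_req]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$host
EOF
  openssl req -x509 -newkey rsa:4096 -nodes -sha256 -days 365 \
    -config "$dir/openssl.cnf" \
    -keyout "$dir/domain.key" -out "$dir/domain.crt"
  chmod 600 "$dir/domain.key"
}

# Succeeds only if certificate $1 lists hostname $2 in its subjectAltName.
cert_has_san() {
  openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"
}

# Install certificate $1 as the trusted CA for registry "host:port" ($2).
# Docker requires the file name ca.crt in a directory named exactly host:port.
install_registry_ca() {
  dest="$(certs_dir "$2")"
  mkdir -p "$dest"
  cp "$1" "$dest/ca.crt"
}

# Start the registry with TLS, mounting the certificate directory $1
# (same docker run as the article, with the port made configurable).
run_registry_tls() {
  docker run -d -p "$REGISTRY_PORT:5000" \
    -v "$1:/certs" \
    -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt \
    -e REGISTRY_HTTP_TLS_KEY=/certs/domain.key \
    --restart=always --name registry registry:2.6.0
}

# Check the endpoint independently of Docker: with CA file $1 trusted,
# GET https://$2/v2/ must answer 200 (no auth configured) or 401 (auth
# configured). A curl certificate error or a connection failure here means
# docker push/pull against the same address will fail as well.
verify_registry_tls() {
  code="$(curl -s -o /dev/null -w '%{http_code}' \
    --cacert "$1" "https://$2/v2/")" || return 1
  [ "$code" = 200 ] || [ "$code" = 401 ]
}

# Full flow for the single-machine case: generate, start, install, verify.
setup_registry_tls() {
  addr="$REGISTRY_HOST:$REGISTRY_PORT"
  gen_registry_cert "$PWD/registry_certs" "$REGISTRY_HOST"
  cert_has_san "$PWD/registry_certs/domain.crt" "$REGISTRY_HOST" || exit 1
  run_registry_tls "$PWD/registry_certs"
  install_registry_ca "$PWD/registry_certs/domain.crt" "$addr"
  verify_registry_tls "$(certs_dir "$addr")/ca.crt" "$addr"
}

# Run the whole flow only when explicitly asked: ./registry_tls.sh setup
if [ "${1:-}" = "setup" ]; then
  setup_registry_tls
fi
```

For the two-machine case, run gen_registry_cert and run_registry_tls on the registry server, scp domain.crt to container-01 as in step 5, and then run install_registry_ca and verify_registry_tls on container-01; only once verify_registry_tls succeeds is it worth trying docker push registry:5000/helloword:1.2.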
References:
《Docker开发指南》, section 7.4.1