Docker (5): Creating a private registry and adding a web UI for it

2021-07-26 22:02:09  Views: 210  Source: Internet



I. What is a Docker repository?

A repository is a place where image files are stored centrally. The terms repository and registry (the repository registration server) are sometimes conflated without a strict distinction. In fact, a registry server usually hosts multiple repositories, each repository contains multiple images, and each image has different tags.
Repositories come in two forms: public and private. The largest public repository is Docker Hub, which stores a huge number of images for users to download. Public repositories in China include Docker Pool and others, which give mainland users more stable and faster access.
Of course, users can also create a private repository inside their local network. Once a user has built their own image, they can use the push command to upload it to a public or private repository; the next time the image is needed on another machine, it only has to be pulled from the repository.

II. Advantages of a private registry

Sometimes using a public repository such as Docker Hub is inconvenient. In that case a user can use registry to create a local repository for private use, much like a locally managed Maven repository.

A private repository has several advantages:
1) It saves network bandwidth: not everyone has to download each image from the central repository; it only needs to be downloaded from the private repository.
2) It improves image reuse: images used inside the company are pushed to the local private repository so that the relevant people in the company can use them.
Docker Registry has been upgraded to v2, and the latest Docker no longer supports v1. Registry v2 is written in Go, contains many performance and security optimizations, and redesigned the image storage format. To install registry v2, just download registry:2.2.
The docker-registry tool provided officially by Docker can be used to build a private image repository.

How the Registry works

The Index service mainly provides image indexing and user authentication. When an image is downloaded, the client first authenticates against the index service, which looks up the address of the registry holding the image and returns it to the docker client; the docker client then downloads the image from that registry, and during the download the registry checks the validity of the client's token with the index. Different images can be stored on different registry servers, while their index information is all kept on the index service.

1. Docker Registry has three roles: index, registry and registry client

index

Responsible for maintaining information about user accounts, image verification and the public namespace. It provides:
Web UI
Metadata storage
Authentication service
Tokenization

registry

The store for images and their layer graphs. It has no local database of its own and does not authenticate users itself; it authenticates requests with the tokens issued by the Index auth service.

Registry Client

Docker acts as the registry client: it performs push and pull and handles authorization on the client side.

III. Creating a private registry

1. Docker officially packages the registry as an image, so the registry can be deployed simply by starting a container. Import the registry image:

[root@server1 ~]# docker load -i registry2.tar 
d9ff549177a9: Loading layer  4.671MB/4.671MB
f641ef7a37ad: Loading layer  1.587MB/1.587MB
d5974ddb5a45: Loading layer  20.08MB/20.08MB
5bbc5831d696: Loading layer  3.584kB/3.584kB
73d61bf022fd: Loading layer  2.048kB/2.048kB
Loaded image: registry:2
[root@server1 ~]# docker images
REPOSITORY          TAG                 IMAGE ID            CREATED             SIZE
nginx               latest              08b152afcfae        3 days ago          133MB
ubuntu              latest              c29284518f49        12 days ago         72.8MB
registry            2                   f32a97de94e1        2 years ago         25.8MB
game2048            latest              19299002fdbe        4 years ago         55.5MB
mario               latest              9a35a9e43e8c        5 years ago         198MB
[root@server1 ~]# docker run -d --name registry -p 5000:5000 -v /opt/registry:/var/lib/registry registry:2
WARNING: IPv4 forwarding is disabled. Networking will not work.
f7655a8b10863f292e239e81ea95c382052d00889ad3e98c931bc23785fa4c68
[root@server1 ~]# docker ps
CONTAINER ID        IMAGE               COMMAND                  CREATED             STATUS              PORTS                    NAMES
f7655a8b1086        registry:2          "/entrypoint.sh /etc…"   24 seconds ago      Up 23 seconds       0.0.0.0:5000->5000/tcp   registry

2. Push a local image to the private registry

Docker abstracts every change to files and metadata as a commit, and after each commit the history may branch. When a Dockerfile build completes, it produces a random-looking string as the ID of the resulting image. A tag gives that ID a friendly NAME, which makes managing the image repository easier.

[root@server1 ~]# docker tag nginx:latest localhost:5000/nginx:v1
[root@server1 ~]# docker images
REPOSITORY             TAG                 IMAGE ID            CREATED             SIZE
nginx                  latest              08b152afcfae        3 days ago          133MB
localhost:5000/nginx   v1                  08b152afcfae        3 days ago          133MB
ubuntu                 latest              c29284518f49        12 days ago         72.8MB
registry               2                   f32a97de94e1        2 years ago         25.8MB
game2048               latest              19299002fdbe        4 years ago         55.5MB
mario                  latest              9a35a9e43e8c        5 years ago         198MB

When tagging the local image, the name must be prefixed with the registry's IP (or hostname) and port so that push targets the private registry.

[root@server1 ~]# docker push localhost:5000/nginx:v1
The push refers to repository [localhost:5000/nginx]
e3135447ca3e: Pushed 
b85734705991: Pushed 
988d9a3509bb: Pushed 
59b01b87c9e7: Pushed 
7c0b223167b9: Pushed 
814bff734324: Pushed 
v1: digest: sha256:3f13b4376446cf92b0cb9a5c46ba75d57c41f627c4edb8b635fa47386ea29e20 size: 1570

3. Try pulling the image just pushed

[root@server1 ~]# docker rmi localhost:5000/nginx:v1 				## delete the locally tagged image first, before pulling
Untagged: localhost:5000/nginx:v1
Untagged: localhost:5000/nginx@sha256:079aa93463d2566b7a81cbdf856afc6d4d2a6f9100ca3bcbecf24ade92c9a7fe
[root@server1 ~]# docker images
REPOSITORY          TAG                 IMAGE ID            CREATED             SIZE
nginx               latest              08b152afcfae        3 days ago          133MB
ubuntu              latest              c29284518f49        12 days ago         72.8MB
registry            2                   f32a97de94e1        2 years ago         25.8MB
game2048            latest              19299002fdbe        4 years ago         55.5MB
mario               latest              9a35a9e43e8c        5 years ago         198MB
[root@server1 ~]# docker pull localhost:5000/nginx:v1
v1: Pulling from nginx
Digest: sha256:3f13b4376446cf92b0cb9a5c46ba75d57c41f627c4edb8b635fa47386ea29e20
Status: Downloaded newer image for localhost:5000/nginx:v1
[root@server1 ~]# docker images
REPOSITORY             TAG                 IMAGE ID            CREATED             SIZE
nginx                  latest              08b152afcfae        3 days ago          133MB
localhost:5000/nginx   v1                  08b152afcfae        3 days ago          133MB
ubuntu                 latest              c29284518f49        12 days ago         72.8MB
registry               2                   f32a97de94e1        2 years ago         25.8MB
game2048               latest              19299002fdbe        4 years ago         55.5MB
mario                  latest              9a35a9e43e8c        5 years ago         198MB

4. Install tree and inspect the image data under /opt/registry/

[root@server1 ~]# cd /opt/registry/
[root@server1 registry]# ls
docker
[root@server1 registry]# tree docker/

The tree output shows that the nginx image is stored in layers, and we can also see that the ID of the pulled image is the same as the ID of the top-level nginx image.

[root@server1 registry]# docker images
REPOSITORY             TAG                 IMAGE ID            CREATED             SIZE
nginx                  latest              08b152afcfae        3 days ago          133MB
localhost:5000/nginx   v1                  08b152afcfae        3 days ago          133MB
ubuntu                 latest              c29284518f49        12 days ago         72.8MB
registry               2                   f32a97de94e1        2 years ago         25.8MB
game2048               latest              19299002fdbe        4 years ago         55.5MB
mario                  latest              9a35a9e43e8c        5 years ago         198MB
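As an added example (not part of the original post), the following POSIX shell functions inventory a registry:2 storage root such as the /opt/registry volume above by walking the v2 layout that the tree command reveals, listing every repository:tag with the manifest digest it points at. The sample store they build is constructed here and its digests are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: inventory a registry:2 storage
# root (the /opt/registry volume above) by walking the v2 layout:
#   docker/registry/v2/repositories/<name>/_manifests/tags/<tag>/current/link
# Each "link" file holds the manifest digest ("sha256:<hex>") the tag points
# at, so the listing can be diffed against what the team expects to be there.

# Print "<repo>:<tag> <digest>" for every tag under storage root $1.
list_registry_tags() {
    base="$1/docker/registry/v2/repositories"
    [ -d "$base" ] || { echo "no v2 repositories directory under $1" >&2; return 1; }
    find "$base" -type f -path '*/_manifests/tags/*/current/link' | sort |
    while read -r link; do
        rel="${link#$base/}"              # e.g. nginx/_manifests/tags/v1/current/link
        repo="${rel%%/_manifests/*}"
        tag="${rel#*/_manifests/tags/}"
        tag="${tag%%/*}"
        printf '%s:%s %s\n' "$repo" "$tag" "$(cat "$link")"
    done
}

# Count the content-addressed blobs (layers, configs, manifests) under root $1.
count_registry_blobs() {
    find "$1/docker/registry/v2/blobs/sha256" -type f -name data 2>/dev/null | wc -l | tr -d ' '
}

# Build a constructed sample store under $1; the digests are placeholders.
make_sample_store() {
    v2="$1/docker/registry/v2"
    for spec in "nginx v1 sha256:aaaa" "game2048 latest sha256:bbbb"; do
        set -- $spec                      # $1=repo $2=tag $3=digest
        mkdir -p "$v2/repositories/$1/_manifests/tags/$2/current"
        printf '%s' "$3" > "$v2/repositories/$1/_manifests/tags/$2/current/link"
    done
    for hex in aaaa bbbb; do
        bucket=$(printf '%.2s' "$hex")    # blobs are bucketed by the first two hex chars
        mkdir -p "$v2/blobs/sha256/$bucket/$hex" && : > "$v2/blobs/sha256/$bucket/$hex/data"
    done
}

# Stand-alone usage on a real store:  list_registry_tags /opt/registry
```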

IV. Adding a certificate to the private registry

1. Create the server key and certificate

[root@server1 docker]# mkdir -p /opt/docker/certs
[root@server1 docker]# cd /opt/docker/
[root@server1 docker]# ls
certs
[root@server1 docker]# openssl req \
> -newkey rsa:4096 -nodes -sha256 -keyout certs/westos.org.key \
> -x509 -days 365 -out certs/westos.org.crt
Generating a 4096 bit RSA private key
........++
..........................................................................................................................++
writing new private key to 'certs/westos.org.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:shanxi
Locality Name (eg, city) [Default City]:xi'an
Organization Name (eg, company) [Default Company Ltd]:westos
Organizational Unit Name (eg, section) []:linux
Common Name (eg, your name or your server's hostname) []:westos.org
Email Address []:root@westos.org

2. Add a local hosts entry

[root@server1 docker]# vim /etc/hosts
[root@server1 docker]# awk -F: 'NR==4 {print}' /etc/hosts
172.25.10.1	server1 westos.org

3. Create the registry
1) Remove the previous registry container
2) Build the container

[root@server1 docker]# docker run -d \
> --restart=always \
> --name registry \
> -v "$(pwd)"/certs:/certs \
> -e REGISTRY_HTTP_ADDR=0.0.0.0:443 \
> -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/westos.org.crt \
> -e REGISTRY_HTTP_TLS_KEY=/certs/westos.org.key \
> -p 443:443 \
>  -v /opt/registry:/var/lib/registry registry:2
WARNING: IPv4 forwarding is disabled. Networking will not work.
8d4b0e8627d3ffd3d82a3784fc6f3d320fbec623ec56e66ce402bcc94bbc6550
[root@server1 docker]# docker ps
CONTAINER ID        IMAGE               COMMAND                  CREATED             STATUS              PORTS                            NAMES
8d4b0e8627d3        registry:2          "/entrypoint.sh /etc…"   16 seconds ago      Up 15 seconds       0.0.0.0:443->443/tcp, 5000/tcp   registry

4. Create the certificate directory and copy the certificate (the Docker client looks for a registry's CA certificate at /etc/docker/certs.d/<registry hostname>/ca.crt; the /etc/docker listing in part V shows certs.d there)

[root@server1 docker]# mkdir certs.d
[root@server1 docker]# cd certs
[root@server1 certs]# cd ..
[root@server1 docker]# cd certs.d/
[root@server1 certs.d]# mkdir westos.org
[root@server1 certs.d]# cd westos.org/
[root@server1 westos.org]# ls
[root@server1 westos.org]# cp /opt/docker/certs/westos.org.crt ca.crt
[root@server1 westos.org]# ls
ca.crt
[root@server1 westos.org]# 

5. Import an image and push it to the private registry

[root@server1 westos.org]# docker tag game2048:latest westos.org/game2048
[root@server1 westos.org]# docker images
REPOSITORY             TAG                 IMAGE ID            CREATED             SIZE
nginx                  latest              08b152afcfae        4 days ago          133MB
localhost:5000/nginx   v1                  08b152afcfae        4 days ago          133MB
ubuntu                 latest              c29284518f49        12 days ago         72.8MB
registry               2                   f32a97de94e1        2 years ago         25.8MB
game2048               latest              19299002fdbe        4 years ago         55.5MB
westos.org/game2048    latest              19299002fdbe        4 years ago         55.5MB
mario                  latest              9a35a9e43e8c        5 years ago         198MB
[root@server1 westos.org]# docker push westos.org/game2048
The push refers to repository [westos.org/game2048]
88fca8ae768a: Pushed 
6d7504772167: Pushed 
192e9fad2abc: Pushed 
36e9226e74f8: Pushed 
011b303988d2: Pushed 
latest: digest: sha256:8a34fb9cb168c420604b6e5d32ca6d412cb0d533a826b313b190535c03fe9390 size: 1364

6. Pull the image (from server2)

[root@server2 docker]# docker images
REPOSITORY          TAG                 IMAGE ID            CREATED             SIZE
registry            2                   f32a97de94e1        2 years ago         25.8MB
game2048            latest              19299002fdbe        4 years ago         55.5MB
mario               latest              9a35a9e43e8c        5 years ago         198MB
[root@server2 docker]# docker pull westos.org/game2048:latest
latest: Pulling from game2048
Digest: sha256:8a34fb9cb168c420604b6e5d32ca6d412cb0d533a826b313b190535c03fe9390
Status: Downloaded newer image for westos.org/game2048:latest
[root@server2 docker]# docker images
REPOSITORY            TAG                 IMAGE ID            CREATED             SIZE
registry              2                   f32a97de94e1        2 years ago         25.8MB
game2048              latest              19299002fdbe        4 years ago         55.5MB
westos.org/game2048   latest              19299002fdbe        4 years ago         55.5MB
mario                 latest              9a35a9e43e8c        5 years ago         198MB

V. Configuring user permissions (password-protecting the registry)

If you want to control who may use the registry, so that it can only be used after logging in with a username and password,
some extra setup is needed. The registry's username/password file can be generated with htpasswd.
(1) Set the user passwords on the server and inspect the file

[root@server1 docker]# cd /etc/docker/
[root@server1 docker]# mkdir auth
[root@server1 docker]# ls
auth  certs  certs.d  daemon.json  key.json
[root@server1 docker]# docker run --entrypoint htpasswd registry:2 -Bbn bang westos > auth/htpasswd
[root@server1 docker]# docker run --rm  --entrypoint htpasswd registry:2 -Bbn admin westos >> auth/htpasswd
[root@server1 docker]# ls
auth  certs  certs.d  daemon.json  key.json
[root@server1 docker]# cat auth/htpasswd 
bang:$2y$05$csO.SaKxxyHoEaHIHnb8deUnuNRCxdleCslbh94bZtJNyf14v//Li

admin:$2y$05$FLKD5ptJewF4txlMqTKYdewTbjAWuESxCqYg2AQKSr4aRzPr9oZ8O

(2) Create the registry again
As before, remove the previous container first

[root@server1 docker]# docker rm -f 7fb32bd49eda
7fb32bd49eda
[root@server1 docker]# pwd
/etc/docker
[root@server1 docker]# docker run -d \
>  --restart=always \
> --name registry \
> -v "$(pwd)"/certs:/certs \
> -e REGISTRY_HTTP_ADDR=0.0.0.0:443 \
> -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/westos.org.crt \
> -e REGISTRY_HTTP_TLS_KEY=/certs/westos.org.key \
> -p 443:443 \
> -v /opt/registry:/var/lib/registry \
> -v "$(pwd)"/auth:/auth \
> -e "REGISTRY_AUTH=htpasswd" \
> -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" \
> -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd registry:2
74214aca4a4c381cc597a119887e71d8c208e583bb91b69e6399f063c60d541c
[root@server1 docker]# docker ps
CONTAINER ID        IMAGE               COMMAND                  CREATED             STATUS              PORTS                            NAMES
74214aca4a4c        registry:2          "/entrypoint.sh /etc…"   7 seconds ago       Up 6 seconds        0.0.0.0:443->443/tcp, 5000/tcp   registry

(3) Prepare to push a local image to the private registry; retag it first

[root@server1 docker]# docker images
REPOSITORY             TAG                 IMAGE ID            CREATED             SIZE
nginx                  latest              08b152afcfae        4 days ago          133MB
localhost:5000/nginx   v1                  08b152afcfae        4 days ago          133MB
ubuntu                 latest              c29284518f49        12 days ago         72.8MB
registry               2                   f32a97de94e1        2 years ago         25.8MB
game2048               latest              19299002fdbe        4 years ago         55.5MB
westos.org/game2048    latest              19299002fdbe        4 years ago         55.5MB
mario                  latest              9a35a9e43e8c        5 years ago         198MB
[root@server1 docker]# docker tag mario:latest westos.org/mario
[root@server1 docker]# docker images
REPOSITORY             TAG                 IMAGE ID            CREATED             SIZE
localhost:5000/nginx   v1                  08b152afcfae        4 days ago          133MB
nginx                  latest              08b152afcfae        4 days ago          133MB
ubuntu                 latest              c29284518f49        12 days ago         72.8MB
registry               2                   f32a97de94e1        2 years ago         25.8MB
game2048               latest              19299002fdbe        4 years ago         55.5MB
westos.org/game2048    latest              19299002fdbe        4 years ago         55.5MB
westos.org/mario       latest              9a35a9e43e8c        5 years ago         198MB
mario                  latest              9a35a9e43e8c        5 years ago         198MB
[root@server1 docker]# netstat -antlupe | grep 443
tcp6       0      0 :::443                  :::*                    LISTEN      0          80631      15234/docker-proxy  

(4) Push the local image to the private registry

[root@server1 docker]# docker push westos.org/mario:latest 
The push refers to repository [westos.org/mario]
5f70bf18a086: Preparing 
44e5704d49fb: Preparing 
dbe97b1b7330: Preparing 
90222f49bc4c: Preparing 
708fd576a927: Preparing 
4aeeaca5ce76: Preparing 
no basic auth credentials
### rejected
[root@server1 docker]# docker login westos.org
Username: bang
Password: 
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded
## authentication succeeded; the push now succeeds
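The following shell functions are an added example, not from the original post: they audit an htpasswd file such as auth/htpasswd above for entries that registry:2 cannot use (only bcrypt hashes are accepted, which is why the post runs htpasswd with -B; entries with other hash types are ignored and those users can never log in), and build a constructed sample file whose non-bcrypt hash bodies are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: audit the htpasswd file that
# REGISTRY_AUTH_HTPASSWD_PATH points at. registry:2 only accepts bcrypt
# entries (the "$2y$" hashes that "htpasswd -Bbn" produces); entries made
# with MD5 (-m) or SHA (-s) are ignored, so "docker login" always fails for
# them. Blank lines, like those in the "cat auth/htpasswd" output above, and
# lines starting with '#' are skipped by the registry and here as well.

# Print one line per problem in file $1; return 0 only if the file is clean.
audit_htpasswd() {
    file="$1"
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }
    bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            ''|'#'*) continue ;;                    # skipped by the registry
            *:*) ;;
            *) echo "malformed entry (no ':'): $line"; bad=$((bad + 1)); continue ;;
        esac
        user="${line%%:*}"
        hash="${line#*:}"
        case "$hash" in
            '$2y$'*|'$2a$'*|'$2b$'*) ;;             # bcrypt: accepted by registry:2
            *) echo "user '$user': non-bcrypt hash, login will always fail"; bad=$((bad + 1)) ;;
        esac
    done < "$file"
    [ "$bad" -eq 0 ]
}

# Write a constructed sample file to $1: the post's two bcrypt entries plus
# entries an Apache-style htpasswd would accept but registry:2 ignores. The
# MD5 and SHA hash bodies are placeholders, not real hashes.
make_sample_htpasswd() {
    cat > "$1" <<'EOF'
bang:$2y$05$csO.SaKxxyHoEaHIHnb8deUnuNRCxdleCslbh94bZtJNyf14v//Li

admin:$2y$05$FLKD5ptJewF4txlMqTKYdewTbjAWuESxCqYg2AQKSr4aRzPr9oZ8O
# comment line, ignored
alice:$apr1$PLACEHOLDER$md5hashplaceholder
bob:{SHA}PLACEHOLDERsha1hash=
brokenline
EOF
}

# Stand-alone usage:  audit_htpasswd /etc/docker/auth/htpasswd && echo "htpasswd OK"
```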

Source: https://blog.csdn.net/Ma_JunSSR/article/details/119107635
