Hands-on: Setting Up a Private Docker Registry

I. Building a private registry

1. Transferring the registry image

Test host IP: 192.168.192.225 (an internal machine with no public internet access)
On another machine that can reach the public internet: docker search registry, docker pull registry, then docker save -o ./registry.tar registry
Copy the tarball to 192.168.192.225 and run docker load -i registry.tar; this is how the registry image is transferred

Tag it:
[root@node1 cert]# docker tag <tag of the loaded registry image> localhost/registry:latest
[root@node1 cert]# mkdir -pv /data/registry/{cert,conf,auth}

2. Creating the certificate

Run on master1
[root@master1 cert]# vim registry-csr.json

{
  "CN": "registry",
  "hosts": [
      "127.0.0.1",
      "192.168.192.222",
      "192.168.192.223",
      "192.168.192.224",
      "192.168.192.225",
      "192.168.192.226"
  ],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "HangZhou",
      "L": "HangZhou",
      "O": "k8s",
      "OU": "FirstOne"
    }
  ]
}

[root@master1 cert]# cfssl gencert -ca=/etc/kubernetes/cert/ca.pem -ca-key=/etc/kubernetes/cert/ca-key.pem -config=/etc/kubernetes/cert/ca-config.json -profile=kubernetes registry-csr.json | cfssljson -bare registry
Copy the registry*.pem files (certificate and key) to /data/registry/cert on the 192.168.192.225 node

3. Configuration file

[root@node1 registry]# vim /data/registry/conf/config.yml 
[root@node1 registry]# cat conf/config.yml 
version: 0.1
log:
  level: info
  formatter: text
  fields:
    service: registry

storage:
  filesystem:
    rootdirectory: /var/lib/registry
    maxthreads: 100

http:
  addr: 0.0.0.0:888
  headers:
    X-Content-Type-Options: [nosniff]
  tls:
    certificate: /cert/registry.pem
    key: /cert/registry-key.pem

health:
  storagedriver:
    enabled: true
    interval: 10s
    threshold: 3

II. Running and testing

1. Run the registry

[root@node1 registry]# docker run -itd -p 888:888 --privileged -v /data/registry/data:/var/lib/registry  -v /data/registry/cert:/cert -v /data/registry/conf/config.yml:/etc/docker/registry/config.yml --name registry localhost/registry:latest

2. Distributing the CA certificate

[root@master1 docker]# ansible all -i /root/udp/hosts.ini -m shell -a "mkdir /etc/docker/certs.d/192.168.192.225:888/ -pv "
[root@master1 docker]# ansible all -i /root/udp/hosts.ini -m copy -a "src=/etc/kubernetes/cert/ca.pem  dest=/etc/docker/certs.d/192.168.192.225:888/ca.crt"  

3. Other nodes can now pull images normally

[root@master1 service]# ansible all -i /root/udp/hosts.ini -m shell -a "docker pull 192.168.192.225:888/pause:latest   " 

4. List the images currently in the registry

[root@node1 conf]# curl -k    https://192.168.192.225:888/v2/_catalog
{"repositories":["addon-resizer","kubernetes-dashboard-amd64","metrics-server-amd64","nginx","pause"]}

III. Adding authentication

1. Modify the configuration file

[root@node1 registry]# htpasswd -Bbn Firstone Passwd123 > /data/registry/auth/htpasswd
[root@node1 registry]# cat /data/registry/auth/htpasswd
Firstone:$2y$05$0CnJRBMCTYcaL8WNi/2dj.cT3q/RekI2EVo.UUoEEqPb2B2G3vWm6

[root@node1 registry]# cat conf/config.yml 
version: 0.1
log:
  level: info
  formatter: text
  fields:
    service: registry

storage:
  filesystem:
    rootdirectory: /var/lib/registry
    maxthreads: 100

auth:
  htpasswd:
    realm: basic-realm
    path: /auth/htpasswd

http:
  addr: 0.0.0.0:888
  headers:
    X-Content-Type-Options: [nosniff]
  tls:
    certificate: /cert/registry.pem
    key: /cert/registry-key.pem

health:
  storagedriver:
    enabled: true
    interval: 10s
    threshold: 3

2. Run the registry

[root@node1 registry]# docker run -itd -p 888:888 --privileged -v /data/registry/data:/var/lib/registry -v /data/registry/auth:/auth  -v /data/registry/cert:/cert -v /data/registry/conf/config.yml:/etc/docker/registry/config.yml --name registry localhost/registry:latest

3. Login test

[root@node1 192.168.192.225:888]# docker login 192.168.192.225:888 
Username: Firstone
Password: 
Login Succeeded

The record written after a successful login

[root@node1 192.168.192.225:888]# cat  ~/.docker/config.json
{
    "auths": {
        "127.0.0.1:888": {
            "auth": "Rmlyc3RvbmU6UGFzc3dkMTIz"
        },
        "192.168.192.225:888": {
            "auth": "Rmlyc3RvbmU6UGFzc3dkMTIz"
        }
    }
}

4. Image push test

You must docker login before pushing, otherwise the push fails

[root@node1 192.168.192.225:888]# docker images
REPOSITORY                                       TAG                 IMAGE ID            CREATED             SIZE
192.168.192.225:888/nginx                        latest              719cd2e3ed04        5 weeks ago         109MB
192.168.192.225:888/kubernetes-dashboard-amd64   v1.10.1             f9aed6605b81        7 months ago        122MB
192.168.192.225:888/addon-resizer                1.8.4               5ec630648120        8 months ago        38.3MB
192.168.192.225:888/metrics-server-amd64         v0.3.1              61a0c90da56e        10 months ago       40.8MB
localhost/registry                               latest              265eba1842c4        2 years ago         37.6MB
192.168.192.225:888/pause                        latest              f9d5de079539        5 years ago         240kB
[root@node1 192.168.192.225:888]# for i in $(docker images --format '{{.Repository}}:{{.Tag}}' | grep '^192.168.192.225:888/'); do docker push $i; done   # --format skips the header line; grep leaves out localhost/registry, which cannot be pushed to this registry

5. Querying images

Send GET requests to the v2 API: v2/<repoName>/tags/list lists the tags of a repository, and v2/<repoName>/manifests/<tagName> fetches the manifest of one tag. The examples below list tags:
[root@node1 192.168.192.225:888]# curl --user Firstone:Passwd123 --cacert /etc/docker/certs.d/192.168.192.225\:888/ca.crt  https://192.168.192.225:888/v2/nginx/tags/list
{"name":"nginx","tags":["latest"]}
[root@node1 192.168.192.225:888]# curl --user Firstone:Passwd123 --cacert /etc/docker/certs.d/192.168.192.225\:888/ca.crt  https://192.168.192.225:888/v2/addon-resizer/tags/list
{"name":"addon-resizer","tags":["1.8.4"]}

More API usage: https://docs.docker.com/registry/spec/api/
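The tags/list queries above, with their --cacert and --user flags, as an added Go example (not the registry project's code and not part of the original notes). A constructed in-process stand-in for the registry answers GET /v2/<repoName>/tags/list behind basic auth over TLS, and a small client trusts only the distributed CA PEM, the way the docker client trusts certs.d/<host:port>/ca.crt. The stand-in compares a clear-text user/password pair in constant time where the real registry checks the bcrypt hashes in /auth/htpasswd; the names FakeRegistry, Client, StartTestRegistry and the sample repository contents are this example's own. Note that what the client sends, and what docker login stored in ~/.docker/config.json above, is only base64 of username:password, so that file deserves the same protection as the password itself.

```go
package main

import (
	"crypto/subtle"
	"crypto/tls"
	"crypto/x509"
	"encoding/json"
	"encoding/pem"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// FakeRegistry is a constructed stand-in for the registry container: it answers
// GET /v2/<repoName>/tags/list behind HTTP basic auth. The real registry checks the
// bcrypt hashes in /auth/htpasswd; this demo compares a clear-text pair in constant time.
func FakeRegistry(user, pass string) http.Handler {
	tags := map[string][]string{"addon-resizer": {"1.8.4"}, "nginx": {"latest"}} // sample content
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		u, p, ok := r.BasicAuth()
		if !ok || subtle.ConstantTimeCompare([]byte(u), []byte(user)) != 1 ||
			subtle.ConstantTimeCompare([]byte(p), []byte(pass)) != 1 {
			w.Header().Set("WWW-Authenticate", `Basic realm="basic-realm"`) // realm as in config.yml
			http.Error(w, `{"errors":[{"code":"UNAUTHORIZED"}]}`, http.StatusUnauthorized)
			return
		}
		name := strings.TrimSuffix(strings.TrimPrefix(r.URL.Path, "/v2/"), "/tags/list")
		t, known := tags[name]
		if !known || !strings.HasSuffix(r.URL.Path, "/tags/list") {
			http.NotFound(w, r)
			return
		}
		w.Header().Set("Content-Type", "application/json")
		json.NewEncoder(w).Encode(map[string]interface{}{"name": name, "tags": t})
	})
}

// Client mirrors the curl flags used above: --cacert (trust only the distributed
// CA, not the system store) and --user (basic auth on every request).
type Client struct {
	base, user, pass string
	hc               *http.Client
}

func NewClient(base string, caPEM []byte, user, pass string) (*Client, error) {
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(caPEM) {
		return nil, fmt.Errorf("no certificate found in CA PEM")
	}
	tr := &http.Transport{TLSClientConfig: &tls.Config{RootCAs: pool, MinVersion: tls.VersionTLS12}}
	return &Client{base: base, user: user, pass: pass, hc: &http.Client{Transport: tr}}, nil
}

func (c *Client) get(path string, out interface{}) error {
	req, err := http.NewRequest(http.MethodGet, c.base+path, nil)
	if err != nil {
		return err
	}
	if c.user != "" {
		req.SetBasicAuth(c.user, c.pass) // Authorization: Basic base64(user:pass)
	}
	resp, err := c.hc.Do(req)
	if err != nil {
		return err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return fmt.Errorf("GET %s: %s", path, resp.Status)
	}
	return json.NewDecoder(resp.Body).Decode(out)
}

// Tags is GET /v2/<repoName>/tags/list (JSON field names match case-insensitively).
func (c *Client) Tags(repo string) ([]string, error) {
	var v struct{ Tags []string }
	err := c.get("/v2/"+repo+"/tags/list", &v)
	return v.Tags, err
}

// StartTestRegistry serves FakeRegistry over TLS; the returned PEM plays the role
// of /etc/docker/certs.d/<host:port>/ca.crt on the client side.
func StartTestRegistry(user, pass string) (*httptest.Server, []byte) {
	srv := httptest.NewTLSServer(FakeRegistry(user, pass))
	caPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: srv.Certificate().Raw})
	return srv, caPEM
}

func main() {
	srv, caPEM := StartTestRegistry("Firstone", "Passwd123")
	defer srv.Close()
	c, _ := NewClient(srv.URL, caPEM, "Firstone", "Passwd123")
	tags, err := c.Tags("nginx")
	fmt.Println("nginx tags:", tags, err)
	anon, _ := NewClient(srv.URL, caPEM, "", "")
	_, err = anon.Tags("nginx")
	fmt.Println("without credentials:", err)
}
```

Without credentials the stand-in answers 401 with the same basic-realm challenge the registry sends, and a client built from a PEM that contains no certificate fails before any connection is made, which is the behaviour you want instead of silently falling back to the system trust store.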

IV. daemon.json reference configuration

[root@master1 ~]# cat /etc/docker/daemon.json 
{
    "registry-mirrors": ["https://192.168.192.225:888"],
    "max-concurrent-downloads": 20,
    "live-restore": true,
    "max-concurrent-uploads": 10,
    "debug": true,
    "log-opts": {
      "max-size": "100m",
      "max-file": "5"
    }
}

How it works:

  • Encrypted transport: symmetric and asymmetric encryption //the actual data transfer uses symmetric encryption
  • Symmetric encryption: the same key is used to encrypt and decrypt; on its own it is insecure, because the key would have to be negotiated in clear text
  • Asymmetric encryption: encrypt with the private key and decrypt with the public key, or encrypt with the public key and decrypt with the private key
  • Key negotiation: for safety the session key is exchanged with asymmetric encryption, encrypted with the other side's public key before being sent //the asymmetric algorithm is used to negotiate the symmetric one
  • Obtaining the public key safely: this is where the CA comes in; a certificate issued by a certificate authority is what makes the asymmetric step itself trustworthy
    1) The client connects to the server, and the server returns its certificate (which contains the issuer, validity period, public key, subject, signature, etc.)
    2) The client looks for the issuer CA of the server's certificate among the trusted CAs built into the operating system, to check that the certificate was issued by a legitimate authority
    3) If it is not found, the certificate is rejected. If it is found, the client takes the issuer CA's public key from the operating system and uses it to decrypt the signature on the server's certificate,
    computes the certificate's hash with the same hash algorithm, and compares that computed hash with the value recovered from the signature; if they match, the certificate is valid
    4) The client reads the public key from the certificate and uses it for the encryption that follows
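Steps 1) to 4) above, together with the ca.crt distribution in section II.2, as an added Go example that is not part of the original notes. It builds an in-memory CA and a registry certificate with the same IP hosts as registry-csr.json (the keys are generated here; the cluster's ca.pem is not used), then checks the chain and the host the way the docker client checks against certs.d/<host:port>/ca.crt. The names NewCA, IssueRegistryCert, VerifyForHost and IsUnknownAuthority are this example's own. The two failing cases in main correspond to the "certificate signed by unknown authority" entry in the problem log and to connecting by an address that is not in the hosts list.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net"
	"time"
)

// RegistryHosts mirrors the "hosts" list in registry-csr.json; IPs become IP SANs.
var RegistryHosts = []string{
	"127.0.0.1", "192.168.192.222", "192.168.192.223",
	"192.168.192.224", "192.168.192.225", "192.168.192.226",
}

// NewCA builds a self-signed CA in memory (stand-in for the cluster ca.pem/ca-key.pem).
func NewCA(name string) (*x509.Certificate, *rsa.PrivateKey, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048) // same algo/size as the CSR
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name, Organization: []string{"k8s"}},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// IssueRegistryCert is the in-memory counterpart of "cfssl gencert -profile=kubernetes":
// a server certificate for CN=registry, signed by the CA, valid for the given IPs.
func IssueRegistryCert(ca *x509.Certificate, caKey *rsa.PrivateKey, ips []string) (*x509.Certificate, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "registry", Organization: []string{"k8s"}},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	for _, s := range ips {
		ip := net.ParseIP(s)
		if ip == nil {
			return nil, fmt.Errorf("host %q is not an IP address", s)
		}
		tmpl.IPAddresses = append(tmpl.IPAddresses, ip)
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// VerifyForHost is what the docker client does with certs.d/<host:port>/ca.crt: check the
// signature with the CA's public key, the validity period and the CA flag (steps 2 and 3
// above), then check that the address dialled is covered by the certificate's SANs.
func VerifyForHost(leaf, root *x509.Certificate, host string) error {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: host}) // IP literals match IP SANs
	return err
}

// IsUnknownAuthority: no path to the trusted CA ("certificate signed by unknown authority").
func IsUnknownAuthority(err error) bool {
	var e x509.UnknownAuthorityError
	return errors.As(err, &e)
}

func main() {
	ca, caKey, _ := NewCA("kubernetes-ca")
	leaf, _ := IssueRegistryCert(ca, caKey, RegistryHosts)
	otherCA, _, _ := NewCA("some-other-ca")
	fmt.Println("trusted CA, listed IP:  ", VerifyForHost(leaf, ca, "192.168.192.225"))
	fmt.Println("trusted CA, unlisted IP:", VerifyForHost(leaf, ca, "192.168.192.230"))
	fmt.Println("wrong CA in certs.d:    ", VerifyForHost(leaf, otherCA, "192.168.192.225"))
}
```

Two details worth noticing: the hosts list is checked against IP SANs, so a registry reached by a DNS name would need that name in the CSR as well, and a mismatch between the CA in certs.d and the CA that signed the registry certificate shows up as the unknown-authority error, not as a TLS handshake problem on the server.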

Problem log:

  • 1. Error while removing the old registry container
    [root@node1 ~]# docker rm 6f0d1bcd9f87
    Error response from daemon: driver "overlay" failed to remove root filesystem for 6f0d1bcd9f87a62f9b991d18d460c215f49633d16559bb07eca2ed3d1c1742fd: remove /var/lib/docker/overlay/ec8a0744de13547e690eb421e968c181acf4c043a94b9643a8867e37ec8217a0/merged: device or resource busy
    [root@node1 ~]# grep docker /proc/*/mountinfo | grep ec8a0744de1
    /proc/20276/mountinfo:125 110 0:37 / /var/lib/docker/overlay/ec8a0744de13547e690eb421e968c181acf4c043a94b9643a8867e37ec8217a0/merged rw,relatime shared:60 - overlay overlay rw,lowerdir=/var/lib/docker/overlay/59fce193b8b2ab730f7c4c556d2ac931c1567e772efb72aafcb29716287bffc2/root,upperdir=/var/lib/docker/overlay/ec8a0744de13547e690eb421e968c181acf4c043a94b9643a8867e37ec8217a0/upper,workdir=/var/lib/docker/overlay/ec8a0744de13547e690eb421e968c181acf4c043a94b9643a8867e37ec8217a0/work
    [root@node1 ~]# ps -ef |grep 20276
    root 19972 18147 0 14:22 pts/0 00:00:00 grep --color=auto 20276
    ntp 20276 1 0 Jul18 ? 00:00:00 /usr/sbin/ntpd -u ntp:ntp -g
    [root@node1 ~]# service ntpd restart
    [root@node1 ~]# docker rm 6f0d1bcd9f87

  • 2. Pull fails with: certificate signed by unknown authority
    Fix 1: in docker.service, ExecStart=/usr/bin/dockerd --insecure-registry <address of the registry>
    Fix 2: the CA file under certs.d must be named ca.crt
    [root@node1 192.168.192.234:888]# ls
    /etc/docker/certs.d/192.168.192.234:888/ca.pem
    [root@node1 192.168.192.234:888]# mv ca.pem ca.crt

  • Note: during installation it is enough to enable HTTPS only
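Problem 1 above, as an added Go example that is not part of the original notes: a parser for the /proc/<pid>/mountinfo format and a function that returns the PIDs whose mount namespace still holds the container's overlay directory, which is what the grep over /proc/*/mountinfo was doing by hand. The sample input is constructed from the ntpd line shown above plus one unrelated mount; the names ParseMountInfoLine, HoldersOf and LoadProc are this example's own.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"sort"
	"strconv"
	"strings"
)

// Mount is the part of a /proc/<pid>/mountinfo record that matters when docker rm
// fails with "device or resource busy" on a container's overlay directory.
type Mount struct {
	MountPoint, FSType, Source, SuperOpts string
}

// ParseMountInfoLine parses one mountinfo line. Per proc(5) the layout is
//   id parent major:minor root mountpoint mntopts [optional fields...] - fstype source superopts
// The optional fields (e.g. "shared:60") vary in number, so the line is split at
// the " - " separator instead of by fixed column numbers.
func ParseMountInfoLine(line string) (Mount, error) {
	sep := strings.Index(line, " - ")
	if sep < 0 {
		return Mount{}, fmt.Errorf("no ' - ' separator in %q", line)
	}
	left, right := strings.Fields(line[:sep]), strings.Fields(line[sep+3:])
	if len(left) < 6 || len(right) < 3 {
		return Mount{}, fmt.Errorf("too few fields in %q", line)
	}
	return Mount{MountPoint: left[4], FSType: right[0], Source: right[1], SuperOpts: right[2]}, nil
}

// HoldersOf returns the PIDs whose mount namespace still contains an overlay mount
// whose mountpoint carries the given layer ID, i.e. the processes that must be
// stopped or restarted (ntpd in the log above) before docker can remove the
// container. The input maps pid -> contents of /proc/<pid>/mountinfo.
func HoldersOf(mountinfoByPID map[int]string, overlayID string) ([]int, error) {
	var pids []int
	for pid, content := range mountinfoByPID {
		for _, line := range strings.Split(strings.TrimSpace(content), "\n") {
			if line == "" {
				continue
			}
			m, err := ParseMountInfoLine(line)
			if err != nil {
				return nil, fmt.Errorf("pid %d: %w", pid, err)
			}
			if m.FSType == "overlay" && strings.Contains(m.MountPoint, overlayID) {
				pids = append(pids, pid)
				break
			}
		}
	}
	sort.Ints(pids)
	return pids, nil
}

// LoadProc reads /proc/<pid>/mountinfo for every numeric entry under procRoot.
// Entries that disappear or are unreadable are skipped, as with the grep on the page.
func LoadProc(procRoot string) (map[int]string, error) {
	entries, err := os.ReadDir(procRoot)
	if err != nil {
		return nil, err
	}
	out := make(map[int]string)
	for _, e := range entries {
		pid, err := strconv.Atoi(e.Name())
		if err != nil || !e.IsDir() {
			continue
		}
		if b, err := os.ReadFile(filepath.Join(procRoot, e.Name(), "mountinfo")); err == nil {
			out[pid] = string(b)
		}
	}
	return out, nil
}

// SampleMountInfo is constructed: pid 20276 carries the ntpd line from the log above,
// pid 1 carries an unrelated proc mount.
var SampleMountInfo = map[int]string{
	1:     "17 39 0:4 / /proc rw,nosuid,nodev,noexec,relatime shared:12 - proc proc rw\n",
	20276: "125 110 0:37 / /var/lib/docker/overlay/ec8a0744de13547e690eb421e968c181acf4c043a94b9643a8867e37ec8217a0/merged rw,relatime shared:60 - overlay overlay rw,lowerdir=/var/lib/docker/overlay/59fce193b8b2ab730f7c4c556d2ac931c1567e772efb72aafcb29716287bffc2/root,upperdir=/var/lib/docker/overlay/ec8a0744de13547e690eb421e968c181acf4c043a94b9643a8867e37ec8217a0/upper,workdir=/var/lib/docker/overlay/ec8a0744de13547e690eb421e968c181acf4c043a94b9643a8867e37ec8217a0/work\n",
}

func main() {
	pids, err := HoldersOf(SampleMountInfo, "ec8a0744de1")
	fmt.Println(pids, err) // [20276] <nil>
}
```

On a real host, `LoadProc("/proc")` feeds HoldersOf; matching on the mountpoint rather than the whole line avoids false hits on the lowerdir/upperdir paths in the super options, which the grep on the page would also have matched.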

References:
https://docs.docker.com/registry/deploying/
https://docs.docker.com/registry/configuration/#list-of-configuration-options
https://deepzz.com/post/secure-docker-registry.html
https://blog.51cto.com/11883699/2160032
