Docker (5): Setting up a local registry / private registry (with TLS encryption and access control)

I. Building the private registry and loading the image

1. Load the registry image into Docker

[root@server1 ~]# ls
certs  docker  registry.tar  ubuntu.tar
[root@server1 ~]# docker load -i registry.tar 
917c0fc99b35: Loading layer  130.9MB/130.9MB
5f70bf18a086: Loading layer  1.024kB/1.024kB
e6107e74315e: Loading layer  20.71MB/20.71MB
5deabacb4c9b: Loading layer  20.66MB/20.66MB
32d89efca72a: Loading layer  3.584kB/3.584kB
Loaded image: registry:2.3.1
[root@server1 ~]# docker images
REPOSITORY          TAG                 IMAGE ID            CREATED             SIZE
registry            2.3.1               83139345d017        3 years ago         166MB
ubuntu              latest              07c86167cdc4        3 years ago         188MB

Note: you can also pull it directly from the official registry

docker search registry
docker pull registry

2. Run the Docker Registry container

[root@server1 ~]# docker ps -a			## list all Docker containers (running and stopped)
CONTAINER ID        IMAGE               COMMAND             CREATED             STATUS                      PORTS               NAMES
e85017a74f1a        ubuntu              "/bin/bash"         27 minutes ago      Exited (0) 23 minutes ago                       vm2
edb4ef9b0bcf        ubuntu              "/bin/bash"         38 minutes ago      Exited (0) 28 minutes ago                       vm1
Remove the existing containers
[root@server1 ~]# docker rm vm1
vm1
[root@server1 ~]# docker rm vm2
vm2
[root@server1 ~]# docker ps -a
CONTAINER ID        IMAGE               COMMAND             CREATED             STATUS              PORTS               NAMES


[root@server1 ~]# docker run -d --name registry -p 5000:5000 -v /opt/registry:/var/lib/registry registry:latest
## -v bind-mounts a host directory onto a directory in the container; if the host path does not exist it is created automatically
## the registry image loaded above is not the latest version, so registry:latest is pulled from the official registry here

3. Check that the Docker Registry container is up

[root@server1 ~]# docker ps
[root@server1 ~]# netstat -antlp


II. Pushing an image to the local registry

1. Retag the ubuntu image, push it to the private registry built above, then check

[root@server1 ~]# docker tag ubuntu:latest localhost:5000/ubuntu
[root@server1 ~]# docker images localhost:5000/ubuntu
REPOSITORY              TAG                 IMAGE ID            CREATED             SIZE
localhost:5000/ubuntu   latest              07c86167cdc4        3 years ago         188MB
### push the image to the private registry (addressed via localhost:5000)
[root@server1 registry]# docker push localhost:5000/ubuntu
The push refers to repository [localhost:5000/ubuntu]
5f70bf18a086: Pushed 
11083b444c90: Pushed 
9468150a390c: Pushed 
56abdd66ba31: Pushed 
latest: digest: sha256:4e709bde11754c2a27ed6e9b9ba55569647f83903f85cd8107e36162c5579984 size: 1151

[root@server1 ~]# docker images
REPOSITORY              TAG                 IMAGE ID            CREATED             SIZE
registry                latest              f32a97de94e1        4 months ago        25.8MB
registry                2.3.1               83139345d017        3 years ago         166MB
ubuntu                  latest              07c86167cdc4        3 years ago         188MB
localhost:5000/ubuntu   latest              07c86167cdc4        3 years ago         188MB


Note: a local image pushed to the registry must be named with the registry's IP (or hostname) and port as its prefix

2. Install tree and view the registry's directory tree

[root@server1 ~]# yum install tree -y
# view the directory tree under the private registry's storage
[root@server1 ~]# cd /opt/registry/
[root@server1 registry]# ls
[root@server1 registry]# tree docker/


3. Pulling an image from the private registry

Remove every local image except registry (so the pull below really comes from the private registry)
4. Pull from the private registry created earlier

[root@server1 ~]# docker pull localhost:5000/ubuntu
[root@server1 ~]# docker images


5. Change the image tag

III. Building a local registry with Docker: securing the private registry with TLS encryption and access control

Configuring a TLS certificate for encrypted access to the private registry

1. Create the certs directory and generate the server's private key and self-signed certificate

[root@server1 ~]# cd /tmp
[root@server1 tmp]# ls
[root@server1 tmp]# mkdir docker
[root@server1 tmp]# cd docker/
[root@server1 docker]# mkdir certs
[root@server1 docker]# openssl req -newkey rsa:4096 -nodes -sha256 -keyout certs/westos.org.key -x509 -days 365 -out certs/westos.org.crt
Generating a 4096 bit RSA private key
..........................................................................................................................++
................................................................................................................++
writing new private key to 'certs/westos.org.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:shaaxi
Locality Name (eg, city) [Default City]:xi'an
Organization Name (eg, company) [Default Company Ltd]:westos
Organizational Unit Name (eg, section) []:linux
Common Name (eg, your name or your server's hostname) []:westos.org
Email Address []:[email protected]

2. Add hostname resolution and test it

[root@server1 docker]# ls certs/
westos.org.crt  westos.org.key		## the generated certificate and private key
[root@server1 docker]# 
[root@server1 docker]# vim /etc/hosts
[root@server1 docker]# ping westos.org 
PING server1 (172.25.31.1) 56(84) bytes of data.
64 bytes from server1 (172.25.31.1): icmp_seq=1 ttl=64 time=0.035 ms

3. Remove the registry created earlier

[root@server1 docker]# docker rm -f registry 
registry

4. Start the container and check its status and listening port

[root@server1 docker]# docker run -d \
> --restart=always \
> --name registry \
> -v /tmp/docker/certs:/certs \
> -e REGISTRY_HTTP_ADDR=0.0.0.0:443 \
> -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/westos.org.crt \
> -e REGISTRY_HTTP_TLS_KEY=/certs/westos.org.key \
> -p 443:443 \
> -v /opt/registry:/var/lib/registry \
> registry:latest
1f31372fa4aa43dba1e3f062581fdd93c09782e23891ce3efff8bd43c176a311
[root@server1 docker]# docker ps
CONTAINER ID        IMAGE               COMMAND                  CREATED             STATUS              PORTS                            NAMES
1f31372fa4aa        registry:latest     "/entrypoint.sh /etc…"   8 seconds ago       Up 7 seconds        0.0.0.0:443->443/tcp, 5000/tcp   registry
[root@server1 docker]# netstat -antlp
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      837/sshd            
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      891/master          
tcp        0      0 172.25.31.1:22          172.25.31.250:40700     ESTABLISHED 2327/sshd: root@pts 
tcp6       0      0 :::22                   :::*                    LISTEN      837/sshd            
tcp6       0      0 ::1:25                  :::*                    LISTEN      891/master          
tcp6       0      0 :::443                  :::*                    LISTEN      16508/docker-proxy  

Parameter descriptions

-v: the first mount is not the registry's data directory but the host's certs directory
-d: run the container detached, in the background.
--restart: set the container's restart policy.
--name: name the container.
-v: mount specification (host path:container path)
-e: set an environment variable inside the container; the registry reads these to override options in its configuration file, which is how the listening port is changed here
-e REGISTRY_HTTP_ADDR: set the address and port the registry listens on.
# the certificate files are mounted so the container can use them directly
-e REGISTRY_HTTP_TLS_CERTIFICATE: environment variable telling the container where the certificate is.
-e REGISTRY_HTTP_TLS_KEY: environment variable telling the container where the private key is.
-p: map the container's port 443 to port 443 on the host

5. Copy the certificate into a new certs.d directory under Docker's configuration directory (/etc/docker)

[root@server1 docker]# ls
daemon.json  key.json
[root@server1 docker]# mkdir certs.d
[root@server1 docker]# cd certs.d/
[root@server1 certs.d]# mkdir westos.org
[root@server1 certs.d]# cd westos.org/
[root@server1 westos.org]# cp /tmp/docker/certs/westos.org.crt ca.crt
[root@server1 westos.org]# ls
ca.crt

6. Load an image and check it

[root@server1 westos.org]# docker load -i /root/game2048.tar 
011b303988d2: Loading layer   5.05MB/5.05MB
36e9226e74f8: Loading layer  51.46MB/51.46MB
192e9fad2abc: Loading layer  3.584kB/3.584kB
6d7504772167: Loading layer  4.608kB/4.608kB
88fca8ae768a: Loading layer  629.8kB/629.8kB
Loaded image: game2048:latest

[root@server1 ~]# docker images
REPOSITORY              TAG                 IMAGE ID            CREATED             SIZE
registry                latest              f32a97de94e1        4 months ago        25.8MB
game2048                latest              19299002fdbe        2 years ago         55.5MB
ubuntu                  latest              07c86167cdc4        3 years ago         188MB
localhost:5000/ubuntu   latest              07c86167cdc4        3 years ago         188MB

7. Retag the image and push it

[root@server1 ~]# docker tag game2048:latest westos.org/game2048
[root@server1 ~]# docker images
REPOSITORY              TAG                 IMAGE ID            CREATED             SIZE
registry                latest              f32a97de94e1        4 months ago        25.8MB
game2048                latest              19299002fdbe        2 years ago         55.5MB
westos.org/game2048     latest              19299002fdbe        2 years ago         55.5MB
ubuntu                  latest              07c86167cdc4        3 years ago         188MB
localhost:5000/ubuntu   latest              07c86167cdc4        3 years ago         188MB
[root@server1 ~]# docker push westos.org/game2048
The push refers to repository [westos.org/game2048]
88fca8ae768a: Pushed 
6d7504772167: Pushed 
192e9fad2abc: Pushed 
36e9226e74f8: Pushed 
011b303988d2: Pushed 
latest: digest: sha256:8a34fb9cb168c420604b6e5d32ca6d412cb0d533a826b313b190535c03fe9390 size: 1364

Note: the image's name prefix must match the domain name in the certificate

Test on the client (server2):

server2:

1. Install Docker and start it
Copy /root/docker from server1 to server2 and install the packages

yum install *.rpm
systemctl start docker

2. Create the directory that will hold the certificate

[root@server2 docker]# cd /etc/docker/
[root@server2 docker]# ls
key.json
[root@server2 docker]# mkdir certs.d/westos.org -p
[root@server2 docker]# ls
certs.d  key.json
[root@server2 docker]# cd certs.d/
[root@server2 certs.d]# cd westos.org/
[root@server2 westos.org]# ls
[root@server2 westos.org]# scp server1:/etc/docker/certs.d/westos.org/ca.crt .
The authenticity of host 'server1 (172.25.31.1)' can't be established.
ECDSA key fingerprint is 6e:87:8f:88:b9:6e:22:9c:66:5e:05:0a:ab:c2:52:37.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'server1,172.25.31.1' (ECDSA) to the list of known hosts.
root@server1's password: 
ca.crt                 100% 2094     2.0KB/s   00:00    
[root@server2 westos.org]# ls
ca.crt

3. Add the hosts entry for server1

[root@server2 westos.org]# cat /etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
172.25.31.250 foundation31.ilt.example.com
172.25.31.1	server1 westos.org
172.25.31.2	server2
172.25.31.3	server3
172.25.31.4	server4
172.25.31.5	server5
172.25.31.6	server6
172.25.31.7	server7
172.25.31.8	server8

4. server2 can pull the image, which confirms that the TLS-secured private registry was set up successfully

[root@server2 westos.org]# docker pull westos.org/game2048
Using default tag: latest
latest: Pulling from game2048
534e72e7cedc: Pull complete 
f62e2f6dfeef: Pull complete 
fe7db6293242: Pull complete 
3f120f6a2bf8: Pull complete 
4ba4e6930ea5: Pull complete 
Digest: sha256:8a34fb9cb168c420604b6e5d32ca6d412cb0d533a826b313b190535c03fe9390
Status: Downloaded newer image for westos.org/game2048:latest
[root@server2 westos.org]# docker images
REPOSITORY            TAG                 IMAGE ID            CREATED             SIZE
westos.org/game2048   latest              19299002fdbe        2 years ago         55.5MB
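The script below is an added example for this post, not part of the original article or of the registry project: a POSIX sh pre-flight that checks the certificate pair handed to the container through REGISTRY_HTTP_TLS_CERTIFICATE and REGISTRY_HTTP_TLS_KEY, and the ca.crt copy the clients expect under /etc/docker/certs.d/<host>/, before the registry is started or a client pulls. It assumes openssl and GNU coreutils (stat -c) on the host; the hostname westos.org and the /tmp/docker/certs paths in the usage comment are the ones from the steps above, and every function name is my own.

```shell
#!/bin/sh
# Added example (not from the original post): pre-flight checks for the
# certificate pair the registry is started with and for the CA copy that Docker
# clients read from /etc/docker/certs.d/<host>/ca.crt.
# Assumes openssl and GNU coreutils; every path is passed in as an argument.

# cert_matches_host CRT HOST: 0 if HOST is the certificate's CN or a DNS SAN.
# The Docker client checks the registry name it connects to (westos.org)
# against exactly this, which is why the image prefix must equal the
# certificate's domain.
cert_matches_host() {
    crt=$1; host=$2
    subj=$(openssl x509 -in "$crt" -noout -subject 2>/dev/null)
    sans=$(openssl x509 -in "$crt" -noout -ext subjectAltName 2>/dev/null)
    # a trailing comma terminates the name, so westos.org does not match westos.organic
    case "$subj," in
        *"CN = $host,"*|*"CN=$host,"*|*"CN=$host/"*) return 0 ;;
    esac
    case "$sans," in
        *"DNS:$host,"*) return 0 ;;
    esac
    return 1
}

# key_matches_cert CRT KEY: 0 if the private key belongs to the certificate
# (identical public key). A mismatched pair makes the registry refuse to start.
key_matches_cert() {
    crt_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null)
    [ -n "$crt_pub" ] && [ "$crt_pub" = "$key_pub" ]
}

# cert_not_expired CRT [SECONDS]: 0 if the certificate is still valid SECONDS
# from now (default 0). A "-days 365" self-signed cert silently stops working
# for every client after one year.
cert_not_expired() {
    openssl x509 -in "$1" -noout -checkend "${2:-0}" >/dev/null 2>&1
}

# key_is_private KEY: 0 only when group and other have no permissions on the
# key. The key is bind-mounted into the container, so it keeps living on the
# host's disk.
key_is_private() {
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 1
    [ "${mode#?}" = "00" ]       # drop the owner digit; group/other must be 0
}

# client_ca_matches HOST CRT [CERTS_D]: 0 if CERTS_D/HOST/ca.crt is byte-for-byte
# the certificate the registry serves (the file copied in step 5 on server1 and
# step 2 on server2).
client_ca_matches() {
    ca="${3:-/etc/docker/certs.d}/$1/ca.crt"
    [ -f "$ca" ] && cmp -s "$ca" "$2"
}

# run_check LABEL CMD ARGS...: run one check, print its result, count failures.
run_check() {
    label=$1; shift
    if "$@"; then echo "ok   $label"; else echo "FAIL $label"; fails=$((fails + 1)); fi
}

# preflight HOST CRT KEY [CERTS_D]: run every check; the return value is the
# number of failed checks, so 0 means the registry can be started.
preflight() {
    host=$1; crt=$2; key=$3; certsd=${4:-/etc/docker/certs.d}
    fails=0
    run_check "CN or SAN matches $host"            cert_matches_host "$crt" "$host"
    run_check "private key belongs to certificate" key_matches_cert "$crt" "$key"
    run_check "certificate valid for 24h more"     cert_not_expired "$crt" 86400
    run_check "key unreadable by group/other"      key_is_private "$key"
    run_check "client ca.crt identical to cert"    client_ca_matches "$host" "$crt" "$certsd"
    return $fails
}

# usage (paths from the steps above):
#   sh registry_preflight.sh westos.org /tmp/docker/certs/westos.org.crt /tmp/docker/certs/westos.org.key
if [ $# -ge 3 ]; then
    preflight "$@"
fi
```

Run it on server1 before starting the container; a non-zero exit status means at least one check failed, and the FAIL line says which. The CN/SAN check is the reason behind the note that the image prefix has to match the certificate's domain: the Docker client verifies the name it pulls from against the certificate, so a certificate issued for a different name is rejected with an x509 error even though ca.crt is installed.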


Access control for the private registry with basic authentication

1. Create an auth directory to hold the Docker users' password file

[root@server1 ~]# cd /tmp/docker/
[root@server1 docker]# ls
certs
[root@server1 docker]# mkdir auth
[root@server1 docker]# docker run --rm --entrypoint htpasswd registry:latest -Bbn user1 westos >auth/htpasswd
[root@server1 docker]# docker run --rm --entrypoint htpasswd registry:latest -Bbn user2 redhat >>auth/htpasswd					## appended with >>, so the earlier entry is not overwritten

2. Remove the registry container created earlier to avoid a conflict

[root@server1 docker]# docker rm -f registry 
[root@server1 docker]# docker images

3. Start the container and list the images

[root@server1 docker]# docker run -d \
> --restart=always \
> --name registry \
> -v /tmp/docker/certs:/certs \
> -e REGISTRY_HTTP_ADDR=0.0.0.0:443 \
> -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/westos.org.crt \
> -e REGISTRY_HTTP_TLS_KEY=/certs/westos.org.key \
> -p 443:443 \
> -v /opt/registry:/var/lib/registry \
> -v /tmp/docker/auth:/auth \
> -e "REGISTRY_AUTH=htpasswd" \
> -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" \
> -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd \
> registry:latest
7e820dd26deec22a85b0532e6679884a7480a93621b1215348c73cdd913a947a
[root@server1 docker]# docker images
REPOSITORY              TAG                 IMAGE ID            CREATED             SIZE
registry                latest              f32a97de94e1        4 months ago        25.8MB
game2048                latest              19299002fdbe        2 years ago         55.5MB
westos.org/game2048     latest              19299002fdbe        2 years ago         55.5MB
ubuntu                  latest              07c86167cdc4        3 years ago         188MB
localhost:5000/ubuntu   latest              07c86167cdc4        3 years ago         188MB

Test:

1. Retag the ubuntu image and list the images

2. Try to push ubuntu: the push fails

[root@server1 docker]# docker push westos.org/ubuntu
The push refers to repository [westos.org/ubuntu]
5f70bf18a086: Preparing 
11083b444c90: Preparing 
9468150a390c: Preparing 
56abdd66ba31: Preparing 
no basic auth credentials

3. Log in, then push again

[root@server1 docker]# docker login westos.org
Username: user1
Password: 
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded

[root@server1 docker]# docker push westos.org/ubuntu
The push refers to repository [westos.org/ubuntu]
5f70bf18a086: Layer already exists 
11083b444c90: Layer already exists 
9468150a390c: Layer already exists 
56abdd66ba31: Layer already exists 
latest: digest: sha256:4e709bde11754c2a27ed6e9b9ba55569647f83903f85cd8107e36162c5579984 size: 1151

4. Look at /root/.docker/config.json, the file that records the login credentials: the auth entry is generated automatically, so the next pull does not require logging in again.

[root@server1 docker]# cat /root/.docker/config.json 
{
	"auths": {
		"westos.org": {
			"auth": "dXNlcjE6d2VzdG9z"
		}
	},
	"HttpHeaders": {
		"User-Agent": "Docker-Client/18.06.1-ce (linux)"
	}
}

5. On server2, images in the private registry can be pulled or pushed only after logging in

[root@server2 westos.org]# docker login westos.org
Username: user2
Password: 
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded
[root@server2 westos.org]# docker pull westos.org/ubuntu
Using default tag: latest
latest: Pulling from ubuntu
257507fcd746: Pull complete 
cd03f9b52ed8: Pull complete 
493709ab45b5: Pull complete 
4f4fb700ef54: Pull complete 
Digest: sha256:4e709bde11754c2a27ed6e9b9ba55569647f83903f85cd8107e36162c5579984
Status: Downloaded newer image for westos.org/ubuntu:latest
[root@server2 westos.org]# docker logout westos.org
Removing login credentials for westos.org
[root@server2 westos.org]# docker push westos.org/ubuntu
The push refers to repository [westos.org/ubuntu]
5f70bf18a086: Preparing 
11083b444c90: Preparing 
9468150a390c: Preparing 
56abdd66ba31: Preparing 
no basic auth credentials
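The script below is an added example for this post, not part of the original article or of the registry project. It checks two things the steps above rely on: that every line of the htpasswd file is a bcrypt entry (the -B in htpasswd -Bbn; the registry ignores MD5 or SHA entries, so such a user can never log in) and that no user was appended twice, and it decodes the auth value that docker login leaves in config.json to show that it is only base64 of user:password, which is what the "stored unencrypted" warning above means. It uses POSIX sh with cut/sed/grep/base64; the sample htpasswd lines are constructed dummies, the config.json sample is the one printed above, and all function names are my own.

```shell
#!/bin/sh
# Added example (not from the original post): checks on the htpasswd file that
# REGISTRY_AUTH_HTPASSWD_PATH points at, and on the credentials docker login
# writes to ~/.docker/config.json. POSIX sh plus cut/sed/grep/base64 only.

# write_samples DIR: write constructed sample inputs (not real credentials)
# into DIR so the checks can be run offline.
write_samples() {
    dir=$1
    # what "htpasswd -Bbn user1 westos" followed by ">>" for user2 produces,
    # plus a user3 line made with MD5 (-m) by mistake; the hashes are dummies
    cat > "$dir/htpasswd" <<'EOF'
user1:$2y$05$CONSTRUCTEDbcryptHASHxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
user2:$2y$05$CONSTRUCTEDbcryptHASHyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy
user3:$apr1$CONSTRUCTED$md5hashzzzzzzzzzzzzz
EOF
    # the same file with only the two bcrypt users
    head -n 2 "$dir/htpasswd" > "$dir/htpasswd.ok"
    # the config.json shown in the post after "docker login westos.org"
    cat > "$dir/config.json" <<'EOF'
{
    "auths": {
        "westos.org": {
            "auth": "dXNlcjE6d2VzdG9z"
        }
    },
    "HttpHeaders": {
        "User-Agent": "Docker-Client/18.06.1-ce (linux)"
    }
}
EOF
}

# check_htpasswd FILE: 0 when every line is user:$2y$... (bcrypt, the format
# "htpasswd -B" writes) and no username repeats. The registry only accepts
# bcrypt entries and ignores the rest, so an MD5 or SHA line silently locks
# that user out. Prints one diagnostic per problem.
check_htpasswd() {
    file=$1; rc=0
    dups=$(cut -d: -f1 "$file" | sort | uniq -d)
    if [ -n "$dups" ]; then
        echo "duplicate user(s): $dups"; rc=1
    fi
    while IFS= read -r line; do
        [ -z "$line" ] && continue
        user=${line%%:*}; pw=${line#*:}
        case $pw in
            '$2y$'*|'$2a$'*|'$2b$'*) ;;
            '$apr1$'*) echo "$user: MD5 (apr1) hash, ignored by the registry"; rc=1 ;;
            '{SHA}'*)  echo "$user: SHA-1 hash, ignored by the registry"; rc=1 ;;
            *)         echo "$user: not a bcrypt hash, ignored by the registry"; rc=1 ;;
        esac
    done < "$file"
    return $rc
}

# stored_user CONFIG REGISTRY: print the username docker login stored for
# REGISTRY. The "auth" value is only base64("user:password"), which is what the
# "stored unencrypted" warning in the login output refers to; anyone who can
# read the file gets the password back the same way (only the user is printed).
stored_user() {
    b64=$(sed -n "/\"$2\"/,/}/ s/.*\"auth\": *\"\([^\"]*\)\".*/\1/p" "$1")
    [ -n "$b64" ] || { echo "no credentials stored for $2" >&2; return 1; }
    cred=$(printf '%s' "$b64" | base64 -d)
    echo "${cred%%:*}"
}

# has_credential_helper CONFIG: 0 if a credsStore is configured, i.e. the
# password is kept by a credential helper instead of in the JSON file.
has_credential_helper() {
    grep -q '"credsStore"' "$1"
}

# demo: run the checks on the constructed samples
main() {
    dir=$(mktemp -d)
    write_samples "$dir"
    echo "== $dir/htpasswd"
    check_htpasswd "$dir/htpasswd" || echo "fix the entries above before starting the registry"
    echo "== $dir/config.json"
    echo "credentials stored for westos.org: user $(stored_user "$dir/config.json" westos.org)"
    has_credential_helper "$dir/config.json" || echo "no credsStore: the password is recoverable from config.json"
    rm -rf "$dir"
}
main
```

To run it against a real host, point check_htpasswd at /tmp/docker/auth/htpasswd and stored_user at /root/.docker/config.json; when has_credential_helper reports no credsStore, configuring a credential helper (the link in the login warning above) keeps the password out of the file.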