1、docker搭建私有仓库
Docker 仓库是用来包含镜像的位置,Docker提供一个注册服
务器(Register)来保存多个仓库,每个仓库又可以包含多个
具备不同tag的镜像。
Docker运行中使用的默认仓库是 Docker Hub 公共仓库。
Docker Registry有三个角色,分别是index、registry和registry client。
##下载registry镜像
[root@server1 ~]# docker search registry
[root@server1 ~]# docker pull registry
[root@server1 ~]# docker images registry
[root@server1 ~]# docker ps -a
[root@server1 ~]# docker stop webserver
webserver
[root@server1 ~]# docker rm webserver
[root@server1 ~]# docker history registry:latest
##运行registry容器
[root@server1 ~]# docker run -d --name registry -p 5000:5000 -v /opt/registry:/var/lib/registry registry
[root@server1 ~]# docker ps
[root@server1 ~]# netstat -antlp
[root@server1 ~]# ll -d /opt/registry/
drwxr-xr-x 2 root root 6 Jan 26 23:11 /opt/registry/
上传镜像到本地仓库,本地镜像在命名时需要加上仓库的ip和端口
[root@server1 ~]# docker tag webserver:v4 localhost:5000/webserver:latest
[root@server1 ~]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
webserver v4 047ab2e35274 15 hours ago 31.7MB
localhost:5000/webserver latest 047ab2e35274 15 hours ago 31.7MB
[root@server1 ~]# docker push localhost:5000/webserver
[root@server1 ~]# tree /opt/registry/
[root@server1 ~]# curl localhost:5000/v2/_catalog
{"repositories":["webserver"]}
2、docker仓库加密 认证
远程拉取仓库
[root@server2 yum.repos.d]# cd /etc/docker/
[root@server2 docker]# ls
key.json
[root@server2 docker]# vim daemon.json
{
"insecure-registries" : ["192.168.0.1:5000"]
}
[root@server2 docker]# systemctl reload docker
[root@server2 docker]# docker pull 192.168.0.1:5000/webserver
[root@server2 docker]# docker images
[root@server2 docker]# docker tag 192.168.0.1:5000/webserver webserver
[root@server2 docker]# docker run -d webserver
自签名证书与TLS加密
[root@server1 ~]# mkdir -p certs
[root@server1 ~]# docker stop registry
registry
[root@server1 ~]# docker ps
[root@server1 ~]# docker rm registry
registry
[root@server1 ~]# ll /opt/registry/
total 0
drwxr-xr-x 3 root root 22 Jan 27 00:31 docker
[root@server2 docker]# rm -f daemon.json
[root@server2 docker]# systemctl reload docker
[root@server1 ~]# docker rmi localhost:5000/webserver:latest
[root@server1 ~]# docker rm -f registry
registry
[root@server1 ~]# cd certs/
[root@server1 certs]# ls
domain.key westos.crt
[root@server1 certs]# rm -fr *
[root@server1 certs]# cd
[root@server1 ~]# openssl req -newkey rsa:4096 -nodes -sha256 -keyout certs/westos.org.key -x509 -days 365 -out certs/westos.org.crt
[root@server1 ~]# vim /etc/hosts
192.168.0.1 server1 reg.westos.org
[root@server1 ~]# docker run -d --name registry -p 443:443 -v /opt/registry:/var/lib/registry -v "$(pwd)"/certs:/certs -e REGISTRY_HTTP_ADDR=0.0.0.0:443 -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/westos.org.crt -e REGISTRY_HTTP_TLS_KEY=/certs/westos.org.key registry
[root@server1 ~]# docker tag game2048:latest reg.westos.org/game2048:latest
[root@server1 ~]# docker push reg.westos.org/game2048:latest
[root@server1 ~]# mkdir /etc/docker/certs.d/reg.westos.org/ -p
[root@server1 ~]# ls certs/
westos.org.crt westos.org.key
[root@server1 ~]# cp certs/westos.org.crt /etc/docker/certs.d/reg.westos.org/ca.crt
[root@server1 ~]# ll /etc/docker/certs.d/reg.westos.org/ca.crt
-rw-r--r-- 1 root root 2106 Jan 27 02:46 /etc/docker/certs.d/reg.westos.org/ca.crt
[root@server1 ~]# docker push reg.westos.org/game2048:latest
[root@server1 reg.westos.org]# scp ca.crt server2:/etc/docker/certs.d/reg.westos.org/
[root@server2 docker]# mkdir /etc/docker/certs.d/reg.westos.org/ -p
[root@server2 docker]# vim /etc/hosts
192.168.0.1 server1 reg.westos.org
[root@server2 docker]# cd /etc/docker/certs.d/reg.westos.org/
[root@server2 reg.westos.org]# ls
ca.crt
[root@server2 ~]# docker pull reg.westos.org/game2048
认证
[root@server1 ~]# curl -k https://192.168.0.1/v2/_catalog
{"repositories":["game2048","webserver"]}
[root@server1 ~]# ll -d /opt/registry/
drwxr-xr-x 3 root root 20 Jan 27 00:31 /opt/registry/
[root@server1 ~]# mkdir auth
[root@server1 ~]# yum provides */htpasswd
[root@server1 ~]# yum install -y httpd-tools
[root@server1 ~]# htpasswd -c -B auth/htpasswd linux
[root@server1 ~]# htpasswd -B auth/htpasswd admin
[root@server1 ~]# cat auth/htpasswd
[root@server1 ~]# docker run -d --name registry -p 443:443 -v /opt/registry:/var/lib/registry -v "$(pwd)"/certs:/certs -e REGISTRY_HTTP_ADDR=0.0.0.0:443 -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/westos.org.crt -e REGISTRY_HTTP_TLS_KEY=/certs/westos.org.key -v "$(pwd)"/auth:/auth -e "REGISTRY_AUTH=htpasswd" -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd registry
[root@server1 ~]# ls certs/
westos.org.crt westos.org.key
[root@server1 ~]# docker ps
[root@server1 ~]# docker tag ubuntu:latest reg.westos.org/ubuntu:latest
3、harbor仓库
建立公共仓库
[root@server1 ~]# mv docker-compose-Linux-x86_64-1.27.0 /usr/local/bin/docker-compose
[root@server1 ~]# chmod +x /usr/local/bin/docker-compose
[root@server1 ~]# cd harbor/
[root@server1 harbor]# docker rm -f registry
[root@server1 ~]# mkdir /data
[root@server1 ~]# cp -r certs/ /
[root@server1 ~]# cd /certs/
[root@server1 ~]# cd harbor/
[root@server1 harbor]# vim harbor.yml
hostname: reg.westos.org
certificate: /certs/westos.org.crt
private_key: /certs/westos.org.key
harbor_admin_password: westos
[root@server1 harbor]# ./install.sh --help
[root@server1 harbor]# ./install.sh
[root@server1 harbor]# docker ps
[root@server1 harbor]# docker logout reg.westos.org
Removing login credentials for reg.westos.org
[root@server1 harbor]# cat ~/.docker/config.json
{
"auths": {}
[root@server1 harbor]# docker login reg.westos.org
Username: admin
[root@server1 harbor]# docker tag busybox:latest reg.westos.org/library/busybox:latest
[root@server1 harbor]# docker push reg.westos.org/library/busybox:latest
[root@server2 ~]# cd /etc/docker/
[root@server2 docker]# vim daemon.json
{
"registry-mirrors": ["https://reg.westos.org"]
}
[root@server2 docker]# systemctl reload docker
[root@server2 docker]# docker pull busybox
[root@server1 docker]# docker tag game2048:latest reg.westos.org/library/game2048:latest
[root@server1 docker]# docker push reg.westos.org/library/game2048:latest
[root@server1 docker]# cd /data/
[root@server1 data]# ls
建立私有仓库
[root@server1 data]# docker logout reg.westos.org
[root@server1 data]# docker login reg.westos.org
Username: linux ##维护人员
[root@server1 data]# docker tag ubuntu:latest reg.westos.org/westos/ubuntu:latest
[root@server1 data]# docker push reg.westos.org/westos/ubuntu:latest
[root@server2 docker]# docker logout reg.westos.org
Removing login credentials for reg.westos.org
[root@server2 docker]# docker login reg.westos.org
Username: demo ##访客
[root@server2 docker]# docker tag webserver:latest reg.westos.org/westos/webserver:latest
[root@server2 docker]# docker push reg.westos.org/westos/webserver:latest
[root@server2 docker]# docker rmi reg.westos.org/ubuntu
[root@server2 docker]# docker rmi 192.168.0.1:5000/webserver
[root@server2 docker]# docker pull reg.westos.org/westos/ubuntu
镜像签名
[root@server1 harbor]# docker-compose down
[root@server1 harbor]# ./prepare #清理
[root@server1 harbor]# ./install.sh --with-notary --with-clair --with-chartmuseum
[root@server1 harbor]# docker-compose ps
[root@server1 harbor]# docker login reg.westos.org
Username: admin
[root@server1 harbor]# docker push reg.westos.org/library/game2048:latest
启用docker内容信任
[root@server1 harbor]# docker images webserver
[root@server1 harbor]# docker tag webserver:v4 reg.westos.org/library/webserver:latest
[root@server1 harbor]# docker push reg.westos.org/library/webserver:latest
[root@server1 harbor]# export DOCKER_CONTENT_TRUST=1
[root@server1 harbor]# export DOCKER_CONTENT_TRUST_SERVER=https://reg.westos.org:4443
[root@server2 docker]# docker rmi reg.westos.org/westos/ubuntu:latest
[root@server2 docker]# docker pull reg.westos.org/westos/ubuntu:latest
[root@server2 docker]# docker rmi reg.westos.org/westos/ubuntu:latest
[root@server1 harbor]# docker tag game2048:latest reg.westos.org/westos/game2048:latest
[root@server1 ~]# cd .docker/
[root@server1 .docker]# mkdir tls/reg.westos.org:4443 -p
[root@server1 .docker]# cd tls/reg.westos.org\:4443/
[root@server1 reg.westos.org:4443]# cp /certs/westos.org.crt ca.crt
[root@server1 ~]# docker push reg.westos.org/westos/game2048:latest
[root@server2 ~]# docker pull reg.westos.org/westos/game2048:latest
[root@server1 ~]# docker tag nginx:latest reg.westos.org/westos/game2048:v1
[root@server1 ~]# docker push reg.westos.org/westos/game2048:v1
4、docker网络
基本网络配置
[root@server1 harbor]# docker-compose stop
[root@server2 ~]# docker run -it --rm busybox
pq
[root@server2 ~]# brctl show
[root@server2 ~]# brctl show
[root@server2 ~]# docker run -d --name demo webserver
57180e07485ad1a0e9457b766910359b8d32869dde12dc5d98d82849a1ba3ee5
[root@server2 ~]# docker ps
[root@server2 ~]# docker attach b404b959e51e
/ # route -n
## host网络模式需要在容器创建时指定--network=host
[root@server2 ~]# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
[root@server2 ~]# docker run -d --name demo --network=host webserver
[root@server2 ~]# brctl show
[root@server2 ~]# docker run -it --rm --network=none busybox
none模式是指禁用网络功能,只有lo接口,在容器创建时使用 --network=none 指定。
自定义网络
[root@server2 ~]# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
[root@server2 ~]# docker network create mynet1
979f4aa7daf9dcfa986b0b29bc2e561d81b11d2e01e00da9f994fb73c43849db
[root@server2 ~]# docker network ls
979f4aa7daf9 mynet1 bridge local
[root@server2 ~]# docker inspect demo
"IPAddress": "172.18.0.2",
[root@server2 ~]# docker run -d --name demo2 --network=mynet1 webserver
[root@server2 ~]# docker run -it --rm --network=mynet1 busybox
[root@server2 ~]# docker stop demo
demo
[root@server2 ~]# docker stop demo2
demo2
[root@server2 ~]# docker start demo2
demo2
[root@server2 ~]# docker start demo
demo