docker registry私有镜像仓库

前言

环境:centos 7.9 docker 20
docker仓库一般有:公网上的docker hub,而docker的私有仓库一般有2种,docker registry和harbor,前者是docker官方的私有仓库,比较小巧,在一些小业务场景比较合适使用,且没有web页面,后者harbor是VMware 公司中国团队的开源项目,有web页面,比较人性化,企业使用范围较广。本篇先来讲解docker公司的registry镜像仓库。harbor仓库的搭建可以参考https://blog.csdn.net/MssGuo/article/details/126210184
挺好的文章:http://events.jianshu.io/p/de8969f17b53

新项目distribution(新的docker registry被称为Distribution)代替了registry,两者其实就是一个意思。docker官网的镜像名还是registry。
docker-distribution的2种安装方法:

# Method 1: install the docker-distribution package with yum and let systemd run it.
yum install docker-distribution   			# install via yum, managed by systemd
systemctl enable docker-distribution.service
systemctl start docker-distribution.service
# Method 2: run the registry as a container. The bare `docker run` here is only a
# placeholder; the full command is given in the next section.
docker run 									# install via docker

我们将使用docker安装镜像仓库。

搭建registry仓库

官网文档:https://docs.docker.com/registry/
# Pull the registry image.
# NOTE(review): `latest` is a moving tag; pinning a specific version tag or digest
# keeps the deployment reproducible and makes an unexpected image change visible.
docker pull registry:latest
# Run the registry as a container with its data persisted under /opt/registry on the host.
# As the author points out, this leaves a gap: no username/password is configured yet.
# -p 5000:5000 publishes the port on every host interface, so until authentication
# is added anyone who can reach port 5000 can pull and push images.
docker run -d -p 5000:5000 --restart always --name registry  -v /opt/registry:/var/lib/registry registry:latest 

访问registry镜像(无账号密码)

registry镜像仓库没有图形化,访问如下:

#浏览器web页面访问方式
http://192.168.158.130:5000/v2/_catalog
{
    
    "repositories":[]}				#[]显示为空,因为没有任何镜像
#或者Linux命令行curl一下
curl -XGET http://192.168.158.130:5000/v2/_catalog
{
    
    "repositories":[]}				#[]显示为空,因为没有任何镜像

推送镜像到registry镜像仓库(无账号密码)

# Push an image to the registry
vim /etc/docker/daemon.json								# edit the Docker daemon config and add the line below
# (Reader note, not part of daemon.json.) "insecure-registries" tells this daemon to
# accept plain HTTP, or an unverified TLS certificate, for the listed registry, so
# image content is neither encrypted nor authenticated in transit. It is needed here
# only because the registry was started without TLS.
"insecure-registries": ["192.168.158.130:5000"]
systemctl  restart docker								# restart docker so the setting takes effect
docker tag nginx:1.18 192.168.158.130:5000/nginx:1.18	# tag the image with the registry address
docker push 192.168.158.130:5000/nginx:1.18				# push the image to the registry
# List the repositories to confirm the push
curl -XGET http://192.168.158.130:5000/v2/_catalog
{
    
    "repositories":["nginx"]}

给registry镜像仓库设置账号密码

前面安装registry镜像仓库时并没有设置账号密码,任何能访问5000端口的人都可以拉取和上传镜像,很不安全,现在设置账号密码。注意:本文的仓库走的是HTTP,Basic认证的账号密码在网络上是明文(仅Base64编码)传输的,生产环境应同时为registry配置TLS:

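# Install httpd-tools, which provides the htpasswd utility
yum install  httpd-tools -y
# Create the directory that will hold the registry's credential file
mkdir -p /etc/registry/auth
# Generate a bcrypt (-B) password hash for user "admin" and store it in
# /etc/registry/auth/passwd. The file holds a password hash, not a key.
# Without -b, htpasswd prompts for the password, which keeps it out of shell
# history and the process list. The rest of this tutorial uses the sample
# password admin123456; choose a strong, unique password for a real registry.
htpasswd -Bn admin > /etc/registry/auth/passwd
# Keep the hash readable by its owner only, so other local users cannot copy it
# for offline guessing.
# NOTE(review): assumes the registry process in the container runs as root and can
# still read the file; loosen the mode if the image runs as another user.
chmod 600 /etc/registry/auth/passwd
# Remove the unauthenticated container before starting the authenticated one
docker stop registry && docker rm registry
# Comments cannot follow a trailing backslash ("\ # ..." ends the command early),
# so the per-option notes are kept here:
#   -v /etc/registry/auth:/etc/registry/auth:ro  mounts the auth directory into the
#                                                container, read-only
#   REGISTRY_AUTH_HTPASSWD_PATH                  path of the passwd file inside the container
# The registry still serves plain HTTP, so Basic-auth credentials cross the network
# unencrypted; configure TLS (REGISTRY_HTTP_TLS_CERTIFICATE / REGISTRY_HTTP_TLS_KEY)
# before using this outside a lab network.
docker run -d -p 5000:5000 --restart always --name registry \
  -v /opt/registry:/var/lib/registry \
  -v /etc/registry/auth:/etc/registry/auth:ro \
  -e "REGISTRY_AUTH=htpasswd" \
  -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" \
  -e "REGISTRY_AUTH_HTPASSWD_PATH=/etc/registry/auth/passwd" \
  registry:latest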

账号密码-访问registry镜像

#浏览器页面访问
http://192.168.158.130:5000/v2/_catalog  #弹出一个框显示要输入密码,admin/admin123456
#Linux命令行访问
[root@docker ~]# curl -XGET http://192.168.158.130:5000/v2/_catalog							#没有账号密码访问失败
{
    
    "errors":[{
    
    "code":"UNAUTHORIZED","message":"authentication required","detail":[{
    
    "Type":"registry","Class":"","Name":"catalog","Action":"*"}]}]}
[root@docker ~]# curl -XGET -u admin:admin123456 http://192.168.158.130:5000/v2/_catalog	#账号密码访问
{
    
    "repositories":["nginx"]}

账号密码-推送镜像到registry镜像仓库

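# Log in to the registry. With -p omitted, docker prompts for the password, so it
# does not end up in shell history or the process list (scripts can pipe it in with
# --password-stdin instead). Unless a credential helper is configured, docker login
# saves the credential base64-encoded in ~/.docker/config.json; run `docker logout`
# on shared hosts when finished.
docker login -u admin 192.168.158.130:5000
# Tag a local image with the registry address, then push it
docker tag coredns/coredns:latest 192.168.158.130:5000/coredns/coredns:latest
docker push 192.168.158.130:5000/coredns/coredns:latest
# List the repositories; given only a user name, curl prompts for the password
curl -u admin http://192.168.158.130:5000/v2/_catalog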

k8s搭建registry

[root@master ~]# vim deploy-registy.yaml 
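---
# htpasswd credential file for the registry.
# The passwd value is the output of `htpasswd -Bn admin` (this tutorial's sample
# password is admin123456; use your own hash for a real deployment).
# It is kept in a Secret rather than a ConfigMap: a ConfigMap is treated as
# non-sensitive configuration and is usually readable by far more subjects,
# while a Secret can be restricted with RBAC and encrypted at rest.
apiVersion: v1
kind: Secret
metadata:
  name: registry-auth
type: Opaque
stringData:
  passwd: |
    admin:$2y$05$XmcyIRU8D7w2jUCYHskSZ.dcwFDS0SlYP4xMUBj1QZJIvgGSPlTAq
---
# Persistent storage for pushed image layers (5Gi from the nfs-storageclass class).
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
  name: registry-pvc
  labels:
    release: registry
spec:
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 5Gi
  storageClassName: nfs-storageclass
---
# Exposes the registry on port 5000 of every node.
apiVersion: v1
kind: Service
metadata:
  name: "registry-svc"
  labels:
    release: registry
spec:
  ports:
    - name: http-registry
      port: 5000
      # 5000 is outside the default NodePort range (30000-32767); the API server
      # rejects it unless --service-node-port-range has been widened to include it.
      nodePort: 5000
      targetPort: 5000
  type: NodePort
  selector:
    release: registry
---
# Single-replica registry with htpasswd authentication.
# The registry serves plain HTTP here, so Basic-auth credentials and image data
# cross the network unencrypted; add TLS (REGISTRY_HTTP_TLS_CERTIFICATE /
# REGISTRY_HTTP_TLS_KEY, or a TLS-terminating proxy) outside a lab.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: "registry-deployment"
  labels:
    release: registry
spec:
  replicas: 1
  selector:
    matchLabels:
      release: registry
  template:
    metadata:
      labels:
        release: registry
    spec:
      containers:
      - name: registry
        # `latest` is a moving tag; pin a specific version tag or digest for
        # reproducible, reviewable deployments.
        image: registry:latest
        imagePullPolicy: IfNotPresent
        # Both probes request "/" over HTTP.
        # NOTE(review): presumably "/" is used because /v2/ demands credentials
        # once auth is enabled; confirm against the registry version in use.
        livenessProbe:
          httpGet:
            path: /
            scheme: HTTP
            port: 5000
          initialDelaySeconds: 300
          periodSeconds: 10
        readinessProbe:
          httpGet:
            path: /
            scheme: HTTP
            port: 5000
          initialDelaySeconds: 2
          periodSeconds: 10
        env:                                    # three variables that enable htpasswd auth
        - name: REGISTRY_AUTH
          value: htpasswd
        - name: REGISTRY_AUTH_HTPASSWD_REALM
          value: "Registry Realm"
        - name: REGISTRY_AUTH_HTPASSWD_PATH
          value: "/etc/registry/auth/passwd"
        ports:
        - containerPort: 5000
        volumeMounts:
        - name: registry-data                   # image data persisted on the PVC
          mountPath: /var/lib/registry
        - name: registry-auth                   # htpasswd file from the Secret
          mountPath: /etc/registry/auth/passwd
          subPath: passwd
          readOnly: true
      volumes:
      - name: registry-auth
        secret:
          secretName: registry-auth
          items:
            - key: passwd
              path: passwd
      - name: registry-data                     # backed by the PVC defined above
        persistentVolumeClaim:
          claimName: registry-pvc
---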

验证镜像仓库是否可用

# Allow the Docker daemon on each node to reach the registry over plain HTTP.
# "insecure-registries" turns off TLS protection for the listed address, so pulls,
# pushes and login credentials for it travel unencrypted.
vim  /etc/docker/daemon.json 						# every k8s node must be configured with the registry address
"insecure-registries": ["192.168.158.128:5000"]		# add this entry
systemctl restart docker							# restart docker so the setting takes effect
#登录镜像仓库
[root@master ~]# docker login -u admin -p admin123456 192.168.158.128:5000
Login Succeeded
#为镜像打个tag
[root@master ~]# docker tag busybox:1.24.1 192.168.158.128:5000/busybox:1.24.1
#推送镜像到镜像仓库,成功
[root@master ~]# docker push 192.168.158.128:5000/busybox:1.24.1
The push refers to repository [192.168.158.128:5000/busybox]
5f70bf18a086: Pushed 
61e469647daa: Pushed 
1.24.1: digest: sha256:458b359b8cb329f54e965bafee7b41d7557e62ba8d4c061f3dc57c7aaf9c048b size: 733

#查看后端存储,已经持久化了
[root@node2 ~]# ls /k8s_data/default-registry-pvc-pvc-d336e2f7-7bcc-4a79-8e3f-3ccff46c78c9/docker/registry/v2/repositories/
busybox
[root@node2 ~]# 


转载自blog.csdn.net/MssGuo/article/details/128945312