Creating a private registry in a Docker container

I. Docker repositories

1. A repository is a place where image files are stored centrally. People often conflate a repository with the registry server (Registry) and do not strictly distinguish the two. In fact, a registry server usually hosts many repositories, each repository contains many images, and each image can carry several tags.
2. Repositories come in two forms, public and private. The largest public registry is Docker Hub, which hosts an enormous number of images for download. Public registries in China include Docker Pool and others, which give users in mainland China more stable and faster access.
3. A user can also create a private registry on the local network. Once you have built your own image you can use the push command to upload it to a public or private registry; the next time that image is needed on another machine you simply pull it from the registry.

II. Advantages of a private registry

Sometimes a public registry such as Docker Hub is inconvenient; in that case a user can run registry to create a local registry for private use, much like running a local Maven repository manager.

A private registry has several advantages:
1) It saves network bandwidth: not everyone has to download every image from the central registry; they fetch it from the private registry instead;
2) It improves image reuse: images that are only used inside the company are pushed to the local private registry for internal staff to consume.

Docker Registry has moved to v2 and current Docker releases no longer support the v1 protocol. Registry v2 is written in Go, brings many performance and security improvements, and redesigned the image storage format so that every layer, config and manifest is addressed by its content digest. To install registry v2 you only need to pull the registry:2 image (the registry:2.2 tag mentioned in the original is one specific 2.x release; registry:2 tracks the latest 2.x).

Docker's official registry implementation (the v2 server from the docker/distribution project; docker-registry was the name of the earlier v1 Python implementation) is what the registry image packages, and it is what is used below to build a private image registry.

III. Creating a private registry
Docker packages the registry itself as an image, so a registry is deployed simply by starting a container. Here the registry:2 image is loaded from a saved tarball with docker load instead of being pulled:

[root@server1 ~]# docker load -i registry2.tar
[root@server1 ~]# docker images registry
[root@server1 ~]# docker run -d --name registry -p 5000:5000 -v /opt/registry:/var/lib/registry registry:2
[root@server1 ~]# docker ps
CONTAINER ID        IMAGE                  COMMAND                  CREATED             STATUS              PORTS                    NAMES
0a60cf8bdb5d        registry:2             "/entrypoint.sh /etc…"   6 seconds ago       Up 3 seconds        0.0.0.0:5000->5000/tcp   registry

Push a local image to the local registry

Tagging the image as localhost:5000/nginx selects the registry by host name and port. This registry speaks plain HTTP: the push works without any extra configuration only because the daemon treats registries on 127.0.0.0/8 as insecure by default. A push to the same registry from another host would fail unless that host listed it under insecure-registries in /etc/docker/daemon.json, and the traffic would still be unencrypted and unauthenticated, which is what the TLS and authentication sections below address.

[root@server1 ~]# docker tag nginx:latest localhost:5000/nginx
[root@server1 ~]# docker images localhost:5000/nginx
REPOSITORY             TAG                 IMAGE ID            CREATED             SIZE
localhost:5000/nginx   latest              53f3fd8007f7        3 weeks ago         109MB
[root@server1 ~]# docker push localhost:5000/nginx
The push refers to repository [localhost:5000/nginx]
332fa54c5886: Pushed 
6ba094226eea: Pushed 
6270adb5794c: Pushed 
latest: digest: sha256:e770165fef9e36b990882a4083d8ccf5e29e469a8609bb6b2e3b47d9510e2c8d size: 948

Inspect the storage. Everything lands in the bind-mounted /opt/registry: docker/registry/v2/blobs holds every layer, config and manifest as a file named by its sha256 digest, while docker/registry/v2/repositories/nginx holds only small link files that point tags and layers at those blobs.

[root@server1 ~]# cd /opt/registry/
[root@server1 registry]# ls
docker
[root@server1 registry]# yum install -y tree
[root@server1 registry]# tree docker

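The link/blob structure just inspected lends itself to a quick integrity audit of the bind-mounted directory. The following is an added example, not code from the original post or from the registry project: it builds a constructed copy of registry:2's filesystem layout (repository name nginx, invented layer and config bytes) in a temporary directory, resolves each tag through its current/link file to a manifest, checks that the manifest and the blobs it references exist, re-hashes every blob against the directory name that is supposed to be its digest, and then tampers with one layer to show that the audit catches it.

```python
# Added example (not part of the original post): audits the on-disk layout that
# `tree /opt/registry/docker` shows for registry:2's filesystem storage driver.
# It resolves every tag to its manifest digest, checks that the manifest and the
# blobs it references exist, and re-hashes each blob. The sample tree, the
# repository name "nginx" and the blob contents are constructed so it runs offline.
import hashlib
import json
import tempfile
from pathlib import Path

V2 = Path("docker") / "registry" / "v2"   # prefix registry:2 uses inside the mount


def blob_path(root, digest):
    """blobs/sha256/<first two hex chars>/<hex>/data, as registry:2 lays it out."""
    algo, hexd = digest.split(":")
    return Path(root) / V2 / "blobs" / algo / hexd[:2] / hexd / "data"


def write_blob(root, data):
    digest = "sha256:" + hashlib.sha256(data).hexdigest()
    p = blob_path(root, digest)
    p.parent.mkdir(parents=True, exist_ok=True)
    p.write_bytes(data)
    return digest


def write_link(root, repo, rel, digest):
    """A `link` file holds only a digest string; tags are mutable pointers into the blob store."""
    p = Path(root) / V2 / "repositories" / repo / rel / "link"
    p.parent.mkdir(parents=True, exist_ok=True)
    p.write_text(digest)


def build_sample_registry(root, repo="nginx", tag="latest"):
    """Constructed stand-in for what `docker push localhost:5000/nginx` leaves behind."""
    layer_bytes, config_bytes = b"constructed layer bytes", b'{"architecture":"amd64"}'
    layer, config = write_blob(root, layer_bytes), write_blob(root, config_bytes)
    manifest = json.dumps({
        "schemaVersion": 2,
        "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
        "config": {"digest": config, "size": len(config_bytes)},
        "layers": [{"digest": layer, "size": len(layer_bytes)}],
    }).encode()
    mdigest = write_blob(root, manifest)
    for d in (layer, config):
        write_link(root, repo, Path("_layers", "sha256", d[7:]), d)
    write_link(root, repo, Path("_manifests", "revisions", "sha256", mdigest[7:]), mdigest)
    write_link(root, repo, Path("_manifests", "tags", tag, "current"), mdigest)
    write_link(root, repo, Path("_manifests", "tags", tag, "index", "sha256", mdigest[7:]), mdigest)
    return mdigest


def audit_registry(root):
    """Return ({repo: {tag: manifest digest}}, missing blobs, blobs whose bytes no longer match their name)."""
    root = Path(root)
    repos = root / V2 / "repositories"
    images, missing = {}, []
    for link in repos.rglob("_manifests/tags/*/current/link"):
        tag = link.parents[1].name
        repo = link.parents[4].relative_to(repos).as_posix()
        mdigest = link.read_text().strip()
        images.setdefault(repo, {})[tag] = mdigest
        mpath = blob_path(root, mdigest)
        if not mpath.exists():
            missing.append(mdigest)
            continue
        manifest = json.loads(mpath.read_bytes())
        refs = [manifest["config"]["digest"]] + [l["digest"] for l in manifest["layers"]]
        missing += [d for d in refs if not blob_path(root, d).exists()]
    corrupt = []
    for data in (root / V2 / "blobs" / "sha256").rglob("data"):
        if hashlib.sha256(data.read_bytes()).hexdigest() != data.parent.name:
            corrupt.append("sha256:" + data.parent.name)
    return images, sorted(set(missing)), sorted(corrupt)


def demo():
    """Build the sample tree, audit it, tamper with one layer on disk and audit again."""
    with tempfile.TemporaryDirectory() as tmp:
        mdigest = build_sample_registry(tmp)
        clean = audit_registry(tmp)
        manifest = json.loads(blob_path(tmp, mdigest).read_bytes())
        layer = manifest["layers"][0]["digest"]
        blob_path(tmp, layer).write_bytes(b"tampered")   # name no longer matches content
        return mdigest, layer, clean, audit_registry(tmp)


if __name__ == "__main__":
    print(demo())
```

Two points the audit makes visible: blobs are immutable by construction (changing the bytes breaks the hash that names them, and the audit reports the layer), but tags are just link files, so anyone with write access to /opt/registry on the host can repoint latest at a different manifest without tripping any hash check. Pulling by digest (zyc.org/game2048@sha256:...) rather than by tag is the client-side defence against that.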
Pull the image from the local registry (both local tags are removed first so that the pull really fetches from the registry rather than reusing the cached image)

[root@server1 registry]# docker rmi localhost:5000/nginx:latest 
Untagged: localhost:5000/nginx:latest
Untagged: localhost:5000/nginx@sha256:e770165fef9e36b990882a4083d8ccf5e29e469a8609bb6b2e3b47d9510e2c8d
[root@server1 registry]# docker rmi nginx:latest
Untagged: nginx:latest
Untagged: nginx@sha256:23b4dcdf0d34d4a129755fc6f52e1c6e23bb34ea011b315d87e193033bcd1b68
Deleted: sha256:53f3fd8007f76bd23bf663ad5f5009c8941f63828ae458cef584b5f85dc0a7bf
Deleted: sha256:50183b8336fcc9552a55c86895cdfdfb6f1bb349a951da638f22f645ce235926
Deleted: sha256:093a0ead7cedbef266292a1b08e478489ed6584170f0d82127c5ac9a10fd8303
Deleted: sha256:6270adb5794c6987109e54af00ab456977c5d5cc6f1bc52c1ce58d32ec0f15f4
[root@server1 registry]# docker pull localhost:5000/nginx
Using default tag: latest
latest: Pulling from nginx
743f2d6c1f65: Pull complete 
6bfc4ec4420a: Pull complete 
688a776db95f: Pull complete 
Digest: sha256:e770165fef9e36b990882a4083d8ccf5e29e469a8609bb6b2e3b47d9510e2c8d
Status: Downloaded newer image for localhost:5000/nginx:latest
[root@server1 registry]# docker tag localhost:5000/nginx:latest nginx
[root@server1 registry]# docker images
REPOSITORY                           TAG                 IMAGE ID            CREATED             SIZE
nginx                                latest              53f3fd8007f7        3 weeks ago         109MB
localhost:5000/nginx                 latest              53f3fd8007f7        3 weeks ago         109MB
registry                             2                   f32a97de94e1        2 months ago        25.8MB
[root@server1 registry]# docker rmi localhost:5000/nginx:latest
Untagged: localhost:5000/nginx:latest
Untagged: localhost:5000/nginx@sha256:e770165fef9e36b990882a4083d8ccf5e29e469a8609bb6b2e3b47d9510e2c8d
[root@server1 registry]# docker images
REPOSITORY                           TAG                 IMAGE ID            CREATED             SIZE
nginx                                latest              53f3fd8007f7        3 weeks ago         109MB

Encrypted upload (TLS)
1. Create the server key and certificate. The self-signed certificate generated below names the registry host (Common Name zyc.org) and, being self-signed, doubles as the CA certificate that clients will be told to trust. Newer Docker daemons (built with Go 1.15 or later) no longer fall back to the Common Name and require a subjectAltName, so on current releases add one when generating the certificate (OpenSSL 1.1.1 and later accept -addext "subjectAltName=DNS:zyc.org"); the Docker 18.06 client used on this page still accepts a CN-only certificate.

[root@server1 registry]# cd /tmp/docker/
[root@server1 docker]# mkdir -p certs
[root@server1 docker]# openssl req -newkey rsa:4096 -nodes -sha256 -keyout certs/zyc.org.key -x509 -days 365 -out certs/zyc.org.crt
Generating a 4096 bit RSA private key
...........................................................................................................................................++
................................................................................................................................................................................................................................................................++
writing new private key to 'certs/zyc.org.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:shaanxi
Locality Name (eg, city) [Default City]:xi'an
Organization Name (eg, company) [Default Company Ltd]:westos
Organizational Unit Name (eg, section) []:linux
Common Name (eg, your name or your server's hostname) []:zyc.org
Email Address []:[email protected]
[root@server1 docker]# cd certs/
[root@server1 certs]# ls
zyc.org.crt  zyc.org.key

Add a local name resolution entry so that the registry is reached by the name on the certificate

[root@server1 certs]# vim /etc/hosts
172.25.26.1 server1 zyc.org

Recreate the registry, now listening on 443 with TLS; the certs directory is bind-mounted into the container and the REGISTRY_HTTP_TLS_* variables point at the certificate and key inside it

[root@server1 docker]#  docker rm -f registry
registry
[root@server1 docker]# docker run -d --restart=always --name registry -v /tmp/docker/certs:/certs -e REGISTRY_HTTP_ADDR=0.0.0.0:443 -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/zyc.org.crt -e REGISTRY_HTTP_TLS_KEY=/certs/zyc.org.key -p 443:443 -v /opt/registry:/var/lib/registry registry:2
d49cce7382e02b4322959bb7f17873ec34bc298ac73c1e1f644de11eb7c87906
[root@server1 docker]# docker ps
CONTAINER ID        IMAGE                  COMMAND                  CREATED             STATUS              PORTS                            NAMES
d49cce7382e0        registry:2             "/entrypoint.sh /etc…"   6 seconds ago       Up 4 seconds        0.0.0.0:443->443/tcp, 5000/tcp   registry

Create the certificate directory and copy the certificate into it. The daemon trusts a private CA for the registry host zyc.org only if it finds it at /etc/docker/certs.d/zyc.org/ca.crt (for a registry on a non-default port the directory is named host:port instead).

[root@server1 docker]# cd /etc/docker/
[root@server1 docker]# ls
daemon.json  key.json
[root@server1 docker]# mkdir certs.d
[root@server1 docker]# cd certs.d/
[root@server1 certs.d]# mkdir zyc.org
[root@server1 certs.d]# cd zyc.org/
[root@server1 zyc.org]# cp /tmp/docker/certs/zyc.org.crt ca.crt

Import an image and push it to the private registry (game2048 is an image already present on server1; tagging it with the host name zyc.org selects the private registry)

[root@server1 zyc.org]# docker tag game2048:latest zyc.org/game2048
[root@server1 zyc.org]# docker push zyc.org/game2048

Inspect the storage
[root@server1 zyc.org]# cd /opt/registry/
[root@server1 registry]# tree docker/

Test from server2:

[root@server2 docker]# systemctl start docker
[root@server2 docker]# cd /etc/docker
[root@server2 docker]# mkdir certs.d
[root@server2 docker]# cd certs.d/
[root@server2 certs.d]# mkdir zyc.org

[root@server2 certs.d]# vim /etc/hosts
172.25.26.1 server1 zyc.org

[root@server2 certs.d]# docker pull zyc.org/game2048
Using default tag: latest
Error response from daemon: Get https://zyc.org/v2/: x509: certificate signed by unknown authority   ## server2 does not trust the certificate yet, so the pull fails

server1 copies the certificate to server2 (only ca.crt is copied; the private key stays on the registry host)

[root@server1 registry]# cd /etc/docker/certs.d/zyc.org/
[root@server1 zyc.org]# ls
ca.crt
[root@server1 zyc.org]# scp ca.crt server2:/etc/docker/certs.d/zyc.org/
The authenticity of host 'server2 (172.25.26.2)' can't be established.
ECDSA key fingerprint is 0d:6c:e1:1e:ff:c7:14:43:94:87:34:b1:15:bb:cf:94.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'server2' (ECDSA) to the list of known hosts.
root@server2's password: 
ca.crt                                                  100% 2078     2.0KB/s   00:00  

Test again from server2

[root@server2 certs.d]# docker pull zyc.org/game2048
Using default tag: latest
latest: Pulling from game2048
534e72e7cedc: Pull complete 
f62e2f6dfeef: Pull complete 
fe7db6293242: Pull complete 
3f120f6a2bf8: Pull complete 
4ba4e6930ea5: Pull complete 
Digest: sha256:8a34fb9cb168c420604b6e5d32ca6d412cb0d533a826b313b190535c03fe9390
Status: Downloaded newer image for zyc.org/game2048:latest
[root@server2 certs.d]# docker images
REPOSITORY                           TAG                 IMAGE ID            CREATED             SIZE
zyc.org/game2048                     latest              19299002fdbe        2 years ago         55.5MB

Setting up user authentication
Restrict use of the registry so that it can only be used after logging in with a user name and password. Note that the htpasswd back end only authenticates: every user in the file gets full push and pull access to every repository. Per-user or per-repository authorization needs a token server (REGISTRY_AUTH=token) or an authenticating reverse proxy in front of the registry.
1. Create the user's password entry and inspect it. The -B flag produces a bcrypt hash, which is the only hash format the registry accepts. The registry:2 image used here still ships the htpasswd binary; images from 2.7 onward do not, so on newer releases run the same htpasswd invocation with the httpd:2 image instead.

[root@server1 zyc.org]# cd /tmp/docker/
[root@server1 docker]# mkdir auth
[root@server1 docker]#  docker run --rm --entrypoint htpasswd registry:2 -Bbn zyc redhat > auth/htpasswd
[root@server1 docker]# cat auth/htpasswd 
zyc:$2y$05$JoL1VmAdBAHENMH44tjgpOlpdoqKt/9Upkg7uGu631V3FDErROuRO

2. Recreate the registry with authentication enabled (the auth directory is bind-mounted and REGISTRY_AUTH=htpasswd points the registry at the file inside it)

[root@server1 docker]# docker rm -f registry 
registry
[root@server1 docker]# docker run -d --restart=always --name registry -v /tmp/docker/certs:/certs -e REGISTRY_HTTP_ADDR=0.0.0.0:443 -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/zyc.org.crt -e REGISTRY_HTTP_TLS_KEY=/certs/zyc.org.key -p 443:443 -v /opt/registry:/var/lib/registry -v /tmp/docker/auth:/auth -e "REGISTRY_AUTH=htpasswd" -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd registry:2
5dd6f95a0d4b3d2edfc3cef0a3569bb2e35b60006bea41168c8a0d0e026b2864
[root@server1 docker]# docker ps
CONTAINER ID        IMAGE                  COMMAND                  CREATED             STATUS              PORTS                            NAMES
5dd6f95a0d4b        registry:2             "/entrypoint.sh /etc…"   23 seconds ago      Up 12 seconds       0.0.0.0:443->443/tcp, 5000/tcp   registry

3. Log in to the registry, entering the user name and password

[root@server1 docker]# docker login zyc.org
Username: zyc
Password: 
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded
# The credential is recorded in config.json (log in once and it stays there until docker logout). The "auth" value is nothing more than base64 of user:password (enljOnJlZGhhdA== decodes to zyc:redhat), so the WARNING above is literal: anyone who can read /root/.docker/config.json has the registry password. Restrict the file's permissions or configure a credential helper as the warning suggests.
[root@server1 docker]# cat /root/.docker/config.json
{
	"auths": {
		"zyc.org": {
			"auth": "enljOnJlZGhhdA=="
		}
	},
	"HttpHeaders": {
		"User-Agent": "Docker-Client/18.06.1-ce (linux)"
	}
}

4. Test: while logged in, the push succeeds

[root@server1 docker]# docker tag nginx zyc.org/ubuntu
[root@server1 docker]# docker push zyc.org/ubuntu
The push refers to repository [zyc.org/ubuntu]
332fa54c5886: Pushed 
6ba094226eea: Pushed 
6270adb5794c: Pushed 
latest: digest: sha256:e770165fef9e36b990882a4083d8ccf5e29e469a8609bb6b2e3b47d9510e2c8d size: 948

Test: after logging out the push is refused (the layers stay in Preparing and the daemon then reports no basic auth credentials)

[root@server1 docker]# docker logout zyc.org
Removing login credentials for zyc.org
[root@server1 docker]# docker push zyc.org/ubuntu
The push refers to repository [zyc.org/ubuntu]
332fa54c5886: Preparing 
6ba094226eea: Preparing 
6270adb5794c: Preparing 
no basic auth credentials
[root@server1 docker]# 
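What docker login, the push and the logout above exchange with the registry is ordinary HTTP Basic authentication on the Registry API v2. The following is an added example, not code from the original post or from Docker: a small urllib client that sends the same Authorization header docker derives from config.json, pins a CA file the way /etc/docker/certs.d does, and verifies a manifest's digest; the registry side is a constructed stand-in (plain HTTP, repository name game2048, invented manifest bytes) that answers with the same 401 challenge registry:2 sends when REGISTRY_AUTH=htpasswd is set. The user zyc/redhat and the realm "Registry Realm" are the page's.

```python
# Added example (not part of the original post): the HTTP exchange behind
# `docker login` / `docker push` / `docker logout` against registry:2 with
# REGISTRY_AUTH=htpasswd, replayed against a small stand-in server (plain HTTP,
# constructed repo "game2048" and manifest) so it runs offline; zyc/redhat and the realm are the page's.
import base64, hashlib, json, ssl, threading, urllib.error, urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

REALM = "Registry Realm"   # REGISTRY_AUTH_HTPASSWD_REALM from the page
MANIFEST_TYPE = "application/vnd.docker.distribution.manifest.v2+json"

def basic_auth_value(user, password):
    # Exactly what `docker login` stores under "auth" in ~/.docker/config.json:
    # base64 of "user:password", reversible by anyone who can read the file.
    return base64.b64encode(f"{user}:{password}".encode()).decode()

class RegistryClient:
    # Registry HTTP API v2 over urllib with Basic auth and an optional pinned CA.
    def __init__(self, base_url, user=None, password=None, ca_file=None):
        self.base = base_url.rstrip("/")
        # For https://zyc.org, ca_file is the ca.crt from /etc/docker/certs.d/zyc.org/.
        self.ctx = ssl.create_default_context(cafile=ca_file) if ca_file else None
        self.auth = basic_auth_value(user, password) if user else None

    def _get(self, path, accept=None):
        req = urllib.request.Request(self.base + path)
        if self.auth:
            req.add_header("Authorization", "Basic " + self.auth)
        if accept:
            req.add_header("Accept", accept)
        try:
            with urllib.request.urlopen(req, timeout=5, context=self.ctx) as r:
                return r.status, dict(r.headers), r.read()
        except urllib.error.HTTPError as e:   # 401/404 carry the registry's answer
            return e.code, dict(e.headers), e.read()

    def ping(self):
        # GET /v2/: 200 with valid credentials, otherwise 401 plus a Basic challenge.
        status, headers, _ = self._get("/v2/")
        return status, headers.get("WWW-Authenticate")

    def manifest(self, repo, ref):
        # Fetch by tag or digest; recompute the digest rather than trust the header.
        status, headers, body = self._get(f"/v2/{repo}/manifests/{ref}", MANIFEST_TYPE)
        if status != 200:
            return None
        digest = "sha256:" + hashlib.sha256(body).hexdigest()
        if headers.get("Docker-Content-Digest") != digest:
            raise ValueError("manifest digest mismatch")
        if ref.startswith("sha256:") and ref != digest:
            raise ValueError("served content does not match the requested digest")
        return digest, json.loads(body)

# ---- constructed stand-in for registry:2 + htpasswd (plain HTTP, demo only) ----
MANIFEST = json.dumps({"schemaVersion": 2, "mediaType": MANIFEST_TYPE, "layers": []}).encode()
MANIFEST_DIGEST = "sha256:" + hashlib.sha256(MANIFEST).hexdigest()
ROUTES = {"/v2/": b"{}",
          "/v2/game2048/manifests/latest": MANIFEST,
          "/v2/game2048/manifests/" + MANIFEST_DIGEST: MANIFEST}

class FakeRegistry(BaseHTTPRequestHandler):
    def log_message(self, *args):
        pass

    def _reply(self, status, body, extra=()):
        self.send_response(status)
        for name, value in [("Content-Type", "application/json"), *extra]:
            self.send_header(name, value)
        self.end_headers()
        self.wfile.write(body)

    def do_GET(self):
        # The real registry checks the bcrypt line in /auth/htpasswd; the stand-in
        # compares against the page's zyc/redhat directly.
        if self.headers.get("Authorization") != "Basic " + basic_auth_value("zyc", "redhat"):
            return self._reply(401, b'{"errors":[{"code":"UNAUTHORIZED"}]}',
                               [("WWW-Authenticate", f'Basic realm="{REALM}"')])
        if self.path not in ROUTES:
            return self._reply(404, b'{"errors":[{"code":"NAME_UNKNOWN"}]}')
        extra = [("Docker-Content-Digest", MANIFEST_DIGEST)] if "/manifests/" in self.path else []
        self._reply(200, ROUTES[self.path], extra)

def run_offline_demo():
    # Start the stand-in on a free port, replay logout/login/pull, return what the client saw.
    srv = HTTPServer(("127.0.0.1", 0), FakeRegistry)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    base = f"http://127.0.0.1:{srv.server_port}"
    try:
        anonymous = RegistryClient(base)                    # state after `docker logout`
        logged_in = RegistryClient(base, "zyc", "redhat")   # state after `docker login`
        digest, _ = logged_in.manifest("game2048", "latest")
        return {"anonymous": anonymous.ping(),
                "logged_in": logged_in.ping()[0],
                "digest": digest,
                "pull_by_digest_ok": logged_in.manifest("game2048", digest)[0] == digest,
                "config_json_auth": base64.b64decode("enljOnJlZGhhdA==").decode()}
    finally:
        srv.shutdown()
        srv.server_close()
```

Against the real registry the client would be built as RegistryClient("https://zyc.org", "zyc", "redhat", ca_file="/etc/docker/certs.d/zyc.org/ca.crt"). The anonymous ping answering 401 with Basic realm="Registry Realm" is the exchange behind the "no basic auth credentials" message after docker logout, and decoding the page's auth value to zyc:redhat shows why config.json has to be protected like a password file.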


Reposted from blog.csdn.net/qwqq233/article/details/90724417