Docker (7) Docker registry: TLS encryption and authentication for a private registry, plus a simple web management UI

Local -> local (encrypted)

Encrypting the private registry and pushing local images into it

https://docs.docker.com/registry/insecure/  (Docker's official documentation)


-v    host directory mounted into the container
-e    environment variable (here: the address and port the registry listens on, and the certificate paths)
-p    port mapping

docker run -d --restart=always --name registry -v "$(pwd)"/certs:/certs -e REGISTRY_HTTP_ADDR=0.0.0.0:443 -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/westos.org.crt -e REGISTRY_HTTP_TLS_KEY=/certs/westos.org.key -p 443:443 -v "$(pwd)"/auth:/auth -e "REGISTRY_AUTH=htpasswd" -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd registry


Run systemctl status docker first and make sure docker is running.
Create the certs directory:
[root@server1 ~]# mkdir -p certs      
[root@server1 ~]# openssl req -newkey rsa:4096 -nodes -sha256 -keyout certs/westos.org.key -x509 -days 365 -out certs/westos.org.crt
Generating a 4096 bit RSA private key
..................................................................++
...................................................................................................................................++
writing new private key to 'certs/westos.org.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Shaanxi
Locality Name (eg, city) [Default City]:Xi'an
Organization Name (eg, company) [Default Company Ltd]:University
Organizational Unit Name (eg, section) []:linux
Common Name (eg, your name or your server's hostname) []:westos.org
Email Address []:[email protected]

[root@server1 ~]# docker ps -a
Check the existing private registry container.
[root@server1 ~]# docker rm -f registry
Remove the old private registry; repeat until the listing looks like the following, i.e. nothing is left:

[root@server1 ~]# docker ps -a
CONTAINER ID        IMAGE               COMMAND             CREATED             STATUS              PORTS               NAMES

# Note: REGISTRY_HTTP_TLS_KEY=/certs/westos.org.key (and the -p 443:443 registry part) refers to the path inside the container, i.e. the -v mount target, not the host path /root/...

[root@server1 ~]# docker run -d   --restart=always   --name registry   -v "$(pwd)"/certs:/certs -e REGISTRY_HTTP_ADDR=0.0.0.0:443 -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/westos.org.crt -e REGISTRY_HTTP_TLS_KEY=/certs/westos.org.key -p 443:443 registry


Unable to find image 'registry:latest' locally
latest: Pulling from library/registry
c87736221ed0: Pull complete
1cc8e0bb44df: Pull complete
54d33bcb37f5: Pull complete
e8afc091c171: Pull complete
b4541f6d3db6: Pull complete
Digest: sha256:8004747f1e8cd820a148fb7499d71a76d45ff66bac6a29129bfdbfdc0154d146
Status: Downloaded newer image for registry:latest
e6632b5d20e434dd064149b02f46efbe726a3195e78f02dc1d72c0fa03a8c927

Add a local hosts entry. # Because the domain we use is westos.org, that hostname must resolve.
[root@server1 ~]# vim /etc/hosts
[root@server1 ~]# ping westos.org
PING server1 (172.25.28.1) 56(84) bytes of data.
64 bytes from server1 (172.25.28.1): icmp_seq=1 ttl=64 time=0.032 ms
64 bytes from server1 (172.25.28.1): icmp_seq=2 ttl=64 time=0.037 ms
^C
--- server1 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 999ms
rtt min/avg/max/mdev = 0.032/0.034/0.037/0.006 ms

Check whether the port is listening:
[root@server1 ~]# netstat -antlp
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      848/sshd            
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      949/master          
tcp        0      0 172.25.28.1:22          172.25.28.250:37186     ESTABLISHED 1152/sshd: root@pts
tcp6       0      0 :::22                   :::*                    LISTEN      848/sshd            
tcp6       0      0 ::1:25                  :::*                    LISTEN      949/master          
tcp6       0      0 :::443                  :::*                    LISTEN      1625/docker-proxy
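The TLS setup above in script form, as an added example that is not code from the original post. It generates the registry certificate the way the post does but with a subjectAltName (current Go-based clients, docker included, refuse certificates that name the host only in the CN field), shows where the docker client on another host expects the CA file, and classifies what an anonymous GET /v2/ on the registry returns. The hostname and paths follow the post (westos.org, ./certs, /etc/docker/certs.d); the function names and the two sample HTTP responses at the bottom are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not code from the original post: generate the registry
# certificate as the post does but with a subjectAltName, place it where the
# docker client on another host will look for it, and classify what an
# anonymous GET /v2/ returns. Hostname and paths follow the post (westos.org,
# ./certs, /etc/docker/certs.d); the function names and the two sample HTTP
# responses at the bottom are this example's own.

set -eu

# Self-signed certificate with a SAN entry. Current Go-based clients (docker,
# the registry) reject certificates that name the host only in the CN field.
# 2048-bit key to keep the example quick; the post uses rsa:4096.
gen_cert() {
    dir=$1; host=$2
    mkdir -p "$dir"
    openssl req -newkey rsa:2048 -nodes -sha256 -x509 -days 365 \
        -subj "/C=CN/ST=Shaanxi/L=Xian/O=University/OU=linux/CN=$host" \
        -addext "subjectAltName=DNS:$host" \
        -keyout "$dir/$host.key" -out "$dir/$host.crt" >/dev/null 2>&1
}

# True when the certificate lists the host in its SAN extension.
cert_has_san() {
    openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"
}

# Client-side trust: docker reads /etc/docker/certs.d/<host>/ca.crt (no :port
# suffix here because the registry listens on 443). Not run by the test.
install_client_ca() {
    mkdir -p "/etc/docker/certs.d/$2"
    cp "$1" "/etc/docker/certs.d/$2/ca.crt"
}

# Classify the status line and headers of GET /v2/:
#   auth-required  401 with a Basic challenge, i.e. htpasswd auth is active
#   open           200, anyone who trusts the cert can pull and push
#   unexpected     anything else (no response, redirect, server error)
classify_v2_response() {
    resp=$(printf '%s\n' "$1" | tr -d '\r')
    status=$(printf '%s\n' "$resp" | sed -n '1s/^HTTP\/[0-9.]* \([0-9][0-9]*\).*/\1/p')
    case "$status" in
        401) if printf '%s\n' "$resp" | grep -qi '^www-authenticate: *basic'; then
                 echo auth-required
             else
                 echo unexpected
             fi ;;
        200) echo open ;;
        *)   echo unexpected ;;
    esac
}

# Live check; --cacert verifies the self-signed cert instead of using -k.
# Not run by the test.
check_live() {
    resp=$(curl -s -D - -o /dev/null --cacert "$1" "https://$2/v2/")
    classify_v2_response "$resp"
}

# Constructed sample responses shaped like the registry's real answers.
SAMPLE_401='HTTP/1.1 401 Unauthorized
Content-Type: application/json; charset=utf-8
Docker-Distribution-Api-Version: registry/2.0
Www-Authenticate: Basic realm="Registry Realm"
Content-Length: 87'

SAMPLE_200='HTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8
Docker-Distribution-Api-Version: registry/2.0
Content-Length: 2'
```

With the registry as started at this step (TLS, no authentication yet) `check_live certs/westos.org.crt westos.org` prints `open`; once the htpasswd step further down is done it should print `auth-required`, which is the state to expect for any registry that other hosts can reach.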

Now push an image from the local host:
[root@server1 westos.org]# docker images
REPOSITORY          TAG                 IMAGE ID            CREATED             SIZE
busybox             latest              020584afccce        9 days ago          1.22MB
registry            latest              f32a97de94e1        8 months ago        25.8MB
game2048            latest              19299002fdbe        2 years ago         55.5MB
[root@server1 westos.org]# docker tag busybox westos.org/busyox   # westos.org/busyox is the name the image will have in the registry
[root@server1 westos.org]# docker push westos.org/busyox
The push refers to repository [westos.org/busyox]
1da8e4c8d307: Pushed
latest: digest: sha256:679b1c1058c1f2dc59a3ee70eed986a88811c0205c8ceea57cec5f22d2c3fbb1 size: 527

Success!!!

# Add push authentication for clients
# Keep port 443 from the step above rather than the 5000 used in the official docs

[root@server1 ~]# docker run --entrypoint htpasswd registry -Bbn testuser testpassword > auth/htpasswd
[root@server1 ~]# cd auth/
[root@server1 auth]# ls
htpasswd
[root@server1 auth]# cat htpasswd
testuser:$2y$05$dqGVPcspJv.UNnwJ8y47FuywJ17eW9weLgoDFIbgHe9UlXVmPB1SO

Further credentials can be appended:
[root@server1 ~]# docker run --entrypoint htpasswd registry -Bbn admin passwd >> auth/htpasswd
[root@server1 ~]# cat auth/htpasswd
yyz:$2y$05$X3FrmrdjhhsPT7h9.NgBxO2U.z9N2ic2uD/G2IJhPoeQ44r7gu1gK

admin:$2y$05$Yv6w1WENRjMkGd6rn6yqSOhfnc4TBZkAhOrWf4DyPobCNTPeE9X.O


[root@server1 ~]# docker run --entrypoint htpasswd registry -Bbn admin westos >> auth/htpasswd

[root@server1 ~]# docker run -d   --restart=always   --name registry   -v "$(pwd)"/certs:/certs -e REGISTRY_HTTP_ADDR=0.0.0.0:443 -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/westos.org.crt -e REGISTRY_HTTP_TLS_KEY=/certs/westos.org.key -p 443:443 -v "$(pwd)"/auth:/auth -e "REGISTRY_AUTH=htpasswd" -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm"  -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd registry

This fails with the error:
Error response from daemon: Conflict. The container name "/registry" is already in use by container "a1744536053ea3efdcff4f67db781c0622d726313687f3a7af90998c940ff308". You have to remove (or rename) that container to be able to reuse that name.

The existing private registry container must be removed before this works:
[root@server1 ~]# docker rm -f registry  
registry
[root@server1 ~]# docker run -d   --restart=always   --name registry   -v "$(pwd)"/certs:/certs -e REGISTRY_HTTP_ADDR=0.0.0.0:443 -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/westos.org.crt -e REGISTRY_HTTP_TLS_KEY=/certs/westos.org.key -p 443:443 -v "$(pwd)"/auth:/auth -e "REGISTRY_AUTH=htpasswd" -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm"  -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd registry
22bd3e55d45b70aa6048c32a73167a2dc623e780f35e9b1bec588bf7526982e1

[root@server1 ~]# docker ps -a
CONTAINER ID        IMAGE               COMMAND                  CREATED             STATUS                      PORTS                            NAMES
22bd3e55d45b        registry            "/entrypoint.sh /etc…"   2 minutes ago       Up 2 minutes                0.0.0.0:443->443/tcp, 5000/tcp   registry
13a7a7843802        registry            "htpasswd -Bbn admin…"   4 minutes ago       Exited (0) 4 minutes ago                                     eager_agnesi
ad8ab4752f54        registry            "htpasswd -Bbn admin…"   31 minutes ago      Exited (0) 31 minutes ago                                    recursing_mendel
9dc48b269b06        registry            "htpasswd -Bbn yyz z…"   31 minutes ago      Exited (0) 31 minutes ago                                    quirky_chebyshev
9399720e5b34        registry            "htpasswd -Bbn testu…"   41 minutes ago      Exited (0) 41 minutes ago                                    angry_hertz
c5ac8e904955        busybox             "htpasswd testpasswo…"   43 minutes ago      Created                                                      focused_lovelace

[root@server1 ~]# docker login westos.org   # log in with one of the htpasswd accounts
Username: admin
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded
[root@server1 ~]# docker logout westos.org     # log out; a push now fails because the client is no longer authenticated
Removing login credentials for westos.org
[root@server1 ~]# docker push westos.org/busyox
The push refers to repository [westos.org/busyox]
1da8e4c8d307: Preparing
no basic auth credentials     # the registry rejects the push without credentials
[root@server1 ~]# docker login westos.org     # only after logging in again does the push succeed
Username: admin
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded
[root@server1 ~]# docker push westos.org/busyox
The push refers to repository [westos.org/busyox]
1da8e4c8d307: Pushed
latest: digest: sha256:679b1c1058c1f2dc59a3ee70eed986a88811c0205c8ceea57cec5f22d2c3fbb1 size: 527

Push succeeded~~~~
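The htpasswd handling above works but leaves traces: a user from an earlier run (yyz) is still in the file, admin was appended twice with different passwords, the file has blank lines, and every `docker run --entrypoint htpasswd` left an exited container in `docker ps -a`. The following script, an added example that is not code from the original post, keeps the file tidy: it lints it (the registry's htpasswd backend accepts only bcrypt hashes), replaces rather than appends a user, and recreates the registry with `docker rm -f` first to avoid the name conflict the post hit. The file path, image names and docker run options follow the post; the function names and the `legacy` line in the sample file are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not code from the original post: maintain auth/htpasswd
# without the problems the listings above show (a user left over from an
# earlier run, the same user appended twice with different passwords, blank
# lines, and a pile of exited htpasswd containers). File path, image names
# and the docker run options follow the post; the function names and the
# "legacy" entry in the sample file are this example's own.

set -eu

HTPASSWD_FILE=auth/htpasswd

# Constructed sample in the state the post's `cat auth/htpasswd` shows, plus
# one non-bcrypt entry (the registry's htpasswd backend accepts only bcrypt).
SAMPLE_HTPASSWD='yyz:$2y$05$X3FrmrdjhhsPT7h9.NgBxO2U.z9N2ic2uD/G2IJhPoeQ44r7gu1gK

admin:$2y$05$Yv6w1WENRjMkGd6rn6yqSOhfnc4TBZkAhOrWf4DyPobCNTPeE9X.O
admin:$2y$05$dqGVPcspJv.UNnwJ8y47FuywJ17eW9weLgoDFIbgHe9UlXVmPB1SO
legacy:$apr1$constructed$notarealhash'

# One finding per line; empty output means the file is clean.
lint_htpasswd() {
    awk -F: '
        /^$/                { print "line " NR ": blank line"; next }
        NF != 2             { print "line " NR ": malformed entry"; next }
        $2 !~ /^\$2[aby]\$/ { print "line " NR ": non-bcrypt hash for user " $1 }
        seen[$1]++          { print "line " NR ": duplicate entry for user " $1 }
    ' "$1"
}

# Number of findings ("0" when clean), handy in scripts.
lint_count() { lint_htpasswd "$1" | grep -c . || true; }

# Drop every line for one user, and blank lines, so the file never carries
# two entries for the same name.
remove_user() {
    file=$1; user=$2
    tmp=$(mktemp)
    grep -v -e "^$user:" -e '^$' "$file" > "$tmp" || true
    mv "$tmp" "$file"
}

# Replace-or-add a user. --rm keeps `docker ps -a` free of exited htpasswd
# containers. If the registry image you pull no longer ships htpasswd, the
# current official docs run the same command from the httpd:2 image.
# Not run by the test (needs docker).
set_user() {
    file=$1; user=$2; pass=$3
    if [ -f "$file" ]; then remove_user "$file" "$user"; fi
    docker run --rm --entrypoint htpasswd registry -Bbn "$user" "$pass" >> "$file"
}

# Recreate the registry with TLS and htpasswd auth. rm -f first, otherwise
# docker reports the "container name /registry is already in use" conflict
# the post ran into. Not run by the test.
restart_registry() {
    docker rm -f registry >/dev/null 2>&1 || true
    docker run -d --restart=always --name registry \
        -v "$(pwd)/certs:/certs" -v "$(pwd)/auth:/auth" \
        -e REGISTRY_HTTP_ADDR=0.0.0.0:443 \
        -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/westos.org.crt \
        -e REGISTRY_HTTP_TLS_KEY=/certs/westos.org.key \
        -e REGISTRY_AUTH=htpasswd \
        -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" \
        -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd \
        -p 443:443 registry
}

# Typical use on the registry host (not run by the test):
#   set_user "$HTPASSWD_FILE" admin westos
#   [ "$(lint_count "$HTPASSWD_FILE")" -eq 0 ] && restart_registry
```

Run the lint before every restart; a file that still holds an old account like yyz is a valid login the registry will happily accept, which is exactly the kind of leftover that goes unnoticed once the registry is reachable from other hosts.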


# How does a remote host connect?
Idea: in a company, pre-built images are placed in the private registry for others to use.
Whoever needs one authenticates and pulls it using the company domain.
Start another virtual machine, install docker and start it.
The hostname must resolve:
[root@server2 docker包]# cat /etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
172.25.0.1    server1
172.25.0.2    server2
172.25.0.3    server3 westos.org
172.25.0.4    server4
172.25.0.5    server5
172.25.0.6    server6
172.25.0.7    server7
172.25.0.8    server8

[root@server2 docker包]# ping westos.org
PING server3 (172.25.0.3) 56(84) bytes of data.
64 bytes from server3 (172.25.0.3): icmp_seq=1 ttl=64 time=0.397 ms

The certificate is required; it can be obtained from the server3 host.
# Authentication only works once the certificate is in place
[root@server3 ~]# cd /etc/docker/
[root@server3 docker]# ls
certs.d  daemon.json  key.json
[root@server3 docker]# scp -r certs.d/ server2:/etc/docker/
The authenticity of host 'server2 (172.25.0.2)' can't be established.
ECDSA key fingerprint is 67:9d:41:df:c9:b5:0e:f3:e1:30:72:c7:c9:07:69:e0.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'server2,172.25.0.2' (ECDSA) to the list of known hosts.
root@server2's password:
ca.crt                                        100% 2098     2.1KB/s   00:00    

[root@server2 docker包]# cd /etc/docker/
[root@server2 docker]# ls
certs.d  key.json

Authenticate first, then pull:
[root@server2 certs.d]# docker login westos.org
Username: admin
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded
[root@server2 certs.d]# docker pull westos.org/nginx
Using default tag: latest
Error response from daemon: manifest for westos.org/nginx:latest not found
[root@server2 certs.d]# docker pull westos.org/nginx:v3
v3: Pulling from nginx
48f5bbc9baf5: Pull complete
15f1fc4f91e0: Pull complete
98331229c5fd: Pull complete
4c7f36e2f886: Pull complete
df58a187e237: Pull complete
Digest: sha256:ad7f1eadc6268d111c7c1763dd76943e4c1f831f59bde82796bc351b894526b5
Status: Downloaded newer image for westos.org/nginx:v3

Test: the image runs.
[root@server2 certs.d]# docker run -d --name nginx -p 80:80 westos.org/nginx:v3
299df76d6167d789883a1b7bdb9e338659f49be2e146bd4098e409a7f35d6a02
[root@server2 certs.d]# docker pa
docker: 'pa' is not a docker command.
See 'docker --help'
[root@server2 certs.d]# docker ps
CONTAINER ID        IMAGE                 COMMAND                  CREATED             STATUS              PORTS                NAMES
299df76d6167        westos.org/nginx:v3   "/usr/local/nginx/sb…"   9 seconds ago       Up 8 seconds        0.0.0.0:80->80/tcp   nginx
[root@server2 certs.d]# curl localhost

We want a web page to manage the registry.
# Pull an image
# You can docker search for it first
[root@server3 docker]# docker pull hyper/docker-registry-web
Using default tag: latest
latest: Pulling from hyper/docker-registry-web
04c996abc244: Pull complete
d394d3da86fe: Pull complete
bac77aae22d4: Pull complete
b48b86b78e97: Pull complete
09b3dd842bf5: Pull complete
69f4c5394729: Pull complete
b012980650e9: Pull complete
7c7921c6fda1: Pull complete
e20331c175ea: Pull complete
40d5e82892a5: Pull complete
a414fa9c865a: Pull complete
0304ae3409f3: Pull complete
13effc1a664f: Pull complete
e5628d0e6f8c: Pull complete
0b0e130a3a52: Pull complete
d0c73ab65cd2: Pull complete
240c0b145309: Pull complete
f1fd6f874e5e: Pull complete
40b5e021928e: Pull complete
88a8c7267fbc: Pull complete
f9371a03010e: Pull complete
Digest: sha256:723ffa29aed2c51417d8bd32ac93a1cd0e7ef857a0099c1e1d7593c09f7910ae
Status: Downloaded newer image for hyper/docker-registry-web:latest

# Search GitHub and follow the project's documentation
https://github.com/mkuchin/docker-registry-web
[root@server3 ~]# cat .docker/config.json   # check the credentials saved earlier
{
    "auths": {
        "": {
            "auth": "ZGFuZ2Rhbmd3ZXN0b3M6ZGFuZ2Rhbmc="
        },
        "https://index.docker.io/v1/": {
            "auth": "ZGFuZ2Rhbmd3ZXN0b3M6ZGFuZ2Rhbmc="
        },
        "westos.org": {
            "auth": "YWRtaW46d2VzdG9z"  #-e REGISTRY_BASIC_AUTH="YWRtaW46d2VzdG9z"
        }
    },
    "HttpHeaders": {
        "User-Agent": "Docker-Client/18.09.6 (linux)"
    }
}
[root@server3 ~]# docker run -it -p 8080:8080 --name registry-web --link registry:westos.org -e REGISTRY_URL=https://westos.org/v2 -e REGISTRY_TRUST_ANY_SSL=true -e REGISTRY_BASIC_AUTH="YWRtaW46d2VzdG9z" -e REGISTRY_NAME=westos.org:443 hyper/docker-registry-web  # v2 is the registry API version

Test in a browser: http://172.25.28.1:8080/
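The `auth` value copied out of config.json into REGISTRY_BASIC_AUTH above is plain base64 of `user:password`, which is what the "stored unencrypted" warning from `docker login` refers to. The script below, an added example that is not code from the original post, decodes such a value, lists which registries in a config.json hold a base64 credential (printing the user only), and reports whether a credential helper (`credsStore` / `credHelpers`) is configured instead. The sample config is constructed here: its westos.org entry matches the post, the Docker Hub entry is invented; function names are this example's own.

```shell
#!/bin/sh
# Added example, not code from the original post: inspect what `docker login`
# left in ~/.docker/config.json. The "auth" value is nothing more than
# base64(user:password), hence the "stored unencrypted" warning in the post.
# The config below is constructed; its westos.org entry matches the post,
# the Docker Hub entry is invented. Function names are this example's own.

set -eu

# Constructed sample config (the Docker Hub credential is made up here).
HUB_AUTH=$(printf '%s' 'exampleuser:examplepass' | base64)
SAMPLE_CONFIG=$(printf '{
    "auths": {
        "https://index.docker.io/v1/": {
            "auth": "%s"
        },
        "westos.org": {
            "auth": "YWRtaW46d2VzdG9z"
        }
    },
    "HttpHeaders": {
        "User-Agent": "Docker-Client/18.09.6 (linux)"
    }
}' "$HUB_AUTH")

# Turn one "auth" value back into user:password.
decode_auth() { printf '%s' "$1" | base64 -d; }

# List "registry user" for every stored base64 credential. The password is
# recoverable the same way, which is the point; it is not printed here.
list_plain_auths() {
    printf '%s\n' "$1" | awk -F'"' '
        /^[[:space:]]*"[^"]*": *\{/ { reg = $2 }
        /^[[:space:]]*"auth": *"/   { print reg, $4 }
    ' | while read -r reg b64; do
        printf '%s %s\n' "$reg" "$(printf '%s' "$b64" | base64 -d | cut -d: -f1)"
    done
}

# "yes" when docker is configured to keep credentials in a helper
# (credsStore / credHelpers) instead of this file, "no" otherwise.
has_cred_helper() {
    if printf '%s\n' "$1" | grep -q -e '"credsStore"' -e '"credHelpers"'; then
        echo yes
    else
        echo no
    fi
}

# Default location of the file on the client that ran docker login.
CONFIG_PATH="${DOCKER_CONFIG:-${HOME:-/root}/.docker}/config.json"
# Usage on a real host (not run by the test):
#   list_plain_auths "$(cat "$CONFIG_PATH")"
#   has_cred_helper  "$(cat "$CONFIG_PATH")"
```

On the registry host and on every client that ran `docker login`, expect `has_cred_helper` to answer `no` unless a helper from the page linked in the warning has been set up; `docker logout westos.org`, as shown above, removes the entry again. Feeding the password to `docker login --password-stdin` keeps it out of the shell history, but does not change how config.json stores it.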

# Recommended further reading: https://goharbor.io/



Reposted from blog.csdn.net/weixin_42221657/article/details/102991277