Table of contents
-
- foreword
- Build registry warehouse
- Access registry image (no account password)
- Push the image to the registry mirror warehouse (no account password)
- Set account password for registry mirror warehouse
- Account password - access registry image
- Account password - push the image to the registry mirror warehouse
- k8s build registry
- Verify that the mirror warehouse is available
foreword
Environment: centos 7.9 docker 20
Docker image repositories generally include Docker Hub on the public network, while private repositories come in two main types: docker registry and harbor. The former is Docker's official private repository; it is relatively small, suitable for small business scenarios, and has no web page. The latter, harbor, is an open source project of VMware's Chinese team; it has a web page, is more user-friendly and is widely used by enterprises. This article first explains Docker's own registry image repository. For building a harbor repository, refer to https://blog.csdn.net/MssGuo/article/details/126210184
挺好的文章:http://events.jianshu.io/p/de8969f17b53
The newer project, Distribution (the new docker registry is called Distribution), replaces the registry; the two names mean the same thing. The image on Docker's official site is still called registry.
Two installation methods of docker-distribution:
# Method 1: install the package from yum; the service is then managed by systemd.
yum install docker-distribution #install with yum, managed by systemd
systemctl enable docker-distribution.service
systemctl start docker-distribution.service
# Method 2: run the official registry image as a container (the full command is given in the next section).
docker run #install with docker
We will use docker to install the mirror warehouse.
Build registry warehouse
官网文档:https://docs.docker.com/registry/
# Pull the registry image
docker pull registry:latest
# Run it with docker, persisting the registry data to /opt/registry on the host.
# Caveat (the author's "pit"): no account/password is configured yet, so anyone who can
# reach port 5000 on this host can push to and pull from the registry; it is secured
# in a later section.
docker run -d -p 5000:5000 --restart always --name registry -v /opt/registry:/var/lib/registry registry:latest
Access registry image (no account password)
The registry image repository has no graphical interface; it is accessed as follows:
# Access from a browser web page.
# Note: with no authentication configured, this catalog listing is readable by anyone who can reach port 5000.
http://192.168.158.130:5000/v2/_catalog
{
"repositories":[]} #[] is empty because no image has been pushed yet
# Or query it with curl from the Linux command line
curl -XGET http://192.168.158.130:5000/v2/_catalog
{
"repositories":[]} #[] is empty because no image has been pushed yet
Push the image to the registry mirror warehouse (no account password)
# Push an image to the registry
# Edit the docker daemon config and append the line below. The file must remain a valid
# JSON object; if it is otherwise empty, the whole file is: {"insecure-registries": ["192.168.158.130:5000"]}
# "insecure-registries" lets the daemon talk plain HTTP to this registry, so any credentials
# configured for it later travel in cleartext on the network; use TLS outside a lab.
vim /etc/docker/daemon.json #edit the docker config file and append the following line
"insecure-registries": ["192.168.158.130:5000"]
systemctl restart docker #restart docker
docker tag nginx:1.18 192.168.158.130:5000/nginx:1.18 #tag the image with the registry address
docker push 192.168.158.130:5000/nginx:1.18 #push the image to the registry
curl -XGET http://192.168.158.130:5000/v2/_catalog
{
"repositories":["nginx"]}
Set account password for registry mirror warehouse
Earlier, we started the registry image repository without setting an account and password, so anyone who can reach it can push images to it (and pull from it), which is very unsafe. Now set the account password:
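# Install httpd-tools, which provides the htpasswd command.
yum install httpd-tools -y
# Create the directory and file that will hold the registry's htpasswd entries.
mkdir -p /etc/registry/auth
touch /etc/registry/auth/passwd
# Generate a bcrypt (-B) htpasswd entry for user admin with password admin123456 and
# write it to /etc/registry/auth/passwd. The password is read from stdin (-i) instead of
# being passed as a command-line argument (-b) so it is not visible in `ps` output while
# htpasswd runs; -n prints the entry to stdout for the redirect instead of updating a file.
# The resulting file holds only a hash, but keep it readable by root only where possible.
printf '%s\n' 'admin123456' | htpasswd -nBi admin > /etc/registry/auth/passwd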
#
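# Replace the unauthenticated container with one that requires htpasswd credentials.
docker stop registry && docker rm registry
# NOTE: comments must not follow a trailing "\": a "\ #..." sequence ends the command on
# that line (the escaped space becomes an argument and "#" starts a comment), so the
# remaining -e/-v lines would be executed as separate, failing commands and the registry
# would not be started with authentication. Explanations are therefore kept above the command.
#   -v /opt/registry:...        persists the image data on the host
#   -v /etc/registry/auth:...   mounts the auth directory with the htpasswd file into the container
#   REGISTRY_AUTH_HTPASSWD_PATH points the registry at that passwd file
docker run -d -p 5000:5000 --restart always --name registry \
  -v /opt/registry:/var/lib/registry \
  -v /etc/registry/auth:/etc/registry/auth \
  -e "REGISTRY_AUTH=htpasswd" \
  -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" \
  -e "REGISTRY_AUTH_HTPASSWD_PATH=/etc/registry/auth/passwd" \
  registry:latest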
Account password - access registry image
# Access from the browser
http://192.168.158.130:5000/v2/_catalog #a dialog pops up asking for credentials: admin/admin123456
# Access from the Linux command line
[root@docker ~]# curl -XGET http://192.168.158.130:5000/v2/_catalog #without credentials the request is rejected
{
"errors":[{
"code":"UNAUTHORIZED","message":"authentication required","detail":[{
"Type":"registry","Class":"","Name":"catalog","Action":"*"}]}]}
[root@docker ~]# curl -XGET -u admin:admin123456 http://192.168.158.130:5000/v2/_catalog #access with credentials
{
"repositories":["nginx"]}
Account password - push the image to the registry mirror warehouse
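# Log in to the registry. The password is supplied on stdin (--password-stdin) rather than
# with -p so it does not appear in the process argument list (`ps`); docker itself warns
# about -p for the same reason.
printf '%s' 'admin123456' | docker login -u admin --password-stdin 192.168.158.130:5000
# Tag an image with the registry address and push it.
docker tag coredns/coredns:latest 192.168.158.130:5000/coredns/coredns:latest
docker push 192.168.158.130:5000/coredns/coredns:latest
# Verify the catalog with credentials (for an interactive check, `-u admin` alone makes curl prompt for the password).
curl -XGET -u admin:admin123456 http://192.168.158.130:5000/v2/_catalog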
k8s build registry
# The manifest edited here defines a ConfigMap (the htpasswd file), a PVC, a NodePort Service and a Deployment.
[root@master ~]# vim deploy-registy.yaml
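---
# The content of the passwd key is the output of: htpasswd -Bbn admin admin123456
# NOTE(review): even though this is only a bcrypt hash, credential material is conventionally
# kept in a Secret rather than a ConfigMap.
apiVersion: v1
data:
  passwd: |+
    admin:$2y$05$XmcyIRU8D7w2jUCYHskSZ.dcwFDS0SlYP4xMUBj1QZJIvgGSPlTAq
kind: ConfigMap
metadata:
  name: registry-cm
---
# Persistent storage for the registry data (the image layers).
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
  name: registry-pvc
  labels:
    release: registry
spec:
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 5Gi
  storageClassName: nfs-storageclass
---
# NodePort Service: port 5000 is exposed on every node.
apiVersion: v1
kind: Service
metadata:
  name: "registry-svc"
  labels:
    release: registry
spec:
  ports:
    - name: http-registry
      port: 5000
      # NOTE: 5000 is outside the default NodePort range (30000-32767); the apiserver's
      # --service-node-port-range must include it or the Service is rejected.
      nodePort: 5000
      targetPort: 5000
  type: NodePort
  selector:
    release: registry
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: "registry-deployment"
  labels:
    release: registry
spec:
  replicas: 1
  selector:
    matchLabels:
      release: registry
  template:
    metadata:
      labels:
        release: registry
    spec:
      containers:
        - name: registry
          # Pin a specific tag instead of latest for reproducible deployments.
          image: registry:latest
          imagePullPolicy: IfNotPresent
          livenessProbe:
            httpGet:
              path: /
              scheme: HTTP
              port: 5000
            initialDelaySeconds: 300
            periodSeconds: 10
          readinessProbe:
            httpGet:
              path: /
              scheme: HTTP
              port: 5000
            initialDelaySeconds: 2
            periodSeconds: 10
          # Container environment: the same three REGISTRY_AUTH* settings used with docker run.
          env:
            - name: REGISTRY_AUTH
              value: htpasswd
            - name: REGISTRY_AUTH_HTPASSWD_REALM
              value: "Registry Realm"
            - name: REGISTRY_AUTH_HTPASSWD_PATH
              value: "/etc/registry/auth/passwd"
          ports:
            - containerPort: 5000
          volumeMounts:
            # Registry data persisted through the PVC.
            - name: registry-data
              mountPath: /var/lib/registry
            # The ConfigMap's passwd key mounted as the htpasswd file.
            - name: registry-cm
              mountPath: /etc/registry/auth/passwd
              subPath: passwd
      volumes:
        - name: registry-cm
          configMap:
            name: registry-cm
            items:
              - key: passwd
                path: passwd
        - name: registry-data
          persistentVolumeClaim:
            claimName: registry-pvc
---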
Verify that the mirror warehouse is available
# Every k8s node's docker daemon must be configured with the registry address (the NodePort
# is reachable on every node). daemon.json must remain a valid JSON object; with no other
# settings the whole file is: {"insecure-registries": ["192.168.158.128:5000"]}
vim /etc/docker/daemon.json #every k8s node must be configured with the registry address
"insecure-registries": ["192.168.158.128:5000"] #add this entry
systemctl restart docker #restart docker
# Log in to the registry.
# NOTE: -p places the password in the process argument list; `docker login -u admin --password-stdin`
# with the password piped on stdin avoids exposing it in `ps`.
[root@master ~]# docker login -u admin -p admin123456 192.168.158.128:5000
Login Succeeded
# Tag the image with the registry address
[root@master ~]# docker tag busybox:1.24.1 192.168.158.128:5000/busybox:1.24.1
# Push the image to the registry; the push succeeds
[root@master ~]# docker push 192.168.158.128:5000/busybox:1.24.1
The push refers to repository [192.168.158.128:5000/busybox]
5f70bf18a086: Pushed
61e469647daa: Pushed
1.24.1: digest: sha256:458b359b8cb329f54e965bafee7b41d7557e62ba8d4c061f3dc57c7aaf9c048b size: 733
# Check the backend storage (presumably the NFS export backing the PVC, on node2): the pushed repository has been persisted
[root@node2 ~]# ls /k8s_data/default-registry-pvc-pvc-d336e2f7-7bcc-4a79-8e3f-3ccff46c78c9/docker/registry/v2/repositories/
busybox
[root@node2 ~]#