Overview:
Installing Docker and a Docker registry on CentOS 7. Since version 1.13, Docker has used date-based version numbers and is split into a Community Edition (CE) and an Enterprise Edition (EE). CE is free for individual developers and small teams; EE adds paid services such as officially tested and certified infrastructure, containers and plugins. CE ships on two channels: stable, updated every quarter (e.g. 18.06, 18.09), and edge, updated every month (e.g. 18.09, 18.10).
Environment:
Two machines running CentOS 7, for example:
192.168.1.198 [docker-app, ordinary Docker host]
192.168.1.199 [docker-repo, Docker registry host]
I. Install Docker
Note: perform these steps on both the ordinary Docker host and the registry host.
1. Version requirement
Docker requires a CentOS kernel newer than 3.10. Check the prerequisites on the Docker documentation page to verify that your CentOS release supports Docker, and check the running kernel with:
uname -r
2. Update the yum packages
Log in to CentOS as root and bring the yum packages up to date (this step takes a while):
yum update
3. Remove old versions (if an old version was installed)
sudo yum remove docker docker-common docker-selinux docker-engine
4. Install the required packages
yum-utils provides yum-config-manager; the other two packages are dependencies of the devicemapper storage driver.
sudo yum install -y yum-utils device-mapper-persistent-data lvm2
5. Add the yum repository
sudo yum-config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo
6. List every docker-ce version available in the repository and pick one to install
yum list docker-ce --showduplicates | sort -r
7. Install Docker
sudo yum install docker-ce
# Only the stable repository is enabled in the repo file by default, so this installs the latest stable release (17.12.0 at the time of writing).
# To install a specific version instead, name it explicitly, for example:
# sudo yum install docker-ce-17.12.0.ce
8. Start Docker and enable it at boot
sudo systemctl start docker
sudo systemctl enable docker
9. Verify the installation (output containing both a Client and a Server section means Docker is installed and the daemon is running)
docker version
II. Install the Docker registry [on the 199 host]
1. Pull the registry image
docker pull registry
2. Start a container from the image (this starts the registry)
docker run -e REGISTRY_STORAGE_DELETE_ENABLED=true -d -p 5000:5000 -v /opt/data/registry:/var/lib/registry registry:latest
(The registry image keeps its data under /var/lib/registry, the default rootdirectory shown in the configuration reference below, so the host directory has to be mounted on that path for the stored images to survive a container restart.)
---------------------------------------------------------------------------------------------------------------------------
Configuration notes:
Enables deletion through the registry API: REGISTRY_STORAGE_DELETE_ENABLED=true
---------------------------------------------------------------------------------------------------------------------------
Explanation from the official documentation:
In a typical setup where you run your Registry from the official image, you can specify a configuration variable from the environment by passing -e arguments to your docker run stanza or from within a Dockerfile using the ENV instruction.
To override a configuration option, create an environment variable named REGISTRY_variable where variable is the name of the configuration option and the _ (underscore) represents indention levels. For example, you can configure the rootdirectory of the filesystem storage backend:
storage:
  filesystem:
    rootdirectory: /var/lib/registry
To override this value, set an environment variable like this:
REGISTRY_STORAGE_FILESYSTEM_ROOTDIRECTORY=/somewhere
This variable overrides the /var/lib/registry value to the /somewhere directory.
----------------------------------》
In short: when starting the container you can pass options after docker run with -e, in the form REGISTRY_ followed by the upper-cased name of each nesting level, joined by underscores, = value.
For example, to set the first log option below (log: accesslog: disabled):
docker run -e REGISTRY_LOG_ACCESSLOG_DISABLED=false ... (and so on for the other options)
----------------------------------》
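The override rule above is easy to get wrong by one underscore, and a mistyped variable changes nothing. The following is an added example (not code from the original post or from the registry project) that models the REGISTRY_LEVEL_LEVEL_KEY=value mapping against a small constructed slice of the reference configuration, so a `docker run -e ...` line can be checked before the container is started. The dict BASE_CONFIG, the function names and the decision to report unknown paths instead of creating them are assumptions of this example; the registry itself does not expose such a checker.

```python
# Added example (not code from the original post or the registry project): a model of the
# REGISTRY_<LEVEL>_..._<KEY>=value override rule described above, applied to a nested
# config tree, so a `docker run -e ...` line can be checked before the container starts.
import copy
from typing import Any, Dict, List, Tuple

# Constructed slice of the registry's reference configuration, written as a dict so the
# example needs no YAML library. Keys mirror the reference listing on this page.
BASE_CONFIG: Dict[str, Any] = {
    "version": 0.1,
    "log": {"accesslog": {"disabled": True}, "level": "debug"},
    "storage": {
        "filesystem": {"rootdirectory": "/var/lib/registry"},
        "delete": {"enabled": False},
    },
    "http": {"addr": "localhost:5000", "secret": "asecretforlocaldevelopment"},
}

PREFIX = "REGISTRY_"


def env_name(path: str) -> str:
    """'storage.delete.enabled' -> 'REGISTRY_STORAGE_DELETE_ENABLED'."""
    return PREFIX + "_".join(part.upper() for part in path.split("."))


def _coerce(raw: str) -> Any:
    """Environment values are strings; the registry reads them as YAML scalars.
    Assumption for this example: only booleans and integers are converted."""
    low = raw.strip().lower()
    if low in ("true", "false"):
        return low == "true"
    if low.lstrip("-").isdigit():
        return int(low)
    return raw


def apply_env_overrides(config: Dict[str, Any], env: Dict[str, str]) -> Tuple[Dict[str, Any], List[str]]:
    """Return (new_config, unknown_variable_names).

    Every REGISTRY_* variable is split on '_' to walk the tree, as the official
    documentation describes. A variable whose path is not present in `config` is
    reported instead of being created: that is the audit behaviour chosen here, so a
    typo such as REGISTRY_HTTP_SECRT does not go unnoticed. The input dict is not modified.
    """
    merged = copy.deepcopy(config)
    unknown: List[str] = []
    for name, raw in sorted(env.items()):
        if not name.startswith(PREFIX):
            continue  # unrelated variables such as PATH
        parts = name[len(PREFIX):].lower().split("_")
        node: Any = merged
        for key in parts[:-1]:
            node = node.get(key) if isinstance(node, dict) else None
        if not isinstance(node, dict) or parts[-1] not in node:
            unknown.append(name)
            continue
        node[parts[-1]] = _coerce(raw)
    return merged, unknown


if __name__ == "__main__":
    # The -e flag from the docker run line on this page, plus one deliberate typo.
    env = {"REGISTRY_STORAGE_DELETE_ENABLED": "true", "REGISTRY_HTTP_SECRT": "oops"}
    cfg, bad = apply_env_overrides(BASE_CONFIG, env)
    print(cfg["storage"]["delete"], "unknown:", bad)
```

Running it shows `storage.delete.enabled` flipped to True and `REGISTRY_HTTP_SECRT` listed as unknown; the same walk applies to any of the options in the reference listing below.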
Configurable options (defaults):
version: 0.1
log:
  accesslog:
    disabled: true
  level: debug
  formatter: text
  fields:
    service: registry
    environment: staging
  hooks:
    - type: mail
      disabled: true
      levels:
        - panic
      options:
        smtp:
          addr: mail.example.com:25
          username: mailuser
          password: password
          insecure: true
        from: sender@example.com
        to:
          - errors@example.com
loglevel: debug # deprecated: use "log"
storage:
  filesystem:
    rootdirectory: /var/lib/registry
    maxthreads: 100
  azure:
    accountname: accountname
    accountkey: base64encodedaccountkey
    container: containername
  gcs:
    bucket: bucketname
    keyfile: /path/to/keyfile
    rootdirectory: /gcs/object/name/prefix
    chunksize: 5242880
  s3:
    accesskey: awsaccesskey
    secretkey: awssecretkey
    region: us-west-1
    regionendpoint: http://myobjects.local
    bucket: bucketname
    encrypt: true
    keyid: mykeyid
    secure: true
    v4auth: true
    chunksize: 5242880
    multipartcopychunksize: 33554432
    multipartcopymaxconcurrency: 100
    multipartcopythresholdsize: 33554432
    rootdirectory: /s3/object/name/prefix
  swift:
    username: username
    password: password
    authurl: https://storage.myprovider.com/auth/v1.0 or https://storage.myprovider.com/v2.0 or https://storage.myprovider.com/v3/auth
    tenant: tenantname
    tenantid: tenantid
    domain: domain name for Openstack Identity v3 API
    domainid: domain id for Openstack Identity v3 API
    insecureskipverify: true
    region: fr
    container: containername
    rootdirectory: /swift/object/name/prefix
  oss:
    accesskeyid: accesskeyid
    accesskeysecret: accesskeysecret
    region: OSS region name
    endpoint: optional endpoints
    internal: optional internal endpoint
    bucket: OSS bucket
    encrypt: optional data encryption setting
    secure: optional ssl setting
    chunksize: optional size value
    rootdirectory: optional root directory
  inmemory: # This driver takes no parameters
  delete:
    enabled: false
  redirect:
    disable: false
  cache:
    blobdescriptor: redis
  maintenance:
    uploadpurging:
      enabled: true
      age: 168h
      interval: 24h
      dryrun: false
    readonly:
      enabled: false
auth:
  silly:
    realm: silly-realm
    service: silly-service
  token:
    realm: token-realm
    service: token-service
    issuer: registry-token-issuer
    rootcertbundle: /root/certs/bundle
  htpasswd:
    realm: basic-realm
    path: /path/to/htpasswd
middleware:
  registry:
    - name: ARegistryMiddleware
      options:
        foo: bar
  repository:
    - name: ARepositoryMiddleware
      options:
        foo: bar
  storage:
    - name: cloudfront
      options:
        baseurl: https://my.cloudfronted.domain.com/
        privatekey: /path/to/pem
        keypairid: cloudfrontkeypairid
        duration: 3000s
  storage:
    - name: redirect
      options:
        baseurl: https://example.com/
reporting:
  bugsnag:
    apikey: bugsnagapikey
    releasestage: bugsnagreleasestage
    endpoint: bugsnagendpoint
  newrelic:
    licensekey: newreliclicensekey
    name: newrelicname
    verbose: true
http:
  addr: localhost:5000
  prefix: /my/nested/registry/
  host: https://myregistryaddress.org:5000
  secret: asecretforlocaldevelopment
  relativeurls: false
  tls:
    certificate: /path/to/x509/public
    key: /path/to/x509/private
    clientcas:
      - /path/to/ca.pem
      - /path/to/another/ca.pem
    letsencrypt:
      cachefile: /path/to/cache-file
      email: emailused@letsencrypt.com
  debug:
    addr: localhost:5001
  headers:
    X-Content-Type-Options: [nosniff]
  http2:
    disabled: false
notifications:
  endpoints:
    - name: alistener
      disabled: false
      url: https://my.listener.com/event
      headers:
      timeout: 500
      threshold: 5
      backoff: 1000
      ignoredmediatypes:
        - application/octet-stream
redis:
  addr: localhost:6379
  password: asecret
  db: 0
  dialtimeout: 10ms
  readtimeout: 10ms
  writetimeout: 10ms
  pool:
    maxidle: 16
    maxactive: 64
    idletimeout: 300s
health:
  storagedriver:
    enabled: true
    interval: 10s
    threshold: 3
  file:
    - file: /path/to/checked/file
      interval: 10s
  http:
    - uri: http://server.to.check/must/return/200
      headers:
        Authorization: [Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==]
      statuscode: 200
      timeout: 3s
      interval: 10s
      threshold: 3
  tcp:
    - addr: redis-server.domain.com:6379
      timeout: 3s
      interval: 10s
      threshold: 3
proxy:
  remoteurl: https://registry-1.docker.io
  username: [username]
  password: [password]
compatibility:
  schema1:
    signingkeyfile: /etc/registry/key.json
validation:
  enabled: true
  manifests:
    urls:
      allow:
        - ^https?://([^/]+\.)*example\.com/
      deny:
        - ^https?://www\.example\.com/
---------------------------------------------------------------------------------------------------------------------------
III. Dealing with the HTTP-only registry
Since Docker 1.3.x the Docker client talks to registries over HTTPS by default, but the private registry set up here only serves plain HTTP, so any interaction with it fails with an error.
Solution:
1. Create a daemon.json file under /etc/docker
touch daemon.json
2. Edit daemon.json
vim daemon.json
{"insecure-registries":["192.168.1.199:5000"]}
This setting tells the daemon to treat that private registry as trusted even though it serves plain HTTP. Restart Docker afterwards.
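Two things go wrong in practice with this step: an existing /etc/docker/daemon.json (log driver, storage options, proxies) gets overwritten by the one-line file, and the insecure entry is written wider than needed (a CIDR range instead of one host:port), which exempts every address in that range from TLS and certificate checks. The following is an added example, not code from the original post or from Docker, that merges the entry into whatever is already in daemon.json and only accepts an explicit host:port. The function names, the HOST_PORT pattern and the temp-file-then-rename write are this example's own choices.

```python
# Added example (not from the original post or from Docker): add an insecure-registries
# entry to /etc/docker/daemon.json without losing the settings already in the file, and
# refuse anything broader than one host:port.
import json
import os
import re
from typing import List

# Explicit host:port only (assumption of this example). Docker itself also accepts CIDR
# ranges here, but a range turns off TLS/certificate checks for every address in it.
HOST_PORT = re.compile(r"^(?P<host>[A-Za-z0-9.-]+):(?P<port>\d{1,5})$")


def validate_registry(entry: str) -> str:
    """Return `entry` unchanged if it is a host:port with a valid port, else raise."""
    m = HOST_PORT.match(entry)
    if not m or not 1 <= int(m.group("port")) <= 65535:
        raise ValueError(f"expected host:port, got {entry!r}")
    return entry


def insecure_registries(daemon_text: str) -> List[str]:
    """Read the insecure-registries list back out of daemon.json text."""
    config = json.loads(daemon_text) if daemon_text.strip() else {}
    return list(config.get("insecure-registries", []))


def merged_daemon_config(existing_text: str, registries: List[str]) -> str:
    """Return new daemon.json text: other keys kept, entries added once, no duplicates."""
    config = json.loads(existing_text) if existing_text.strip() else {}
    if not isinstance(config, dict):
        raise ValueError("daemon.json must contain a JSON object")
    current = list(config.get("insecure-registries", []))
    for reg in registries:
        reg = validate_registry(reg)
        if reg not in current:
            current.append(reg)
    config["insecure-registries"] = current
    return json.dumps(config, indent=2, sort_keys=True) + "\n"


def update_daemon_json(path: str, registries: List[str]) -> str:
    """Read, merge and write back. The file is written to a temp name and renamed, so an
    interrupted write cannot leave a truncated daemon.json that stops the daemon starting."""
    existing = ""
    if os.path.exists(path):
        with open(path, "r", encoding="utf-8") as fh:
            existing = fh.read()
    new_text = merged_daemon_config(existing, registries)
    tmp = path + ".tmp"
    with open(tmp, "w", encoding="utf-8") as fh:
        fh.write(new_text)
    os.replace(tmp, path)
    return new_text


if __name__ == "__main__":
    # On the 198 host, as root, for the registry from this post; then restart the daemon
    # with `systemctl restart docker` for the change to take effect.
    print(update_daemon_json("/etc/docker/daemon.json", ["192.168.1.199:5000"]))
```

Running the merge twice yields the same single entry, and a pre-existing key such as "log-driver" survives, which is the property the one-line file in the step above does not have.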
IV. Push an image to the private registry
1. Pull a test image from the default registry
docker pull hello-world
2. To push to the private registry, the image must first be tagged with the registry address
docker tag hello-world 192.168.1.199:5000/hello-world
Running docker images now shows the new tag.
3. Push to the private registry
docker push 192.168.1.199:5000/hello-world
That is all it takes.
4. Pull the image from the private registry
docker pull 192.168.1.199:5000/hello-world
V. Managing images in the registry
1. List the repositories held in the registry
http://192.168.1.199:5000/v2/_catalog
2. Delete an image (use with care)
First get the digest; it is returned in the Docker-Content-Digest response header:
curl --header "Accept: application/vnd.docker.distribution.manifest.v2+json" -I -X HEAD http://192.168.1.199:5000/v2/hello-world/manifests/latest
curl -X DELETE http://192.168.1.199:5000/v2/hello-world/manifests/sha256:3a07b4e06c73b2e3924008270c7f3c3c6e3f70d4dbb814ad8bff2697123ca33c
Once that runs the image is gone, and pulling it again fails.
For more detail on deletion see the blog post at https://www.jb51.net/article/124549.htm
and the official documentation:
https://docs.docker.com/registry/configuration/#override-specific-configuration-options
This is not explored further here.
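The two curl calls above are a small protocol exchange: HEAD the manifest with the schema-2 Accept header, read the digest from Docker-Content-Digest, then DELETE by that digest (the registry answers 202 Accepted, or 405 when REGISTRY_STORAGE_DELETE_ENABLED was not set). The following is an added example, not code from the original post or from the registry project, that performs the same exchange with the standard library and includes a constructed in-process stand-in for the registry so it can be run offline. The stand-in, its digests V2_DIGEST and SCHEMA1_DIGEST, and the function names are this example's own; it models the documented behaviour that a HEAD without the v2 Accept header can return a different (schema 1) digest, which is why the header in the curl command matters. Deleting a manifest does not free the underlying layers; that needs the registry's garbage-collect command, which is outside the scope of this post.

```python
# Added example (not from the original post or the registry project): catalog, digest lookup
# and delete against the registry API, plus a constructed fake registry for offline runs.
import http.client
import json
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Dict, List, Optional, Tuple

MANIFEST_V2 = "application/vnd.docker.distribution.manifest.v2+json"


def _call(host: str, method: str, path: str, headers: Optional[Dict[str, str]] = None) -> Tuple[int, Optional[str], bytes]:
    """One plain-HTTP request; returns (status, Docker-Content-Digest header, body)."""
    conn = http.client.HTTPConnection(host, timeout=5)
    try:
        conn.request(method, path, headers=headers or {})
        resp = conn.getresponse()
        return resp.status, resp.getheader("Docker-Content-Digest"), resp.read()
    finally:
        conn.close()


def list_repositories(host: str) -> List[str]:
    """GET /v2/_catalog -> repository names (the URL from step 1 above)."""
    status, _, body = _call(host, "GET", "/v2/_catalog")
    return json.loads(body).get("repositories", []) if status == 200 else []


def manifest_digest(host: str, repo: str, tag: str, accept: str = MANIFEST_V2) -> Optional[str]:
    """HEAD the manifest; the digest comes back in Docker-Content-Digest."""
    status, digest, _ = _call(host, "HEAD", f"/v2/{repo}/manifests/{tag}", {"Accept": accept})
    return digest if status == 200 else None


def delete_manifest(host: str, repo: str, digest: str) -> bool:
    """DELETE /v2/<repo>/manifests/<digest>; 202 Accepted means it is gone."""
    status, _, _ = _call(host, "DELETE", f"/v2/{repo}/manifests/{digest}")
    return status == 202


# ---- constructed stand-in for the registry: only the three calls above are modelled ----
V2_DIGEST = "sha256:" + "ab" * 32       # constructed placeholder, not a real digest
SCHEMA1_DIGEST = "sha256:" + "cd" * 32  # what an old registry hands out without the v2 Accept header


class _FakeRegistry(BaseHTTPRequestHandler):
    repositories = ["hello-world"]
    manifests = {("hello-world", "latest"): V2_DIGEST}  # (repo, tag) -> digest

    def log_message(self, *args):  # keep the demo quiet
        pass

    def _reply(self, status: int, body: bytes = b"", extra: Optional[Dict[str, str]] = None) -> None:
        self.send_response(status)
        for k, v in (extra or {}).items():
            self.send_header(k, v)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        if body and self.command != "HEAD":
            self.wfile.write(body)

    def _ref(self) -> Tuple[Optional[str], Optional[str]]:
        # /v2/<repo>/manifests/<tag-or-digest>
        repo, sep, ref = self.path[len("/v2/"):].rpartition("/manifests/")
        return (repo, ref) if sep else (None, None)

    def do_GET(self):
        if self.path == "/v2/_catalog":
            body = json.dumps({"repositories": self.repositories}).encode()
            self._reply(200, body, {"Content-Type": "application/json"})
        else:
            self._reply(404)

    def do_HEAD(self):
        repo, tag = self._ref()
        digest = self.manifests.get((repo, tag))
        if digest is None:
            self._reply(404)
            return
        if MANIFEST_V2 not in self.headers.get("Accept", ""):
            digest = SCHEMA1_DIGEST
        self._reply(200, extra={"Docker-Content-Digest": digest})

    def do_DELETE(self):
        repo, digest = self._ref()
        keys = [k for k, v in self.manifests.items() if k[0] == repo and v == digest]
        if not keys:
            self._reply(404)
            return
        for k in keys:
            del self.manifests[k]
        self._reply(202)


def start_fake_registry() -> str:
    """Start the stand-in on a free loopback port and return 'host:port'."""
    server = HTTPServer(("127.0.0.1", 0), _FakeRegistry)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return f"127.0.0.1:{server.server_address[1]}"


if __name__ == "__main__":
    # Replace with "192.168.1.199:5000" to run the same calls against the registry from this post.
    host = start_fake_registry()
    print("repositories:", list_repositories(host))
    digest = manifest_digest(host, "hello-world", "latest")
    print("digest:", digest, "deleted:", delete_manifest(host, "hello-world", digest or ""))
```

Against the fake, the digest obtained without the v2 Accept header differs from the one DELETE needs, which reproduces the failure mode the Accept header in the curl command avoids; after a successful DELETE the HEAD returns 404 and a second DELETE is refused.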