一,容器端口映射:
[root@foundation92 Desktop]# docker run -d --name web -p 8080:80 nginx #将本机的8080端口映射到容器的80端口
[root@foundation92 Desktop]# docker inspect web #查看容器信息,获取容器IP
浏览器测试:
可以看见使用本机:172.25.254.92:8080和使用容器:172.17.0.2:80访问可以看见同样的效果。
同样:可以查看iptables的nat表看见端口映射的情况:iptables -nL -t nat
在nat网络模式下进行容器端口映射的时候要防止和本机的端口冲突
二,容器间互联:
--link 参数可以在不映射端口的前提下为两个容器间建立安全连接, --link 参数可以连接一个或多个容器到将要创建的容器。
--link 参数的格式为 --link name:alias,其中 name 是要链接的容器的名称,alias 是这个连接的别名
[root@foundation92 Desktop]# docker run -d --name web1 nginx
root@foundation92 Desktop]# docker run -it --name web2 --link web1:web3 nginx bash #新建容器web2,并将web1连接到web2,取名为web3,但是web3本身不是容器
root@891278bc09b3:/# cat /etc/hosts
127.0.0.1 localhost
::1 localhost ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
172.17.0.2 web3 cbf7dff3dfb2 web1
172.17.0.3 891278bc09b3
root@a78b76ddc807:/# ping web3 #pingweb3可以ping通
PING web3 (172.17.0.2): 56 data bytes
64 bytes from 172.17.0.2: icmp_seq=0 ttl=64 time=0.071 ms
64 bytes from 172.17.0.2: icmp_seq=1 ttl=64 time=0.049 ms
^C--- web3 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.049/0.060/0.071/0.000 ms
root@a78b76ddc807:/# ping web2
^C
root@a78b76ddc807:/# ping web1 #可以ping通
PING web3 (172.17.0.2): 56 data bytes
64 bytes from 172.17.0.2: icmp_seq=0 ttl=64 time=0.071 ms
^C--- web3 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.071/0.071/0.071/0.000 ms
#说明web1和web3时同一个容器
在使用Docker的时候,经常可能需要连接到其他的容器,比如:web服务需要连接数据库。按照往常的做法,需要先启动数据库的容器,映射出端口来,然后配置好客户端的容器,再去访问。其实针对这种场景,Docker提供了--link 参数来满足
三,docker私有仓库的搭建并配置仓库认证:
为什么还要搭建私有仓库?
dockerhub上镜像的上传和下载速度可能会有影响,而且依赖与网络带宽。
[root@foundation92 Desktop]# docker push nginx
The push refers to a repository [docker.io/library/nginx]
5f70bf18a086: Preparing
3f3324023e75: Preparing
f0d7d68f89e5: Preparing
917c0fc99b35: Preparing
unauthorized: authentication required
可以看见上传镜像受阻。
原因是网络受阻:
[root@foundation92 Desktop]# ping docker.io
PING docker.io (**34.234.103.99**) 56(84) bytes of data
#创建仓库(临时测试(不安全,未添加认证)):
docker run -d -p 5000:5000 --name registry registry:2.3.1 #用仓库镜像registry:2.3.1创建仓库registry
docker tag game2048 172.25.254.92:5000/game2048 #将本地镜像game2048修改名字为172.25.254.92:5000/game2048
[root@foundation92 Desktop]# docker push 172.25.254.92:5000/game2048 #上传172.25.254.92:5000/game2048镜像到本地仓库,发现报错,只支持HTTPS上传
The push refers to a repository [172.25.254.92/game2048]
Get https://172.25.254.92/v1/_ping: dial tcp 172.25.254.92:443: getsockopt: connection refused
临时解决方案:
vim /etc/docker/daemon.json
{
"insecure-registries": ["172.25.254.92:5000"]
}
再次上传成功:
[root@foundation92 Desktop]# docker push 172.25.254.92:5000/game2048
The push refers to a repository [172.25.254.92:5000/game2048]
88fca8ae768a: Pushed
6d7504772167: Pushed
192e9fad2abc: Pushed
36e9226e74f8: Pushing [======> ] 6.742 MB/50.1 MB
36e9226e74f8: Pushed
011b303988d2: Pushed
latest: digest: sha256:50161c2b145b2b0b39db214e873393ce71c666d7d69cea1941bb009115dda2e5 size: 1364
#创建加密的仓库:
创建公钥和私钥:
mkdir /tmp/docker/certs
cd /tmp/docker
root@foundation92 docker]# openssl req -newkey rsa:4096 -nodes -sha256 -keyout certs/domain.key -x509 -days 365 -out certs/domain.crt #创建密钥
Generating a 4096 bit RSA private key
.....++
................................................................................................................................................................................................................................................................................++
writing new private key to 'certs/domain.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:shaanxi
Locality Name (eg, city) [Default City]:xi;an
Organization Name (eg, company) [Default Company Ltd]:redhat
Organizational Unit Name (eg, section) []:linux
Common Name (eg, your name or your server's hostname) []:mytestregistry.com
Email Address []:root@:mytestregistry.com
[root@foundation92 docker]# cd certs/
[root@foundation92 certs]# ls
domain.crt domain.key
创建加密仓库:
mkdir -p /etc/docker/certs.d/mytestregistry.com
cp /tmp/docker/domain.crt /etc/docker/certs.d/mytestregistry.com/ca.crt
vim /etc/hosts
172.25.254.92 mytestregistry.com
docker run -d --restart=always --name=mytestregistry -v /tmp/docker/certs:/certs -v /opt/mytestregistry:/var/lib/registry -e REGISTRY_HTTP_ADDR=0.0.0.0:443 -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt -e REGISTRY_HTTP_TLS_KEY=/certs/domain.key -p 443:443 registry:2.3.1 #创建加密仓库,并将本地仓库/opt/mytestregistry映射到容器的/var/lib/registry目录
docker tag game2048 mytestregistry.com/game2048 #将所需要上传的镜像重新命名
mv /etc/docker/daemon.json #移除解决临时上传的文件
root@foundation92 certs]# docker push mytestregistry.com/game2048 #可以看出成功完成加密上传。
The push refers to a repository [mytestregistry.com/game2048]
88fca8ae768a: Pushed
6d7504772167: Pushed
192e9fad2abc: Pushed
36e9226e74f8: Pushed
011b303988d2: Pushed
latest: digest: sha256:50161c2b145b2b0b39db214e873393ce71c666d7d69cea1941bb009115dda2e5 size: 1364
[root@foundation92 repositories]# cd /opt/mytestregistry/docker/registry/v2/repositories #进入本地仓库目录查看上传的镜像
[root@foundation92 repositories]# ls
game2048
#从本地仓库中获取镜像:
docker rmi mytestregistry.com/game2048 #删除本第改名的game2048镜像
Untagged: mytestregistry.com/game2048:latest
Untagged: mytestregistry.com/game2048@sha256:50161c2b145b2b0b39db214e873393ce71c666d7d69cea1941bb009115dda2e5
docker rmi game2048 #删除原本的game2048镜像
Untagged: game2048:latest
Deleted: sha256:19299002fdbedc133c625488318ba5106b8a76ca6e34a6a8fec681fb54f5e4c7
Deleted: sha256:a8ba4f00c5b89c2994a952951dc7b043f18e5ef337afdb0d4b8b69d793e9ffa7
Deleted: sha256:e2ea5e1f4b9cfe6afb588167bb38d833a5aa7e4a474053083a5afdca5fff39f0
Deleted: sha256:1b2dc5f636598b4d6f54dbf107a3e34fcba95bf08a7ab5a406d0fc8865ce2ab2
Deleted: sha256:af457147a7ab56e4d77082f56d1a0d6671c1a44ded1f85fea99817231503d7b4
Deleted: sha256:011b303988d241a4ae28a6b82b0d8262751ef02910f0ae2265cb637504b72e36
docker pull mytestregistry.com/game2048 #从本地仓库中下载上传的game2048(修改过镜像名称)jingx
Using default tag: latest
latest: Pulling from game2048
3690ec4760f9: Pull complete
2e2d6e8f545b: Pull complete
aa8a6a9d7067: Pull complete
173507b749da: Pull complete
dc19969f59b2: Pull complete
Digest: sha256:50161c2b145b2b0b39db214e873393ce71c666d7d69cea1941bb009115dda2e5
Status: Downloaded newer image for mytestregistry.com/game2048:latest
docker tag mytestregistry.com/game2048 game2048 #重新改回镜像名称,恢复镜像
#仓库认证:
cd /tmp/docker/
mkdir auth #创建存放认证帐号密码文件的目录
[root@foundation92 docker]# docker run --entrypoint htpasswd registry:2.3.1 -Bbn authtest authtestpasswd > auth/htpasswd #创建认证的帐号和密码
[root@foundation92 docker]# cd auth/
[root@foundation92 auth]# ls
htpasswd
[root@foundation92 auth]# cat htpasswd #查看存放认证帐号和密码的文件
authtest:$2y$05$ymWyu11dw/TG9.3xEAWWA.9YfYSQo.x6KV2DYzmg2hLvnC0eAojGa
[root@foundation92 docker]# cd /opt/
[root@foundation92 opt]# mkdir mytestregistryauth #创建认证仓库的本地目录
[root@foundation92 auth]# docker run -d --restart=always --name=mytestregistryauth -v /tmp/docker/certs:/certs -v /opt/mytestregistryauth/:/var/lib/registry -v /tmp/docker/auth/:/auth -e REGISTRY_AUTH=htpasswd -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd -e REGISTRY_HTTP_ADDR=0.0.0.0:443 -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt -e REGISTRY_HTTP_TLS_KEY=/certs/domain.key -p 443:443 registry:2.3.1 #创建加密和认证仓库
244f10f6b5c9e92343a9faae3a8710070c0822b678c4bd18d1959dd9d0e68d79
[root@foundation92 auth]# docker tag nginx mytestregistry.com/nginx
[root@foundation92 auth]# docker push mytestregistry.com/nginx #上传镜像,上传不成功,是因为仓库需要认证
The push refers to a repository [mytestregistry.com/nginx]
5f70bf18a086: Preparing
3f3324023e75: Preparing
f0d7d68f89e5: Preparing
917c0fc99b35: Preparing
no basic auth credentials
[root@foundation92 auth]# docker login -u authtest -p authtestpasswd mytestregistry.com #登陆仓库
Login Succeeded
[root@foundation92 auth]# docker push mytestregistry.com/nginx #成功上传镜像
The push refers to a repository [mytestregistry.com/nginx]
5f70bf18a086: Pushed
3f3324023e75: Pushed
f0d7d68f89e5: Pushed
917c0fc99b35: Pushed
latest: digest: sha256:32d30bd4dd97cddf9c476ea4665149577601741fedf6e91256f552b2975005f9 size: 1978
#查看仓库的镜像:
[root@foundation92 repositories]# cd /opt/mytestregistryauth/docker/registry/v2/repositories
[root@foundation92 repositories]# ls
nginx