Setting up a private Docker registry and pulling images from Alibaba Cloud

I. Pulling images from Alibaba Cloud

1. Register an Alibaba Cloud account and obtain a registry mirror (accelerator) address

2. Edit the configuration file as instructed

[root@server1 ~]# mkdir -p /etc/docker
[root@server1 ~]# vim /etc/docker/daemon.json
[root@server1 docker]# cat daemon.json
{
"registry-mirrors": ["https://2kb9s7p2.mirror.aliyuncs.com"]
}

3. Restart docker and pull the image

[root@server1 ~]# systemctl daemon-reload
[root@server1 ~]# systemctl restart docker
[root@server1 ~]# docker history nginx:latest
[root@server1 ~]# docker pull nginx ## pull the image; with the mirror address the download speed is considerable
Using default tag: latest
latest: Pulling from library/nginx
743f2d6c1f65: Pull complete
6bfc4ec4420a: Pull complete
688a776db95f: Pull complete
Digest: sha256:23b4dcdf0d34d4a129755fc6f52e1c6e23bb34ea011b315d87e193033bcd1b68
Status: Downloaded newer image for nginx:latest
[root@server1 ~]# docker history nginx:latest

We can see that our nginx image has been updated to a newer version.

II. Setting up a private registry

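Pulling images from Alibaba Cloud is convenient, but it is limited by network speed.
However, Docker has open-sourced the registry, which makes it easy to quickly build an enterprise private registry.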

1. Load the registry image

[root@server1 ~]# docker load  -i registry2.tar 
d9ff549177a9: Loading layer  4.671MB/4.671MB
f641ef7a37ad: Loading layer  1.587MB/1.587MB
d5974ddb5a45: Loading layer  20.08MB/20.08MB
5bbc5831d696: Loading layer  3.584kB/3.584kB
73d61bf022fd: Loading layer  2.048kB/2.048kB
Loaded image: registry:2
[root@server1 ~]# docker search  registry

The search results show the name of the officially provided image.

2. Run the registry container

[root@server1 ~]# docker run  -d --name registry -p 5000:5000 -v /opt/registry:/var/lib/registry registry:2
e35bf45c00addc58815e225e0b860a771c9d4f45fe4999809c2632843b5df284
[root@server1 ~]# docker ps
CONTAINER ID        IMAGE               COMMAND                  CREATED             STATUS              PORTS                    NAMES
e35bf45c00ad        registry:2          "/entrypoint.sh /etc…"   7 seconds ago       Up 4 seconds        0.0.0.0:5000->5000/tcp   registry

3. Push an image to the local registry. The local image name must be prefixed with the registry's IP and port.

[root@server1 ~]# docker tag nginx:latest localhost:5000/nginx
[root@server1 ~]# docker images localhost:5000/nginx
REPOSITORY             TAG                 IMAGE ID            CREATED             SIZE
localhost:5000/nginx   latest              53f3fd8007f7        3 weeks ago         109MB

[root@server1 ~]# docker push  localhost:5000/nginx
The push refers to repository [localhost:5000/nginx]
332fa54c5886: Pushed 
6ba094226eea: Pushed 
6270adb5794c: Pushed 
latest: digest: sha256:e770165fef9e36b990882a4083d8ccf5e29e469a8609bb6b2e3b47d9510e2c8d size: 948

[root@server1 registry]# curl http://localhost:5000/v2/_catalog
{"repositories":["nginx"]}
[root@server1 registry]# docker pull  localhost:5000/nginx
Using default tag: latest
latest: Pulling from nginx
Digest: sha256:e770165fef9e36b990882a4083d8ccf5e29e469a8609bb6b2e3b47d9510e2c8d
Status: Image is up to date for localhost:5000/nginx:latest

4. Pull the image from the private registry

[root@server1 registry]# docker pull localhost:5000/nginx
Using default tag: latest
latest: Pulling from nginx
743f2d6c1f65: Pull complete 
6bfc4ec4420a: Pull complete 
688a776db95f: Pull complete 
Digest: sha256:e770165fef9e36b990882a4083d8ccf5e29e469a8609bb6b2e3b47d9510e2c8d
Status: Downloaded newer image for localhost:5000/nginx:latest
[root@server1 registry]# docker images
localhost:5000/nginx   latest              53f3fd8007f7        3 weeks ago         109MB
The local image can be renamed by retagging it
[root@server1 registry]# docker tag localhost:5000/nginx:latest nginx
[root@server1 registry]# docker images
localhost:5000/nginx   latest              53f3fd8007f7        3 weeks ago         109MB
nginx                  latest              53f3fd8007f7        3 weeks ago         109MB

III. Users pulling images from the registry, and security authentication

registry

[root@server1 ~]# cd /tmp/docker/
[root@server1 docker]# mkdir -p certs
[root@server1 docker]# ls
certs  Dockerfile  dvd.repo  nginx-1.15.8.tar.gz  website
[root@server1 docker]# openssl req -newkey rsa:4096 -nodes -sha256 -keyout certs/redhat.org.key -x509 -days 365 -out certs/redhat.org.crt
Generating a 4096 bit RSA private key
........++
..........................................................................................................................................++
writing new private key to 'certs/redhat.org.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:shaanxi
Locality Name (eg, city) [Default City]:changan
Organization Name (eg, company) [Default Company Ltd]:redhat
Organizational Unit Name (eg, section) []:linux
Common Name (eg, your name or your server's hostname) []:redhat.org
Email Address []:[email protected]
[root@server1 docker]# vim /etc/hosts
[root@server1 docker]# docker ps
CONTAINER ID        IMAGE               COMMAND                  CREATED             STATUS              PORTS                            NAMES
356798431cf3        registry:2          "/entrypoint.sh /etc…"   13 minutes ago      Up 13 minutes       0.0.0.0:443->443/tcp, 5000/tcp   registry
[root@server1 docker]# docker rm -f registry
registry
[root@server1 docker]# docker run -d --restart=always --name registry -v /tmp/docker/certs:/certs -e REGISTRY_HTTP_ADDR=0.0.0.0:443 -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/redhat.org.crt -e REGISTRY_HTTP_TLS_KEY=/certs/redhat.org.key -p 443:443 -v /opt/registry:/var/lib/registry registry:2
fae20650701f8c6e198647965aa2a2fb9e126a470b7a34caeab078c5913af6c6
[root@server1 docker]# cd /etc/docker/
[root@server1 docker]# mkdir certs.d
[root@server1 docker]#  cd certs.d/
[root@server1 certs.d]# ls
[root@server1 certs.d]# mkdir redhat.org
[root@server1 certs.d]# cd redhat.org/
[root@server1 redhat.org]# cp /tmp/docker/certs/redhat.org.crt ca.crt
[root@server1 redhat.org]# docker tag game2048:latest redhat.org/game2048
[root@server1 redhat.org]# docker push redhat.org/game2048
Pushing from the local host works without problems
The push refers to repository [redhat.org/game2048]
88fca8ae768a: Pushed 
6d7504772167: Pushed 
192e9fad2abc: Pushed 
36e9226e74f8: Pushed 
011b303988d2: Pushed 
latest: digest: sha256:8a34fb9cb168c420604b6e5d32ca6d412cb0d533a826b313b190535c03fe9390 size: 1364

docker client

systemctl start docker				## start docker
vim /etc/hosts								## add a local name resolution entry
172.25.61.1   server1 redhat.org
[root@server2 docker]# cd /etc/docker/
[root@server2 docker]# ls
key.json
[root@server2 docker]# mkdir certs.d
[root@server2 docker]# ls
certs.d  key.json
[root@server2 docker]# cd certs.d/
[root@server2 certs.d]# ls
[root@server2 certs.d]# mkdir redhat.org
server1 sends ca.crt to server2
[root@server1 ~]# scp /etc/docker/certs.d/redhat.org/ca.crt server2:/etc/docker/certs.d/redhat.org/
root@server2's password: 
ca.crt                                                 100% 2102     2.1KB/s   00:00    
Pull the images
[root@server2 redhat.org]# docker pull redhat.org/nginx
Using default tag: latest
latest: Pulling from nginx
743f2d6c1f65: Pull complete 
6bfc4ec4420a: Pull complete 
688a776db95f: Pull complete 
Digest: sha256:e770165fef9e36b990882a4083d8ccf5e29e469a8609bb6b2e3b47d9510e2c8d
Status: Downloaded newer image for redhat.org/nginx:latest
[root@server2 redhat.org]# docker pull redhat.org/game2048
Using default tag: latest
latest: Pulling from game2048
534e72e7cedc: Pull complete 
f62e2f6dfeef: Pull complete 
fe7db6293242: Pull complete 
3f120f6a2bf8: Pull complete 
4ba4e6930ea5: Pull complete 
Digest: sha256:8a34fb9cb168c420604b6e5d32ca6d412cb0d533a826b313b190535c03fe9390
Status: Downloaded newer image for redhat.org/game2048:latest
[root@server2 redhat.org]# history

IV. Login authentication

[root@server1 ~]# cd /tmp/docker/
[root@server1 docker]# ls
certs  Dockerfile  dvd.repo  nginx-1.15.8.tar.gz  website
[root@server1 docker]# mkdir auth
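Set the login name and password. Note that the second command also redirects with >, so it overwrites the entry written for yzm; only wx remains in the file, as the cat output shows.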
[root@server1 docker]# docker run --rm --entrypoint htpasswd registry:2 -Bbn yzm redhat > auth/htpasswd
[root@server1 docker]# docker run --rm --entrypoint htpasswd registry:2 -Bbn wx red > auth/htpasswd
[root@server1 docker]# cat auth/htpasswd 
wx:$2y$05$spbglwMcTx9iTyKNc6iCs.S34SfdGAe.1GRbs.C7ANmQiGQGSAD4m
[root@server1 docker]# docker run -d --restart=always --name registry -v /tmp/docker/certs:/certs -e REGISTRY_HTTP_ADDR=0.0.0.0:443 -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/redhat.org.crt -e REGISTRY_HTTP_TLS_KEY=/certs/redhat.org.key -p 443:443 -v /opt/registry:/var/lib/registry  -v /tmp/docker/auth:/auth  -e "REGISTRY_AUTH=htpasswd" -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd registry:2
b9c8d99340fc1c5eb8f41ffee68cd8ae36566c0c98fcd6465221c481f2a016b5
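The following is an added example, not part of the original post: a small Python audit of an htpasswd file like the one mounted at /auth/htpasswd above. It reports users that were expected but are missing (for example because a > redirect overwrote the file), entries that are not bcrypt (the registry's htpasswd auth only supports bcrypt), and bcrypt entries with a low cost factor. The function name, the min_cost floor of 10 and the ci sample line are assumptions made for illustration.

```python
import re

# bcrypt entry: $2y$<2-digit cost>$<53 chars of salt+hash>
BCRYPT_RE = re.compile(r"^\$2[abxy]\$(\d{2})\$[./A-Za-z0-9]{53}$")

def audit_htpasswd(text, expected_users=(), min_cost=10):
    """Return (users, findings); findings are (user, issue) tuples.

    min_cost=10 is an assumed local policy floor, not a registry requirement.
    """
    users, findings = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        user, sep, digest = line.partition(":")
        if not sep or not user:
            findings.append((line, "malformed"))
            continue
        if user in users:
            findings.append((user, "duplicate"))
        users.append(user)
        match = BCRYPT_RE.match(digest)
        if match is None:
            findings.append((user, "not-bcrypt"))
        elif int(match.group(1)) < min_cost:
            findings.append((user, "low-cost"))
    # Users that were meant to exist but are absent, e.g. clobbered by '>'.
    for user in expected_users:
        if user not in users:
            findings.append((user, "missing"))
    return users, findings

# Constructed sample: the wx line is the one shown on this page; the ci
# line is a made-up non-bcrypt ({SHA}) entry.
SAMPLE = """\
wx:$2y$05$spbglwMcTx9iTyKNc6iCs.S34SfdGAe.1GRbs.C7ANmQiGQGSAD4m
ci:{SHA}AAAAAAAAAAAAAAAAAAAAAAAAAAA=
"""

if __name__ == "__main__":
    users, findings = audit_htpasswd(SAMPLE, expected_users=("yzm", "wx"))
    print("users:", users)
    for who, issue in findings:
        print(f"{who}: {issue}")
```

The wx entry is flagged as low-cost because htpasswd -B uses a bcrypt cost of 5 unless -C is given.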
Once password authentication is configured, images cannot be pushed without logging in first
[root@server1 docker]# docker push redhat.org/nginx
The push refers to repository [redhat.org/nginx]
332fa54c5886: Preparing 
6ba094226eea: Preparing 
6270adb5794c: Preparing 
no basic auth credentials
After logging in, the push succeeds; the username and password are the ones set earlier
[root@server1 docker]# docker login redhat.org
Username: wx
Password: 
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded
[root@server1 docker]# docker push redhat.org/nginx
The push refers to repository [redhat.org/nginx]
332fa54c5886: Layer already exists 
6ba094226eea: Layer already exists 
6270adb5794c: Layer already exists 
latest: digest: sha256:e770165fef9e36b990882a4083d8ccf5e29e469a8609bb6b2e3b47d9510e2c8d size: 948
[root@server1 docker]# 
The docker client also has to log in before it can pull images
[root@server2 redhat.org]# docker pull  redhat.org/rhel7
Using default tag: latest
Error response from daemon: Get https://redhat.org/v2/rhel7/manifests/latest: no basic auth credentials
[root@server2 redhat.org]# docker login  redhat.org
Username: wx
Password: 
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded
[root@server2 redhat.org]#  docker push  redhat.org/rhel7
The push refers to repository [redhat.org/rhel7]
An image does not exist locally with the tag: redhat.org/rhel7
[root@server2 redhat.org]# docker pull  redhat.org/rhel7
Using default tag: latest
latest: Pulling from rhel7
48f5bbc9baf5: Extracting  51.53MB/51.53MB
48f5bbc9baf5: Pull complete 
Digest: sha256:58cd9120a4194edb0de4377b71bd564953255a1422baa1bbd9cb23d521c6873b
Status: Downloaded newer image for redhat.org/rhel7:latest
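
The docker login warning shown above says the password is stored unencrypted in /root/.docker/config.json. The following added example (not part of the original post) audits such a file: it lists each registry whose login is stored inline, shows that the auth field is only base64 of user:password, and reports whether a credential helper is configured and whether the file is readable by other users. The function names, the helper.example registry and the 0644 file mode are assumptions constructed for the demonstration.

```python
import base64
import json
import os
import stat
import tempfile

def audit_docker_config(path):
    """List registries whose login is stored inline in a Docker config.json."""
    with open(path, encoding="utf-8") as fh:
        cfg = json.load(fh)
    helpers = cfg.get("credHelpers", {})
    store = cfg.get("credsStore")
    mode = stat.S_IMODE(os.stat(path).st_mode)
    report = []
    for registry, entry in cfg.get("auths", {}).items():
        blob = entry.get("auth", "")
        if not blob:
            continue  # empty entry: the secret is held by a credential helper
        # "auth" is base64("user:password"): an encoding, not encryption.
        decoded = base64.b64decode(blob).decode("utf-8", "replace")
        report.append({
            "registry": registry,
            "user": decoded.partition(":")[0],  # password is never returned
            "helper": helpers.get(registry) or store,
            "readable_by_others": bool(mode & 0o077),
        })
    return report

def demo():
    """Audit a constructed config.json that mimics the state after docker login."""
    sample = {  # constructed sample; wx / red are the credentials set on this page
        "auths": {
            "redhat.org": {"auth": base64.b64encode(b"wx:red").decode()},
            "helper.example": {},  # hypothetical registry using a helper
        }
    }
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "config.json")
        with open(path, "w", encoding="utf-8") as fh:
            json.dump(sample, fh)
        os.chmod(path, 0o644)  # simulate a config readable by other users
        return audit_docker_config(path)

if __name__ == "__main__":
    for row in demo():
        print(row)
```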