1.创建一个阿里云账户
https://www.aliyun.com/
2.配置镜像加速器
[root@server1 docker]# pwd
/etc/docker
[root@server1 docker]# ls
key.json
[root@server1 docker]# vim daemon.json
{
"registry-mirrors": ["https://4nlobfqm.mirror.aliyuncs.com"]
}
3.重新加载配置,重启服务
[root@server1 docker]# systemctl daemon-reload
[root@server1 docker]# systemctl restart docker
4.查询镜像(确保可以上网)
[root@server1 docker]# docker search nginx #在阿里云上查找nginx的镜像
注意:官方镜像的名称前面不带用户名前缀(如 nginx、mariadb),带"用户名/"前缀的是个人或第三方上传的镜像
[root@server1 docker]# docker pull mariadb
[root@server1 images]# docker load -i registry2.tar
注意:查看时会发现镜像里定义了volume,运行时默认会自动生成一个挂载位置,但此时并没有生成;下面用 -v 把它指定到 /opt/registry
[root@server1 docker]# docker run -d --name registry -v /opt/registry/:/var/lib/registry -p 5000:5000 registry:2
3aab170f9c4653ff56561f1719536b45392725e173db2fea21ce166ed4c33222
注意:如果出现IPv4转发相关的警告信息,用下面的命令开启ip_forward(sysctl -w 只是临时生效,重启后需要重新设置):
[root@server1 repositories]# sysctl -w net.ipv4.ip_forward=1
net.ipv4.ip_forward = 1
[root@server1 repositories]# sysctl -a | grep ip_forward
net.ipv4.ip_forward = 1
net.ipv4.ip_forward_use_pmtu = 0
用tag命名
[root@server1 docker]# docker tag nginx localhost:5000/nginx
在本地上传镜像:
[root@server1 docker]# docker push localhost:5000/nginx
[root@server1 registry]# pwd
/opt/registry
[root@server1 registry]# ls
docker
[root@server1 registry]# tree .
[root@server1 registry]# curl localhost:5000/v2/_catalog
{"repositories":["nginx"]}
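此时仓库里有nginx镜像
注意:这个仓库走的是明文HTTP,没有任何认证,-p 5000:5000 又监听在所有网卡上,只适合本机测试;下面给它加上TLS和认证
1.生成自签名证书(-nodes 表示私钥不加密保存,westos.org.key 要妥善保管)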
[root@server1 ~]# openssl req -newkey rsa:4096 -nodes -sha256 -keyout certs/westos.org.key -x509 -days 365 -out certs/westos.org.crt
[root@server1 ~]# ls
certs images
[root@server1 ~]# cd certs/
[root@server1 certs]# ls
westos.org.crt westos.org.key
2.进行TLS加密设置
[root@server1 ~]# docker rm registry
registry
[root@server1 ~]# docker run -d \
> --restart=always \
> --name registry \
> -v "$(pwd)"/certs:/certs \ #pwd当前路径
> -e REGISTRY_HTTP_ADDR=0.0.0.0:443 \
> -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/westos.org.crt \
> -e REGISTRY_HTTP_TLS_KEY=/certs/westos.org.key \
> -v /opt/registry:/var/lib/registry \ #指定卷挂载地址(不会自己生成长串路径)
> -p 443:443 \
> registry:2
配置如果成功会出现443的端口
注意:上面命令里反斜杠后面的 # 注释只是说明,实际输入时不要带,否则续行会失效
注意:用 docker inspect registry 查看 Mounts 信息,挂载路径是我们用 -v 自己定义的
3.做地址解析
[root@server1 ~]# vim /etc/hosts
172.25.254.1 server1 westos.org
[root@server1 ~]# docker images nginx
REPOSITORY TAG IMAGE ID CREATED SIZE
nginx latest e548f1a579cf 15 months ago 109MB
[root@server1 ~]# docker tag nginx:latest westos.org/nginx
[root@server1 ~]# docker images westos.org/nginx
REPOSITORY TAG IMAGE ID CREATED SIZE
westos.org/nginx latest e548f1a579cf 15 months ago 109MB
4.将证书拷贝到 /etc/docker/certs.d/westos.org/ 目录下并命名为 ca.crt,让docker信任这个自签名证书(只拷贝 .crt,不要拷贝 .key 私钥)
[root@server1 ~]# cd /etc/docker/
[root@server1 docker]# ls
daemon.json key.json
[root@server1 docker]# mkdir certs.d
[root@server1 docker]# cd certs.d/
[root@server1 certs.d]# mkdir westos.org
[root@server1 certs.d]# cd westos.org/
[root@server1 westos.org]# cp ~/certs/westos.org.crt ca.crt
[root@server1 westos.org]# ls
ca.crt
测试:上传镜像
[root@server1 ~]# docker push westos.org/nginx
另外开启一台虚拟机,安装docker服务并打开
[root@server2 ~]# systemctl start docker
[root@server2 ~]# docker --version
Docker version 18.06.1-ce, build e68fc7a
添加解析
[root@server2 ~]# vim /etc/hosts
172.25.254.1 server1 westos.org
注意:此时在server2上无法下载server1上传的镜像,因为server2的docker还不信任server1的自签名证书
解决:将server1的 certs.d 目录(里面只有证书 ca.crt,不含私钥)发送到server2
[root@server1 ~]# cd /etc/docker/
[root@server1 docker]# ls
certs.d daemon.json key.json
[root@server1 docker]# scp -r certs.d/ server2:/etc/docker/
将server1的认证文件发送到server2的目录下
[root@server1 docker]# ls
certs.d daemon.json key.json
[root@server1 docker]# scp daemon.json server2:/etc/docker/
在server1上创建auth认证文件(htpasswd,-B 表示用bcrypt加密;-b 把密码直接写在命令行上,会留在shell历史里,这里的密码仅作演示)
[root@server1 ~]# mkdir auth
[root@server1 ~]# docker run --rm --entrypoint htpasswd registry:2 -Bbn wxh westos > auth/htpasswd
[root@server1 ~]# cat auth/htpasswd
wxh:$2y$05$wIkyZA83nGv2kk4k8ZJVzuGbmdxMfAcU4tYIUQ.Upd8V7cUzbgVNG
[root@server1 ~]# docker run --rm --entrypoint htpasswd registry:2 -Bbn lee redhat >> auth/htpasswd
[root@server1 ~]# cat auth/htpasswd
wxh:$2y$05$wIkyZA83nGv2kk4k8ZJVzuGbmdxMfAcU4tYIUQ.Upd8V7cUzbgVNG
lee:$2y$05$WklMY0LYDCLICRPBZdgq8ujnDSlV6.Syl4MFQSeHmHruT4Y0IuhFq
配置auth认证设置
[root@server1 ~]# docker rm -f registry
registry
[root@server1 ~]# docker run -d --restart=always --name registry -v "$(pwd)"/certs:/certs -e REGISTRY_HTTP_ADDR=0.0.0.0:443 -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/westos.org.crt -e REGISTRY_HTTP_TLS_KEY=/certs/westos.org.key -v /opt/registry:/var/lib/registry -v "$(pwd)"/auth:/auth -e "REGISTRY_AUTH=htpasswd" -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd -p 443:443 registry:2
a3b45b643aa2cd25e703a342b6422a9f7bc1505a48951c45afd5c6162c2f2d51
将之前的nginx的镜像删除
创建加密认证后进行镜像的拉取需要先登录
[root@server2 ~]# docker login westos.org
Username: wxh
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
登录成功后会生成 /root/.docker/config.json;如上面的WARNING所示,凭据在其中未加密保存(auth字段只是base64编码),可配置credential helper避免明文存储:
[root@server2 ~]# cat .docker/config.json
此时可以拉取: