Enterprise Ops Containers: Docker Registries

    • 1. What is a registry?
    • 2. Docker Hub
    • 3. How the Registry works
    • 4. Configuring a registry mirror (accelerator)
    • 5. Building a private registry
    • 6. Summary

1. What is a registry?

  • A Docker repository is the location that holds images. Docker provides a registry server (Registry) that stores multiple repositories, and each repository can in turn hold multiple images with different tags.
  • The default registry Docker uses at runtime is the public Docker Hub.

The Docker workflow is shown in the figure below:

[Figure 1: Docker workflow]

2. Docker Hub

Docker Hub is the public registry maintained by Docker Inc. It is free to use, and private repositories can be purchased.

  • First register an account at https://hub.docker.com/ and create a public repository on Docker Hub.
  • To upload an image from the Docker host you first have to log in:
    [root@server1 ~]# docker login
    Username: yakexi007
    Password: <enter password>
  • To tell apart same-named images from different users, Docker Hub requires image names of the form [username]/xxx:tag
    #docker tag busybox:latest yakexi007/busybox:latest
  • Push the image to Docker Hub
    #docker push yakexi007/busybox:latest
  • Pull the image from Docker Hub
    #docker pull yakexi007/busybox:latest
  • Delete the local image
    #docker rmi yakexi007/busybox:latest

3. How the Registry works

  • What happens behind a docker pull or docker push

[Figure 2: what happens during a docker pull or push]

The index service provides image indexing and user authentication. When an image is downloaded, the client first authenticates against the index service, which looks up the address of the registry holding the image and returns it to the Docker client. The Docker client then downloads the image from that registry; during the download the registry checks the validity of the client's token with the index. Different images can be stored on different registry servers, while their index information all lives on the index service.
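The client side of that handshake, as an added example (not code from the original post): a registry answers the first GET /v2/ with 401 and a WWW-Authenticate challenge. For a token-backed registry such as Docker Hub the challenge is "Bearer", so the client fetches a token from the index/auth service named in the realm and the registry validates that token; for the htpasswd registry built later in this post the challenge is "Basic" (the realm is the REGISTRY_AUTH_HTPASSWD_REALM value) and credentials go straight to the registry. The header strings below are constructed samples.

```python
"""Client side of the Docker Registry v2 authentication handshake (added example)."""
import base64
import re
from typing import Dict
from urllib.parse import urlencode

# key="value" pairs inside a challenge; values may contain ':' '/' and ','
_PARAM_RE = re.compile(r'(\w+)="([^"]*)"')

# Constructed samples: a Docker Hub style Bearer challenge and an htpasswd one.
HUB_CHALLENGE = ('Bearer realm="https://auth.docker.io/token",'
                 'service="registry.docker.io",'
                 'scope="repository:yakexi007/busybox:pull,push"')
HTPASSWD_CHALLENGE = 'Basic realm="Registry Realm"'


def parse_challenge(header: str) -> Dict[str, str]:
    """Split a WWW-Authenticate value into {"scheme", "realm", "service", "scope"}."""
    scheme, _, params = header.strip().partition(" ")
    fields = {"scheme": scheme}
    fields.update(_PARAM_RE.findall(params))
    return fields


def token_request_url(challenge: Dict[str, str]) -> str:
    """URL the client calls on the index/auth service to obtain a token.

    Only meaningful for a Bearer challenge; a Basic (htpasswd) registry has
    no separate index service.
    """
    if challenge["scheme"] != "Bearer":
        raise ValueError("token flow only applies to Bearer challenges")
    query = {k: challenge[k] for k in ("service", "scope") if k in challenge}
    return challenge["realm"] + "?" + urlencode(query)


def authorization_header(challenge: Dict[str, str], user: str, secret: str) -> str:
    """Authorization header for the next request.

    For Basic, `secret` is the password and is only base64-encoded, not
    encrypted, which is why the registry must sit behind TLS.
    For Bearer, `secret` is the token the index service returned.
    """
    if challenge["scheme"] == "Basic":
        raw = f"{user}:{secret}".encode()
        return "Basic " + base64.b64encode(raw).decode()
    return "Bearer " + secret


def scope_covers(challenge: Dict[str, str], repo: str, action: str) -> bool:
    """True if the scope the registry demanded covers repo/action.

    A token is bound to the scope it was issued for; the registry checks this
    on every request, which is the token validation described in the text.
    """
    scope = challenge.get("scope", "")
    kind, _, rest = scope.partition(":")          # "repository" : "<repo>:<actions>"
    name, _, actions = rest.rpartition(":")       # "<repo>" : "pull,push"
    return kind == "repository" and name == repo and action in actions.split(",")
```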

  • Docker Registry involves three roles: the index, the registry and the registry client.
    index: responsible for maintaining information about user accounts, image checksums and the public namespace.
    It provides the Web UI, metadata storage, the authentication service and symbolization (naming).
    registry: the store for images and their layer graphs. It has no local database and does no user authentication of its own; it authenticates requests via tokens issued by the index's auth service.
    Registry client: Docker acts as the registry client to perform pushes and pulls, and handles client-side authorization.
  • Scenario A: a user wants to fetch and download an image.

[Figure 3: Scenario A]

  • Scenario B: a user wants to push an image to the registry.

[Figure 4: Scenario B]

  • Scenario C: a user wants to delete an image from the index or the registry.

[Figure 5: Scenario C]

Docker Hub is convenient, but it has limitations: it needs an Internet connection and is slow; everyone can access it; and for security reasons enterprises do not allow images to be placed on the public Internet. The good news is that Docker Inc. has open-sourced the registry, so we can quickly build an enterprise private registry.
https://docs.docker.com/registry/deploying/
The registry built earlier had no authentication, so relatively speaking it is not very usable; next we build a private registry.

Setting up a private registry:

[root@server1 ~]# docker search registry		##search
[root@server1 ~]# docker pull registry			##pull the image
[root@server1 ~]# docker history registry:latest 		##shows the port the container exposes
IMAGE               CREATED             CREATED BY                                      SIZE                COMMENT
1fd8e1b0bb7e        5 weeks ago         /bin/sh -c #(nop)  CMD ["/etc/docker/registr…   0B                  
<missing>           5 weeks ago         /bin/sh -c #(nop)  ENTRYPOINT ["/entrypoint.…   0B                  
<missing>           5 weeks ago         /bin/sh -c #(nop) COPY file:507caa54f88c1f38…   155B                
<missing>           5 weeks ago         /bin/sh -c #(nop)  EXPOSE 5000                  0B                  
<missing>           5 weeks ago         /bin/sh -c #(nop)  VOLUME [/var/lib/registry]   0B                  
<missing>           5 weeks ago         /bin/sh -c #(nop) COPY file:4544cc1555469403…   295B                
<missing>           5 weeks ago         /bin/sh -c #(nop) COPY file:21256ff7df5369f7…   20.1MB              
<missing>           5 weeks ago         /bin/sh -c set -ex     && apk add --no-cache…   549kB               
<missing>           5 weeks ago         /bin/sh -c #(nop)  CMD ["/bin/sh"]              0B                  
<missing>           5 weeks ago         /bin/sh -c #(nop) ADD file:282b9d56236cae296…   5.62MB              
[root@server1 ~]# docker run -d --name registry -p 5000:5000 registry
	##run the registry with a port mapping: the first number is the host port, the second the container port
7bb13092f4e40a9bc129a7a94a71d188b0360e1dc244d834372580fea6857d4f
[root@server1 ~]# docker ps
CONTAINER ID        IMAGE               COMMAND                  CREATED             STATUS              PORTS                    NAMES
7bb13092f4e4        registry            "/entrypoint.sh /etc…"   3 seconds ago       Up 2 seconds        0.0.0.0:5000->5000/tcp   registry
[root@server1 ~]# docker inspect registry
	##shows the mount information; since no volume was specified, a volume created by the Docker engine is used
[root@server1 ~]# docker images 
[root@server1 ~]# docker tag yakexi007/game2048:latest localhost:5000/game2048
	##re-tag to distinguish same-named images from different users
[root@server1 ~]# docker images
REPOSITORY                        TAG                 IMAGE ID            CREATED             SIZE
rhel7                             v4                  b3388a690329        6 hours ago         31.9MB
<none>                            <none>              4cf308c51260        6 hours ago         146MB
rhel7                             v3                  00f0b93070b1        7 hours ago         141MB
rhel7                             v2                  55fd86415086        7 hours ago         255MB
rhel7                             v1                  c8aeebec1de9        7 hours ago         296MB
nginx                             latest              d1a364dc548d        18 hours ago        133MB
busybox                           v1                  ec156da50087        43 hours ago        1.24MB
busybox                           latest              d3cd072556c2        8 days ago          1.24MB
registry                          latest              1fd8e1b0bb7e        5 weeks ago         26.2MB
yakexi007/game2048                latest              19299002fdbe        4 years ago         55.5MB
localhost:5000/game2048           latest              19299002fdbe        4 years ago         55.5MB
rhel7                             latest              0a3eb3fde7fd        6 years ago         140MB
gcr.io/distroless/base-debian10   latest              d48fcdd54946        51 years ago        19.2MB
  ##the newly added image is now visible; the two images differ only in name, the image ID is the same
[root@server1 ~]# docker push localhost:5000/game2048:latest 		##push
[root@server1 ~]# cd /var/lib/docker/volumes/c6ab78e2115ecc13a0b019bd902d9c7a1576d034e7b63669068ac75e05e98108/_data
[root@server1 _data]# ls
docker		##the data is actually stored in the mounted volume

After pushing to the registry, delete the local images and check whether they can be pulled again:

[root@server1 ~]# docker rmi localhost:5000/game2048:latest
Untagged: localhost:5000/game2048:latest
Untagged: localhost:5000/game2048@sha256:8a34fb9cb168c420604b6e5d32ca6d412cb0d533a826b313b190535c03fe9390
[root@server1 ~]# docker rmi yakexi007/game2048:latest
Untagged: yakexi007/game2048:latest
Untagged: yakexi007/game2048@sha256:8a34fb9cb168c420604b6e5d32ca6d412cb0d533a826b313b190535c03fe9390
Deleted: sha256:19299002fdbedc133c625488318ba5106b8a76ca6e34a6a8fec681fb54f5e4c7
Deleted: sha256:a8ba4f00c5b89c2994a952951dc7b043f18e5ef337afdb0d4b8b69d793e9ffa7
Deleted: sha256:e2ea5e1f4b9cfe6afb588167bb38d833a5aa7e4a474053083a5afdca5fff39f0
Deleted: sha256:1b2dc5f636598b4d6f54dbf107a3e34fcba95bf08a7ab5a406d0fc8865ce2ab2
Deleted: sha256:af457147a7ab56e4d77082f56d1a0d6671c1a44ded1f85fea99817231503d7b4
Deleted: sha256:011b303988d241a4ae28a6b82b0d8262751ef02910f0ae2265cb637504b72e36
[root@server1 ~]# docker images
REPOSITORY                        TAG                 IMAGE ID            CREATED             SIZE
<none>                            <none>              4cf308c51260        6 hours ago         146MB
rhel7                             v4                  b3388a690329        6 hours ago         31.9MB
rhel7                             v3                  00f0b93070b1        7 hours ago         141MB
rhel7                             v2                  55fd86415086        7 hours ago         255MB
rhel7                             v1                  c8aeebec1de9        7 hours ago         296MB
nginx                             latest              d1a364dc548d        18 hours ago        133MB
busybox                           v1                  ec156da50087        43 hours ago        1.24MB
busybox                           latest              d3cd072556c2        8 days ago          1.24MB
registry                          latest              1fd8e1b0bb7e        5 weeks ago         26.2MB
rhel7                             latest              0a3eb3fde7fd        6 years ago         140MB
gcr.io/distroless/base-debian10   latest              d48fcdd54946        51 years ago        19.2MB
[root@server1 ~]# docker pull localhost:5000/game2048:latest
	##the image was pulled successfully from the local registry
latest: Pulling from game2048
534e72e7cedc: Pull complete 
f62e2f6dfeef: Pull complete 
fe7db6293242: Pull complete 
3f120f6a2bf8: Pull complete 
4ba4e6930ea5: Pull complete 
Digest: sha256:8a34fb9cb168c420604b6e5d32ca6d412cb0d533a826b313b190535c03fe9390
Status: Downloaded newer image for localhost:5000/game2048:latest
localhost:5000/game2048:latest
[root@server1 ~]# docker ps
CONTAINER ID        IMAGE               COMMAND                  CREATED             STATUS              PORTS                    NAMES
143abac135cb        registry            "/entrypoint.sh /etc…"   11 minutes ago      Up 11 minutes       0.0.0.0:5000->5000/tcp   registry

At this point the registry can only be used for pushes and pulls from the local host; by default remote hosts cannot use it. For remote access, the client must be told that the registry is insecure.

To test remote access, start a second virtual machine. First set up the Docker package repository on it and install the Docker tools:

[root@server2 yum.repos.d]# ls
docker.repo  dvd.repo  redhat.repo
[root@server2 yum.repos.d]# cat docker.repo 
[docker]
name=docker-ce
baseurl=http://172.25.25.250/docker-ce
gpgcheck=0
[root@server2 ~]# yum install -y docker-ce
[root@server2 docker]# systemctl enable --now docker.service 
[root@server2 sysctl.d]# cat dokcer.conf 
net.bridge.bridge-nf-call-iptables = 1
net.bridge.bridge-nf-call-ip6tables = 1
[root@server2 docker]# sysctl --system
[root@server2 sysctl.d]# docker info		
	##the basic information now shows no errors

After that, we still have to tell Docker that the registry it pulls from is an insecure one:

[root@server2 ~]# cd /etc/docker/
[root@server2 docker]# ls
key.json
[root@server2 docker]# vim  daemon.json
[root@server2 docker]# cat daemon.json 
{
	"insecure-registries": ["172.25.25.1:5000"]
}

[root@server2 docker]# systemctl reload docker
[root@server2 docker]# docker info		

 Registry: https://index.docker.io/v1/
 Labels:
 Experimental: false
 Insecure Registries:		##the insecure registry now shows up here
  172.25.25.1:5000
  127.0.0.0/8
 Live Restore Enabled: false
[root@server2 docker]# docker pull 172.25.25.1:5000/game2048:latest
	##the remote host can now pull the image
Using default tag: latest
latest: Pulling from game2048
534e72e7cedc: Pull complete 
f62e2f6dfeef: Pull complete 
fe7db6293242: Pull complete 
3f120f6a2bf8: Pull complete 
4ba4e6930ea5: Pull complete 
Digest: sha256:8a34fb9cb168c420604b6e5d32ca6d412cb0d533a826b313b190535c03fe9390
Status: Downloaded newer image for 172.25.25.1:5000/game2048:latest
172.25.25.1:5000/game2048:latest
[root@server2 docker]# docker images
REPOSITORY                  TAG                 IMAGE ID            CREATED             SIZE
172.25.25.1:5000/game2048   latest              19299002fdbe        4 years ago         55.5MB

The above is the simplest local registry, with no encryption or authentication.

4. Configuring a registry mirror (accelerator)

Downloading images from Docker Hub is too slow, so a mirror (accelerator) should be configured. Alibaba Cloud is used as the example here (an Alibaba Cloud account must be registered beforehand).
Edit the Docker daemon config file:

vim /etc/docker/daemon.json
{
  "registry-mirrors": ["https://vo5twm71.mirror.aliyuncs.com"]
}
Reload the Docker service:
#systemctl daemon-reload
#systemctl restart docker

5. Building a private registry

Remove the previous registry and its volumes:

[root@server1 ~]# docker rm -f registry
registry
[root@server1 ~]# docker volume ls
DRIVER              VOLUME NAME
local               7ee3956be7d3474e7bc2111d81fbee8db3422789fb64831342e65d2408ef5532
[root@server1 ~]# docker volume prune		##remove all unused volumes
WARNING! This will remove all local volumes not used by at least one container.
Are you sure you want to continue? [y/N] y
Deleted Volumes:
7ee3956be7d3474e7bc2111d81fbee8db3422789fb64831342e65d2408ef5532

Total reclaimed space: 17.75MB
[root@server1 ~]# docker container prune		##remove stopped containers
WARNING! This will remove all stopped containers.
Are you sure you want to continue? [y/N] y
Total reclaimed space: 0B
[root@server1 ~]# docker image prune		##remove all dangling images
WARNING! This will remove all dangling images.
Are you sure you want to continue? [y/N] y
Deleted Images:
deleted: sha256:4cf308c51260643b216ebfa2ad0c853f0a190de24645d0031d3d20e687801a80
deleted: sha256:d8eefca77d25ab5621bb75f669ee3ed19a98cf336586d89e9d09c74f37e1711e
deleted: sha256:9824bd8622ef082374d053fb2fb1cef2b24042390155c0d86c58e947a0f952f2

Total reclaimed space: 12.72MB
[root@server1 ~]# docker rmi rhel7:v4		##delete the images that are no longer needed one by one
Untagged: rhel7:v4
Deleted: sha256:b3388a690329390dacbdcd45df04a82df802b02f5c87548318f916aa88d64dab
Deleted: sha256:52d6aca444a9b645652020d25a103009851df5bc6d18f054a47d97932ec4b74b
Deleted: sha256:55d6bb5728eb74472779ae0efd045b8bb46c29176157d1c8416ce047d50b1cda
Deleted: sha256:36cd5ddf7ad3cdb0bf355bb689422f2935f5a93039b30bfb9dacacc978250022
Deleted: sha256:e675a6f01e302b423efb94d625945041619b4cdd5fc5a52b2495a0a042065323

Help for building a private registry is available on the official site: docs.docker.com/registry

  1. Adding TLS encryption to the Docker registry
    Generate a certificate (the domain westos.org must resolve on the hosts)
[root@server1 ~]# mkdir -p certs		##create a directory
[root@server1 ~]# openssl req -newkey rsa:4096 -nodes -sha256 -keyout certs/westos.org.key -x509 -days 365 -out certs/westos.org.crt
	##generate a self-signed certificate and key

Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:shaanxi
Locality Name (eg, city) [Default City]:xi'an
Organization Name (eg, company) [Default Company Ltd]:westos
Organizational Unit Name (eg, section) []:linux
Common Name (eg, your name or your server's hostname) []:reg.westos.org
Email Address []:root@westos.org

[root@server1 ~]# ls certs/
westos.org.crt  westos.org.key
##rebuild the registry container
[root@server1 ~]# docker run -d \		##run the container
> --restart=always \					##start automatically with the daemon
> --name registry \
> -v "$(pwd)"/certs:/certs \			##bind mount; -v requires an absolute path
> -e REGISTRY_HTTP_ADDR=0.0.0.0:443 \	##listen address and port
> -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/westos.org.crt \
> -e REGISTRY_HTTP_TLS_KEY=/certs/westos.org.key \
> -p 443:443 \							##port mapping
> -v /opt/registry:/var/lib/registry registry	##data directory to mount
648da93dda348129139e9a3910b33139ef59f7e27f9aaca387d8137d645b6f10
[root@server1 ~]# docker ps
CONTAINER ID        IMAGE               COMMAND                  CREATED              STATUS              PORTS                            NAMES
648da93dda34        registry            "/entrypoint.sh /etc…"   About a minute ago   Up About a minute   0.0.0.0:443->443/tcp, 5000/tcp   registry
[root@server1 ~]# cd /opt/registry/		##directory created automatically by the mount
[root@server1 registry]# ls
[root@server1 registry]# docker volume ls		##the bind mount replaces the earlier anonymous volume
DRIVER              VOLUME NAME

To connect, name resolution is required

[root@server1 registry]# vim /etc/hosts		##add the resolution entry
[root@server1 registry]# cat /etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
172.25.15.250	foundation15.ilt.example.com
172.25.15.1	server1 reg.westos.org
172.25.15.2	server2
172.25.15.3	server3
172.25.15.4	server4
172.25.15.5	server5
172.25.15.6	server6

Push:

[root@server1 ~]# docker images
REPOSITORY                        TAG                 IMAGE ID            CREATED             SIZE
nginx                             latest              f0b8a9a54136        10 days ago         133MB
registry                          latest              1fd8e1b0bb7e        5 weeks ago         26.2MB
localhost:5000/game2048           latest              19299002fdbe        4 years ago         55.5MB
rhel7                             latest              0a3eb3fde7fd        6 years ago         140MB
gcr.io/distroless/base-debian10   latest              d48fcdd54946        51 years ago        19.2MB
[root@server1 ~]# docker tag nginx:latest reg.westos.org/nginx:latest		
	##rename
[root@server1 ~]# docker push reg.westos.org/nginx:latest 		
	##the push fails at this point: the certificate is not trusted
The push refers to repository [reg.westos.org/nginx]
Get https://reg.westos.org/v2/: x509: certificate signed by unknown authority

Let Docker pick up the certificate automatically:

[root@server1 ~]# cd certs/
[root@server1 certs]# ls
westos.org.crt  westos.org.key
[root@server1 certs]# cd /etc/docker/
[root@server1 docker]# ls
daemon.json  key.json
[root@server1 docker]# mkdir certs.d
[root@server1 docker]# cd  certs.d/
[root@server1 certs.d]# mkdir reg.westos.org
[root@server1 certs.d]# cd reg.westos.org/
[root@server1 reg.westos.org]# cp ~/certs/westos.org.crt ca.crt
[root@server1 reg.westos.org]# ls
ca.crt

Now push again and check:

[root@server1 reg.westos.org]# docker push reg.westos.org/nginx:latest 		
	##with the certificate in place the push now goes over an encrypted connection
The push refers to repository [reg.westos.org/nginx]
f0f30197ccf9: Pushed 
eeb14ff930d4: Pushed 
c9732df61184: Pushed 
4b8db2d7f35a: Pushed 
431f409d4c5a: Pushed 
02c055ef67f5: Pushed 
latest: digest: sha256:eba373a0620f68ffdc3f217041ad25ef084475b8feb35b992574cd83698e9e3c size: 1570
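The two trust mechanisms used so far, as an added example (not code from the original post): the `insecure-registries` entry in /etc/docker/daemon.json from section 3, which makes the daemon skip TLS verification for 172.25.25.1:5000, and the private CA dropped at /etc/docker/certs.d/<host>/ca.crt, which is the fix for "x509: certificate signed by unknown authority". The script predicts how dockerd will treat a host and flags remote registries configured as insecure. Matching is simplified (an insecure entry must match the host exactly; CIDR entries are not expanded), `localhost` and 127.x are treated as insecure by default as `docker info` shows, and the sample values are constructed from the post.

```python
"""Predict registry trust handling from daemon.json and certs.d (added example)."""
import ipaddress
import json
import os
import tempfile
from typing import Dict, List

# daemon.json as written on server2 in the post, plus the mirror from section 5
SAMPLE_DAEMON_JSON = """
{
    "insecure-registries": ["172.25.25.1:5000"],
    "registry-mirrors": ["https://reg.westos.org"]
}
"""


def load_daemon_json(text: str) -> Dict:
    """Parse daemon.json text; the real file is /etc/docker/daemon.json."""
    return json.loads(text)


def _is_loopback(entry: str) -> bool:
    """True for localhost, 127.x.x.x (optionally :port) and the 127.0.0.0/8 net."""
    name = entry.rsplit(":", 1)[0] if entry.count(":") == 1 else entry
    if name == "localhost":
        return True
    try:
        if "/" in name:
            return ipaddress.ip_network(name, strict=False).is_loopback
        return ipaddress.ip_address(name).is_loopback
    except ValueError:
        return False


def trust_mode(host: str, config: Dict, certs_dir: str) -> str:
    """Return 'insecure', 'private-ca' or 'system-ca' for host (host[:port])."""
    if _is_loopback(host) or host in config.get("insecure-registries", []):
        return "insecure"      # plain HTTP allowed, certificate not verified
    if os.path.isfile(os.path.join(certs_dir, host, "ca.crt")):
        return "private-ca"    # TLS verified against certs.d/<host>/ca.crt
    return "system-ca"         # TLS verified against the OS trust store


def audit(config: Dict, certs_dir: str) -> List[str]:
    """List the settings a reviewer would question in this daemon config."""
    findings = []
    for entry in config.get("insecure-registries", []):
        if not _is_loopback(entry):
            findings.append(f"remote registry {entry} is insecure: no TLS verification")
    for mirror in config.get("registry-mirrors", []):
        if not mirror.startswith("https://"):
            findings.append(f"mirror {mirror} is not served over https")
        host = mirror.split("://", 1)[-1].rstrip("/")
        if trust_mode(host, config, certs_dir) == "system-ca":
            findings.append(f"mirror {host} relies on the system CA store; "
                            f"a self-signed registry needs certs.d/{host}/ca.crt")
    return findings


def make_sample_certs_dir() -> str:
    """Create a throw-away certs.d tree holding a placeholder CA for reg.westos.org."""
    root = tempfile.mkdtemp(prefix="certs.d-")
    os.makedirs(os.path.join(root, "reg.westos.org"))
    with open(os.path.join(root, "reg.westos.org", "ca.crt"), "w") as fh:
        # constructed placeholder, not a real certificate
        fh.write("-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n")
    return root
```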
  2. Adding user authentication to the Docker registry
[root@server1 ~]# yum install httpd-tools.x86_64 -y		##install httpd-tools, which provides htpasswd
[root@server1 ~]# mkdir auth	
[root@server1 ~]# htpasswd -cB auth/htpasswd admin
	##generate the user password file
New password: 
Re-type new password: 
Adding password for user admin
[root@server1 ~]# cat auth/htpasswd 
admin:$2y$05$xcuFrJ8i4.5h8mWViTE0mONnMdPgm0SW6INIOWpQfD.L1RjaxcO92
[root@server1 ~]# htpasswd -B auth/htpasswd zxk		
	##note: -c is only needed the first time; using -c again for later users would overwrite the existing file; -B forces bcrypt hashing
New password: 
Re-type new password: 
Adding password for user zxk
[root@server1 ~]# cat auth/htpasswd 
admin:$2y$05$xcuFrJ8i4.5h8mWViTE0mONnMdPgm0SW6INIOWpQfD.L1RjaxcO92
zxk:$2y$05$vDNpTjzreUkjfnzxfpZBYuB63W16zXPOl0mwu97sFIrKb0idr3c/2

Remove the previous registry and run it again; removing the container does not delete the data:

[root@server1 ~]# docker rm -f registry 
registry
[root@server1 ~]# ll -d /opt/registry/
drwxr-xr-x 3 root root 20 May 23 10:02 /opt/registry/
[root@server1 ~]# cd /data/
[root@server1 data]# ls
[root@server1 data]# mv ~/auth/ .
[root@server1 data]# ls
auth
[root@server1 data]# mv ~/certs/ .
[root@server1 data]# ls
auth  certs		##avoid relative paths at run time

Rebuild the registry container, this time with password authentication:

[root@server1 ~]# docker run -d \
  --restart=always \
  --name registry \
  -v /data/certs:/certs \
  -e REGISTRY_HTTP_ADDR=0.0.0.0:443 \
  -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/westos.org.crt \
  -e REGISTRY_HTTP_TLS_KEY=/certs/westos.org.key \
  -p 443:443 -v /opt/registry:/var/lib/registry -v /data/auth:/auth \
  -e "REGISTRY_AUTH=htpasswd" \
  -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" \
  -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd registry
9c565b84e8420f4a2222f978a549dff290f477fde8f81d31c5a40943386c06f8
##with authentication added, this run has both encryption and user authentication
[root@server1 ~]# docker ps
CONTAINER ID        IMAGE               COMMAND                  CREATED             STATUS              PORTS                            NAMES
9c565b84e842        registry            "/entrypoint.sh /etc…"   38 seconds ago      Up 37 seconds       0.0.0.0:443->443/tcp, 5000/tcp   registry

Once it is up, test with a push:

[root@server1 ~]# docker push reg.westos.org/nginx:latest		
	##the push now fails
The push refers to repository [reg.westos.org/nginx]
f0f30197ccf9: Preparing 
eeb14ff930d4: Preparing 
c9732df61184: Preparing 
4b8db2d7f35a: Preparing 
431f409d4c5a: Preparing 
02c055ef67f5: Preparing 
no basic auth credentials		##no credentials were supplied

After logging in as one of the users created above, the push succeeds:

[root@server1 ~]# docker login reg.westos.org
Username: admin
Password: 
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded

[root@server1 ~]# cat /root/.docker/config.json	
	##the credentials are stored in this file, so logging in once is enough
{
	"auths": {
		"reg.westos.org": {
			"auth": "YWRtaW46d2VzdG9z"
		}
	},
	"HttpHeaders": {
		"User-Agent": "Docker-Client/19.03.15 (linux)"
	}
}
[root@server1 ~]# docker push reg.westos.org/nginx:latest
The push refers to repository [reg.westos.org/nginx]
f0f30197ccf9: Layer already exists 
eeb14ff930d4: Layer already exists 
c9732df61184: Layer already exists 
4b8db2d7f35a: Layer already exists 
431f409d4c5a: Layer already exists 
02c055ef67f5: Layer already exists 
latest: digest: sha256:eba373a0620f68ffdc3f217041ad25ef084475b8feb35b992574cd83698e9e3c size: 1570

Now test from the remote host. Either change the earlier insecure-registry entry to point at the new registry, or access the address directly; whichever method is used, name resolution must be set up first.

1) Access the address directly:

[root@server2 docker]# vim /etc/hosts
[root@server2 docker]# cat /etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
172.25.25.250	 foundation39.ilt.example.com
172.25.25.1	server1 reg.westos.org
172.25.25.2	server2
172.25.25.3	server3
172.25.25.4	server4
172.25.25.5	server5
172.25.25.6	server6
172.25.25.7	server7
172.25.25.8	server8
[root@server2 docker]# docker pull reg.westos.org/nginx:latest
		##the pull fails: the certificate is not trusted
Error response from daemon: Get https://reg.westos.org/v2/: x509: certificate signed by unknown authority
[root@server2 docker]# ls	##copy the certificate over from the first host (certs.d/reg.westos.org/ca.crt)
certs.d  key.json	daemon.json
[root@server2 docker]# docker pull reg.westos.org/nginx:latest
	##the pull now requires authentication
Error response from daemon: Get https://reg.westos.org/v2/nginx/manifests/latest: no basic auth credentials
[root@server2 docker]# docker login  reg.westos.org
Username: zxk		##log in
Password: 
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded
[root@server2 docker]# docker pull reg.westos.org/nginx:latest
	##after logging in, the pull succeeds
latest: Pulling from nginx
69692152171a: Pull complete 
30afc0b18f67: Pull complete 
596b1d696923: Pull complete 
febe5bd23e98: Pull complete 
8283eee92e2f: Pull complete 
351ad75a6cfa: Pull complete 
Digest: sha256:61191087790c31e43eb37caa10de1135b002f10c09fdda7fa8a5989db74033aa
Status: Downloaded newer image for reg.westos.org/nginx:latest
reg.westos.org/nginx:latest

2) Edit the config file:

[root@server2 docker]# vim daemon.json 
[root@server2 docker]# cat daemon.json
{
	"registry-mirrors": ["https://reg.westos.org"]
}
[root@server2 docker]# systemctl restart docker.service 
[root@server2 docker]# docker info 

 Experimental: false
 Insecure Registries:
  127.0.0.0/8
 Registry Mirrors:
  https://reg.westos.org/		##registry address
 Live Restore Enabled: false
 
###authentication is required in this case too, just as before, and then the pull works
[root@server2 docker]# docker logout reg.westos.org			
##log out

With the steps above the registry is set up with both authentication and encryption. But everything in the registry is protected in the same way and every pull requires authentication. For commonly used images in an enterprise it is better to allow anonymous pulls, which saves a lot of time and effort.

  3. A full-featured registry: Harbor
    Here the Harbor offline installer package is used; it can also be downloaded from https://github.com/goharbor/harbor/releases
[root@server1 ~]# ls
base-debian10.tar  docker-compose-Linux-x86_64-1.27.0    rhel7.tar
docker             harbor-offline-installer-v1.10.1.tgz
[root@server1 ~]# mv docker-compose-Linux-x86_64-1.27.0 /usr/local/bin/docker-compose
	##move the binary into place and make it executable
[root@server1 ~]# chmod +x /usr/local/bin/docker-compose
[root@server1 ~]# docker-compose	##check that the binary runs
[root@server1 ~]# tar zxf harbor-offline-installer-v1.10.1.tgz 
[root@server1 ~]# ls
base-debian10.tar  docker  harbor  harbor-offline-installer-v1.10.1.tgz  rhel7.tar
[root@server1 ~]# cd harbor/
[root@server1 harbor]# ls
common.sh  harbor.v1.10.1.tar.gz  harbor.yml  install.sh  LICENSE  prepare
[root@server1 harbor]# vim harbor.yml 
hostname: reg.westos.org

  certificate: /data/certs/westos.org.crt	##certificate and key
  private_key: /data/certs/westos.org.key

harbor_admin_password: admin		##login password for the web UI
[root@server1 harbor]# cd /data/
[root@server1 data]# ls
auth  certs			##move the htpasswd auth directory out of the way, keeping only the certificates
[root@server1 data]# mv auth/ /mnt/
[root@server1 data]# ls
certs

After that, run the installer. --with-notary enables image signing (content trust), --with-clair enables vulnerability scanning of images, and --with-chartmuseum stores Helm chart packages.

[root@server1 harbor]# ./install.sh --help
Note: Please set hostname and other necessary attributes in harbor.yml first. DO NOT use localhost or 127.0.0.1 for hostname, because Harbor needs to be accessed by external clients.
Please set --with-notary if needs enable Notary in Harbor, and set ui_url_protocol/ssl_cert/ssl_cert_key in harbor.yml bacause notary must run under https. 
Please set --with-clair if needs enable Clair in Harbor
Please set --with-chartmuseum if needs enable Chartmuseum in Harbor
[root@server1 harbor]# ./install.sh 	##run the script to install
[root@server1 harbor]# ls
common     docker-compose.yml     harbor.yml  LICENSE
common.sh  harbor.v1.10.1.tar.gz  install.sh  prepare
[root@server1 harbor]# docker-compose ps	
##this command works much like docker, but it must be run in this directory because it reads the docker-compose.yml generated by the install script
##the port information is also visible here
[root@server1 harbor]# docker-compose start	
	##once started, the registry can be accessed in the browser

[Figure 6: Harbor web UI login]
[Figure 7: Harbor web UI]
Harbor cannot fetch images from the Internet automatically; they have to be managed by hand.
Set up a mirror accelerator to speed things up:

[root@server1 harbor]# cd /etc/docker/
[root@server1 docker]# ls
certs.d  daemon.json  key.json
[root@server1 docker]# cat daemon.json 
{
	"registry-mirrors": ["https://vo5twm71.mirror.aliyuncs.com"]
}
[root@server1 harbor]# docker login reg.westos.org		##the login now uses Harbor's user and password
Username: admin
Password: 
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded
[root@server1 harbor]# docker push reg.westos.org/library/game2048:latest 
The push refers to repository [reg.westos.org/library/game2048]
88fca8ae768a: Pushed 
6d7504772167: Pushed 
192e9fad2abc: Pushed 
36e9226e74f8: Pushed 
011b303988d2: Pushed 
latest: digest: sha256:8a34fb9cb168c420604b6e5d32ca6d412cb0d533a826b313b190535c03fe9390 size: 1364

After the push, check in the web UI:

[Figure 8: image listed in Harbor]
Then, on the other host, log out of the earlier credentials, delete the old image and pull the newly pushed one:

[root@server2 docker]# docker images
REPOSITORY          TAG                 IMAGE ID            CREATED             SIZE
[root@server2 docker]# docker logout reg.westos.org
Removing login credentials for reg.westos.org
[root@server2 docker]# docker pull game2048:latest
##the client pulls without authentication; this can be seen in the web UI's access log
latest: Pulling from library/game2048
534e72e7cedc: Pull complete 
f62e2f6dfeef: Pull complete 
fe7db6293242: Pull complete 
3f120f6a2bf8: Pull complete 
4ba4e6930ea5: Pull complete 
Digest: sha256:8a34fb9cb168c420604b6e5d32ca6d412cb0d533a826b313b190535c03fe9390
Status: Downloaded newer image for game2048:latest
docker.io/library/game2048:latest

The user information can also be viewed in the web UI; it shows an anonymous pull:

[Figure 9: Harbor access log showing the anonymous pull]
Push another image to observe the effect:

[root@server1 ~]# docker rmi reg.westos.org/nginx:latest 
Untagged: reg.westos.org/nginx:latest
[root@server1 ~]# docker tag nginx:latest reg.westos.org/library/nginx:latest
[root@server1 ~]# docker push reg.westos.org/library/nginx:latest 

[root@server2 docker]# docker pull reg.westos.org/library/nginx:latest

[Figure 10: nginx listed in Harbor]
Harbor's other features:

[root@server1 harbor]# docker-compose stop	##stop the registry
[root@server1 harbor]# docker-compose rm 		##remove all the containers
[root@server1 harbor]# ./install.sh --with-notary --with-clair --with-chartmuseum 
##install again
[root@server1 harbor]# docker-compose ps		##more services are listed now

After this reinstall there are additional features:

[Figure 11: Harbor with Notary, Clair and ChartMuseum enabled]
Once done, scan the existing images for vulnerabilities:

[Figure 12: vulnerability scan results]

With the extra options the images can be scanned; when automatic scanning is ticked, every uploaded image is scanned automatically.

[Figure 13: automatic scan setting]
Images can also be placed under trust management and signed. When content trust is ticked, pulling an unsigned image is rejected as shown below:

[root@server2 docker]# docker pull reg.westos.org/library/game2048:latest
Error response from daemon: unknown: The image is not signed in Notary.

After enabling Docker content trust, delete nginx in the web UI, clear the cache, and push it again to sign it:

[root@server1 harbor]# export DOCKER_CONTENT_TRUST=1
	##enable content trust
[root@server1 harbor]# export DOCKER_CONTENT_TRUST_SERVER=https://reg.westos.org:4443
	##where the content trust (Notary) server is
[root@server1 harbor]# docker push reg.westos.org/library/nginx:latest
The push refers to repository [reg.westos.org/library/nginx]
075508cf8f04: Pushed 
5c865c78bc96: Pushed 
134e19b2fac5: Pushed 
83634f76e732: Pushed 
766fe2c3fc08: Pushed 
02c055ef67f5: Pushed 
latest: digest: sha256:61191087790c31e43eb37caa10de1135b002f10c09fdda7fa8a5989db74033aa size: 1570
Signing and pushing trust metadata
Error: error contacting notary server: x509: certificate signed by unknown authority

Set up the trust, then push again:
When a brand-new image is pushed, two passphrases must be entered; when the image stays the same and only a new version is pushed, only one passphrase is needed.

[root@server1 ~]# cd .docker/
[root@server1 .docker]# ls
config.json  trust
[root@server1 .docker]# mkdir tls		##make the Notary server's certificate trusted
[root@server1 .docker]# cd tls/
[root@server1 tls]# mkdir reg.westos.org:4443
[root@server1 tls]# cd reg.westos.org\:4443/
[root@server1 reg.westos.org:4443]# cp /data/certs/westos.org.crt ca.crt
[root@server1 reg.westos.org:4443]# ls
ca.crt

[root@server1 reg.westos.org:4443]# docker push reg.westos.org/library/nginx:latest 
The push refers to repository [reg.westos.org/library/nginx]
f0f30197ccf9: Layer already exists 
eeb14ff930d4: Layer already exists 
c9732df61184: Layer already exists 
4b8db2d7f35a: Layer already exists 
431f409d4c5a: Layer already exists 
02c055ef67f5: Layer already exists 
latest: digest: sha256:eba373a0620f68ffdc3f217041ad25ef084475b8feb35b992574cd83698e9e3c size: 1570
Signing and pushing trust metadata
You are about to create a new root signing key passphrase. This passphrase
will be used to protect the most sensitive key in your signing system. Please
choose a long, complex passphrase and be careful to keep the password and the
key file itself secure and backed up. It is highly recommended that you use a
password manager to generate the passphrase and keep it safe. There will be no
way to recover this key. You can find the key in your config directory.
Enter passphrase for new root key with ID 72900f3: 
Repeat passphrase for new root key with ID 72900f3: 
Enter passphrase for new repository key with ID 2d31532: 
Repeat passphrase for new repository key with ID 2d31532: 
Finished initializing "reg.westos.org/library/nginx"
Successfully signed reg.westos.org/library/nginx:latest

Once done, the newly pushed image shows in the web UI as automatically scanned and already signed:

[Figure 14: signed image in Harbor]

After signing, pull again to check:
The purpose of signing is to establish trust in an image: unsigned images can sit in the registry, but they cannot be pulled and deployed into production.

[root@server2 ~]# docker pull nginx
Using default tag: latest
latest: Pulling from library/nginx
69692152171a: Pull complete 
30afc0b18f67: Pull complete 
596b1d696923: Pull complete 
febe5bd23e98: Pull complete 
8283eee92e2f: Pull complete 
351ad75a6cfa: Pull complete 
Digest: sha256:61191087790c31e43eb37caa10de1135b002f10c09fdda7fa8a5989db74033aa
Status: Downloaded newer image for nginx:latest
docker.io/library/nginx:latest

Sign an image that is already in the registry:

[root@server1 ~]# docker push reg.westos.org/library/game2048:latest
The push refers to repository [reg.westos.org/library/game2048]
88fca8ae768a: Layer already exists 
6d7504772167: Layer already exists 
192e9fad2abc: Layer already exists 
36e9226e74f8: Layer already exists 
011b303988d2: Layer already exists 
latest: digest: sha256:8a34fb9cb168c420604b6e5d32ca6d412cb0d533a826b313b190535c03fe9390 size: 1364
Signing and pushing trust metadata
Enter passphrase for root key with ID 40db6c1: 
Enter passphrase for new repository key with ID a55c78f: 
Repeat passphrase for new repository key with ID a55c78f: 
Finished initializing "reg.westos.org/library/game2048"
Successfully signed reg.westos.org/library/game2048:latest

Updating the version of an existing image:

[root@server1 ~]# cd docker/
[root@server1 docker]# mkdir test
[root@server1 docker]# cd test/
[root@server1 test]# vim Dockerfile
[root@server1 test]# cat Dockerfile 
FROM nginx
COPY index.html	/usr/share/nginx/html
[root@server1 test]# cp ../index.html .
[root@server1 test]# ls
Dockerfile  index.html
[root@server1 test]# cat index.html 
www.westos.org
[root@server1 test]# export DOCKER_CONTENT_TRUST=0
[root@server1 test]# docker build -t nginx:v1 .	##build the image
Sending build context to Docker daemon  3.072kB
Step 1/2 : FROM nginx
 ---> d1a364dc548d
Step 2/2 : COPY index.html	/usr/share/nginx/html
 ---> 3167572bbc25
Successfully built 3167572bbc25
Successfully tagged nginx:v1
[root@server1 test]# docker tag nginx:v1 reg.westos.org/library/nginx:v1	##rename
[root@server1 test]# export DOCKER_CONTENT_TRUST=1
[root@server1 test]# docker push reg.westos.org/library/nginx:v1
The push refers to repository [reg.westos.org/library/nginx]
47c5645eaeea: Pushed 
075508cf8f04: Layer already exists 
5c865c78bc96: Layer already exists 
134e19b2fac5: Layer already exists 
83634f76e732: Layer already exists 
766fe2c3fc08: Layer already exists 
02c055ef67f5: Layer already exists 
v1: digest: sha256:a19f00ff8772f68dd96f1bab4482ec70c636adfdfc3867e49bca2ba7fe2c9a25 size: 1777
Signing and pushing trust metadata
Enter passphrase for repository key with ID fdacdce: 	##only one passphrase is needed this time
Successfully signed reg.westos.org/library/nginx:v1

[root@server2 ~]# docker pull nginx:v1		##pull test

[Figure 15: nginx:v1 pulled on server2]
Create a new project:

[Figure 16: new project in Harbor]
Push an image to test:

[root@server1 test]# export DOCKER_CONTENT_TRUST=0
[root@server1 test]# docker tag reg.westos.org/library/game2048:latest reg.westos.org/westos/game2048:latest
[root@server1 test]# docker push reg.westos.org/westos/game2048:latest
The push refers to repository [reg.westos.org/westos/game2048]
88fca8ae768a: Mounted from library/game2048 
6d7504772167: Mounted from library/game2048 
192e9fad2abc: Mounted from library/game2048 
36e9226e74f8: Mounted from library/game2048 
011b303988d2: Mounted from library/game2048 
latest: digest: sha256:8a34fb9cb168c420604b6e5d32ca6d412cb0d533a826b313b190535c03fe9390 size: 1364

[Figure 17: image in the westos project]

Pulling this image requires logging in as an authenticated user; create a user in the web UI:

[root@server2 ~]# docker pull reg.westos.org/westos/game2048:latest
Error response from daemon: pull access denied for reg.westos.org/westos/game2048, repository does not exist or may require 'docker login': denied: requested access to the resource is denied

[Figure 18: creating a user in Harbor]

After adding the user, they still need to be given permissions; developers and guests can pull images but cannot push:

[Figure 19: project member roles]

After adding the user, log in and pull again:

[root@server2 ~]# docker login reg.westos.org
Username: zxk
Password: 
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded
[root@server2 ~]# docker pull reg.westos.org/westos/game2048:latest
latest: Pulling from westos/game2048
534e72e7cedc: Pull complete 
f62e2f6dfeef: Pull complete 
fe7db6293242: Pull complete 
3f120f6a2bf8: Pull complete 
4ba4e6930ea5: Pull complete 
Digest: sha256:8a34fb9cb168c420604b6e5d32ca6d412cb0d533a826b313b190535c03fe9390
Status: Downloaded newer image for reg.westos.org/westos/game2048:latest
reg.westos.org/westos/game2048:latest

The pull now works, but a guest cannot push.

With the scanning option enabled earlier, every data change stores another copy, and over time the VM becomes sluggish, so rebuild without it:

[root@server1 harbor]# docker-compose stop	
[root@server1 harbor]# docker-compose rm
[root@server1 harbor]# ./install.sh --with-chartmuseum
[root@server1 harbor]# docker-compose ps

[Figure 20: Harbor services after the rebuild]

6. Summary

We learned how Docker registries work and practised building a private Docker registry.

  • Docker registry subcommands
    docker search  search for images
    docker pull    pull an image
    docker push    push an image
    docker login   log in to a registry
    docker logout  log out of a registry
