CentOS 7: installing a Docker private registry, running it in a container, and adding authentication
Environment
192.168.31.171 docker-registry
192.168.31.164 docker client 1
192.168.31.170 docker client (https)
Installing a Docker private registry on CentOS 7
Install the Docker environment
Install docker-registry2
yum install -y docker-distribution
Enable docker and docker-registry2 at boot and start them
systemctl enable docker
systemctl start docker
systemctl enable docker-distribution
systemctl start docker-distribution
systemctl status docker-distribution
Create the registry storage directory
mkdir -p /data/docker/registry2
Change the storage directory in /etc/docker-distribution/registry/config.yml:
rootdirectory: /data/docker/registry2
Check the service
service docker-distribution status
netstat -anp|grep 5000
The registry address is 192.168.31.*:5000
CentOS 7: running a Docker private registry in a container and adding authentication
With Docker deployed, pull the docker registry image and start it
docker pull registry:2.4.1
2.4.1: Pulling from library/registry
5c90d4a2d1a8: Pull complete
fb8b2153aae6: Pull complete
f719459a7672: Pull complete
fa42982c9892: Pull complete
Digest: sha256:504b44c0ca43f9243ffa6feaf3934dd57895aece36b87bc25713588cdad3dd10
Status: Downloaded newer image for registry:2.4.1
[root@docker docker]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
hello-world latest f2a91732366c 5 months ago 1.85kB
registry 2.4.1 8ff6a4aae657 22 months ago 172MB
# Note: because of network conditions in mainland China, pulling directly from the official site may time out; retry a few times or use a domestic mirror accelerator (see the end of the article).
Start docker registry
mkdir -p /data/docker/registry
docker run -idt -v /data/docker/registry:/var/lib/registry -p 5000:5000 --restart=always --name registry-server registry:2.4.1
Parameters:
i: keep stdin open
d: run the container detached in the background and print the container id
t: allocate a tty (pseudo-terminal)
v: bind-mount a host path to a path inside the container
p: map a container port to a host port
restart: restart policy applied when the container exits
name: assign a name to the container
Check the docker registry process
[root@docker docker]# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
3748071cdf87 registry:2.4.1 "/bin/registry serve…" 4 seconds ago Up 4 seconds 0.0.0.0:5000->5000/tcp registry-server
Pull a test image
[root@docker docker]# docker pull hello-world
Using default tag: latest
latest: Pulling from library/hello-world
9bb5a5d4561a: Pull complete
Digest: sha256:f5233545e43561214ca4891fd1157e1c3c563316ed8e237750d59bde73361e77
Status: Downloaded newer image for hello-world:latest
[root@docker docker]#
Tag the test image # docker tag gives an existing image an additional name; nothing is renamed, the original name is kept and a new one is added, so it looks like a new image appeared
docker tag hello-world 127.0.0.1:5000/hello-world
List local images
[root@docker docker]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
127.0.0.1:5000/hello-world latest e38bc07ac18e 10 days ago 1.85kB
hello-world latest e38bc07ac18e 10 days ago 1.85kB
hello-world <none> f2a91732366c 5 months ago 1.85kB
registry 2.4.1 8ff6a4aae657 22 months ago 172MB
Push the test image to the private registry
[root@docker docker]# docker push 127.0.0.1:5000/hello-world
The push refers to repository [127.0.0.1:5000/hello-world]
2b8cbd0846c5: Pushed
latest: digest: sha256:d5c74e6f8efc7bdf42a5e22bd764400692cf82360d86b8c587a7584b03f51520 size: 524
Check the bind-mounted directory on the host
[root@docker docker]# ll /data/docker/registry/docker/registry/v2/repositories/
总用量 0
drwxr-xr-x. 5 root root 55 4月 22 16:35 hello-world
Pull the just-pushed test image on a client machine
[root@devtools ~]# docker pull 192.168.31.171:5000/hello-world
Using default tag: latest
Error response from daemon: Get https://192.168.31.171:5000/v2/: http: server gave HTTP response to HTTPS client
Since Docker 1.3.x the client talks to a docker registry over https by default, but the private registry built here only serves http, so any interaction with it fails with the error above.
Many articles fix this by editing docker's config file "/etc/sysconfig/docker" and restarting docker. Version 18.03.0-ce has no such file, though; creating it with the content suggested online and restarting docker had no effect, and the same error persisted.
Solution:
Create the file "daemon.json" under "/etc/docker/" with the following content:
{ "insecure-registries":["192.168.31.171:5000"] }, save, then restart docker.
[root@devtools ~]# cat /etc/docker/daemon.json
{
"insecure-registries":["192.168.31.164:5000","192.168.31.171:5000"]
}
[root@devtools ~]# systemctl daemon-reload
[root@devtools ~]# systemctl restart docker
Pull the test image again
[root@devtools ~]# docker pull 192.168.31.171:5000/hello-world
Using default tag: latest
latest: Pulling from hello-world
9bb5a5d4561a: Pull complete
Digest: sha256:d5c74e6f8efc7bdf42a5e22bd764400692cf82360d86b8c587a7584b03f51520
Status: Downloaded newer image for 192.168.31.171:5000/hello-world:latest
The docker private registry is now set up, but running it like this in production is not secure, so authentication must be added.
Add the users and passwords allowed to access it
mkdir -p /data/docker/registry/auth
docker run --entrypoint htpasswd registry:2.4.1 -Bbn abc 123 >> /data/docker/registry/auth/htpasswd # create user abc with password 123
docker run --entrypoint htpasswd registry:2.4.1 -Bbn root 123456 >> /data/docker/registry/auth/htpasswd # create user root with password 123456
docker run --entrypoint htpasswd registry:2.4.1 -Bbn admin admin >> /data/docker/registry/auth/htpasswd # create user admin with password admin
Write the config file and enable image deletion (optional; if not needed, set storage.delete.enabled to false)
mkdir -p /data/docker/registry/config
vim /data/docker/registry/config/config.yml
version: 0.1
log:
  fields:
    service: registry
storage:
  delete:
    enabled: true
  cache:
    blobdescriptor: inmemory
  filesystem:
    rootdirectory: /data/docker/registry
http:
  addr: :5000
  headers:
    X-Content-Type-Options: [nosniff]
health:
  storagedriver:
    enabled: true
    interval: 10s
    threshold: 3
Start the service
Here the registry's storage is bind-mounted from the host directory /data/docker/registry/ (the -v flags below); change the path as needed
docker run -d -p 5000:5000 --restart=always --name=registry-server \
-v /data/docker/registry/config/:/etc/docker/registry/ \
-v /data/docker/registry/auth/:/auth/ \
-e "REGISTRY_AUTH=htpasswd" \
-e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" \
-e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd \
-v /data/docker/registry/:/var/lib/registry/ \
registry:2.4.1
Stop the service
docker stop registry-server && docker rm -v registry-server
Client operations
Allow http access to the private registry
[root@email ~]# vim /etc/docker/daemon.json
[root@email ~]# systemctl daemon-reload
[root@email ~]# systemctl restart docker
[root@email ~]# cat /etc/docker/daemon.json
{
"insecure-registries":["192.168.31.171:5000"]
}
[root@email ~]#
Test login
We find that the registry started as above cannot be logged in to
[root@email ~]# docker login 192.168.31.171:5000
Username (root): abc
Password:
Error response from daemon: login attempt to http://192.168.31.171:5000/v2/ failed with status: 503 Service Unavailable
Login occasionally succeeds, but logging in with another account then fails with the error above
The cause is the health check enabled in the registry config file; disable it
health:
  storagedriver:
    enabled: true
    interval: 10s
The modified config.yml:
vim /data/docker/registry/config/config.yml
version: 0.1
log:
  fields:
    service: registry
storage:
  delete:
    enabled: true
  cache:
    blobdescriptor: inmemory
  filesystem:
    rootdirectory: /data/docker/registry
http:
  addr: :5000
  headers:
    X-Content-Type-Options: [nosniff]
health:
  storagedriver:
    enabled: false
    interval: 10s
    threshold: 3
Restart the registry and it works.
Enabling SSL access
By default docker-registry serves http while the docker client uses https. In development or test environments you usually just write the following into /etc/docker/daemon.json:
{ "insecure-registries":["192.168.31.171:5000"] }, save and restart docker, after which normal access works.
But we want https access, and there are 2 ways: 1. serve port 443 directly from docker-registry, 2. put nginx in front as a proxy
1. Serve port 443 directly
Generate the key and certificate
mkdir -p /data/docker/registry/certs
cd /data/docker/registry/certs
[root@docker certs]# openssl genrsa -out suanyuntest.com.key 2048
Generating RSA private key, 2048 bit long modulus
.........................................+++
.......................................+++
e is 65537 (0x10001)
[root@docker certs]# openssl req -newkey rsa:4096 -nodes -sha256 -keyout suanyuntest.com.key -x509 -days 1024 -out suanyuntest.com.crt
Generating a 4096 bit RSA private key
..................................................++
.......................................................++
writing new private key to 'suanyuntest.com.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:chongqing
Organization Name (eg, company) [Default Company Ltd]:suanyun
Organizational Unit Name (eg, section) []:suanyun
Common Name (eg, your name or your server's hostname) []:centre
Email Address []:centrez@126.com
[root@docker certs]# ll
总用量 8
-rw-r--r-- 1 root root 2106 4月 23 00:57 centrexzj.vicp.cc
-rw-r--r-- 1 root root 3272 4月 23 00:57 suanyun.key
[root@docker certs]#
The self-signed certificate is now ready.
Because it is self-signed, Docker does not trust it by default, so the certificate must be added to Docker's trusted certificates. On CentOS 7 Docker looks for them under /etc/docker/certs.d/<registry-host>:
On 192.168.31.171:
mkdir -p /etc/docker/certs.d/suanyuntest.com
cp -r suanyuntest.com.crt /etc/docker/certs.d/suanyuntest.com
On 192.168.31.164 and 192.168.31.170 (the directory must exist on each client before scp can write into it, and it must be named after the registry host the clients use):
ssh root@192.168.31.164 mkdir -p /etc/docker/certs.d/suanyuntest.com
ssh root@192.168.31.170 mkdir -p /etc/docker/certs.d/suanyuntest.com
scp -r suanyuntest.com.crt root@192.168.31.164:/etc/docker/certs.d/suanyuntest.com
scp -r suanyuntest.com.crt root@192.168.31.170:/etc/docker/certs.d/suanyuntest.com
Start command
docker run -d -p 443:5000 --restart=always --name=registry-server \
-v /data/docker/registry/certs:/certs \
-v /data/docker/registry/config/:/etc/docker/registry/ \
-v /data/docker/registry/auth/:/auth/ \
-e "REGISTRY_AUTH=htpasswd" \
-e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" \
-e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd \
-v /data/docker/registry/:/var/lib/registry/ \
-e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/suanyuntest.com.crt \
-e REGISTRY_HTTP_TLS_KEY=/certs/suanyuntest.com.key \
registry:2.4.1
Now it can be tested in a browser and on the other 2 clients
On 192.168.31.171 run:
docker tag hello-world suanyuntest.com/hello-world
docker images
docker login suanyuntest.com
Username: admin
Password: admin
docker push suanyuntest.com/hello-world
On 192.168.31.164 run:
docker pull suanyuntest.com/hello-world
docker images
Our docker private registry is now complete
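As an added client-side check (not part of the original post), the following Python script verifies what the htpasswd and TLS setup above is meant to guarantee: an anonymous request to /v2/ is refused with a Basic challenge carrying the "Registry Realm" realm, the htpasswd login works, the repositories visible to that user are listed, and a 503 is reported as the health-check problem seen earlier. The host name suanyuntest.com, the admin/admin user and the certs.d path follow the post; fake_registry is a constructed stand-in so the check also runs offline.

```python
import base64, json, ssl, urllib.error, urllib.request

def basic_auth_header(user, password):
    # A Docker client answers the registry's 'Basic realm=...' challenge with this header.
    return {"Authorization": "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()}

def http_fetch(url, headers=None, cafile=None):
    # Real transport. cafile is the self-signed cert the post copies to
    # /etc/docker/certs.d/suanyuntest.com/, so this check trusts it the way Docker does.
    req = urllib.request.Request(url, headers=headers or {})
    ctx = ssl.create_default_context(cafile=cafile) if cafile else None
    try:
        with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
            return resp.status, dict(resp.headers), resp.read()
    except urllib.error.HTTPError as err:
        return err.code, dict(err.headers), err.read()

def fake_registry(url, headers=None, cafile=None):
    # Constructed stand-in for the post's htpasswd registry (user admin / admin), for offline use.
    if (headers or {}).get("Authorization") != basic_auth_header("admin", "admin")["Authorization"]:
        return 401, {"Www-Authenticate": 'Basic realm="Registry Realm"'}, b""
    if url.endswith("/v2/_catalog"):
        return 200, {}, b'{"repositories": ["hello-world"]}'
    return 200, {}, b"{}"

def check_registry(base_url, user, password, fetch=http_fetch, cafile=None):
    # Reports whether anonymous access is rejected, whether the htpasswd login
    # works, and which repositories the registry exposes to that user.
    report = {"auth_enforced": False, "login_ok": False, "repositories": [], "notes": []}
    v2 = base_url.rstrip("/") + "/v2/"
    status, hdrs, _ = fetch(v2, cafile=cafile)
    hdrs = {k.lower(): v for k, v in hdrs.items()}
    if status == 503:  # the symptom the post hits with health.storagedriver enabled
        report["notes"].append("503 from /v2/: registry unhealthy, check health.storagedriver")
        return report
    if status == 401 and hdrs.get("www-authenticate", "").lower().startswith("basic"):
        report["auth_enforced"] = True
    elif status == 200:
        report["notes"].append("anonymous /v2/ allowed: REGISTRY_AUTH=htpasswd is not in effect")
    auth = basic_auth_header(user, password)
    report["login_ok"] = fetch(v2, headers=auth, cafile=cafile)[0] == 200
    if report["login_ok"]:
        status, _, body = fetch(v2 + "_catalog", headers=auth, cafile=cafile)
        if status == 200:
            report["repositories"] = json.loads(body).get("repositories", [])
    return report
```

Against the real registry call check_registry("https://suanyuntest.com", "admin", "admin", cafile="/etc/docker/certs.d/suanyuntest.com/suanyuntest.com.crt") from a client that resolves suanyuntest.com to 192.168.31.171. The certificate's CN or SAN must match that host name, otherwise the TLS handshake is rejected before any of the checks run.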
Using an nginx proxy
docker-registry keeps listening on port 5000 and nginx takes port 443, arranged as follows: