Centos7 安装 docker 私有仓库及基于容器安装运行 Docker 私有仓库及添加认证
环境准备
192.168.31.171 docker-registry 192.168.31.164 dokcer客户端1 192.168.31.170 docker客户端https
Centos7 安装 docker 私有仓库
安装 DOCKER 环境
安装 docker-registry2
yum install -y docker-distribution
开启 docker 及 docker-registry2 开机启动
systemctl enable docker systemctl start docker systemctl enable docker-distribution systemctl start docker-distribution systemctl status docker-distribution
创建仓库存储目录
mkdir -p /data/docker/registry2
修改存储目录
/etc/docker-distribution/registry/config.yml
rootdirectory: /data/docker/registry2
查看服务
service docker-distribution status
netstat -anp|grep 5000
仓库地址为:192.168.31.*:5000
Centos7 基于容器安装运行 Docker 私有仓库及添加认证
docker 部署完成后,我们下载 docker registry 仓库并启动
docker pull registry:2.4.1 2.4.1: Pulling from library/registry 5c90d4a2d1a8: Pull complete fb8b2153aae6: Pull complete f719459a7672: Pull complete fa42982c9892: Pull complete Digest: sha256:504b44c0ca43f9243ffa6feaf3934dd57895aece36b87bc25713588cdad3dd10 Status: Downloaded newer image for registry:2.4.1 [root@docker docker]# docker images REPOSITORY TAG IMAGE ID CREATED SIZE hello-world latest f2a91732366c 5 months ago 1.85kB registry 2.4.1 8ff6a4aae657 22 months ago 172MB
#注:由于国内网络问题直接连接官网下载可能会超时,可以重试几次,或者使用国内加速器,具体方法可以看文章最后。
启动 docker registry
mkdir -p /data/docker/registry docker run -idt -v /data/docker/registry:/var/lib/registry -p 5000:5000 --restart=always --name registry-server registry:2.4.1
参数详解:
i: 保持sdtin开放状态 d: 使容器以守护进程方式后台运行,并打印容器id t: 分配一个tty(虚拟终端设备) v: 绑定挂载一个容器内的路径到宿主机路径 p: 映射一个容器的端口到宿主机端口 restart: 当容器退出时的重启策略 name: 给容器命名一个名称
查看 docker registry 进程
[root@docker docker]# docker ps CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES 3748071cdf87 registry:2.4.1 "/bin/registry serve…" 4 seconds ago Up 4 seconds 0.0.0.0:5000->5000/tcp registry-server
下载测试镜像
[root@docker docker]# docker pull hello-world Using default tag: latest latest: Pulling from library/hello-world 9bb5a5d4561a: Pull complete Digest: sha256:f5233545e43561214ca4891fd1157e1c3c563316ed8e237750d59bde73361e77 Status: Downloaded newer image for hello-world:latest [root@docker docker]#
给测试镜像打 tag #tag 命令可以为以存在的重复命名,并不执行重命名,而是保留原有命名基础上,添加一个新的名称,看上去像新添加了一个 image
docker tag hello-world 127.0.0.1:5000/hello-world
查看本地镜像
[root@docker docker]# docker images REPOSITORY TAG IMAGE ID CREATED SIZE 127.0.0.1:5000/hello-world latest e38bc07ac18e 10 days ago 1.85kB hello-world latest e38bc07ac18e 10 days ago 1.85kB hello-world <none> f2a91732366c 5 months ago 1.85kB registry 2.4.1 8ff6a4aae657 22 months ago 172MB
push 测试镜像到私有仓库
[root@docker docker]# docker push 127.0.0.1:5000/hello-world The push refers to repository [127.0.0.1:5000/hello-world] 2b8cbd0846c5: Pushed latest: digest: sha256:d5c74e6f8efc7bdf42a5e22bd764400692cf82360d86b8c587a7584b03f51520 size: 524
查看宿主机映射目录
[root@docker docker]# ll /data/docker/registry/docker/registry/v2/repositories/ 总用量 0 drwxr-xr-x. 5 root root 55 4月 22 16:35 hello-world
在客户机上下载刚刚上传的测试镜像
[root@devtools ~]# docker pull 192.168.31.171:5000/hello-world Using default tag: latest Error response from daemon: Get https://192.168.31.171:5000/v2/: http: server gave HTTP response to HTTPS client
因为 Docker 从 1.3.X 之后,与 docker registry 交互默认使用的是 https,然而此处搭建的私有仓库只提供 http 服务,所以当与私有仓库交互时就会报上面的错误。
目前很多文章都是通过修改 docker 的配置文件“/etc/systemconfig/docker",重启 docker 来解决这个问题。但发现 18.03.0-ce 版本并无此文件,根据网上创建此文件,并填入相应内容,重启 docker 无效果,仍然报此错误。
解决方法:
在”/etc/docker/“目录下,创建”daemon.json“文件。在文件中写入:
{ "insecure-registries":["192.168.31.171:5000"] },保存后重启.
[root@devtools ~]# cat /etc/docker/daemon.json { "insecure-registries":["192.168.31.164:5000","192.168.31.171:5000"] } [root@devtools ~]# systemctl daemon-reload [root@devtools ~]# systemctl restart docker
再一次下载测试镜像
[root@devtools ~]# docker pull 192.168.31.171:5000/hello-world Using default tag: latest latest: Pulling from hello-world 9bb5a5d4561a: Pull complete Digest: sha256:d5c74e6f8efc7bdf42a5e22bd764400692cf82360d86b8c587a7584b03f51520 Status: Downloaded newer image for 192.168.31.171:5000/hello-world:latest
现在 docker 的本地仓库已经搭建完成了,但是这样在生产环境中是不安全的,所以需要添加验证保证安全。
添加允许访问的用户和密码
mkdir -p /data/docker/registry/auth docker run --entrypoint htpasswd registry:2.4.1 -Bbn abc 123 >> /data/docker/registry/auth/htpasswd #生成用户abc,渺密码为123 docker run --entrypoint htpasswd registry:2.4.1 -Bbn root 123456 >> /data/docker/registry/auth/htpasswd #生成用户root,渺密码为123456 docker run --entrypoint htpasswd registry:2.4.1 -Bbn admin admin >> /data/docker/registry/auth/htpasswd #生成用户admin,渺密码为admin
设置配置文件,启用删除镜像功能(也可以不启用,看业务需要,修改 storage: delete: enable 为 false 即可)
mkdir -p /data/docker/registry/config vim /data/docker/registry/config/config.yml version: 0.1 log: fields: service: registry storage: delete: enabled: true cache: blobdescriptor: inmemory filesystem: rootdirectory: /data/docker/registry http: addr: :5000 headers: X-Content-Type-Options: [nosniff] health: storagedriver: enabled: true interval: 10s threshold: 3
启动服务
这里将镜像路径映射到宿主机的 /opt/registry-var/ 文件夹下,可以根据需要修改
docker run -d -p 5000:5000 --restart=always --name=registry-server \ -v /data/docker/registry/config/:/etc/docker/registry/ \ -v /data/docker/registry/auth/:/auth/ \ -e "REGISTRY_AUTH=htpasswd" \ -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" \ -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd \ -v /data/docker/registry/:/var/lib/registry/ \ registry:2.4.1
停止服务
docker stop registry-server && docker rm -v registry-server
客户端操作
开启 http 形式访问私有仓库模式
[root@email ~]# vim /etc/docker/daemon.json [root@email ~]# systemctl daemon-reload [root@email ~]# systemctl restart docker [root@email ~]# cat /etc/docker/daemon.json { "insecure-registries":["192.168.31.171:5000"] } [root@email ~]#
测试登录
我们发现按照上面启动的 registry 无法登陆
[root@email ~]# docker login 192.168.31.171:5000 Username (root): abc Password: Error response from daemon: login attempt to http://192.168.31.171:5000/v2/ failed with status: 503 Service Unavailable
偶尔能登陆成功,然后换账号登录就出现上面的错误
原因是 registry 的配置文件开启了健康检查,将其关闭即可
health: storagedriver: enabled: true interval: 10s
config.yml 修改后的文件如下:
vim /data/docker/registry/config/config.yml version: 0.1 log: fields: service: registry storage: delete: enabled: true cache: blobdescriptor: inmemory filesystem: rootdirectory: /data/docker/registry http: addr: :5000 headers: X-Content-Type-Options: [nosniff] health: storagedriver: enabled: false interval: 10s threshold: 3
重新启动 registry 就 ok 了。
开启 ssl 访问
默认情况下,docker-registry 使用 http 进行连接,docker 客户端默认采用 https。通常在开发环境或者测试环境直接在/etc/docker/daemon.json 文件中写入:
{ "insecure-registries":["192.168.31.171:5000"] },保存后重启。然后就可以进行正常的访问操作了。
然而我们需要做成 https 访问,我们有 2 种方式:1.直接开启 docker-registry 的 443 端口,2.使用 nginx 做代理
1. 开启 443 端口
生成秘钥文件
mkdir -p /data/docker/registry/certs cd /data/docker/registry/certs [root@docker certs]# openssl genrsa -out suanyuntest.com.key 2048 Generating RSA private key, 2048 bit long modulus .........................................+++ .......................................+++ e is 65537 (0x10001) [root@docker certs]# openssl req -newkey rsa:4096 -nodes -sha256 -keyout suanyuntest.com.key -x509 -days 1024 -out suanyuntest.com.crt Generating a 4096 bit RSA private key ..................................................++ .......................................................++ writing new private key to 'suanyuntest.com.key' ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [XX]:cn State or Province Name (full name) []:beijing Locality Name (eg, city) [Default City]:chongqing Organization Name (eg, company) [Default Company Ltd]:suanyun Organizational Unit Name (eg, section) []:suanyun Common Name (eg, your name or your server's hostname) []:centre Email Address []:centrez@126.com [root@docker certs]# ll 总用量 8 -rw-r--r-- 1 root root 2106 4月 23 00:57 centrexzj.vicp.cc -rw-r--r-- 1 root root 3272 4月 23 00:57 suanyun.key [root@docker certs]#
这样自签名证书就制作完成了。
由于是自签名证书,默认是不受 Docker 信任的,故而需要将证书添加到 Docker 的根证书中,Docker 在 CentOS 7 中,证书存放路径是 :
192.168.31.171
mkdir -p /etc/docker/certs.d/suanyuntest.com cp -r suanyuntest.com.crt /etc/docker/certs.d/suanyuntest.com
192.168.31.164 和 192.168.31.170
scp -r suanyuntest.com.crt root@192.168.31.164:/etc/docker/certs.d/suanyuntest.com scp -r suanyuntest.com.crt root@192.168.31.170:/etc/docker/certs.d/suanyun
启动命令
docker run -d -p 443:5000 --restart=always --name=registry-server \ -v /data/docker/registry/certs:/certs \ -v /data/docker/registry/config/:/etc/docker/registry/ \ -v /data/docker/registry/auth/:/auth/ \ -e "REGISTRY_AUTH=htpasswd" \ -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" \ -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd \ -v /data/docker/registry/:/var/lib/registry/ \ -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/suanyuntest.com.crt \ -e REGISTRY_HTTP_TLS_KEY=/certs/suanyuntest.com.key \ registry:2.4.1
接下来就可以在浏览器和另外 2 个客户端测试
在 192.168.31.171 执行如下命令:
docker tag hello-world suanyuntest.com/hello-world docker images docker login suanyuntest.com 账号:admin 密码:admin docker push suanyuntest.com/hello-world
在 192.168.31.164 执行如下命令:
docker pull suanyuntest.com/hello-world docker images
到这里我们的 docker 私有仓库就搭建完成了
采用 nginx 代理
docker 仍然采用 5000 端口,nginx 使用 443 端口,结构如下:
欢迎来到这里!
我们正在构建一个小众社区,大家在这里相互信任,以平等 • 自由 • 奔放的价值观进行分享交流。最终,希望大家能够找到与自己志同道合的伙伴,共同成长。
注册 关于