環境說明:
操作系統:centos7
內核版本:
[root@node-11 ~]# uname -r
3.10.0-693.21.1.el7.x86_64
摘要:
倉庫(Repository)是集中存放鏡像的地方,與之關聯的是註冊服務器。
那註冊服務器和倉庫有什麼關係呢?
比如倉庫地址爲:https://dl.dockerpool.com/ubuntu
那麼dl.dockerpool.com就是註冊服務器,ubuntu是倉庫名
也就是說,註冊服務器上可以存放多個鏡像倉庫,而每個鏡像倉庫裏面存放多個鏡像
Docker Hub 雖然非常方便,但還是有些限制,比如:
需要 internet 連接,而且下載和上傳速度慢。
上傳到 Docker Hub 的鏡像任何人都能夠訪問,雖然可以用私有 repository,但不是免費的。
安全原因很多組織不允許將鏡像放到外網。
一、公共倉庫Registry使用
Docker Hub 是 Docker 公司維護的公共 Registry。用戶可以將自己的鏡像保存到 Docker Hub 免費的 repository 中。如果不希望別人訪問自己的鏡像,也可以購買私有 repository。
除了 Docker Hub,quay.io 是另一個公共 Registry,提供與 Docker Hub 類似的服務。
- 在https://hub.docker.com/?next=https%3A%2F%2Fhub.docker.com%2F
註冊一個Docker Hub賬號
2.在Dokcer host上驗證登錄
root@node-11 ~]# docker login
Login with your Docker ID to push and pull images from Docker Hub. If you don't have a Docker ID, head over to https://hub.docker.com to create one.
Username: liulei123
Password:
Login Succeeded
3.Docker Hub 爲了區分不同用戶的同名鏡像,鏡像的 registry 中要包含用戶名,完整格式爲:[username]/xxx:tag
通過docker tag 命令重命名鏡像名字
[root@node-11 ~]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
[root@node-11 ~]# docker pull centos
Using default tag: latest
Trying to pull repository docker.io/library/centos ...
latest: Pulling from docker.io/library/centos
469cfcc7a4b3: Pull complete
Digest: sha256:989b936d56b1ace20ddf855a301741e52abca38286382cba7f44443210e96d16
Status: Downloaded newer image for docker.io/centos:latest
[root@node-11 ~]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
docker.io/centos latest e934aafc2206 13 days ago 199 MB
[root@node-11 ~]# docker tag docker.io/centos liu/centos ##把docker.io重命名爲liu/centos
[root@node-11 ~]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
docker.io/centos latest e934aafc2206 13 days ago 199 MB
liu/centos latest e934aafc2206 13 days ago 199 MB
[root@node-11 ~]#
4.通過docker push 命令把本地鏡像liu/centos推送到公共倉庫Docker Hup
[root@node-11 ~]# docker push liu/centos
The push refers to a repository [docker.io/liu/centos]
43e653f84b79: Preparing
denied: requested access to the resource is denied
[root@node-11 ~]#
上傳鏡像報錯分析:
上面的信息顯示是拒接訪問,因爲tag的名字斜線前面部分liu不是我在Docker Hub上註冊的用戶名liulei123,因此使用docker push liu/centos是無法正常上傳本地鏡像的,需要把本地鏡像liu/centos修改爲liulei123/centos才能把本地鏡像上傳到Dokcer Hub上
以下是解決過程
[root@node-11 ~]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
docker.io/centos latest e934aafc2206 13 days ago 199 MB
liu/centos latest e934aafc2206 13 days ago 199 MB
[root@node-11 ~]# docker tag liu/centos liulei123/centos
[root@node-11 ~]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
liu/centos latest e934aafc2206 13 days ago 199 MB
liulei123/centos latest e934aafc2206 13 days ago 199 MB
docker.io/centos latest e934aafc2206 13 days ago 199 MB
[root@node-11 ~]# docker push liulei123/centos
The push refers to a repository [docker.io/liulei123/centos]
43e653f84b79: Pushed
latest: digest: sha256:191c883e479a7da2362b2d54c0840b2e8981e5ab62e11ab925abf8808d3d5d44 size: 529
5.登錄 https://hub.docker.com,在Public Repository 中就可以看到本地上傳的鏡像
二、在Docker上搭建本地的 Registry。
說明:
Docker Hub 雖然非常方便,但還是有些限制,比如:
-
需要 internet 連接,而且下載和上傳速度慢。
-
上傳到 Docker Hub 的鏡像任何人都能夠訪問,雖然可以用私有 repository,但不是免費的。
- 安全原因很多組織不允許將鏡像放到外網。
-
搭建本地的 Registry是解決以上問題的一種選擇
- 下載並啓動一個Registry容器,創建docker本地私有倉庫
[root@node-11 ~]# docker run -d -p 5000:5000 -v /mygistry:/var/lib/registry registry:2 Unable to find image 'registry:2' locally Trying to pull repository docker.io/library/registry ... 2: Pulling from docker.io/library/registry 81033e7c1d6a: Pull complete b235084c2315: Pull complete c692f3a6894b: Pull complete ba2177f3a70e: Pull complete a8d793620947: Pull complete Digest: sha256:672d519d7fd7bbc7a448d17956ebeefe225d5eb27509d8dc5ce67ecb4a0bce54 Status: Downloaded newer image for docker.io/registry:2 0ec05f0a53342d78dc0b6e1697328b5588f6f6744c781e1741cff038fbc04f02
參數說明:
-d 表示後臺啓動容器
-p 將容器的5000端口映射到宿主機5000端口,5000是註冊服務器服務端口
-v 將 registry容器中/var/lib/registry的目錄映射到宿主機的 /mygistry
2.使用docker tag 將liulei123/centos鏡像標記爲10.71.11.11:5000/liulei123/registry
[root@node-11 ~]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
docker.io/centos latest e934aafc2206 13 days ago 199 MB
liu/centos latest e934aafc2206 13 days ago 199 MB
liulei123/centos latest e934aafc2206 13 days ago 199 MB
docker.io/registry 2 d1fd7d86a825 3 months ago 33.3 MB
[root@node-11 ~]# docker tag liulei123/centos 10.71.11.11:5000/liulei123/registry
3.通過docker push 上傳鏡像
[root@node-11 ~]# docker push 10.71.11.11:5000/liulei123/registry
The push refers to a repository [10.71.11.11:5000/liulei123/registry]
Get https://10.71.11.11:5000/v1/_ping: http: server gave HTTP response to HTTPS client
報錯1:Get https://10.71.11.11:5000/v1/_ping: http: server gave HTTP response to HTTPS client
原因分析:
這個問題可能是由於客戶端採用https,docker registry未採用https服務所致。
解決方法:
編輯/etc/docker/daemon.json文件,寫入下面配置
{"insecure-registries":["10.71.11.11:5000"] }
重啓docker服務
[root@node-11 docker]# systemctl restart docker
報錯2:
[root@node-11 docker]# docker push 10.71.11.11:5000/liulei123/registry
The push refers to a repository [10.71.11.11:5000/liulei123/registry]
Put http://10.71.11.11:5000/v1/repositories/liulei123/registry/: dial tcp 10.71.11.11:5000: getsockopt: connection refused
說明:從報錯信息Put http://10.71.11.11:5000/v1/repositories/liulei123/registry/: dial tcp 10.71.11.11:5000: getsockopt: connection refused來看,估計大家會先去網上查找相關報錯的信息,經過查閱大量的文檔,說是需要編輯/etc/sysconfig/docker,加入如下配置
但是加入INSECURE_REGISTRY='--insecure-registry=10.71.11.11:5000'
配置後,重啓docker服務報錯
[root@node-11 docker]# vi /etc/sysconfig/docker
[root@node-11 docker]# systemctl restart docker
Job for docker.service failed because the control process exited with error code. See "systemctl status docker.service" and "journalctl -xe" for details.
把添加的配置註釋掉後,重啓docker成功
後來想了想,看看我的registry容器服務啓動沒有
[root@node-11 docker]# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
突然才恍然大悟,registry容器都沒啓動,上傳本地鏡像,肯定要報錯,問題解決過程如下
拿到registry容器ID
[root@node-11 docker]# docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
0ec05f0a5334 registry:2 "/entrypoint.sh /e..." 36 minutes ago Exited (2) 19 minutes ago friendly_mahavira
然後用容器ID啓動容器
[root@node-11 docker]# docker start 0ec05f0a5334
0ec05f0a5334
[root@node-11 docker]# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
0ec05f0a5334 registry:2 "/entrypoint.sh /e..." 37 minutes ago Up 5 seconds 0.0.0.0:5000->5000/tcp friendly_mahavira
再次向鏡像倉庫上傳本地鏡像
[root@node-11 docker]# docker push 10.71.11.11:5000/liulei123/registry
The push refers to a repository [10.71.11.11:5000/liulei123/registry]
43e653f84b79: Pushed
latest: digest: sha256:191c883e479a7da2362b2d54c0840b2e8981e5ab62e11ab925abf8808d3d5d44 size: 529
4.現在就可以從本地私有倉庫下載鏡像了
[root@node-11 docker]# docker pull 10.71.11.11:5000/liulei123/registry
Using default tag: latest
Trying to pull repository 10.71.11.11:5000/liulei123/registry ...
latest: Pulling from 10.71.11.11:5000/liulei123/registry
Digest: sha256:191c883e479a7da2362b2d54c0840b2e8981e5ab62e11ab925abf8808d3d5d44
Status: Image is up to date for 10.71.11.11:5000/liulei123/registry:latest
以上是搭建本地 registry 步驟和排錯過程。當然 registry 也支持認證,https 安全傳輸等特性,具體可以參考官方文檔 https://docs.docker.com/registry/configuration/