I. Setting up a private registry
1. Create an Alibaba Cloud account
https://www.aliyun.com/
2. Configure the image mirror (pull accelerator)
[root@server1 docker]# pwd
/etc/docker
[root@server1 docker]# ls
key.json
[root@server1 docker]# vim daemon.json
{
"registry-mirrors": ["https://4nlobfqm.mirror.aliyuncs.com"]
}
3. Reload the configuration and restart the service
[root@server1 docker]# systemctl daemon-reload
[root@server1 docker]# systemctl restart docker
4. Search for images (the host needs Internet access)
[root@server1 docker]# docker search nginx #search Docker Hub for nginx images; the mirror configured above only accelerates pulls, docker search always queries Docker Hub
Note: official images carry no user (namespace) prefix, e.g. nginx rather than someuser/nginx.
Try pulling an image through the Alibaba Cloud mirror
[root@server1 docker]# docker pull mariadb
When an image is needed, the local image store is checked first; only if it is missing is it downloaded.
Push an image to the local private registry:
We use the registry:2 image, the smaller one, loaded from a tarball:
[root@server1 images]# docker load -i registry2.tar
Note: the registry image declares a volume for /var/lib/registry. If you start it without -v, docker inspect shows an anonymous volume under a generated long path; here we bind-mount /opt/registry instead, so that path is not created.
[root@server1 docker]# docker run -d --name registry -v /opt/registry/:/var/lib/registry -p 5000:5000 registry:2
3aab170f9c4653ff56561f1719536b45392725e173db2fea21ce166ed4c33222
Note: if docker run prints "WARNING: IPv4 forwarding is disabled. Networking will not work.", enable IP forwarding:
[root@server1 repositories]# sysctl -w net.ipv4.ip_forward=1
net.ipv4.ip_forward = 1
[root@server1 repositories]# sysctl -a | grep ip_forward
net.ipv4.ip_forward = 1
net.ipv4.ip_forward_use_pmtu = 0
sysctl -w only changes the running kernel; to keep the setting across reboots put net.ipv4.ip_forward = 1 in /etc/sysctl.conf or a file under /etc/sysctl.d/.
Tag the image with the registry address
[root@server1 docker]# docker tag nginx localhost:5000/nginx
Push the image to the local registry:
[root@server1 docker]# docker push localhost:5000/nginx
Inspect the registry's storage layout on the bind-mounted directory:
[root@server1 registry]# pwd
/opt/registry
[root@server1 registry]# ls
docker
[root@server1 registry]# tree .
[root@server1 registry]# curl localhost:5000/v2/_catalog
{"repositories":["nginx"]}
The registry now holds the nginx image.
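The _catalog answer above is derived from the directory tree under /opt/registry. As an added example (not part of the original notes), the two shell functions below read the same information straight from the storage directory, which is useful when the container is down or you are examining a copied volume. They assume the standard registry v2 layout (docker/registry/v2/repositories/<name>/_manifests/tags/<tag>); the function names and the small directory tree built at the end are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: read repositories and tags from a registry:2 storage
# directory without talking to the registry. Assumes the standard v2
# layout under ROOT/docker/registry/v2/repositories.
set -eu

# registry_catalog ROOT: list repositories like GET /v2/_catalog does.
# Nested names (lib/mariadb) are handled because each repository owns
# exactly one _manifests directory.
registry_catalog() {
    repos="$1/docker/registry/v2/repositories"
    [ -d "$repos" ] || return 1
    find "$repos" -type d -name _manifests \
    | sed "s#^$repos/##; s#/_manifests\$##" \
    | sort
}

# registry_tags ROOT REPO: list tags like GET /v2/REPO/tags/list does.
registry_tags() {
    tags="$1/docker/registry/v2/repositories/$2/_manifests/tags"
    [ -d "$tags" ] || return 1
    ls "$tags" | sort
}

# Constructed sample tree (stands in for /opt/registry on the page):
# nginx:latest and a nested repository lib/mariadb:10.4.
SAMPLE_ROOT=$(mktemp -d)
mkdir -p "$SAMPLE_ROOT/docker/registry/v2/repositories/nginx/_manifests/tags/latest/current" \
         "$SAMPLE_ROOT/docker/registry/v2/repositories/lib/mariadb/_manifests/tags/10.4/current"

echo "repositories:"
registry_catalog "$SAMPLE_ROOT"
echo "tags of nginx:"
registry_tags "$SAMPLE_ROOT" nginx
```

On a real host call registry_catalog /opt/registry; the output should match curl localhost:5000/v2/_catalog while the registry is running.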
II. Configuring a TLS-secured registry
1. Create the certificate directory and generate a self-signed certificate
[root@server1 ~]# mkdir certs
[root@server1 ~]# openssl req -newkey rsa:4096 -nodes -sha256 -keyout certs/westos.org.key -x509 -days 365 -out certs/westos.org.crt
At the prompts enter westos.org as the Common Name; the certificate must be issued for the name clients will use. Newer Docker releases (Go 1.15 and later TLS verification) ignore the CN and require a subjectAltName, so with OpenSSL 1.1.1 or later add -addext "subjectAltName=DNS:westos.org" to the command.
Check the generated files
[root@server1 ~]# ls
certs images
[root@server1 ~]# cd certs/
[root@server1 certs]# ls
westos.org.crt westos.org.key
2. Configure TLS
Remove the old plaintext registry container (stop it first, or use docker rm -f, if it is still running):
[root@server1 ~]# docker rm registry
registry
In the command below, "$(pwd)"/certs is the certs directory under the current directory, and /opt/registry is the explicit bind mount for the storage volume (so Docker does not create an anonymous volume under a generated path). A # comment after a trailing backslash would break the line continuation, so do not put comments inside the command.
[root@server1 ~]# docker run -d \
> --restart=always \
> --name registry \
> -v "$(pwd)"/certs:/certs \
> -e REGISTRY_HTTP_ADDR=0.0.0.0:443 \
> -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/westos.org.crt \
> -e REGISTRY_HTTP_TLS_KEY=/certs/westos.org.key \
> -v /opt/registry:/var/lib/registry \
> -p 443:443 \
> registry:2
If it started correctly, docker ps shows port 443 published (0.0.0.0:443->443/tcp).
Note: docker inspect registry lists the bind mounts we defined with -v under "Mounts".
3. Add name resolution (westos.org must resolve to the registry host)
[root@server1 ~]# vim /etc/hosts
172.25.254.1 server1 westos.org
[root@server1 ~]# docker images nginx
REPOSITORY TAG IMAGE ID CREATED SIZE
nginx latest e548f1a579cf 15 months ago 109MB
[root@server1 ~]# docker tag nginx:latest westos.org/nginx
[root@server1 ~]# docker images westos.org/nginx
REPOSITORY TAG IMAGE ID CREATED SIZE
westos.org/nginx latest e548f1a579cf 15 months ago 109MB
4. Copy the certificate into the Docker daemon's trust directory for this registry (/etc/docker/certs.d/<registry host>/ca.crt)
[root@server1 ~]# cd /etc/docker/
[root@server1 docker]# ls
daemon.json key.json
[root@server1 docker]# mkdir certs.d
[root@server1 docker]# cd certs.d/
[root@server1 certs.d]# mkdir westos.org
[root@server1 certs.d]# cd westos.org/
[root@server1 westos.org]# cp ~/certs/westos.org.crt ca.crt
[root@server1 westos.org]# ls
ca.crt
Test: push the image over TLS
[root@server1 ~]# docker push westos.org/nginx
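Whether the push above succeeds depends on the certificate from step 1 actually being valid for westos.org. As an added example (not part of the original notes), the script below generates the certificate non-interactively with a subjectAltName, checks it the way Docker's TLS client will (name match plus chain verification against itself), and installs it into the certs.d layout. It assumes OpenSSL 1.1.1 or later (for -addext and -verify_hostname); the function names are constructed for this example, and the install step uses a temporary directory in place of /etc/docker so it can run anywhere.

```shell
#!/bin/sh
# Added example: self-signed registry certificate with SAN, verified before
# deployment. Assumes OpenSSL >= 1.1.1. Host name westos.org as on the page.
set -eu

# make_registry_cert DIR HOST: writes DIR/HOST.key and DIR/HOST.crt.
# -subj avoids the interactive prompts; -addext puts HOST in the SAN,
# which newer Docker/Go TLS clients require (the CN alone is ignored).
make_registry_cert() {
    dir=$1; host=$2
    mkdir -p "$dir"
    openssl req -x509 -newkey rsa:4096 -nodes -sha256 -days 365 \
        -subj "/CN=$host" \
        -addext "subjectAltName=DNS:$host" \
        -keyout "$dir/$host.key" -out "$dir/$host.crt" 2>/dev/null
    chmod 600 "$dir/$host.key"   # the private key stays readable by root only
}

# cert_matches_host CRT HOST: succeeds only if CRT names HOST in its SAN
# and verifies for HOST when CRT itself is the trust anchor, which is
# exactly the situation once CRT is installed as ca.crt on the clients.
cert_matches_host() {
    crt=$1; host=$2
    openssl x509 -in "$crt" -noout -text | grep -q "DNS:$host" || return 1
    openssl verify -CAfile "$crt" -verify_hostname "$host" "$crt" >/dev/null 2>&1
}

# install_client_ca CRT HOST ROOT: copies CRT to ROOT/certs.d/HOST/ca.crt,
# the per-registry trust path dockerd reads (ROOT is /etc/docker on a host).
install_client_ca() {
    crt=$1; host=$2; root=$3
    mkdir -p "$root/certs.d/$host"
    cp "$crt" "$root/certs.d/$host/ca.crt"
    chmod 644 "$root/certs.d/$host/ca.crt"
}

# Stand-alone demonstration in a scratch directory (constructed, not /etc/docker).
DEMO_DIR=$(mktemp -d)
make_registry_cert "$DEMO_DIR/certs" westos.org
if cert_matches_host "$DEMO_DIR/certs/westos.org.crt" westos.org; then
    echo "westos.org.crt is valid for westos.org; installing"
    install_client_ca "$DEMO_DIR/certs/westos.org.crt" westos.org "$DEMO_DIR/docker"
else
    echo "certificate does not match westos.org; fix it before starting the registry"
fi
```

Run cert_matches_host against certs/westos.org.crt on server1 before copying certs.d to other hosts; a certificate that fails it produces the "x509" errors on the clients no matter how carefully the files are copied.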
Start a second virtual machine, install Docker and start the service
[root@server2 ~]# systemctl start docker
[root@server2 ~]# docker --version
Docker version 18.06.1-ce, build e68fc7a
Add name resolution
[root@server2 ~]# vim /etc/hosts
172.25.254.1 server1 westos.org
Note: at this point server2 cannot pull the image server1 pushed; the daemon does not trust the self-signed certificate and the pull fails with "x509: certificate signed by unknown authority".
Fix: copy the certs.d directory from server1
[root@server1 ~]# cd /etc/docker/
[root@server1 docker]# ls
certs.d daemon.json key.json
[root@server1 docker]# scp -r certs.d/ server2:/etc/docker/
- Authentication (auth) + TLS
Copy server1's daemon.json (the mirror configuration) to server2 as well; this only gives server2 the pull accelerator and is not needed for the registry login itself. Restart docker on server2 afterwards so the new daemon.json is read.
[root@server1 docker]# ls
certs.d daemon.json key.json
[root@server1 docker]# scp daemon.json server2:/etc/docker/
Create the htpasswd credentials on server1 (bcrypt via -B; the registry accepts only bcrypt hashes). The registry:2 image used here still ships htpasswd; registry 2.7 and later no longer do, so on newer images run the same command with the httpd:2 image instead, i.e. docker run --rm --entrypoint htpasswd httpd:2 -Bbn wxh westos > auth/htpasswd
[root@server1 ~]# mkdir auth
[root@server1 ~]# docker run --rm --entrypoint htpasswd registry:2 -Bbn wxh westos > auth/htpasswd
[root@server1 ~]# cat auth/htpasswd
wxh:$2y$05$wIkyZA83nGv2kk4k8ZJVzuGbmdxMfAcU4tYIUQ.Upd8V7cUzbgVNG
[root@server1 ~]# docker run --rm --entrypoint htpasswd registry:2 -Bbn lee redhat >> auth/htpasswd
[root@server1 ~]# cat auth/htpasswd
wxh:$2y$05$wIkyZA83nGv2kk4k8ZJVzuGbmdxMfAcU4tYIUQ.Upd8V7cUzbgVNG
lee:$2y$05$WklMY0LYDCLICRPBZdgq8ujnDSlV6.Syl4MFQSeHmHruT4Y0IuhFq
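Two things are worth checking in that file before wiring it into the registry: every entry must be bcrypt (entries made with htpasswd -m or plain crypt are silently unusable, the login just fails), and htpasswd -B defaults to a bcrypt cost of 5, which is low for a password that protects image pushes. As an added example (not part of the original notes), the two functions below check both; the sample file they run on is constructed here, reusing the two hashes shown above plus a made-up MD5 entry for a user bob. The function names are constructed for this example.

```shell
#!/bin/sh
# Added example: sanity checks for a registry htpasswd file.
# Entry format is user:hash; bcrypt hashes start with $2a$, $2b$ or $2y$
# followed by the two-digit cost.
set -eu

# htpasswd_bcrypt_only FILE: exit 0 when every entry is bcrypt; otherwise
# print the offending user names and exit 1.
htpasswd_bcrypt_only() {
    awk -F: '
        /^[[:space:]]*(#|$)/ { next }                  # blank lines and comments
        $2 !~ /^\$2[aby]\$[0-9][0-9]\$/ { print $1; bad = 1 }
        END { if (bad) exit 1; exit 0 }
    ' "$1"
}

# htpasswd_min_cost FILE COST: exit 1 if any bcrypt entry uses a work
# factor below COST, printing "user cost=N" for each weak entry.
htpasswd_min_cost() {
    awk -F: -v min="$2" '
        /^[[:space:]]*(#|$)/ { next }
        $2 ~ /^\$2[aby]\$/ {
            cost = substr($2, 5, 2) + 0              # digits after "$2y$"
            if (cost < min) { printf "%s cost=%d\n", $1, cost; weak = 1 }
        }
        END { if (weak) exit 1; exit 0 }
    ' "$1"
}

# Constructed sample file: the two bcrypt lines are the hashes from the
# page; bob's $apr1$ (MD5) line is made up to show a rejected entry.
SAMPLE_HTPASSWD=$(mktemp)
cat > "$SAMPLE_HTPASSWD" <<'EOF'
# registry users
wxh:$2y$05$wIkyZA83nGv2kk4k8ZJVzuGbmdxMfAcU4tYIUQ.Upd8V7cUzbgVNG
lee:$2y$05$WklMY0LYDCLICRPBZdgq8ujnDSlV6.Syl4MFQSeHmHruT4Y0IuhFq
bob:$apr1$Tmr1b3PT$7qYcZHbLyWbE7fMEGMWU60
EOF

echo "non-bcrypt entries (the registry will never accept these logins):"
htpasswd_bcrypt_only "$SAMPLE_HTPASSWD" || true
echo "entries below cost 10:"
htpasswd_min_cost "$SAMPLE_HTPASSWD" 10 || true
```

To raise the cost when creating users, pass -C to htpasswd (for example -BbnC 12); the registry reads the cost from the hash, so no registry-side change is needed.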
Configure the registry with htpasswd authentication (same TLS settings as before, plus the auth mount and the REGISTRY_AUTH variables)
[root@server1 ~]# docker rm -f registry
registry
[root@server1 ~]# docker run -d --restart=always --name registry -v "$(pwd)"/certs:/certs -e REGISTRY_HTTP_ADDR=0.0.0.0:443 -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/westos.org.crt -e REGISTRY_HTTP_TLS_KEY=/certs/westos.org.key -v /opt/registry:/var/lib/registry -v "$(pwd)"/auth:/auth -e "REGISTRY_AUTH=htpasswd" -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd -p 443:443 registry:2
a3b45b643aa2cd25e703a342b6422a9f7bc1505a48951c45afd5c6162c2f2d51
Remove the nginx image pulled earlier on the client, so the next pull really comes from the registry.
With authentication enabled, you must log in before pulling:
[root@server2 ~]# docker login westos.org
Username: wxh
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
The login writes the credentials to this file:
[root@server2 ~]# cat .docker/config.json
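The "stored unencrypted" warning printed by docker login is literal: the "auth" value in that file is just base64 of user:password, so anyone who can read the file has the registry password. As an added example (not part of the original notes), the script below decodes such a file and checks that it is readable by its owner only; the config.json it works on is constructed here with the user wxh / password westos from the page, since the page does not show the file's contents. The function names are constructed for this example.

```shell
#!/bin/sh
# Added example: show what docker login leaves behind in config.json.
# Assumes GNU/busybox base64 (-d) and a config.json in the layout dockerd
# writes: {"auths": {"<registry>": {"auth": "<base64 user:password>"}}}.
set -eu

# docker_config_creds FILE: print "<registry> <user>:<password>" for every
# "auth" entry, by base64-decoding the stored value.
docker_config_creds() {
    tr -d '\n\t ' < "$1" \
    | grep -o '"[^"]*":{"auth":"[^"]*"' \
    | sed 's/^"\([^"]*\)":{"auth":"\([^"]*\)"/\1 \2/' \
    | while read -r host b64; do
        printf '%s %s\n' "$host" "$(printf '%s' "$b64" | base64 -d)"
    done
}

# config_private FILE: succeed only if group and other have no permissions
# (docker login creates the file 0600; a later chmod or umask mistake
# would expose the registry password to every local user).
config_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Constructed sample: what docker login westos.org as wxh/westos produces.
SAMPLE_CONFIG=$(mktemp)
cat > "$SAMPLE_CONFIG" <<'EOF'
{
	"auths": {
		"westos.org": {
			"auth": "d3hoOndlc3Rvcw=="
		}
	},
	"HttpHeaders": {
		"User-Agent": "Docker-Client/18.06.1-ce (linux)"
	}
}
EOF
chmod 600 "$SAMPLE_CONFIG"

echo "credentials recoverable from config.json:"
docker_config_creds "$SAMPLE_CONFIG"
if config_private "$SAMPLE_CONFIG"; then
    echo "file is owner-only (0600)"
else
    echo "file is readable by other users; chmod 600 it"
fi
```

This is why the warning suggests a credential helper (the password then lives in the OS keyring instead of the file) and why the file should stay 0600; docker logout westos.org removes the entry when the client no longer needs it.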
此時可以拉取: