Getting Started with Docker (3): Setting Up a Private Registry with Authentication

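(1) Registry definition and functions
1. The registry is where images are stored.
2. Function: a service that stores and distributes images centrally; Docker Registry is such a service.
3. Components of Docker Registry: it consists of three parts: index, registry, and registry client.

  • Index: the externally facing part, responsible for login, authentication, storing image information, and presenting it to the outside.
  • repository: the internal part responsible for storing images. Each repository can contain multiple tags, and each tag corresponds to one image. Typically a repository holds images of different versions of the same software, and tags identify those versions. A specific version is selected with the format <repository>:<tag>. If no tag is given, latest is used as the default tag.
  • Registry Client: the docker client.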

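(2) Docker registries are either public or private

2.1 A public Docker Registry service is open to users and lets them manage images. Such services generally allow users to upload and download public images for free, and may offer paid plans for managing private images. The most commonly used one is the official Docker Hub, which is also the default registry and hosts high-quality official images. Within China, the usual one is Alibaba Cloud.

2.2 Private Docker Registry. Users can also set up a private Docker Registry locally. Advantages of a private registry: 1. Saves bandwidth. 2. More secure. 3. Unified management of internal images.

(3) Setting up a private registry
1. Pull the image
[root@otrs004097 ~]# docker pull registry
2. Start a container from the registry image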

[root@otrs004097 ~]# docker run -d -v /opt/docker-registry:/var/lib/registry -p 5000:5000 --name registry registry
6c01265a36274493fd362ab76819f262e344f8259b9a7b3ae056140ec11d1ec8

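-itd: opens a pseudo-terminal in the container for interaction and runs it in the background (the command above uses only -d, which runs the container in the background);
-v: bind-mounts a host directory (/data/registry in this note, /opt/docker-registry in the command above) onto /var/lib/registry in the container, the directory where the registry container stores image files, so the data persists;
-p: maps the port; connecting to port 5000 on the host reaches the service in the registry container;
--restart=always: the restart policy; if the container exits abnormally it is restarted automatically (not set in the command above);
--name registry: names the new container registry; any name can be used;
registry:latest: the image that was just pulled;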

3. Check that it is running

[root@otrs004097 ~]# docker ps
CONTAINER ID        IMAGE               COMMAND                  CREATED             STATUS              PORTS                    NAMES
6c01265a3627        registry            "/entrypoint.sh /etc…"   4 seconds ago       Up 2 seconds        0.0.0.0:5000->5000/tcp   registry

4. Enter this address in a browser: http://192.168.4.97:5000/v2/. The following response means the registry is working:
{}

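5. A push may fail with an error such as: Get https://192.168.10.102:5000/v1/_ping: http: server gave HTTP response to HTTPS client
The Docker client is trying HTTPS while the registry answers in plain HTTP. There are two ways to resolve this:
Method 1: edit the daemon configuration file /etc/docker/daemon.json and restart docker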

[root@otrs004097 ~]# vim /etc/docker/daemon.json

{ "registry-mirrors": ["http://hub-mirror.c.163.com"], "insecure-registries": ["192.168.4.97:5000"] }

[root@otrs004097 ~]# systemctl restart docker 
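Notes:
insecure-registries -----> registries the Docker daemon is allowed to reach over plain HTTP (or over HTTPS without certificate verification). Pushes and pulls to these registries are neither encrypted nor authenticated, so this setting suits only a trusted test network.
registry-mirrors -----> registry mirror source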

Method 2: create a certificate and use the registry's built-in TLS

5.1 Generate a self-signed certificate

[root@otrs004097 ~]# mkdir -p /opt/docker/registry/certs
[root@otrs004097 ~]# openssl req -newkey rsa:4096 -nodes -sha256 -keyout /opt/docker/registry/certs/domain.key -x509 -days 365 -out /opt/docker/registry/certs/domain.crt
Generating a 4096 bit RSA private key
.....................++
.....++
writing new private key to '/opt/docker/registry/certs/domain.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:shanghai
Locality Name (eg, city) [Default City]:shanghai
Organization Name (eg, company) [Default Company Ltd]:kj
Organizational Unit Name (eg, section) []:it
Common Name (eg, your name or your server's hostname) []:
Email Address []:
[root@otrs004097 ~]# ll /opt/docker/registry/certs/
total 8
-rw-r--r-- 1 root root 1944 Aug 20 11:04 domain.crt
-rw-r--r-- 1 root root 3272 Aug 20 11:04 domain.key
5.2 Create a registry container with TLS enabled
[root@otrs004097 ~]#  docker run -d --name registry2 -p 5000:5000  -v /opt/docker-registry/:/var/lib/registry -v /opt/docker/registry/certs:/certs -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt -e REGISTRY_HTTP_TLS_KEY=/certs/domain.key registry:2 
0ae56ecfbcd015e59503f01ec8e3f52143753d1137aab530a823d1461b989a01

5.3 Access it from a browser, or with curl
[root@otrs004097 certs.d]# curl -X GET https://192.168.4.97:5000/v2/ -k
{}

5.4 Push an image from another server.
[root@DEV004019 ~]# docker push 192.168.4.97:5000/lqb_nginx:v1 
The push refers to repository [192.168.4.97:5000/lqb_nginx]
fe6a7a3b3f27: Pushed 
d0673244f7d4: Pushed 
d8a33133e477: Pushed 
v1: digest: sha256:dc85890ba9763fe38b178b337d4ccc802874afe3c02e6c98c304f65b08af958f size: 948
5.5 List the pushed images
[root@otrs004097 certs.d]# curl -X GET https://192.168.4.97:5000/v2/_catalog -k
{"repositories":["lqb_nginx"]}
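
Added example (not from the original article): the certificate in step 5.1 was created with an empty Common Name and without a subjectAltName option, its key file is world-readable (-rw-r--r--), and the curl checks use -k, which skips certificate verification. The script below generates a certificate that Docker clients can verify for 192.168.4.97, so the insecure-registries entry from Method 1 is not needed; the function names and the /etc/docker location passed to trust_on_client are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example: self-signed registry certificate that clients can verify.
# Usage on the registry host:  make_registry_cert /opt/docker/registry/certs
# Usage on each client:        trust_on_client domain.crt /etc/docker
set -eu

REGISTRY_IP="192.168.4.97"     # registry address used on this page
REGISTRY_PORT="5000"

# Generate key + certificate with the IP in subjectAltName. Current Docker
# clients validate the SAN entries, not the Common Name.
make_registry_cert() {         # usage: make_registry_cert <out_dir> [rsa_bits]
    out_dir=$1
    bits=${2:-4096}
    mkdir -p "$out_dir"
    ( umask 077                # private key readable by its owner only
      openssl req -newkey "rsa:$bits" -nodes -sha256 -x509 -days 365 \
          -subj "/C=CN/ST=shanghai/L=shanghai/O=kj/OU=it/CN=$REGISTRY_IP" \
          -addext "subjectAltName=IP:$REGISTRY_IP" \
          -keyout "$out_dir/domain.key" -out "$out_dir/domain.crt" 2>/dev/null )
    chmod 644 "$out_dir/domain.crt"   # the certificate itself is public
}

# Succeeds only if the certificate is valid for the registry IP (SAN check).
cert_matches_ip() {            # usage: cert_matches_ip <crt>
    openssl x509 -in "$1" -noout -checkip "$REGISTRY_IP" | grep -q "does match"
}

# Install the certificate as the trust anchor for this registry on a client.
# docker_etc is /etc/docker on a real host (assumption: default location).
trust_on_client() {            # usage: trust_on_client <crt> <docker_etc>
    dest="$2/certs.d/$REGISTRY_IP:$REGISTRY_PORT"
    mkdir -p "$dest"
    cp "$1" "$dest/ca.crt"
}
```

With the certificate installed this way, the checks in 5.3 and 5.5 can be run as curl --cacert domain.crt https://192.168.4.97:5000/v2/ instead of with -k.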

6. Retag the image you want to upload so that its name points at the local registry, then push it.

[root@otrs004097 ~]# docker tag lqb2:v2.0 localhost:5000/lqb2v1:v1
[root@otrs004097 ~]# docker images
REPOSITORY                TAG                 IMAGE ID            CREATED             SIZE
localhost:5000/yz         v1.0                0011d86948f4        26 hours ago        346MB
localhost:5000/yzv1       v1                  0011d86948f4        26 hours ago        346MB
lqb2                      v2.0                62226ff8a5bc        27 hours ago        346MB
localhost:5000/lqb2v1     v1                  62226ff8a5bc        27 hours ago        346MB
t1                        latest              ee097386456f        27 hours ago        380MB
[root@otrs004097 ~]# docker push localhost:5000/lqb2v1:v1 
The push refers to repository [localhost:5000/lqb2v1]
fd214f756b32: Mounted from yzv1 
v1: digest: sha256:dc7415d74223057a91d6525473e0aa7e1a8edd89ea63e9ec2166b2deeccb4fe2 size: 529

7. Open a browser and enter the following address; it shows the list of uploaded images

http://192.168.4.97:5000/v2/_catalog
{"repositories":["lqb2v1","myubuntu","yzv1"]}

[root@otrs004097 ~]# curl -XGET HTTP://192.168.4.97:5000/v2/_catalog 
{"repositories":["lqb2v1","myubuntu","yzv1"]}

8. Test pulling an image: delete the local image first, then pull it again

[root@otrs004097 ~]# docker rmi localhost:5000/lqb2v1:v1 
Untagged: localhost:5000/lqb2v1:v1
Untagged: localhost:5000/lqb2v1@sha256:dc7415d74223057a91d6525473e0aa7e1a8edd89ea63e9ec2166b2deeccb4fe2
[root@otrs004097 ~]# docker images
REPOSITORY                TAG                 IMAGE ID            CREATED             SIZE
localhost:5000/yzv1       v1                  0011d86948f4        27 hours ago        346MB
localhost:5000/yz         v1.0                0011d86948f4        27 hours ago        346MB
lqb2                      v2.0                62226ff8a5bc        27 hours ago        346MB
t1                        latest              ee097386456f        27 hours ago        380MB
lqb1                      v1.0                add4aac9e719        27 hours ago        369MB

[root@otrs004097 ~]# docker pull localhost:5000/lqb2v1:v1 
v1: Pulling from lqb2v1
Digest: sha256:dc7415d74223057a91d6525473e0aa7e1a8edd89ea63e9ec2166b2deeccb4fe2
Status: Downloaded newer image for localhost:5000/lqb2v1:v1
localhost:5000/lqb2v1:v1
[root@otrs004097 ~]# docker images
REPOSITORY                TAG                 IMAGE ID            CREATED             SIZE
localhost:5000/yz         v1.0                0011d86948f4        27 hours ago        346MB
localhost:5000/yzv1       v1                  0011d86948f4        27 hours ago        346MB
lqb2                      v2.0                62226ff8a5bc        27 hours ago        346MB
localhost:5000/lqb2v1     v1                  62226ff8a5bc        27 hours ago        346MB

Both pull and push work as expected.
Notes:
docker push <registry_ip>:5000/<image_name>:<version>; pushes an image to the private registry
docker pull <registry_ip>:5000/<image_name>:<version>; pulls an image from the private registry

docker run -d --name registry2 -p 5000:5000 -v /opt/docker-registry/:/var/lib/registry -v /opt/dcerts/:/certs -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt -e REGISTRY_HTTP_TLS_KEY=/certs/domain.key registry:2