文章目錄
部署拓撲
以下過程建議需要以下兩個宿主機分別安裝Docker和Docker-Distribution(或運行Docker Registry容器)。
準備宿主機
創建SSL證書和用戶認證文件
在運行Registry的宿主機上完成本節的操作。
- 確定環境變量。其中REGISTRY_DOMAIN的是運行Registry服務的宿主機的有效域名(假設宿主機域名是registry.domain.com)。
$ REGISTRY_PATH=/data/registry
$ REGISTRY_DOMAIN=registry.domain.com
- 創建Registry使用目錄,其中auth是用來存放校驗用戶名/密碼的文件目錄、certs是用來存放TLS所需證書/祕鑰的目錄、data是用來存放容器鏡像的目錄。
$ mkdir -p ${REGISTRY_PATH}/{auth,certs,data}
- 執行命令創建證書(包括公鑰和私鑰文件),以支持Registry運行在HTTPs上。其中CN必須是運行Registry服務的宿主機的有效域名。
$ openssl req -newkey rsa:4096 -nodes -sha256 -keyout ${REGISTRY_PATH}/certs/registry.key -x509 -days 365 \
-out ${REGISTRY_PATH}/certs/registry.crt \
-subj "/C=CN/ST=BEIJING/L=BJ/O=REDHAT/OU=IT/CN=${REGISTRY_DOMAIN}/emailAddress=admin@${REGISTRY_DOMAIN}"
- 查看證書。
$ openssl x509 -in ${REGISTRY_PATH}/certs/registry.crt -text | head -n 14
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
c2:02:34:f6:e0:55:14:8f
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=CN, ST=BEIJING, L=BJ, O=REDHAT, OU=IT, CN=registry.domain.com/emailAddress=[email protected]
Validity
Not Before: Jun 28 04:37:54 2020 GMT
Not After : Jun 28 04:37:54 2021 GMT
Subject: C=CN, ST=BEIJING, L=BJ, O=REDHAT, OU=IT, CN=registry.domain.com/emailAddress=[email protected]
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (4096 bit)
- 創建基於httppasswd的用戶認證文件,其中的user1/password1是登錄用戶和密碼。
$ yum -y install httpd-tools
$ htpasswd -bBc ${REGISTRY_PATH}/auth/htpasswd user1 password1
$ cat ${REGISTRY_PATH}/auth/htpasswd
user1:$2y$05$i5UFQBVopBbZsXJ6sG0SoOw1krIa9YU/5IjAPjKAsSUd5dssU5yTe
- 設置防火牆。爲了能在其它節點遠程訪問registry.domain.com節點運行的Container Registry服務,要確保關閉Registry宿主機節點的防火牆,或執行以下命令打開節點防火牆的5000端口。
$ firewall-cmd --permanent --add-port=5000/tcp
$ firewall-cmd --reload
$ firewall-cmd --query-port=5000/tcp
- 安裝Docker,然後啓動它。
$ yum -y install docker
$ systemctl start docker
配置遠程客戶宿主機環境
如果需要在另一臺遠程客戶宿主機上訪問registry.domain.com節點上的容器Registry服務,需要在該遠程宿主機上執行以下命令:
- 爲了能通過SSL訪問Registry服務,複製證書到宿客戶主機。
$ cp [email protected]:/data/registry/certs/registry.crt /etc/pki/ca-trust/source/anchors/
$ update-ca-trust
- 在遠程客戶宿主機上安裝Docker,然後啓動它。
$ yum -y install docker
$ systemctl start docker
安裝Docker Registry
基於容器安裝運行
- 在Registry宿主機上切換到root用戶,然後在宿主機上創建容器存儲目錄。
$ sudo -i
$ mkdir /mnt/registry
- 運行Registry鏡像,並將容器中/var/lib/registry目錄掛到宿主機的/mnt/registry目錄上。同時配置跟隨Docker服務啓動自動Registry容器。
$ docker run --name registry -p 5000:5000 \
-v ${REGISTRY_PATH}/data:/var/lib/registry:z \
-v ${REGISTRY_PATH}/auth:/auth:z \
-v ${REGISTRY_PATH}/certs:/certs:z \
-e "REGISTRY_AUTH=htpasswd" \
-e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" \
-e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd \
-e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/registry.crt \
-e REGISTRY_HTTP_TLS_KEY=/certs/registry.key \
-d docker.io/library/registry:2
Unable to find image 'registry:2' locally
Trying to pull repository registry.access.redhat.com/registry ...
Pulling repository registry.access.redhat.com/registry
Trying to pull repository registry.fedoraproject.org/registry ...
Pulling repository registry.fedoraproject.org/registry
Trying to pull repository registry.centos.org/registry ...
Pulling repository registry.centos.org/registry
Trying to pull repository docker.io/library/registry ...
2: Pulling from docker.io/library/registry
cbdbe7a5bc2a: Pull complete
47112e65547d: Pull complete
46bcb632e506: Pull complete
c1cc712bcecd: Pull complete
3db6272dcbfa: Pull complete
Digest: sha256:8be26f81ffea54106bae012c6f349df70f4d5e7e2ec01b143c46e2c03b9e551d
Status: Downloaded newer image for docker.io/registry:2
8940dc961afeeb5d8a9ffa52915fca038f2c1156b1b59f2ae81aad064134b93b
注意:如果還想在相同的宿主機上完成“基於軟件包安裝運行”章節操作,需要先運行以下命令停掉Registry容器,以釋放5000端口。
$ docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
79906ce6b19b docker.io/library/registry:2 "/entrypoint.sh /e..." 2 hours ago Up 2 hours 0.0.0.0:5000->5000/tcp registry
$ docker stop registry
$ docker rm registry
基於軟件包安裝運行
- 如果是RHEL,需要先用“subscription-manager repos --enable=rhel-7-server-extras-rpms”命令打開名爲rhel-7-server-extras-rpms的Yum Reop。也可以執行以下命令,使用CentOS的YUM源創建Repo配置文件。
$ cat > /etc/yum.repos.d/docker.repo << EOF
[extras]
name=CentOS 7 - Extras
baseurl=http://mirrors.163.com/centos/7/extras/x86_64
gpgcheck=0
EOF
- 在配置完docker-distribution用到的Yum後,就可以執行以下操作安裝docker-distribution和httpd-tools。
$ sudo -i
$ yum -y install docker-distribution
- 修改/etc/docker-distribution/registry/config.yml文件,
version: 0.1
log:
fields:
service: registry
storage:
cache:
layerinfo: inmemory
filesystem:
rootdirectory: /data/registry/data
delete:
enabled: true
auth:
htpasswd:
realm: basic-realm
path: /data/registry/auth/htpasswd
http:
addr: 0.0.0.0:5000
host: https://registry.domain.com:5000
tls:
certificate: /data/registry/certs/registry.crt
key: /data/registry/certs/registry.key
- 爲了允許該刪除鏡像,修改/etc/docker-distribution/registry/config.yml文件,將storage.delete.enabled設爲true。
- 啓動docker-distribution服務。
$ systemctl start docker-distribution
容器操作
連通性驗證
本地驗證
- 在運行Registry的宿主機上執行命令,從本地訪問docker-distribution,查看其上的repositories。
$ curl -u user1:password1 https://${REGISTRY_DOMAIN}:5000/v2/_catalog
{"repositories":[]}
- 在運行Registry的宿主機上執行命令登錄Registry。
$ docker login ${REGISTRY_DOMAIN}:5000 -u user1 -p password1
遠程驗證
- 再次確認遠程客戶宿主機上有/etc/pki/ca-trust/source/anchors/registry.crt 文件。
- 在遠程客戶宿主機上執行以下命令,查看遠程節點上的鏡像repositories。
$ REGISTRY_DOMAIN=registry.domain.com
$ curl -u user1:password1 https://${REGISTRY_DOMAIN}:5000/v2/_catalog
{"repositories":[]}
- 在遠程客戶宿主機上執行命令登錄Registry。
$ docker login ${REGISTRY_DOMAIN}:5000 -u user1 -p password1
鏡像推拉
以下操作在Registry服務的本地節點或遠程節點均可執行。
- 查看docker的配置文件,確認其中在‘[registries.search]’區域中包括‘docker.io’。
$ more /etc/containers/registries.conf | grep registries.search -A1
[registries.search]
registries = ['docker.io', 'registry.fedoraproject.org', 'quay.io', 'registry.access.redhat.com', 'registry.centos.org']
- 將busybox鏡像從docker.io拉到本地緩存。
$ docker pull busybox
Using default tag: latest
Trying to pull repository docker.io/library/busybox ...
latest: Pulling from docker.io/library/busybox
76df9210b28c: Pull complete
Digest: sha256:95cf004f559831017cdf4628aaf1bb30133677be8702a8c5f2994629f637a209
Status: Downloaded newer image for docker.io/busybox:latest
- 查看本地緩存鏡像。
$ docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
docker.io/busybox latest 1c35c4412082 3 weeks ago 1.22 MB
- 對本地busybox鏡像重新打標籤。
$ docker tag docker.io/busybox ${REGISTRY_DOMAIN}:5000/busybox
- 再次查看本地緩存鏡像。
$ docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
docker.io/busybox latest 1c35c4412082 3 weeks ago 1.22 MB
registry.domain.com:5000/busybox latest 1c35c4412082 3 weeks ago 1.22 MB
- 將本地緩存中的registry.domain.com:5000/busybox鏡像推至Registry上。
$ docker push ${REGISTRY_DOMAIN}:5000/busybox
The push refers to a repository [registry.domain.com:5000/busybox]
- 執行命令,確認registry.domain.com:5000上已經有busybox的Repository。
$ curl -u user1:password1 https://${REGISTRY_DOMAIN}:5000/v2/_catalog
{"repositories":["busybox"]}
$ curl -XGET -u user1:password1 https://${REGISTRY_DOMAIN}:5000/v2/busybox/tags/list
{"name":"busybox","tags":["latest"]}
- 從本地緩存中刪除所有busybox鏡像。
$ docker image remove docker.io/busybox:latest
Untagged: docker.io/busybox:latest
Untagged: docker.io/busybox@sha256:95cf004f559831017cdf4628aaf1bb30133677be8702a8c5f2994629f637a209
$ docker image remove ${REGISTRY_DOMAIN}:5000/busybox:latest
Untagged: registry.domain.com:5000/busybox:latest
Untagged: registry.domain.com:5000/busybox@sha256:fd4a8673d0344c3a7f427fe4440d4b8dfd4fa59cfabbd9098f9eb0cb4ba905d0
Deleted: sha256:1c35c441208254cb7c3844ba95a96485388cef9ccc0646d562c7fc026e04c807
Deleted: sha256:1be74353c3d0fd55fb5638a52953e6f1bc441e5b1710921db9ec2aa202725569
- 執行命令,確認本地緩存中已經沒有鏡像了
$ docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
- 從本地Docker Registry上拉取busybox鏡像。
$ docker pull ${REGISTRY_DOMAIN}:5000/busybox:latest
Trying to pull repository registry.domain.com:5000/busybox ...
latest: Pulling from registry.domain.com:5000/busybox
76df9210b28c: Pull complete
Digest: sha256:fd4a8673d0344c3a7f427fe4440d4b8dfd4fa59cfabbd9098f9eb0cb4ba905d0
Status: Downloaded newer image for registry.domain.com:5000/busybox:latest
- 確認本地緩存中有了registry.domain.com:5000/busybox鏡像。
$ docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
registry.domain.com:5000/busybox latest 1c35c4412082 3 weeks ago 1.22 MB
Docker Registry操作
本節操作都在Registry宿主機上完成。
查看Docker Registry保存的鏡像
- 查看docker-distribution在本地保存的鏡像。
$ export REGISTRY_DATA_DIR=${REGISTRY_PATH}/data/docker/registry/v2
$ ll ${REGISTRY_DATA_DIR}/repositories
drwxr-xr-x. 5 root root 55 Jun 28 12:44 busybox
從Docker Registry中刪除鏡像
- 下載刪除Registry中鏡像的腳本。
$ curl -L https://raw.githubusercontent.com/burnettk/delete-docker-registry-image/master/delete_docker_registry_image.py -o /usr/local/bin/delete_docker_registry_image
$ chmod +x /usr/local/bin/delete_docker_registry_image
- 確認Docker鏡像保存的目錄。
$ echo ${REGISTRY_DATA_DIR}
/data/registry/data/docker/registry/v2/
- 執行命令,刪除busybox鏡像。
$ delete_docker_registry_image --image busybox
- 驗證鏡像已經從Docker Registry上被刪除
$ curl -u user1:password1 https://${REGISTRY_DOMAIN}:5000/v2/_catalog
{"repositories":[]}
- 驗證在本地存儲中已經沒有了保存busybox鏡像用到的目錄。
$ ll ${REGISTRY_DATA_DIR}/repositories
total 0
停止Docker Registry
- 如果是以容器方式運行Registry,可執行以下命令停掉Registry容器運行。
$ docker container stop registry
$ docker container rm -v registry
- 如果Docker Registry是在宿主機上直接運行,執行以下命令停掉該服務運行。
$ systemctl stop docker-distribution
參考
https://www.centlinux.com/2019/04/configure-secure-registry-docker-distribution-centos-7.html