Docker构建私有registry

Docker构建私有registry

registry基础使用

1.启动一个容器，来作为registry的服务，把这个服务运行到一个容器上

docker contianer -d --name="registry" -p 5000:5000 --restart=always -v /opt/registry:/var/lib/registry registry

[root@hwf ~]# docker container run -d -p 5000:5000 --restart=always --name="kk_registry" -v /opt/registry:/var/l
ib/registry registry

2.修改/etc/docker/daemon.json配置文件

[root@hwf ~]# vim /etc/docker/daemon.json 
{
  "registry-mirrors":["https://fooyh53n.mirror.aliyuncs.com"],
  "insecure-registries":["192.168.1.3:5000"]
}

3.重启docker服务

systemctl restart docker

4.上传镜像到镜像仓库

要先给原先的镜像打上tag

[root@hwf ~]# docker image ls
REPOSITORY            TAG                 IMAGE ID            CREATED             SIZE
kk/cen6.9_sshd_lamp   latest              8d038c77b9c4        20 hours ago        496MB
ubuntu                latest              1d622ef86b13        2 weeks ago         73.9MB
nginx                 1.16                dfcfd8e9a5d3        2 weeks ago         127MB
nginx                 latest              602e111c06b6        2 weeks ago         127MB
registry              latest              708bc6af7e5e        3 months ago        25.8MB
hello-world           latest              bf756fb1ae65        4 months ago        13.3kB
centos                6.9                 2199b8eb8390        14 months ago       195MB

比如说我想把nginx:latest镜像上床到本地仓库，tag名必须以镜像服务器的地址和端口开头，kk则是账号名

docker image tag nginx:latest 192.168.1.3:5000/kk/nginx:v1

[root@hwf ~]# docker image tag nginx:latest 192.168.1.3:5000/kk/nginx:v1
[root@hwf ~]# docker image ls
REPOSITORY                  TAG                 IMAGE ID            CREATED             SIZE
kk/cen6.9_sshd_lamp         latest              8d038c77b9c4        20 hours ago        496MB
ubuntu                      latest              1d622ef86b13        2 weeks ago         73.9MB
nginx                       1.16                dfcfd8e9a5d3        2 weeks ago         127MB
nginx                       latest              602e111c06b6        2 weeks ago         127MB
192.168.1.3:5000/kk/nginx   v1                  602e111c06b6        2 weeks ago         127MB
registry                    latest              708bc6af7e5e        3 months ago        25.8MB
hello-world                 latest              bf756fb1ae65        4 months ago        13.3kB
centos                      6.9                 2199b8eb8390        14 months ago       195MB
[root@hwf ~]# docker push 192.168.1.3:5000/kk/nginx
The push refers to repository [192.168.1.3:5000/kk/nginx]
b3003aac411c: Pushed 
216cf33c0a28: Pushed 
c2adabaecedb: Pushed 
v1: digest: sha256:cccef6d6bdea671c394956e24b0d0c44cd82dbe83f543a47fdc790fadea48422 size: 948

客户端192.168.1.4，进行push进行拉去镜像

docker push 192.168.1.1:5000/kk/nginx:v1

[root@hh ~]# docker pull 192.168.1.3:5000/kk/nginx:v1
v1: Pulling from kk/nginx
54fec2fa59d0: Pull complete 
4ede6f09aefe: Pull complete 
f9dc69acb465: Pull complete 
Digest: sha256:cccef6d6bdea671c394956e24b0d0c44cd82dbe83f543a47fdc790fadea48422
Status: Downloaded newer image for 192.168.1.3:5000/kk/nginx:v1
192.168.1.3:5000/kk/nginx:v1
[root@hh ~]# docker image ls
REPOSITORY                  TAG                 IMAGE ID            CREATED             SIZE
192.168.1.3:5000/kk/nginx   v1                  602e111c06b6        2 weeks ago         127MB

在练习一个，把kk/cen6.9_sshd_lamp镜像进行上传，在192.168.1.4在拉取下来

[root@hwf ~]# docker tag kk/cen6.9_sshd_lamp:latest 192.168.1.3:5000/kk/cen6.9_sshd_lamp:v1
[root@hwf ~]# docker push 192.168.1.3:5000/kk/cen6.9_sshd_lamp:v1 
The push refers to repository [192.168.1.3:5000/kk/cen6.9_sshd_lamp]
8f8ee30ead1f: Pushed 
934e2585daf4: Pushed 
b6ebeba6e3c4: Pushed 
1a1f4e2ff477: Pushed 
aaa5621d7c01: Pushed 
v1: digest: sha256:e498fce69b7fb407cf554d85878145394389ae5493f218284b17334a99899ad9 size: 1369

在192.168.1.4上拉取

[root@hh ~]# docker pull 192.168.1.3:5000/kk/cen6.9_sshd_lamp:v1
v1: Pulling from kk/cen6.9_sshd_lamp
831490506c47: Pull complete 
c1e840ade0c1: Pull complete 
85f4b4cb8c33: Pull complete 
14cc16cda02b: Pull complete 
ae87384c8a5c: Pull complete 
Digest: sha256:e498fce69b7fb407cf554d85878145394389ae5493f218284b17334a99899ad9
Status: Downloaded newer image for 192.168.1.3:5000/kk/cen6.9_sshd_lamp:v1
192.168.1.3:5000/kk/cen6.9_sshd_lamp:v1
[root@hh ~]# docker image ls
REPOSITORY                             TAG                 IMAGE ID            CREATED             SIZE
192.168.1.3:5000/kk/cen6.9_sshd_lamp   v1                  8d038c77b9c4        21 hours ago        496MB
192.168.1.3:5000/kk/nginx              v1                  602e111c06b6        2 weeks ago         127MB

registry添加安全认证

考虑到registry的安全性问题，不能让谁都能上传，谁都能下载，需要添加安全认证

下载生成用户和密码的密钥对工具包

yum install -y httpd-tools（生成用户和密码的密钥对工具包）

[root@hh ~]# yum install -y httpd-tools

生成密钥目录

mkdir -p /opt/registry-auth

[root@hh ~]# mdkir -p /opt/registry-auth

生成认证用户和密码（这里用户名和镜像里的一致）

htpasswd -Bbn kk 123 > /opt/registry-auth/htpasswd

[root@hh ~]# htpasswd -Bbn kk 123 > /opt/registry-auth/htpasswd

进行查看验证

[root@hh ~]# cat /opt/registry-auth/htpasswd 
kk:$2y$05$UIGbGRtZGhaKswFNQTkhHOVb7pR6yUYFnarDtMv6ddSvjI4.i1cNm

重启一个registry的容器，只有先添加好这个认证功能，容器才会有，把这个验证目录给挂载上

docker container run -d -p 5000:5000 --name="registry-auth" --restart=always -v /opt/registry:/var/lib/registry -v /opt/registry-auth/:/auth/ -e "REGISTRY_AUTH=htpasswd" -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" -e "REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd" registry
Unable to find image 'registry:latest' locally

[root@hwf ~]# docker container run -d -p 5000:5000 --name="registry-auth" --restart=always -v /opt/registry:/var/lib/registry -v /opt/registry-auth/:/auth/ -e "REGISTRY_AUTH=htpasswd" -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" -e "REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd" registry

REGISTRY_AUTH=认证的文件名

REGISTRY_AUTH_HTPASSWD_PATH=认证文件所在位置

进行推送镜像，在192.168.1.4上拉去下来测试，报错了，这就说明开启了安全认证就不能随意pull，push镜像了

[root@hwf ~]# docker push 192.168.1.3:5000/kk/nginx:v1 
The push refers to repository [192.168.1.3:5000/kk/nginx]
b3003aac411c: Preparing 
216cf33c0a28: Preparing 
c2adabaecedb: Preparing 
no basic auth credentials

首先进行登陆registry，这里要是登陆成功，就使用http-tools工具重新添加一下用户和用户密码

docker login 192.168.1.3:5000

[root@hwf ~]# docker login 192.168.1.3:5000
Username: kk
Password: 
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded

现在进行push镜像，在192.168.1.4上进行拉去，如果镜像的名称不对就要使用tag进行更改，更改要求上边有提到

[root@hwf ~]# docker push 192.168.1.3:5000/kk/nginx:v1
The push refers to repository [192.168.1.3:5000/kk/nginx]
b3003aac411c: Layer already exists 
216cf33c0a28: Layer already exists 
c2adabaecedb: Layer already exists 
v1: digest: sha256:cccef6d6bdea671c394956e24b0d0c44cd82dbe83f543a47fdc790fadea48422 size: 948

在192.168.1.4上拉去镜像也是要先登陆到registry的容器里，才可以拉去镜像

直接拉去报错

[root@hh ~]# docker pull 192.168.1.3:5000/kk/nginx:v1
Error response from daemon: Get http://192.168.1.3:5000/v2/kk/nginx/manifests/v1: no basic auth credentials
[root@hh ~]# docker pull 192.168.1.3:5000/kk/nginx:v1

[root@hh ~]# docker login 192.168.1.3:5000
Username: kk
Password: 
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded
[root@hh ~]# docker pull 192.168.1.3:5000/kk/nginx:v1
v1: Pulling from kk/nginx
54fec2fa59d0: Pull complete 
4ede6f09aefe: Pull complete 
f9dc69acb465: Pull complete 
Digest: sha256:cccef6d6bdea671c394956e24b0d0c44cd82dbe83f543a47fdc790fadea48422
Status: Downloaded newer image for 192.168.1.3:5000/kk/nginx:v1
192.168.1.3:5000/kk/nginx:v1