Building a private registry with Docker
Basic registry usage
1. Start a container to act as the registry service; the service runs inside this container
docker container run -d --name="registry" -p 5000:5000 --restart=always -v /opt/registry:/var/lib/registry registry
[root@hwf ~]# docker container run -d -p 5000:5000 --restart=always --name="kk_registry" -v /opt/registry:/var/lib/registry registry
2. Edit the /etc/docker/daemon.json configuration file
[root@hwf ~]# vim /etc/docker/daemon.json
{
"registry-mirrors":["https://fooyh53n.mirror.aliyuncs.com"],
"insecure-registries":["192.168.1.3:5000"]
}
3. Restart the docker service
systemctl restart docker
4. Upload an image to the registry
First tag the existing image
[root@hwf ~]# docker image ls
REPOSITORY TAG IMAGE ID CREATED SIZE
kk/cen6.9_sshd_lamp latest 8d038c77b9c4 20 hours ago 496MB
ubuntu latest 1d622ef86b13 2 weeks ago 73.9MB
nginx 1.16 dfcfd8e9a5d3 2 weeks ago 127MB
nginx latest 602e111c06b6 2 weeks ago 127MB
registry latest 708bc6af7e5e 3 months ago 25.8MB
hello-world latest bf756fb1ae65 4 months ago 13.3kB
centos 6.9 2199b8eb8390 14 months ago 195MB
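For example, to upload the nginx:latest image to the local registry, the tag name must begin with the address and port of the registry server; kk is the account name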
docker image tag nginx:latest 192.168.1.3:5000/kk/nginx:v1
[root@hwf ~]# docker image tag nginx:latest 192.168.1.3:5000/kk/nginx:v1
[root@hwf ~]# docker image ls
REPOSITORY TAG IMAGE ID CREATED SIZE
kk/cen6.9_sshd_lamp latest 8d038c77b9c4 20 hours ago 496MB
ubuntu latest 1d622ef86b13 2 weeks ago 73.9MB
nginx 1.16 dfcfd8e9a5d3 2 weeks ago 127MB
nginx latest 602e111c06b6 2 weeks ago 127MB
192.168.1.3:5000/kk/nginx v1 602e111c06b6 2 weeks ago 127MB
registry latest 708bc6af7e5e 3 months ago 25.8MB
hello-world latest bf756fb1ae65 4 months ago 13.3kB
centos 6.9 2199b8eb8390 14 months ago 195MB
[root@hwf ~]# docker push 192.168.1.3:5000/kk/nginx
The push refers to repository [192.168.1.3:5000/kk/nginx]
b3003aac411c: Pushed
216cf33c0a28: Pushed
c2adabaecedb: Pushed
v1: digest: sha256:cccef6d6bdea671c394956e24b0d0c44cd82dbe83f543a47fdc790fadea48422 size: 948
On the client 192.168.1.4, pull the image
docker pull 192.168.1.3:5000/kk/nginx:v1
[root@hh ~]# docker pull 192.168.1.3:5000/kk/nginx:v1
v1: Pulling from kk/nginx
54fec2fa59d0: Pull complete
4ede6f09aefe: Pull complete
f9dc69acb465: Pull complete
Digest: sha256:cccef6d6bdea671c394956e24b0d0c44cd82dbe83f543a47fdc790fadea48422
Status: Downloaded newer image for 192.168.1.3:5000/kk/nginx:v1
192.168.1.3:5000/kk/nginx:v1
[root@hh ~]# docker image ls
REPOSITORY TAG IMAGE ID CREATED SIZE
192.168.1.3:5000/kk/nginx v1 602e111c06b6 2 weeks ago 127MB
One more exercise: upload the kk/cen6.9_sshd_lamp image, then pull it on 192.168.1.4
[root@hwf ~]# docker tag kk/cen6.9_sshd_lamp:latest 192.168.1.3:5000/kk/cen6.9_sshd_lamp:v1
[root@hwf ~]# docker push 192.168.1.3:5000/kk/cen6.9_sshd_lamp:v1
The push refers to repository [192.168.1.3:5000/kk/cen6.9_sshd_lamp]
8f8ee30ead1f: Pushed
934e2585daf4: Pushed
b6ebeba6e3c4: Pushed
1a1f4e2ff477: Pushed
aaa5621d7c01: Pushed
v1: digest: sha256:e498fce69b7fb407cf554d85878145394389ae5493f218284b17334a99899ad9 size: 1369
Pull it on 192.168.1.4
[root@hh ~]# docker pull 192.168.1.3:5000/kk/cen6.9_sshd_lamp:v1
v1: Pulling from kk/cen6.9_sshd_lamp
831490506c47: Pull complete
c1e840ade0c1: Pull complete
85f4b4cb8c33: Pull complete
14cc16cda02b: Pull complete
ae87384c8a5c: Pull complete
Digest: sha256:e498fce69b7fb407cf554d85878145394389ae5493f218284b17334a99899ad9
Status: Downloaded newer image for 192.168.1.3:5000/kk/cen6.9_sshd_lamp:v1
192.168.1.3:5000/kk/cen6.9_sshd_lamp:v1
[root@hh ~]# docker image ls
REPOSITORY TAG IMAGE ID CREATED SIZE
192.168.1.3:5000/kk/cen6.9_sshd_lamp v1 8d038c77b9c4 21 hours ago 496MB
192.168.1.3:5000/kk/nginx v1 602e111c06b6 2 weeks ago 127MB
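Adding authentication to the registry
For the security of the registry, not just anyone should be able to upload and download images, so authentication needs to be added
Install the tool package that generates the user/password credential pair
yum install -y httpd-tools  # tool package that generates the user/password credential pair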
[root@hh ~]# yum install -y httpd-tools
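Create the directory for the credential file
mkdir -p /opt/registry-auth
[root@hh ~]# mkdir -p /opt/registry-auth
Generate the authentication user and password (the username here matches the one in the image name)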
htpasswd -Bbn kk 123 > /opt/registry-auth/htpasswd
[root@hh ~]# htpasswd -Bbn kk 123 > /opt/registry-auth/htpasswd
Check the result
[root@hh ~]# cat /opt/registry-auth/htpasswd
kk:$2y$05$UIGbGRtZGhaKswFNQTkhHOVb7pR6yUYFnarDtMv6ddSvjI4.i1cNm
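Start a new registry container. The container only has authentication if it is configured when the container is created, so mount the authentication directory into it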
docker container run -d -p 5000:5000 --name="registry-auth" --restart=always -v /opt/registry:/var/lib/registry -v /opt/registry-auth/:/auth/ -e "REGISTRY_AUTH=htpasswd" -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" -e "REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd" registry
Unable to find image 'registry:latest' locally
[root@hwf ~]# docker container run -d -p 5000:5000 --name="registry-auth" --restart=always -v /opt/registry:/var/lib/registry -v /opt/registry-auth/:/auth/ -e "REGISTRY_AUTH=htpasswd" -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" -e "REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd" registry
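REGISTRY_AUTH=authentication type (here the htpasswd file)
REGISTRY_AUTH_HTPASSWD_PATH=location of the authentication file inside the container
Push an image, and pull it on 192.168.1.4 as a test. It fails, which shows that once authentication is enabled, images can no longer be pulled or pushed freely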
[root@hwf ~]# docker push 192.168.1.3:5000/kk/nginx:v1
The push refers to repository [192.168.1.3:5000/kk/nginx]
b3003aac411c: Preparing
216cf33c0a28: Preparing
c2adabaecedb: Preparing
no basic auth credentials
First log in to the registry. If the login does not succeed, use the httpd-tools tool to add the user and password again
docker login 192.168.1.3:5000
[root@hwf ~]# docker login 192.168.1.3:5000
Username: kk
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
Now push the image and pull it on 192.168.1.4. If the image name is wrong, change it with tag; the naming requirements are described above
[root@hwf ~]# docker push 192.168.1.3:5000/kk/nginx:v1
The push refers to repository [192.168.1.3:5000/kk/nginx]
b3003aac411c: Layer already exists
216cf33c0a28: Layer already exists
c2adabaecedb: Layer already exists
v1: digest: sha256:cccef6d6bdea671c394956e24b0d0c44cd82dbe83f543a47fdc790fadea48422 size: 948
On 192.168.1.4 you also have to log in to the registry first before you can pull the image
Pulling directly gives an error
[root@hh ~]# docker pull 192.168.1.3:5000/kk/nginx:v1
Error response from daemon: Get http://192.168.1.3:5000/v2/kk/nginx/manifests/v1: no basic auth credentials
[root@hh ~]# docker pull 192.168.1.3:5000/kk/nginx:v1
[root@hh ~]# docker login 192.168.1.3:5000
Username: kk
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
[root@hh ~]# docker pull 192.168.1.3:5000/kk/nginx:v1
v1: Pulling from kk/nginx
54fec2fa59d0: Pull complete
4ede6f09aefe: Pull complete
f9dc69acb465: Pull complete
Digest: sha256:cccef6d6bdea671c394956e24b0d0c44cd82dbe83f543a47fdc790fadea48422
Status: Downloaded newer image for 192.168.1.3:5000/kk/nginx:v1
192.168.1.3:5000/kk/nginx:v1
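A defensive check over the three files this walkthrough creates (daemon.json from the basic setup, the htpasswd file and the client's config.json from the authentication part), added here as an example and not part of the original post. It flags the registry reached without verified TLS, the bcrypt cost that htpasswd -B produced, and the login that docker warned is stored unencrypted. The sample inputs are constructed from values shown above, and MIN_COST is an assumed policy threshold.

```python
import base64
import json
import re

# Constructed samples mirroring the files shown on this page; CLIENT_CONFIG has
# the shape of ~/.docker/config.json after `docker login` without a credential helper.
DAEMON_JSON = '{"insecure-registries": ["192.168.1.3:5000"]}'
HTPASSWD = "kk:$2y$05$UIGbGRtZGhaKswFNQTkhHOVb7pR6yUYFnarDtMv6ddSvjI4.i1cNm\n"
CLIENT_CONFIG = json.dumps(
    {"auths": {"192.168.1.3:5000": {"auth": base64.b64encode(b"kk:123").decode()}}})

BCRYPT = re.compile(r"^\$2[aby]\$(\d{2})\$[./A-Za-z0-9]{53}$")
MIN_COST = 10  # assumed local policy threshold, not a registry requirement


def audit_daemon(text):
    """List registries the daemon contacts without verified TLS."""
    return [f"{r}: insecure-registries entry, no verified TLS"
            for r in json.loads(text).get("insecure-registries", [])]


def audit_htpasswd(text):
    """Flag non-bcrypt entries and bcrypt entries below MIN_COST."""
    findings = []
    for line in filter(None, map(str.strip, text.splitlines())):
        user, _, digest = line.partition(":")
        match = BCRYPT.match(digest)
        if not match:
            findings.append(f"{user}: not a bcrypt hash")
        elif int(match.group(1)) < MIN_COST:
            findings.append(f"{user}: bcrypt cost {int(match.group(1))} < {MIN_COST}")
    return findings


def audit_client_config(text):
    """Flag logins stored inline as base64(user:password), which is not encryption."""
    findings = []
    for registry, entry in json.loads(text).get("auths", {}).items():
        if entry.get("auth"):
            user = base64.b64decode(entry["auth"]).decode().split(":", 1)[0]
            findings.append(f"{registry}: password of {user} is stored base64-encoded")
    return findings


if __name__ == "__main__":
    for item in (audit_daemon(DAEMON_JSON) + audit_htpasswd(HTPASSWD)
                 + audit_client_config(CLIENT_CONFIG)):
        print(item)
```

htpasswd's -C option raises the bcrypt cost, and leaving out -b makes it prompt for the password instead of taking it from the command line.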
