Building a private Docker registry

root, 2020-05-13 18:58:54


Basic registry usage

1. Start a container to act as the registry service; the registry runs inside this container.

docker container run -d --name="registry" -p 5000:5000 --restart=always -v /opt/registry:/var/lib/registry registry

[root@hwf ~]# docker container run -d -p 5000:5000 --restart=always --name="kk_registry" -v /opt/registry:/var/lib/registry registry

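2. Edit the /etc/docker/daemon.json configuration file. The insecure-registries entry lets the Docker daemon talk to this registry without verified TLS, falling back to plain HTTP.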

[root@hwf ~]# vim /etc/docker/daemon.json 
{
  "registry-mirrors":["https://fooyh53n.mirror.aliyuncs.com"],
  "insecure-registries":["192.168.1.3:5000"]
}

3. Restart the Docker service

systemctl restart docker

4. Push an image to the registry

The existing image has to be tagged first.

[root@hwf ~]# docker image ls
REPOSITORY            TAG                 IMAGE ID            CREATED             SIZE
kk/cen6.9_sshd_lamp   latest              8d038c77b9c4        20 hours ago        496MB
ubuntu                latest              1d622ef86b13        2 weeks ago         73.9MB
nginx                 1.16                dfcfd8e9a5d3        2 weeks ago         127MB
nginx                 latest              602e111c06b6        2 weeks ago         127MB
registry              latest              708bc6af7e5e        3 months ago        25.8MB
hello-world           latest              bf756fb1ae65        4 months ago        13.3kB
centos                6.9                 2199b8eb8390        14 months ago       195MB

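For example, to push the nginx:latest image to the local registry, the tag name must begin with the registry server's address and port; kk is the account name.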

docker image tag nginx:latest 192.168.1.3:5000/kk/nginx:v1

[root@hwf ~]# docker image tag nginx:latest 192.168.1.3:5000/kk/nginx:v1
[root@hwf ~]# docker image ls
REPOSITORY                  TAG                 IMAGE ID            CREATED             SIZE
kk/cen6.9_sshd_lamp         latest              8d038c77b9c4        20 hours ago        496MB
ubuntu                      latest              1d622ef86b13        2 weeks ago         73.9MB
nginx                       1.16                dfcfd8e9a5d3        2 weeks ago         127MB
nginx                       latest              602e111c06b6        2 weeks ago         127MB
192.168.1.3:5000/kk/nginx   v1                  602e111c06b6        2 weeks ago         127MB
registry                    latest              708bc6af7e5e        3 months ago        25.8MB
hello-world                 latest              bf756fb1ae65        4 months ago        13.3kB
centos                      6.9                 2199b8eb8390        14 months ago       195MB
[root@hwf ~]# docker push 192.168.1.3:5000/kk/nginx
The push refers to repository [192.168.1.3:5000/kk/nginx]
b3003aac411c: Pushed 
216cf33c0a28: Pushed 
c2adabaecedb: Pushed 
v1: digest: sha256:cccef6d6bdea671c394956e24b0d0c44cd82dbe83f543a47fdc790fadea48422 size: 948

On the client 192.168.1.4, pull the image:

docker pull 192.168.1.3:5000/kk/nginx:v1

[root@hh ~]# docker pull 192.168.1.3:5000/kk/nginx:v1
v1: Pulling from kk/nginx
54fec2fa59d0: Pull complete 
4ede6f09aefe: Pull complete 
f9dc69acb465: Pull complete 
Digest: sha256:cccef6d6bdea671c394956e24b0d0c44cd82dbe83f543a47fdc790fadea48422
Status: Downloaded newer image for 192.168.1.3:5000/kk/nginx:v1
192.168.1.3:5000/kk/nginx:v1
[root@hh ~]# docker image ls
REPOSITORY                  TAG                 IMAGE ID            CREATED             SIZE
192.168.1.3:5000/kk/nginx   v1                  602e111c06b6        2 weeks ago         127MB

One more exercise: push the kk/cen6.9_sshd_lamp image, then pull it on 192.168.1.4.

[root@hwf ~]# docker tag kk/cen6.9_sshd_lamp:latest 192.168.1.3:5000/kk/cen6.9_sshd_lamp:v1
[root@hwf ~]# docker push 192.168.1.3:5000/kk/cen6.9_sshd_lamp:v1 
The push refers to repository [192.168.1.3:5000/kk/cen6.9_sshd_lamp]
8f8ee30ead1f: Pushed 
934e2585daf4: Pushed 
b6ebeba6e3c4: Pushed 
1a1f4e2ff477: Pushed 
aaa5621d7c01: Pushed 
v1: digest: sha256:e498fce69b7fb407cf554d85878145394389ae5493f218284b17334a99899ad9 size: 1369

Pull it on 192.168.1.4:

[root@hh ~]# docker pull 192.168.1.3:5000/kk/cen6.9_sshd_lamp:v1
v1: Pulling from kk/cen6.9_sshd_lamp
831490506c47: Pull complete 
c1e840ade0c1: Pull complete 
85f4b4cb8c33: Pull complete 
14cc16cda02b: Pull complete 
ae87384c8a5c: Pull complete 
Digest: sha256:e498fce69b7fb407cf554d85878145394389ae5493f218284b17334a99899ad9
Status: Downloaded newer image for 192.168.1.3:5000/kk/cen6.9_sshd_lamp:v1
192.168.1.3:5000/kk/cen6.9_sshd_lamp:v1
[root@hh ~]# docker image ls
REPOSITORY                             TAG                 IMAGE ID            CREATED             SIZE
192.168.1.3:5000/kk/cen6.9_sshd_lamp   v1                  8d038c77b9c4        21 hours ago        496MB
192.168.1.3:5000/kk/nginx              v1                  602e111c06b6        2 weeks ago         127MB

 

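Adding authentication to the registry

For security, the registry must not let just anyone push or pull images, so authentication needs to be added.

Install the tool package that generates the user name and password pair:

yum install -y httpd-tools (the tool package that generates the user name and password pair)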

[root@hh ~]# yum install -y httpd-tools

Create the directory for the credentials file:

mkdir -p /opt/registry-auth

[root@hh ~]# mkdir -p /opt/registry-auth

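Generate the authentication user and password (the user name here matches the one in the image name). -B selects bcrypt, the only hash format the registry's htpasswd authentication accepts; -b takes the password from the command line and -n prints the entry to standard output.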

htpasswd -Bbn kk 123 > /opt/registry-auth/htpasswd

[root@hh ~]# htpasswd -Bbn kk 123 > /opt/registry-auth/htpasswd

Check the result:

[root@hh ~]# cat /opt/registry-auth/htpasswd 
kk:$2y$05$UIGbGRtZGhaKswFNQTkhHOVb7pR6yUYFnarDtMv6ddSvjI4.i1cNm

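Start a new registry container. The container only has authentication if it is configured when the container is created, so mount the authentication directory into it: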

docker container run -d -p 5000:5000 --name="registry-auth" --restart=always -v /opt/registry:/var/lib/registry -v /opt/registry-auth/:/auth/ -e "REGISTRY_AUTH=htpasswd" -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" -e "REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd" registry
Unable to find image 'registry:latest' locally

[root@hwf ~]# docker container run -d -p 5000:5000 --name="registry-auth" --restart=always -v /opt/registry:/var/lib/registry -v /opt/registry-auth/:/auth/ -e "REGISTRY_AUTH=htpasswd" -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" -e "REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd" registry

REGISTRY_AUTH = the authentication type (here an htpasswd file)

REGISTRY_AUTH_HTPASSWD_PATH = location of the authentication file inside the container

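Push an image and pull it on 192.168.1.4 as a test. The push fails with an error, which shows that once authentication is enabled, images can no longer be pushed or pulled freely.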

[root@hwf ~]# docker push 192.168.1.3:5000/kk/nginx:v1 
The push refers to repository [192.168.1.3:5000/kk/nginx]
b3003aac411c: Preparing 
216cf33c0a28: Preparing 
c2adabaecedb: Preparing 
no basic auth credentials

First log in to the registry. If the login does not succeed, use the httpd-tools utility to add the user and password again.

docker login 192.168.1.3:5000

[root@hwf ~]# docker login 192.168.1.3:5000
Username: kk
Password: 
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded

Now push the image and pull it on 192.168.1.4. If the image name is not in the right form, change it with tag; the naming requirement is described above.

[root@hwf ~]# docker push 192.168.1.3:5000/kk/nginx:v1
The push refers to repository [192.168.1.3:5000/kk/nginx]
b3003aac411c: Layer already exists 
216cf33c0a28: Layer already exists 
c2adabaecedb: Layer already exists 
v1: digest: sha256:cccef6d6bdea671c394956e24b0d0c44cd82dbe83f543a47fdc790fadea48422 size: 948

On 192.168.1.4 you also have to log in to the registry before you can pull the image.

Pulling without logging in fails:

[root@hh ~]# docker pull 192.168.1.3:5000/kk/nginx:v1
Error response from daemon: Get http://192.168.1.3:5000/v2/kk/nginx/manifests/v1: no basic auth credentials
[root@hh ~]# docker pull 192.168.1.3:5000/kk/nginx:v1
[root@hh ~]# docker login 192.168.1.3:5000
Username: kk
Password: 
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded
[root@hh ~]# docker pull 192.168.1.3:5000/kk/nginx:v1
v1: Pulling from kk/nginx
54fec2fa59d0: Pull complete 
4ede6f09aefe: Pull complete 
f9dc69acb465: Pull complete 
Digest: sha256:cccef6d6bdea671c394956e24b0d0c44cd82dbe83f543a47fdc790fadea48422
Status: Downloaded newer image for 192.168.1.3:5000/kk/nginx:v1
192.168.1.3:5000/kk/nginx:v1
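
An audit of the three files this walkthrough leaves on disk (daemon.json, the htpasswd file, and the config.json that docker login warns about), as an added example that is not part of the original post. The function names, the MIN_COST threshold and the sample files are assumptions constructed for illustration; only the kk hash line is taken from the output above.

```shell
#!/bin/sh
# Added example: audit the files created in this walkthrough.
MIN_COST=10   # assumed review threshold; htpasswd -B defaults to cost 5 (-C raises it)

# Registries the daemon will talk to without verified TLS (daemon.json).
insecure_registries() {
    { tr -d ' \t\n' < "$1"; echo; } |
        sed -n 's/.*"insecure-registries":\[\([^]]*\)].*/\1/p' |
        tr ',' '\n' | tr -d '"'
}

# One finding per htpasswd entry: hash format and bcrypt cost.
htpasswd_audit() {
    while IFS=: read -r user hash; do
        [ -n "$user" ] || continue
        case "$hash" in
            '$2y$'*|'$2a$'*|'$2b$'*)
                cost=$(printf '%s' "$hash" | cut -d'$' -f3)
                if [ "$cost" -lt "$MIN_COST" ]; then echo "$user bcrypt cost=$cost LOW"
                else echo "$user bcrypt cost=$cost ok"; fi ;;
            *)  echo "$user not-bcrypt" ;;
        esac
    done < "$1"
}

# Logins that docker saved inline: "auth" is only base64(user:password).
stored_logins() {
    tr -d ' \t\n' < "$1" | grep -o '"[^"]*":{"auth":"[^"]*"' |
    while IFS= read -r m; do
        reg=$(printf '%s' "$m" | cut -d'"' -f2)
        cred=$(printf '%s' "$m" | cut -d'"' -f6 | base64 -d)
        echo "$reg user=${cred%%:*} password-recoverable"
    done
}

# Constructed sample inputs mirroring the files shown on this page.
demo=$(mktemp -d)
printf '{"insecure-registries":["192.168.1.3:5000"]}\n' > "$demo/daemon.json"
cat > "$demo/htpasswd" <<'EOF'
kk:$2y$05$UIGbGRtZGhaKswFNQTkhHOVb7pR6yUYFnarDtMv6ddSvjI4.i1cNm
legacy:$apr1$constructed$notARealHashValue00000
EOF
printf '{\n\t"auths": {\n\t\t"192.168.1.3:5000": {\n\t\t\t"auth": "%s"\n\t\t}\n\t}\n}\n' \
    "$(printf 'kk:123' | base64)" > "$demo/config.json"

insecure_registries "$demo/daemon.json"
htpasswd_audit "$demo/htpasswd"
stored_logins "$demo/config.json"
```

On a real host, point the functions at /etc/docker/daemon.json, /opt/registry-auth/htpasswd and /root/.docker/config.json; stored_logins prints nothing when a credential helper is configured.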

 

 

 

 
