Docker: building a local password-free registry, a private registry with TLS-encrypted access control, and web-page access
1. Introduction to Docker registries
- A Docker registry is the place that holds images. Docker provides a registry server (Registry) that stores multiple repositories, and each repository can contain multiple images with different tags.
- The default registry used when running Docker is the public Docker Hub.
Private registries
Docker Hub is convenient, but it has limitations:
- It needs an Internet connection and is slow
- Everyone can access it
- For security reasons, enterprises do not allow their images to be placed on the public Internet
How to build a private registry?
- The first way is to use the docker command to pull the docker registry image locally and build a Docker registry on it. With this method you have to manage registry permissions yourself, there is no graphical interface, command-line operation is tedious, and building a private registry under Docker Toolbox causes many problems, so it is recommended to build it on a Linux system.
- The second way integrates Harbor: with docker-compose it provides a graphical registry and graphical permission management, and Harbor also integrates MySQL and logging.
How the Registry works
The index service mainly provides image indexing and user authentication. When an image is downloaded, the client first authenticates against the index service, which looks up the address of the registry holding the image and returns it to the Docker client; the Docker client then downloads the image from that registry, and during the download the registry asks the index to validate the client's token. Different images can be stored on different registry services, while all of their index information is kept on the index service.
Docker Registry has three roles: index, registry and registry client.
index:
Responsible for maintaining information about user accounts, image checksums and the public namespace.
Web UI, metadata storage, authentication service, tokenization.
registry:
The store for images and graphs; it has no local database and provides no user authentication of its own, but authenticates via tokens issued by the index auth service.
Registry client:
Docker acts as the registry client to handle push and pull and client-side authorization.
2. Creating a local password-free registry
(1) Obtain the private registry image
(2) Import the image
(3) Run the container
[aaa@qq.com ~]# docker run -d --name registry -p 5000:5000 -v /opt/registry:/var/lib/registry registry:2.3.1
0cecf56685766c15a0bca6783fd651bec02fcbf3190712205e6045260e900a70
[aaa@qq.com ~]# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
0cecf5668576 registry:2.3.1 "/bin/registry /etc/…" 13 seconds ago Up 12 seconds 0.0.0.0:5000->5000/tcp registry
## Check whether port 5000 is listening
[aaa@qq.com ~]# netstat -antlp
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 727/sshd
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 902/master
tcp 0 0 172.25.60.1:22 172.25.60.250:56718 ESTABLISHED 2243/sshd: aaa@qq.com
tcp 0 0 172.25.60.1:22 172.25.60.250:56716 ESTABLISHED 2223/sshd: aaa@qq.com
tcp6 0 0 :::22 :::* LISTEN 727/sshd
tcp6 0 0 ::1:25 :::* LISTEN 902/master
tcp6 0 0 :::5000 :::* LISTEN 3785/docker-proxy
After running the image, port 5000 is successfully opened.
(4) Push a local image to the private registry
First tag the nginx image as localhost:5000/nginx
docker tag nginx:latest localhost:5000/nginx
A local image must be named with the registry's IP and port
docker images localhost:5000/nginx
## Push the image to the private registry
docker push localhost:5000/nginx
(5) Delete the local image and pull it from the private registry
Pulling it again and getting the image back shows that the registry was built successfully
(6) View the layered structure of the image under /opt/registry/
Turn off the firewall on the physical host
[aaa@qq.com docker_item8]# systemctl stop firewalld.service
Install tree on server1
[aaa@qq.com registry]# yum install -y tree
## View the image layers under /opt/registry/
[aaa@qq.com registry]# pwd
/opt/registry
[aaa@qq.com registry]# tree docker/
docker/
└── registry
└── v2
├── blobs
│ └── sha256
│ ├── 8c
│ │ └── 8c0120a6f561fe6d8b23be7c15313bc9fe3daa83117640bd6eea33e18d545b5b
│ │ └── data
│ ├── 91
│ │ └── 918b255d86e5ae0936a2f8b4ae276cded2b34b29f29ae93e59b1e2f482b2ddda
│ │ └── data
│ ├── dc
│ │ └── dc85890ba9763fe38b178b337d4ccc802874afe3c02e6c98c304f65b08af958f
│ │ └── data
│ ├── e4
│ │ └── e445ab08b2be8b178655b714f89e5db9504f67defd5c7408a00bade679a50d44
│ │ └── data
│ └── f5
│ └── f5d23c7fed465a9eb762fc4c3cccd551a05914aba42492ceb972497db4df38bf
│ └── data
└── repositories
└── nginx
├── _layers
│ └── sha256
│ ├── 8c0120a6f561fe6d8b23be7c15313bc9fe3daa83117640bd6eea33e18d545b5b
│ │ └── link
│ ├── 918b255d86e5ae0936a2f8b4ae276cded2b34b29f29ae93e59b1e2f482b2ddda
│ │ └── link
│ ├── e445ab08b2be8b178655b714f89e5db9504f67defd5c7408a00bade679a50d44
│ │ └── link
│ └── f5d23c7fed465a9eb762fc4c3cccd551a05914aba42492ceb972497db4df38bf
│ └── link
├── _manifests
│ ├── revisions
│ │ └── sha256
│ │ └── dc85890ba9763fe38b178b337d4ccc802874afe3c02e6c98c304f65b08af958f
│ │ └── link
│ └── tags
│ └── latest
│ ├── current
│ │ └── link
│ └── index
│ └── sha256
│ └── dc85890ba9763fe38b178b337d4ccc802874afe3c02e6c98c304f65b08af958f
│ └── link
└── _uploads
33 directories, 12 files
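The `tree` listing above shows the registry's content-addressed layout: every tag is a `_manifests/tags/<tag>/current/link` file holding the digest of the current manifest, and every blob lives at `blobs/sha256/<first two hex chars>/<digest>/data`. The following shell helpers, added here as an example and not part of the original post or of the registry project, walk that layout offline: `registry_tags` lists repository:tag pairs with their manifest digests, `registry_blob_path` maps a digest to its data file, and `registry_verify_blob` re-hashes a blob to confirm it still matches its name, which is the check an operator wants after restoring or copying `/opt/registry` by hand. The function names are assumptions of this example; the directory layout is the one shown above.

```shell
#!/bin/sh
# Added example (not from the original post): walking the registry's
# on-disk layout under /opt/registry without talking to the registry.
# Function names are assumptions of this example; the layout and the
# digests used when trying it out come from the tutorial's tree output.

# registry_tags ROOT
# Prints "repository:tag sha256:<manifest digest>" for every tag, by
# reading _manifests/tags/<tag>/current/link, which holds the digest of
# the manifest the tag currently points at.
registry_tags() {
    repos="$1/docker/registry/v2/repositories"
    [ -d "$repos" ] || return 1
    find "$repos" -path '*/_manifests/tags/*/current/link' | sort | while read -r link; do
        tag=$(basename "$(dirname "$(dirname "$link")")")
        # repository name is everything between $repos/ and /_manifests
        repo=${link#"$repos/"}
        repo=${repo%/_manifests/*}
        printf '%s:%s %s\n' "$repo" "$tag" "$(cat "$link")"
    done
}

# registry_blob_path ROOT DIGEST -> path of the blob's data file.
# DIGEST is "sha256:<hex>"; blobs are sharded by the first two hex chars.
registry_blob_path() {
    hex=${2#sha256:}
    printf '%s/docker/registry/v2/blobs/sha256/%s/%s/data\n' \
        "$1" "$(printf '%s' "$hex" | cut -c1-2)" "$hex"
}

# registry_verify_blob ROOT DIGEST
# Content-addressed storage: the data file must hash to its own name.
# A mismatch means the store was modified outside the registry (or is
# corrupt), so exit non-zero in that case.
registry_verify_blob() {
    f=$(registry_blob_path "$1" "$2")
    [ -f "$f" ] || return 1
    if command -v sha256sum >/dev/null 2>&1; then
        actual=$(sha256sum "$f" | cut -d' ' -f1)
    else
        actual=$(shasum -a 256 "$f" | cut -d' ' -f1)   # BSD/macOS fallback
    fi
    [ "sha256:$actual" = "$2" ]
}

# Usage on server1:
#   registry_tags /opt/registry
#   registry_verify_blob /opt/registry sha256:dc85890ba9763fe38b178b337d4ccc802874afe3c02e6c98c304f65b08af958f
```

Run against `/opt/registry` on server1, `registry_tags` should print `nginx:latest sha256:dc858...` for the tree above; `registry_verify_blob` failing on a blob is the signal to re-push that image rather than keep serving it.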
3. Adding a TLS certificate for encrypted access control on the private registry
Any virtual machine that is added can read the registry's contents, which is unsafe in an enterprise. Authentication needs to be added.
3.1 Create the certs directory and generate the server private key
[aaa@qq.com ~]# cd /etc/docker/
[aaa@qq.com docker]# mkdir certs
[aaa@qq.com docker]# openssl req -newkey rsa:4096 -nodes -sha256 -keyout certs/westos.org.key -x509 -days 365 -out certs/westos.org.crt
Generating a 4096 bit RSA private key
............................................................................................................................................................................................................................++
...................................++
writing new private key to 'certs/westos.org.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:shaanxi
Locality Name (eg, city) [Default City]:xi'an
Organization Name (eg, company) [Default Company Ltd]:westos
Organizational Unit Name (eg, section) []:Linux
Common Name (eg, your name or your server's hostname) []:westos.org
Email Address []:aaa@qq.com
[aaa@qq.com docker]# cd certs/
[aaa@qq.com certs]# ls
westos.org.crt westos.org.key
3.2 Add name resolution
3.3 Recreate the registry with TLS
## First remove the old container
[aaa@qq.com certs]# docker rm -f registry
registry
## Start the registry with the certificate
[aaa@qq.com certs]# docker run -d \
> --restart=always \
> --name registry \
> -v /etc/docker/certs:/certs \
> -e REGISTRY_HTTP_ADDR=0.0.0.0:443 \
> -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/westos.org.crt \
> -e REGISTRY_HTTP_TLS_KEY=/certs/westos.org.key \
> -p 443:443 \
> -v /opt/registry:/var/lib/registry registry:2.3.1
3fe0658723fb571d60194e622685e7bff7b570313aad7ba58241d38abf1adce3
Parameter description:
-d: run the container detached in the background
--restart: set the container restart policy
--name: name the container
-v: mount volumes
-e REGISTRY_HTTP_ADDR: set the address and port the registry listens on
-e REGISTRY_HTTP_TLS_CERTIFICATE: environment variable telling the container where the certificate is
-e REGISTRY_HTTP_TLS_KEY: environment variable telling the container where the private key is
-p: map the container's port 443 to port 443 on the host
## Started successfully
[aaa@qq.com certs]# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
3fe0658723fb registry:2.3.1 "/bin/registry /etc/…" 13 seconds ago Up 11 seconds 0.0.0.0:443->443/tcp, 5000/tcp registry
## Port 443 is open
[aaa@qq.com certs]# netstat -antlup | grep :443
tcp6 0 0 :::443 :::* LISTEN 4167/docker-proxy
3.4 Place the certificate in the Docker data directory
[aaa@qq.com certs]# cd ..
[aaa@qq.com docker]# pwd
/etc/docker
[aaa@qq.com docker]# mkdir certs.d
[aaa@qq.com docker]# cd certs.d/
[aaa@qq.com certs.d]# ls
[aaa@qq.com certs.d]# mkdir westos.org
[aaa@qq.com certs.d]# cd westos.org/
[aaa@qq.com westos.org]# ls
[aaa@qq.com westos.org]# cp /etc/docker/certs/westos.org.crt ca.crt
[aaa@qq.com westos.org]# ls
ca.crt
3.5 Push a local image to the private registry
## Retag the image
docker tag game2048:latest westos.org/game2048
docker images
## Push the image
docker push westos.org/game2048
3.6 Client test
On server2, install docker-ce and start it (docker setup), and add name resolution
Create the directory and copy the certificate
[aaa@qq.com ~]# cd /etc/docker/
[aaa@qq.com docker]# mkdir certs.d
[aaa@qq.com docker]# cd certs.d/
[aaa@qq.com certs.d]# mkdir westos.org
[aaa@qq.com certs.d]# cd westos.org/
[aaa@qq.com westos.org]# pwd
/etc/docker/certs.d/westos.org
[aaa@qq.com westos.org]# scp server1:/etc/docker/certs.d/westos.org/ca.crt .
The authenticity of host 'server1 (172.25.60.1)' can't be established.
ECDSA key fingerprint is 9d:fb:36:b7:41:da:0c:79:00:88:05:39:24:d9:8c:9b.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'server1,172.25.60.1' (ECDSA) to the list of known hosts.
aaa@qq.com's password:
ca.crt 100% 2098 2.1KB/s 00:00
[aaa@qq.com westos.org]# ls
ca.crt
## Pull the image
docker pull westos.org/game2048:latest
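The interactive `openssl req` in 3.1 sets only the Common Name, and current Docker clients (built on Go 1.15 or later) reject a server certificate that has no subjectAltName, so the same setup on a newer daemon fails the TLS handshake even with `ca.crt` installed. The script below is an added example, not part of the original post or of the registry project: it generates the certificate non-interactively with a `DNS:<host>` SAN, installs it exactly where 3.4 and 3.6 put it (`<docker root>/certs.d/<host>/ca.crt`), and verifies the result with `openssl verify` before any daemon is involved. The function names and the optional docker-root argument are assumptions of this example; the `westos.org` host name and the `certs.d` layout come from the tutorial.

```shell
#!/bin/sh
# Added example (not from the original post): non-interactive registry
# certificate generation with a subjectAltName, the client-side certs.d
# installation, and an offline check of both. Function names and the
# DOCKER_ROOT override are assumptions of this example.
set -e

# gen_registry_cert HOST OUTDIR [KEYBITS]
# Writes OUTDIR/HOST.key and OUTDIR/HOST.crt (self-signed, 365 days).
# The DN is fixed in a temporary config file instead of being typed in,
# and the cert carries subjectAltName=DNS:HOST, which Go-based TLS
# clients such as Docker require; a CN-only cert is rejected.
gen_registry_cert() {
    host=$1; outdir=$2; bits=${3:-4096}
    mkdir -p "$outdir"
    cnf=$(mktemp)
    cat > "$cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_registry
[dn]
C = CN
O = westos
CN = $host
[v3_registry]
subjectAltName = DNS:$host
basicConstraints = critical, CA:TRUE
keyUsage = critical, digitalSignature, keyEncipherment, keyCertSign
extendedKeyUsage = serverAuth
EOF
    openssl req -x509 -newkey "rsa:$bits" -nodes -sha256 -days 365 \
        -config "$cnf" -keyout "$outdir/$host.key" -out "$outdir/$host.crt" \
        >/dev/null 2>&1
    rm -f "$cnf"
    chmod 600 "$outdir/$host.key"   # only the registry process needs the key
}

# check_cert_san CRT HOST -> exit 0 if the cert lists HOST in its SAN
check_cert_san() {
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' | grep -Eq "DNS:$2(,|\$)"
}

# install_client_ca HOST CRT [DOCKER_ROOT]
# Copies the server certificate to DOCKER_ROOT/certs.d/HOST/ca.crt, the
# path the Docker daemon consults for a registry at HOST (append ":port"
# to the directory name when the registry does not listen on 443).
install_client_ca() {
    host=$1; crt=$2; root=${3:-/etc/docker}
    mkdir -p "$root/certs.d/$host"
    cp "$crt" "$root/certs.d/$host/ca.crt"
    # Offline version of what the daemon will do on pull: the server
    # certificate must validate against the installed ca.crt.
    openssl verify -CAfile "$root/certs.d/$host/ca.crt" "$crt" >/dev/null
}

# Usage on server1 (server2 only needs install_client_ca with the copied crt):
#   gen_registry_cert westos.org /etc/docker/certs
#   check_cert_san /etc/docker/certs/westos.org.crt westos.org
#   install_client_ca westos.org /etc/docker/certs/westos.org.crt
```

`check_cert_san` is the quick test to run when a client reports an x509 error after the `ca.crt` copy: if it fails, the certificate, not the copy, is the problem.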
4. Access control on the private registry via basic authentication
4.1 Generate the authentication password file
[aaa@qq.com docker]# pwd
/etc/docker
[aaa@qq.com docker]# mkdir auth
[aaa@qq.com docker]# docker run --rm --entrypoint htpasswd registry:2.3.1 -Bbn admin westos > auth/htpasswd
[aaa@qq.com docker]# cat auth/htpasswd
admin:$2y$05$tQlW7nMjCBZWAB6Rwr/.s.iOiT5qgfCj8jxVV2nuT42vinS8C53Re
## > creates the file with the first user; >> appends another user
[aaa@qq.com docker]# docker run --rm --entrypoint htpasswd registry:2.3.1 -Bbn van westos >> auth/htpasswd
## Parameter explanation
--entrypoint string: override the image's default ENTRYPOINT; an ENTRYPOINT is normally not overridden, and this parameter is required if you really must override it
-B: force bcrypt hashing of the password
-b: take the password from the command line instead of prompting for it
-n: do not update the password file; only print the hashed username and password to the screen
[aaa@qq.com docker]# cat auth/htpasswd
admin:$2y$05$tQlW7nMjCBZWAB6Rwr/.s.iOiT5qgfCj8jxVV2nuT42vinS8C53Re
van:$2y$05$ebU7n2kNWaVyoXs99F3v9OsS.XxnFEKL02wkR1G3lPOGnplCaji8O
4.2 Remove the previously created registry container (it holds port 443) to avoid a conflict
[aaa@qq.com docker]# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
3fe0658723fb registry:2.3.1 "/bin/registry /etc/…" 3 hours ago Up 3 hours 0.0.0.0:443->443/tcp, 5000/tcp registry
[aaa@qq.com docker]# docker rm -f registry
registry
[aaa@qq.com docker]# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
4.3 Recreate the registry
[aaa@qq.com certs.d]# docker run -d --restart=always --name registry -v /etc/docker/certs:/certs \
> -e REGISTRY_HTTP_ADDR=0.0.0.0:443 -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/westos.org.crt \
> -e REGISTRY_HTTP_TLS_KEY=/certs/westos.org.key \
> -p 443:443 \
> -v /opt/registry:/var/lib/registry -v /etc/docker/auth:/auth \
> -e "REGISTRY_AUTH=htpasswd" \
> -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" \
> -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd \
> -e REGISTRY_STORAGE_DELETE_ENABLED=true registry:2.3.1
2821b1f0819f5a54cb1a6c241f997638d12f379642eb2a6d9556065b547e09b8
[aaa@qq.com certs.d]# docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
2821b1f0819f registry:2.3.1 "/bin/registry /etc/…" 2 minutes ago Up 2 minutes 0.0.0.0:443->443/tcp, 5000/tcp registry
4.4 Push a local image, log in and get the auth credentials
## Push the local image to the private registry
[aaa@qq.com certs.d]# docker push westos.org/game2048
The push refers to repository [westos.org/game2048]
88fca8ae768a: Preparing
6d7504772167: Preparing
192e9fad2abc: Preparing
36e9226e74f8: Preparing
011b303988d2: Preparing
no basic auth credentials
## Log in
[aaa@qq.com certs.d]# docker login westos.org
Username: admin
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
## View the stored auth credentials
[aaa@qq.com certs.d]# cd /root/.docker/
[aaa@qq.com .docker]# cat config.json
{
    "auths": {
        "westos.org": {
            "auth": "YWRtaW46d2VzdG9z"
        }
    },
    "HttpHeaders": {
        "User-Agent": "Docker-Client/18.09.7 (linux)"
    }
}
[aaa@qq.com .docker]#
4.5 Verify on server2
[aaa@qq.com certs.d]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
westos.org/game2048 latest 19299002fdbe 2 years ago 55.5MB
## Remove the original image
[aaa@qq.com certs.d]# docker rmi westos.org/game2048:latest
Untagged: westos.org/game2048:latest
Untagged: westos.org/aaa@qq.com:8a34fb9cb168c420604b6e5d32ca6d412cb0d533a826b313b190535c03fe9390
Deleted: sha256:19299002fdbedc133c625488318ba5106b8a76ca6e34a6a8fec681fb54f5e4c7
Deleted: sha256:a8ba4f00c5b89c2994a952951dc7b043f18e5ef337afdb0d4b8b69d793e9ffa7
Deleted: sha256:e2ea5e1f4b9cfe6afb588167bb38d833a5aa7e4a474053083a5afdca5fff39f0
Deleted: sha256:1b2dc5f636598b4d6f54dbf107a3e34fcba95bf08a7ab5a406d0fc8865ce2ab2
Deleted: sha256:af457147a7ab56e4d77082f56d1a0d6671c1a44ded1f85fea99817231503d7b4
Deleted: sha256:011b303988d241a4ae28a6b82b0d8262751ef02910f0ae2265cb637504b72e36
[aaa@qq.com certs.d]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
## Pulling directly fails
[aaa@qq.com certs.d]# docker pull westos.org/game2048:latest
Error response from daemon: Get https://westos.org/v2/game2048/manifests/latest: no basic auth credentials
## Log in to westos.org with a username and password
[aaa@qq.com certs.d]# docker login westos.org
Username: van
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
## After a successful login, the pull succeeds
[aaa@qq.com certs.d]# docker pull westos.org/game2048:latest
latest: Pulling from game2048
534e72e7cedc: Pull complete
f62e2f6dfeef: Pull complete
fe7db6293242: Pull complete
3f120f6a2bf8: Pull complete
4ba4e6930ea5: Pull complete
Digest: sha256:8a34fb9cb168c420604b6e5d32ca6d412cb0d533a826b313b190535c03fe9390
Status: Downloaded newer image for westos.org/game2048:latest
[aaa@qq.com certs.d]#
4.6 Run the web page
[aaa@qq.com ~]# ls
certs distroless.tar docker docker-registry-web.tar game2048.tar nginx.tar registry2.tar registry.tar rhel7.tar ubuntu.tar
[aaa@qq.com ~]# docker load -i docker-registry-web.tar
78ff13900d61: Loading layer [==================================================>] 196.8MB/196.8MB
641fcd2417bc: Loading layer [==================================================>] 209.9kB/209.9kB
292a66992f77: Loading layer [==================================================>] 7.168kB/7.168kB
3567b2f05514: Loading layer [==================================================>] 4.608kB/4.608kB
367b9c52c931: Loading layer [==================================================>] 3.072kB/3.072kB
8b1153b14d3a: Loading layer [==================================================>] 3.584kB/3.584kB
5ee52271b8b7: Loading layer [==================================================>] 162.5MB/162.5MB
f7049feabf0b: Loading layer [==================================================>] 4.096kB/4.096kB
7ef05f1204ee: Loading layer [==================================================>] 3.072kB/3.072kB
03457c5158e2: Loading layer [==================================================>] 3.584kB/3.584kB
8418a42306ef: Loading layer [==================================================>] 3.584kB/3.584kB
f469fc28e82e: Loading layer [==================================================>] 7.68kB/7.68kB
d96a8038b794: Loading layer [==================================================>] 2.56kB/2.56kB
be44224e76b9: Loading layer [==================================================>] 13.82kB/13.82kB
463a4bd8f8c1: Loading layer [==================================================>] 438.8kB/438.8kB
d16096ccf0bb: Loading layer [==================================================>] 8.704kB/8.704kB
1315f14832fa: Loading layer [==================================================>] 197.1MB/197.1MB
d6c3b0e63834: Loading layer [==================================================>] 1.009MB/1.009MB
64d1c65ea33e: Loading layer [==================================================>] 3.584kB/3.584kB
9eb22ef427e2: Loading layer [==================================================>] 3.584kB/3.584kB
8779b4998d0c: Loading layer [==================================================>] 55.63MB/55.63MB
Loaded image: docker-registry-web:latest
[aaa@qq.com ~]# docker run -d -p 8080:8080 --name registry-web --link registry:westos.org -e REGISTRY_URL=https://westos.org/v2 -e REGISTRY_TRUST_ANY_SSL=true -e REGISTRY_BASIC_AUTH="YWRtaW46d2VzdG9z" -e REGISTRY_NAME=westos.org docker-registry-web
4da3e9fcf4d842f20e0f2a5914d56ff1c54477aaddbcbfd672bb9fd822ece288
## -e REGISTRY_BASIC_AUTH="YWRtaW46d2VzdG9z" is the "auth": "YWRtaW46d2VzdG9z" value from config.json
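Two credential artefacts are produced in this section: the htpasswd file the registry reads (4.1) and the `auth` value that `docker login` writes to `config.json` and that the web UI container receives as `REGISTRY_BASIC_AUTH` (4.4 and 4.6). The helpers below are an added example, not part of the original post or of the registry or docker-registry-web projects. `registry_basic_auth` shows that the stored value is plain base64 of `user:password`, which is what the "stored unencrypted" warning from `docker login` means, so `config.json` deserves the same permissions as a key file (`config_json_is_private`). `check_htpasswd_bcrypt` enforces the registry's own rule that only bcrypt entries (`$2a$`, `$2b$`, `$2y$`) are honoured; an entry in any other htpasswd format is ignored by the registry, and the user simply sees "no basic auth credentials". Function names are assumptions of this example; the user names, hash lines and token come from the tutorial.

```shell
#!/bin/sh
# Added example (not from the original post): helpers for the htpasswd
# file of section 4.1 and the base64 "auth" value of sections 4.4/4.6.
# Function names are assumptions of this example.

# registry_basic_auth USER PASSWORD
# Prints exactly what `docker login` stores under "auth" in
# ~/.docker/config.json and what REGISTRY_BASIC_AUTH expects:
# base64("USER:PASSWORD"). Encoding, not encryption.
registry_basic_auth() {
    printf '%s:%s' "$1" "$2" | base64 | tr -d '\n'
}

# decode_basic_auth TOKEN -> prints the user name behind a stored token.
# Anyone able to read config.json recovers the password the same way.
decode_basic_auth() {
    printf '%s' "$1" | base64 -d | cut -d: -f1
}

# check_htpasswd_bcrypt FILE
# The registry's htpasswd backend accepts bcrypt entries only; lines in
# other formats (apr1/MD5, SHA, crypt) are silently ignored. Exit 0 if
# every non-empty line is "name:$2a|$2b|$2y$<cost>$<53 chars>", else
# print the offending lines to stderr and exit 1.
check_htpasswd_bcrypt() {
    bad=$(grep -v '^[[:space:]]*$' "$1" \
        | grep -Ev '^[^:]+:\$2[aby]\$[0-9]{2}\$[./A-Za-z0-9]{53}$' || true)
    if [ -n "$bad" ]; then
        printf 'non-bcrypt htpasswd entries (ignored by the registry):\n%s\n' "$bad" >&2
        return 1
    fi
    return 0
}

# config_json_is_private FILE -> exit 0 if only the owner can read it.
config_json_is_private() {
    perms=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")  # GNU, then BSD
    case "$perms" in
        600|400) return 0 ;;
        *) return 1 ;;
    esac
}

# Usage on server1:
#   registry_basic_auth admin westos        # -> YWRtaW46d2VzdG9z (matches config.json above)
#   check_htpasswd_bcrypt /etc/docker/auth/htpasswd
#   config_json_is_private /root/.docker/config.json
```

Passing the token to `docker-registry-web` through `-e REGISTRY_BASIC_AUTH` also exposes it to anyone who can run `docker inspect` on that container, so treat the admin account used there as a read-only service account rather than the administrator's own login.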
4.7 Access-page test
The images in the private registry can be seen, so the web page is set up successfully.