欢迎您访问程序员文章站本站旨在为大家提供分享程序员计算机编程知识!
您现在的位置是: 首页

Docker私有仓库

程序员文章站 2024-03-12 23:56:15
...

一、建立本地普通私有仓库

拉取官网最新镜像

docker pull daocloud.io/library/registry:latest

通过端口转发连接宿主机和新建容器的5000端口 (-p 端口转发) 

docker run -d -p 5000:5000 daocloud.io/library/registry <name or id>

测试

curl -I 172.16.170.10


curl http://172.16.170.10:5000/v2/search
curl http://172.16.170.10:5000/v2/_catalog
{"repositories":[]

上传本地镜像到本地仓库

docker tag 030a4b68e 172.16.170.10:5000/registry:v2
docker push 172.16.170.10:5000/registry:v2

二、建立带认证功能的仓库

创建用户和密码

mkdir –p /opt/data/registry
mkdir /opt/data/auth/ 
docker run --entrypoint htpasswd registry:latest -Bbn dockerUser dockerPwd  > /opt/data/auth/htpasswd

生成证书

mkdir /opt/data/cents
cd /opt/data/cents
#ca key:
openssl genrsa -aes256 -out ca-key.pem 4096
passwd  passwd

ca: openssl req -new -x509 -days 365 -key ca-key.pem -sha256 -out ca.pem
passwd
Country Name (2 letter code) [XX]:
CN
State or Province Name (full name) []:
BJ
Locality Name (eg, city) [Default City]:
HD
Organization Name (eg, company) [Default Company Ltd]:
BXY
Organizational Unit Name (eg, section) []:
YW
Common Name (eg, your name or your server's hostname) []:
172.16.170.10
Email Address []:
1065265865@qq.com
#server key: 
openssl genrsa
-out server-key.pem 4096
#生成server 证书:
openssl req
-subj "/CN=172.16.8.72" -sha256 -new -key server-key.pem -out server.csr
openssl req
-subj "/CN=app.linkdood.cn" -sha256 -new -key server-key.pem -out server.csr
echo subjectAltName = IP:172.16.170.10,IP:10.10.10.20,IP:127.0.0.1 > extfile.cnf
echo extendedKeyUsage = serverAuth >> extfile.cnf
openssl x509
-req -days 365 -sha256 -in server.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out server-cert.pem -extfile extfile.cnf dood
#生成client证书
openssl genrsa
-out key.pem 409
openssl req
-subj '/CN=client' -new -key key.pem -out client.csr
openssl x509
-req -days 365 -sha256 -in client.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out cert.pem -extfile extfile.cnf
passwd
cp server-*.pem  /etc/docker/
cp ca.pem /etc/docker/

修改docker配置

vim /lib/systemd/system/docker.service
ExecStart=/usr/bin/dockerd
替换
ExecStart=/usr/bin/dockerd --tlsverify --tlscacert=/etc/docker/ca.pem --tlscert=/etc/docker/server-cert.pem --tlskey=/etc/docker/server-key.pem -H tcp://0.0.0.0:2376 -H unix:///var/run/docker.sock
systemctl restart docker

centos 6

vim /etc/sysconfig/docker
OPTIONS='--selinux-enabled --tlsverify --tlscacert=/etc/docker/ca.pem --tlscert=/etc/docker/server-cert.pem --tlskey=/etc/docker/server-key.pem -H tcp://0.0.0.0:2376 -H unix:///var/run/docker.sock'

iptables 开端口

iptables -I INPUT -p tcp --dport 2376 -j ACCEPT
iptables -L -n
/etc/init.d/iptables save

重起docker

service docker restart

使用bash文件

#!/bin/sh
docker -H 192.168.1.144:2376 --tlsverify --tlscacert=/Users/jiangtao/myapp/192.168.1.144/ca.pem --tlscert=/Users/jiangtao/myapp/192.168.1.144/cert.pem  --tlskey=/Users/jiangtao/myapp/192.168.1.144/key.pem [email protected]

出现 
Error response from daemon: client is newer than server (client API version: 1.24, server API version: 1.19)

export DOCKER_API_VERSION=1.19

重新创建本地仓库

docker run -d -p 5000:5000 \
--restart=always --name registry \
-v /opt/data/auth:/auth \
-v /opt/data/cents:/certs \
-v /opt/data/registry:/var/lib/registry \
-e "REGISTRY_AUTH=htpasswd" \
-e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" \
-e "REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd" \
 registry:latest

三、docker配置文件

docker配置文件/etc/sysconfig/docker 
重要参数解释:
OPTIONS 用来控制Docker Daemon进程参数
-H 表示Docker Daemon绑定的地址, -H=unix:///var/run/docker.sock -H=tcp://0.0.0.0:2376
--registry-mirror表示Docker Registry的镜像地址--registry-mirror=http://4bc5abeb.m.daocloud.io
--insecure-registry表示(本地)私有Docker Registry的地址, --insecure-registry ${pivateRegistyHost}:5000
--selinux-enabled是否开启SELinux,默认开启 --selinux-enabled=true
-b 表示采用已经创建好的网桥, -b=xxx

OPTIONS=-H=unix:///var/run/docker.sock -H=tcp://0.0.0.0:2376 --registry-mirror=http://4bc5abeb.m.daocloud.io--selinux-enabled=true
下面是代理的设置
http_proxy=xxxxx:8080
https_proxy=xxxxxx:8080

vi /usr/lib/systemd/system/docker.service
ExecStart=/usr/bin/docker daemon -H fd:// -H=unix:///var/run/docker.sock -H=tcp://0.0.0.0:2376 --registry-mirror=http://4bc5abeb.m.daocloud.io --selinux-enabled=true
[Service]
Environment="HTTP_PROXY=..."
Environment="HTTPS_PROXY=..."
Type=notify
ExecStart=/usr/bin/docker daemo

Docker有自动化的需求时,你可以将containerID输出到指定的文件中(PIDfile): --cidfile=""
Docker的容器是没有特权的,例如不能在容器中再启动一个容器。这是因为默认情况下容器是不能访问任何其它设备的。但是通过"privileged",容器就拥有了访问任何其它设备的权限。

OPTIONS='--selinux-enabled --tlsverify --tlscacert=/etc/docker/ca.pem --tlscert=/etc/docker/server-cert.pem \
--tlskey=/etc/docker/server-key.pem -H tcp://0.0.0.0:2376 -H unix:///var/run/docker.sock' other_args="--selinux-enabled --insecure-registry 172.16.170.10:5000"
ADD_REGISTRY='--insecure-registry 172.16.8.72:15000'
vim /etc/docker/daemon.json
{
"registry-mirrors": [ "https://registry.docker-cn.com" ],
 "insecure-registries": [ "http://172.16.170.10:5000" ]
}
mkdir ~/.docker
cp -cv {ca,cert,key}.pem ~/.docker/
vim /etc/profile
export DOCKER_HOST=tcp://$YOURIP:2376
export DOCKER_TLS_VERIFY=1
export DOCKER_CERT_PATH=/home/ubuntu/.docker/