Enterprise 13: Docker registries, public and private. Securing a private registry with TLS and user authentication, and browsing it through a web page.
A brief introduction to Docker registries.
A registry is where images are stored. Docker provides a registry server that hosts multiple repositories, and each repository can hold multiple images with different tags. An image you build is not only usable locally; it can also be pushed to a registry. The registry the Docker engine uses by default is the public Docker Hub, which stores images of every kind. The usual cycle is: write a Dockerfile, build it into an image, create a container from that image, commit the container back into a new image, and push the result to a registry.
1. Pulling an image. The client sends a request to the index to download the image. The index responds with three things: (1) the location (registry) where the image lives, (2) the checksums of all the layers the image consists of, and (3) a token for authorization. The client then talks to that registry using the token. The registry is what actually holds the images: the base images and the layers derived from them. When the client presents the token, the registry asks the index whether it is valid; the index answers true or false, and only on true may the client download the image.
2. Pushing an image. The flow is much the same. The pusher first sends a request to the index along with its credentials. If authentication succeeds, the index issues a temporary token, and the client sends the image to be pushed together with that token to the registry. The registry verifies the token with the index, and the client then uploads the image data into the repository the registry designates.
3. Deleting an image. The index receives a delete request for the repository together with the caller's credentials. If they check out, it deletes the repository on its side and returns a temporary token. The client takes the token to the registry; the registry confirms it with the index (which again answers true or false) and, if valid, deletes the repository and everything associated with it, then notifies the index that the removal is complete.
This index/registry/token split is the legacy (v1) Docker Hub design. Registries that implement the current Distribution (v2) API keep the same idea in a simpler form: an unauthenticated request is answered with 401 and a WWW-Authenticate: Bearer header naming the token server (realm), service and scope; the client obtains a token there and retries with Authorization: Bearer <token>. Layers are content-addressed, so the client checks every downloaded blob against the digest listed in the manifest no matter which server handed it out.
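The token step of the v2 flow, as an added example that is not part of the original post: a registry answers an unauthenticated pull with 401 and a WWW-Authenticate challenge, and the client has to turn that challenge into a token request before it retries. The 401 response below is constructed for this example (it is not a captured Docker Hub response); the function names and the curl usage at the end are this example's own.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: the token step of the Distribution v2
# API. A registry answers an unauthenticated pull with 401 and a WWW-Authenticate
# challenge; the client must turn that challenge into a token request before it
# retries. The response below is constructed for this example, not captured.
set -eu

SAMPLE_401='HTTP/1.1 401 Unauthorized
Content-Type: application/json; charset=utf-8
Docker-Distribution-Api-Version: registry/2.0
Www-Authenticate: Bearer realm="https://auth.docker.io/token",service="registry.docker.io",scope="repository:library/nginx:pull"
Content-Length: 157'

# www_authenticate RESPONSE -> the challenge string, i.e. the header value without its name
www_authenticate() {
    printf '%s\n' "$1" | grep -i '^www-authenticate:' | head -n 1 | sed 's/^[^:]*: *//'
}

# challenge_param CHALLENGE NAME -> value of NAME (realm, service, scope); empty if absent
challenge_param() {
    printf '%s\n' "$1" | sed -n "s/.*$2=\"\([^\"]*\)\".*/\1/p"
}

# token_url CHALLENGE -> the URL to GET for a bearer token covering the requested scope.
# Fails (exit 1) for anything but a Bearer challenge, so a Basic-auth registry such as
# the htpasswd one later on this page is not mistaken for a token server.
token_url() {
    challenge=$1
    case $challenge in
        Bearer\ *) ;;
        *) return 1 ;;
    esac
    realm=$(challenge_param "$challenge" realm)
    service=$(challenge_param "$challenge" service)
    scope=$(challenge_param "$challenge" scope)
    [ -n "$realm" ] && [ -n "$service" ] || return 1
    if [ -n "$scope" ]; then
        printf '%s?service=%s&scope=%s\n' "$realm" "$service" "$scope"
    else
        printf '%s?service=%s\n' "$realm" "$service"
    fi
}

# authorization_header TOKEN -> the header the client adds when it retries the request
authorization_header() {
    printf 'Authorization: Bearer %s\n' "$1"
}

# Usage against a live registry (not run here): the first request gets the 401,
# the second fetches the token, the third retries the manifest with the token.
#   resp=$(curl -sI https://registry-1.docker.io/v2/library/nginx/manifests/latest)
#   url=$(token_url "$(www_authenticate "$resp")")
#   token=$(curl -s "$url" | sed -n 's/.*"token":"\([^"]*\)".*/\1/p')
#   curl -sI -H "$(authorization_header "$token")" \
#        https://registry-1.docker.io/v2/library/nginx/manifests/latest
```

The scope string ("repository:<name>:pull" or ":pull,push") is what the token is bound to; a token issued for pulling library/nginx is useless for pushing or for another repository, which is why the registry, not the client, dictates it in the challenge.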
Pushing to and pulling from Docker Hub
We start with the official registry, Docker Hub.
1. Log in to Docker Hub (the account is created at https://hub.docker.com).
2. The image you push must carry the account as prefix: username/imagename.
[aaa@qq.com ~]# docker login
Login with your Docker ID to push and pull images from Docker Hub. If you don't have a Docker ID, head over to https://hub.docker.com to create one.
Username: gonghaozhong
Password:
Login Succeeded
[aaa@qq.com ~]# docker tag busybox:latest gonghaozhong/busybox:tagname   # tag the image with the account prefix
[aaa@qq.com ~]# docker push gonghaozhong/busybox
The push refers to repository [docker.io/gonghaozhong/busybox]
8a788232037e: Pushed
tagname: digest: sha256:915f390a8912e16d4beb8689720a17348f3f6d1a7b659697df850ab625ea29d5 size: 527
Now pull the image back from Docker Hub.
[aaa@qq.com ~]# docker rmi gonghaozhong/busybox:tagname   # remove the tag created above, then retag
[aaa@qq.com ~]# docker tag busybox:latest gonghaozhong/busybox:latest
[aaa@qq.com ~]# docker pull gonghaozhong/busybox:latest   # pull from Docker Hub
latest: Pulling from gonghaozhong/busybox
Digest: sha256:915f390a8912e16d4beb8689720a17348f3f6d1a7b659697df850ab625ea29d5
Status: Downloaded newer image for gonghaozhong/busybox:latest
[aaa@qq.com ~]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
gonghaozhong/busybox latest 59788edf1f3e 12 months ago 1.15MB
Pulling from Docker Hub directly can be slow. A registry mirror (essentially a caching reverse proxy) helps; the example below uses Alibaba Cloud.
Register an Alibaba Cloud account, open the Container Registry console and go to Image Accelerator; it shows an accelerator address specific to your account (the one below is the author's, replace it with yours).
Configure the Docker daemon file (/etc/docker/daemon.json) with that address, then reload and restart the daemon.
Afterwards pull an image to see whether it is faster. Two points worth keeping in mind: Docker refuses a plain-http mirror unless the host is also listed under insecure-registries, so keep the address https; and because a mirror sits in your pull path, pin important images by the Digest line the pull prints (docker pull nginx@sha256:...) so you get exactly the same content no matter who serves it.
[aaa@qq.com ~]# cat /etc/docker/daemon.json
{
"registry-mirrors": ["https://fr5fp7qg.mirror.aliyuncs.com"]
}
[aaa@qq.com ~]#
[aaa@qq.com ~]# systemctl daemon-reload
[aaa@qq.com ~]# systemctl restart docker.service
[aaa@qq.com ~]# docker pull nginx
Using default tag: latest
latest: Pulling from library/nginx
b8f262c62ec6: Pull complete
e9218e8f93b1: Pull complete
7acba7289aa3: Pull complete
Digest: sha256:aeded0f2a861747f43a01cf1018cf9efe2bdd02afd57d2b11fcc7fcadc16ccd1
Status: Downloaded newer image for nginx:latest
Building a private registry, that is, a registry on your own host. A public registry may not be acceptable for security reasons, and you cannot customize it.
Building the private registry.
Pull the registry image:
[aaa@qq.com ~]# docker pull registry
[aaa@qq.com ~]# docker images registry:latest
REPOSITORY TAG IMAGE ID CREATED SIZE
registry latest f32a97de94e1 7 months ago 25.8MB
Run the container and publish port 5000. No volume is given here; the registry image declares VOLUME /var/lib/registry, so Docker creates an anonymous volume for the image data (the long hex name below):
[aaa@qq.com ~]# docker run -d -p 5000:5000 --name registry registry
588fad0d829c49d567caac3d2cb6a00f511f6f875d8363d2a29f7218274f7544
[aaa@qq.com ~]# docker volume ls
DRIVER VOLUME NAME
local d2f9b17eaa9be49d8f332d3c9712b31bbcb46af6865384ff2e1a8219b094c31e
Check that the container is running and the port is mapped:
[aaa@qq.com ~]# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
588fad0d829c registry "/entrypoint.sh /etc…" 2 minutes ago Up 2 minutes 0.0.0.0:5000->5000/tcp registry
[aaa@qq.com ~]# netstat -tnlp
tcp6 0 0 :::5000 :::* LISTEN 3575/docker-proxy
Pushing an image to the local registry.
The image must first be retagged with the registry address (host:port) as prefix; that prefix is what tells docker push where to send it:
[aaa@qq.com ~]# docker tag nginx:latest localhost:5000/nginx:latest
[aaa@qq.com ~]# docker images | grep nginx
nginx latest f949e7d76d63 9 days ago 126MB
localhost:5000/nginx latest f949e7d76d63 9 days ago 126MB
[aaa@qq.com ~]#
Push the retagged image to the local registry:
[aaa@qq.com ~]# docker push localhost:5000/nginx
The push refers to repository [localhost:5000/nginx]
509a5ea4aeeb: Pushed
3bb51901dfa3: Pushed
2db44bce66cd: Pushed
latest: digest: sha256:066edc156bcada86155fd80ae03667cf3811c499df73815a2b76e43755ebbc76 size: 948
[aaa@qq.com ~]# curl localhost:5000/v2/_catalog   # list the repositories the registry holds (v2 API)
{"repositories":["nginx"]}
Look at where the volume is mounted on the host; the pushed repository appears under docker/registry/v2/repositories:
[aaa@qq.com ~]# cd /var/lib/docker/volumes/d2f9b17eaa9be49d8f332d3c9712b31bbcb46af6865384ff2e1a8219b094c31e/_data
[aaa@qq.com _data]# ls
docker
[aaa@qq.com _data]# cd docker/registry/
[aaa@qq.com registry]# ls
v2
[aaa@qq.com registry]# cd v2/repositories/
[aaa@qq.com repositories]# ls
nginx
The private registry now works, but it is not usable as is: it speaks plain HTTP. Docker allows plaintext only to registries on 127.0.0.0/8 (which is why localhost:5000 worked above); a remote client would have to list the host under "insecure-registries" in /etc/docker/daemon.json, and anyone on the network path could read or tamper with the layers in transit. The fix is to run the registry with a certificate.
Docker TLS: remote Docker hosts reach the private registry over TLS.
Generate a certificate. The command below creates a self-signed certificate and a 4096-bit RSA key valid for one year; it prompts for the subject fields, and Common Name must be the name clients will use for the registry (westos.org). Docker builds using Go 1.15 or newer no longer accept a name that appears only in the CN, so on current systems also add -addext "subjectAltName=DNS:westos.org" (OpenSSL 1.1.1 or later):
[aaa@qq.com ~]# mkdir -p certs
[aaa@qq.com ~]# openssl req \
> -newkey rsa:4096 -nodes -sha256 -keyout certs/westos.org.key \
> -x509 -days 365 -out certs/westos.org.crt
Generating a 4096 bit RSA private key
[aaa@qq.com ~]# cd certs/
[aaa@qq.com certs]# ls
westos.org.crt westos.org.key
Restart the registry: remove the container started earlier and start a new one with TLS enabled. It mounts the certs directory into the container, moves the listener to 443 and points the registry at the certificate and key:
[aaa@qq.com ~]# docker rm -f registry
registry
[aaa@qq.com ~]#
[aaa@qq.com certs]# docker run -d \
> --restart=always \
> --name registry \
> -v "$(pwd)"/certs:/certs \
> -e REGISTRY_HTTP_ADDR=0.0.0.0:443 \
> -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/westos.org.crt \
> -e REGISTRY_HTTP_TLS_KEY=/certs/westos.org.key \
> -p 443:443 \
> registry
a0128757bd84238cc59d4f414970b25d77e34576f9897b2a918615bf0e49ac61
Check the container and the listening port:
[aaa@qq.com ~]# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
44b7eb381afa registry "/entrypoint.sh /etc…" 9 seconds ago Restarting (1) 2 seconds ago registry
[aaa@qq.com ~]# netstat -tnlp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 1/systemd
tcp 0 0 192.168.122.1:53 0.0.0.0:* LISTEN 1252/dnsmasq
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 957/sshd
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN 943/cupsd
tcp6 0 0 :::111 :::* LISTEN 1/systemd
tcp6 0 0 :::80 :::* LISTEN 14699/httpd
tcp6 0 0 :::22 :::* LISTEN 957/sshd
tcp6 0 0 ::1:631 :::* LISTEN 943/cupsd
tcp6 0 0 :::443 :::* LISTEN 20253/docker-proxy
Before moving on, look at the STATUS column: Restarting (1) means the registry process keeps exiting and --restart=always keeps bringing it back, and docker-proxy holding :443 only proves the port mapping exists, not that the registry answers. Check docker logs registry. One likely cause is visible in the prompt above: the docker run was issued inside ~/certs, so "$(pwd)"/certs resolved to /root/certs/certs, an empty directory, and the registry cannot open /certs/westos.org.crt. Run it from /root (as the authentication step later on this page does) or mount an absolute path.
Once the registry serves TLS, a Docker client must trust its certificate. Configure the client: place the certificate as ca.crt under /etc/docker/certs.d/<registry host>/, where the directory name must be exactly the host name (plus :port if the registry is not on 443) that you use in image names.
[aaa@qq.com westos.org]# cp /root/certs/westos.org.crt .
[aaa@qq.com westos.org]# ls
westos.org.crt
[aaa@qq.com westos.org]# pwd
/etc/docker/certs.d/westos.org
[aaa@qq.com westos.org]# mv westos.org.crt ca.crt
[aaa@qq.com westos.org]# ls
ca.crt
[aaa@qq.com westos.org]#
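The certificate the page generates is self-signed and names the registry only in its CN. As an added example, not code from the original post, the block below does what a practitioner would do instead: a small private CA issues the registry's server certificate with the name in a subjectAltName, the result is verified with the same hostname check the Docker client performs, and only ca.crt is installed on the client. The host name westos.org comes from the post; the CA name private-registry-ca, the directory layout and the function names are this example's assumptions. It needs the openssl command line.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: a private CA that issues the registry's
# server certificate with a subjectAltName, plus the checks a client performs.
# Assumptions: registry name westos.org (from the post); CA name and paths are made up.
set -eu

REGISTRY_HOST=westos.org

# make_registry_certs DIR -> writes ca.key ca.crt westos.org.key westos.org.crt into DIR
make_registry_certs() {
    dir=$1
    mkdir -p "$dir"
    # One OpenSSL config with the extension sets for the CA and for the server leaf.
    cat > "$dir/openssl.cnf" <<EOF
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = $REGISTRY_HOST
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_server ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$REGISTRY_HOST
authorityKeyIdentifier = keyid,issuer
EOF
    # 1. CA key and self-signed CA certificate; ca.key never leaves the registry host.
    openssl req -x509 -newkey rsa:4096 -nodes -sha256 -days 3650 \
        -subj "/CN=private-registry-ca" \
        -config "$dir/openssl.cnf" -extensions v3_ca \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    # 2. Server key and CSR; the subject (CN=westos.org) comes from the [dn] section.
    openssl req -new -newkey rsa:4096 -nodes -sha256 \
        -config "$dir/openssl.cnf" \
        -keyout "$dir/$REGISTRY_HOST.key" -out "$dir/$REGISTRY_HOST.csr" 2>/dev/null
    # 3. The CA signs the CSR and attaches the SAN; this is what the registry serves
    #    via REGISTRY_HTTP_TLS_CERTIFICATE / REGISTRY_HTTP_TLS_KEY.
    openssl x509 -req -sha256 -days 365 \
        -in "$dir/$REGISTRY_HOST.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/openssl.cnf" -extensions v3_server \
        -out "$dir/$REGISTRY_HOST.crt" 2>/dev/null
    chmod 600 "$dir/ca.key" "$dir/$REGISTRY_HOST.key"
}

# verify_registry_cert DIR HOST -> 0 only if the chain verifies AND the name matches HOST
verify_registry_cert() {
    dir=$1; host=$2
    openssl verify -CAfile "$dir/ca.crt" -verify_hostname "$host" \
        "$dir/$REGISTRY_HOST.crt" >/dev/null 2>&1
}

# install_client_ca DIR HOST [DOCKER_ROOT] -> puts ca.crt where the Docker client
# looks for it: <DOCKER_ROOT>/certs.d/<HOST>/ca.crt (DOCKER_ROOT defaults to /etc/docker)
install_client_ca() {
    dir=$1; host=$2; root=${3:-/etc/docker}
    mkdir -p "$root/certs.d/$host"
    cp "$dir/ca.crt" "$root/certs.d/$host/ca.crt"
    chmod 644 "$root/certs.d/$host/ca.crt"
}
```

With this layout the registry container mounts only westos.org.crt and westos.org.key, every client gets ca.crt, and the CA key stays offline; rotating the server certificate then needs no change on the clients.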
Add name resolution for the certificate's host name (westos.org must resolve to the registry host):
[aaa@qq.com ~]# vim /etc/hosts
[aaa@qq.com ~]# cat /etc/host
cat: /etc/host: No such file or directory
[aaa@qq.com ~]# cat /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
172.25.254.71 doundation.com
172.25.254.1 server1 westos.org
172.25.254.2 server2
Verify the deployment. Tag a local image with the registry host name as prefix:
[aaa@qq.com ~]# docker tag nginx:latest westos.org/nginx:latest
Push the image (no port in the name, since the registry now listens on 443):
[aaa@qq.com westos.org]# docker push westos.org/nginx
The push refers to repository [westos.org/nginx]
509a5ea4aeeb: Pushed
3bb51901dfa3: Pushed
2db44bce66cd: Pushed
latest: digest: sha256:066edc156bcada86155fd80ae03667cf3811c499df73815a2b76e43755ebbc76 size: 948
Adding user authentication to the registry.
1. Create the password file. The registry's htpasswd backend accepts bcrypt hashes only, hence -B; -n prints to stdout and -b takes the password on the command line. The registry image used on this page still ships htpasswd; registry:2.7 and later do not, so on a current system run the same command with the httpd image instead (docker run --rm --entrypoint htpasswd httpd:2 -Bbn admin westos > auth/htpasswd):
[aaa@qq.com ~]# mkdir auth
[aaa@qq.com ~]# docker run \
> --entrypoint htpasswd \
> registry -Bbn admin westos > auth/htpasswd
[aaa@qq.com ~]# cd auth/
[aaa@qq.com auth]# ls
htpasswd
[aaa@qq.com auth]# cat htpasswd
admin:$2y$05$smcEgJHF1mYOVJY2zoDUR.dEDQPEaL41pZP9H7TgZVGWwD1GWszhG
2. Start the registry with authentication enabled. Compared with the TLS-only run this adds the auth directory mount and three REGISTRY_AUTH* variables; htpasswd authentication only makes sense on top of TLS, otherwise the Basic credentials travel in the clear. This time the command is run from /root, so "$(pwd)"/certs is correct; it omits --name and --restart=always, which is why the container receives the random name boring_darwin used later on this page:
[aaa@qq.com ~]# docker run -d \
> -v "$(pwd)"/certs:/certs \
> -e REGISTRY_HTTP_ADDR=0.0.0.0:443 \
> -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/westos.org.crt \
> -e REGISTRY_HTTP_TLS_KEY=/certs/westos.org.key \
> -p 443:443 \
> -v "$(pwd)"/auth:/auth \
> -e "REGISTRY_AUTH=htpasswd" \
> -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" \
> -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd \
> registry
4a9ce3d3d4faf3263185be16b609146854f1659b6c02448ea3bbf19b91c70ef8
[aaa@qq.com ~]# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
4a9ce3d3d4fa registry "/entrypoint.sh /etc…" 6 seconds ago Up 3 seconds 0.0.0.0:443->443/tcp, 5000/tcp boring_darwin
[aaa@qq.com ~]# netstat -tnlp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 1/systemd
tcp 0 0 192.168.122.1:53 0.0.0.0:* LISTEN 1252/dnsmasq
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 957/sshd
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN 943/cupsd
tcp6 0 0 :::111 :::* LISTEN 1/systemd
tcp6 0 0 :::80 :::* LISTEN 14699/httpd
tcp6 0 0 :::22 :::* LISTEN 957/sshd
tcp6 0 0 ::1:631 :::* LISTEN 943/cupsd
tcp6 0 0 :::443 :::* LISTEN 22275/docker-proxy
Test: log in, then push.
[aaa@qq.com ~]# docker login westos.org
Username: admin
Password:
Login Succeeded
[aaa@qq.com ~]#
[aaa@qq.com ~]# docker push westos.org/nginx
The push refers to repository [westos.org/nginx]
509a5ea4aeeb: Pushed
3bb51901dfa3: Pushed
2db44bce66cd: Pushed
latest: digest: sha256:066edc156bcada86155fd80ae03667cf3811c499df73815a2b76e43755ebbc76 size: 948
The stored login credentials. docker login writes them to ~/.docker/config.json; each auth value is only base64(username:password), not a hash or ciphertext (YWRtaW46d2VzdG9z is admin:westos), so anyone who can read this file has the passwords. Keep it mode 600 and, where available, use a credential helper (credsStore) so the secrets live in the OS keyring instead:
[aaa@qq.com ~]# cat /root/.docker/config.json
{
"auths": {
"https://index.docker.io/v1/": {
"auth": "Z29uZ2hhb3pob25nOjg1MmdvbmdoYW96aG9uZw=="
},
"westos.org": {
"auth": "YWRtaW46d2VzdG9z"
}
},
"HttpHeaders": {
"User-Agent": "Docker-Client/18.03.1-ce (linux)"
}
}[aaa@qq.com ~]#
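What docker login leaves behind, as an added example that is not part of the original post: the config below is constructed here (the westos.org entry reuses the demo credential admin:westos from this page; the second registry and its credential are made up), and the functions recover the plaintext and check the file's permissions. The sed-based parsing assumes the one-entry-per-line layout of the sample; on a real file use jq.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: what "docker login" leaves behind.
# SAMPLE_CONFIG is constructed here. The westos.org entry uses the demo credential
# from the post (admin:westos); the second registry and its credential are made up.
# The sed parsing assumes this one-entry-per-line layout (use jq on real files).
set -eu

SAMPLE_CONFIG='{
  "auths": {
    "westos.org": { "auth": "YWRtaW46d2VzdG9z" },
    "registry.example.internal": { "auth": "ZGVwbG95OlMzY3JldCE=" }
  }
}'

# list_registries CONFIG -> one registry name per line
list_registries() {
    printf '%s\n' "$1" | sed -n 's/^ *"\([^"]*\)": *{ *"auth".*/\1/p'
}

# decode_auth CONFIG REGISTRY -> the plaintext user:password the auth value encodes.
# There is no encryption here: base64 only hides the password from a casual glance.
decode_auth() {
    config=$1
    pat=$(printf '%s' "$2" | sed 's/\./\\./g')        # escape dots for the regex
    b64=$(printf '%s\n' "$config" | sed -n "s/^ *\"$pat\": *{ *\"auth\": *\"\([^\"]*\)\".*/\1/p")
    [ -n "$b64" ] || return 1
    printf '%s' "$b64" | base64 -d
}

# config_perms_ok FILE -> 0 when the file is readable by its owner only (mode 600)
config_perms_ok() {
    [ "$(stat -c %a "$1")" = "600" ]
}

# audit_config FILE -> prints "registry user" for every stored credential and warns
# on stderr when the file is group- or world-readable
audit_config() {
    file=$1
    config=$(cat "$file")
    config_perms_ok "$file" || echo "WARNING: $file is not mode 600" >&2
    for reg in $(list_registries "$config"); do
        creds=$(decode_auth "$config" "$reg")
        printf '%s %s\n' "$reg" "${creds%%:*}"
    done
}
```

Run audit_config ~/.docker/config.json on a build host to see which registries a leaked copy of the file would open; the usernames alone are printed, the passwords stay in the shell variable.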
Connecting to the registry from a remote host.
This needs two virtual machines: server1 runs the registry, server2 is the client.
Remote host (server2) configuration.
1. Install Docker (offline rpm installation here):
[aaa@qq.com docker]# yum install libsemanage-*
[aaa@qq.com docker]# yum install containerd.io-1.2.5-3.1.el7.x86_64.rpm container-selinux-2.21-1.el7.noarch.rpm docker-ce-18.03.1.ce-1.el7.centos.x86_64.rpm pigz-2.3.4-1.el7.x86_64.rpm policycoreutils-2.5-17.1.el7.x86_64.rpm policycoreutils-python-2.5-17.1.el7.x86_64.rpm -y
2. Add name resolution so that westos.org points to server1:
[aaa@qq.com westos.org]# cat /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
172.25.254.71 doundation.com
172.25.254.1 server1 westos.org
3. Add the CA certificate, copied straight from server1. The target directory /etc/docker/certs.d/westos.org must already exist on server2 (create it with mkdir -p first); otherwise scp stores the file under the name westos.org instead of inside a directory:
[aaa@qq.com ~]# scp -r /etc/docker/certs.d/westos.org/ca.crt aaa@qq.com:/etc/docker/certs.d/westos.org
On server2, start Docker, log in and pull:
[aaa@qq.com docker]# systemctl start docker
[aaa@qq.com docker]# docker login westos.org
Username: admin
Password:
Login Succeeded
[aaa@qq.com docker]# docker pull westos.org/nginx
Using default tag: latest
latest: Pulling from nginx
b8f262c62ec6: Pull complete
e9218e8f93b1: Pull complete
7acba7289aa3: Pull complete
Digest: sha256:066edc156bcada86155fd80ae03667cf3811c499df73815a2b76e43755ebbc76
Status: Downloaded newer image for westos.org/nginx:latest
Next, a simple web interface for browsing the registry.
Pull the UI image (hyper/docker-registry-web) from Docker Hub:
[aaa@qq.com ~]# docker pull hyper/docker-registry-web
[aaa@qq.com ~]# cat .docker/config.json   # same content as shown above; the westos.org entry's auth value (YWRtaW46d2VzdG9z) is what REGISTRY_BASIC_AUTH below expects
Run the UI container. It is linked to the registry container under the alias westos.org so that the registry's certificate name matches, and it is given the registry URL and the base64 Basic credential. Two settings deserve attention: REGISTRY_TRUST_ANY_SSL=true disables certificate verification between the UI and the registry (tolerable only because the link never leaves this host; do not use it across a network), and REGISTRY_BASIC_AUTH places the admin credential in the container's environment, where docker inspect shows it in plain base64. --link is a legacy mechanism; a user-defined network gives the same name resolution. Note that -it runs the UI in the foreground:
[aaa@qq.com ~]# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
4a9ce3d3d4fa registry "/entrypoint.sh /etc…" About an hour ago Up About an hour 0.0.0.0:443->443/tcp, 5000/tcp boring_darwin
[aaa@qq.com ~]# docker run -it -p 8080:8080 --name registry-web \
> --link boring_darwin:westos.org \
> -e REGISTRY_URL=https://westos.org/v2 \
> -e REGISTRY_TRUST_ANY_SSL=true \
> -e REGISTRY_BASIC_AUTH="YWRtaW46d2VzdG9z" \
> -e REGISTRY_NAME=westos.org \
> hyper/docker-registry-web