
Enterprise 13: An introduction to Docker registries, public and private. Securing a private registry with TLS and viewing the registry through a web page.

程序员文章站 2024-03-22 21:43:04

A brief introduction to Docker registries.
A registry is where images are stored. Docker provides a registry server that holds multiple repositories, and each repository can contain multiple images with different tags. Images you build yourself can be used locally and can also be uploaded to a Docker registry. The default registry Docker uses when building from a Dockerfile is the public Docker Hub, which stores all kinds of images. A user writes a Dockerfile, builds it to produce an image, creates a container from that image, commits the container back into an image, and then pushes that image to the registry.
1. Downloading an image: the user sends a request to the index to download the image. The index responds with three pieces of information: (1) the location where the image is stored, (2) the checksums of all the layers the image contains, and (3) a token used for authorization. The user then uses the returned token to talk to that location. The registry is responsible for the images; it stores the base images and the layers derived from them. When the registry receives the client's request, the token must be shown to be authorized: the index returns true or false to the registry, and only then can the user download the image they want.
2. Pushing an image: the flow is roughly the same. The pusher sends a request with authentication; on success it receives a temporary token, and the user uploads the image together with that temporary token to the registry. The registry and the index authenticate each other, and then the client transfers the image data to the repository designated by the registry.
3. Deleting an image: the index receives a delete-repository request with credentials attached. If verification succeeds, it deletes the repository and returns a temporary token. The client then goes to the registry; the registry receives the delete request, verifies it with the index, and then deletes the repository together with all related information. During verification the index sends true or false to the registry to confirm whether the request is valid; if it is, Docker notifies the index about the deletion and then removes the information from the repository.
Setting up an image accelerator
First, let's build on the official site (Docker Hub):
1. Log in to the site.
2. The pushed image's name must follow the same format: username/image-name.

[aaa@qq.com ~]# docker login
Login with your Docker ID to push and pull images from Docker Hub. If you don't have a Docker ID, head over to https://hub.docker.com to create one.
Username: gonghaozhong
Password: 
Login Succeeded
[aaa@qq.com ~]# docker tag busybox:latest gonghaozhong/busybox:tagname        # tag the image
[aaa@qq.com ~]# docker push gonghaozhong/busybox
The push refers to repository [docker.io/gonghaozhong/busybox]
8a788232037e: Pushed 
tagname: digest: sha256:915f390a8912e16d4beb8689720a17348f3f6d1a7b659697df850ab625ea29d5 size: 527


Now pull the image back from Docker Hub.


[aaa@qq.com ~]# docker rmi gonghaozhong/busybox:tagname    # remove the previous tag and re-tag the image
[aaa@qq.com ~]# docker tag busybox:latest gonghaozhong/busybox:latest
[aaa@qq.com ~]# docker pull gonghaozhong/busybox:latest                 # pull it from Docker Hub
latest: Pulling from gonghaozhong/busybox
Digest: sha256:915f390a8912e16d4beb8689720a17348f3f6d1a7b659697df850ab625ea29d5
Status: Downloaded newer image for gonghaozhong/busybox:latest
[aaa@qq.com ~]# docker images
REPOSITORY             TAG                 IMAGE ID            CREATED             SIZE
gonghaozhong/busybox   latest              59788edf1f3e        12 months ago       1.15MB

Pulling images from the official registry is slow, so you can configure an image accelerator, which is essentially a reverse proxy. Here Alibaba Cloud is used as the example.
Register an Alibaba Cloud account, go to the container image service, open Image Accelerator, and obtain an accelerator address.
Configure the Docker daemon file.
After configuring it, try pulling a package and check whether fetching images has become faster.

[aaa@qq.com ~]# cat /etc/docker/daemon.json 
{
  "registry-mirrors": ["https://fr5fp7qg.mirror.aliyuncs.com"]
}
[aaa@qq.com ~]# 
[aaa@qq.com ~]# systemctl daemon-reload 
[aaa@qq.com ~]# systemctl restart docker.service
[aaa@qq.com ~]# docker pull nginx
Using default tag: latest
latest: Pulling from library/nginx
b8f262c62ec6: Pull complete 
e9218e8f93b1: Pull complete 
7acba7289aa3: Pull complete 
Digest: sha256:aeded0f2a861747f43a01cf1018cf9efe2bdd02afd57d2b11fcc7fcadc16ccd1
Status: Downloaded newer image for nginx:latest

Building a private Docker registry, that is, a local registry, because the public one may be insecure and cannot be customized.
Building the private registry.
Pull the registry image.

[aaa@qq.com ~]# docker pull registry
[aaa@qq.com ~]# docker images registry:latest 
REPOSITORY          TAG                 IMAGE ID            CREATED             SIZE
registry            latest              f32a97de94e1        7 months ago        25.8MB



Run the container, mapping the port, and note where its volume is located.

[aaa@qq.com ~]# docker run -d -p 5000:5000 --name registry registry
588fad0d829c49d567caac3d2cb6a00f511f6f875d8363d2a29f7218274f7544
[aaa@qq.com ~]# docker volume ls
DRIVER              VOLUME NAME
local               d2f9b17eaa9be49d8f332d3c9712b31bbcb46af6865384ff2e1a8219b094c31e



Check that the container is running and that the mapped port is listening.

[aaa@qq.com ~]# docker ps
CONTAINER ID        IMAGE               COMMAND                  CREATED             STATUS              PORTS                    NAMES
588fad0d829c        registry            "/entrypoint.sh /etc…"   2 minutes ago       Up 2 minutes        0.0.0.0:5000->5000/tcp   registry

[aaa@qq.com ~]# netstat -tnlp
tcp6       0      0 :::5000                 :::*                    LISTEN      3575/docker-proxy  


Push an image to the local registry.
The local image to be pushed must first be re-tagged.


[aaa@qq.com ~]# docker tag nginx:latest localhost:5000/nginx:latest
[aaa@qq.com ~]# docker images | grep nginx
nginx                  latest              f949e7d76d63        9 days ago          126MB
localhost:5000/nginx   latest              f949e7d76d63        9 days ago          126MB
[aaa@qq.com ~]# 

Push the re-tagged image to the local registry.


[aaa@qq.com ~]# docker push localhost:5000/nginx
The push refers to repository [localhost:5000/nginx]
509a5ea4aeeb: Pushed 
3bb51901dfa3: Pushed 
2db44bce66cd: Pushed 
latest: digest: sha256:066edc156bcada86155fd80ae03667cf3811c499df73815a2b76e43755ebbc76 size: 948

[aaa@qq.com ~]# curl localhost:5000/v2/_catalog
{"repositories":["nginx"]}

Check the mount point of its data volume.


[aaa@qq.com ~]# cd /var/lib/docker/volumes/d2f9b17eaa9be49d8f332d3c9712b31bbcb46af6865384ff2e1a8219b094c31e/_data
[aaa@qq.com _data]# ls
docker
[aaa@qq.com _data]# cd docker/registry/
[aaa@qq.com registry]# ls
v2
[aaa@qq.com registry]# cd v2/repositories/
[aaa@qq.com repositories]# ls
nginx
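The volume listing above stops at the top of the registry's storage tree. As an added example (not from the original post), the following Python script walks that layout, assuming the standard registry v2 structure in which `_manifests/tags/<tag>/current/link` holds `sha256:<digest>` and blobs live under `blobs/sha256/<xx>/<digest>/data`, and re-hashes every tagged manifest blob so that tampering on the volume is detected; `demo()` runs it on a constructed layout in a temporary directory.

```python
import glob
import hashlib
import os
import tempfile
V2 = os.path.join("docker", "registry", "v2")  # assumed registry storage root

def blob_path(root, digest):  # content-addressed: blobs/sha256/<first two hex>/<hex>/data
    algo, hexd = digest.split(":", 1)
    return os.path.join(root, V2, "blobs", algo, hexd[:2], hexd, "data")

def list_tags(root):
    """Map repository -> {tag: manifest digest}, read from _manifests/tags/<tag>/current/link."""
    repos = os.path.join(root, V2, "repositories")
    tags = {}
    for link in glob.glob(os.path.join(repos, "**", "_manifests", "tags", "*", "current", "link"), recursive=True):
        tag_dir = os.path.dirname(os.path.dirname(link))
        repo_dir = os.path.dirname(os.path.dirname(os.path.dirname(tag_dir)))
        repo = os.path.relpath(repo_dir, repos).replace(os.sep, "/")
        with open(link) as fh:
            tags.setdefault(repo, {})[os.path.basename(tag_dir)] = fh.read().strip()
    return tags

def verify_blob(root, digest):
    """Re-hash the stored bytes; False if the blob is missing or was altered on disk."""
    try:
        with open(blob_path(root, digest), "rb") as fh:
            return digest == "sha256:" + hashlib.sha256(fh.read()).hexdigest()
    except FileNotFoundError:
        return False

def audit(root):
    """Return (tag map, sorted list of repo:tag whose manifest blob fails verification)."""
    tags = list_tags(root)
    bad = [f"{r}:{t}" for r, m in tags.items() for t, d in m.items() if not verify_blob(root, d)]
    return tags, sorted(bad)

def demo():
    """Constructed layout in a temp dir: repo nginx with an intact tag and a tampered one."""
    root = tempfile.mkdtemp()
    tags_dir = os.path.join(root, V2, "repositories", "nginx", "_manifests", "tags")
    for tag, data, stored in (("latest", b'{"constructed": 1}', b'{"constructed": 1}'),
                              ("old", b'{"constructed": 2}', b'{"constructed": 2, "x": 1}')):
        digest = "sha256:" + hashlib.sha256(data).hexdigest()  # name derived from the real bytes
        for path, content in ((os.path.join(tags_dir, tag, "current", "link"), digest.encode()),
                              (blob_path(root, digest), stored)):
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(content)
    return audit(root)
```

Point `audit()` at the `_data` directory shown above to run it against the real volume.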


The private registry is now built, but it cannot be used as is because it is not secure enough; we can therefore secure the private registry with certificates.
Docker TLS encryption: remote hosts access the private registry over TLS.
Generate the certificate.


[aaa@qq.com ~]# mkdir -p certs
[aaa@qq.com ~]# openssl req \
> -newkey rsa:4096 -nodes -sha256 -keyout certs/westos.org.key \
> -x509 -days 365 -out certs/westos.org.crt
Generating a 4096 bit RSA private key
[aaa@qq.com ~]# cd certs/
[aaa@qq.com certs]# ls
westos.org.crt  westos.org.key

Restart the registry: remove the container started earlier and start a TLS-enabled container.


[aaa@qq.com ~]# docker rm -f registry 
registry
[aaa@qq.com ~]# 
[aaa@qq.com certs]# docker run -d \
> --restart=always \
> --name registry \
> -v "$(pwd)"/certs:/certs \
> -e REGISTRY_HTTP_ADDR=0.0.0.0:443 \
> -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/westos.org.crt \
> -e REGISTRY_HTTP_TLS_KEY=/certs/westos.org.key \
> -p 443:443 \
> registry
a0128757bd84238cc59d4f414970b25d77e34576f9897b2a918615bf0e49ac61


Check the container status and the listening port.


[aaa@qq.com ~]# docker ps
CONTAINER ID        IMAGE               COMMAND                  CREATED             STATUS                         PORTS               NAMES
44b7eb381afa        registry            "/entrypoint.sh /etc…"   9 seconds ago       Restarting (1) 2 seconds ago                       registry
[aaa@qq.com ~]# netstat -tnlp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      1/systemd           
tcp        0      0 192.168.122.1:53        0.0.0.0:*               LISTEN      1252/dnsmasq        
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      957/sshd            
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      943/cupsd           
tcp6       0      0 :::111                  :::*                    LISTEN      1/systemd           
tcp6       0      0 :::80                   :::*                    LISTEN      14699/httpd         
tcp6       0      0 :::22                   :::*                    LISTEN      957/sshd            
tcp6       0      0 ::1:631                 :::*                    LISTEN      943/cupsd           
tcp6       0      0 :::443                  :::*                    LISTEN      20253/docker-proxy 

TLS is now enabled. For a Docker client to connect to this registry it needs the same certificate, so the Docker client side must be configured.
Set up the client-side certificate.


[aaa@qq.com westos.org]# cp /root/certs/westos.org.crt .
[aaa@qq.com westos.org]# ls
westos.org.crt
[aaa@qq.com westos.org]# pwd
/etc/docker/certs.d/westos.org
[aaa@qq.com westos.org]# mv westos.org.crt ca.crt
[aaa@qq.com westos.org]# ls
ca.crt
[aaa@qq.com westos.org]# 


Add name resolution for the certificate's domain.

[aaa@qq.com ~]# vim /etc/hosts
[aaa@qq.com ~]# cat /etc/host
cat: /etc/host: 没有那个文件或目录
[aaa@qq.com ~]# cat /etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
172.25.254.71      doundation.com
172.25.254.1       server1 westos.org
172.25.254.2       server2



Check whether the deployment succeeded. Tag the local image in the required format.

[aaa@qq.com ~]# docker tag nginx:latest westos.org/nginx:latest

Push the image.


[aaa@qq.com westos.org]# docker push westos.org/nginx
The push refers to repository [westos.org/nginx]
509a5ea4aeeb: Pushed 
3bb51901dfa3: Pushed 
2db44bce66cd: Pushed 
latest: digest: sha256:066edc156bcada86155fd80ae03667cf3811c499df73815a2b76e43755ebbc76 size: 948


Adding user authentication to the Docker registry.
1. Create the user and password used for authentication.

[aaa@qq.com ~]# mkdir auth
[aaa@qq.com ~]# docker run \
> --entrypoint htpasswd \
> registry -Bbn admin westos > auth/htpasswd
[aaa@qq.com ~]# cd auth/
[aaa@qq.com auth]# ls
htpasswd
[aaa@qq.com auth]# cat htpasswd 
admin:$2y$05$smcEgJHF1mYOVJY2zoDUR.dEDQPEaL41pZP9H7TgZVGWwD1GWszhG



2. Verify authentication.


[aaa@qq.com ~]# docker run -d \
> -v "$(pwd)"/certs:/certs \
> -e REGISTRY_HTTP_ADDR=0.0.0.0:443 \
> -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/westos.org.crt \
> -e REGISTRY_HTTP_TLS_KEY=/certs/westos.org.key \
> -p 443:443 \
> -v "$(pwd)"/auth:/auth \
> -e "REGISTRY_AUTH=htpasswd" \
> -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" \
> -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd \
> registry
4a9ce3d3d4faf3263185be16b609146854f1659b6c02448ea3bbf19b91c70ef8
[aaa@qq.com ~]# docker ps 
CONTAINER ID        IMAGE               COMMAND                  CREATED             STATUS              PORTS                            NAMES
4a9ce3d3d4fa        registry            "/entrypoint.sh /etc…"   6 seconds ago       Up 3 seconds        0.0.0.0:443->443/tcp, 5000/tcp   boring_darwin

[aaa@qq.com ~]# netstat -tnlp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      1/systemd           
tcp        0      0 192.168.122.1:53        0.0.0.0:*               LISTEN      1252/dnsmasq        
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      957/sshd            
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      943/cupsd           
tcp6       0      0 :::111                  :::*                    LISTEN      1/systemd           
tcp6       0      0 :::80                   :::*                    LISTEN      14699/httpd         
tcp6       0      0 :::22                   :::*                    LISTEN      957/sshd            
tcp6       0      0 ::1:631                 :::*                    LISTEN      943/cupsd           
tcp6       0      0 :::443                  :::*                    LISTEN      22275/docker-proxy  


Test

[aaa@qq.com ~]# docker login westos.org
Username: admin
Password: 
Login Succeeded
[aaa@qq.com ~]# 
[aaa@qq.com ~]# docker push westos.org/nginx
The push refers to repository [westos.org/nginx]
509a5ea4aeeb: Pushed 
3bb51901dfa3: Pushed 
2db44bce66cd: Pushed 
latest: digest: sha256:066edc156bcada86155fd80ae03667cf3811c499df73815a2b76e43755ebbc76 size: 948


User login information


[aaa@qq.com ~]# cat /root/.docker/config.json 
{
	"auths": {
		"https://index.docker.io/v1/": {
			"auth": "Z29uZ2hhb3pob25nOjg1MmdvbmdoYW96aG9uZw=="
		},
		"westos.org": {
			"auth": "YWRtaW46d2VzdG9z"
		}
	},
	"HttpHeaders": {
		"User-Agent": "Docker-Client/18.03.1-ce (linux)"
	}
}[aaa@qq.com ~]# 
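The `auth` values in config.json are only base64 of `user:password`, not encryption, which is why this file deserves the same protection as a password. As an added example (not from the original post), the following Python script decodes such entries from a constructed config, builds the Basic header that `docker login` sends, and probes the registry's `/v2/` endpoint with the self-signed `ca.crt` pinned; `probe_registry` assumes the registry is reachable as `westos.org` with a certificate carrying that hostname and the admin/westos user created above.

```python
import base64
import json
import ssl
import urllib.error
import urllib.request

# Constructed sample of ~/.docker/config.json; "YWRtaW46d2VzdG9z" is what
# `docker login westos.org` with admin/westos writes (base64 of "admin:westos").
SAMPLE_CONFIG = json.dumps({"auths": {"westos.org": {"auth": "YWRtaW46d2VzdG9z"}}})


def decode_auths(config_text):
    """Return {registry: (user, password)}. The "auth" field is plain
    base64(user:password), so anyone who can read config.json has the password."""
    out = {}
    for registry, entry in json.loads(config_text).get("auths", {}).items():
        user, _, password = base64.b64decode(entry["auth"]).decode().partition(":")
        out[registry] = (user, password)
    return out


def basic_auth_header(user, password):
    """Authorization header value the client sends to an htpasswd-protected registry."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def probe_registry(host, cafile, user=None, password=None):
    """GET https://<host>/v2/ trusting only the registry CA in cafile.
    Expected: 401 without credentials (auth is enforced), 200 with admin/westos."""
    ctx = ssl.create_default_context(cafile=cafile)  # pins the self-signed ca.crt
    req = urllib.request.Request(f"https://{host}/v2/")
    if user is not None:
        req.add_header("Authorization", basic_auth_header(user, password))
    try:
        with urllib.request.urlopen(req, context=ctx, timeout=5) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code  # 401 carries WWW-Authenticate: Basic realm="Registry Realm"


if __name__ == "__main__":
    print(decode_auths(SAMPLE_CONFIG))
    ca = "/etc/docker/certs.d/westos.org/ca.crt"  # client cert path from the page
    print("anonymous:", probe_registry("westos.org", ca))
    print("admin:", probe_registry("westos.org", ca, "admin", "westos"))
```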


Connecting to the registry from a remote host.
Two virtual machines are needed.
Remote host configuration.
1. Install Docker.

[aaa@qq.com docker]# yum install libsemanage-*
[aaa@qq.com docker]# yum install containerd.io-1.2.5-3.1.el7.x86_64.rpm container-selinux-2.21-1.el7.noarch.rpm docker-ce-18.03.1.ce-1.el7.centos.x86_64.rpm pigz-2.3.4-1.el7.x86_64.rpm policycoreutils-2.5-17.1.el7.x86_64.rpm policycoreutils-python-2.5-17.1.el7.x86_64.rpm -y

2. Add name resolution.


[aaa@qq.com westos.org]# cat /etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
172.25.254.71      doundation.com
172.25.254.1       server1 westos.org


3. Add the certificate, copied directly from server1.


[aaa@qq.com ~]# scp -r /etc/docker/certs.d/westos.org/ca.crt aaa@qq.com:/etc/docker/certs.d/westos.org

Check on server2.

[aaa@qq.com docker]# systemctl start docker
[aaa@qq.com docker]# docker login westos.org
Username: admin
Password: 
Login Succeeded
[aaa@qq.com docker]# docker pull westos.org/nginx
Using default tag: latest
latest: Pulling from nginx
b8f262c62ec6: Pull complete 
e9218e8f93b1: Pull complete 
7acba7289aa3: Pull complete 
Digest: sha256:066edc156bcada86155fd80ae03667cf3811c499df73815a2b76e43755ebbc76
Status: Downloaded newer image for westos.org/nginx:latest



Next we can add a simple web interface to view and manage the registry.
Pull the plugin image from Docker Hub.


[aaa@qq.com ~]# docker pull hyper/docker-registry-web
[aaa@qq.com ~]# cat .docker/config.json   # view the login information
{
	"auths": {
		"https://index.docker.io/v1/": {
			"auth": "Z29uZ2hhb3pob25nOjg1MmdvbmdoYW96aG9uZw=="
		},
		"westos.org": {
			"auth": "YWRtaW46d2VzdG9z"
		}
	},
	"HttpHeaders": {
		"User-Agent": "Docker-Client/18.03.1-ce (linux)"
	}
}[aaa@qq.com ~]# 

Run this container.


[aaa@qq.com ~]# docker ps
CONTAINER ID        IMAGE               COMMAND                  CREATED             STATUS              PORTS                            NAMES
4a9ce3d3d4fa        registry            "/entrypoint.sh /etc…"   About an hour ago   Up About an hour    0.0.0.0:443->443/tcp, 5000/tcp   boring_darwin
[aaa@qq.com ~]# docker run -it -p 8080:8080 --name registry-web \
> --link boring_darwin:westos.org \
> -e REGISTRY_URL=https://westos.org/v2 \
> -e REGISTRY_TRUST_ANY_SSL=true \
> -e REGISTRY_BASIC_AUTH="YWRtaW46d2VzdG9z" \
> -e REGISTRY_NAME=westos.org \
> hyper/docker-registry-web
