Enterprise Container Operations: Docker Registries
1. What is a registry?
- A Docker repository is where images are kept. Docker provides a registry server (Registry) that hosts multiple repositories, and each repository can contain multiple images with different tags.
- The default registry used by Docker is the Docker Hub public registry.
Docker's workflow is shown in the figure below:
2. Docker Hub
Docker Hub is the public registry maintained by Docker Inc.; it is free to use, and private repositories can be purchased.
- First register an account at https://hub.docker.com/ and create a public repository on Docker Hub.
- Next, to upload an image from the docker host, log in first:
[root@server1 ~]# docker login
Username: yakexi007
Password: <enter password>
- To tell apart same-named images from different users, Docker Hub requires the image name format [username]/xxx:tag
# docker tag busybox:latest yakexi007/busybox:latest
- Push the image to Docker Hub:
# docker push yakexi007/busybox:latest
- Pull the image from Docker Hub:
# docker pull yakexi007/busybox:latest
- Delete the local image:
# docker rmi yakexi007/busybox:latest
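As an added example that is not part of the original article, the following POSIX shell function expands an image reference the way the docker client does, which is what the naming rule above rests on: a name without a registry prefix resolves to docker.io, a single-component name goes under library/, and a missing tag becomes latest. It also covers the registry-prefixed names used later in the article (localhost:5000/..., 172.25.25.1:5000/..., reg.westos.org/library/...); the function names and the digest sample are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original article: expand an image reference the
# way the docker client does before it talks to a registry. The expanded form
# tells you which host "docker login" must target and why "game2048:latest"
# can come back as "docker.io/library/game2048:latest" when a mirror is used.
#
# Rules applied (docker's reference grammar):
#   - the first path component is a registry host only if it contains "." or
#     ":" or is exactly "localhost"; otherwise the registry is docker.io
#   - a bare single-component name on docker.io lives under "library/"
#   - no tag and no digest means ":latest"; a digest wins over a tag

normalize_ref() {
    ref=$1; digest=''; tag=''

    # split off "@sha256:..." first, then a ":tag" (only after the last "/",
    # so a registry port such as localhost:5000 is not mistaken for a tag)
    case $ref in
        *@*) digest=${ref#*@}; ref=${ref%%@*} ;;
    esac
    last=${ref##*/}
    case $last in
        *:*) tag=${last#*:}; ref=${ref%:*} ;;
    esac

    first=${ref%%/*}
    if [ "$first" = "$ref" ]; then
        registry=docker.io; repo=library/$ref                        # e.g. busybox
    else
        case $first in
            *.*|*:*|localhost) registry=$first; repo=${ref#*/} ;;   # reg.westos.org/...
            *)                 registry=docker.io; repo=$ref ;;     # yakexi007/busybox
        esac
    fi

    if [ -n "$digest" ]; then
        printf '%s/%s@%s\n' "$registry" "$repo" "$digest"
    else
        printf '%s/%s:%s\n' "$registry" "$repo" "${tag:-latest}"
    fi
}

ref_registry() {
    # the host to pass to "docker login" and to name under /etc/docker/certs.d
    normalize_ref "$1" | cut -d/ -f1
}

# sample names taken from the article; the digest form is a constructed example
for name in busybox yakexi007/busybox:latest localhost:5000/game2048 \
            172.25.25.1:5000/game2048:latest reg.westos.org/library/nginx:v1 \
            nginx@sha256:0123456789abcdef; do
    printf '%-40s -> %s\n' "$name" "$(normalize_ref "$name")"
done
```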
3. How the Registry works
- What happens behind a docker pull or push
The index service mainly provides image indexing and user authentication. When an image is downloaded, the client first authenticates against the index service, which looks up the address of the registry holding the image and returns it to the docker client; the docker client then downloads the image from that registry, and during the download the registry checks the validity of the client's token with the index. Different images may be stored on different registry servers, while their index information is all kept on the index service.
- Docker Registry has three roles: index, registry and registry client.
index: responsible for maintaining information about user accounts, image checksums and the public namespace;
Web UI, metadata store, authentication service, tokenization.
registry: the store for images and graphs; it has no local database and does no user authentication of its own, relying on tokens issued by the index auth service.
Registry Client: Docker acts as the registry client, handling pushes and pulls as well as client authorization.
- Scenario A: a user wants to fetch and download an image.
- Scenario B: a user wants to push an image to the registry.
- Scenario C: a user wants to delete an image from the index or registry.
Docker Hub is convenient but has limitations: it needs an internet connection and is slow; everyone can reach it; and for security reasons enterprises do not allow images to be placed outside their network. The good news is that Docker has open-sourced the registry, so an enterprise private registry can be built quickly: https://docs.docker.com/registry/deploying/
The registry built so far has no authentication, so it is of limited use; next we build a private registry.
Building the private registry:
[root@server1 ~]# docker search registry ## search
[root@server1 ~]# docker pull registry ## pull the image
[root@server1 ~]# docker history registry:latest ## shows the container's port information
IMAGE CREATED CREATED BY SIZE COMMENT
1fd8e1b0bb7e 5 weeks ago /bin/sh -c #(nop) CMD ["/etc/docker/registr… 0B
<missing> 5 weeks ago /bin/sh -c #(nop) ENTRYPOINT ["/entrypoint.… 0B
<missing> 5 weeks ago /bin/sh -c #(nop) COPY file:507caa54f88c1f38… 155B
<missing> 5 weeks ago /bin/sh -c #(nop) EXPOSE 5000 0B
<missing> 5 weeks ago /bin/sh -c #(nop) VOLUME [/var/lib/registry] 0B
<missing> 5 weeks ago /bin/sh -c #(nop) COPY file:4544cc1555469403… 295B
<missing> 5 weeks ago /bin/sh -c #(nop) COPY file:21256ff7df5369f7… 20.1MB
<missing> 5 weeks ago /bin/sh -c set -ex && apk add --no-cache… 549kB
<missing> 5 weeks ago /bin/sh -c #(nop) CMD ["/bin/sh"] 0B
<missing> 5 weeks ago /bin/sh -c #(nop) ADD file:282b9d56236cae296… 5.62MB
[root@server1 ~]# docker run -d --name registry -p 5000:5000 registry
## run the registry with a port mapping; the first number is the host port, the second the container port
7bb13092f4e40a9bc129a7a94a71d188b0360e1dc244d834372580fea6857d4f
[root@server1 ~]# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
7bb13092f4e4 registry "/entrypoint.sh /etc…" 3 seconds ago Up 2 seconds 0.0.0.0:5000->5000/tcp registry
[root@server1 ~]# docker inspect registry
## use this command to view the mount information; with no volume specified, docker engine's own volume is used
[root@server1 ~]# docker images
[root@server1 ~]# docker tag yakexi007/game2048:latest localhost:5000/game2048
## re-tag the image to distinguish same-named images from different users
[root@server1 ~]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
rhel7 v4 b3388a690329 6 hours ago 31.9MB
<none> <none> 4cf308c51260 6 hours ago 146MB
rhel7 v3 00f0b93070b1 7 hours ago 141MB
rhel7 v2 55fd86415086 7 hours ago 255MB
rhel7 v1 c8aeebec1de9 7 hours ago 296MB
nginx latest d1a364dc548d 18 hours ago 133MB
busybox v1 ec156da50087 43 hours ago 1.24MB
busybox latest d3cd072556c2 8 days ago 1.24MB
registry latest 1fd8e1b0bb7e 5 weeks ago 26.2MB
yakexi007/game2048 latest 19299002fdbe 4 years ago 55.5MB
localhost:5000/game2048 latest 19299002fdbe 4 years ago 55.5MB
rhel7 latest 0a3eb3fde7fd 6 years ago 140MB
gcr.io/distroless/base-debian10 latest d48fcdd54946 51 years ago 19.2MB
## the newly added image is now listed; the two entries differ only in name, their image ID is the same
[root@server1 ~]# docker push localhost:5000/game2048:latest ## push
[root@server1 ~]# cd /var/lib/docker/volumes/c6ab78e2115ecc13a0b019bd902d9c7a1576d034e7b63669068ac75e05e98108/_data
[root@server1 _data]# ls
docker ## the data is actually stored in the mounted volume
After pushing to the registry, delete the local image and check whether it can be pulled again;
[root@server1 ~]# docker rmi localhost:5000/game2048:latest
Untagged: localhost:5000/game2048:latest
Untagged: localhost:5000/game2048@sha256:8a34fb9cb168c420604b6e5d32ca6d412cb0d533a826b313b190535c03fe9390
[root@server1 ~]# docker rmi yakexi007/game2048:latest
Untagged: yakexi007/game2048:latest
Untagged: yakexi007/game2048@sha256:8a34fb9cb168c420604b6e5d32ca6d412cb0d533a826b313b190535c03fe9390
Deleted: sha256:19299002fdbedc133c625488318ba5106b8a76ca6e34a6a8fec681fb54f5e4c7
Deleted: sha256:a8ba4f00c5b89c2994a952951dc7b043f18e5ef337afdb0d4b8b69d793e9ffa7
Deleted: sha256:e2ea5e1f4b9cfe6afb588167bb38d833a5aa7e4a474053083a5afdca5fff39f0
Deleted: sha256:1b2dc5f636598b4d6f54dbf107a3e34fcba95bf08a7ab5a406d0fc8865ce2ab2
Deleted: sha256:af457147a7ab56e4d77082f56d1a0d6671c1a44ded1f85fea99817231503d7b4
Deleted: sha256:011b303988d241a4ae28a6b82b0d8262751ef02910f0ae2265cb637504b72e36
[root@server1 ~]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
<none> <none> 4cf308c51260 6 hours ago 146MB
rhel7 v4 b3388a690329 6 hours ago 31.9MB
rhel7 v3 00f0b93070b1 7 hours ago 141MB
rhel7 v2 55fd86415086 7 hours ago 255MB
rhel7 v1 c8aeebec1de9 7 hours ago 296MB
nginx latest d1a364dc548d 18 hours ago 133MB
busybox v1 ec156da50087 43 hours ago 1.24MB
busybox latest d3cd072556c2 8 days ago 1.24MB
registry latest 1fd8e1b0bb7e 5 weeks ago 26.2MB
rhel7 latest 0a3eb3fde7fd 6 years ago 140MB
gcr.io/distroless/base-debian10 latest d48fcdd54946 51 years ago 19.2MB
[root@server1 ~]# docker pull localhost:5000/game2048:latest
## the image is pulled successfully from the local registry
latest: Pulling from game2048
534e72e7cedc: Pull complete
f62e2f6dfeef: Pull complete
fe7db6293242: Pull complete
3f120f6a2bf8: Pull complete
4ba4e6930ea5: Pull complete
Digest: sha256:8a34fb9cb168c420604b6e5d32ca6d412cb0d533a826b313b190535c03fe9390
Status: Downloaded newer image for localhost:5000/game2048:latest
localhost:5000/game2048:latest
[root@server1 ~]# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
143abac135cb registry "/entrypoint.sh /etc…" 11 minutes ago Up 11 minutes 0.0.0.0:5000->5000/tcp registry
The registry can currently be used for push and pull only from the local host; by default remote hosts cannot access it. For remote access, the client must be told that the registry is insecure;
To try remote access, start a second virtual machine; first set up the docker software repository and install the docker tools on it;
[root@server2 yum.repos.d]# ls
docker.repo dvd.repo redhat.repo
[root@server2 yum.repos.d]# cat docker.repo
[docker]
name=docker-ce
baseurl=http://172.25.25.250/docker-ce
gpgcheck=0
[root@server2 ~]# yum install -y docker-ce
[root@server2 docker]# systemctl enable --now docker.service
[root@server2 sysctl.d]# cat dokcer.conf
net.bridge.bridge-nf-call-iptables = 1
net.bridge.bridge-nf-call-ip6tables = 1
[root@server2 docker]# sysctl --system
[root@server2 sysctl.d]# docker info
## docker info now shows no errors
Once the above is done, docker must still be told that the registry it will pull from is insecure;
[root@server2 ~]# cd /etc/docker/
[root@server2 docker]# ls
key.json
[root@server2 docker]# vim daemon.json
[root@server2 docker]# cat daemon.json
{
"insecure-registries": ["172.25.25.1:5000"]
}
[root@server2 docker]# systemctl reload docker
[root@server2 docker]# docker info
Registry: https://index.docker.io/v1/
Labels:
Experimental: false
Insecure Registries: ## the insecure registry now appears here
172.25.25.1:5000
127.0.0.0/8
Live Restore Enabled: false
[root@server2 docker]# docker pull 172.25.25.1:5000/game2048:latest
## the remote host can now pull the image
Using default tag: latest
latest: Pulling from game2048
534e72e7cedc: Pull complete
f62e2f6dfeef: Pull complete
fe7db6293242: Pull complete
3f120f6a2bf8: Pull complete
4ba4e6930ea5: Pull complete
Digest: sha256:8a34fb9cb168c420604b6e5d32ca6d412cb0d533a826b313b190535c03fe9390
Status: Downloaded newer image for 172.25.25.1:5000/game2048:latest
172.25.25.1:5000/game2048:latest
[root@server2 docker]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
172.25.25.1:5000/game2048 latest 19299002fdbe 4 years ago 55.5MB
The above is the simplest local registry, with no encryption or authentication.
4. Configure a registry mirror (accelerator)
Downloading images from Docker Hub is too slow, so a mirror accelerator is configured; Alibaba Cloud is used as the example here (an Alibaba Cloud account must be registered beforehand):
Configure the docker daemon file:
vim /etc/docker/daemon.json
{
"registry-mirrors": ["https://vo5twm71.mirror.aliyuncs.com"]
}
Reload the docker service:
#systemctl daemon-reload
#systemctl restart docker
5. Build a private registry
Remove the previous registry and its volume;
[root@server1 ~]# docker rm -f registry
registry
[root@server1 ~]# docker volume ls
DRIVER VOLUME NAME
local 7ee3956be7d3474e7bc2111d81fbee8db3422789fb64831342e65d2408ef5532
[root@server1 ~]# docker volume prune ## remove all unused volumes
WARNING! This will remove all local volumes not used by at least one container.
Are you sure you want to continue? [y/N] y
Deleted Volumes:
7ee3956be7d3474e7bc2111d81fbee8db3422789fb64831342e65d2408ef5532
Total reclaimed space: 17.75MB
[root@server1 ~]# docker container prune ## remove stopped containers
WARNING! This will remove all stopped containers.
Are you sure you want to continue? [y/N] y
Total reclaimed space: 0B
[root@server1 ~]# docker image prune ## remove all dangling images
WARNING! This will remove all dangling images.
Are you sure you want to continue? [y/N] y
Deleted Images:
deleted: sha256:4cf308c51260643b216ebfa2ad0c853f0a190de24645d0031d3d20e687801a80
deleted: sha256:d8eefca77d25ab5621bb75f669ee3ed19a98cf336586d89e9d09c74f37e1711e
deleted: sha256:9824bd8622ef082374d053fb2fb1cef2b24042390155c0d86c58e947a0f952f2
Total reclaimed space: 12.72MB
[root@server1 ~]# docker rmi rhel7:v4 ## remove the unneeded images one by one
Untagged: rhel7:v4
Deleted: sha256:b3388a690329390dacbdcd45df04a82df802b02f5c87548318f916aa88d64dab
Deleted: sha256:52d6aca444a9b645652020d25a103009851df5bc6d18f054a47d97932ec4b74b
Deleted: sha256:55d6bb5728eb74472779ae0efd045b8bb46c29176157d1c8416ce047d50b1cda
Deleted: sha256:36cd5ddf7ad3cdb0bf355bb689422f2935f5a93039b30bfb9dacacc978250022
Deleted: sha256:e675a6f01e302b423efb94d625945041619b4cdd5fc5a52b2495a0a042065323
For building a private registry, the official documentation at docs.docker.com/registry can be consulted for help;
- Add certificate (TLS) encryption to the Docker registry
Generate the certificate (the domain westos.org must resolve on the host)
[root@server1 ~]# mkdir -p certs ## create a directory
[root@server1 ~]# openssl req -newkey rsa:4096 -nodes -sha256 -keyout certs/westos.org.key -x509 -days 365 -out certs/westos.org.crt
## generate a self-signed certificate and key
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:shaanxi
Locality Name (eg, city) [Default City]:xi'an
Organization Name (eg, company) [Default Company Ltd]:westos
Organizational Unit Name (eg, section) []:linux
Common Name (eg, your name or your server's hostname) []:reg.westos.org
Email Address []:root@westos.org
[root@server1 ~]# ls certs/
westos.org.crt westos.org.key
## rebuild the registry container
[root@server1 ~]# docker run -d \ ## run the container
> --restart=always \ ## start automatically on boot
> --name registry \
> -v "$(pwd)"/certs:/certs \ ## mount; -v needs an absolute path
> -e REGISTRY_HTTP_ADDR=0.0.0.0:443 \ ## listening port
> -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/westos.org.crt \
> -e REGISTRY_HTTP_TLS_KEY=/certs/westos.org.key \
> -p 443:443 \ ## port mapping
> -v /opt/registry:/var/lib/registry registry ## data directory to mount
648da93dda348129139e9a3910b33139ef59f7e27f9aaca387d8137d645b6f10
[root@server1 ~]# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
648da93dda34 registry "/entrypoint.sh /etc…" About a minute ago Up About a minute 0.0.0.0:443->443/tcp, 5000/tcp registry
[root@server1 ~]# cd /opt/registry/ ## directory created automatically by the mount
[root@server1 registry]# ls
[root@server1 registry]# docker volume ls ## the previous mounted volume has been replaced
DRIVER VOLUME NAME
Name resolution is needed to connect
[root@server1 registry]# vim /etc/hosts ## add the resolution entry
[root@server1 registry]# cat /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
172.25.15.250 foundation15.ilt.example.com
172.25.15.1 server1 reg.westos.org
172.25.15.2 server2
172.25.15.3 server3
172.25.15.4 server4
172.25.15.5 server5
172.25.15.6 server6
Push
[root@server1 ~]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
nginx latest f0b8a9a54136 10 days ago 133MB
registry latest 1fd8e1b0bb7e 5 weeks ago 26.2MB
localhost:5000/game2048 latest 19299002fdbe 4 years ago 55.5MB
rhel7 latest 0a3eb3fde7fd 6 years ago 140MB
gcr.io/distroless/base-debian10 latest d48fcdd54946 51 years ago 19.2MB
[root@server1 ~]# docker tag nginx:latest reg.westos.org/nginx:latest
## rename
[root@server1 ~]# docker push reg.westos.org/nginx:latest
## the push now fails: the certificate is not trusted yet
The push refers to repository [reg.westos.org/nginx]
Get https://reg.westos.org/v2/: x509: certificate signed by unknown authority
Let docker pick up the certificate automatically;
[root@server1 ~]# cd certs/
[root@server1 certs]# ls
westos.org.crt westos.org.key
[root@server1 certs]# cd /etc/docker/
[root@server1 docker]# ls
daemon.json key.json
[root@server1 docker]# mkdir certs.d
[root@server1 docker]# cd certs.d/
[root@server1 certs.d]# mkdir reg.westos.org
[root@server1 certs.d]# cd reg.westos.org/
[root@server1 reg.westos.org]# cp ~/certs/westos.org.crt ca.crt
[root@server1 reg.westos.org]# ls
ca.crt
Now push again and check
[root@server1 reg.westos.org]# docker push reg.westos.org/nginx:latest
## with the certificate in place, the push succeeds and is now encrypted in transit
The push refers to repository [reg.westos.org/nginx]
f0f30197ccf9: Pushed
eeb14ff930d4: Pushed
c9732df61184: Pushed
4b8db2d7f35a: Pushed
431f409d4c5a: Pushed
02c055ef67f5: Pushed
latest: digest: sha256:eba373a0620f68ffdc3f217041ad25ef084475b8feb35b992574cd83698e9e3c size: 1570
- Add user authentication to the Docker registry
[root@server1 ~]# yum install httpd-tools.x86_64 -y ## install the package that provides htpasswd
[root@server1 ~]# mkdir auth
[root@server1 ~]# htpasswd -cB auth/htpasswd admin
## generate the user password file
New password:
Re-type new password:
Adding password for user admin
[root@server1 ~]# cat auth/htpasswd
admin:$2y$05$xcuFrJ8i4.5h8mWViTE0mONnMdPgm0SW6INIOWpQfD.L1RjaxcO92
[root@server1 ~]# htpasswd -B auth/htpasswd zxk
## note: -c is only needed the first time; using -c again when adding users overwrites the earlier file; -B forces bcrypt hashing of the passwords
New password:
Re-type new password:
Adding password for user zxk
[root@server1 ~]# cat auth/htpasswd
admin:$2y$05$xcuFrJ8i4.5h8mWViTE0mONnMdPgm0SW6INIOWpQfD.L1RjaxcO92
zxk:$2y$05$vDNpTjzreUkjfnzxfpZBYuB63W16zXPOl0mwu97sFIrKb0idr3c/2
Remove the previous registry and run it again; removing the registry container does not delete its data;
[root@server1 ~]# docker rm -f registry
registry
[root@server1 ~]# ll -d /opt/registry/
drwxr-xr-x 3 root root 20 May 23 10:02 /opt/registry/
[root@server1 ~]# cd /data/
[root@server1 data]# ls
[root@server1 data]# mv ~/auth/ .
[root@server1 data]# ls
auth
[root@server1 data]# mv ~/certs/ .
[root@server1 data]# ls
auth certs ## avoid relative paths at run time
Rebuild the registry container, this time with password authentication
[root@server1 ~]# docker run -d \
--restart=always \
--name registry \
-v /data/certs:/certs \
-e REGISTRY_HTTP_ADDR=0.0.0.0:443 \
-e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/westos.org.crt \
-e REGISTRY_HTTP_TLS_KEY=/certs/westos.org.key \
-p 443:443 -v /opt/registry:/var/lib/registry -v /data/auth:/auth \
-e "REGISTRY_AUTH=htpasswd" \
-e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" \
-e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd registry
9c565b84e8420f4a2222f978a549dff290f477fde8f81d31c5a40943386c06f8
## with authentication added, this run has both encryption and user authentication
[root@server1 ~]# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
9c565b84e842 registry "/entrypoint.sh /etc…" 38 seconds ago Up 37 seconds 0.0.0.0:443->443/tcp, 5000/tcp registry
Once done, test by pushing an image;
[root@server1 ~]# docker push reg.westos.org/nginx:latest
## the push now fails
The push refers to repository [reg.westos.org/nginx]
f0f30197ccf9: Preparing
eeb14ff930d4: Preparing
c9732df61184: Preparing
4b8db2d7f35a: Preparing
431f409d4c5a: Preparing
02c055ef67f5: Preparing
no basic auth credentials ## no credentials were supplied
After logging in as one of the users whose password was hashed above, the push succeeds;
[root@server1 ~]# docker login reg.westos.org
Username: admin
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
[root@server1 ~]# cat /root/.docker/config.json
## the credentials are stored in this file, so logging in once is enough
{
"auths": {
"reg.westos.org": {
"auth": "YWRtaW46d2VzdG9z"
}
},
"HttpHeaders": {
"User-Agent": "Docker-Client/19.03.15 (linux)"
}
}
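The config.json shown above stores the login as base64 of user:password, which is what the earlier warning means by "unencrypted". As an added example that is not code from the original article, this shell script lists every stored login in a config.json and reports whether a credential helper is configured; the function names and the alice/s3cret sample credentials are constructed for the example, and the parser only understands the simple layout shown above.

```shell
#!/bin/sh
# Added example, not from the original article. "docker login" writes
# base64("user:password") into the "auth" field of ~/.docker/config.json;
# anyone who can read the file can recover the password. This script lists the
# stored logins and flags the file when no credential helper is configured.

list_stored_logins() {
    # print "<registry> <user>" for each entry under "auths" (password omitted)
    awk '
        # a line such as   "reg.westos.org": {   names the registry
        /^[[:space:]]*"[^"]+":[[:space:]]*[{]/ {
            reg = $0; sub(/^[[:space:]]*"/, "", reg); sub(/".*/, "", reg); next
        }
        # the "auth" line carries base64(user:password)
        /"auth"[[:space:]]*:/ {
            val = $0; sub(/.*"auth"[[:space:]]*:[[:space:]]*"/, "", val); sub(/".*/, "", val)
            cmd = "printf %s " val " | base64 -d"
            cmd | getline creds; close(cmd)
            sub(/:.*/, "", creds)            # keep the user name only
            print reg, creds
        }
    ' "$1"
}

has_cred_helper() {
    # true when credsStore or credHelpers is set (passwords then live in a helper)
    grep -Eq '"(credsStore|credHelpers)"' "$1"
}

audit_docker_config() {
    # return 0 when no plaintext login is stored or a helper is configured
    logins=$(list_stored_logins "$1")
    [ -z "$logins" ] && return 0
    printf '%s\n' "$logins" | while read -r reg user; do
        printf 'stored login for %s as user %s\n' "$reg" "$user"
    done
    has_cred_helper "$1" && return 0
    echo 'no credential helper configured: passwords are recoverable from this file'
    return 1
}

# constructed sample config (the credentials alice / s3cret are made up)
SAMPLE=$(mktemp)
AUTH=$(printf '%s' 'alice:s3cret' | base64)
cat > "$SAMPLE" <<EOF
{
	"auths": {
		"reg.westos.org": {
			"auth": "$AUTH"
		}
	},
	"HttpHeaders": {
		"User-Agent": "Docker-Client/19.03.15 (linux)"
	}
}
EOF
audit_docker_config "$SAMPLE" ||
    echo 'fix: configure a credential helper, or at least restrict the file to mode 600'
rm -f "$SAMPLE"
```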
[root@server1 ~]# docker push reg.westos.org/nginx:latest
The push refers to repository [reg.westos.org/nginx]
f0f30197ccf9: Layer already exists
eeb14ff930d4: Layer already exists
c9732df61184: Layer already exists
4b8db2d7f35a: Layer already exists
431f409d4c5a: Layer already exists
02c055ef67f5: Layer already exists
latest: digest: sha256:eba373a0620f68ffdc3f217041ad25ef084475b8feb35b992574cd83698e9e3c size: 1570
Now test from the remote host: either change the earlier insecure-registry entry to point at this registry, or access its address directly; either way, name resolution must be set up first;
1) Accessing the address directly:
[root@server2 docker]# vim /etc/hosts
[root@server2 docker]# cat /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
172.25.25.250 foundation39.ilt.example.com
172.25.25.1 server1 reg.westos.org
172.25.25.2 server2
172.25.25.3 server3
172.25.25.4 server4
172.25.25.5 server5
172.25.25.6 server6
172.25.25.7 server7
172.25.25.8 server8
[root@server2 docker]# docker pull reg.westos.org/nginx:latest
## the pull fails: the certificate is not trusted yet
Error response from daemon: Get https://reg.westos.org/v2/: x509: certificate signed by unknown authority
[root@server2 docker]# ls ## copy the certificate over from the first host
certs.d key.json daemon.json
[root@server2 docker]# docker pull reg.westos.org/nginx:latest
## the pull now asks for authentication
Error response from daemon: Get https://reg.westos.org/v2/nginx/manifests/latest: no basic auth credentials
[root@server2 docker]# docker login reg.westos.org
Username: zxk ## log in
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
[root@server2 docker]# docker pull reg.westos.org/nginx:latest
## after logging in the pull succeeds
latest: Pulling from nginx
69692152171a: Pull complete
30afc0b18f67: Pull complete
596b1d696923: Pull complete
febe5bd23e98: Pull complete
8283eee92e2f: Pull complete
351ad75a6cfa: Pull complete
Digest: sha256:61191087790c31e43eb37caa10de1135b002f10c09fdda7fa8a5989db74033aa
Status: Downloaded newer image for reg.westos.org/nginx:latest
reg.westos.org/nginx:latest
2) Editing the configuration file:
[root@server2 docker]# vim daemon.json
[root@server2 docker]# cat daemon.json
{
"registry-mirrors": ["https://reg.westos.org"]
}
[root@server2 docker]# systemctl restart docker.service
[root@server2 docker]# docker info
Experimental: false
Insecure Registries:
127.0.0.0/8
Registry Mirrors:
https://reg.westos.org/ ## registry address
Live Restore Enabled: false
### authentication is required in this case too, just as before, and then the pull works
[root@server2 docker]# docker logout reg.westos.org
## log out
With the above, the registry is built with both authentication and encryption; but everything in the registry is protected in the same way and every pull requires authentication. For images that an enterprise uses frequently it is better to allow anonymous pulls, which saves a lot of time and effort;
- Building a full-featured registry: Harbor
Here Harbor's offline installer package is used; it can also be downloaded from https://github.com/goharbor/harbor/releases;
[root@server1 ~]# ls
base-debian10.tar docker-compose-Linux-x86_64-1.27.0 rhel7.tar
docker harbor-offline-installer-v1.10.1.tgz
[root@server1 ~]# mv docker-compose-Linux-x86_64-1.27.0 /usr/local/bin/docker-compose
## move the binary into place and make it executable
[root@server1 ~]# chmod +x /usr/local/bin/docker-compose
[root@server1 ~]# docker-compose ## check that the binary runs
[root@server1 ~]# tar zxf harbor-offline-installer-v1.10.1.tgz
[root@server1 ~]# ls
base-debian10.tar docker harbor harbor-offline-installer-v1.10.1.tgz rhel7.tar
[root@server1 ~]# cd harbor/
[root@server1 harbor]# ls
common.sh harbor.v1.10.1.tar.gz harbor.yml install.sh LICENSE prepare
[root@server1 harbor]# vim harbor.yml ## edit the following settings
hostname: reg.westos.org
certificate: /data/certs/westos.org.crt ## certificate and key
private_key: /data/certs/westos.org.key
harbor_admin_password: admin ## web UI login password
[root@server1 harbor]# cd /data/
[root@server1 data]# ls
auth certs ## move the htpasswd auth directory out of the way
[root@server1 data]# mv auth/ /mnt/
[root@server1 data]# ls
certs
Installation can then proceed: --with-notary enables image signing (content trust), --with-clair enables image vulnerability scanning, and --with-chartmuseum enables storing chart packages;
[root@server1 harbor]# ./install.sh --help
Note: Please set hostname and other necessary attributes in harbor.yml first. DO NOT use localhost or 127.0.0.1 for hostname, because Harbor needs to be accessed by external clients.
Please set --with-notary if needs enable Notary in Harbor, and set ui_url_protocol/ssl_cert/ssl_cert_key in harbor.yml bacause notary must run under https.
Please set --with-clair if needs enable Clair in Harbor
Please set --with-chartmuseum if needs enable Chartmuseum in Harbor
[root@server1 harbor]# ./install.sh ## run the script to start the installation
[root@server1 harbor]# ls
common docker-compose.yml harbor.yml LICENSE
common.sh harbor.v1.10.1.tar.gz install.sh prepare
[root@server1 harbor]# docker-compose ps
## this command works much like docker, but it must be run from the harbor directory because it reads the docker-compose.yml generated by the install script
## it also shows the port information
[root@server1 harbor]# docker-compose start
## once started, the web UI can be opened in a browser
Harbor does not download images from the external network automatically; they must be managed manually;
Set up a mirror accelerator to speed things up;
[root@server1 harbor]# cd /etc/docker/
[root@server1 docker]# ls
certs.d daemon.json key.json
[root@server1 docker]# cat daemon.json
{
"registry-mirrors": ["https://vo5twm71.mirror.aliyuncs.com"]
}
[root@server1 harbor]# docker login reg.westos.org ## this login now uses Harbor's user and password
Username: admin
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
[root@server1 harbor]# docker push reg.westos.org/library/game2048:latest
The push refers to repository [reg.westos.org/library/game2048]
88fca8ae768a: Pushed
6d7504772167: Pushed
192e9fad2abc: Pushed
36e9226e74f8: Pushed
011b303988d2: Pushed
latest: digest: sha256:8a34fb9cb168c420604b6e5d32ca6d412cb0d533a826b313b190535c03fe9390 size: 1364
After the push completes, check in the web UI:
Then on the other host log out of the previous credentials, delete the earlier image, and pull the newly pushed one;
[root@server2 docker]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
[root@server2 docker]# docker logout reg.westos.org
Removing login credentials for reg.westos.org
[root@server2 docker]# docker pull game2048:latest
## the client pulls without authenticating, as the access information in the web UI shows
latest: Pulling from library/game2048
534e72e7cedc: Pull complete
f62e2f6dfeef: Pull complete
fe7db6293242: Pull complete
3f120f6a2bf8: Pull complete
4ba4e6930ea5: Pull complete
Digest: sha256:8a34fb9cb168c420604b6e5d32ca6d412cb0d533a826b313b190535c03fe9390
Status: Downloaded newer image for game2048:latest
docker.io/library/game2048:latest
User information can also be viewed in the web UI, where the pull shows as anonymous;
Push another image to observe the effect;
[root@server1 ~]# docker rmi reg.westos.org/nginx:latest
Untagged: reg.westos.org/nginx:latest
[root@server1 ~]# docker tag nginx:latest reg.westos.org/library/nginx:latest
[root@server1 ~]# docker push reg.westos.org/library/nginx:latest
[root@server2 docker]# docker pull reg.westos.org/library/nginx:latest
Other Harbor features:
[root@server1 harbor]# docker-compose stop ## stop the registry
[root@server1 harbor]# docker-compose rm ## remove all the containers
[root@server1 harbor]# ./install.sh --with-notary --with-clair --with-chartmuseum
## reinstall
[root@server1 harbor]# docker-compose ps ## more services are listed now
After reinstalling, additional functions appear:
Then scan the existing images to check for vulnerabilities;
With these options added, images can be scanned; when automatic scanning is enabled, images are scanned automatically on push;
Trust management (signing) is also available; once content trust is enabled, pulling an image reports the following:
[root@server2 docker]# docker pull reg.westos.org/library/game2048:latest
Error response from daemon: unknown: The image is not signed in Notary.
After enabling Docker content trust, delete nginx in the web UI, clear the cache, then push it again to see it signed;
[root@server1 harbor]# export DOCKER_CONTENT_TRUST=1
## enable content trust
[root@server1 harbor]# export DOCKER_CONTENT_TRUST_SERVER=https://reg.westos.org:4443
## location of the content trust (notary) server
[root@server1 harbor]# docker push reg.westos.org/library/nginx:latest
The push refers to repository [reg.westos.org/library/nginx]
075508cf8f04: Pushed
5c865c78bc96: Pushed
134e19b2fac5: Pushed
83634f76e732: Pushed
766fe2c3fc08: Pushed
02c055ef67f5: Pushed
latest: digest: sha256:61191087790c31e43eb37caa10de1135b002f10c09fdda7fa8a5989db74033aa size: 1570
Signing and pushing trust metadata
Error: error contacting notary server: x509: certificate signed by unknown authority
Install the certificate for notary, then push again:
When pushing a brand-new repository, two passphrases must be entered; when only the version of an existing image is updated, one passphrase is enough;
[root@server1 ~]# cd .docker/
[root@server1 .docker]# ls
config.json trust
[root@server1 .docker]# mkdir tls ## install the certificate for notary
[root@server1 .docker]# cd tls/
[root@server1 tls]# mkdir reg.westos.org:4443
[root@server1 tls]# cd reg.westos.org\:4443/
[root@server1 reg.westos.org:4443]# cp /data/certs/westos.org.crt ca.crt
[root@server1 reg.westos.org:4443]# ls
ca.crt
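The same CA certificate had to be installed twice above: under /etc/docker/certs.d/<host>/ for the registry API and under ~/.docker/tls/<host>:4443/ for the notary server, and each missing copy produced an "x509: certificate signed by unknown authority" error. As an added example that is not part of the original article, this shell script checks and installs both copies; check_ca_placement and install_ca are names assumed here, and the root directories are parameters so the check can run against a staging tree.

```shell
#!/bin/sh
# Added example, not from the original article: verify that the CA certificate
# of a self-signed registry is installed where the docker client and the
# content-trust (notary) client expect it. Both "x509: certificate signed by
# unknown authority" errors in the article come from one of these two files
# being missing or different from the registry's certificate.
#
#   <etc>/certs.d/<host>/ca.crt                docker pull/push (registry API)
#   <home>/.docker/tls/<host>:<port>/ca.crt    docker trust / DCT (notary API)

check_ca_placement() {
    host=$1; notary_port=$2; ca=$3
    etc=${4:-/etc/docker}; home=${5:-$HOME}
    rc=0
    for f in "$etc/certs.d/$host/ca.crt" "$home/.docker/tls/$host:$notary_port/ca.crt"; do
        if [ ! -f "$f" ]; then
            printf 'MISSING  %s\n' "$f"; rc=1
        elif ! cmp -s "$ca" "$f"; then
            printf 'MISMATCH %s (differs from %s)\n' "$f" "$ca"; rc=1
        else
            printf 'OK       %s\n' "$f"
        fi
    done
    return $rc
}

install_ca() {
    # copy the CA into both locations (idempotent); same parameters as above
    host=$1; notary_port=$2; ca=$3
    etc=${4:-/etc/docker}; home=${5:-$HOME}
    for d in "$etc/certs.d/$host" "$home/.docker/tls/$host:$notary_port"; do
        mkdir -p "$d" && cp "$ca" "$d/ca.crt"
    done
}

# stand-alone demo against a constructed temp tree with a dummy CA file
ROOT=$(mktemp -d)
printf 'constructed placeholder for westos.org.crt\n' > "$ROOT/ca.crt"
check_ca_placement reg.westos.org 4443 "$ROOT/ca.crt" "$ROOT/etc" "$ROOT/home" || echo 'installing...'
install_ca reg.westos.org 4443 "$ROOT/ca.crt" "$ROOT/etc" "$ROOT/home"
check_ca_placement reg.westos.org 4443 "$ROOT/ca.crt" "$ROOT/etc" "$ROOT/home"
rm -rf "$ROOT"
```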
[root@server1 reg.westos.org:4443]# docker push reg.westos.org/library/nginx:latest
The push refers to repository [reg.westos.org/library/nginx]
f0f30197ccf9: Layer already exists
eeb14ff930d4: Layer already exists
c9732df61184: Layer already exists
4b8db2d7f35a: Layer already exists
431f409d4c5a: Layer already exists
02c055ef67f5: Layer already exists
latest: digest: sha256:eba373a0620f68ffdc3f217041ad25ef084475b8feb35b992574cd83698e9e3c size: 1570
Signing and pushing trust metadata
You are about to create a new root signing key passphrase. This passphrase
will be used to protect the most sensitive key in your signing system. Please
choose a long, complex passphrase and be careful to keep the password and the
key file itself secure and backed up. It is highly recommended that you use a
password manager to generate the passphrase and keep it safe. There will be no
way to recover this key. You can find the key in your config directory.
Enter passphrase for new root key with ID 72900f3:
Repeat passphrase for new root key with ID 72900f3:
Enter passphrase for new repository key with ID 2d31532:
Repeat passphrase for new repository key with ID 2d31532:
Finished initializing "reg.westos.org/library/nginx"
Successfully signed reg.westos.org/library/nginx:latest
Afterwards, viewing the newly pushed image in the web UI shows it was automatically scanned and is signed;
Once signed, pull it again and check:
Signing establishes trust in an image: unsigned images may sit in the registry, but they cannot be pulled and deployed into a production environment.
[root@server2 ~]# docker pull nginx
Using default tag: latest
latest: Pulling from library/nginx
69692152171a: Pull complete
30afc0b18f67: Pull complete
596b1d696923: Pull complete
febe5bd23e98: Pull complete
8283eee92e2f: Pull complete
351ad75a6cfa: Pull complete
Digest: sha256:61191087790c31e43eb37caa10de1135b002f10c09fdda7fa8a5989db74033aa
Status: Downloaded newer image for nginx:latest
docker.io/library/nginx:latest
Sign an image that already exists in the registry:
[root@server1 ~]# docker push reg.westos.org/library/game2048:latest
The push refers to repository [reg.westos.org/library/game2048]
88fca8ae768a: Layer already exists
6d7504772167: Layer already exists
192e9fad2abc: Layer already exists
36e9226e74f8: Layer already exists
011b303988d2: Layer already exists
latest: digest: sha256:8a34fb9cb168c420604b6e5d32ca6d412cb0d533a826b313b190535c03fe9390 size: 1364
Signing and pushing trust metadata
Enter passphrase for root key with ID 40db6c1:
Enter passphrase for new repository key with ID a55c78f:
Repeat passphrase for new repository key with ID a55c78f:
Finished initializing "reg.westos.org/library/game2048"
Successfully signed reg.westos.org/library/game2048:latest
Updating the version of an existing image:
[root@server1 ~]# cd docker/
[root@server1 docker]# mkdir test
[root@server1 docker]# cd test/
[root@server1 test]# vim Dockerfile
[root@server1 test]# cat Dockerfile
FROM nginx
COPY index.html /usr/share/nginx/html
[root@server1 test]# cp ../index.html .
[root@server1 test]# ls
Dockerfile index.html
[root@server1 test]# cat index.html
www.westos.org
[root@server1 test]# export DOCKER_CONTENT_TRUST=0
[root@server1 test]# docker build -t nginx:v1 . ## build the image
Sending build context to Docker daemon 3.072kB
Step 1/2 : FROM nginx
---> d1a364dc548d
Step 2/2 : COPY index.html /usr/share/nginx/html
---> 3167572bbc25
Successfully built 3167572bbc25
Successfully tagged nginx:v1
[root@server1 test]# docker tag nginx:v1 reg.westos.org/library/nginx:v1 ## rename
[root@server1 test]# export DOCKER_CONTENT_TRUST=1
[root@server1 test]# docker push reg.westos.org/library/nginx:v1
The push refers to repository [reg.westos.org/library/nginx]
47c5645eaeea: Pushed
075508cf8f04: Layer already exists
5c865c78bc96: Layer already exists
134e19b2fac5: Layer already exists
83634f76e732: Layer already exists
766fe2c3fc08: Layer already exists
02c055ef67f5: Layer already exists
v1: digest: sha256:a19f00ff8772f68dd96f1bab4482ec70c636adfdfc3867e49bca2ba7fe2c9a25 size: 1777
Signing and pushing trust metadata
Enter passphrase for repository key with ID fdacdce: ## only one passphrase is needed this time
Successfully signed reg.westos.org/library/nginx:v1
[root@server2 ~]# docker pull nginx:v1 ## test the pull
Create a new project (in the web UI):
Test by pushing an image:
[root@server1 test]# export DOCKER_CONTENT_TRUST=0
[root@server1 test]# docker tag reg.westos.org/library/game2048:latest reg.westos.org/westos/game2048:latest
[root@server1 test]# docker push reg.westos.org/westos/game2048:latest
The push refers to repository [reg.westos.org/westos/game2048]
88fca8ae768a: Mounted from library/game2048
6d7504772167: Mounted from library/game2048
192e9fad2abc: Mounted from library/game2048
36e9226e74f8: Mounted from library/game2048
011b303988d2: Mounted from library/game2048
latest: digest: sha256:8a34fb9cb168c420604b6e5d32ca6d412cb0d533a826b313b190535c03fe9390 size: 1364
Pulling this image requires an authenticated login; create a user in the web UI;
[root@server2 ~]# docker pull reg.westos.org/westos/game2048:latest
Error response from daemon: pull access denied for reg.westos.org/westos/game2048, repository does not exist or may require 'docker login': denied: requested access to the resource is denied
After adding the user, they still need to be granted permissions on the project; developers and guests can pull images but cannot push;
After adding the user, log in and pull again:
[root@server2 ~]# docker login reg.westos.org
Username: zxk
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
[root@server2 ~]# docker pull reg.westos.org/westos/game2048:latest
latest: Pulling from westos/game2048
534e72e7cedc: Pull complete
f62e2f6dfeef: Pull complete
fe7db6293242: Pull complete
3f120f6a2bf8: Pull complete
4ba4e6930ea5: Pull complete
Digest: sha256:8a34fb9cb168c420604b6e5d32ca6d412cb0d533a826b313b190535c03fe9390
Status: Downloaded newer image for reg.westos.org/westos/game2048:latest
reg.westos.org/westos/game2048:latest
The pull now works, but a guest cannot push.
With the scanning option enabled earlier, another copy is stored whenever the data changes, and over time the VM becomes sluggish; so reinstall now without it.
[root@server1 harbor]# docker-compose stop
[root@server1 harbor]# docker-compose rm
[root@server1 harbor]# ./install.sh --with-chartmuseum
[root@server1 harbor]# docker-compose ps
6. Summary
We studied how Docker registries work and practised building a private Docker registry.
- Docker registry subcommands
docker search: search for images
docker pull: pull an image
docker push: push an image
docker login: log in to a registry
docker logout: log out of a registry