Introduction
Docker Hub uses hub.docker.com as its public registry. In the same way, we can use the registry image to run our own private registry, which also speeds up image access.
1. Environment
[root@localhost docker.registry:5000]# cat /etc/redhat-release
Red Hat Enterprise Linux Server release 7.3 (Maipo)
2. Setup variants
- Registry without authentication
- Registry with HTTPS (TLS)
- Registry with username/password login
3. Setup steps:
3.1 Registry without authentication
Pull the image:
docker pull registry:2.6.2
Start it without authentication:
docker run -d -p 5000:5000 --name registry2-noauth --restart=always -v /usr/local/docker/registry/auth/:/auth/ -v /usr/local/docker/registry/:/var/lib/registry/ registry:2.6.2
--restart=always: the container starts automatically whenever Docker restarts
Client configuration to allow plain HTTP
- Edit /etc/docker/daemon.json
[root@localhost ~]# echo '{ "insecure-registries":["172.16.1.146:5000"] }' > /etc/docker/daemon.json
[root@localhost ~]# cat /etc/docker/daemon.json
{ "insecure-registries":["172.16.1.146:5000"] }
- Reload Docker
sudo systemctl daemon-reload
sudo systemctl restart docker
Without this configuration the client reports an error when it talks to the registry.
Usage:
- Tag the image and push it
Use docker tag to tag an image. The format is as follows:
172.16.1.146:5000/registry:2.6.2, where 172.16.1.146 is the address of the local registry, 5000 is the registry port, registry is the image (repository) name and 2.6.2 is the version.
Here 172.16.1.146 can be a local IP address or a domain name, e.g. www.xxx.net
[root@gitlab conf]# docker tag docker.io/registry:2.6.2 172.16.1.146:5000/registry:2.6.2
After tagging, a local image with the same name as the tag appears in the image list; this is the image we push.
- Push the image to the registry
[root@localhost local]# docker push 172.16.1.146:5000/registry:2.6.2
The push refers to a repository [172.16.1.146:5000/registry]
9113493eaae1: Pushed
621c2399d41a: Pushed
59e80739ed3f: Pushed
febf19f93653: Pushed
e53f74215d12: Pushed
2.6.2: digest: sha256:feb40d14cd33e646b9985e2d6754ed66616fedb840226c4d917ef53d616dcd6c size: 1364
- Check whether the image exists
API:
- List all repositories
GET http://127.0.0.1:5000/v2/_catalog
{
  "repositories": [
    "mongo",
    "registry"
  ]
}
- List all tags of an image
GET http://127.0.0.1:5000/v2/registry/tags/list
{
  "name": "registry",
  "tags": [
    "2.6.2",
    "2.6.3"
  ]
}
registry is the image name; the output shows that the image was pushed successfully.
- Pull an image from the private registry
[root@localhost local]# docker pull 172.16.1.146:5000/registry:2.6.2
Trying to pull repository 172.16.1.146:5000/registry ...
2.6.2: Pulling from 172.16.1.146:5000/registry
Digest: sha256:feb40d14cd33e646b9985e2d6754ed66616fedb840226c4d917ef53d616dcd6c
Status: Downloaded newer image for 172.16.1.146:5000/registry:2.6.2
3.2 Registry with HTTPS:
Note: the client does not need the insecure-registries configuration here.
- Create the key
mkdir -p /usr/local/docker/registry/certs/
cd /usr/local/docker/registry/certs/
openssl genrsa -out docker.registry.key 2048
- Create the certificate
openssl req -newkey rsa:4096 -nodes -sha256 -keyout docker.registry.key -x509 -days 365 -out docker.registry.crt
An example of how the fields can be filled in:
[root@localhost certs]# openssl req -newkey rsa:4096 -nodes -sha256 -keyout docker.registry.key -x509 -days 365 -out docker.registry.crt
Generating a 4096 bit RSA private key
...........................................................................................++
.............................++
writing new private key to 'docker.registry.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:86
State or Province Name (full name) []:Anhui
Locality Name (eg, city) [Default City]:Hefei
Organization Name (eg, company) [Default Company Ltd]:xxxx
Organizational Unit Name (eg, section) []:xxxx
Common Name (eg, your name or your server's hostname) []:docker.registry
Email Address []:xxx@xxx.com
- Check the certificate validity dates.
[root@localhost docker.registry:5000]# openssl x509 -in docker.registry.crt -noout -dates
notBefore=Jul 5 06:58:36 2018 GMT
notAfter=Jul 5 06:58:36 2019 GMT
- Add the certificate to Docker's trust store
Because this is a self-signed certificate, Docker does not trust it by default, so it has to be added to Docker's trusted certificates. On CentOS 7 Docker looks for them under the following path:
mkdir -p /etc/docker/certs.d/docker.registry:5000
cp /usr/local/docker/registry/certs/docker.registry.crt /etc/docker/certs.d/docker.registry:5000/
docker.registry:5000 is the actual domain name and port used to reach the registry
- Start
docker run -d -p 5000:5000 --name registry2-sslauth -v /usr/local/docker/registry/certs/:/certs/ -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/docker.registry.crt -e REGISTRY_HTTP_TLS_KEY=/certs/docker.registry.key -v /usr/local/docker/registry/:/var/lib/registry/ registry:2.6.2
- Verify:
docker tag docker.io/registry:2.6.2 docker.registry:5000/registry:2.6.2
docker push docker.registry:5000/registry:2.6.2
docker rmi docker.registry:5000/registry:2.6.2
docker pull docker.registry:5000/registry:2.6.2
Everything else works as before; the API calls must use https.
3.3 Registry with username/password login
Generate the username:password entry
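Section 3.2 as one script, added here as an example and not the post's own commands. It keeps the post's hostname docker.registry, port 5000 and certificate directory, and creates key and certificate in a single openssl req call (the separate genrsa step above is redundant, because -newkey already generates the key and -keyout overwrites the earlier file). It adds two things the post does not have: a subjectAltName, because Docker releases built with Go 1.15 or later no longer fall back to the CN when matching the hostname (the -addext option needs OpenSSL 1.1.1 or newer, which is an assumption beyond the RHEL 7.3 environment shown), and an expiry check that turns the notAfter date printed by openssl x509 -dates into a count of remaining days, worth alerting on because a 365-day certificate breaks every push and pull the moment it lapses. GNU date is assumed for -d.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): self-signed TLS for a private
# registry:2, with a SAN and an expiry check.
# Assumptions: OpenSSL >= 1.1.1 (for -addext) and GNU date (for -d); the
# hostname, port and directories default to the values used in the post.
set -eu

HOST="${HOST:-docker.registry}"
PORT="${PORT:-5000}"
CERT_DIR="${CERT_DIR:-/usr/local/docker/registry/certs}"

# Whole days from START ($1) to END ($2), both in the form openssl prints,
# e.g. "Jul  5 06:58:36 2019 GMT". Negative when END is earlier than START.
days_between() {
  local start end
  start="$(date -u -d "$1" +%s)"
  end="$(date -u -d "$2" +%s)"
  echo $(( (end - start) / 86400 ))
}

# Days until the certificate file $1 expires; negative once it has lapsed.
cert_days_left() {
  local not_after
  not_after="$(openssl x509 -in "$1" -noout -enddate)"   # prints "notAfter=<date>"
  days_between "$(date -u '+%b %e %H:%M:%S %Y GMT')" "${not_after#notAfter=}"
}

# Key and certificate in one step. The SAN carries the hostname; a CN alone
# is not accepted by current Docker clients.
make_cert() {
  mkdir -p "$CERT_DIR"
  openssl req -x509 -newkey rsa:4096 -nodes -sha256 -days 365 \
    -keyout "$CERT_DIR/$HOST.key" -out "$CERT_DIR/$HOST.crt" \
    -subj "/CN=$HOST" \
    -addext "subjectAltName=DNS:$HOST"
  chmod 600 "$CERT_DIR/$HOST.key"   # private key readable by root only
}

# Make the Docker daemon trust this certificate for HOST:PORT only.
install_cert() {
  local dir="/etc/docker/certs.d/$HOST:$PORT"
  mkdir -p "$dir"
  cp "$CERT_DIR/$HOST.crt" "$dir/"
}

main() {
  make_cert
  install_cert
  echo "$HOST:$PORT certificate installed, valid for $(cert_days_left "$CERT_DIR/$HOST.crt") more days"
}

# Run as:  ./registry-tls.sh run   (without "run" the file only defines functions)
if [ "${1:-}" = "run" ]; then main; fi
```

cert_days_left can be dropped into a cron job that warns when the value falls below, say, 30, which is the check the one-year certificate created here needs.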
mkdir -p /usr/local/docker/registry/auth
docker run --entrypoint htpasswd registry:2.6.2 -Bbn admin ****** >> /usr/local/docker/registry/auth/htpasswd
The command above creates a user entry for the user admin with the password ******, stored in the file /usr/local/docker/registry/auth/htpasswd; the password in the file is stored as a hash, not in plain text.
Start:
docker run -d -p 5000:5000 --name registry2-httpauth --restart=always -v /usr/local/docker/registry/auth/:/auth/ -e "REGISTRY_AUTH=htpasswd" -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd -v /usr/local/docker/registry/:/var/lib/registry/ registry:2.6.2
- HTTP login:
docker login 172.16.1.146:5000
The client still needs the insecure-registries configuration from 3.1. Everything else works as before, and the API calls now require the username and password.
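Two hardening points on the htpasswd setup in 3.3, as an added example rather than the post's own commands. First, `htpasswd -Bbn admin ******` puts the password in the argument list, so it lands in the shell history and is visible in `ps` while the container runs; `htpasswd -i` reads it from stdin instead, and `docker login --password-stdin` (Docker 17.07 and later) does the same on the client. Second, the registry's htpasswd backend honours bcrypt hashes only; entries with any other hash type (from `htpasswd -m` or `-s`) are ignored, so that user simply cannot log in and nothing in the file says why. The check below catches such a file before the registry is started. The auth directory and the user name admin follow the post; the hashes in the sample file are constructed placeholders.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): safer credential handling for
# the htpasswd-protected registry of section 3.3.
# Assumptions: the registry:2.6.2 image provides htpasswd (the post relies on
# this too) and the client Docker supports --password-stdin (17.07+).
# AUTH_DIR and the user name follow the post.
set -eu

AUTH_DIR="${AUTH_DIR:-/usr/local/docker/registry/auth}"

# Append a bcrypt entry for user $1, prompting for the password without echo.
# htpasswd -i takes the password on stdin, so it never becomes a process argument.
add_registry_user() {
  local user="$1" pass
  mkdir -p "$AUTH_DIR"
  printf 'Password for %s: ' "$user"
  IFS= read -rs pass; echo
  printf '%s\n' "$pass" \
    | docker run --rm -i --entrypoint htpasswd registry:2.6.2 -Bin "$user" \
    >> "$AUTH_DIR/htpasswd"
}

# Validate htpasswd content read from stdin. registry:2 only honours bcrypt
# hashes ($2a$, $2b$ or $2y$ followed by a two-digit cost); anything else is
# reported on stderr and makes the function return 1.
check_htpasswd() {
  local line bad=0
  while IFS= read -r line || [ -n "$line" ]; do
    [ -z "$line" ] && continue
    case "$line" in
      *:\$2[aby]\$[0-9][0-9]\$*) ;;
      *:*) echo "non-bcrypt entry for user '${line%%:*}'" >&2; bad=1 ;;
      *)   echo "malformed line (no user:hash separator)" >&2; bad=1 ;;
    esac
  done
  return "$bad"
}

# Client side: password on stdin instead of in the argument list, e.g.
#   printf '%s' "$pass" | registry_login 172.16.1.146:5000 admin
registry_login() {
  docker login "$1" --username "$2" --password-stdin
}

# Constructed sample file: one valid bcrypt entry and one MD5 entry that the
# registry would silently ignore. The hashes are placeholders, not real ones.
SAMPLE_HTPASSWD='admin:$2y$05$PLACEHOLDERbcrypt.salt.and.hash.................
legacy:$apr1$PLACEHOL$PLACEHOLDERmd5hash...........'

# Example:  printf '%s\n' "$SAMPLE_HTPASSWD" | check_htpasswd && echo ok
# (fails here because of the legacy MD5 line)
```

Run `check_htpasswd < /usr/local/docker/registry/auth/htpasswd` before the `docker run ... registry:2.6.2` start command from 3.3; the file is only read once at registry startup, so a bad entry added later also needs a container restart to take effect.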