Enterprise Ops Containers: Docker Registries
Posted by 123坤
1. What is a registry?
- A Docker registry is where images are kept. Docker provides a registry server (Register) that holds multiple repositories, and each repository can in turn contain multiple images with different tags.
- The default registry Docker uses at runtime is the public Docker Hub.
The Docker workflow is shown in the figure below:
2. Docker Hub
Docker Hub is the public registry maintained by Docker Inc. Users can use it for free and can also purchase private repositories.
- First register an account at https://hub.docker.com/; then create a new public repository on Docker Hub.
- Next, to upload an image from the Docker host, log in first:
[root@server1 ~]# docker login
Username: yakexi007
Password: <enter password>
- To tell apart same-named images belonging to different users, Docker Hub requires image names of the form [username]/xxx:tag
#docker tag busybox:latest yakexi007/busybox:latest
- Push the image to Docker Hub
#docker push yakexi007/busybox:latest
- Pull the image from Docker Hub
#docker pull yakexi007/busybox:latest
- Remove the local image
#docker rmi yakexi007/busybox:latest
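The naming rule above is what the Docker client applies to every reference before it decides which registry to contact: a bare name goes to docker.io under the library/ namespace, [username]/name goes to docker.io under that user, and anything whose first component contains a dot or a port (or is exactly localhost) names a registry host. The following POSIX sh function, added here as an example and not part of the original post, implements that normalization for the reference forms used throughout this post (Docker Hub names, localhost:5000/..., reg.westos.org/... and @sha256 digest references). The function name normalize_ref and the sample references are this example's own.

```sh
#!/bin/sh
# Added example: normalise a Docker image reference into
# registry/repository:tag (or registry/repository@digest) using the same
# rules the Docker client applies when choosing the registry to talk to.
# normalize_ref REF
normalize_ref() {
    ref=$1
    digest=""
    # A digest reference (...@sha256:...) is split off first; it wins over any tag.
    case "$ref" in
        *@sha256:*) digest="@${ref#*@}"; ref=${ref%%@*} ;;
    esac

    # The first path component is a registry host only if it looks like one:
    # it contains a dot or a port, or is exactly "localhost". Otherwise the
    # reference belongs to Docker Hub (docker.io).
    first=${ref%%/*}
    if [ "$first" = "$ref" ]; then
        registry=docker.io; rest=$ref
    else
        case "$first" in
            localhost|*.*|*:*) registry=$first;   rest=${ref#*/} ;;
            *)                 registry=docker.io; rest=$ref ;;
        esac
    fi

    # Repository path components never contain ':', so a ':' in the remainder
    # always introduces the tag.
    tag=""
    case "$rest" in
        *:*) tag=${rest##*:}; rest=${rest%:*} ;;
    esac

    # Docker Hub keeps single-component names under the "library/" namespace,
    # which is why user images must be named [username]/name:tag.
    if [ "$registry" = docker.io ]; then
        case "$rest" in
            */*) ;;
            *)   rest="library/$rest" ;;
        esac
    fi

    if [ -n "$digest" ]; then
        printf '%s/%s%s\n' "$registry" "$rest" "$digest"
    else
        [ -n "$tag" ] || tag=latest
        printf '%s/%s:%s\n' "$registry" "$rest" "$tag"
    fi
}

# Constructed sample references covering the cases that appear in this post.
for r in busybox nginx:1.21 yakexi007/busybox:latest localhost:5000/game2048 \
         reg.westos.org/nginx:latest \
         localhost:5000/game2048@sha256:8a34fb9cb168c420604b6e5d32ca6d412cb0d533a826b313b190535c03fe9390; do
    printf '%-60s -> %s\n' "$r" "$(normalize_ref "$r")"
done
```

The output makes visible why `docker tag yakexi007/game2048 localhost:5000/game2048` later in this post is enough to redirect a push: the tag changes only the registry part of the normalised name, and the image ID stays the same.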
3. How the registry works
- What happens behind a docker pull or push
The index service provides the image index and user authentication. When an image is downloaded, the client first authenticates against the index service; the index looks up the address of the registry that holds the image and returns it to the Docker client. The client then downloads the image from that registry, and during the download the registry checks the validity of the client's token with the index. Different images can be stored on different registry servers, while their index information all lives on the index service.
- A Docker registry deployment has three roles: index, registry and registry client.
index: maintains information about user accounts, image checksums and the public namespace. It provides the Web UI, metadata storage, the authentication service and tokenization.
registry: stores images and graphs; it has no local database and does no user authentication itself, relying instead on tokens issued by the index auth service.
registry client: Docker acts as the registry client, handling push and pull as well as client-side authorization.
- Scenario A: the user wants to fetch and download an image.
- Scenario B: the user wants to push an image to the registry.
- Scenario C: the user wants to delete an image from the index or the registry.
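The token step described above is visible on the wire: a registry that requires authentication answers the first request with 401 and a `Www-Authenticate: Bearer` challenge naming the auth (index) service as the realm, the service name and the scope, and the client must turn that challenge into a token request before it can pull. The POSIX sh functions below, added here as an example and not part of the original post, parse such a challenge and build the token URL; the challenge text is a constructed sample in the format Docker Hub's registry returns for an anonymous pull of library/busybox, and the function names are this example's own.

```sh
#!/bin/sh
# Added example: the first step of the token handshake between a Docker
# client and an authenticating registry.

# bearer_param CHALLENGE NAME -> prints the value of NAME="..." (empty if absent)
bearer_param() {
    printf '%s\n' "$1" | sed -n "s/.*[ ,]$2=\"\([^\"]*\)\".*/\1/p"
}

# token_url CHALLENGE -> prints "<realm>?service=<service>&scope=<scope>",
# the URL the client fetches (with its credentials) to obtain a bearer token.
# Fails (exit 1) when the challenge is not a Bearer challenge or has no realm.
token_url() {
    case "$1" in
        *"Bearer "*) ;;
        *) return 1 ;;
    esac
    realm=$(bearer_param "$1" realm)
    service=$(bearer_param "$1" service)
    scope=$(bearer_param "$1" scope)
    [ -n "$realm" ] || return 1
    url="$realm?service=$service"
    if [ -n "$scope" ]; then
        url="$url&scope=$scope"
    fi
    printf '%s\n' "$url"
}

# Constructed challenge header (the format Docker Hub returns for an anonymous
# pull of library/busybox).
CHALLENGE='Www-Authenticate: Bearer realm="https://auth.docker.io/token",service="registry.docker.io",scope="repository:library/busybox:pull"'

token_url "$CHALLENGE"

# A Basic challenge, as returned by an htpasswd-protected private registry,
# has no token endpoint: the client sends its credentials directly instead.
BASIC='Www-Authenticate: Basic realm="Registry Realm"'
token_url "$BASIC" || echo "no token endpoint: Basic auth, credentials go straight to the registry"
```

The scope value is passed through unencoded here; a real client percent-encodes it, which matters only because the scope contains colons and slashes. The registry later validates the token it receives against the same auth service, which is the "registry checks the token with the index" step in the text.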
Docker Hub is convenient but has limitations: it needs an internet connection and is slow; everyone can access it; and for security reasons companies do not allow images to be put on the public internet. The good news is that Docker has open-sourced the registry, so an enterprise private registry can be built quickly.
https://docs.docker.com/registry/deploying/
The registry built earlier had no authentication and is of limited use; next we set up a private registry;
Setting up the private registry:
[root@server1 ~]# docker search registry ## search
[root@server1 ~]# docker pull registry ## pull the image
[root@server1 ~]# docker history registry:latest ## shows the port the container exposes
IMAGE CREATED CREATED BY SIZE COMMENT
1fd8e1b0bb7e 5 weeks ago /bin/sh -c #(nop) CMD ["/etc/docker/registr… 0B
<missing> 5 weeks ago /bin/sh -c #(nop) ENTRYPOINT ["/entrypoint.… 0B
<missing> 5 weeks ago /bin/sh -c #(nop) COPY file:507caa54f88c1f38… 155B
<missing> 5 weeks ago /bin/sh -c #(nop) EXPOSE 5000 0B
<missing> 5 weeks ago /bin/sh -c #(nop) VOLUME [/var/lib/registry] 0B
<missing> 5 weeks ago /bin/sh -c #(nop) COPY file:4544cc1555469403… 295B
<missing> 5 weeks ago /bin/sh -c #(nop) COPY file:21256ff7df5369f7… 20.1MB
<missing> 5 weeks ago /bin/sh -c set -ex && apk add --no-cache… 549kB
<missing> 5 weeks ago /bin/sh -c #(nop) CMD ["/bin/sh"] 0B
<missing> 5 weeks ago /bin/sh -c #(nop) ADD file:282b9d56236cae296… 5.62MB
[root@server1 ~]# docker run -d --name registry -p 5000:5000 registry
## run the registry with a port mapping: the first number is the host port, the second the container port
7bb13092f4e40a9bc129a7a94a71d188b0360e1dc244d834372580fea6857d4f
[root@server1 ~]# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
7bb13092f4e4 registry "/entrypoint.sh /etc…" 3 seconds ago Up 2 seconds 0.0.0.0:5000->5000/tcp registry
[root@server1 ~]# docker inspect registry
## use this to view the mount information; with no volume specified, the engine's own anonymous volume is used
[root@server1 ~]# docker images
[root@server1 ~]# docker tag yakexi007/game2048:latest localhost:5000/game2048
## retag the image; the registry prefix distinguishes same-named images from different users
[root@server1 ~]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
rhel7 v4 b3388a690329 6 hours ago 31.9MB
<none> <none> 4cf308c51260 6 hours ago 146MB
rhel7 v3 00f0b93070b1 7 hours ago 141MB
rhel7 v2 55fd86415086 7 hours ago 255MB
rhel7 v1 c8aeebec1de9 7 hours ago 296MB
nginx latest d1a364dc548d 18 hours ago 133MB
busybox v1 ec156da50087 43 hours ago 1.24MB
busybox latest d3cd072556c2 8 days ago 1.24MB
registry latest 1fd8e1b0bb7e 5 weeks ago 26.2MB
yakexi007/game2048 latest 19299002fdbe 4 years ago 55.5MB
localhost:5000/game2048 latest 19299002fdbe 4 years ago 55.5MB
rhel7 latest 0a3eb3fde7fd 6 years ago 140MB
gcr.io/distroless/base-debian10 latest d48fcdd54946 51 years ago 19.2MB
## the newly added tag is visible; the two entries differ only in name, the image ID is the same
[root@server1 ~]# docker push localhost:5000/game2048:latest ## push
[root@server1 ~]# cd /var/lib/docker/volumes/c6ab78e2115ecc13a0b019bd902d9c7a1576d034e7b63669068ac75e05e98108/_data
[root@server1 _data]# ls
docker ## the pushed data actually lives in the attached volume
After pushing to the registry, delete the local images and check whether the image can be pulled again;
[root@server1 ~]# docker rmi localhost:5000/game2048:latest
Untagged: localhost:5000/game2048:latest
Untagged: localhost:5000/game2048@sha256:8a34fb9cb168c420604b6e5d32ca6d412cb0d533a826b313b190535c03fe9390
[root@server1 ~]# docker rmi yakexi007/game2048:latest
Untagged: yakexi007/game2048:latest
Untagged: yakexi007/game2048@sha256:8a34fb9cb168c420604b6e5d32ca6d412cb0d533a826b313b190535c03fe9390
Deleted: sha256:19299002fdbedc133c625488318ba5106b8a76ca6e34a6a8fec681fb54f5e4c7
Deleted: sha256:a8ba4f00c5b89c2994a952951dc7b043f18e5ef337afdb0d4b8b69d793e9ffa7
Deleted: sha256:e2ea5e1f4b9cfe6afb588167bb38d833a5aa7e4a474053083a5afdca5fff39f0
Deleted: sha256:1b2dc5f636598b4d6f54dbf107a3e34fcba95bf08a7ab5a406d0fc8865ce2ab2
Deleted: sha256:af457147a7ab56e4d77082f56d1a0d6671c1a44ded1f85fea99817231503d7b4
Deleted: sha256:011b303988d241a4ae28a6b82b0d8262751ef02910f0ae2265cb637504b72e36
[root@server1 ~]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
<none> <none> 4cf308c51260 6 hours ago 146MB
rhel7 v4 b3388a690329 6 hours ago 31.9MB
rhel7 v3 00f0b93070b1 7 hours ago 141MB
rhel7 v2 55fd86415086 7 hours ago 255MB
rhel7 v1 c8aeebec1de9 7 hours ago 296MB
nginx latest d1a364dc548d 18 hours ago 133MB
busybox v1 ec156da50087 43 hours ago 1.24MB
busybox latest d3cd072556c2 8 days ago 1.24MB
registry latest 1fd8e1b0bb7e 5 weeks ago 26.2MB
rhel7 latest 0a3eb3fde7fd 6 years ago 140MB
gcr.io/distroless/base-debian10 latest d48fcdd54946 51 years ago 19.2MB
[root@server1 ~]# docker pull localhost:5000/game2048:latest
## the image is pulled successfully from the local registry
latest: Pulling from game2048
534e72e7cedc: Pull complete
f62e2f6dfeef: Pull complete
fe7db6293242: Pull complete
3f120f6a2bf8: Pull complete
4ba4e6930ea5: Pull complete
Digest: sha256:8a34fb9cb168c420604b6e5d32ca6d412cb0d533a826b313b190535c03fe9390
Status: Downloaded newer image for localhost:5000/game2048:latest
localhost:5000/game2048:latest
[root@server1 ~]# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
143abac135cb registry "/entrypoint.sh /etc…" 11 minutes ago Up 11 minutes 0.0.0.0:5000->5000/tcp registry
At this point the registry can only be used for push and pull from the local host; by default remote hosts cannot use it. For a remote host to reach it, its daemon must be told that this registry is insecure (plain HTTP);
To test remote access, bring up a second virtual machine; first set up the docker software repository on it and install the docker tools;
[root@server2 yum.repos.d]# ls
docker.repo dvd.repo redhat.repo
[root@server2 yum.repos.d]# cat docker.repo
[docker]
name=docker-ce
baseurl=http://172.25.25.250/docker-ce
gpgcheck=0
[root@server2 ~]# yum install -y docker-ce
[root@server2 docker]# systemctl enable --now docker.service
[root@server2 sysctl.d]# cat dokcer.conf
net.bridge.bridge-nf-call-iptables = 1
net.bridge.bridge-nf-call-ip6tables = 1
[root@server2 docker]# sysctl --system
[root@server2 sysctl.d]# docker info
## docker info now shows no errors
After that, we still need to tell Docker that the registry it pulls from is an insecure one;
[root@server2 ~]# cd /etc/docker/
[root@server2 docker]# ls
key.json
[root@server2 docker]# vim daemon.json
[root@server2 docker]# cat daemon.json
{
"insecure-registries": ["172.25.25.1:5000"]
}
[root@server2 docker]# systemctl reload docker
[root@server2 docker]# docker info
Registry: https://index.docker.io/v1/
Labels:
Experimental: false
Insecure Registries: ## the insecure registry is now listed here
172.25.25.1:5000
127.0.0.0/8
Live Restore Enabled: false
[root@server2 docker]# docker pull 172.25.25.1:5000/game2048:latest
## the remote host can now pull the image
Using default tag: latest
latest: Pulling from game2048
534e72e7cedc: Pull complete
f62e2f6dfeef: Pull complete
fe7db6293242: Pull complete
3f120f6a2bf8: Pull complete
4ba4e6930ea5: Pull complete
Digest: sha256:8a34fb9cb168c420604b6e5d32ca6d412cb0d533a826b313b190535c03fe9390
Status: Downloaded newer image for 172.25.25.1:5000/game2048:latest
172.25.25.1:5000/game2048:latest
[root@server2 docker]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
172.25.25.1:5000/game2048 latest 19299002fdbe 4 years ago 55.5MB
The above is the simplest local registry, with no encryption or authentication involved.
4. Configure a registry mirror (accelerator)
Pulling images from Docker Hub is too slow, so a mirror is configured; Alibaba Cloud is used as the example here (an Alibaba Cloud account must be registered in advance).
Edit the docker daemon file:
vim /etc/docker/daemon.json
{
"registry-mirrors": ["https://vo5twm71.mirror.aliyuncs.com"]
}
Reload the docker service:
#systemctl daemon-reload
#systemctl restart docker
5. Setting up a private registry
Remove the previous registry and its volume;
[root@server1 ~]# docker rm -f registry
registry
[root@server1 ~]# docker volume ls
DRIVER VOLUME NAME
local 7ee3956be7d3474e7bc2111d81fbee8db3422789fb64831342e65d2408ef5532
[root@server1 ~]# docker volume prune ## remove all unused volumes
WARNING! This will remove all local volumes not used by at least one container.
Are you sure you want to continue? [y/N] y
Deleted Volumes:
7ee3956be7d3474e7bc2111d81fbee8db3422789fb64831342e65d2408ef5532
Total reclaimed space: 17.75MB
[root@server1 ~]# docker container prune ## remove containers that are not running
WARNING! This will remove all stopped containers.
Are you sure you want to continue? [y/N] y
Total reclaimed space: 0B
[root@server1 ~]# docker image prune ## remove all dangling images
WARNING! This will remove all dangling images.
Are you sure you want to continue? [y/N] y
Deleted Images:
deleted: sha256:4cf308c51260643b216ebfa2ad0c853f0a190de24645d0031d3d20e687801a80
deleted: sha256:d8eefca77d25ab5621bb75f669ee3ed19a98cf336586d89e9d09c74f37e1711e
deleted: sha256:9824bd8622ef082374d053fb2fb1cef2b24042390155c0d86c58e947a0f952f2
Total reclaimed space: 12.72MB
[root@server1 ~]# docker rmi rhel7:v4 ## remove unneeded images one by one
Untagged: rhel7:v4
Deleted: sha256:b3388a690329390dacbdcd45df04a82df802b02f5c87548318f916aa88d64dab
Deleted: sha256:52d6aca444a9b645652020d25a103009851df5bc6d18f054a47d97932ec4b74b
Deleted: sha256:55d6bb5728eb74472779ae0efd045b8bb46c29176157d1c8416ce047d50b1cda
Deleted: sha256:36cd5ddf7ad3cdb0bf355bb689422f2935f5a93039b30bfb9dacacc978250022
Deleted: sha256:e675a6f01e302b423efb94d625945041619b4cdd5fc5a52b2495a0a042065323
Help with setting up a private registry is available on the official site: docs.docker.com/registry
- Add certificate (TLS) encryption to the Docker registry
Generate the certificate (the domain westos.org must resolve on the host)
[root@server1 ~]# mkdir -p certs ## create a directory
[root@server1 ~]# openssl req -newkey rsa:4096 -nodes -sha256 -keyout certs/westos.org.key -x509 -days 365 -out certs/westos.org.crt
## generate the self-signed certificate
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:shaanxi
Locality Name (eg, city) [Default City]:xi'an
Organization Name (eg, company) [Default Company Ltd]:westos
Organizational Unit Name (eg, section) []:linux
Common Name (eg, your name or your server's hostname) []:reg.westos.org
Email Address []:root@westos.org
[root@server1 ~]# ls certs/
westos.org.crt westos.org.key
## rebuild the registry container: --restart=always starts it at boot; -v bind mounts must use absolute paths;
## REGISTRY_HTTP_ADDR sets the listen address and port; -p maps the port; /opt/registry holds the data
[root@server1 ~]# docker run -d \
> --restart=always \
> --name registry \
> -v "$(pwd)"/certs:/certs \
> -e REGISTRY_HTTP_ADDR=0.0.0.0:443 \
> -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/westos.org.crt \
> -e REGISTRY_HTTP_TLS_KEY=/certs/westos.org.key \
> -p 443:443 \
> -v /opt/registry:/var/lib/registry registry
648da93dda348129139e9a3910b33139ef59f7e27f9aaca387d8137d645b6f10
[root@server1 ~]# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
648da93dda34 registry "/entrypoint.sh /etc…" About a minute ago Up About a minute 0.0.0.0:443->443/tcp, 5000/tcp registry
[root@server1 ~]# cd /opt/registry/ ## directory created automatically by the bind mount
[root@server1 registry]# ls
[root@server1 registry]# docker volume ls ## no volumes listed: the bind mount replaces the earlier volume
DRIVER VOLUME NAME
Name resolution is needed to connect
[root@server1 registry]# vim /etc/hosts ## add the entry
[root@server1 registry]# cat /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
172.25.15.250 foundation15.ilt.example.com
172.25.15.1 server1 reg.westos.org
172.25.15.2 server2
172.25.15.3 server3
172.25.15.4 server4
172.25.15.5 server5
172.25.15.6 server6
Push
[root@server1 ~]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
nginx latest f0b8a9a54136 10 days ago 133MB
registry latest 1fd8e1b0bb7e 5 weeks ago 26.2MB
localhost:5000/game2048 latest 19299002fdbe 4 years ago 55.5MB
rhel7 latest 0a3eb3fde7fd 6 years ago 140MB
gcr.io/distroless/base-debian10 latest d48fcdd54946 51 years ago 19.2MB
[root@server1 ~]# docker tag nginx:latest reg.westos.org/nginx:latest
## rename
[root@server1 ~]# docker push reg.westos.org/nginx:latest
## the push fails at this point: the certificate is not trusted
The push refers to repository [reg.westos.org/nginx]
Get https://reg.westos.org/v2/: x509: certificate signed by unknown authority
Let Docker pick up the certificate automatically;
[root@server1 ~]# cd certs/
[root@server1 certs]# ls
westos.org.crt westos.org.key
[root@server1 certs]# cd /etc/docker/
[root@server1 docker]# ls
daemon.json key.json
[root@server1 docker]# mkdir certs.d
[root@server1 docker]# cd certs.d/
[root@server1 certs.d]# mkdir reg.westos.org
[root@server1 certs.d]# cd reg.westos.org/
[root@server1 reg.westos.org]# cp ~/certs/westos.org.crt ca.crt
[root@server1 reg.westos.org]# ls
ca.crt
Push again and check
[root@server1 reg.westos.org]# docker push reg.westos.org/nginx:latest
## with the certificate trusted, the push now goes over TLS
The push refers to repository [reg.westos.org/nginx]
f0f30197ccf9: Pushed
eeb14ff930d4: Pushed
c9732df61184: Pushed
4b8db2d7f35a: Pushed
431f409d4c5a: Pushed
02c055ef67f5: Pushed
latest: digest: sha256:eba373a0620f68ffdc3f217041ad25ef084475b8feb35b992574cd83698e9e3c size: 1570
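The interactive openssl command above sets only the Common Name. Docker clients built with Go 1.15 or newer no longer fall back to the CN and reject such a certificate with "x509: certificate relies on legacy Common Name field, use SANs instead", so a subjectAltName is needed in practice. The POSIX sh functions below, added here as an example and not part of the original post, generate the certificate non-interactively with a SAN (requires OpenSSL 1.1.1 or newer for -addext and -ext), verify that it is usable before the registry is started, and copy it into the per-registry certs.d directory the post creates by hand. Function names, the argument layout and the use of a temporary directory in place of ~/certs and /etc/docker/certs.d are this example's own.

```sh
#!/bin/sh
# Added example: generate and check a self-signed registry certificate that
# carries a subjectAltName, then install it where dockerd will trust it.

# make_registry_cert OUTDIR HOST [DAYS] -> writes OUTDIR/HOST.key and OUTDIR/HOST.crt
make_registry_cert() {
    outdir=$1; host=$2; days=${3:-365}
    mkdir -p "$outdir"
    openssl req -newkey rsa:4096 -nodes -sha256 \
        -keyout "$outdir/$host.key" \
        -x509 -days "$days" \
        -subj "/C=cn/ST=shaanxi/L=xi'an/O=westos/OU=linux/CN=$host" \
        -addext "subjectAltName=DNS:$host" \
        -out "$outdir/$host.crt" 2>/dev/null
    chmod 600 "$outdir/$host.key"
}

# cert_has_san CERT HOST -> exit 0 only if the certificate lists exactly DNS:HOST
# in its subjectAltName (a prefix match would accept DNS:HOST.evil as well)
cert_has_san() {
    openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null \
        | tr ',' '\n' | sed 's/^[[:space:]]*//' | grep -qx "DNS:$2"
}

# cert_verifies_as_ca CERT -> exit 0 if the certificate verifies against itself,
# i.e. it can serve as the ca.crt that clients trust
cert_verifies_as_ca() {
    openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}

# install_registry_ca CERT HOST [CERTS_D] -> copies CERT to CERTS_D/HOST/ca.crt,
# the path dockerd consults for a registry's CA (default /etc/docker/certs.d)
install_registry_ca() {
    base=${3:-/etc/docker/certs.d}
    mkdir -p "$base/$2"
    cp "$1" "$base/$2/ca.crt"
}

# Usage with the post's hostname. A temporary directory stands in for ~/certs
# and /etc/docker/certs.d so this runs without root; pass the real paths to use it.
tmp=$(mktemp -d)
make_registry_cert "$tmp/certs" reg.westos.org
cert_has_san "$tmp/certs/reg.westos.org.crt" reg.westos.org && echo "SAN ok"
cert_verifies_as_ca "$tmp/certs/reg.westos.org.crt" && echo "self-signed chain ok"
install_registry_ca "$tmp/certs/reg.westos.org.crt" reg.westos.org "$tmp/certs.d"
ls "$tmp/certs.d/reg.westos.org"
rm -rf "$tmp"
```

Running the same checks against the certificate produced by the post's interactive command shows the difference: cert_has_san fails because no SAN extension is present, which is exactly the condition a current Docker client rejects.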
- Add user authentication to the Docker registry
[root@server1 ~]# yum install httpd-tools.x86_64 -y ## install httpd-tools, which provides the htpasswd tool
[root@server1 ~]# mkdir auth
[root@server1 ~]# htpasswd -cB auth/htpasswd admin
## generate the user/password file
New password:
Re-type new password:
Adding password for user admin
[root@server1 ~]# cat auth/htpasswd
admin:$2y$05$xcuFrJ8i4.5h8mWViTE0mONnMdPgm0SW6INIOWpQfD.L1RjaxcO92
[root@server1 ~]# htpasswd -B auth/htpasswd zxk
## note: -c is only needed the first time; using -c again when adding later users overwrites the earlier file; -B is mandatory here
New password:
Re-type new password:
Adding password for user zxk
[root@server1 ~]# cat auth/htpasswd
admin:$2y$05$xcuFrJ8i4.5h8mWViTE0mONnMdPgm0SW6INIOWpQfD.L1RjaxcO92
zxk:$2y$05$vDNpTjzreUkjfnzxfpZBYuB63W16zXPOl0mwu97sFIrKb0idr3c/2
Remove the previous registry and run it again; removing the registry does not delete the data;
[root@server1 ~]# docker rm -f registry
registry
[root@server1 ~]# ll -d /opt/registry/
drwxr-xr-x 3 root root 20 May 23 10:02 /opt/registry/
[root@server1 ~]# cd /data/
[root@server1 data]# ls
[root@server1 data]# mv ~/auth/ .
[root@server1 data]# ls
auth
[root@server1 data]# mv ~/certs/ .
[root@server1 data]# ls
auth certs ## keep both under /data to avoid relative paths when running the container
Rebuild the registry container, this time running it with password authentication
[root@server1 ~]# docker run -d \
--restart=always \
--name registry \
-v /data/certs:/certs \
-e REGISTRY_HTTP_ADDR=0.0.0.0:443 \
-e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/westos.org.crt \
-e REGISTRY_HTTP_TLS_KEY=/certs/westos.org.key \
-p 443:443 -v /opt/registry:/var/lib/registry -v /data/
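The reason -B is mandatory in the htpasswd step is that the registry's htpasswd authenticator accepts bcrypt hashes only (the $2y$/$2a$/$2b$ entries htpasswd -B writes). Users added with -m (apr1/MD5), -s (SHA1) or plain crypt appear in the file but can never log in, and a second htpasswd -c silently discards earlier users, both of which surface only as login failures. The POSIX sh function below, added here as an example and not part of the original post, checks an htpasswd file for those problems before the registry is started. The function name, the constructed sample file (the two bcrypt entries from the post plus a placeholder apr1 entry and a duplicate) and the mktemp usage are this example's own.

```sh
#!/bin/sh
# Added example: validate an htpasswd file for use with the Docker registry.

# check_htpasswd FILE -> prints one problem per line; exit 1 if any were found
check_htpasswd() {
    awk -F: '
        /^[[:space:]]*$/ { next }                       # skip blank lines
        NF != 2 { bad++; print "line " NR ": malformed entry"; next }
        $1 == "" { bad++; print "line " NR ": empty user name"; next }
        seen[$1]++ { bad++; print "line " NR ": duplicate user " $1; next }
        # bcrypt entries look like $2y$05$<53 chars>; the registry accepts nothing else
        $2 !~ /^\$2[aby]\$[0-9][0-9]\$/ {
            bad++; print "line " NR ": user " $1 " is not bcrypt (registry will reject the login)"; next
        }
        END { exit bad ? 1 : 0 }
    ' "$1"
}

# write_sample_htpasswd FILE -> constructed sample: the two users from the post,
# a placeholder apr1 (htpasswd -m) entry and a duplicate user
write_sample_htpasswd() {
    cat > "$1" <<'EOF'
admin:$2y$05$xcuFrJ8i4.5h8mWViTE0mONnMdPgm0SW6INIOWpQfD.L1RjaxcO92
zxk:$2y$05$vDNpTjzreUkjfnzxfpZBYuB63W16zXPOl0mwu97sFIrKb0idr3c/2
legacy:$apr1$PLACEHOLD$XXXXXXXXXXXXXXXXXXXXXX
zxk:$2y$05$vDNpTjzreUkjfnzxfpZBYuB63W16zXPOl0mwu97sFIrKb0idr3c/2
EOF
}

SAMPLE=$(mktemp)
write_sample_htpasswd "$SAMPLE"
check_htpasswd "$SAMPLE" || echo "fix the entries above before starting the registry"
rm -f "$SAMPLE"
```

Run check_htpasswd against /data/auth/htpasswd after every htpasswd invocation; an empty output and exit status 0 means every user listed will actually be accepted by the registry.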