Container Cloud: docker-registry + docker-registry-web (image registry + registry management UI)
Posted 光を追うのCaius
1. Set up the environment
Pull the registry images
docker pull registry:2.4.1
docker pull hyper/docker-registry-web
Configure hostname resolution (add the following line to /etc/hosts)
vim /etc/hosts
172.22.6.241 docker-registry
2. Create the image registry
Certificate authentication:
Create the directory that holds the certificate
mkdir /opt/docker/data/registry_dir/certs -p
Create a self-signed certificate
openssl req -new -newkey rsa:4096 -days 365 -subj "/CN=docker-registry" -nodes -x509 -keyout /opt/docker/data/registry_dir/certs/auth.key -out /opt/docker/data/registry_dir/certs/auth.cert
Start a registry that uses the certificate
docker run -d -p 5000:5000 --restart=always --name registry-srv \
-v /opt/docker/data/registry_dir/registry:/var/lib/registry/ \
-v /opt/docker/data/registry_dir/certs:/certs \
-e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/auth.cert \
-e REGISTRY_HTTP_TLS_KEY=/certs/auth.key \
registry:2.4.1
Access the registry (--insecure makes curl skip verification of the self-signed certificate)
curl https://docker-registry:5000/v2/_catalog --insecure
Try pushing an image to the registry
docker push docker-registry:5000/busybox:latest
The following error appears
unable to ping registry endpoint https:/docker-registry:5000/v0/
v2 ping attempt failed with error: Get https://mydockerhub.com:5000/v2/: x509: certificate signed by unknown authority
v1 ping attempt failed with error: Get https://mydockerhub.com:5000/v1/_ping: x509: certificate signed by unknown authority
This is because the certificate has not been installed on the node yet
Install the certificate on the node
mkdir /etc/docker/certs.d/docker-registry:5000/ -p
cp /opt/docker/data/registry_dir/certs/auth.cert /etc/docker/certs.d/docker-registry:5000/ca.crt
systemctl daemon-reload
systemctl restart docker
Try pushing the image again
docker push docker-registry:5000/busybox:latest
The push refers to a repository [docker-registry:5000/busybox]
8a788232037e: Layer already exists
latest: digest: sha256:e2d9acbe92a6def141a9f9f2584468206735308df6a696430e25947882385fb2 size: 527
Certificate + password authentication:
Create the directory that holds the password file
mkdir /opt/docker/data/registry_dir/auth/ -p
Create the password file
docker run --entrypoint htpasswd registry:2.4.1 -Bbn linkcm 123456 > /opt/docker/data/registry_dir/auth/htpasswd
Start the registry with certificate + password authentication:
docker run -d -p 5000:5000 --restart=always --name registry-srv \
-v /opt/docker/data/registry_dir/registry:/var/lib/registry/ \
-v /opt/docker/data/registry_dir/certs:/certs \
-v /opt/docker/data/registry_dir/auth:/auth \
-e REGISTRY_AUTH=htpasswd \
-e REGISTRY_AUTH_HTPASSWD_REALM=Registry_Realm \
-e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd \
-e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/auth.cert \
-e REGISTRY_HTTP_TLS_KEY=/certs/auth.key \
registry:2.4.1
Try pushing an image to the registry
docker push docker-registry:5000/busybox:latest
https://docker-registry:5000/v2/tonybai/busybox/blobs/sha256:a3ed95caeb02ffe68cdd9fd84406680ae93d633cb16422d00e8a7c22955b46d4: no basic auth credentials
This is because Docker has not logged in to the registry
Log in with Docker
docker login docker-registry:5000
username:test
password:
login succeed!
Try pushing the image to the registry again
docker push docker-registry:5000/busybox:latest
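The script below is an added example, not part of the original post: a POSIX shell audit of the files created in this section (the htpasswd file, the unencrypted private key, and the node's ca.crt copy). The function names are hypothetical; the bcrypt check reflects that the registry's htpasswd backend only accepts bcrypt entries, which is why htpasswd is called with -B above.

```shell
#!/bin/sh
# Added example, not from the original post. Paths are arguments, so the
# checks can also be pointed at a copy of the directories.

# The registry's htpasswd backend accepts only bcrypt entries (hence -B).
audit_htpasswd() {   # $1 = htpasswd file
    [ -r "$1" ] || { echo "htpasswd: cannot read $1"; return 1; }
    awk -F: '
        /^[ \t]*$/ { next }    # htpasswd -n ends its output with a blank line
        NF != 2 || $1 == "" { printf "htpasswd line %d: malformed\n", NR; bad = 1; next }
        $2 !~ /^\$2[aby]\$[0-9][0-9]\$/ || length($2) != 60 {
            printf "htpasswd user %s: not a bcrypt hash\n", $1; bad = 1 }
        END { exit bad }' "$1"
}

# The key was written unencrypted (-nodes): only its owner should have access.
audit_key_mode() {   # $1 = private key file
    [ -f "$1" ] || { echo "key: $1 missing"; return 1; }
    case $(ls -ld "$1" | cut -c5-10) in   # group and other permission bits
        ------) return 0 ;;
        *) echo "key: $1 is accessible to group or others"; return 1 ;;
    esac
}

# The node trusts the registry through certs.d/<host:port>/ca.crt; the post
# copies auth.cert there, so the two files are expected to be identical.
audit_node_trust() {   # $1 = server cert, $2 = certs.d dir, $3 = host:port
    [ -f "$2/$3/ca.crt" ] || { echo "trust: $2/$3/ca.crt missing"; return 1; }
    cmp -s "$1" "$2/$3/ca.crt" || { echo "trust: ca.crt differs from $1"; return 1; }
}

audit_registry_files() {   # $1 = registry_dir, $2 = certs.d dir, $3 = host:port
    rc=0
    audit_htpasswd "$1/auth/htpasswd" || rc=1
    audit_key_mode "$1/certs/auth.key" || rc=1
    audit_node_trust "$1/certs/auth.cert" "$2" "$3" || rc=1
    return "$rc"
}

# e.g. sh audit.sh /opt/docker/data/registry_dir /etc/docker/certs.d docker-registry:5000
if [ "$#" -eq 3 ]; then audit_registry_files "$@"; fi
```

A missing or mismatched ca.crt is the condition behind the "x509: certificate signed by unknown authority" error shown earlier.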
3. Create the registry management UI
This method assumes the registry uses certificate authentication only; for a registry that also requires password authentication, please search online.
docker run -d -p 8080:8080 --name registry-web --link registry-srv \
-e REGISTRY_URL=https://registry-srv:5000/v2 \
-e REGISTRY_TRUST_ANY_SSL=true \
-e REGISTRY_NAME=localhost:5000 \
hyper/docker-registry-web
Access the registry UI
http://172.22.6.241:8080/