Docker Learning and Practice


IV. Registry Management

1. Creating a local registry

① Pull the official registry image

[[email protected] ~]# docker run -d -p 5000:5000 --restart=always --name registry registry:2
Unable to find image 'registry:2' locally
2: Pulling from library/registry
81033e7c1d6a: Pull complete 
b235084c2315: Pull complete 
c692f3a6894b: Pull complete 
ba2177f3a70e: Pull complete 
a8d793620947: Pull complete 
Digest: sha256:672d519d7fd7bbc7a448d17956ebeefe225d5eb27509d8dc5ce67ecb4a0bce54
Status: Downloaded newer image for registry:2
f59d18d8302b6589d5e94f901c1161a48854593cc32ee3259c806bc648c437df

# By default the registry stores its data in /var/lib/registry inside the container; use -v to keep the image files in a chosen directory on the host.

docker run -d -p 5000:5000 --restart=always -v /opt/docker/registry/data:/var/lib/registry --name registry registry:2

② Push an image to the registry

[[email protected] ~]# docker tag nginx:latest 192.168.10.131:5000/nginx:latest
[[email protected] ~]# docker push 192.168.10.131:5000/nginx:latest
The push refers to repository [192.168.10.131:5000/nginx]
Get https://192.168.10.131:5000/v2/: http: server gave HTTP response to HTTPS client

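# On CentOS 7, Docker has to be configured to allow access to this registry without HTTPS (the insecure-registries entry below) and then restarted. Traffic to a registry listed there is neither encrypted nor authenticated by TLS.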

[[email protected] ~]# cat /etc/docker/daemon.json
{
    "registry-mirrors": [
        "https://registry.docker-cn.com"
    ],
    "insecure-registries": [
        "192.168.10.131:5000"
    ]
}
[[email protected] ~]# systemctl restart docker.service
[[email protected] ~]# docker push 192.168.10.131:5000/nginx:latest
The push refers to repository [192.168.10.131:5000/nginx]
e89b70d28795: Pushed 
832a3ae4ac84: Pushed 
014cf8bfcb2d: Pushed 
latest: digest: sha256:600bff7fb36d7992512f8c07abd50aac08db8f17c94e3c83e47d53435a1a6f7c size: 948
[[email protected] ~]# curl 192.168.10.131:5000/v2/_catalog
{"repositories":["nginx"]}

③ Delete the local image and pull it again from the registry

[[email protected] ~]# docker image rm 192.168.10.131:5000/nginx:latest
[[email protected] ~]# docker pull 192.168.10.131:5000/nginx:latest
latest: Pulling from nginx
8176e34d5d92: Pull complete 
5b19c1bdd74b: Pull complete 
4e9f6296fa34: Pull complete 
Digest: sha256:600bff7fb36d7992512f8c07abd50aac08db8f17c94e3c83e47d53435a1a6f7c
Status: Downloaded newer image for 192.168.10.131:5000/nginx:latest

2. Configuring a private registry with certificate authentication

① Edit /etc/pki/tls/openssl.cnf so that the certificate supports access by IP address

[ v3_ca ]
subjectAltName = IP:192.168.10.131

② Generate the certificate and key with openssl

[[email protected] registry]# mkdir -p certs 
[[email protected] registry]# openssl req \
> -newkey rsa:4096 -nodes -sha256 -keyout certs/domain.key \
> -x509 -days 365 -out certs/domain.crt
Generating a 4096 bit RSA private key
...........++
..............................................................................................++
writing new private key to 'certs/domain.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:
Locality Name (eg, city) [Default City]:
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:192.168.10.131:5000
Email Address []:

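③ Copy the newly generated domain.crt to /etc/docker/certs.d/192.168.100.9:5000/ca.crt and restart Docker (Docker looks up ca.crt in the directory named after the registry's host:port)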

[[email protected] registry]# mkdir -p /etc/docker/certs.d/192.168.100.9:5000
[[email protected] registry]# cp certs/domain.crt /etc/docker/certs.d/192.168.100.9:5000/ca.crt
[[email protected] registry]# systemctl restart docker

④ Run the registry

[[email protected] registry]# docker run -d -u root -p 5000:5000 \
> --name private_registry  --restart=always \
> -v /opt/docker/registry/data:/var/lib/registry \
> -v /opt/docker/registry/certs:/certs \
> -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt \
> -e REGISTRY_HTTP_TLS_KEY=/certs/domain.key \
> registry:2
9d145ea538fda7687734a2a170ff21524bc8fc65fee81b2a12c43ef3a43a576a

⑤ Push an image to the registry

[[email protected] ~]# docker push 192.168.10.131:5000/nginx
The push refers to repository [192.168.10.131:5000/nginx]
e89b70d28795: Pushed 
832a3ae4ac84: Pushed 
014cf8bfcb2d: Pushed 
latest: digest: sha256:600bff7fb36d7992512f8c07abd50aac08db8f17c94e3c83e47d53435a1a6f7c size: 948

⑥ Pull the newly pushed image from another machine

[[email protected] ~]# docker pull 192.168.10.131:5000/nginx
Using default tag: latest
Error response from daemon: Get https://192.168.10.131:5000/v2/: x509: certificate signed by unknown authority

# The pull fails because this machine does not have the certificate. Copy the certificate from 192.168.10.131 to /etc/docker/certs.d/192.168.10.131:5000/ca.crt on this machine and restart Docker.

[[email protected] 192.168.10.131:5000]# docker pull 192.168.10.131:5000/nginx
Using default tag: latest
latest: Pulling from nginx
8176e34d5d92: Pull complete 
5b19c1bdd74b: Pull complete 
4e9f6296fa34: Pull complete 
Digest: sha256:600bff7fb36d7992512f8c07abd50aac08db8f17c94e3c83e47d53435a1a6f7c
Status: Downloaded newer image for 192.168.10.131:5000/nginx:latest
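
As an added example (not part of the original post), the certificate from steps ① and ② can be built from a private config file instead of editing the system-wide openssl.cnf, and checked before it is copied into certs.d. The function names, san.cnf and the scratch directory are assumptions; Docker's TLS client matches an IP address only against the certificate's IP SAN, which is what the first check looks for.

```bash
#!/usr/bin/env bash
# Added example, not from the original post. Function names, san.cnf and the
# scratch directory are assumptions; 192.168.10.131 is the page's registry IP.

# make_registry_cert DIR IP [BITS]: self-signed key + cert carrying an IP SAN,
# built from a private config file so /etc/pki/tls/openssl.cnf stays untouched.
make_registry_cert() {
    local dir=$1 ip=$2 bits=${3:-4096}
    mkdir -p "$dir" || return 1
    cat > "$dir/san.cnf" <<EOF
[ req ]
distinguished_name = dn
x509_extensions    = v3_registry
prompt             = no
[ dn ]
CN = $ip
[ v3_registry ]
subjectAltName   = IP:$ip
basicConstraints = critical, CA:TRUE
EOF
    ( umask 077   # keep the private key unreadable to other users
      openssl req -x509 -newkey "rsa:$bits" -nodes -sha256 -days 365 \
          -config "$dir/san.cnf" \
          -keyout "$dir/domain.key" -out "$dir/domain.crt" ) 2>/dev/null
}

# cert_has_ip_san CRT IP: succeed only if IP is listed as a SAN (exact match).
cert_has_ip_san() {
    openssl x509 -in "$1" -noout -text | grep -A1 'Subject Alternative Name' |
        tr ',' '\n' | sed 's/^ *//; s/ *$//' | grep -Fxq "IP Address:$2"
}

# client_trusts CA CRT: succeed only if CRT chains to the client's copy of ca.crt.
client_trusts() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Demo: generate, check, then simulate copying ca.crt to a client's certs.d.
demo=$(mktemp -d)
make_registry_cert "$demo/certs" 192.168.10.131 2048
mkdir -p "$demo/client/certs.d/192.168.10.131:5000"
cp "$demo/certs/domain.crt" "$demo/client/certs.d/192.168.10.131:5000/ca.crt"
cert_has_ip_san "$demo/certs/domain.crt" 192.168.10.131 && echo "IP SAN present"
client_trusts "$demo/client/certs.d/192.168.10.131:5000/ca.crt" \
    "$demo/certs/domain.crt" && echo "client copy validates the registry cert"
```

The demo uses a 2048-bit key only to run quickly; omit the third argument to get the 4096-bit key used in step ②.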
