Docker Learning and Practice (Part 4)
阿新 • Published: 2018-05-11
4. Registry management
1. Create a local registry
① Pull the official registry image
[root@dockertest ~]# docker run -d -p 5000:5000 --restart=always --name registry registry:2
Unable to find image 'registry:2' locally
2: Pulling from library/registry
81033e7c1d6a: Pull complete
b235084c2315: Pull complete
c692f3a6894b: Pull complete
ba2177f3a70e: Pull complete
a8d793620947: Pull complete
Digest: sha256:672d519d7fd7bbc7a448d17956ebeefe225d5eb27509d8dc5ce67ecb4a0bce54
Status: Downloaded newer image for registry:2
f59d18d8302b6589d5e94f901c1161a48854593cc32ee3259c806bc648c437df
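# By default the registry data is created under /var/lib/registry inside the container; use -v to store the image files in a chosen directory on the host instead.
docker run -d -p 5000:5000 --restart=always -v /opt/docker/registry/data:/var/lib/registry --name registry registry:2
② Push an image to the registry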
[root@dockertest ~]# docker tag nginx:latest 192.168.10.131:5000/nginx:latest
[root@dockertest ~]# docker push 192.168.10.131:5000/nginx:latest
The push refers to repository [192.168.10.131:5000/nginx]
Get https://192.168.10.131:5000/v2/: http: server gave HTTP response to HTTPS client
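# On CentOS 7, Docker has to be configured to allow access to this registry without HTTPS (the insecure-registries entry below), then restarted. The entry turns off TLS verification for that registry; section 2 sets up certificates instead.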
[root@dockertest ~]# cat /etc/docker/daemon.json
{
"registry-mirrors": [
"https://registry.docker-cn.com"
],
"insecure-registries": [
"192.168.10.131:5000"
]
}
[root@dockertest ~]# systemctl restart docker.service
[root@dockertest ~]# docker push 192.168.10.131:5000/nginx:latest
The push refers to repository [192.168.10.131:5000/nginx]
e89b70d28795: Pushed
832a3ae4ac84: Pushed
014cf8bfcb2d: Pushed
latest: digest: sha256:600bff7fb36d7992512f8c07abd50aac08db8f17c94e3c83e47d53435a1a6f7c size: 948
[root@dockertest ~]# curl 192.168.10.131:5000/v2/_catalog
{"repositories":["nginx"]}
③ Delete the local image and pull it again from the registry
[root@dockertest ~]# docker image rm 192.168.10.131:5000/nginx:latest
[root@dockertest ~]# docker pull 192.168.10.131:5000/nginx:latest
latest: Pulling from nginx
8176e34d5d92: Pull complete
5b19c1bdd74b: Pull complete
4e9f6296fa34: Pull complete
Digest: sha256:600bff7fb36d7992512f8c07abd50aac08db8f17c94e3c83e47d53435a1a6f7c
Status: Downloaded newer image for 192.168.10.131:5000/nginx:latest
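2. Configure a private registry that requires certificate authentication
① Edit /etc/pki/tls/openssl.cnf so that the certificate is valid for access by IP address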
[ v3_ca ]
subjectAltName = IP:192.168.10.131
② Generate the certificate and key with openssl
[root@dockertest registry]# mkdir -p certs
[root@dockertest registry]# openssl req \
> -newkey rsa:4096 -nodes -sha256 -keyout certs/domain.key \
> -x509 -days 365 -out certs/domain.crt
Generating a 4096 bit RSA private key
...........++
..............................................................................................++
writing new private key to 'certs/domain.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:
Locality Name (eg, city) [Default City]:
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:192.168.10.131:5000
Email Address []:
③ Copy the newly generated domain.crt to /etc/docker/certs.d/192.168.10.131:5000/ca.crt (the directory name must match the registry's host:port) and restart docker
[root@dockertest registry]# mkdir -p /etc/docker/certs.d/192.168.10.131:5000
[root@dockertest registry]# cp certs/domain.crt /etc/docker/certs.d/192.168.10.131:5000/ca.crt
[root@dockertest registry]# systemctl restart docker
④ Run the registry
[root@dockertest registry]# docker run -d -u root -p 5000:5000 \
> --name private_registry --restart=always \
> -v /opt/docker/registry/data:/var/lib/registry \
> -v /opt/docker/registry/certs:/certs \
> -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt \
> -e REGISTRY_HTTP_TLS_KEY=/certs/domain.key \
> registry:2
9d145ea538fda7687734a2a170ff21524bc8fc65fee81b2a12c43ef3a43a576a
⑤ Push an image to the registry
[root@dockertest ~]# docker push 192.168.10.131:5000/nginx
The push refers to repository [192.168.10.131:5000/nginx]
e89b70d28795: Pushed
832a3ae4ac84: Pushed
014cf8bfcb2d: Pushed
latest: digest: sha256:600bff7fb36d7992512f8c07abd50aac08db8f17c94e3c83e47d53435a1a6f7c size: 948
⑥ Pull the newly uploaded image from another machine
[root@localhost ~]# docker pull 192.168.10.131:5000/nginx
Using default tag: latest
Error response from daemon: Get https://192.168.10.131:5000/v2/: x509: certificate signed by unknown authority
# The pull fails because this machine does not have the certificate. Copy the certificate from 192.168.10.131 to /etc/docker/certs.d/192.168.10.131:5000/ca.crt on this machine and restart docker.
[root@localhost 192.168.10.131:5000]# docker pull 192.168.10.131:5000/nginx
Using default tag: latest
latest: Pulling from nginx
8176e34d5d92: Pull complete
5b19c1bdd74b: Pull complete
4e9f6296fa34: Pull complete
Digest: sha256:600bff7fb36d7992512f8c07abd50aac08db8f17c94e3c83e47d53435a1a6f7c
Status: Downloaded newer image for 192.168.10.131:5000/nginx:latest
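An added check for the setup in sections 1 and 2 (example code, not from the original post): it reads a daemon.json and a certs.d tree and reports whether the daemon will really verify the registry's certificate. The function names and the host name registry.example.internal are assumptions made for the illustration; on a real host the inputs would be /etc/docker/daemon.json and /etc/docker/certs.d.

```python
import ipaddress
import json
import tempfile
from pathlib import Path


def bypasses_tls(entry: str, registry: str) -> bool:
    """True if an insecure-registries entry (host:port or CIDR) covers `registry`."""
    if entry == registry:
        return True
    try:
        host = ipaddress.ip_address(registry.rsplit(":", 1)[0])
        return host in ipaddress.ip_network(entry, strict=False)
    except ValueError:  # entry is not a CIDR, or registry is addressed by name
        return False


def audit_registry_trust(daemon_json: str, certs_d: Path, registry: str) -> list[str]:
    """Return findings on how the Docker daemon will treat `registry` (host:port)."""
    findings = []
    config = json.loads(daemon_json) if daemon_json.strip() else {}

    # A matching entry makes the daemon ignore certificate errors and fall back
    # to plain HTTP, even when a CA file is installed for the registry.
    for entry in config.get("insecure-registries", []):
        if bypasses_tls(entry, registry):
            findings.append(f"insecure-registries entry {entry!r} disables TLS verification")

    # CA files are only read from certs.d/<host:port>/, named exactly like the registry.
    ca_dir = certs_d / registry
    if not (ca_dir.is_dir() and any(ca_dir.glob("*.crt"))):
        present = sorted(p.name for p in certs_d.iterdir() if p.is_dir()) if certs_d.is_dir() else []
        findings.append(f"no *.crt in {ca_dir.name}/ (directories present: {present})")
    return findings


if __name__ == "__main__":
    # Constructed sample: section 1's daemon.json entry is still in place and the CA
    # was installed under a host name, while the registry is addressed by IP.
    sample = '{"insecure-registries": ["192.168.10.131:5000"]}'
    with tempfile.TemporaryDirectory() as tmp:
        other = Path(tmp) / "registry.example.internal:5000"
        other.mkdir()
        (other / "ca.crt").write_text("placeholder, not a real certificate\n")
        for finding in audit_registry_trust(sample, Path(tmp), "192.168.10.131:5000"):
            print(finding)
```

An empty result means the daemon has a CA file for that exact host:port and no insecure-registries entry overriding it.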