
Building a private Docker image registry


If you find problems with this article while following along, please leave a comment; I want to make this a reliably usable article!

My environment is set up as follows

Environment: CentOS 7

IP address: 10.211.55.30

Docker version: 1.10.3

Registry: v2

First, pull the registry image on the 10.211.55.30 machine

$ docker pull registry

Alternatively, you can install offline by importing the image; it can be downloaded from my netdisk: https://pan.baidu.com/s/1mhY0YDy

Then import it into Docker

$ docker load -i registry.tar

Once the download is done, start a container from this image

$ docker run -d -p 5000:5000 registry

By default the repository data is stored under /tmp/registry inside the container, so if the container is deleted the images stored in it are lost as well. That is why we normally mount a local directory onto /tmp/registry inside the container. I mount /opt/data/registry onto /tmp/registry; if that directory does not exist locally you need to create it, and you also need to widen the permissions on /opt/data/registry

chmod 777 /opt/data/registry

A pitfall here: the default is said to be /tmp/registry inside the container, but in my container the images were actually stored at /var/lib/registry inside the container.

I found this location after finishing the setup and pushing an image, by running find / -name ***

[root@server01 ~]# docker run -d -p 5000:5000 -v /opt/data/registry:/var/lib/registry registry
55c60589cb0e2d094d5371c4dd650127cfeae1b361477d50cfe48552e6308830

As you can see, a container has been started; its address is 10.211.55.30:5000

Testing

Next we push a local image into the private registry. First, on the 10.211.55.30 machine, pull a fairly small image to test with (busybox is used here)

$ sudo docker pull busybox

Next, re-tag the image; the image name must take the form registry IP:port/image name

$ sudo docker tag busybox 10.211.55.30:5000/busybox

Next, push the tagged image to the private registry.

$ sudo docker push 10.211.55.30:5000/busybox

The push fails; the exact error is as follows:

2015/01/05 11:01:17 Error: Invalid registry endpoint https://192.168.112.136:5000/v1/: Get https://192.168.112.136:5000/v1/_ping: dial tcp 192.168.112.136:5000: connection refused. If this private registry supports only HTTP or HTTPS with an unknown CA certificate, please add `--insecure-registry 192.168.112.136:5000` to the daemon's arguments. In the case of HTTPS, if you have access to the registry's CA certificate, no need for the flag; simply place the CA certificate at /etc/docker/certs.d/192.168.112.136:5000/ca.crt

Since Docker 1.3.x the daemon talks to registries over HTTPS by default, but the private registry built here only serves HTTP, so every interaction with it fails with the error above. To get around this, the Docker daemon has to be started with an argument that allows plain HTTP for this registry. Edit the Docker startup configuration (here on the 10.211.55.30 machine); on CentOS 7 the file is /usr/lib/systemd/system/docker.service. Add --insecure-registry 10.211.55.30:5000 as shown below:

[Unit]
Description=Docker Application Container Engine
Documentation=http://docs.docker.com
After=network.target rhel-push-plugin.socket
Wants=docker-storage-setup.service
 
[Service]
Type=notify
NotifyAccess=all
EnvironmentFile=-/etc/sysconfig/docker
EnvironmentFile=-/etc/sysconfig/docker-storage
EnvironmentFile=-/etc/sysconfig/docker-network
Environment=GOTRACEBACK=crash
ExecStart=/usr/bin/docker-current daemon \
          --exec-opt native.cgroupdriver=systemd \
          --insecure-registry=10.211.55.30:5000 \
          $OPTIONS \
          $DOCKER_STORAGE_OPTIONS \
          $DOCKER_NETWORK_OPTIONS \
          $ADD_REGISTRY \
          $BLOCK_REGISTRY \
          $INSECURE_REGISTRY
LimitNOFILE=1048576
LimitNPROC=1048576
LimitCORE=infinity
TimeoutStartSec=0
MountFlags=slave
Restart=on-abnormal
 
[Install]
WantedBy=multi-user.target

After editing, reload the unit definition and restart the Docker service.

$ systemctl daemon-reload
$ systemctl restart docker

After the restart, run the push command again to push the local image to the private server.

$ sudo docker push 10.211.55.30:5000/busybox

The image has now been pushed to the private registry.
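The daemon's own error message above names two ways to make it accept this registry: the --insecure-registry flag (plain HTTP, no transport security) or a CA certificate placed at /etc/docker/certs.d/HOST:PORT/ca.crt (HTTPS with a private CA, verified like any other). The following is an added example, not code from the original post: it sets INSECURE_REGISTRY in the sysconfig file that the unit file above reads through EnvironmentFile (so the unit file itself is left untouched), and it shows the certs.d layout for the TLS route. It assumes the CentOS 7 docker package reads /etc/sysconfig/docker for that variable; every path is a parameter so the functions can be tried on scratch files first.

```shell
#!/bin/sh
# Added example (not from the original post). Two ways to let the Docker
# daemon talk to a private registry, both named in the daemon's error message:
#   1. --insecure-registry HOST:PORT   (plain HTTP, no transport security)
#   2. CA certificate at CERTS_ROOT/HOST:PORT/ca.crt  (HTTPS, private CA)
# Assumption: the CentOS 7 docker unit reads /etc/sysconfig/docker and
# passes $INSECURE_REGISTRY to the daemon, as the unit file above shows.
set -e

# Idempotently set INSECURE_REGISTRY='--insecure-registry HOST:PORT' in a
# sysconfig-style file (edits to the unit file are lost on package upgrade;
# the sysconfig file is preserved).
set_insecure_registry() {
    file=$1; reg=$2
    line="INSECURE_REGISTRY='--insecure-registry $reg'"
    touch "$file"
    # drop any previous assignment, then append the new one
    grep -v '^INSECURE_REGISTRY=' "$file" > "$file.tmp" || true
    printf '%s\n' "$line" >> "$file.tmp"
    mv "$file.tmp" "$file"
}

# Remove the exception again once the registry serves HTTPS.
unset_insecure_registry() {
    file=$1
    grep -v '^INSECURE_REGISTRY=' "$file" > "$file.tmp" || true
    mv "$file.tmp" "$file"
}

# Print the HOST:PORT currently marked insecure, or nothing.
insecure_registry_of() {
    sed -n "s/^INSECURE_REGISTRY='--insecure-registry \([^']*\)'.*/\1/p" "$1"
}

# Install a private CA for HOST:PORT under a certs.d root. The directory
# name must be exactly the host:port clients use in image names
# (for the real daemon CERTS_ROOT is /etc/docker/certs.d).
install_registry_ca() {
    certs_root=$1; reg=$2; ca=$3
    dest="$certs_root/$reg/ca.crt"
    mkdir -p "$certs_root/$reg"
    cp "$ca" "$dest"
    chmod 0644 "$dest"
    echo "$dest"
}

# Usage on the host, as root, followed by `systemctl restart docker`:
#   set_insecure_registry /etc/sysconfig/docker 10.211.55.30:5000
# or, preferably, with the registry serving TLS signed by your own CA:
#   install_registry_ca /etc/docker/certs.d 10.211.55.30:5000 /path/to/ca.crt
#   unset_insecure_registry /etc/sysconfig/docker
```

With the certs.d route the daemon keeps verifying the registry's certificate, so the exception for plain HTTP is no longer needed and can be removed; the insecure flag should be treated as a lab-only shortcut.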

Even at this point the push may not succeed. Use journalctl -f to watch the logs; they show the output below. Pay attention to the SELinux lines at the end: this is an SELinux problem, and my fix was simply to disable SELinux

Jan 27 16:08:16 server01 docker-current[15241]: time="2017-01-27T08:08:16Z" level=error msg="response completed with error" err.code="blob unknown" err.detail=sha256:45a2e645736c4c66ef34acce2407ded21f7a9b231199d3b92d6c9776df264729 err.message="blob unknown to registry" go.version=go1.7.3 http.request.host="10.211.55.30:5000" http.request.id=a2dbff10-2937-4e9e-94f3-16275739ad61 http.request.method=HEAD http.request.remoteaddr="10.211.55.30:48256" http.request.uri="/v2/centos_20170127/blobs/sha256:45a2e645736c4c66ef34acce2407ded21f7a9b231199d3b92d6c9776df264729" http.request.useragent="docker/1.10.3 go/go1.6.3 git-commit/cb079f6-unsupported kernel/3.10.0-327.36.3.el7.x86_64 os/linux arch/amd64" http.response.contenttype="application/json; charset=utf-8" http.response.duration=1.4262ms http.response.status=404 http.response.written=157 instance.id=f9f97de9-15bc-41e3-9ec3-f1033e57a77e vars.digest="sha256:45a2e645736c4c66ef34acce2407ded21f7a9b231199d3b92d6c9776df264729" vars.name="centos_20170127" version=v2.6.0
Jan 27 16:08:16 server01 docker-current[15241]: 10.211.55.30 - - [27/Jan/2017:08:08:16 +0000] "HEAD /v2/centos_20170127/blobs/sha256:45a2e645736c4c66ef34acce2407ded21f7a9b231199d3b92d6c9776df264729 HTTP/1.1" 404 157 "" "docker/1.10.3 go/go1.6.3 git-commit/cb079f6-unsupported kernel/3.10.0-327.36.3.el7.x86_64 os/linux arch/amd64"
Jan 27 16:08:16 server01 docker-current[15241]: time="2017-01-27T08:08:16Z" level=error msg="response completed with error" err.code=unknown err.detail="filesystem: mkdir /var/lib/registry/docker: permission denied" err.message="unknown error" go.version=go1.7.3 http.request.host="10.211.55.30:5000" http.request.id=158612a0-39f5-41f5-9985-c80db7da911f http.request.method=POST http.request.remoteaddr="10.211.55.30:48258" http.request.uri="/v2/centos_20170127/blobs/uploads/" http.request.useragent="docker/1.10.3 go/go1.6.3 git-commit/cb079f6-unsupported kernel/3.10.0-327.36.3.el7.x86_64 os/linux arch/amd64" http.response.contenttype="application/json; charset=utf-8" http.response.duration=1.671997ms http.response.status=500 http.response.written=164 instance.id=f9f97de9-15bc-41e3-9ec3-f1033e57a77e vars.name="centos_20170127" version=v2.6.0
Jan 27 16:08:16 server01 docker-current[15241]: 10.211.55.30 - - [27/Jan/2017:08:08:16 +0000] "POST /v2/centos_20170127/blobs/uploads/ HTTP/1.1" 500 164 "" "docker/1.10.3 go/go1.6.3 git-commit/cb079f6-unsupported kernel/3.10.0-327.36.3.el7.x86_64 os/linux arch/amd64"
Jan 27 16:08:16 server01 docker-current[15241]: time="2017-01-27T16:08:16.115997771+08:00" level=error msg="Upload failed, retrying: Received unexpected HTTP status: 500 Internal Server Error"
Jan 27 16:08:16 server01 setroubleshoot[5771]: failed to retrieve rpm info for /opt/data/registry
Jan 27 16:08:16 server01 setroubleshoot[5771]: SELinux is preventing /bin/registry from write access on the directory /opt/data/registry. For complete SELinux messages. run sealert -l 748743d8-dd8a-4482-9771-94a403bccf18
Jan 27 16:08:16 server01 python[5771]: SELinux is preventing /bin/registry from write access on the directory /opt/data/registry.
                                      
                                       *****  Plugin catchall_labels (83.8 confidence) suggests   *******************
                                      
                                       If you want to allow registry to have write access on the registry directory
                                       Then you need to change the label on /opt/data/registry
                                       Do
                                       # semanage fcontext -a -t FILE_TYPE '/opt/data/registry'
                                       where FILE_TYPE is one of the following: cgroup_t, docker_var_lib_t, svirt_home_t, svirt_sandbox_file_t, virt_home_t.
                                       Then execute:
                                       restorecon -v '/opt/data/registry'
                                      
                                      
                                       *****  Plugin catchall (17.1 confidence) suggests   **************************
                                      
                                       If you believe that registry should be allowed write access on the registry directory by default.
                                       Then you should report this as a bug.
                                       You can generate a local policy module to allow this access.
                                       Do
                                       allow this access for now by executing:
                                       # grep registry /var/log/audit/audit.log | audit2allow -M mypol
                                       # semodule -i mypol.pp

Here is how to disable it

Check the SELinux status:
1. /usr/sbin/sestatus -v      ## if the "SELinux status" field shows enabled, SELinux is on
SELinux status:                 enabled
2. getenforce                 ## this command can also be used to check
Disable SELinux:
1. Temporarily (no reboot needed):
setenforce 0                  ## puts SELinux into permissive mode; setenforce 1 puts it back into enforcing mode
2. Permanently, by editing the config file (requires a reboot):
edit the file /etc/selinux/config
change SELINUX=enforcing to SELINUX=disabled
then reboot the machine
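The setroubleshoot output above already points to the narrower fix: the denial is only about /bin/registry writing to /opt/data/registry, so labelling that one directory with a container-writable type (svirt_sandbox_file_t is in its list) keeps SELinux enforcing for everything else. The following is an added example, not code from the original post: a mode check that reads the selinuxfs enforce file directly, and a helper that creates the data directory and persists the label. The directory and enforce-file paths are parameters so the helpers can be tried on a scratch directory; the 755 mode assumes the registry process in the stock image runs as root, which the post does not state.

```shell
#!/bin/sh
# Added example (not from the original post). Label the registry's
# bind-mounted data directory instead of disabling SELinux host-wide.
# Assumption: the registry process in the stock image runs as root, so
# mode 755 (not 777) is enough for the bind mount.
set -e

# Report the SELinux mode without depending on getenforce: "disabled" when
# the selinuxfs enforce file is absent, else "enforcing" or "permissive".
# The file path is a parameter; the real one is /sys/fs/selinux/enforce.
selinux_mode() {
    enforce_file=${1:-/sys/fs/selinux/enforce}
    if [ ! -r "$enforce_file" ]; then
        echo disabled
    elif [ "$(cat "$enforce_file")" = 1 ]; then
        echo enforcing
    else
        echo permissive
    fi
}

# Create the data directory and, when SELinux is active and the policy
# tools are present (root required), persist a container-writable label for
# the directory and everything below it, then apply it with restorecon.
prepare_registry_dir() {
    dir=$1
    mkdir -p "$dir"
    chmod 755 "$dir"
    if [ "$(selinux_mode)" != disabled ] && [ "$(id -u)" = 0 ] \
       && command -v semanage >/dev/null 2>&1; then
        # svirt_sandbox_file_t is one of the types setroubleshoot listed;
        # -a fails if a rule for the path already exists, so fall back to -m
        semanage fcontext -a -t svirt_sandbox_file_t "$dir(/.*)?" \
            || semanage fcontext -m -t svirt_sandbox_file_t "$dir(/.*)?"
        restorecon -Rv "$dir"
    fi
}

# Usage on the host, as root, before starting the container:
#   prepare_registry_dir /opt/data/registry
#   docker run -d -p 5000:5000 -v /opt/data/registry:/var/lib/registry registry
```

Docker 1.7 and later can also relabel a bind mount on its own when the volume is given the :Z suffix (-v /opt/data/registry:/var/lib/registry:Z); the explicit fcontext rule has the advantage that the label survives a restorecon of the whole filesystem. In either case `sealert -l <id>` from the journal line, or `grep registry /var/log/audit/audit.log`, confirms the denial is gone.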

Next, delete the local image and pull it back down from the private registry.

$ sudo docker pull 10.211.55.30:5000/busybox

The private Docker registry is now set up. Note that the registry built above requires no authentication.

Managing the images in the registry

Querying

In Registry v2, docker search cannot be used to view or search repositories or images; it returns the error below

$ docker search 10.211.55.30:5000/busybox/
Error response from daemon: Unexpected status code 404

But the same can be achieved through the v2 API; the URL must follow the form IP:port/v2/_catalog:

[root@server01 ~]# curl http://10.211.55.30:5000/v2/_catalog
{"repositories":["centos"]}
[root@server01 ~]# curl http://10.211.55.30:5000/v2/centos/tags/list
{"name":"centos","tags":["latest"]}
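Because this registry has no authentication, anyone who can reach port 5000 can run the same two queries, so it is worth keeping an inventory of what it holds. The following is an added example, not code from the original post: it parses the flat JSON arrays these two endpoints return (with jq when installed, with sed otherwise) and walks a registry repository by repository to list every repo:tag. The registry URL is a parameter, for example http://10.211.55.30:5000; the sample responses in the comments are the ones shown above.

```shell
#!/bin/sh
# Added example (not from the original post). Inventory a v2 registry via
# /v2/_catalog and /v2/<name>/tags/list, the two endpoints shown above.
set -e

# Print the strings of the JSON array stored under KEY, one per line.
# Handles the flat shapes these endpoints return, e.g.
#   {"repositories":["centos","busybox"]}  and  {"name":"centos","tags":["latest"]}
# and prints nothing for an empty array or "tags":null (a repo with no tags).
json_strings() {
    key=$1
    if command -v jq >/dev/null 2>&1; then
        jq -r ".$key // [] | .[]"
    else
        # sed fallback: grab the bracketed list, split on commas, strip quotes
        sed -n "s/.*\"$key\":\[\([^]]*\)\].*/\1/p" \
        | tr ',' '\n' | sed 's/^"//; s/"$//' | sed '/^$/d'
    fi
}

# Convenience wrappers that take the response body as an argument.
repos_from_catalog() { printf '%s' "$1" | json_strings repositories; }
tags_from_list()     { printf '%s' "$1" | json_strings tags; }

# Live inventory: every repository with its tags, one "repo:tag" per line.
# The catalog is paginated on larger registries (?n= and a Link header);
# this reads the first page, which is all the post's registry has.
list_registry() {
    base=$1
    curl -sS "$base/v2/_catalog" | json_strings repositories | while read -r repo; do
        curl -sS "$base/v2/$repo/tags/list" | json_strings tags | while read -r tag; do
            echo "$repo:$tag"
        done
    done
}

# Usage:  list_registry http://10.211.55.30:5000
```

Running the inventory from a cron job and diffing it against the previous run is a cheap way to notice an unexpected push to an unauthenticated registry; the same parser works for a registry behind HTTPS once the CA is installed on the client.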

Pulling an image:

[root@server01 ~]# docker pull 10.211.55.30:5000/centos
Using default tag: latest
Trying to pull repository 10.211.55.30:5000/centos ...
latest: Pulling from 10.211.55.30:5000/centos
Digest: sha256:7dfffa13a2addc317ac3bdfbddbd4604ea629decea19c271481e5c45245b7612
Status: Downloaded newer image for 10.211.55.30:5000/centos:latest