Docker container port mapping, linking containers, and building a registry (unencrypted, encrypted, encrypted with authentication)
阿新 • Published: 2018-12-26
1. Container port mapping:
[root@foundation92 Desktop]# docker run -d --name web -p 8080:80 nginx #map host port 8080 to port 80 in the container
[root@foundation92 Desktop]# docker inspect web #inspect the container to obtain its IP address
Browser test:
Visiting the host at 172.25.254.92:8080 and the container directly at 172.17.0.2:80 shows the same page.
Likewise, the port mapping is visible in the nat table of iptables: iptables -nL -t nat
When mapping container ports in nat network mode, avoid conflicts with ports already in use on the host.
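The conflict warning above can be checked before a container is started. The script below is an added example, not from the original post: it parses a listing of listening TCP sockets in the format of ss -ltn and the DOCKER chain of iptables -nL -t nat, prints the DNAT mappings Docker has already installed (host port to container IP:port) and refuses a host port that is already bound. Both listings are constructed samples embedded in the script; on a live host replace them with the real command output. The function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the original post): before publishing a host port with
# `docker run -p HOST:CONTAINER`, check that the host port is free and list the
# DNAT rules Docker already installed. Both inputs below are constructed samples
# in the format of `ss -ltn` and `iptables -nL -t nat`; on a live host feed in
# the real command output instead.

# Constructed sample of `ss -ltn` (listening TCP sockets)
SAMPLE_SS='State   Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN  0      128    0.0.0.0:22           0.0.0.0:*
LISTEN  0      128    0.0.0.0:8080         0.0.0.0:*
LISTEN  0      128    [::]:5000            [::]:*'

# Constructed sample of the DOCKER chain from `iptables -nL -t nat`
SAMPLE_NAT='Chain DOCKER (2 references)
target     prot opt source               destination
RETURN     all  --  0.0.0.0/0            0.0.0.0/0
DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:8080 to:172.17.0.2:80
DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:5000 to:172.17.0.3:5000'

# port_in_use PORT LISTING -> prints "yes" if any listener is bound to PORT, else "no"
port_in_use() {
    port=$1
    printf '%s\n' "$2" | awk -v p="$port" '
        $1 == "LISTEN" {
            n = split($4, a, ":")          # the part after the last ":" is the port
            if (a[n] == p) { found = 1 }
        }
        END { print (found ? "yes" : "no") }'
}

# dnat_mappings NAT_OUTPUT -> prints "HOSTPORT CONTAINER_IP:PORT" for each DNAT rule
dnat_mappings() {
    printf '%s\n' "$1" | awk '
        $1 == "DNAT" {
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^dpt:/) { sub(/^dpt:/, "", $i); hp = $i }
                if ($i ~ /^to:/)  { sub(/^to:/, "", $i);  dst = $i }
            }
            print hp, dst
        }'
}

# check_publish HOSTPORT LISTING -> 0 if the host port is free, 1 if it would conflict
check_publish() {
    if [ "$(port_in_use "$1" "$2")" = "yes" ]; then
        echo "host port $1 is already bound; choose another -p mapping" >&2
        return 1
    fi
    echo "host port $1 is free"
}

echo "existing DNAT mappings (host port -> container):"
dnat_mappings "$SAMPLE_NAT"
check_publish 8080 "$SAMPLE_SS" || true
check_publish 8081 "$SAMPLE_SS"
```

Run against real output with port_in_use 8080 "$(ss -ltn)" and dnat_mappings "$(iptables -nL -t nat)"; the DNAT listing is the same information the post reads from the nat table by hand.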
2. Linking containers:
The --link option creates a secure connection between two containers without mapping any ports; it can connect one or more containers to the container being created.
The format is --link name:alias, where name is the name of the container to link and alias is the alias for that link.
[root@foundation92 Desktop]# docker run -d --name web1 nginx
[root@foundation92 Desktop]# docker run -it --name web2 --link web1:web3 nginx bash #create container web2 and link web1 to it under the alias web3; web3 itself is not a container
root@891278bc09b3:/# cat /etc/hosts
127.0.0.1 localhost
::1 localhost ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
172.17.0.2 web3 cbf7dff3dfb2 web1
172.17.0.3 891278bc09b3
root@891278bc09b3:/# ping web3 #web3 can be pinged
PING web3 (172.17.0.2): 56 data bytes
64 bytes from 172.17.0.2: icmp_seq=0 ttl=64 time=0.071 ms
64 bytes from 172.17.0.2: icmp_seq=1 ttl=64 time=0.049 ms
^C--- web3 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.049/0.060/0.071/0.000 ms
root@891278bc09b3:/# ping web2
^C
root@891278bc09b3:/# ping web1 #can be pinged
PING web3 (172.17.0.2): 56 data bytes
64 bytes from 172.17.0.2: icmp_seq=0 ttl=64 time=0.071 ms
^C--- web3 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.071/0.071/0.071/0.000 ms
#this shows that web1 and web3 are the same container
When using Docker you frequently need to connect to another container, for example a web service that needs a database. The usual approach is to start the database container first, map its port out, and then configure the client container to access it. For exactly this scenario Docker provides the --link option.
3. Building a private Docker registry and configuring registry authentication:
Why build a private registry?
Upload and download speeds for images on Docker Hub can be affected and depend on network bandwidth.
[root@foundation92 Desktop]# docker push nginx
The push refers to a repository [docker.io/library/nginx]
5f70bf18a086: Preparing
3f3324023e75: Preparing
f0d7d68f89e5: Preparing
917c0fc99b35: Preparing
unauthorized: authentication required
The push is blocked.
The reason is that the network is blocked:
[root@foundation92 Desktop]# ping docker.io
PING docker.io (34.234.103.99) 56(84) bytes of data
#Create a registry (temporary test, insecure, no authentication added):
docker run -d -p 5000:5000 --name registry registry:2.3.1 #create the registry container from the registry:2.3.1 image
docker tag game2048 172.25.254.92:5000/game2048 #retag the local image game2048 as 172.25.254.92:5000/game2048
[root@foundation92 Desktop]# docker push 172.25.254.92:5000/game2048 #push the image to the local registry; it fails because only HTTPS pushes are accepted
The push refers to a repository [172.25.254.92/game2048]
Get https://172.25.254.92/v1/_ping: dial tcp 172.25.254.92:443: getsockopt: connection refused
Temporary workaround:
vim /etc/docker/daemon.json
{
"insecure-registries": ["172.25.254.92:5000"]
}
Push again; this time it succeeds:
[root@foundation92 Desktop]# docker push 172.25.254.92:5000/game2048
The push refers to a repository [172.25.254.92:5000/game2048]
88fca8ae768a: Pushed
6d7504772167: Pushed
192e9fad2abc: Pushed
36e9226e74f8: Pushing [======> ] 6.742 MB/50.1 MB
36e9226e74f8: Pushed
011b303988d2: Pushed
latest: digest: sha256:50161c2b145b2b0b39db214e873393ce71c666d7d69cea1941bb009115dda2e5 size: 1364
#Create an encrypted (TLS) registry:
Create the private key and certificate:
mkdir -p /tmp/docker/certs
cd /tmp/docker
[root@foundation92 docker]# openssl req -newkey rsa:4096 -nodes -sha256 -keyout certs/domain.key -x509 -days 365 -out certs/domain.crt #create the key and self-signed certificate
Generating a 4096 bit RSA private key
.....++
................................................................................................................................................................................................................................................................................++
writing new private key to 'certs/domain.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:shaanxi
Locality Name (eg, city) [Default City]:xi;an
Organization Name (eg, company) [Default Company Ltd]:redhat
Organizational Unit Name (eg, section) []:linux
Common Name (eg, your name or your server's hostname) []:mytestregistry.com
Email Address []:[email protected]:mytestregistry.com
[root@foundation92 docker]# cd certs/
[root@foundation92 certs]# ls
domain.crt domain.key
Create the encrypted registry:
mkdir -p /etc/docker/certs.d/mytestregistry.com
cp /tmp/docker/certs/domain.crt /etc/docker/certs.d/mytestregistry.com/ca.crt
vim /etc/hosts
172.25.254.92 mytestregistry.com
docker run -d --restart=always --name=mytestregistry -v /tmp/docker/certs:/certs -v /opt/mytestregistry:/var/lib/registry -e REGISTRY_HTTP_ADDR=0.0.0.0:443 -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt -e REGISTRY_HTTP_TLS_KEY=/certs/domain.key -p 443:443 registry:2.3.1 #create the TLS registry, mapping the host directory /opt/mytestregistry to /var/lib/registry in the container
docker tag game2048 mytestregistry.com/game2048 #rename the image that is to be pushed
mv /etc/docker/daemon.json #remove the file used for the temporary workaround
[root@foundation92 certs]# docker push mytestregistry.com/game2048 #the push over TLS completes successfully
The push refers to a repository [mytestregistry.com/game2048]
88fca8ae768a: Pushed
6d7504772167: Pushed
192e9fad2abc: Pushed
36e9226e74f8: Pushed
011b303988d2: Pushed
latest: digest: sha256:50161c2b145b2b0b39db214e873393ce71c666d7d69cea1941bb009115dda2e5 size: 1364
[root@foundation92 repositories]# cd /opt/mytestregistry/docker/registry/v2/repositories #enter the local registry directory to view the pushed image
[root@foundation92 repositories]# ls
game2048
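The certificate steps above can be done without the interactive prompts. The script below is an added example, not the original post's commands: it generates the self-signed certificate with the DN passed via -subj and a subjectAltName for mytestregistry.com (newer Docker clients, built on Go's TLS stack, require a SAN and no longer accept a certificate that carries only a CN), stages ca.crt under a certs.d/<host>/ directory in the same layout /etc/docker/certs.d uses, and verifies the certificate against that hostname with openssl, which is the check the Docker client performs on push. It assumes openssl 1.1.1 or later (for -addext) and writes only to a temporary directory rather than /tmp/docker and /etc/docker; REGISTRY_HOST and the function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the original post): generate the registry's self-signed
# certificate non-interactively, stage the trust directory in the layout that
# /etc/docker/certs.d/<host>/ca.crt expects, and verify the certificate against
# the registry hostname the way the Docker client will. Assumes openssl >= 1.1.1
# (for -addext); writes only under a temporary directory so it runs anywhere.

REGISTRY_HOST=mytestregistry.com    # the hostname used in the post

# make_registry_cert WORKDIR HOST -> writes WORKDIR/certs/domain.{key,crt} and
# WORKDIR/certs.d/HOST/ca.crt; returns non-zero on failure
make_registry_cert() {
    work=$1; host=$2
    mkdir -p "$work/certs" "$work/certs.d/$host" || return 1
    # -subj replaces the interactive DN prompts; -addext adds a subjectAltName,
    # which newer Docker/Go TLS clients require (a CN alone is no longer enough).
    openssl req -newkey rsa:2048 -nodes -sha256 \
        -keyout "$work/certs/domain.key" -x509 -days 365 \
        -subj "/C=cn/ST=shaanxi/L=xian/O=redhat/OU=linux/CN=$host" \
        -addext "subjectAltName=DNS:$host" \
        -out "$work/certs/domain.crt" >/dev/null 2>&1 || return 1
    chmod 600 "$work/certs/domain.key" || return 1
    # the daemon trusts this host's registry through certs.d/HOST/ca.crt
    cp "$work/certs/domain.crt" "$work/certs.d/$host/ca.crt"
}

# verify_registry_cert CAFILE HOST CERT -> 0 when CERT chains to CAFILE and its
# SAN matches HOST, i.e. what the docker client checks on `docker push HOST/image`
verify_registry_cert() {
    openssl verify -CAfile "$1" -verify_hostname "$2" "$3" >/dev/null 2>&1
}

# cert_san CERT -> prints the certificate's subjectAltName extension
cert_san() {
    openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null
}

# key_mode KEYFILE -> prints the octal permission bits of the private key
key_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

WORK=$(mktemp -d)
CERT="$WORK/certs/domain.crt"
CA="$WORK/certs.d/$REGISTRY_HOST/ca.crt"
if make_registry_cert "$WORK" "$REGISTRY_HOST" \
   && verify_registry_cert "$CA" "$REGISTRY_HOST" "$CERT"; then
    echo "certificate for $REGISTRY_HOST verifies against $CA"
    cert_san "$CERT"
    echo "private key mode: $(key_mode "$WORK/certs/domain.key")"
fi
```

On a real host the certs/ directory is what gets bind-mounted into the registry container as /certs and certs.d/mytestregistry.com/ca.crt is what gets copied to /etc/docker/certs.d/mytestregistry.com/ca.crt; a hostname mismatch at this step is the same failure the docker client reports on push. Any change to /etc/docker/daemon.json, including removing the insecure-registries workaround, only takes effect after the docker daemon is restarted.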
#Pull the image from the local registry:
docker rmi mytestregistry.com/game2048 #delete the locally renamed game2048 image
Untagged: mytestregistry.com/game2048:latest
Untagged: mytestregistry.com/game2048@sha256:50161c2b145b2b0b39db214e873393ce71c666d7d69cea1941bb009115dda2e5
docker rmi game2048 #delete the original game2048 image
Untagged: game2048:latest
Deleted: sha256:19299002fdbedc133c625488318ba5106b8a76ca6e34a6a8fec681fb54f5e4c7
Deleted: sha256:a8ba4f00c5b89c2994a952951dc7b043f18e5ef337afdb0d4b8b69d793e9ffa7
Deleted: sha256:e2ea5e1f4b9cfe6afb588167bb38d833a5aa7e4a474053083a5afdca5fff39f0
Deleted: sha256:1b2dc5f636598b4d6f54dbf107a3e34fcba95bf08a7ab5a406d0fc8865ce2ab2
Deleted: sha256:af457147a7ab56e4d77082f56d1a0d6671c1a44ded1f85fea99817231503d7b4
Deleted: sha256:011b303988d241a4ae28a6b82b0d8262751ef02910f0ae2265cb637504b72e36
docker pull mytestregistry.com/game2048 #pull the game2048 image (under its renamed name) from the local registry
Using default tag: latest
latest: Pulling from game2048
3690ec4760f9: Pull complete
2e2d6e8f545b: Pull complete
aa8a6a9d7067: Pull complete
173507b749da: Pull complete
dc19969f59b2: Pull complete
Digest: sha256:50161c2b145b2b0b39db214e873393ce71c666d7d69cea1941bb009115dda2e5
Status: Downloaded newer image for mytestregistry.com/game2048:latest
docker tag mytestregistry.com/game2048 game2048 #retag it back to the original name, restoring the image
#Registry authentication:
cd /tmp/docker/
mkdir auth #create the directory for the credentials file
[root@foundation92 docker]# docker run --entrypoint htpasswd registry:2.3.1 -Bbn authtest authtestpasswd > auth/htpasswd #create the account and password used for authentication
[root@foundation92 docker]# cd auth/
[root@foundation92 auth]# ls
htpasswd
[root@foundation92 auth]# cat htpasswd #view the file holding the account and password hash
authtest:$2y$05$ymWyu11dw/TG9.3xEAWWA.9YfYSQo.x6KV2DYzmg2hLvnC0eAojGa
[root@foundation92 docker]# cd /opt/
[root@foundation92 opt]# mkdir mytestregistryauth #create the host directory for the authenticated registry
[root@foundation92 auth]# docker run -d --restart=always --name=mytestregistryauth -v /tmp/docker/certs:/certs -v /opt/mytestregistryauth/:/var/lib/registry -v /tmp/docker/auth/:/auth -e REGISTRY_AUTH=htpasswd -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd -e REGISTRY_HTTP_ADDR=0.0.0.0:443 -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt -e REGISTRY_HTTP_TLS_KEY=/certs/domain.key -p 443:443 registry:2.3.1 #create the TLS registry with authentication
244f10f6b5c9e92343a9faae3a8710070c0822b678c4bd18d1959dd9d0e68d79
[root@foundation92 auth]# docker tag nginx mytestregistry.com/nginx
[root@foundation92 auth]# docker push mytestregistry.com/nginx #push the image; it fails because the registry requires authentication
The push refers to a repository [mytestregistry.com/nginx]
5f70bf18a086: Preparing
3f3324023e75: Preparing
f0d7d68f89e5: Preparing
917c0fc99b35: Preparing
no basic auth credentials
[root@foundation92 auth]# docker login -u authtest -p authtestpasswd mytestregistry.com #log in to the registry
Login Succeeded
[root@foundation92 auth]# docker push mytestregistry.com/nginx #the image is pushed successfully
The push refers to a repository [mytestregistry.com/nginx]
5f70bf18a086: Pushed
3f3324023e75: Pushed
f0d7d68f89e5: Pushed
917c0fc99b35: Pushed
latest: digest: sha256:32d30bd4dd97cddf9c476ea4665149577601741fedf6e91256f552b2975005f9 size: 1978
#View the images in the registry:
[root@foundation92 repositories]# cd /opt/mytestregistryauth/docker/registry/v2/repositories
[root@foundation92 repositories]# ls
nginx
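Before mounting the htpasswd file into the registry it is worth checking its contents: the registry's htpasswd backend accepts only bcrypt hashes ($2a$, $2b$, $2y$), which is why the post runs htpasswd with -B; an MD5 ($apr1$) or crypt entry is never accepted at login and the user simply cannot authenticate. The script below is an added example, not from the original post. Its sample file is constructed: the first line is the bcrypt entry shown above, the second is a deliberately wrong MD5 entry. MIN_COST and the function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the original post): validate an htpasswd file before
# mounting it into the registry as /auth/htpasswd. The registry's htpasswd
# backend only accepts bcrypt hashes ($2a$/$2b$/$2y$); MD5 ($apr1$) or crypt
# entries are never accepted at login.

# Constructed sample: line 1 is the bcrypt entry from the post (htpasswd -B,
# cost 05); line 2 is a deliberately wrong MD5 entry in the same file format.
SAMPLE_HTPASSWD='authtest:$2y$05$ymWyu11dw/TG9.3xEAWWA.9YfYSQo.x6KV2DYzmg2hLvnC0eAojGa
legacyuser:$apr1$Zs3Ybg1n$9mG3xbqC4z8V.5xqFlOaK1'

# Minimum bcrypt cost this check enforces (policy value chosen for the example;
# htpasswd -B uses cost 5 unless -C is given).
MIN_COST=${MIN_COST:-5}

# htpasswd_report CONTENT -> one line per entry: "USER bcrypt COST" or "USER NOT-BCRYPT"
htpasswd_report() {
    printf '%s\n' "$1" | awk -F: '
        NF < 2 || $1 ~ /^#/ { next }          # skip blank and comment lines
        {
            n = split($2, h, "$")              # "$2y$05$..." -> h[2]="2y", h[3]="05"
            if (n >= 4 && h[2] ~ /^2[aby]$/)
                print $1, "bcrypt", h[3] + 0
            else
                print $1, "NOT-BCRYPT"
        }'
}

# htpasswd_check CONTENT -> 0 if every entry is bcrypt with cost >= MIN_COST;
# otherwise lists the offending users on stderr and returns 1
htpasswd_check() {
    bad=$(htpasswd_report "$1" | awk -v min="$MIN_COST" \
        '$2 != "bcrypt" || $3 < min { print $1 }')
    if [ -n "$bad" ]; then
        printf 'entries the registry will reject or that are below cost %s:\n%s\n' \
            "$MIN_COST" "$bad" >&2
        return 1
    fi
    echo "all htpasswd entries are bcrypt with cost >= $MIN_COST"
}

htpasswd_report "$SAMPLE_HTPASSWD"
htpasswd_check "$SAMPLE_HTPASSWD" || true

# On the registry host, log in without placing the password on the command line
# (docker login -p leaves it in shell history and in `ps` output):
#   printf '%s' "$REGISTRY_PASSWORD" | docker login -u authtest --password-stdin mytestregistry.com
```

Run it against the real file with htpasswd_check "$(cat /tmp/docker/auth/htpasswd)" before starting the registry container. The docker login -u authtest -p authtestpasswd form used in the post works, but docker itself warns that a password given on the command line is recorded in shell history; --password-stdin, shown in the trailing comment, avoids that.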