一、创建本地私有Registry,客户机进行push和pull。
wang@wang:~$ docker version
Client:
Version: 1.13.1
API version: 1.26
Go version: go1.6.2
Git commit: 092cba3
Built: Thu Nov 2 20:40:23 2017
OS/Arch: linux/amd64
Server:
Version: 1.13.1
API version: 1.26 (minimum version 1.12)
Go version: go1.6.2
Git commit: 092cba3
Built: Thu Nov 2 20:40:23 2017
OS/Arch: linux/amd64
Experimental: false
wang@wang:~$ docker run -d \
> -p 5000:5000 \
> -v /opt/data/registry:/var/lib/registry \
> registry
Unable to find image 'registry:latest' locally
latest: Pulling from library/registry
d6a5679aa3cf: Pull complete
ad0eac849f8f: Pull complete
2261ba058a15: Pull complete
f296fda86f10: Pull complete
bcd4a541795b: Pull complete
Digest: sha256:5a156ff125e5a12ac7fdec2b90b7e2ae5120fa249cf62248337b6d04abc574c8
Status: Downloaded newer image for registry:latest
de663b9ca264651bbf6d29964b77454004754d91fa07767261a4379a1a805039
wang@wang:~$ docker tag hello-world localhost:5000/hello-world:1.10
wang@wang:~$ docker image ls
REPOSITORY TAG IMAGE ID CREATED SIZE
registry latest 2e2f252f3c88 2 months ago 33.3 MB
aberic/fabric-edge 1.0-RC5 efc2352c5da1 4 months ago 473 MB
aberic/fabric-edge latest efc2352c5da1 4 months ago 473 MB
aberic/fabric-edge 1.0-RC4 0510905d1cab 4 months ago 473 MB
hello-world latest f2a91732366c 12 months ago 1.85 kB
localhost:5000/hello-world 1.10 f2a91732366c 12 months ago 1.85 kB
wang@wang:~$ docker push localhost:5000/hello-world:1.10
打印:
The push refers to a repository [localhost:5000/hello-world]
f999ae22f308: Pushed
1.10: digest: sha256:0b1396cdcea05f91f38fc7f5aecd58ccf19fb5743bbb79cff5eb3c747b36d909 size: 524
wang@wang:~$ curl http://localhost:5000/v2/hello-world/tags/list
打印:
{"name":"hello-world","tags":["1.10"]}
或
wang@wang:~$ curl http://localhost:5000/v2/_catalog
打印:
{"repositories":["hello-world"]}
wang@wang:~$ docker image rmi localhost:5000/hello-world:1.10
打印:
Untagged: localhost:5000/hello-world:1.10
Untagged: localhost:5000/hello-world@sha256:0b1396cdcea05f91f38fc7f5aecd58ccf19fb5743bbb79cff5eb3c747b36d909
wang@wang:~$ docker image ls
打印:
REPOSITORY TAG IMAGE ID CREATED SIZE
registry latest 2e2f252f3c88 2 months ago 33.3 MB
hello-world latest f2a91732366c 12 months ago 1.85 kB
wang@wang:~$ docker pull localhost:5000/hello-world:1.10
打印:
1.10: Pulling from hello-world
Digest: sha256:0b1396cdcea05f91f38fc7f5aecd58ccf19fb5743bbb79cff5eb3c747b36d909
Status: Downloaded newer image for localhost:5000/hello-world:1.10
wang@wang:~$ docker image ls
打印:
REPOSITORY TAG IMAGE ID CREATED SIZE
registry latest 2e2f252f3c88 2 months ago 33.3 MB
hello-world latest f2a91732366c 12 months ago 1.85 kB
localhost:5000/hello-world 1.10 f2a91732366c 12 months ago 1.85 kB
公司内网另一ip上:
修改/etc/docker下的daemon.json文件,没有的创建。内容如下:
{
"registry-mirrors": ["https://registry.docker-cn.com"],
"insecure-registries": ["本机ip:5000"]
}
需要符合json规范,否则Docker无法启动
重启docker服务:
sudo service docker restart
docker pull 本机ip:5000/hello-world:1.10
二、需要TLS认证的Registry
1、首先使用openssl生成自签名证书
root@wang:/home/wang# mkdir -p /opt/docker/registry/certs
root@wang:/home/wang# openssl req -newkey rsa:4096 -nodes -sha256 -keyout /opt/docker/registry/certs/domain.key -x509 -days 365 -out /opt/docker/registry/certs/domain.crt
Generating a 4096 bit RSA private key
...............................................................................................................................................++
.....................................++
writing new private key to '/opt/docker/registry/certs/domain.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:BeiJing
Locality Name (eg, city) []:BeiJing
Organization Name (eg, company) [Internet Widgits Pty Ltd]:dmxy
Organizational Unit Name (eg, section) []:cz
Common Name (e.g. server FQDN or YOUR name) []:registry.docker.com
Email Address []:[email protected]
2、生成具有TLS认证的Registry容器
root@wang:/home/wang# docker run -d --name registry2 -p 5000:5000 -v /opt/docker/registry/certs:/certs -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt -e REGISTRY_HTTP_TLS_KEY=/certs/domain.key registry:2
打印:
0e6ee055be9ab57971941b398daae81f6bf1072fd115cc618fc4e2cea3027d53
3、在每一个docker客户端宿主机上配置/etc/hosts,以使客户端宿主机可以解析域名”registry.docker.com”。并创建与这个registry服务器域名一致的目录(因为我这里的域名是假的)。
虽然用户名是一样的,但这是另一台机器了
wang@wang:~$ sudo gedit /etc/hosts
192.168.x.x registry.docker.com
wang@wang:/etc/docker/certs.d$ sudo mkdir registry.docker.com:5000
4、将证书 domain.crt 复制到每一个docker客户端宿主机/etc/docker/certs.d/registry.docker.com:5000/ca.crt,不需要重启docker
root@wang:/home/wang# scp -p /opt/docker/registry/certs/domain.crt [email protected]:/etc/docker/certs.d/registry.docker.com\:5000/ca.crt
5、尝试从客户端push镜像到Registry以及从Registry中pull
客户端:
wang@wang:~$ sudo gedit /etc/docker/daemon.json
这里将之前用到的部分删除,只留下:
{
"registry-mirrors": ["https://registry.docker-cn.com"]
}
重启一下docker服务:
wang@wang:~$ sudo service docker restart
(上面这两步看情况。因为之前为了跳过TLS认证添加了:"insecure-registries": ["本机ip:5000"])
wang@wang:~$ docker tag 192.168.x.x:5000/hello-world:1.11 registry.docker.com:5000/hello-world:v3
wang@wang:~$ docker images
打印:
registry.docker.com:5000/hello-world v2 f2a91732366c 12 months ago 1.85 kB
registry.docker.com:5000/hello-world v3 f2a91732366c 12 months ago 1.85 kB
wang@wang:~$ docker push registry.docker.com:5000/hello-world:v3
打印:
The push refers to a repository [registry.docker.com:5000/hello-world]
f999ae22f308: Layer already exists
v3: digest: sha256:0b1396cdcea05f91f38fc7f5aecd58ccf19fb5743bbb79cff5eb3c747b36d909 size: 524
wang@wang:~$ docker rmi registry.docker.com:5000/hello-world:v3
打印:
Untagged: registry.docker.com:5000/hello-world:v3
wang@wang:~$ docker pull registry.docker.com:5000/hello-world:v3
打印:
v3: Pulling from hello-world
Digest: sha256:0b1396cdcea05f91f38fc7f5aecd58ccf19fb5743bbb79cff5eb3c747b36d909
Status: Downloaded newer image for registry.docker.com:5000/hello-world:v3
6、在客户端主机上列Registry中所有镜像
wang@wang:~$ curl -X GET https://registry.docker.com:5000/v2/_catalog -k
{"repositories":["hello-world"]}
wang@wang:~$ sudo curl -X GET https://registry.docker.com:5000/v2/hello-world/tags/list -k
[sudo] password for wang:
打印:
{"name":"hello-world","tags":["v3","v2"]}
7、查看存储在registry:2宿主机上的镜像
在registry:2创建的私有仓库中,上传的镜像保存在容器的/var/lib/registry目录下。创建registry:2的容器时,会自动创建一个数据卷(Data Volumes),数据卷对应的宿主机下的目录一般为:/var/lib/docker/volumes/XXX/_data。
在volumes目录下找到对应日期目录
root@wang:/var/lib/docker/volumes/c9645e7699b5781fd473a2eda8c1e8630d6fafac99973d08371061159b24773a/_data/docker/registry/v2/repositories/hello-world# ls
_layers _manifests _uploads
可以在创建registry:2的容器时,通过-v参数,修改这种数据卷关系:
–v /opt/docker/registry/data:/var/lib/registry
如果不这样做的话,当Registry容器停止之后,就没办法从Registry中pull镜像了,即使再次启动Registry,之前push的镜像也已经不存在了。所以在启动Registry容器的时候用如下方式:
wang@wang:~$ docker run -d --name registry2 -p 5000:5000 -v /opt/docker/registry/certs:/certs -v /opt/docker/registry/data:/var/lib/registry -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt -e REGISTRY_HTTP_TLS_KEY=/certs/domain.key registry:2
打印:
605127aed5dbb87aa687694b15ecf33a6b2d7850b7ef5a179fe9e0211a529e6e
这样虽然Registry容器停止之后客户机没有办法pull和push,但是只要重新启动就可以了。如下:
关掉了Registry容器:
wang@wang:~$ docker pull registry.docker.com:5000/hello-world:v4
打印:
Error response from daemon: Get https://registry.docker.com:5000/v1/_ping: dial tcp 192.168.x.x:5000: getsockopt: connection refused
重新启动Registry容器:
wang@wang:~$ docker pull registry.docker.com:5000/hello-world:v4
打印:
v4: Pulling from hello-world
Digest: sha256:0b1396cdcea05f91f38fc7f5aecd58ccf19fb5743bbb79cff5eb3c747b36d909
Status: Downloaded newer image for registry.docker.com:5000/hello-world:v4
除了可以将数据保存在当前主机的文件系统上,registry也支持其他基于云的存储系统,比如S3,Microsoft Azure, Ceph Rados, OpenStack Swift and Aliyun OSS等。可以在配置文件中进行配置:https://github.com/docker/distribution/blob/master/docs/configuration.md#storage
一般情况下,证书只支持域名访问,要使其支持IP地址访问,需要修改配置文件openssl.cnf。
在本人ubuntu系统中,文件所在位置是/etc/ssl/openssl.cnf。在其中的[ v3_ca]部分,添加subjectAltName选项:
[ v3_ca ]
subjectAltName = IP:192.168.1.104
生成证书:
...
Country Name (2 letter code) [XX]:
State or Province Name (full name) []:
Locality Name (eg, city) [Default City]:
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:Registry的ip:5000
Email Address []:
三、添加认证
1、创建用户密码文件,testuser,testpassword
root@wang:/home/wang# docker run --entrypoint htpasswd registry:2 -Bbn testuser testpassword > /opt/docker/registry/auth/htpasswd
2、启动Registry容器
root@wang:/home/wang# docker run -d --name registry_native_auth -p 5000:5000 -v /opt/docker/registry/auth:/auth -e "REGISTRY_AUTH=htpasswd" -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd -v /opt/docker/registry/certs:/certs -v /opt/docker/registry/data:/var/lib/registry -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt -e REGISTRY_HTTP_TLS_KEY=/certs/domain.key registry:2
打印:
b69ead24a169ee49b7ecbc39db0e5860bf625d1cae39de633669abc99c35e714
3、从客户机push镜像
wang@wang:~$ docker push registry.docker.com:5000/hello-world:v3
打印:
The push refers to a repository [registry.docker.com:5000/hello-world]
f999ae22f308: Preparing
no basic auth credentials
没有证书,无法push
4、登录Registry,再push镜像
wang@wang:~$ docker login registry.docker.com:5000
Username: testuser
Password:
Login Succeeded
wang@wang:~$ docker push registry.docker.com:5000/hello-world:v3
打印:
The push refers to a repository [registry.docker.com:5000/hello-world]
f999ae22f308: Layer already exists
v3: digest: sha256:0b1396cdcea05f91f38fc7f5aecd58ccf19fb5743bbb79cff5eb3c747b36d909 size: 524
四、高级认证
在Registry前使用代理,利用代理提供https的ssl的认证和basic authentication。
https://docs.docker.com/registry/recipes/
1、配置Nginx作为认证代理(https://docs.docker.com/registry/recipes/nginx/)
配置完成之后的结构基本如下:
wang@wang:/opt/nginx_proxy_registry$ tree
.
├── auth
│ ├── domain.crt
│ ├── domain.key
│ ├── nginx.conf
│ └── nginx.htpasswd
├── data
│ └── docker
│ └── registry
│ └── v2
│ ├── blobs
│ │ └── sha256
│ │ ├── 0b
│ │ │ └── 0b1396cdcea05f91f38fc7f5aecd58ccf19fb5743bbb79cff5eb3c747b36d909
│ │ │ └── data
│ │ ├── 42
│ │ │ └── 42ec4efe9047e40af69dbc4e9680480f333dd6fd6dd84bdf806f672c117c4eba
│ │ │ └── data
│ │ └── f2
│ │ └── f2a91732366c0332ccd7afd2a5c4ff2b9af81f549370f7a19acd460f87686bc7
│ │ └── data
│ └── repositories
│ └── hello-world
│ ├── _layers
│ │ └── sha256
│ │ ├── 42ec4efe9047e40af69dbc4e9680480f333dd6fd6dd84bdf806f672c117c4eba
│ │ │ └── link
│ │ └── f2a91732366c0332ccd7afd2a5c4ff2b9af81f549370f7a19acd460f87686bc7
│ │ └── link
│ ├── _manifests
│ │ ├── revisions
│ │ │ └── sha256
│ │ │ └── 0b1396cdcea05f91f38fc7f5aecd58ccf19fb5743bbb79cff5eb3c747b36d909
│ │ │ └── link
│ │ └── tags
│ │ └── v1.0
│ │ ├── current
│ │ │ └── link
│ │ └── index
│ │ └── sha256
│ │ └── 0b1396cdcea05f91f38fc7f5aecd58ccf19fb5743bbb79cff5eb3c747b36d909
│ │ └── link
│ └── _uploads
└── docker-compose.yml
30 directories, 13 files
(1)创建所需目录
wang@wang:~$ sudo mkdir -p /opt/nginx_proxy_registry/{auth,data}
(2)创建Nginx主配置文件,即/auth/nginx.conf:
events {
worker_connections 1024;
}
http {
upstream docker-registry {
server registry:5000;
}
## Set a variable to help us decide if we need to add the
## 'Docker-Distribution-Api-Version' header.
## The registry always sets this header.
## In the case of nginx performing auth, the header will be unset
## since nginx is auth-ing before proxying.
map $upstream_http_docker_distribution_api_version $docker_distribution_api_version {
'' 'registry/2.0';
}
server {
listen 443 ssl;
server_name registry.docker.com;
# SSL
ssl_certificate /etc/nginx/conf.d/domain.crt;
ssl_certificate_key /etc/nginx/conf.d/domain.key;
# Recommendations from https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
ssl_protocols TLSv1.1 TLSv1.2;
ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;
# disable any limits to avoid HTTP 413 for large image uploads
client_max_body_size 0;
# required to avoid HTTP 411: see Issue #1486 (https://github.com/moby/moby/issues/1486)
chunked_transfer_encoding on;
location /v2/ {
# Do not allow connections from docker 1.5 and earlier
# docker pre-1.6.0 did not properly set the user agent on ping, catch "Go *" user agents
if ($http_user_agent ~ "^(docker\/1\.(3|4|5(?!\.[0-9]-dev))|Go ).*$" ) {
return 404;
}
# To add basic authentication to v2 use auth_basic setting.
auth_basic "Registry realm";
auth_basic_user_file /etc/nginx/conf.d/nginx.htpasswd;
## If $docker_distribution_api_version is empty, the header will not be added.
## See the map directive above where this variable is defined.
add_header 'Docker-Distribution-Api-Version' $docker_distribution_api_version always;
proxy_pass http://docker-registry;
proxy_set_header Host $http_host; # required for docker client's sake
proxy_set_header X-Real-IP $remote_addr; # pass on real client's IP
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_read_timeout 900;
}
}
}
(3)创建密码认证文件
root@wang:/home/wang# docker run --rm --entrypoint htpasswd registry:2 -bn testuser testpassword > /opt/nginx_proxy_registry/auth/nginx.htpasswd
(4)分别copy之前生成的domain.crt和domain.key到auth目录下:
wang@wang:/opt/nginx_proxy_registry/auth$ sudo cp /opt/docker/registry/certs/domain.crt .
wang@wang:/opt/nginx_proxy_registry/auth$ sudo cp /opt/docker/registry/certs/domain.key .
(5)在/nginx_proxy_registry目录下创建docker-compose.yml文件:
nginx:
image: "nginx:1.9"
ports:
- 5043:443
links:
- registry:registry
volumes:
- ./auth:/etc/nginx/conf.d
- ./auth/nginx.conf:/etc/nginx/nginx.conf:ro
registry:
image: registry:2
ports:
- 127.0.0.1:5000:5000
volumes:
- ./data:/var/lib/registry
这个卷直接链到本地/opt/nginx_proxy_registry/data!
(6)启动
wang@wang:/opt/nginx_proxy_registry$ docker-compose up -d
打印:
Starting nginxproxyregistry_registry_1
Starting nginxproxyregistry_nginx_1
(7)验证启动的服务
wang@wang:/opt/nginx_proxy_registry$ docker-compose ps
打印:
Name Command State Ports
-------------------------------------------------------------------------
nginxproxyregist nginx -g daemon Up 0.0.0.0:5043->44
ry_nginx_1 off; 3/tcp, 80/tcp
nginxproxyregist /entrypoint.sh Up 127.0.0.1:5000->
ry_registry_1 /etc/docker ... 5000/tcp
wang@wang:/opt/nginx_proxy_registry$ docker ps
打印:
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
9ce978bd9348 nginx:1.9 "nginx -g 'daemon ..." 2 days ago Up 13 seconds 80/tcp, 0.0.0.0:5043->443/tcp nginxproxyregistry_nginx_1
05488046147e registry:2 "/entrypoint.sh /e..." 2 days ago Up 13 seconds 127.0.0.1:5000->5000/tcp nginxproxyregistry_registry_1
(8)找一个docker客户机进行测试
创建所需目录:
wang@wang:~$ sudo mkdir -p /etc/docker/certs.d/registry.docker.com:5043
把domaiin.crt传到生成的目录里:
root@wang:/home/wang# scp -p /opt/nginx_proxy_registry/auth/domain.crt [email protected]:/etc/docker/certs.d/registry.docker.com:5043/ca.crt
进行登录测试:
wang@wang:~$ docker login -u=testuser -p=testpassword registry.docker.com:5043
打印:
Login Succeeded
wang@wang:~$ docker tag 192.168.x.x:5000/hello-world:1.11 registry.docker.com:5043/hello-world:v1.0
wang@wang:~$ docker push registry.docker.com:5043/hello-world:v1.0
打印:
The push refers to a repository [registry.docker.com:5043/hello-world]
f999ae22f308: Pushed
v1.0: digest: sha256:0b1396cdcea05f91f38fc7f5aecd58ccf19fb5743bbb79cff5eb3c747b36d909 size: 524
(9)在服务端查看日志
wang@wang:/opt/nginx_proxy_registry$ docker-compose logs
打印:
Attaching to nginxproxyregistry_nginx_1, nginxproxyregistry_registry_1
nginx_1 | 192.168.x.x - - [07/Dec/2018:09:00:25 +0000] "GET /v2/ HTTP/1.1" 401 195 "-" "docker/1.13.1 go/go1.6.2 git-commit/092cba3 kernel/4.4.0-116-generic os/linux arch/amd64 UpstreamClient(Docker-Client/1.13.1 \x5C(linux\x5C))"
nginx_1 | 2018/12/07 09:00:25 [crit] 7#7: *2 crypt_r() failed (22: Invalid argument), client: 192.168.x.x, server: registry.docker.com, request: "GET /v2/ HTTP/1.1", host: "registry.docker.com:5043"
(10)停止服务
wang@wang:/opt/nginx_proxy_registry$ docker-compose stop
打印:
Stopping nginxproxyregistry_nginx_1 ... done
Stopping nginxproxyregistry_registry_1 ... done