忠告:请细心阅读本篇博客进行操作。
私有仓库registry的优势:
有时候使用Docker Hub这样的公共仓库可能不方便,这种情况下用户可以使用registry创建一个本地仓库供私人使用,
这点跟Maven的管理类似。
使用私有仓库有许多优点:
1)节省网络带宽:每个镜像不需要每个人都去中央仓库下载,只需从私有仓库中下载即可;
2)提高镜像资源利用率:公司内部使用的镜像推送到本地的私有仓库中,以供公司内部相关人员使用。
目前Docker Registry已经升级到了v2,最新版的Docker已不再支持v1。Registry v2使用Go语言编写,在性能和安全性
上做了很多优化,重新设计了镜像的存储格式。如果需要安装registry v2,只需下载registry:2.2即可。Docker官方提
供的工具docker-registry可以用于构建私有的镜像仓库。
配置私有仓库registry:
[root@foundation38 ns]# cd /home/kiosk/Desktop/
[root@foundation38 Desktop]# docker load -i registry.tar
[root@foundation38 Desktop]# docker images registry 查看上一步加载的registry镜像
REPOSITORY TAG IMAGE ID CREATED SIZE
registry latest bca04f698ba8 2 years ago 423 MB
[root@foundation38 Desktop]# docker images registry 查看镜像
REPOSITORY TAG IMAGE ID CREATED SIZE
registry latest bca04f698ba8 2 years ago 423 MB
[root@foundation38 Desktop]# docker run -d -p 5000:5000 -v /opt/registry:/var/lib/registry registry:2 以挂载宿主机目录/opt/registry的方式运行registry容器
[root@foundation38 Desktop]# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
a0a3fc7dec2f registry:2 "/entrypoint.sh /e..." 26 seconds ago Up 24 seconds 0.0.0.0:5000->5000/tcp quirky_carson
c26d90e74bfb ubuntu "/bin/bash" 7 minutes ago Up 7 minutes vm1
[root@foundation38 Desktop]# vim /etc/hosts 写入本机解析
[root@foundation38 Desktop]# cat /etc/hosts | tail -n 1
172.25.38.250 westos.org 必须在真机(宿主机)上写入该解析,否则后续按域名访问仓库时会出错
[root@foundation38 Desktop]# ping westos.org 可以直接ping通域名
[root@foundation38 Desktop]# docker tag nginx localhost:5000/nginx 先为镜像打上指向本地仓库地址的标签
[root@foundation38 Desktop]# docker push localhost:5000/nginx 将本地镜像上传到仓库
制作证书:
[root@foundation38 Desktop]# cd /opt/registry/
[root@foundation38 registry]# docker pull localhost:5000/nginx 拉取镜像
Using default tag: latest
latest: Pulling from nginx
Digest: sha256:2de9d5fc6585b3f330ff5f2c323d2a4006a49a476729bbc0910b695771526e3f
Status: Image is up to date for localhost:5000/nginx:latest
[root@foundation38 registry]# docker tag localhost:5000/nginx nginx 重命名
[root@foundation38 registry]# ls
docker
[root@foundation38 registry]# ls
docker
[root@foundation38 registry]# rm -fr *
[root@foundation38 registry]# pwd
/opt/registry
[root@foundation38 registry]# ls
[root@foundation38 registry]# cd /tmp/docker/
[root@foundation38 docker]# ls
Dockerfile ssh supervisord.conf test web yum.repo
[root@foundation38 docker]# mkdir certs
[root@foundation38 docker]# cd certs/
[root@foundation38 certs]# ls
[root@foundation38 certs]# cd ..
[root@foundation38 docker]# ls
certs Dockerfile ssh supervisord.conf test web yum.repo
[root@foundation38 docker]# openssl req -newkey rsa:4096 -nodes -sha256 -keyout certs/domain.key -x509 -days 365 -out certs/domain.crt 制作自签名证书(交互式填写信息时,Common Name 需填写仓库域名 westos.org,否则客户端校验证书时会失败)
[root@foundation38 docker]# cd certs/
[root@foundation38 certs]# ls 可以看到生成的domain.crt domain.key文件
domain.crt domain.key
[root@foundation38 certs]# ll
total 8
-rw-r--r-- 1 root root 2098 Aug 21 18:49 domain.crt
-rw-r--r-- 1 root root 3268 Aug 21 18:49 domain.key
[root@foundation38 certs]# cd ..
[root@foundation38 docker]# pwd
/tmp/docker
[root@foundation38 docker]# ls
certs Dockerfile ssh supervisord.conf test web yum.repo
[root@foundation38 docker]# docker run -d \
> --restart=always \
> --name registry \
> -v `pwd`/certs:/certs \
> -e REGISTRY_HTTP_ADDR=0.0.0.0:443 \
> -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt \
> -e REGISTRY_HTTP_TLS_KEY=/certs/domain.key \
> -p 443:443 \
> registry:2
dff160d34d7a0c78e732e758cb03d852c1abc0ed3c3c4e073ecb253a26d87853
[root@foundation38 docker]# ls
certs Dockerfile ssh supervisord.conf test web yum.repo
[root@foundation38 docker]# cd /etc/docker/
[root@foundation38 docker]# ls
daemon.json key.json
[root@foundation38 docker]# vim daemon.json
[root@foundation38 docker]# cat daemon.json
{
"registry-mirrors": ["https://w09mfhg3.mirror.aliyuncs.com"],
"insecure-registries": ["westos.org:5000"]
}
[root@foundation38 docker]# systemctl restart docker.service
[root@foundation38 docker]# docker ps 可以看到新的registry容器已映射443端口
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
ddcf633cde06 registry:2 "/entrypoint.sh /e..." About a minute ago Up About a minute 0.0.0.0:443->443/tcp, 5000/tcp registry
a0a3fc7dec2f registry:2 "/entrypoint.sh /e..." 26 minutes ago Up 26 minutes 0.0.0.0:5000->5000/tcp quirky_carson
c26d90e74bfb ubuntu "/bin/bash" 33 minutes ago Up 33 minutes vm1
[root@foundation38 docker]# docker rm -f a0 删除之前监听5000端口的旧registry容器(容器ID前缀a0)
a0
[root@foundation38 docker]# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
ddcf633cde06 registry:2 "/entrypoint.sh /e..." 2 minutes ago Up 2 minutes 0.0.0.0:443->443/tcp, 5000/tcp registry
c26d90e74bfb ubuntu "/bin/bash" 34 minutes ago Up 34 minutes vm1
[root@foundation38 docker]# docker rm -f vm1
vm1
[root@foundation38 docker]# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
ddcf633cde06 registry:2 "/entrypoint.sh /e..." 2 minutes ago Up 2 minutes 0.0.0.0:443->443/tcp, 5000/tcp registry
[root@foundation38 docker]# cd /opt/registry/
[root@foundation38 registry]# iptables -t nat -nL 可以用iptables查看策略
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DOCKER all -- 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type LOCAL
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
DOCKER all -- 0.0.0.0/0 !127.0.0.0/8 ADDRTYPE match dst-type LOCAL
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE all -- 172.17.0.0/16 0.0.0.0/0
RETURN all -- 192.168.122.0/24 224.0.0.0/24
RETURN all -- 192.168.122.0/24 255.255.255.255
MASQUERADE tcp -- 192.168.122.0/24 !192.168.122.0/24 masq ports: 1024-65535
MASQUERADE udp -- 192.168.122.0/24 !192.168.122.0/24 masq ports: 1024-65535
MASQUERADE all -- 192.168.122.0/24 !192.168.122.0/24
MASQUERADE tcp -- 172.17.0.4 172.17.0.4 tcp dpt:443
Chain DOCKER (2 references)
target prot opt source destination
RETURN all -- 0.0.0.0/0 0.0.0.0/0
DNAT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 to:172.17.0.4:443
[root@foundation38 registry]# netstat -antlp | grep :443
tcp 0 0 172.20.10.2:54900 113.200.111.221:443 ESTABLISHED 2354/firefox
tcp 0 0 172.20.10.2:47252 140.143.52.226:443 ESTABLISHED 2354/firefox
tcp6 0 0 :::443 :::* LISTEN 27854/docker-proxy
[root@foundation38 registry]# cd /etc/docker/
[root@foundation38 docker]# ls
daemon.json key.json
[root@foundation38 docker]# mkdir certs.d
[root@foundation38 docker]# cd certs.d/
[root@foundation38 certs.d]# ls
[root@foundation38 certs.d]# pwd
/etc/docker/certs.d
[root@foundation38 certs.d]# mkdir westos.org
[root@foundation38 certs.d]# cd westos.org/
[root@foundation38 westos.org]# ls
[root@foundation38 westos.org]# pwd
/etc/docker/certs.d/westos.org
[root@foundation38 westos.org]# cp /tmp/docker/certs/domain.crt ./ca.crt 此处的ca.crt必须与仓库所用的domain.crt内容一致,docker客户端才会信任该仓库
[root@foundation38 westos.org]# ls
ca.crt
[root@foundation38 westos.org]# ll
total 4
-rw-r--r-- 1 root root 2098 Aug 21 19:04 ca.crt
[root@foundation38 docker]# docker push westos.org/nginx 将镜像推送到westos.org私有仓库(注意下方输出中推送过程出现了overlay文件缺失的报错)
The push refers to a repository [westos.org/nginx]
08d25fa0442e: Pushed
a8c4aeeaa045: Pushing 53.7 MB/53.7 MB
cdb3f9544e4c: Pushing 55.25 MB/55.25 MB
open /var/lib/docker/overlay/d07460521b7974ed4d29461fcc95694c92357cb7fca558752a5a52db81646d42/root/etc/apt/trusted.gpg: no such file or directory