1.环境描述
[root@localhost docker.registry:5000]# cat /etc/redhat-release
Red Hat Enterprise Linux Server release 7.3 (Maipo)[root@localhost docker.registry:5000]# cat /etc/redhat-release
Red Hat Enterprise Linux Server release 7.3 (Maipo)
[root@localhost docker.registry:5000]# docker version
Client:
Version: 1.13.1
API version: 1.26
Package version: docker-1.13.1-63.git94f4240.el7.centos.x86_64
Go version: go1.9.4
Git commit: 94f4240/1.13.1
Built: Fri May 18 15:44:33 2018
OS/Arch: linux/amd64
Server:
Version: 1.13.1
API version: 1.26 (minimum version 1.12)
Package version: docker-1.13.1-63.git94f4240.el7.centos.x86_64
Go version: go1.9.4
Git commit: 94f4240/1.13.1
Built: Fri May 18 15:44:33 2018
OS/Arch: linux/amd64
Experimental: false2.搭建方式
- 无需验证的镜像中心
- https鉴权的镜像中心
- 用户名密码登录的镜像中心
3.搭建步骤:
3.1 无需验证的镜像中心
拉取镜像:
docker pull registry:2.6.2不需要验证的启动:
docker run -d -p 5000:5000 --name registry2-noauth --restart=always -v /usr/local/docker/registry/auth/:/auth/ -v /usr/local/docker/registry/:/var/lib/registry/ registry:2.6.2--restart=always docker重启容器自启动客户端配置免https
- 修改 /etc/docker/daemon.json
[root@localhost ~]# echo '{ "insecure-registries":["172.16.1.146:5000"] }' > /etc/docker/daemon.json
[root@localhost ~]# cat /etc/docker/daemon.json
{ "insecure-registries":["172.16.1.146:5000"] }- 重载docker
root@localhost ~]# service docker restart如果不配置,客户端使用时候会报错:
Error response from daemon: Get https:// 172.16.1.146:5000/v1/_ping: http: server gave HTTP response to HTTPS client
使用:
- tag镜像并上传
使用docker tag将一个镜像标记,格式如下:
172.16.1.146:5000/registry:2.6.2,其中172.16.1.146是本地仓库地址,5000为仓库端口,registry是镜像标签, 2.6.2是版本号
这里的172.16.1.146可以是本地的ip也可以是域名,如:www.xxx.net
[root@gitlab conf]# docker tag docker.io/registry:2.6.2 172.16.1.146:5000/registry:2.6.2当标记完成后,本地的images中会存放一个和标记名称一样的镜像,我们将这个镜像上传即可
- 上传镜像到镜像中心
[root@localhost local]# docker push 172.16.1.146:5000/registry:2.6.2
The push refers to a repository [172.16.1.146:5000/registry]
9113493eaae1: Pushed
621c2399d41a: Pushed
59e80739ed3f: Pushed
febf19f93653: Pushed
e53f74215d12: Pushed
2.6.2: digest: sha256:feb40d14cd33e646b9985e2d6754ed66616fedb840226c4d917ef53d616dcd6c size: 1364
- 判断镜像是否存在
api:
- 列出所有存储库
GET http://127.0.0.1:5000/v2/_catalog
{
● repositories:
[
○ "mongo",
○ "registry"
]
}- 列出镜像所有tags
GET http://127.0.0.1:5000/v2/registry/tags/list
{
● name: "registry",
● tags:
[
○ "2.6.2",
○ "2.6.3"
]
}registry是镜像的名称,可以看出来镜像已经上传成功。
- 从私有镜像中心拉取镜像
[root@localhost local]# docker pull 172.16.1.146:5000/registry:2.6.2
Trying to pull repository 172.16.1.146:5000/registry ...
2.6.2: Pulling from 172.16.1.146:5000/registry
Digest: sha256:feb40d14cd33e646b9985e2d6754ed66616fedb840226c4d917ef53d616dcd6c
Status: Downloaded newer image for 172.16.1.146:5000/registry:2.6.23.2 https鉴权的镜像中心:
注意:客户端不需要配置免https- 创建key
mkdir -p /usr/local/docker/registry/certs/
cd /usr/local/docker/registry/certs/
openssl genrsa -out docker.registry.key 2048- 创建crt
openssl req -newkey rsa:4096 -nodes -sha256 -keyout docker.registry.key -x509 -days 365 -out docker.registry.crt部分信息填写示例如下:
[root@localhost certs]# openssl req -newkey rsa:4096 -nodes -sha256 -keyout docker.registry.key -x509 -days 365 -out docker.registry.crt
Generating a 4096 bit RSA private key
...........................................................................................++
.............................++
writing new private key to 'docker.registry.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:86
State or Province Name (full name) []:Anhui
Locality Name (eg, city) [Default City]:Hefei
Organization Name (eg, company) [Default Company Ltd]:xxxx
Organizational Unit Name (eg, section) []:xxxx
Common Name (eg, your name or your server's hostname) []:docker.registry
Email Address []:[email protected]- 查看证书失效时间。
[root@localhost docker.registry:5000]# openssl x509 -in docker.registry.crt -noout -dates
notBefore=Jul 5 06:58:36 2018 GMT
notAfter=Jul 5 06:58:36 2019 GMT- 加入docker信任
由于是自签名证书,默认是不受Docker信任的,故而需要将证书添加到Docker 的根证书中,Docker在CentOS 7中,证书存放路径是 :
mkdir -p /etc/docker/certs.d/docker.registry:5000
cp /usr/local/docker/registry/certs/docker.registry.crt /etc/docker/certs.d/docker.registry:5000/docker.registry:5000为实际访问域名和端口
- 启动
docker run -d -p 5000:5000 --name registry2-sslauth -v /usr/local/docker/registry/certs/:/certs/ -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/docker.registry.crt -e REGISTRY_HTTP_TLS_KEY=/certs/docker.registry.key -v /usr/local/docker/registry/:/var/lib/registry/ registry:2.6.2- 验证:
docker tag docker.io/registry:2.6.2 docker.registry:5000/registry:2.6.2
docker push docker.registry:5000/registry:2.6.2
docker rmi docker.registry:5000/registry:2.6.2
docker pull docker.registry:5000/registry:2.6.2其他类似,api操作,需要使用https。
3.3 用户名密码登录的镜像中心
- > 生成用户名:密码
mkdir -p /usr/local/docker/registry/auth
docker run --entrypoint htpasswd registry:2.6.2 -Bbn admin 1qaz\!QAZ >> /usr/local/docker/registry/auth/htpasswd上面这条命令是为admin用户名生成密码为1qaz!QAZ的一条用户信息,存在/usr/local/docker/registry/auth/htpasswd文件里面,文件中存的密码是被加密过的。
- > 启动:
docker run -d -p 5000:5000 --name registry2-httpauth --restart=always -v /usr/local/docker/registry/auth/:/auth/ -e "REGISTRY_AUTH=htpasswd" -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd -v /usr/local/docker/registry/:/var/lib/registry/ registry:2.6.2
- http登录:
docker login 172.16.1.146:5000同样需要配置客户端免https,其他类似,api操作,需要输入用户名、密码。