I. Public registry
Alibaba Cloud's mirror is used here; Docker's official registry (Docker Hub) is another option.
1. Find the Alibaba Cloud service
Log in -> Console -> Products and Services -> Container Registry -> Image Accelerator -> copy the accelerator address
2. Configure the accelerator address
[root@foundation38 docker]# vim /etc/docker/daemon.json
{
  "registry-mirrors": ["https://pr84gvty.mirror.aliyuncs.com"]
}
Restart the daemon
[root@foundation38 docker]# systemctl daemon-reload
[root@foundation38 docker]# systemctl restart docker
Test: images can now be searched for online
[root@foundation38 docker]# docker search nginx
NAME DESCRIPTION STARS OFFICIAL AUTOMATED
nginx Official build of Nginx. 11075 [OK]
II. Setting up a private registry
How the registry works, and how tokens are used
1. Load the registry image, or download it from the network
docker load -i registry.tar
2. Create a directory; it will hold the registry's local data
mkdir /opt/registry
3. Start the registry
[root@foundation38 registry]# docker run -d --name registry -p 5000:5000 -v /opt/registry:/var/lib/registry registry
5ebc1b20c9b0edfcb1decbfc06eb222073209f3642cc4ec64f47e0f01b778d8a
Port 5000 must be mapped: the 5000:5000 here maps port 5000 on the host to port 5000 inside the container.
4. Push an image
docker tag busybox:latest localhost:5000/busybox:latest ## tag the image under the registry's name
[root@foundation38 registry]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
rhel7 v1 dd194834bb9c 3 hours ago 193MB
registry latest f32a97de94e1 8 days ago 25.8MB
busybox latest 59788edf1f3e 5 months ago 1.15MB
localhost:5000/busybox latest 59788edf1f3e 5 months ago 1.15MB
nginx latest e548f1a579cf 12 months ago 109MB
game2048 latest 19299002fdbe 2 years ago 55.5MB
registry 2.3.1 83139345d017 3 years ago 166MB
rhel7 latest 0a3eb3fde7fd 4 years ago 140MB
gcr.io/distroless/base latest 9a255d5fe262 49 years ago 16.8MB
[root@foundation38 registry]# docker push localhost:5000/busybox:latest ## push the image
The push refers to repository [localhost:5000/busybox]
8a788232037e: Pushed
latest: digest: sha256:915f390a8912e16d4beb8689720a17348f3f6d1a7b659697df850ab625ea29d5 size: 527
Test: inspect the stored image
[root@foundation38 registry]# cd /opt/registry/
[root@foundation38 registry]# ls
docker
[root@foundation38 registry]# cd docker/
[root@foundation38 docker]# ls
registry
[root@foundation38 docker]# tree . ## not a plain copy of the image; the tree structure can be seen
.
└── registry
└── v2
├── blobs
│ └── sha256
│ ├── 59
│ │ └── 59788edf1f3e78cd0ebe6ce1446e9d10788225db3dedcfd1a59f764bad2b2690
│ │ └── data
│ ├── 90
│ │ └── 90e01955edcd85dac7985b72a8374545eac617ccdddcc992b732e43cd42534af
│ │ └── data
│ └── 91
│ └── 915f390a8912e16d4beb8689720a17348f3f6d1a7b659697df850ab625ea29d5
│ └── data
└── repositories
└── busybox ## the stored repository
├── _layers
│ └── sha256
│ ├── 59788edf1f3e78cd0ebe6ce1446e9d10788225db3dedcfd1a59f764bad2b2690
│ │ └── link
│ └── 90e01955edcd85dac7985b72a8374545eac617ccdddcc992b732e43cd42534af
│ └── link
├── _manifests
│ ├── revisions
│ │ └── sha256
│ │ └── 915f390a8912e16d4beb8689720a17348f3f6d1a7b659697df850ab625ea29d5
│ │ └── link
│ └── tags
│ └── latest
│ ├── current
│ │ └── link
│ └── index
│ └── sha256
│ └── 915f390a8912e16d4beb8689720a17348f3f6d1a7b659697df850ab625ea29d5
│ └── link
└── _uploads
27 directories, 8 files
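The layout above is the registry's content-addressed store: a tag's current/link names a manifest by its sha256 digest, and blobs/sha256/<first two hex chars>/<digest>/data holds the bytes. Because every object is addressed by its own hash, the store can be checked for corruption or tampering without the registry running, which is worth doing on a backup of /opt/registry. The following POSIX shell script is an added example, not code from the page: verify_tag follows a tag's link to its manifest blob and re-hashes the blob, and build_sample constructs a toy store in a temporary directory (the manifest contents and the deliberately modified nginx blob are made up for the demonstration).

```shell
#!/bin/sh
# Added example (not from the page): verify a registry store laid out as
# <root>/docker/registry/v2/{blobs,repositories}, the structure shown by tree.

# verify_tag ROOT REPO TAG
#   Resolve REPO:TAG through _manifests/tags/TAG/current/link to its manifest
#   blob and check that the blob's content hashes to the digest in the link.
#   Prints OK, NOLINK (tag not present), MISSING (blob absent) or MISMATCH.
verify_tag() {
  v2="$1/docker/registry/v2"
  link="$v2/repositories/$2/_manifests/tags/$3/current/link"
  [ -f "$link" ] || { echo NOLINK; return 1; }
  digest=$(sed 's/^sha256://' "$link")        # link holds "sha256:<hex>"
  prefix=$(printf '%s' "$digest" | cut -c1-2)  # blobs are sharded by first two hex chars
  blob="$v2/blobs/sha256/$prefix/$digest/data"
  [ -f "$blob" ] || { echo MISSING; return 1; }
  actual=$(sha256sum "$blob" | cut -d' ' -f1)
  [ "$actual" = "$digest" ] || { echo MISMATCH; return 1; }
  echo OK
}

# store_manifest ROOT REPO TAG CONTENT
#   Write CONTENT as a manifest blob and point REPO:TAG at it; echoes the digest.
store_manifest() {
  v2="$1/docker/registry/v2"
  digest=$(printf '%s' "$4" | sha256sum | cut -d' ' -f1)
  prefix=$(printf '%s' "$digest" | cut -c1-2)
  mkdir -p "$v2/blobs/sha256/$prefix/$digest" \
           "$v2/repositories/$2/_manifests/tags/$3/current"
  printf '%s' "$4" > "$v2/blobs/sha256/$prefix/$digest/data"
  printf 'sha256:%s' "$digest" > "$v2/repositories/$2/_manifests/tags/$3/current/link"
  echo "$digest"
}

# build_sample ROOT
#   Constructed toy store: busybox:latest is intact, nginx:latest has had its
#   manifest blob modified after the link was written (simulated tampering).
build_sample() {
  store_manifest "$1" busybox latest '{"schemaVersion":2,"name":"busybox"}' >/dev/null
  d=$(store_manifest "$1" nginx latest '{"schemaVersion":2,"name":"nginx"}')
  p=$(printf '%s' "$d" | cut -c1-2)
  printf 'x' >> "$1/docker/registry/v2/blobs/sha256/$p/$d/data"
}

# Stand-alone demonstration
demo_dir=$(mktemp -d)
build_sample "$demo_dir"
for repo in busybox nginx; do
  printf '%s:latest %s\n' "$repo" "$(verify_tag "$demo_dir" "$repo" latest)"
done
rm -rf "$demo_dir"
```

Run it against a real store with verify_tag /opt/registry busybox latest. The same digest-walk can be extended from the manifest to the layer blobs it lists, which is what a full garbage-collection or integrity pass over the registry does.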
Delete the local image
[root@foundation38 docker]# docker rmi localhost:5000/busybox
Untagged: localhost:5000/busybox:latest
Untagged: localhost:5000/busybox@sha256:915f390a8912e16d4beb8689720a17348f3f6d1a7b659697df850ab625ea29d5
Check that it is gone
[root@foundation38 docker]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
rhel7 v1 dd194834bb9c 4 hours ago 193MB
registry latest f32a97de94e1 8 days ago 25.8MB
busybox latest 59788edf1f3e 5 months ago 1.15MB
nginx latest e548f1a579cf 12 months ago 109MB
game2048 latest 19299002fdbe 2 years ago 55.5MB
registry 2.3.1 83139345d017 3 years ago 166MB
rhel7 latest 0a3eb3fde7fd 4 years ago 140MB
gcr.io/distroless/base latest 9a255d5fe262 49 years ago 16.8MB
Pull the image back from the registry
[root@foundation38 docker]# docker pull localhost:5000/busybox:latest
latest: Pulling from busybox
Digest: sha256:915f390a8912e16d4beb8689720a17348f3f6d1a7b659697df850ab625ea29d5
Status: Downloaded newer image for localhost:5000/busybox:latest
[root@foundation38 docker]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
rhel7 v1 dd194834bb9c 4 hours ago 193MB
registry latest f32a97de94e1 8 days ago 25.8MB
busybox latest 59788edf1f3e 5 months ago 1.15MB
localhost:5000/busybox latest 59788edf1f3e 5 months ago 1.15MB
nginx latest e548f1a579cf 12 months ago 109MB
game2048 latest 19299002fdbe 2 years ago 55.5MB
registry 2.3.1 83139345d017 3 years ago 166MB
rhel7 latest 0a3eb3fde7fd 4 years ago 140MB
gcr.io/distroless/base latest 9a255d5fe262 49 years ago 16.8MB
III. Private registry authentication (TLS certificate)
1. Generate an X.509 certificate
[root@foundation38 docker]# pwd
/opt/docker
[root@foundation38 docker]# mkdir -p certs
[root@foundation38 docker]# openssl req \
> -newkey rsa:4096 -nodes -sha256 -keyout certs/westos.org.key \
> -x509 -days 365 -out certs/westos.org.crt
Generating a 4096 bit RSA private key
............................................................................................................................................................................................................................++
.....................................................++
writing new private key to 'certs/westos.org.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:shaanxi
Locality Name (eg, city) [Default City]:xi'an
Organization Name (eg, company) [Default Company Ltd]:westos
Organizational Unit Name (eg, section) []:westos.org
Common Name (eg, your name or your server's hostname) []:westos.org
Email Address []:[email protected]
[root@foundation38 docker]# ls certs/ ## check the certificate
westos.org.crt westos.org.key
2. Install the certificate
cd /etc/docker/
mkdir certs.d
cd certs.d/
mkdir westos.org
cd westos.org/
cp /opt/docker/certs/westos.org.crt ca.crt
3. Create the registry with the certificate
[root@foundation85 docker]# docker run -d --restart=always --name registry -v "$(pwd)"/certs:/certs -e REGISTRY_HTTP_ADDR=0.0.0.0:443 -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/westos.org.crt -e REGISTRY_HTTP_TLS_KEY=/certs/westos.org.key -p 443:443 -v /opt/registry:/var/lib/registry registry
66e55e5d7092e2c634108be6d730aa9309bebfd6b79faaf3a912938a95be4866
Port 443 is now open
[root@foundation85 docker]# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
66e55e5d7092 registry "/entrypoint.sh /etc…" 6 seconds ago Up 4 seconds 0.0.0.0:443->443/tcp, 5000/tcp registry
[root@foundation85 docker]# pwd
/opt/docker
4. Edit the local name resolution and push an image
[root@foundation85 westos.org]# docker tag registry westos.org/registy
[root@foundation85 westos.org]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
registry latest f32a97de94e1 8 days ago 25.8MB
westos.org/registy latest f32a97de94e1 8 days ago 25.8MB
nginx latest e548f1a579cf 12 months ago 109MB
docker-registry-web latest 0db5683824d8 2 years ago 599MB
registry 2.3.1 83139345d017 3 years ago 166MB
[root@foundation85 westos.org]# vim /etc/hosts
172.25.85.250 foundation85.ilt.example.com westosorg westos.org
Push the image
[root@foundation85 westos.org]# docker push westos.org/registy
The push refers to repository [westos.org/registy]
73d61bf022fd: Pushed
5bbc5831d696: Pushed
d5974ddb5a45: Pushed
f641ef7a37ad: Pushed
d9ff549177a9: Pushed
latest: digest: sha256:b1165286043f2745f45ea637873d61939bff6d9a59f76539d6228abf79f87774 size: 1363
5. Start a virtual machine 172.25.85.1 (server1), install docker, create the directory for the certificate, and edit the local name resolution
[root@server1 ~]# mkdir /etc/docker/certs.d/westos.org/ -p
[root@server1 westos.org]# vim /etc/hosts
172.25.85.250 foundation85.ilt.example.com westos.org
6. Transfer the certificate
[root@foundation85 docker]# cd /etc/docker/certs.d/westos.org/
[root@foundation85 westos.org]# ls
ca.crt
[root@foundation85 westos.org]# scp ca.crt [email protected]:/etc/docker/certs.d/westos.org/
[email protected]'s password:
ca.crt
[root@server1 westos.org]# ls
ca.crt
Test: the image can be pulled
[root@server1 westos.org]# docker pull westos.org/registy
Using default tag: latest
latest: Pulling from registy
c87736221ed0: Pull complete
1cc8e0bb44df: Pull complete
54d33bcb37f5: Pull complete
e8afc091c171: Pull complete
b4541f6d3db6: Pull complete
Digest: sha256:b1165286043f2745f45ea637873d61939bff6d9a59f76539d6228abf79f87774
Status: Downloaded newer image for westos.org/registy:latest
[root@server1 westos.org]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
rhel7 v1 68d93c7d9569 4 days ago 169MB
westos.org/registy latest f32a97de94e1 11 days ago 25.8MB
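What this section builds is a trust relationship: the client only accepts the registry because /etc/docker/certs.d/westos.org/ca.crt is the very certificate the registry serves, and because that certificate names westos.org. Both halves silently break when the certificate is re-issued or the hosts entry changes. The POSIX shell script below is an added example, not from the page: check_registry_ca compares the client's ca.crt with the registry's certificate by SHA-256 fingerprint and confirms the certificate carries the host name; make_cert is a non-interactive form of the openssl req command above. Unlike the page's command, make_cert adds a subjectAltName, because Docker built with Go 1.15 or later no longer accepts certificates whose only host identity is the CN (the -addext option needs OpenSSL 1.1.1 or newer). The directory tree it checks is constructed in a temporary directory.

```shell
#!/bin/sh
# Added example (not from the page): check that a client trusts a private
# registry the way this section sets it up. /etc/docker/certs.d/<host>/ca.crt
# must be the same certificate the registry serves, and that certificate must
# name the registry host. Paths are parameters so it can run on a sample tree.

# fingerprint FILE -> SHA-256 fingerprint of a PEM certificate
fingerprint() {
  openssl x509 -noout -fingerprint -sha256 -in "$1" | cut -d= -f2
}

# check_registry_ca HOST SERVER_CRT CERTS_D
#   Prints OK, NOCA (client has no ca.crt for HOST), DIFF (client copy is not
#   the server's certificate) or NONAME (certificate lacks a DNS SAN for HOST).
check_registry_ca() {
  ca="$3/$1/ca.crt"
  [ -f "$ca" ] || { echo NOCA; return 1; }
  [ "$(fingerprint "$ca")" = "$(fingerprint "$2")" ] || { echo DIFF; return 1; }
  openssl x509 -noout -text -in "$2" | grep -q "DNS:$1" || { echo NONAME; return 1; }
  echo OK
}

# make_cert DIR HOST
#   Non-interactive form of the page's openssl req, plus a subjectAltName.
make_cert() {
  mkdir -p "$1"
  openssl req -newkey rsa:2048 -nodes -sha256 -x509 -days 365 \
    -subj "/C=cn/ST=shaanxi/L=xi'an/O=westos/CN=$2" \
    -addext "subjectAltName=DNS:$2" \
    -keyout "$1/$2.key" -out "$1/$2.crt" 2>/dev/null
}

# Stand-alone demonstration on a constructed directory tree
d=$(mktemp -d)
make_cert "$d/certs" westos.org                                 # the registry's certificate
mkdir -p "$d/certs.d/westos.org"
cp "$d/certs/westos.org.crt" "$d/certs.d/westos.org/ca.crt"    # what scp put on server1
make_cert "$d/stale" westos.org                                 # a re-issued cert the client never received
echo "client copy matches: $(check_registry_ca westos.org "$d/certs/westos.org.crt" "$d/certs.d")"
echo "registry re-issued:  $(check_registry_ca westos.org "$d/stale/westos.org.crt" "$d/certs.d")"
echo "unknown registry:    $(check_registry_ca other.org "$d/certs/westos.org.crt" "$d/certs.d")"
rm -rf "$d"
```

On a real client run check_registry_ca westos.org /opt/docker/certs/westos.org.crt /etc/docker/certs.d with the server certificate copied over; DIFF after a certificate rotation means the scp step has to be repeated on every client.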
IV. Encryption (user authentication with htpasswd)
1. Add users
[root@foundation85 docker]# mkdir auth
[root@foundation85 docker]# docker run --entrypoint htpasswd registry -Bbn wxh westos > auth/htpasswd
[root@foundation85 docker]# docker run --entrypoint htpasswd registry -Bbn admin westos >> auth/htpasswd
[root@foundation85 docker]# cat auth/htpasswd
wxh:$2y$05$KxJeHDlTzv0UL7yzk4DnauwjGQG3/89dqqepngZzvufFAcRV0VaI.
admin:$2y$05$.rgISYmP/PPZxzjb9GXLX.nEoHgWWWym6mmCZYqrmdWtmUI8GMwT.
2. Remove the previous local registry
[root@foundation38 docker]# docker rm -f registry
registry
3. Create the new registry
[root@foundation38 docker]# docker run -d --restart=always --name registry -v "$(pwd)"/certs:/certs -e REGISTRY_HTTP_ADDR=0.0.0.0:443 -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/westos.org.crt -e REGISTRY_HTTP_TLS_KEY=/certs/westos.org.key -p 443:443 -v /opt/registry:/var/lib/registry -v "$(pwd)"/auth:/auth -e "REGISTRY_AUTH=htpasswd" -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd registry
c36819bcfce7077d33a7575cb1aa07a7002f905d1cf38baeea09322f4c649fb4
[root@foundation38 docker]# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
c36819bcfce7 registry "/entrypoint.sh /etc…" 22 seconds ago Up 20 seconds 0.0.0.0:443->443/tcp, 5000/tcp registry
[root@foundation38 docker]# netstat -antlp | grep 443
tcp6 0 0 :::443 :::* LISTEN 22748/docker-proxy
Test:
1. The first push fails
[root@foundation38 docker]# docker tag nginx:latest westos.org/nginx
[root@foundation38 docker]# docker push westos.org/nginx
The push refers to repository [westos.org/nginx]
e89b70d28795: Preparing
832a3ae4ac84: Preparing
014cf8bfcb2d: Preparing
no basic auth credentials
2. After logging in, the push succeeds
[root@foundation38 ~]# docker login westos.org
Username: wxh
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
[root@foundation38 ~]# cd .docker/
[root@foundation38 .docker]# ls
config.json
[root@foundation38 .docker]# cat config.json
{
"auths": {
"westos.org": {
"auth": "d3hoOndlc3Rvcw=="
}
},
"HttpHeaders": {
"User-Agent": "Docker-Client/18.06.1-ce (linux)"
}
}
[root@foundation38 .docker]# docker push westos.org/nginx
The push refers to repository [westos.org/nginx]
e89b70d28795: Pushed
832a3ae4ac84: Pushed
014cf8bfcb2d: Pushed
latest: digest: sha256:600bff7fb36d7992512f8c07abd50aac08db8f17c94e3c83e47d53435a1a6f7c size: 948
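The warning printed by docker login is literal: the "auth" value in config.json is only base64 of user:password, so anyone who can read the file (or the REGISTRY_BASIC_AUTH environment of the web UI container later on) has the registry password. The POSIX shell script below is an added example, not from the page: list_inline_creds parses a config.json of the shape shown above and reports which registries have an inline credential, printing the username only, so it can be used to audit hosts before moving them to a credential helper. The sample file it writes is constructed; the westos.org value is the one from the page and the second entry is made up.

```shell
#!/bin/sh
# Added example (not from the page): audit ~/.docker/config.json for registry
# credentials stored inline. Entries handled by a credential helper carry no
# "auth" value and are therefore not reported.

# decode_auth B64 -> the user:password string behind an "auth" value
decode_auth() {
  printf '%s' "$1" | base64 -d
}

# list_inline_creds CONFIG
#   Prints "registry user" for every auths entry that carries an inline "auth".
#   Parsing is tailored to the flat key/value shape docker writes, as on the page.
list_inline_creds() {
  tr -d ' \n\t' < "$1" |
    grep -o '"[^"]*":{"auth":"[^"]*"' |
    while IFS= read -r entry; do
      registry=$(printf '%s' "$entry" | cut -d'"' -f2)
      b64=$(printf '%s' "$entry" | sed 's/.*"auth":"\([^"]*\)".*/\1/')
      user=$(decode_auth "$b64" | cut -d: -f1)
      printf '%s %s\n' "$registry" "$user"
    done
}

# write_sample FILE: constructed config.json in the shape docker login writes
write_sample() {
  cat > "$1" <<'EOF'
{
  "auths": {
    "westos.org": {
      "auth": "d3hoOndlc3Rvcw=="
    },
    "registry.example.test": {
      "auth": "YWxpY2U6aHVudGVyMg=="
    }
  },
  "HttpHeaders": {
    "User-Agent": "Docker-Client/18.06.1-ce (linux)"
  }
}
EOF
}

# Stand-alone demonstration
f=$(mktemp)
write_sample "$f"
list_inline_creds "$f"
rm -f "$f"
```

Run list_inline_creds /root/.docker/config.json on a host; any registry it prints is one where docker logout and a credential helper (see the URL in the login warning) removes the plaintext password from disk.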
3. Pull from the remote host
[root@server1 westos.org]# docker pull westos.org/nginx
Using default tag: latest
latest: Pulling from nginx
8176e34d5d92: Pull complete
5b19c1bdd74b: Pull complete
4e9f6296fa34: Pull complete
Digest: sha256:600bff7fb36d7992512f8c07abd50aac08db8f17c94e3c83e47d53435a1a6f7c
Status: Downloaded newer image for westos.org/nginx:latest
V. Web UI
1. Load the UI image
[root@foundation38 images]# docker load -i docker-registry-web.tar
2. Remove the previous registry
[root@foundation85 docker]# docker rm -f registry
registry
3. Create the registry
docker run -d --restart=always --name registry -v "$(pwd)"/certs:/certs -e REGISTRY_HTTP_ADDR=0.0.0.0:443 -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/westos.org.crt -e REGISTRY_HTTP_TLS_KEY=/certs/westos.org.key -p 443:443 -v /opt/registry:/var/lib/registry -v "$(pwd)"/auth:/auth -e "REGISTRY_AUTH=htpasswd" -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd -e REGISTRY_STORAGE_DELETE_ENABLED=true registry
Explanation
-e REGISTRY_STORAGE_DELETE_ENABLED=true ## allow deletion of images through the API
4. Start the web UI
docker run -it -p 8080:8080 --name registry-web --link registry:westos.org -e REGISTRY_URL=https://westos.org/v2 -e REGISTRY_TRUST_ANY_SSL=true -e REGISTRY_BASIC_AUTH="d3hoOndlc3Rvcw==" -e REGISTRY_NAME=westos.org -e REGISTRY_READONLY=false docker-registry-web
REGISTRY_READONLY=false ## disable read-only mode