Docker hands-on case: building a private registry with registry

  • Preface
  • 1. Building a private registry over HTTP
  • servera
  • serverb
  • Test on serverb
  • 2. Building a private registry over HTTPS
  • servera
  • serverb
  • Test on serverb
  • 3. Managing the Docker registry from a web UI
  • Tips: servera and serverb must keep their clocks in sync, so calibrate the system time before starting

Preface

This environment is Docker 19.03.13 built on CentOS 7.8.
For the build steps, see "Building Docker-19.03.13".

Docker registries can be divided into private and public ones. For an enterprise, however, network transfer quality, bandwidth cost and the need to store data securely usually lead to a self-hosted private registry inside the company as the place where Docker images are kept. Below we set up such a private registry based on registry.


Classification

  • Sponsor Registry: a third-party registry open to customers and the Docker community;
  • Mirror Registry: a third-party registry available only to customers, such as Docker CN or the Alibaba Cloud image accelerator;
  • Vendor Registry: a registry run by the vendor that publishes the Docker images, such as Red Hat's proprietary, paid registry;
  • Private Registry: a registry provided by a private entity behind a firewall and extra security layers; a self-built registry, hosted locally, which also saves bandwidth

Environment preparation

  • 2 Linux hosts with Docker installed; for the exact setup, see the "Building Docker-19.03.13" chapter
  • The 2 host names are servera.wan.host and serverb.wan.host,
    where servera is the image registry server and serverb is the registry client
  • Name resolution is configured through hosts

1. Building a private registry over HTTP

servera

Pull the registry image

[root@servera ~]# docker pull registry
[root@servera ~]# docker image ls
REPOSITORY TAG IMAGE ID CREATED SIZE
registry latest 2d4f4b5309b1 4 months ago 26.2MB

Run registry

[root@servera ~]# docker run -d --name registry_server -p 5000:5000 -v /data/registry:/var/lib/registry registry
a14df3d75467f1fffda6b2c5197cd2c98f3bd73f7c0a21170a77f24995779968

[root@servera ~]# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
a14df3d75467 registry "/entrypoint.sh /etc…" 9 seconds ago Up 8 seconds 0.0.0.0:5000->5000/tcp registry_server

[root@servera ~]# netstat -lnutp | grep 5000
tcp6 0 0 :::5000 :::* LISTEN 44473/docker-proxy

serverb

Edit the Docker daemon configuration file and add servera to the list of insecure registries

[root@serverb ~]# vim /etc/docker/daemon.json
{
"registry-mirrors": ["https://docker.mirrors.ustc.edu.cn/"],
"insecure-registries": ["servera:5000"]
}
[root@serverb ~]# systemctl restart docker

Tag an image so that there is one ready to upload

[root@serverb ~]# docker image ls
REPOSITORY TAG IMAGE ID CREATED SIZE
busybox latest f0b02e9d092d 3 weeks ago 1.23MB
[root@serverb ~]# docker tag busybox:latest servera.wan.host:5000/busybox:v1
[root@serverb ~]# docker image ls
REPOSITORY TAG IMAGE ID CREATED SIZE
busybox latest f0b02e9d092d 3 weeks ago 1.23MB
servera.wan.host:5000/busybox v1 f0b02e9d092d 3 weeks ago 1.23MB

Push the image

[root@serverb ~]# docker push servera.wan.host:5000/busybox:v1 
The push refers to repository [servera.wan.host:5000/busybox]
d2421964bad1: Pushed
v1: digest: sha256:c9249fdf56138f0d929e2080ae98ee9cb2946f71498fc1484288e6a935b5e5bc size: 527

Check the image on servera

[root@servera ~]# ll /data/registry/docker/registry/v2/repositories/
total 0
drwxr-xr-x 5 root root 55 Nov 6 17:02 busybox

Test on serverb

Delete the local images, then pull the image from the registry and run it

[root@serverb ~]# docker rmi busybox:latest servera.wan.host:5000/busybox:v1 
Untagged: busybox:latest
Untagged: busybox@sha256:a9286defaba7b3a519d585ba0e37d0b2cbee74ebfe590960b0b1d6a5e97d1e1d
Untagged: servera.wan.host:5000/busybox:v1
Untagged: servera.wan.host:5000/busybox@sha256:c9249fdf56138f0d929e2080ae98ee9cb2946f71498fc1484288e6a935b5e5bc
Deleted: sha256:f0b02e9d092d905d0d87a8455a1ae3e9bb47b4aa3dc125125ca5cd10d6441c9f
Deleted: sha256:d2421964bad195c959ba147ad21626ccddc73a4f2638664ad1c07bd9df48a675

[root@serverb ~]# docker pull servera.wan.host:5000/busybox:v1
v1: Pulling from busybox
9758c28807f2: Pull complete
Digest: sha256:c9249fdf56138f0d929e2080ae98ee9cb2946f71498fc1484288e6a935b5e5bc
Status: Downloaded newer image for servera.wan.host:5000/busybox:v1
servera.wan.host:5000/busybox:v1
[root@serverb ~]# docker run --rm -it --name busybox_test servera.wan.host:5000/busybox:v1 /bin/sh
/ # ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
4: eth0@if5: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 qdisc noqueue
link/ether 02:42:ac:11:00:02 brd ff:ff:ff:ff:ff:ff
inet 172.17.0.2/16 brd 172.17.255.255 scope global eth0
valid_lft forever preferred_lft forever
/ # exit

2. Building a private registry over HTTPS

Host names and hosts resolution are already configured and are not shown again here.

servera

Generate the key pair and certificate on the registry server

[root@servera mnt]# mkdir -p /opt/certs
[root@servera mnt]# openssl req \
> -newkey rsa:4096 -nodes -sha256 -keyout /opt/certs/domain.key \
> -x509 -days 36500 -out /opt/certs/domain.crt
Generating a 4096 bit RSA private key
..............++
...........................................................................++
writing new private key to '/opt/certs/domain.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:SHAN`XI
Locality Name (eg, city) [Default City]:XI`AN
Organization Name (eg, company) [Default Company Ltd]:SCHOLL
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:servera.wan.host
Email Address []:wan@123.com

[root@servera mnt]# ll /opt/certs/
total 8
-rw-r--r-- 1 root root 2098 Nov 6 17:12 domain.crt
-rw-r--r-- 1 root root 3268 Nov 6 17:12 domain.key
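The certificate generated above carries the host name only in the CN field and has no subjectAltName. Docker's TLS stack (Go) ignores the CN: the Docker 19.03 used in this post still accepts such a certificate, but releases built with Go 1.15 or later reject it. The certificate is also valid for 100 years, and the listing shows the private key as world-readable (mode 644). The script below is an added example, not code from the original post: it produces the same two files (domain.key, domain.crt) with a DNS SAN, restricts the key's permissions, and checks the SAN before the certificate is handed to the registry. It assumes OpenSSL is installed; the host name and output directory are parameters, and a config file is used instead of -addext so it also works with the OpenSSL 1.0.2 shipped by CentOS 7.

```shell
#!/bin/sh
# Added example (not from the original post): self-signed registry certificate
# with a subjectAltName, plus a check that the SAN is really present.
# Assumes: openssl is installed. Host name and output directory are parameters.
set -e

# make_registry_cert <hostname> <outdir>
# Writes <outdir>/domain.key and <outdir>/domain.crt, the same two files the
# registry container mounts from /certs. A config file is used instead of
# "-addext" so the command also works with OpenSSL 1.0.2 (CentOS 7).
make_registry_cert() {
  host="$1"
  outdir="$2"
  mkdir -p "$outdir"
  cat > "$outdir/openssl.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_req
prompt = no
[dn]
CN = $host
[v3_req]
subjectAltName = DNS:$host
EOF
  # 365 days rather than the 36500 used above: rotating is cheap, revoking is not.
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -config "$outdir/openssl.cnf" \
    -keyout "$outdir/domain.key" -out "$outdir/domain.crt" 2>/dev/null
  # The private key must not be world-readable; the listing above shows 644.
  chmod 600 "$outdir/domain.key"
  chmod 644 "$outdir/domain.crt"
}

# cert_has_san <crt> <hostname>
# Succeeds only if the certificate lists <hostname> as a DNS subjectAltName.
# "-text" output is parsed instead of using "-ext" for the same OpenSSL 1.0.2 reason.
cert_has_san() {
  openssl x509 -in "$1" -noout -text 2>/dev/null \
    | grep -A1 'Subject Alternative Name' \
    | grep -qE "DNS:$2(,| |\$)"
}
```

Usage on servera would be make_registry_cert servera.wan.host /opt/certs followed by cert_has_san /opt/certs/domain.crt servera.wan.host; the rest of the docker run command on this page stays unchanged.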

Start the docker registry

Image data is stored locally under /mnt/registry
The registry's certificate and key are stored locally under /opt/certs

[root@servera mnt]# docker run -d \
> --restart=always \
> --name registry \
> -v /opt/certs:/certs \
> -v /mnt/registry:/var/lib/registry \
> -e REGISTRY_HTTP_ADDR=0.0.0.0:443 \
> -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt \
> -e REGISTRY_HTTP_TLS_KEY=/certs/domain.key \
> -p 443:443 \
> registry
4503a20f9b1f4cf3bdad8fbaf4cff417765ef3fee624f0fb40503c6ede422d10

[root@servera mnt]# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
4503a20f9b1f registry "/entrypoint.sh /etc…" 2 minutes ago Up 2 minutes 0.0.0.0:443->443/tcp, 5000/tcp registry
7d6eaa8aac44 registry "/entrypoint.sh /etc…" 15 minutes ago Up 15 minutes 0.0.0.0:5000->5000/tcp registry_server
[root@servera mnt]#

serverb

Copy the certificate file to serverb

[root@serverb ~]# mkdir /etc/docker/certs.d/servera.wan.host -p
[root@serverb ~]# scp servera:/opt/certs/domain.crt /etc/docker/certs.d/servera.wan.host/ca.crt
The authenticity of host 'servera (192.168.5.11)' can't be established.
ECDSA key fingerprint is SHA256:8KoAXpPVTPc8T4wS2TQoTrAcVmbrZUqiI0UQ4L56zCQ.
ECDSA key fingerprint is MD5:48:a8:5d:58:f3:a7:c6:9b:b8:11:1a:1c:09:a8:55:04.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'servera,192.168.5.11' (ECDSA) to the list of known hosts.
root@servera's password:
domain.crt 100% 2098 2.3MB/s 00:00
[root@serverb ~]# ll /etc/docker/certs.d/servera.wan.host/
total 8
-rw-r--r--. 1 root root 2098 Nov 6 17:21 ca.crt
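The copy above runs over an SSH connection whose host key was accepted unseen (the "yes" to an unknown fingerprint), and the file that lands in /etc/docker/certs.d then becomes the trust anchor for every pull and push from serverb. A practitioner would confirm out of band (for example by reading sha256sum /opt/certs/domain.crt on servera's console) that the copied file is the one generated there. The script below is an added example, not code from the original post: it hashes the copied certificate and installs it as Docker's per-registry ca.crt only when the hash matches the expected value. It assumes sha256sum from coreutils; the certs.d base directory is a parameter so the functions can be tried outside /etc/docker.

```shell
#!/bin/sh
# Added example (not from the original post): verify a copied CA certificate
# before installing it as Docker's trust anchor for a registry.
# Assumes: sha256sum from coreutils. The certs.d base directory is a parameter
# (default /etc/docker/certs.d) so the functions can be tried anywhere.
set -e

# cert_sha256 <file>: print the SHA-256 of the file and nothing else
cert_sha256() {
  sha256sum "$1" | cut -d' ' -f1
}

# install_registry_ca <registry-host> <copied.crt> <expected-sha256> [certs.d base]
# Installs the certificate as <base>/<registry-host>/ca.crt, the location the
# Docker client checks for a registry's CA, but only if its hash equals the
# value obtained out of band from the server that generated it.
install_registry_ca() {
  host="$1"; crt="$2"; expected="$3"; base="${4:-/etc/docker/certs.d}"
  actual=$(cert_sha256 "$crt")
  if [ -z "$expected" ] || [ "$actual" != "$expected" ]; then
    echo "refusing to install $crt for $host: sha256 $actual != $expected" >&2
    return 1
  fi
  mkdir -p "$base/$host"
  cp "$crt" "$base/$host/ca.crt"
  chmod 644 "$base/$host/ca.crt"
}
```

On serverb the call would be install_registry_ca servera.wan.host /tmp/domain.crt "<hash read on servera>"; a mismatch leaves the certs.d directory untouched, so Docker keeps refusing the registry instead of trusting a wrong certificate.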

Tag an image so that there is one ready to upload
Note: Docker talks to registries over HTTPS by default, so port 443 can be omitted here

[root@serverb ~]# docker tag busybox:latest servera.wan.host/busybox:v0.1
[root@serverb ~]# docker image ls
REPOSITORY TAG IMAGE ID CREATED SIZE
busybox latest f0b02e9d092d 3 weeks ago 1.23MB
servera.wan.host/busybox v0.1 f0b02e9d092d 3 weeks ago 1.23MB
servera.wan.host:5000/busybox v1 f0b02e9d092d 3 weeks ago 1.23MB

Push the image

[root@serverb ~]# docker push servera.wan.host/busybox:v0.1
The push refers to repository [servera.wan.host/busybox]
d2421964bad1: Pushed
v0.1: digest: sha256:c9249fdf56138f0d929e2080ae98ee9cb2946f71498fc1484288e6a935b5e5bc size: 527

Check the image on servera

[root@servera ~]# ll /mnt/registry/docker/registry/v2/repositories/
total 0
drwxr-xr-x 5 root root 55 Nov 6 17:24 busybox

Test on serverb

Delete the local images, then pull the image from the registry and run it

[root@serverb ~]# docker rmi servera.wan.host/busybox:v0.1 servera.wan.host:5000/busybox:v1 busybox:latest

[root@serverb ~]# docker pull servera.wan.host/busybox:v0.1
v0.1: Pulling from busybox
9758c28807f2: Pull complete
Digest: sha256:c9249fdf56138f0d929e2080ae98ee9cb2946f71498fc1484288e6a935b5e5bc
Status: Downloaded newer image for servera.wan.host/busybox:v0.1
servera.wan.host/busybox:v0.1
[root@serverb ~]# docker image ls
REPOSITORY TAG IMAGE ID CREATED SIZE
servera.wan.host/busybox v0.1 f0b02e9d092d 3 weeks ago 1.23MB
[root@serverb ~]# docker run --rm -d --name buxybox_test servera.wan.host/busybox:v0.1 /bin/sh
729e88416b9d8371619ef0c11f2963d462b10d18360c53c8000bd400b7bb437b
[root@serverb ~]# docker run --rm -it --name buxybox_test servera.wan.host/busybox:v0.1 /bin/sh
/ # ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
8: eth0@if9: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 qdisc noqueue
link/ether 02:42:ac:11:00:02 brd ff:ff:ff:ff:ff:ff
inet 172.17.0.2/16 brd 172.17.255.255 scope global eth0
valid_lft forever preferred_lft forever
/ # exit
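Both tests on serverb pull by tag (v1 over HTTP, v0.1 over HTTPS). A tag is a mutable pointer that the registry can re-point at any time; the sha256 digest printed by docker push and again by docker pull is the content address of the manifest, and matching the two is what actually shows serverb received what servera stored. As an added example (not part of the original post), the functions below extract that digest from the two outputs shown on this page, compare them, and build the immutable name@digest reference that docker pull accepts; the sample output is copied from the transcript above and embedded so the file runs without a Docker daemon.

```shell
#!/bin/sh
# Added example (not from the original post): compare the manifest digest printed
# by "docker push" on serverb with the one printed by the later "docker pull", and
# turn a tag reference into an immutable digest reference.
set -e

# Sample output, copied from the push/pull transcript above (constructed input for
# the functions; no Docker daemon is needed to run this file).
PUSH_OUTPUT='The push refers to repository [servera.wan.host/busybox]
d2421964bad1: Pushed
v0.1: digest: sha256:c9249fdf56138f0d929e2080ae98ee9cb2946f71498fc1484288e6a935b5e5bc size: 527'

PULL_OUTPUT='v0.1: Pulling from busybox
9758c28807f2: Pull complete
Digest: sha256:c9249fdf56138f0d929e2080ae98ee9cb2946f71498fc1484288e6a935b5e5bc
Status: Downloaded newer image for servera.wan.host/busybox:v0.1
servera.wan.host/busybox:v0.1'

# digest_from_push: read "docker push" output on stdin, print the manifest digest
digest_from_push() {
  sed -n 's/^.*: digest: \(sha256:[0-9a-f]\{64\}\) size: [0-9]*$/\1/p'
}

# digest_from_pull: read "docker pull" output on stdin, print the manifest digest
digest_from_pull() {
  sed -n 's/^Digest: \(sha256:[0-9a-f]\{64\}\)$/\1/p'
}

# digests_match <push output> <pull output>
# Succeeds only if both outputs contain a digest and the digests are identical.
digests_match() {
  pushed=$(printf '%s\n' "$1" | digest_from_push)
  pulled=$(printf '%s\n' "$2" | digest_from_pull)
  [ -n "$pushed" ] && [ "$pushed" = "$pulled" ]
}

# pinned_ref <repo[:tag]> <digest>
# Prints the immutable reference for later pulls, e.g.
# servera.wan.host/busybox@sha256:...; a tag, if present, is dropped. Only the
# last path component is inspected, so a registry port such as :5000 is kept.
pinned_ref() {
  repo="$1"
  case "${repo##*/}" in
    *:*) repo="${repo%:*}" ;;
  esac
  printf '%s@%s\n' "$repo" "$2"
}

# Stand-alone run: verify the transcript and print the pinned reference
if digests_match "$PUSH_OUTPUT" "$PULL_OUTPUT"; then
  pinned_ref servera.wan.host/busybox:v0.1 "$(printf '%s\n' "$PULL_OUTPUT" | digest_from_pull)"
else
  echo "digest mismatch between push and pull" >&2
  exit 1
fi
```

In practice the push output would be captured on the machine that built the image and the pull output on the machine that deploys it; pulling the printed name@digest reference instead of the tag makes a later re-tag on the registry visible as a pull failure rather than a silent change of content.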

3. Managing the Docker registry from a web UI

Pull and run registry-web

[root@servera ~]# docker run -d -p 8080:8080 --name registry-web \
> --link registry \
> -e REGISTRY_URL=https://registry/v2 \
> -e REGISTRY_TRUST_ANY_SSL=true \
> -e REGISTRY_NAME=localhost \
> hyper/docker-registry-web
Unable to find image 'hyper/docker-registry-web:latest' locally
latest: Pulling from hyper/docker-registry-web
04c996abc244: Pull complete
d394d3da86fe: Pull complete
bac77aae22d4: Pull complete
b48b86b78e97: Pull complete
09b3dd842bf5: Pull complete
69f4c5394729: Pull complete
b012980650e9: Pull complete
7c7921c6fda1: Pull complete
e20331c175ea: Pull complete
40d5e82892a5: Pull complete
a414fa9c865a: Pull complete
0304ae3409f3: Pull complete
13effc1a664f: Pull complete
e5628d0e6f8c: Pull complete
0b0e130a3a52: Pull complete
d0c73ab65cd2: Pull complete
240c0b145309: Pull complete
f1fd6f874e5e: Pull complete
40b5e021928e: Pull complete
88a8c7267fbc: Pull complete
f9371a03010e: Pull complete
Digest: sha256:723ffa29aed2c51417d8bd32ac93a1cd0e7ef857a0099c1e1d7593c09f7910ae
Status: Downloaded newer image for hyper/docker-registry-web:latest
6959b212f3244f185b8606c91884795b4c916f0af3edef98c479b259995f024

Open it in a browser:
http://192.168.5.11:8080/

[screenshots of the registry-web page]


Copy the certificate into Docker's trust directory on servera

[root@servera ~]#  mkdir /etc/docker/certs.d/servera.wan.host -p
[root@servera ~]# cp /opt/certs/domain.crt /etc/docker/certs.d/servera.wan.host/ca.crt

Tag and push an image

[root@servera ~]# docker push servera.wan.host/docker-registry-web:v1 
The push refers to repository [servera.wan.host/docker-registry-web]
8779b4998d0c: Pushed
9eb22ef427e2: Pushed
64d1c65ea33e: Pushed
d6c3b0e63834: Pushed
1315f14832fa: Pushed
d16096ccf0bb: Pushed
463a4bd8f8c1: Pushed
be44224e76b9: Pushed
d96a8038b794: Pushed
f469fc28e82e: Pushed
8418a42306ef: Pushed
03457c5158e2: Pushed
7ef05f1204ee: Pushed
f7049feabf0b: Pushed
5ee52271b8b7: Pushed
8b1153b14d3a: Pushed
367b9c52c931: Pushed
3567b2f05514: Pushed
292a66992f77: Pushed
641fcd2417bc: Pushed
78ff13900d61: Pushed
v1: digest: sha256:2c4f88572e1626792d3ceba6a5ee3ea99f1c3baee2a0e8aad56f0e7c3a6bf481 size: 4695

View it in the browser:

[screenshot]

Drill down into the docker-registry-web image:

[screenshot]

View the layer information of the docker-registry-web image:

[screenshot]

Tips: servera and serverb must keep their clocks in sync, so calibrate the system time before starting