Contents

  • Environment
  • Introduction
  • Preparation
  • Download
  • Starting
  • Without a password
  • Testing
  • Solution
  • Checking the volume mapping
  • pull
  • With a password
  • Testing
  • Starting a Secure Registry
  • Certificate
  • Installing the certificate
  • Login test
  • push from the client [local-12]
  • API
  • Best practice
  • Key points
  • Command cascade
  • Server side
  • Client side
  • Cleanup
  • Wipe everything
  • Targeted
  • References


Environment

Component          Version
CentOS             7
Docker             19.03.2
docker-registry    2.7.0

Registry server: IP 192.168.0.122, hostname uat, domain uat.cnswb.com
Server port mapping: 18080:5000 (host:container)
Registry client: IP 192.168.0.12, hostname local-12

Introduction

Docker officially provides the Docker Hub website as a public, centralised repository. However, access to Docker Hub from a local network is often slow, and in many cases we want a private repository that is used only inside our own network.
A Docker repository actually provides two functions: image management and authentication. The former is implemented mainly by the docker-registry project, which handles upload and download over HTTP; the latter can be provided by the docker-index project (closed source) or by an existing authentication solution (such as nginx) that manages the HTTP requests.

Preparation

To make later cleanup easier, pick a host directory to mount over the image storage path /var/lib/registry, and create it:

mkdir -p /var/lib/registry

Note: /var/lib/registry is the default root directory; it can be changed through the environment variable REGISTRY_STORAGE_FILESYSTEM_ROOTDIRECTORY.

Write REGISTRY_HOME=/var/lib/registry into /etc/profile and reload it: source /etc/profile

Download

docker pull registry:2.7.0

Starting

Without a password

docker run -d --restart=unless-stopped -v /var/lib/registry:/var/lib/registry -p 18080:5000 registry:2.7.0

Testing

docker tag swb-svc-house:uat-5 192.168.0.122:18080/swb-svc-house:dev-35
docker push 192.168.0.122:18080/swb-svc-house:dev-35

This fails with the following error:

The push refers to repository [192.168.0.122:18080/swb-svc-house]
Get https://192.168.0.122:18080/v2/: http: server gave HTTP response to HTTPS client
Solution

vim /usr/lib/systemd/system/docker.service

  1. Find the line beginning with ExecStart and append --insecure-registry=192.168.0.122:18080 to the end of it.

  2. Restart Docker:
systemctl daemon-reload && systemctl restart docker
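Editing the unit file under /usr/lib/systemd/system works, but that file is replaced on the next package upgrade. Docker also reads the same list from the insecure-registries key of /etc/docker/daemon.json. The Python script below is an added example, not code from the original post: it merges one registry entry into that file without clobbering other keys and without duplicating the entry, validates the host:port form first, and takes the file path as a parameter so it can be tried on a scratch file before touching the live config. The function name and the scratch-file demo are assumptions of the example; the daemon.json path is Docker's default.

```python
import json
import os
import re
import tempfile
from pathlib import Path

DEFAULT_DAEMON_JSON = "/etc/docker/daemon.json"  # Docker's default daemon config path
REGISTRY_RE = re.compile(r"[A-Za-z0-9.-]+(:\d{1,5})?")  # host or host:port


def add_insecure_registry(registry: str, path: str = DEFAULT_DAEMON_JSON) -> list:
    """Add `registry` (host or host:port) to the insecure-registries list in daemon.json.

    Other keys already in the file are preserved and the entry is never duplicated.
    Returns the resulting list. dockerd must be restarted afterwards to pick it up.
    """
    if not REGISTRY_RE.fullmatch(registry):
        raise ValueError(f"not a host[:port] value: {registry!r}")
    p = Path(path)
    config = {}
    if p.exists() and p.read_text().strip():
        config = json.loads(p.read_text())
    registries = list(config.get("insecure-registries", []))
    if registry not in registries:
        registries.append(registry)
    config["insecure-registries"] = registries
    p.parent.mkdir(parents=True, exist_ok=True)
    # write to a sibling file and rename, so a crash mid-write never leaves
    # dockerd with a half-written (unparseable) config
    tmp = p.with_suffix(".tmp")
    tmp.write_text(json.dumps(config, indent=2) + "\n")
    os.replace(tmp, p)
    return registries


if __name__ == "__main__":
    # Demonstrate on a scratch copy rather than the live /etc/docker/daemon.json
    with tempfile.TemporaryDirectory() as d:
        scratch = os.path.join(d, "daemon.json")
        print(add_insecure_registry("192.168.0.122:18080", scratch))
        print(Path(scratch).read_text())
```

Run it against the real path as root, then `systemctl restart docker`; a `daemon-reload` is not needed because the unit file is untouched.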

Push again:

docker push 192.168.0.122:18080/swb-svc-house:dev-35

Checking the volume mapping

ll /var/lib/registry/docker/registry/v2/repositories/

pull

docker rmi 192.168.0.122:18080/swb-svc-house:dev-35
docker pull 192.168.0.122:18080/swb-svc-house:dev-35

Output similar to the following indicates success:

[root@uat ~]# docker rmi 192.168.0.122:18080/swb-svc-house:dev-35
Untagged: 192.168.0.122:18080/swb-svc-house:dev-35
Untagged: 192.168.0.122:18080/swb-svc-house@sha256:a54c22bbfa197639032d88b198bfe57966a95799dcfc9637f929c88e07078925
[root@uat ~]# docker pull 192.168.0.122:18080/swb-svc-house:dev-35
dev-35: Pulling from swb-svc-house
Digest: sha256:a54c22bbfa197639032d88b198bfe57966a95799dcfc9637f929c88e07078925
Status: Downloaded newer image for 192.168.0.122:18080/swb-svc-house:dev-35
192.168.0.122:18080/swb-svc-house:dev-35

With a password

Generate an htpasswd file with username swb and password swbyouwant2019:

mkdir $REGISTRY_HOME/auth
docker run --entrypoint htpasswd registry:2.7.0 -Bbn swb swbyouwant2019 > $REGISTRY_HOME/auth/htpasswd

Start the registry with authentication enabled:

docker run -d --restart=unless-stopped \
   -v $REGISTRY_HOME:$REGISTRY_HOME \
   -e "REGISTRY_AUTH=htpasswd" \
   -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" \
   -e REGISTRY_AUTH_HTPASSWD_PATH=$REGISTRY_HOME/auth/htpasswd \
   -p 18080:5000 registry:2.7.0

Test the login:

docker login 192.168.0.122:18080

Username: swb
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded

Testing

Refer to the test in the previous subsection.

Starting a Secure Registry

If you own a domain name, a host under that domain serves the registry, and you hold a certificate signed by a well-known CA, you can set up a Secure Registry. In that case the --insecure-registry=192.168.0.122:18080 parameter can be removed from docker.service.

On a LAN there is no ready-made certificate, so only a self-signed one can be used. Strictly speaking, a self-signed certificate still counts as insecure in Docker's eyes; the self-signed certificate is used here only to walk through the deployment steps of a Secure Registry.

Certificate

Self-signed certificate:

mkdir $REGISTRY_HOME/certs
openssl req -newkey rsa:2048 -nodes -sha256 -keyout $REGISTRY_HOME/certs/domain.key -x509 -days 3650 -out $REGISTRY_HOME/certs/domain.crt

Fill in the details:

Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:ShaanXi
Locality Name (eg, city) [Default City]:Xi'an
Organization Name (eg, company) [Default Company Ltd]:swb
Organizational Unit Name (eg, section) []:dev
Common Name (eg, your name or your server's hostname) []:uat.cnswb.com
Email Address []:uat@cnswb.com

Edit /etc/hosts so that uat.cnswb.com, the domain given as the CN (Common Name) of the self-signed certificate, resolves to the server:

echo "192.168.0.122 uat.cnswb.com" >> /etc/hosts

Start:

docker run -d \
   --restart=unless-stopped \
   -v $REGISTRY_HOME:$REGISTRY_HOME \
   -e "REGISTRY_AUTH=htpasswd" \
   -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" \
   -e REGISTRY_AUTH_HTPASSWD_PATH=$REGISTRY_HOME/auth/htpasswd \
   -e REGISTRY_HTTP_TLS_CERTIFICATE=$REGISTRY_HOME/certs/domain.crt \
   -e REGISTRY_HTTP_TLS_KEY=$REGISTRY_HOME/certs/domain.key \
   -p 18080:5000 registry:2.7.0
Installing the certificate

Local host (server side)

mkdir -p /etc/docker/certs.d/uat.cnswb.com:18080
cp $REGISTRY_HOME/certs/domain.crt /etc/docker/certs.d/uat.cnswb.com:18080/ca.crt

Client

# add the host mapping
echo "192.168.0.122 uat.cnswb.com" >> /etc/hosts

mkdir -p /etc/docker/certs.d/uat.cnswb.com:18080
scp root@uat.cnswb.com:$REGISTRY_HOME/certs/domain.crt /etc/docker/certs.d/uat.cnswb.com:18080/ca.crt

Login test

docker login --username=swb --password=swbyouwant2019 uat.cnswb.com:18080

push from the client [local-12]

(The original post shows a screenshot of the push from local-12 here.)

API

The official documentation summarises all currently supported HTTP API endpoints; see Detail.

# without password, no authentication
curl http://192.168.0.122:18080/v2/_catalog
curl http://192.168.0.122:18080/v2/swb-svc-house/tags/list

# with password, authentication enabled
curl --cacert /etc/docker/certs.d/uat.cnswb.com\:18080/ca.crt --basic --user swb:swbyouwant2019 https://uat.cnswb.com:18080/v2/_catalog

curl --cacert /etc/docker/certs.d/uat.cnswb.com\:18080/ca.crt --basic --user swb:swbyouwant2019 https://uat.cnswb.com:18080/v2/swb-svc-house/tags/list
## View manifest information: /v2/<name>/manifests/<reference>. When a pull completes a digest is returned; that digest is the last parameter, <reference>
curl --cacert /etc/docker/certs.d/uat.cnswb.com\:18080/ca.crt --basic --user swb:swbyouwant2019 -XGET https://uat.cnswb.com:18080/v2/swb-svc-house/manifests/sha256:12ec47e9755c821ec68b06c0772c4cd6c8258a3d9ac901a482c222cb97636cb8
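The curl calls above trust whatever the registry returns. A client that scripts these endpoints should also check that the manifest body really hashes to the digest the registry advertises, since the digest is what `docker pull` later uses as a content address. The Python helpers below are an added example, not code from the original post or the registry project: they build the same Basic auth header curl sends, pin TLS to the registry's own ca.crt, compute and verify the sha256 content digest, and extract the config and layer digests from a schema-2 manifest (the blob digests the targeted-cleanup section later looks up by hand). Function names and the constructed manifest are assumptions of the example; the URL, CA path and credentials are the ones used on this page.

```python
import base64
import hashlib
import json
import re
import ssl
import urllib.request

DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")
MANIFEST_V2 = "application/vnd.docker.distribution.manifest.v2+json"


def basic_auth_header(user: str, password: str) -> dict:
    """HTTP Basic header, the same thing `curl --basic --user user:pw` sends."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {"Authorization": f"Basic {token}"}


def content_digest(body: bytes) -> str:
    """Registry digests are sha256 over the exact bytes served, prefixed with 'sha256:'."""
    return "sha256:" + hashlib.sha256(body).hexdigest()


def verify_digest(body: bytes, expected: str) -> bool:
    """True only when `body` hashes to `expected`; malformed digests are rejected outright."""
    if not DIGEST_RE.match(expected):
        return False
    return content_digest(body) == expected


def manifest_blobs(manifest_body: bytes) -> list:
    """Config and layer digests of a schema-2 manifest, in manifest order."""
    m = json.loads(manifest_body)
    if m.get("schemaVersion") != 2:
        raise ValueError("only schema 2 manifests are handled here")
    digests = [m["config"]["digest"]] + [layer["digest"] for layer in m.get("layers", [])]
    for d in digests:
        if not DIGEST_RE.match(d):
            raise ValueError(f"malformed digest in manifest: {d}")
    return digests


def fetch_manifest(url: str, cafile: str, user: str, password: str) -> tuple:
    """GET a manifest over TLS pinned to the registry's CA file.

    Returns (advertised digest, body). The Accept header matters: without it the
    registry serves a schema-1 manifest for a tag, whose digest differs from the
    one `docker push` printed.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    headers = {**basic_auth_header(user, password), "Accept": MANIFEST_V2}
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, context=ctx) as resp:
        return resp.headers.get("Docker-Content-Digest", ""), resp.read()


if __name__ == "__main__":
    # Live use against the registry on this page: fetch by tag, verify, list blobs
    advertised, body = fetch_manifest(
        "https://uat.cnswb.com:18080/v2/swb-svc-house/manifests/dev-35",
        "/etc/docker/certs.d/uat.cnswb.com:18080/ca.crt", "swb", "swbyouwant2019")
    print("digest matches body:", verify_digest(body, advertised))
    print("blobs:", manifest_blobs(body))
```

`verify_digest` is also the right check for a manifest fetched by digest: the registry is then being asked for content by address, and a mismatch means the stored object is not what the address claims.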

Best practice

Key points

  1. Specify the port
  2. Specify the mapped directory
  3. Restart policy
  4. Password
  5. Certificate

Command cascade

Server side

mkdir $REGISTRY_HOME

mkdir $REGISTRY_HOME/auth
docker run --entrypoint htpasswd registry:2.7.0 -Bbn swb swbyouwant2019  > $REGISTRY_HOME/auth/htpasswd

mkdir $REGISTRY_HOME/certs
openssl req -newkey rsa:2048 -nodes -sha256 -keyout $REGISTRY_HOME/certs/domain.key -x509 -days 3650 -out $REGISTRY_HOME/certs/domain.crt

echo "192.168.0.122 uat.cnswb.com" >> /etc/hosts

docker run -d \
   --restart=unless-stopped \
   -v $REGISTRY_HOME:$REGISTRY_HOME \
   -e "REGISTRY_AUTH=htpasswd" \
   -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" \
   -e REGISTRY_AUTH_HTPASSWD_PATH=$REGISTRY_HOME/auth/htpasswd \
   -e REGISTRY_HTTP_TLS_CERTIFICATE=$REGISTRY_HOME/certs/domain.crt \
   -e REGISTRY_HTTP_TLS_KEY=$REGISTRY_HOME/certs/domain.key \
   -p 18080:5000 registry:2.7.0

Client side

echo "192.168.0.122 uat.cnswb.com" >> /etc/hosts

## install the certificate
mkdir -p /etc/docker/certs.d/uat.cnswb.com:18080
scp root@uat.cnswb.com:$REGISTRY_HOME/certs/domain.crt /etc/docker/certs.d/uat.cnswb.com:18080/ca.crt

## other docker operations
docker login uat.cnswb.com:18080
docker push ...
docker pull ...

Cleanup

Wipe everything

Go to the locally mapped directory and run rm -rf /var/lib/registry/*

Targeted

Through the HTTP API, but the delete function is very hard to use; the author always gets an UNSUPPORTED error. See https://docs.docker.com/registry/spec/api/ for details.

The steps are recorded here:

  • push and obtain the digest, using tomcat as the example

docker push uat.cnswb.com:18080/tomcat:latest

This returns the digest sha256:0e5dd4e1cf10a3f4684b797547aa4b376b2eeb6ac983c7a7046be5eba636ddb1

  • View the manifest

curl --cacert /etc/docker/certs.d/uat.cnswb.com\:18080/ca.crt --basic --user swb:swbyouwant2019 -XGET https://uat.cnswb.com:18080/v2/tomcat/manifests/sha256:0e5dd4e1cf10a3f4684b797547aa4b376b2eeb6ac983c7a7046be5eba636ddb1

This gives the blob digest sha256:6e30b06a90d3206519a5ea730057001a1b830b9169e1baf76a97e1767efc0db7

  • View the blob

curl --cacert /etc/docker/certs.d/uat.cnswb.com\:18080/ca.crt --basic --user swb:swbyouwant2019 -XGET https://uat.cnswb.com:18080/v2/tomcat/blobs/sha256:6e30b06a90d3206519a5ea730057001a1b830b9169e1baf76a97e1767efc0db7

(The original post shows a screenshot of this response here.)

  • Delete the blob

curl --cacert /etc/docker/certs.d/uat.cnswb.com\:18080/ca.crt --basic --user swb:swbyouwant2019 -XDELETE https://uat.cnswb.com:18080/v2/tomcat/blobs/sha256:6e30b06a90d3206519a5ea730057001a1b830b9169e1baf76a97e1767efc0db7

This returns an UNSUPPORTED error:

{"errors":[{"code":"UNSUPPORTED","message":"The operation is unsupported."}]}
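When the API route is awkward, the storage tree that was mounted at /var/lib/registry in the Preparation section can be inspected directly, which is also how one confirms what a `rm -rf` under that directory would actually remove. The script below is an added example, not code from the original post or the registry project. It assumes the on-disk layout of registry 2.x's filesystem driver: each tag's manifest digest sits in docker/registry/v2/repositories/<name>/_manifests/tags/<tag>/current/link as `sha256:<hex>`, and blob content (manifests included) sits at docker/registry/v2/blobs/sha256/<first two hex chars>/<hex>/data. It maps every tag to its manifest digest and flags tags whose manifest blob is missing, which is what a partial manual cleanup leaves behind. The sample tree is constructed in a temporary directory so it runs without a registry; function names are assumptions of the example.

```python
import tempfile
from pathlib import Path

# Layout of registry 2.x's filesystem storage driver (assumed from its on-disk format)
V2 = Path("docker") / "registry" / "v2"


def blob_data_path(root: Path, digest: str) -> Path:
    """Blob content for <algo>:<hex> lives at blobs/<algo>/<hex[:2]>/<hex>/data."""
    algo, hexval = digest.split(":", 1)
    return root / V2 / "blobs" / algo / hexval[:2] / hexval / "data"


def list_tags(root: Path) -> dict:
    """Map 'repo:tag' -> manifest digest by reading each tag's current/link file.

    Repository names may contain slashes (e.g. library/tomcat), so the repo is
    taken as the path relative to the repositories directory.
    """
    result = {}
    repos = root / V2 / "repositories"
    for link in sorted(repos.rglob("_manifests/tags/*/current/link")):
        tag = link.parents[1].name          # .../tags/<tag>/current/link
        repo = link.parents[4].relative_to(repos).as_posix()
        result[f"{repo}:{tag}"] = link.read_text().strip()
    return result


def dangling_tags(root: Path) -> list:
    """Tags whose manifest blob no longer exists on disk."""
    return [ref for ref, digest in list_tags(root).items()
            if not blob_data_path(root, digest).exists()]


def build_sample_tree(root: Path) -> None:
    """Constructed tree mimicking two pushes; 'tomcat:old' deliberately lacks its blob."""
    good = "sha256:" + "1" * 64
    missing = "sha256:" + "2" * 64
    for repo, tag, digest in [("swb-svc-house", "dev-35", good), ("tomcat", "old", missing)]:
        link = root / V2 / "repositories" / repo / "_manifests" / "tags" / tag / "current" / "link"
        link.parent.mkdir(parents=True, exist_ok=True)
        link.write_text(digest)
    data = blob_data_path(root, good)
    data.parent.mkdir(parents=True, exist_ok=True)
    data.write_bytes(b'{"schemaVersion": 2}')


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        build_sample_tree(root)
        for ref, digest in list_tags(root).items():
            print(ref, "->", digest)
        print("dangling:", dangling_tags(root))
    # On the server itself, point it at the mounted directory:
    # list_tags(Path("/var/lib/registry")); dangling_tags(Path("/var/lib/registry"))
```

Run it read-only on the server before deciding what to remove; it never modifies the tree, so it is safe against a live registry.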