Table of contents
- Preface
- 1. Docker image optimization
- 2. Docker registries
- Configuring a registry mirror (image accelerator)
- Building a private registry with TLS certificates
Preface
Although the images we build with a Dockerfile work fine, they are still far more bloated than the official images, so we need to optimize them.
1. Docker image optimization
The first optimization is to reduce the number of layers: chain what used to be several RUN layers into a single layer with &&, and once compilation finishes delete the yum cache and the source package in that same layer. As the listing shows, this brings the image down considerably from our earlier 478M, so the optimization has achieved its goal.
[root@docker1 docker]# docker images nginx
REPOSITORY TAG IMAGE ID CREATED SIZE
nginx v1 3a67b9aaf157 34 seconds ago 317MB
nginx latest 51086ed63d8c 2 weeks ago 142MB
[root@docker1 docker]# cat Dockerfile
FROM centos:7
ADD nginx-1.21.6.tar.gz /mnt
WORKDIR /mnt/nginx-1.21.6
RUN yum install -y gcc openssl-devel pcre-devel make && sed -i 's/CFLAGS="$CFLAGS -g"/#CFLAGS="CFLAGS -g"/g' auto/cc/gcc && ./configure --with-http_ssl_module --with-http_stub_status_module && make && make install && yum clean all && rm -fr /mnt/nginx-1.21.6
COPY index.html /usr/local/nginx/html
EXPOSE 80
CMD ["/usr/local/nginx/sbin/nginx","-g","daemon off;"]
Multi-stage builds are another way to optimize the image: v2 is about 100 MB smaller than v1, so this also achieves the goal.
[root@docker1 docker]# docker images nginx
REPOSITORY TAG IMAGE ID CREATED SIZE
nginx v2 c777c8120e74 3 seconds ago 205MB
nginx v1 3a67b9aaf157 9 minutes ago 317MB
nginx latest 51086ed63d8c 2 weeks ago 142MB
[root@docker1 docker]# cat Dockerfile
FROM centos:7 as build
ADD nginx-1.21.6.tar.gz /mnt
WORKDIR /mnt/nginx-1.21.6
RUN yum install -y gcc openssl-devel pcre-devel make && sed -i 's/CFLAGS="$CFLAGS -g"/#CFLAGS="CFLAGS -g"/g' auto/cc/gcc && ./configure --with-http_ssl_module --with-http_stub_status_module && make && make install && yum clean all && rm -fr /mnt/nginx-1.21.6
FROM centos:7
COPY --from=build /usr/local/nginx /usr/local/nginx
COPY index.html /usr/local/nginx/html
EXPOSE 80
CMD ["/usr/local/nginx/sbin/nginx","-g","daemon off;"]
To go further we need an even smaller base image. The image below, for example, is only 33MB once packaged, which is small enough, and it still runs successfully, so the optimization target is met.
[root@docker1 new]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
nginx v4 5efc50772cb8 24 seconds ago 33.8MB
<none> <none> 20f4365b8b21 25 seconds ago 155MB
nginx v3 0be1cbf8ecd3 21 hours ago 78.8MB
ubuntu latest cdb68b455a14 36 hours ago 77.8MB
nginx v2 c777c8120e74 2 days ago 205MB
nginx v1 3a67b9aaf157 2 days ago 317MB
<none> <none> a36ad28b53f0 4 days ago 475MB
<none> <none> b871d85284df 4 days ago 474MB
nginx latest 51086ed63d8c 3 weeks ago 142MB
busybox latest ff4a8eb070e1 3 weeks ago 1.24MB
centos 7 eeb6ee3f44bd 13 months ago 204MB
yakexi007/game2048 latest 19299002fdbe 5 years ago 55.5MB
gcr.io/distroless/base-debian11 latest 24787c1cd2e4 52 years ago 20.3MB
Successfully built 93c9043dd3fe
Successfully tagged nginx:v4
[root@docker1 new]# docker run -d --name demo nginx:v4
4ced6090dc2244e18f204aec18bb93823d85eb2444f15759e35e580682991e55
[root@docker1 new]# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
4ced6090dc22 nginx:v4 "/docker-entrypoint.…" 5 seconds ago Up 3 seconds 80/tcp demo
[root@docker1 new]# cat Dockerfile
FROM nginx:latest as base
# https://en.wikipedia.org/wiki/List_of_tz_database_time_zones
ARG TIME_ZONE
RUN mkdir -p /opt/var/cache/nginx && \
cp -a --parents /usr/lib/nginx /opt && \
cp -a --parents /usr/share/nginx /opt && \
cp -a --parents /var/log/nginx /opt && \
cp -aL --parents /var/run /opt && \
cp -a --parents /etc/nginx /opt && \
cp -a --parents /etc/passwd /opt && \
cp -a --parents /etc/group /opt && \
cp -a --parents /usr/sbin/nginx /opt && \
cp -a --parents /usr/sbin/nginx-debug /opt && \
cp -a --parents /lib/x86_64-linux-gnu/ld-* /opt && \
cp -a --parents /usr/lib/x86_64-linux-gnu/libpcre* /opt && \
cp -a --parents /lib/x86_64-linux-gnu/libz.so.* /opt && \
cp -a --parents /lib/x86_64-linux-gnu/libc* /opt && \
cp -a --parents /lib/x86_64-linux-gnu/libdl* /opt && \
cp -a --parents /lib/x86_64-linux-gnu/libpthread* /opt && \
cp -a --parents /lib/x86_64-linux-gnu/libcrypt* /opt
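The cp -a --parents lines above are a hand-written list of the libraries nginx needs. As an added example (not part of the original post), the Python helper below derives that list from the output of ldd instead; SAMPLE_LDD is a constructed excerpt, and parse_ldd and cp_commands are names chosen here. It handles the two lines a naive "split on =>" parser gets wrong, the vDSO (not a file on disk) and the dynamic loader (no "=>"), and reports any "not found" entry so a missing library fails the build rather than the container start.

```python
import re
import shlex

# Constructed sample of `ldd /usr/sbin/nginx` output (hypothetical excerpt, not
# captured from the page's build). It deliberately includes the lines a naive
# "split on =>" parser mishandles: the vDSO (no file on disk), the dynamic
# loader (no "=>"), and a library that could not be resolved.
SAMPLE_LDD = """\
\tlinux-vdso.so.1 (0x00007ffd2b3e4000)
\tlibcrypt.so.1 => /lib/x86_64-linux-gnu/libcrypt.so.1 (0x00007f1c3c5f0000)
\tlibpcre2-8.so.0 => /usr/lib/x86_64-linux-gnu/libpcre2-8.so.0 (0x00007f1c3c550000)
\tlibssl.so.1.1 => /usr/lib/x86_64-linux-gnu/libssl.so.1.1 (0x00007f1c3c4b0000)
\tlibz.so.1 => /lib/x86_64-linux-gnu/libz.so.1 (0x00007f1c3c490000)
\tlibc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f1c3c2c0000)
\t/lib64/ld-linux-x86-64.so.2 (0x00007f1c3c6e0000)
\tlibmissing.so.9 => not found
"""

# name, optional "=> target", optional "(0xaddress)"
LDD_LINE = re.compile(r"^\s*(?P<name>\S+)(?:\s+=>\s+(?P<target>.*?))?\s*(?:\(0x[0-9a-f]+\))?\s*$")


def parse_ldd(text):
    """Return (sorted paths to copy, unresolved library names)."""
    paths, missing = set(), []
    for line in text.splitlines():
        m = LDD_LINE.match(line)
        if not m:
            continue  # blank or unrecognised line
        name, target = m.group("name"), m.group("target")
        if target == "not found":
            missing.append(name)          # fail the build here, not at container start
        elif target:
            paths.add(target)             # "libfoo.so => /path/libfoo.so (0x...)"
        elif name.startswith("/"):
            paths.add(name)               # "/lib64/ld-linux-x86-64.so.2 (0x...)"
        # else: linux-vdso.so.1 is a kernel-provided virtual object, nothing to copy
    return sorted(paths), missing


def cp_commands(paths, dest="/opt"):
    """Emit the `cp -a --parents <path> /opt` lines used in the Dockerfile above."""
    return [f"cp -a --parents {shlex.quote(p)} {dest}" for p in paths]
```

ldd prints the path it resolved, which is frequently a symlink; when copying, use cp -aL or also copy the real path of each entry so that the link target lands in /opt as well.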
2. Docker registries
The image we just packaged can be exported as a tar archive with the command below; on a system that does not yet have the image, docker load -i imports the tarball.
[root@docker1 ~]# docker save -o nginx-v4.tar nginx:v4
[root@docker1 ~]# ls
anaconda-ks.cfg base-debian11.tar docker nginx-v4.tar
Configuring a registry mirror (image accelerator)
First copy your own mirror accelerator address from the Aliyun console, write it into /etc/docker/daemon.json, then reload and restart docker to complete the configuration.
[root@docker1 ~]# systemctl daemon-reload
[root@docker1 ~]# systemctl restart docker
[root@docker1 ~]# cat /etc/docker/daemon.json
{
"registry-mirrors":["https://lrt6zeoe.mirror.aliyuncs.com"]
}
Building a private registry with TLS certificates
The reason we build a private registry is that, convenient as Docker Hub is, it has many limitations: it requires an Internet connection, it is slow, anyone can access it, which is insecure, and for security reasons companies do not allow images to be placed on the public Internet. So we need our own private registry.
First pull the registry image
[root@docker1 ~]# docker pull registry
Using default tag: latest
latest: Pulling from library/registry
79e9f2f55bf5: Pull complete
0d96da54f60b: Pull complete
5b27040df4a2: Pull complete
e2ead8259a04: Pull complete
3790aef225b9: Pull complete
Digest: sha256:169211e20e2f2d5d115674681eb79d21a217b296b43374b8e39f97fcf866b375
Status: Downloaded newer image for registry:latest
docker.io/library/registry:latest
Map the port and mount a directory from the host
[root@docker1 ~]# docker run -d --name registry -p 5000:5000 -v /opt/registry:/var/lib/registry registry
c1a3b20fe38dfcb4f5e2c4e01923c6f5eea20d2dc7650c4a9c5def9ec4d7ca2f
Next, push an image to our private registry
[root@docker1 ~]# docker tag yakexi007/game2048:latest localhost:5000/game2048:latest
[root@docker1 ~]# docker push localhost:5000/game2048
Using default tag: latest
The push refers to repository [localhost:5000/game2048]
88fca8ae768a: Pushed
6d7504772167: Pushed
192e9fad2abc: Pushed
36e9226e74f8: Pushed
011b303988d2: Pushed
latest: digest: sha256:8a34fb9cb168c420604b6e5d32ca6d412cb0d533a826b313b190535c03fe9390 size: 1364
Using the tree command we can view the stored image layers
.
└── registry
    └── v2
        ├── blobs
        │   └── sha256
        │       ├── 19
        │       │   └── 19299002fdbedc133c625488318ba5106b8a76ca6e34a6a8fec681fb54f5e4c7
        │       │       └── data
        │       ├── 3f
        │       │   └── 3f120f6a2bf86552ccf8aeff9ea5f3b1e79047656cdc636bf58d1f3ca0ea1cab
        │       │       └── data
        │       ├── 4b
        │       │   └── 4ba4e6930ea5b57ba9d06cb23105f37de40f2678c385db1cddee560b47a1a4b9
        │       │       └── data
        │       ├── 53
        │       │   └── 534e72e7cedcc7f1a7643fa9ec34706f32de866e663874a1f58bdd059ccd859d
        │       │       └── data
        │       ├── 8a
        │       │   └── 8a34fb9cb168c420604b6e5d32ca6d412cb0d533a826b313b190535c03fe9390
        │       │       └── data
        │       ├── f6
        │       │   └── f62e2f6dfeef60a2983e8794e3de4f369de740d6cea09f72647988edf287c49d
        │       │       └── data
        │       └── fe
        │           └── fe7db6293242e96deb130e0cd1d729ac3f94ed086fc9e414587f369b81c42580
        │               └── data
        └── repositories
            └── game2048
                ├── _layers
                │   └── sha256
                │       ├── 19299002fdbedc133c625488318ba5106b8a76ca6e34a6a8fec681fb54f5e4c7
                │       │   └── link
                │       ├── 3f120f6a2bf86552ccf8aeff9ea5f3b1e79047656cdc636bf58d1f3ca0ea1cab
                │       │   └── link
                │       ├── 4ba4e6930ea5b57ba9d06cb23105f37de40f2678c385db1cddee560b47a1a4b9
                │       │   └── link
                │       ├── 534e72e7cedcc7f1a7643fa9ec34706f32de866e663874a1f58bdd059ccd859d
                │       │   └── link
                │       ├── f62e2f6dfeef60a2983e8794e3de4f369de740d6cea09f72647988edf287c49d
                │       │   └── link
                │       └── fe7db6293242e96deb130e0cd1d729ac3f94ed086fc9e414587f369b81c42580
                │           └── link
                ├── _manifests
                │   ├── revisions
                │   │   └── sha256
                │   │       └── 8a34fb9cb168c420604b6e5d32ca6d412cb0d533a826b313b190535c03fe9390
                │   │           └── link
                │   └── tags
                │       └── latest
                │           ├── current
                │           │   └── link
                │           └── index
                │               └── sha256
                │                   └── 8a34fb9cb168c420604b6e5d32ca6d412cb0d533a826b313b190535c03fe9390
                │                       └── link
                └── _uploads

39 directories, 16 files
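Because the registry stores everything by content address, the layout above can be audited offline: the bytes in blobs/sha256/<xx>/<digest>/data must hash to <digest>, and a tag resolves to its manifest through _manifests/tags/<tag>/current/link. The Python below is an added example, not code from the original post or from the registry project: it builds a constructed miniature of that tree in a temporary directory (optionally with one deliberately corrupted layer) and verifies it; build_sample_registry, verify_blobs, resolve_tag and check are names chosen here.

```python
import hashlib, os, tempfile

V2 = os.path.join("registry", "v2")  # same layout as the /opt/registry tree above


def build_sample_registry(root, tamper=False):
    """Constructed miniature of the tree above: two layers, one manifest, one tag
    link. Directory names are real sha256 digests of the embedded bytes. With
    tamper=True the first layer is altered after naming, i.e. a corrupted blob."""
    layers = [b"constructed layer one", b"constructed layer two"]
    manifest = b'{"constructed": "manifest for game2048:latest"}'
    for blob in layers + [manifest]:
        digest = hashlib.sha256(blob).hexdigest()
        blob_dir = os.path.join(root, V2, "blobs", "sha256", digest[:2], digest)
        os.makedirs(blob_dir)
        if tamper and blob is layers[0]:
            blob += b"!"
        with open(os.path.join(blob_dir, "data"), "wb") as f:
            f.write(blob)
    tag_dir = os.path.join(root, V2, "repositories", "game2048", "_manifests", "tags", "latest", "current")
    os.makedirs(tag_dir)
    with open(os.path.join(tag_dir, "link"), "w") as f:
        f.write("sha256:" + hashlib.sha256(manifest).hexdigest())


def verify_blobs(root):
    """Re-hash every blobs/sha256/<xx>/<digest>/data; False = bytes no longer match their address."""
    results = {}
    blobs = os.path.join(root, V2, "blobs", "sha256")
    for prefix in os.listdir(blobs):
        for digest in os.listdir(os.path.join(blobs, prefix)):
            h = hashlib.sha256()
            with open(os.path.join(blobs, prefix, digest, "data"), "rb") as f:
                for chunk in iter(lambda: f.read(1 << 20), b""):
                    h.update(chunk)
            results[digest] = digest.startswith(prefix) and h.hexdigest() == digest
    return results


def resolve_tag(root, repo, tag):
    """Follow _manifests/tags/<tag>/current/link to the manifest digest it names."""
    link = os.path.join(root, V2, "repositories", repo, "_manifests", "tags", tag, "current", "link")
    with open(link) as f:
        return f.read().strip().split(":", 1)[1]


def check(tamper=False):
    """Build a throwaway registry; count failing blobs and check the tagged manifest."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_registry(root, tamper)
        ok = verify_blobs(root)
        return {"bad": sum(not v for v in ok.values()),
                "manifest_ok": ok[resolve_tag(root, "game2048", "latest")]}
```

Pointing verify_blobs at a real /opt/registry gives the same check against the volume mounted into the registry container.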
[root@docker2 ~]# vim /etc/yum.conf
[root@docker2 ~]# cat /etc/yum.conf
[main]
cachedir=/var/cache/yum/$basearch/$releasever
keepcache=1    # keep the downloaded rpm packages in the cache
debuglevel=2
logfile=/var/log/yum.log
exactarch=1
obsoletes=1
gpgcheck=1
plugins=1
installonly_limit=3
Add TLS encryption to the docker registry: first generate the certificate
[root@docker1 ~]# openssl11 req -newkey rsa:4096 -nodes -sha256 -keyout certs/westos.org.key -addext "subjectAltName = DNS:reg.westos.org" -x509 -days 365 -out certs/westos.org.crt
Can't load /root/.rnd into RNG
139795939268416:error:2406F079:random number generator:RAND_load_file:Cannot open file:crypto/rand/randfile.c:98:Filename=/root/.rnd
Generating a RSA private key
.............................++++
.........................++++
writing new private key to 'certs/westos.org.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:shaanxi
Locality Name (eg, city) [Default City]:xi'an
Organization Name (eg, company) [Default Company Ltd]:westos
Organizational Unit Name (eg, section) []:linux
Common Name (eg, your name or your server's hostname) []:reg.westos.org
Email Address []:root@westos.org
Recreate the registry container with the certificate and key mounted
[root@docker1 ~]# docker run -d --name registry -p 5000:5000 -v /opt/registry:/var/lib/registry -v /root/certs:/certs -e REGISTRY_HTTP_ADDR=0.0.0.0:443 -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/westos.org.crt -e REGISTRY_HTTP_TLS_KEY=/certs/westos.org.key -p 443:443 registry
13b3fb9f6ccb1a3bd103ff4b32d67b46e97932e96f4b9f36a0eb080c394c0d93
[root@docker1 ~]# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
13b3fb9f6ccb registry "/entrypoint.sh /etc…" 6 seconds ago Up 4 seconds 0.0.0.0:443->443/tcp, :::443->443/tcp, 0.0.0.0:5000->5000/tcp, :::5000->5000/tcp registry
Push an image and check that the upload succeeded
[root@docker1 ~]# docker tag nginx:latest reg.westos.org/nginx:latest
[root@docker1 reg.westos.org]# docker push reg.westos.org/nginx:latest
The push refers to repository [reg.westos.org/nginx]
d6a3537fc36a: Pushed
819eb3a45632: Pushed
5eda6fa69be4: Pushed
6f4f3ce1dca0: Pushed
58a06a0d345c: Pushed
fe7b1e9bf792: Pushed
latest: digest: sha256:bab399017a659799204147065aab53838ca6f5aeed88cf7d329bc4fda1d2bac7 size: 1570
[root@docker1 reg.westos.org]# curl -k https://localhost/v2/_catalog
{"repositories":["game2048","nginx"]}
Once the docker platform is set up on another host, pulling images from the private registry is much faster than pulling them from the Internet
[root@docker2 ~]# docker pull reg.westos.org/nginx:latest
latest: Pulling from nginx
bd159e379b3b: Pull complete
8d634ce99fb9: Pull complete
98b0bbcc0ec6: Pull complete
6ab6a6301bde: Pull complete
f5d8edcd47b1: Pull complete
fe24ce36f968: Pull complete
Digest: sha256:bab399017a659799204147065aab53838ca6f5aeed88cf7d329bc4fda1d2bac7
Status: Downloaded newer image for reg.westos.org/nginx:latest
reg.westos.org/nginx:latest