Because Docker Hub is the official registry and is slow to reach (a mirror accelerator can be configured, but for privacy and security), a private registry is more convenient.
Creating a private registry
1. Pull the registry image
The virtual machine needs network access.
[root@server1 ~]# docker pull registry:2
[root@server1 ~]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
registry 2 f32a97de94e1 4 months ago 25.8MB
Check which port the image exposes so that it can be mapped when the container is started.
[root@server1 ~]# docker run -d --name registry -p 5000:5000 -v /opt/registry:/var/lib/registry registry:2
f0fe21e6d5f6c739ba972187b2e099eed8b28f96c7494a9690d0cb9446e95e8b
[root@server1 ~]# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
4bdb8de8ef34 registry:2 "/entrypoint.sh /etc…" 32 seconds ago Up 31 seconds 0.0.0.0:5000->5000/tcp registry
[root@server1 ~]# netstat -ntlp | grep 5000
tcp6 0 0 :::5000 :::* LISTEN 12350/docker-proxy
[root@server1 ~]# docker load -i game2048.tar
[root@server1 ~]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
registry 2 f32a97de94e1 5 months ago 25.8MB
registry latest f32a97de94e1 5 months ago 25.8MB
game2048 latest 19299002fdbe 2 years ago 55.5MB
[root@server1 ~]# docker tag game2048:latest localhost:5000/game2048 # rename the game2048:latest image so it can be pushed to the local registry
[root@server1 ~]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
registry 2 f32a97de94e1 5 months ago 25.8MB
registry latest f32a97de94e1 5 months ago 25.8MB
game2048 latest 19299002fdbe 2 years ago 55.5MB
localhost:5000/game2048 latest 19299002fdbe 2 years ago 55.5MB
[root@server1 ~]# docker push localhost:5000/game2048 # push the renamed image to port 5000 on this host, i.e. the container's port
[root@server1 ~]# curl localhost:5000/v2/_catalog # check whether the private registry now contains game2048
{"repositories":["game2048"]}
[root@serve1 repositories]# ls
game2048
[root@server2 repositories]# pwd # check, via the mounted directory, that the game2048 data exists on the host
/opt/registry/docker/registry/v2/repositories
The registry created this way cannot be used from remote hosts and is not secure enough; the next step is to create the private registry with a certificate so that traffic is encrypted.
TLS encryption for the private registry
Generate the certificate
[root@server1 ~]# mkdir -p certs # create the directory that will hold the certificate and key
[root@server1 ~]# openssl req -newkey rsa:4096 -nodes -sha256 -keyout certs/haha.com.key -x509 -days 365 -out certs/haha.com.crt
Generating a 4096 bit RSA private key
........++
.........................................................................................................................................................................++
writing new private key to 'certs/haha.com.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:shaanxi
Locality Name (eg, city) [Default City]:xi'an
Organization Name (eg, company) [Default Company Ltd]:redhat
Organizational Unit Name (eg, section) []:linux
Common Name (eg, your name or your server's hostname) []:haha.com
Email Address []:root@haha.com
[root@server1 ~]# ls certs/ # the certificate and key have been generated
haha.com.crt haha.com.key
[root@server1 ~]# vim /etc/hosts # set up name resolution for the registry hostname
172.25.25.1 server1 haha.com
Build the encrypted registry
docker rm -f registry
docker run -d --restart=always --name registry -v "$(pwd)"/certs:/certs -e REGISTRY_HTTP_ADDR=0.0.0.0:443 -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/haha.com.crt -e REGISTRY_HTTP_TLS_KEY=/certs/haha.com.key -p 443:443 registry
# run the registry with TLS enabled and map port 443
docker ps # check that the container is running
cd /etc/docker/
mkdir certs.d/haha.com # create the directory Docker uses for the registry's TLS trust certificate
cd certs.d/haha.com/
cp /root/certs/haha.com.crt ca.crt # copy the certificate into this directory and rename it ca.crt
systemctl restart docker # restart the docker service so the newly added certificate is picked up
Verify that the deployment succeeded
docker images
docker load -i ubuntu.tar # load the image
docker tag ubuntu:latest haha.com/ubuntu:latest # rename the image with the registry's hostname
docker push haha.com/ubuntu # push the image
Adding user authentication to the Docker registry
1. Create the authentication data
[root@server1 ~]# mkdir auth # create the directory for user credentials
[root@server1 ~]# docker run --rm --entrypoint htpasswd registry -Bbn admin redhat > auth/htpasswd
# run htpasswd inside a container and store the admin user's bcrypt credentials in auth/htpasswd
[root@server1 ~]# cat auth/htpasswd
admin:$2y$05$MrxBOhunWu.VfMkPr2lKG.QleK6d8CBocYD7Jv6Wt6cE62i.agJ8q
[root@server1 ~]# docker run --rm --entrypoint htpasswd registry -Bbn xixi redhat >> auth/htpasswd ## append another user and password
[root@server1 ~]# docker ps ## list the running containers
[root@server1 ~]# docker rm -f ef61c36b8c89 ## remove the existing registry container, otherwise creating it again with the same name fails
[root@server1 ~]# docker run -d --restart=always --name registry -v "$(pwd)"/certs:/certs -e REGISTRY_HTTP_ADDR=0.0.0.0:443 -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/haha.com.crt -e REGISTRY_HTTP_TLS_KEY=/certs/haha.com.key -p 443:443 -v "$(pwd)"/auth:/auth -e "REGISTRY_AUTH=htpasswd" -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd registry
[root@server1 ~]# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
bea51c3c3c50 registry "/entrypoint.sh /etc…" 42 seconds ago Up 41 seconds 0.0.0.0:443->443/tcp, 5000/tcp registry
[root@server1 ~]# docker login haha.com
# log in with the user credentials
[root@server1 ~]# docker push haha.com/ubuntu # push the image
[root@server1 ~]# docker logout haha.com # log out
[root@server1 ~]# docker push westos.org/nginx # the push fails because we are no longer logged in
Connecting to the registry from a remote host
Remote login:
Requirements: the remote host must be able to resolve the registry's hostname and must have Docker's trust certificate for it.
Registry host (server2):
vim /etc/hosts
172.25.25.2 server2 haha.com
172.25.25.3 server3
scp -r /etc/docker/certs.d/ server3:/etc/docker/
Remote host:
Configure the yum repository
Install docker
vim /etc/hosts
172.25.25.2 server2 haha.com
172.25.25.3 server3
docker login haha.com # because user authentication is enabled, you must log in before pulling
docker pull haha.com/ubuntu # pull the image
[root@server3 docker]# docker images ## check whether the image was pulled successfully
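To confirm from a client such as server3 that the registry built above really enforces both TLS and htpasswd authentication, here is an added Python probe (not part of the original page): it trusts only the ca.crt that docker itself uses, expects anonymous requests to /v2/ and /v2/_catalog to be refused with a Basic challenge for "Registry Realm", and expects the catalog to be listed only with valid credentials. The hostname haha.com, the ca.crt path and the admin/redhat user are the tutorial's values; the fetch parameter is an assumption that lets the logic be exercised without a live registry.

```python
"""Probe a private Docker registry for TLS and htpasswd enforcement (added example)."""
import base64
import json
import ssl
import urllib.error
import urllib.request

REGISTRY = "haha.com"                            # registry hostname used in the tutorial
CA_CERT = "/etc/docker/certs.d/haha.com/ca.crt"  # the same CA file docker itself trusts

def http_get(url, user=None, password=None, ca_cert=CA_CERT):
    """GET url, trusting only ca_cert (hostname is verified, as docker does).
    Returns (status, headers, body) for both success and HTTP error responses."""
    ctx = ssl.create_default_context(cafile=ca_cert)
    req = urllib.request.Request(url)
    if user is not None:
        token = base64.b64encode(f"{user}:{password}".encode()).decode()
        req.add_header("Authorization", "Basic " + token)
    try:
        with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
            return resp.status, resp.headers, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.headers, err.read()

def check_registry(user, password, fetch=http_get, registry=REGISTRY):
    """Return findings; every boolean should be True for a locked-down registry.
    fetch is injectable (assumption) so the checks can run without a live registry."""
    base = f"https://{registry}/v2/"
    status, headers, _ = fetch(base)                 # anonymous: must be challenged
    hdrs = {k.lower(): v for k, v in headers.items()}
    www = hdrs.get("www-authenticate", "")
    findings = {
        "anonymous_rejected": status == 401,
        "basic_realm_advertised": www.startswith("Basic") and "Registry Realm" in www,
    }
    status, _, _ = fetch(base + "_catalog")          # anonymous repo listing: must fail too
    findings["anonymous_catalog_rejected"] = status == 401
    status, _, body = fetch(base + "_catalog", user, password)
    findings["login_accepted"] = status == 200
    findings["catalog"] = json.loads(body).get("repositories", []) if status == 200 else []
    return findings

if __name__ == "__main__":
    for key, value in check_registry("admin", "redhat").items():
        print(f"{key}: {value}")
```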