If the host does not already have the registry image, download registry.tar and load it into Docker as the registry image.
1. Load the registry image
2. Start the container
[root@foundation81 ~]# mkdir /opt/registry
[root@foundation81 ~]# docker run -d --name registry -p 5000:5000 -v /opt/registry:/var/lib/registry registry ##plain HTTP on port 5000; this only works because Docker treats 127.0.0.0/8 as an insecure registry by default, so any other host would have to list it under insecure-registries or, better, use the TLS setup below
3. Push
[root@foundation81 ~]# docker tag rhel7:v4 localhost:5000/rhel7:v4 ##add a tag that carries the registry address
[root@foundation81 ~]# docker push localhost:5000/rhel7:v4 ##push the local image to the private registry
Inspect the registry storage directory (/opt/registry):
4. Pull
Note: because the pull happens on the same machine, the existing images must be removed first for the effect to be visible.
[root@foundation81 ~]# docker rmi localhost:5000/rhel7:v4 ##this does not actually delete the image, it only removes the tag added above; the layers stay until the last tag is removed
[root@foundation81 ~]# docker rmi rhel7:v4
[root@foundation81 ~]# docker rmi rhel7:v3
[root@foundation81 ~]# docker rmi rhel7:v2
[root@foundation81 ~]# docker rmi rhel7:v1
[root@foundation81 ~]# docker pull localhost:5000/rhel7:v4
[root@foundation81 ~]# docker tag localhost:5000/rhel7:v4 rhel7:v1 ##give the pulled image a local tag again
[root@foundation81 ~]# docker rmi localhost:5000/rhel7:v4
Securing the Docker registry with TLS
1. Create the certs directory and generate the server private key and self-signed certificate
[root@foundation81 ~]# cd /tmp/docker/
[root@foundation81 docker]# mkdir certs
[root@foundation81 docker]# openssl req \
> -newkey rsa:4096 -nodes -sha256 -keyout certs/westos.org.key \
> -x509 -days 365 -out certs/westos.org.crt
Generating a 4096 bit RSA private key
.........................................++
.........++
writing new private key to 'certs/westos.org.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:shaanxi
Locality Name (eg, city) [Default City]:xi'an
Organization Name (eg, company) [Default Company Ltd]:westos
Organizational Unit Name (eg, section) []:westos.org
Common Name (eg, your name or your server's hostname) []:westos.org
Email Address []:root@westos.org
Check the certificate and private key (certs/westos.org.crt, certs/westos.org.key). The Common Name must match the hostname clients will use (westos.org); newer Docker versions also require the hostname in a subjectAltName extension, which this interactive command does not add.
2. Hostname resolution
[root@foundation81 certs]# vim /etc/hosts
172.25.81.250 westos.org ##the registry hostname must resolve to the host running the container
3. Start the registry with TLS
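Because Docker's Go TLS stack (Go 1.15 and later) rejects certificates that carry the hostname only in the Common Name, the certificate for step 1 is better generated with a subjectAltName. The following script is an added example and not part of the original page: it writes a small OpenSSL config with a v3_req section (so it also works on OpenSSL 1.0.x, which lacks -addext), generates the key and certificate non-interactively with the page's hostname and address, and provides a check that the SAN is present. The output directory and the Xian spelling of the locality are assumptions.

```shell
#!/bin/sh
# Added example (not from the original page): self-signed registry certificate
# with a subjectAltName, plus a check that the SAN is really there.
# Hostname and IP are the page's values; the output directory is an assumption.

# Usage: gen_registry_cert <outdir> <hostname> <ip>
# Writes <outdir>/<hostname>.key and <outdir>/<hostname>.crt.
gen_registry_cert() {
    outdir=$1; host=$2; ip=$3
    mkdir -p "$outdir"
    # x509_extensions applies when req is called with -x509, so the SAN and
    # serverAuth EKU end up in the self-signed certificate itself.
    cat > "$outdir/san.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions    = v3_req
prompt             = no
[dn]
C  = cn
ST = shaanxi
L  = Xian
O  = westos
OU = westos.org
CN = $host
[v3_req]
subjectAltName   = DNS:$host,IP:$ip
extendedKeyUsage = serverAuth
EOF
    openssl req -newkey rsa:4096 -nodes -sha256 \
        -keyout "$outdir/$host.key" \
        -x509 -days 365 -out "$outdir/$host.crt" \
        -config "$outdir/san.cnf" 2>/dev/null
}

# Return 0 if the certificate's SAN list contains <name> as a DNS entry,
# 1 otherwise. This is the check to run before copying the cert to
# /etc/docker/certs.d/<name>/ca.crt.
cert_has_san() {
    cert=$1; name=$2
    openssl x509 -in "$cert" -noout -text | grep -q "DNS:$name"
}

# Stand-alone run: generate into ./certs and report.
if [ "${0##*/}" != "sh" ] && [ -z "$UNDER_TEST" ]; then
    gen_registry_cert ./certs westos.org 172.25.81.250
    if cert_has_san ./certs/westos.org.crt westos.org; then
        echo "certs/westos.org.crt carries SAN DNS:westos.org"
    else
        echo "certs/westos.org.crt has no SAN for westos.org" >&2
    fi
fi
```

Run it from /tmp/docker so the resulting certs/ directory matches the -v "$(pwd)"/certs:/certs mount used when starting the registry. If cert_has_san fails on a certificate generated the interactive way, clients on recent Docker will refuse the registry with an x509 error even though ca.crt is installed.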
[root@foundation81 docker]# docker run -d \
> --restart=always \
> --name registry \
> -v "$(pwd)"/certs:/certs \
> -e REGISTRY_HTTP_ADDR=0.0.0.0:443 \
> -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/westos.org.crt \
> -e REGISTRY_HTTP_TLS_KEY=/certs/westos.org.key \
> -p 443:443 \
> -v /opt/registry:/var/lib/registry registry
4. Trust the certificate on the Docker client (the certs.d subdirectory must be named after the registry host exactly as it appears in image names)
[root@foundation81 ~]# cd /etc/docker/
[root@foundation81 docker]# mkdir certs.d
[root@foundation81 docker]# cd certs.d/
[root@foundation81 certs.d]# mkdir westos.org
[root@foundation81 certs.d]# cd westos.org/
[root@foundation81 westos.org]# cp /tmp/docker/certs/westos.org.crt ca.crt
[root@foundation81 ~]# docker tag game2048 westos.org/game2048
[root@foundation81 ~]# docker push westos.org/game2048
5. Pull the image just pushed from another virtual machine:
<1> Hostname resolution
[root@server1 docker]# vim /etc/hosts
<2> Pull the image
Pulling directly fails, because this client does not yet trust the self-signed certificate; copy ca.crt into certs.d first:
[root@server1 ~]# mkdir /etc/docker/certs.d/westos.org -p
[root@server1 ~]# cd /etc/docker/certs.d/westos.org/
[root@server1 westos.org]# scp 172.25.81.250:/etc/docker/certs.d/westos.org/ca.crt .
[root@server1 westos.org]# ls
ca.crt
[root@server1 westos.org]# docker pull westos.org/game2048
[root@server1 westos.org]# docker run -d -p 80:80 --name vm1 westos.org/game2048
Docker production hardening: authenticating registry clients (htpasswd over TLS)
1. Generate the htpasswd credential file
[root@foundation81 westos.org]# cd /tmp/docker/
[root@foundation81 docker]# mkdir auth
[root@foundation81 docker]# docker run --rm --entrypoint htpasswd registry -Bbn zyj westos > auth/htpasswd ##user zyj, password westos; -B selects bcrypt, the only hash format the registry's htpasswd backend accepts
[root@foundation81 docker]# docker run --rm --entrypoint htpasswd registry -Bbn admin westos >> auth/htpasswd ##append a second account (note >> rather than >)
Registry images from 2.7 onwards no longer ship htpasswd; the upstream documentation generates this file with the httpd:2 image instead.
2. Remove the previous registry container to avoid a name and port conflict
[root@foundation81 docker]# docker ps
[root@foundation81 docker]# docker rm -f registry
3. Start the registry with TLS and htpasswd authentication
[root@foundation81 docker]# docker run -d --restart=always --name registry \
> -v "$(pwd)"/certs:/certs \
> -e REGISTRY_HTTP_ADDR=0.0.0.0:443 \
> -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/westos.org.crt \
> -e REGISTRY_HTTP_TLS_KEY=/certs/westos.org.key \
> -p 443:443 \
> -v /opt/registry:/var/lib/registry \
> -v "$(pwd)"/auth:/auth \
> -e "REGISTRY_AUTH=htpasswd" \
> -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" \
> -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd registry
4. Push an image
Push and other write operations are only allowed after a successful login
[root@foundation81 ~]# docker login westos.org
Username: zyj
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
[root@foundation81 ~]# docker push westos.org/rhel7
After a successful login the credentials are saved in /root/.docker/config.json as the base64 of user:password (encoded, not encrypted, as the warning says); protect that file or configure a credential helper.
Managing the registry through a web UI (docker-registry-web)
With the registry from the previous step still running:
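Two checks worth having around this step, as an added shell example that is not code from the page or from the registry project: a validator that rejects htpasswd entries in any format other than bcrypt (the registry accepts only $2a$/$2b$/$2y$ hashes, so an MD5 or plaintext line created with a plain htpasswd simply fails at login), and the base64 encoding that docker login stores in config.json and that the web UI below expects in REGISTRY_BASIC_AUTH. The sample htpasswd file is constructed; its bcrypt entry is format-valid but not a real hash of "westos".

```shell
#!/bin/sh
# Added example (not from the original page): check an htpasswd file for the
# registry's bcrypt-only backend and build the Basic auth value docker login
# stores in ~/.docker/config.json. Sample data below is constructed.

# Print the user of each non-bcrypt line to stderr and return 1 if any
# entry would be rejected by the registry; return 0 if all are bcrypt.
# Format: user:$2[aby]$<cost>$<22-char salt><31-char hash>
check_htpasswd() {
    file=$1; rc=0
    while IFS= read -r line || [ -n "$line" ]; do
        [ -z "$line" ] && continue
        if ! printf '%s\n' "$line" | grep -Eq '^[^:]+:\$2[aby]\$[0-9]{2}\$[./A-Za-z0-9]{53}$'; then
            printf 'not bcrypt: %s\n' "${line%%:*}" >&2
            rc=1
        fi
    done < "$file"
    return $rc
}

# The "auth" value docker login writes for a registry: base64(user:password).
basic_auth_value() {
    printf '%s:%s' "$1" "$2" | base64 | tr -d '\n'
}

# Recover user:password from a stored value, to show it is encoding, not
# encryption, which is why config.json needs the same protection as a key.
decode_auth_value() {
    printf '%s' "$1" | base64 -d
}

# Constructed sample file: a bcrypt line (accepted) and an MD5 line (rejected).
write_sample_htpasswd() {
    cat > "$1" <<'EOF'
zyj:$2y$05$abcdefghijklmnopqrstuuABCDEFGHIJKLMNOPQRSTUVWXYZ01234
admin:$apr1$abcdefgh$0123456789abcdefghijkl
EOF
}

# Stand-alone run: validate the sample and show the page's auth value.
if [ -z "$UNDER_TEST" ]; then
    tmp=$(mktemp)
    write_sample_htpasswd "$tmp"
    if check_htpasswd "$tmp"; then
        echo "all entries are bcrypt"
    else
        echo "fix the entries above with htpasswd -B before starting the registry"
    fi
    rm -f "$tmp"
    echo "REGISTRY_BASIC_AUTH for zyj: $(basic_auth_value zyj westos)"
fi
```

Run check_htpasswd /tmp/docker/auth/htpasswd before step 3; a rejected entry there shows up only as a failed docker login, with nothing useful in the registry log.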
[root@foundation81 images]# docker load -i docker-registry-web.tar
[root@foundation81 .docker]# docker run -it -p 8080:8080 --name registry-web \
> --link registry:westos.org \
> -e REGISTRY_URL=https://westos.org/v2 \
> -e REGISTRY_TRUST_ANY_SSL=true \
> -e REGISTRY_BASIC_AUTH="enlqOndlc3Rvcw==" \
> -e REGISTRY_NAME=westos.org docker-registry-web
REGISTRY_BASIC_AUTH is the base64 of zyj:westos, the account created above. REGISTRY_TRUST_ANY_SSL=true makes registry-web skip verification of the registry's certificate; that is acceptable in this lab but not in production, where the UI should trust ca.crt instead. Started with -it rather than -d, the container stays in the foreground.
Open the web page in a browser: http://localhost:8080
By default the UI is read-only, so images cannot be deleted:
Enabling read/write access:
<1> Remove the two previous containers
[root@foundation81 .docker]# docker rm -f `docker ps -aq` ##note: this removes every container on the host, not only registry and registry-web
<2> Restart the registry and registry-web with the additional parameters
[root@foundation81 docker]# pwd
/tmp/docker
[root@foundation81 docker]# docker run -d --restart=always --name registry \
> -v "$(pwd)"/certs:/certs \
> -e REGISTRY_HTTP_ADDR=0.0.0.0:443 \
> -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/westos.org.crt \
> -e REGISTRY_HTTP_TLS_KEY=/certs/westos.org.key \
> -p 443:443 \
> -v /opt/registry:/var/lib/registry \
> -v "$(pwd)"/auth:/auth \
> -e "REGISTRY_AUTH=htpasswd" \
> -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" \
> -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd \
> -e REGISTRY_STORAGE_DELETE_ENABLED=true registry
e6699eac233e5c2912905091a7be53060884aafd9b7cd9d3bdbd93b568e0adec
[root@foundation81 docker]# docker run -it -p 8080:8080 --name registry-web \
> --link registry:westos.org \
> -e REGISTRY_URL=https://westos.org/v2 \
> -e REGISTRY_TRUST_ANY_SSL=true \
> -e REGISTRY_BASIC_AUTH="enlqOndlc3Rvcw==" \
> -e REGISTRY_NAME=westos.org \
> -e REGISTRY_READONLY=false docker-registry-web
With REGISTRY_STORAGE_DELETE_ENABLED=true on the registry and REGISTRY_READONLY=false on the UI, images can now be deleted from the web page; anyone who can reach port 8080 gets that ability with the zyj credentials baked into the container, so the UI itself needs to be access-controlled: