Docker搭建仓库

若物理机没有registry镜像，则需下载registry.tar，并将其导入容器为registry镜像。

1、导入仓库镜像

2、开启容器

[root@foundation81 ~]# mkdir /opt/registry

[root@foundation81 ~]# docker run -d --name registry -p 5000:5000 -v /opt/registry:/var/lib/registry registry

 

 

3、上传

 

[root@foundation81 ~]# docker tag rhel7:v4 localhost:5000/rhel7:v4     ##修改镜像的tag

[root@foundation81 ~]# docker push localhost:5000/rhel7:v4              ##将本地镜像推送到私有仓库

查看仓库目录：

4、下载

注意：因为是本机下载，所有删除原有的镜像才能看到效果

[root@foundation81 ~]# docker rmi localhost:5000/rhel7:v4    ##这里其实并没有删除镜像，只是删除了刚刚修改过的镜像tag

[root@foundation81 ~]# docker rmi rhel7:v4

[root@foundation81 ~]# docker rmi rhel7:v3

[root@foundation81 ~]# docker rmi rhel7:v2

[root@foundation81 ~]# docker rmi rhel7:v1

[root@foundation81 ~]# docker pull localhost:5000/rhel7:v4

[root@foundation81 ~]# docker tag localhost:5000/rhel7:v4 rhel7:v1     ##修改镜像的tag

[root@foundation81 ~]# docker rmi localhost:5000/rhel7:v4

 

Docker仓库创建安全认证

https://docs.docker.com/

1、创建certs证书，生成服务器私钥

[root@foundation81 ~]# cd /tmp/docker/

[root@foundation81 docker]# mkdir certs

[root@foundation81 docker]# openssl req \
> -newkey rsa:4096 -nodes -sha256 -keyout certs/westos.org.key \
> -x509 -days 365 -out certs/westos.org.crt

Generating a 4096 bit RSA private key
.....................................................................................................................................................................................++
.......................................................................................++
writing new private key to 'certs/westos.org.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:shaanxi
Locality Name (eg, city) [Default City]:xi'an
Organization Name (eg, company) [Default Company Ltd]:westos
Organizational Unit Name (eg, section) []:westos.org
Common Name (eg, your name or your server's hostname) []:westos.org
Email Address []:root@westos.org

查看证书、私钥:

2、域名解析

[root@foundation81 certs]# vim /etc/hosts

172.25.81.250 westos.org

3、启动仓库

[root@foundation81 docker]# docker run -d \
> --restart=always \
> --name registry \
> -v "$(pwd)"/certs:/certs \
> -e REGISTRY_HTTP_ADDR=0.0.0.0:443 \
> -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/westos.org.crt \
> -e REGISTRY_HTTP_TLS_KEY=/certs/westos.org.key \
> -p 443:443 \
> -v /opt/registry:/var/lib/registry registry

3、更新CA证书

[root@foundation81 ~]# cd /etc/docker/

[root@foundation81 docker]# mkdir certs.d

[root@foundation81 docker]# cd certs.d/

[root@foundation81 certs.d]# mkdir westos.org

[root@foundation81 certs.d]# cd westos.org/

[root@foundation81 westos.org]# cp /tmp/docker/certs/westos.org.crt ca.crt

4、上传westos.org/game2048

[root@foundation81 ~]# docker tag game2048 westos.org/game2048

[root@foundation81 ~]# docker push westos.org/game2048

5、另开一台虚拟机下载刚刚上传的镜像：

<1>域名解析

[root@server1 docker]# vim /etc/hosts

<2>下载镜像

直接下载镜像会报错

[root@server1 ~]# mkdir /etc/docker/certs.d/westos.org -p

[root@server1 ~]# cd /etc/docker/certs.d/westos.org/

[root@server1 westos.org]# scp 172.25.81.250:/etc/docker/certs.d/westos.org/ca.crt .

[root@server1 westos.org]# ls
ca.crt

[root@server1 westos.org]# docker pull westos.org/game2048

 

[root@server1 westos.org]# docker run -d -p 80:80 --name vm1 westos.org/game2048

 

Docker生产环境安全性——证书验证仓库客户端

1、生成鉴权密码文件

[root@foundation81 westos.org]# cd /tmp/docker/

[root@foundation81 docker]# mkdir auth

[root@foundation81 docker]# docker run --rm --entrypoint htpasswd registry -Bbn zyj westos > auth/htpasswd   ##用户zyj密码westos

[root@foundation81 docker]# docker run --rm --entrypoint htpasswd registry -Bbn admin westos >> auth/htpasswd

2、关闭之前的仓库，防止冲突

[root@foundation81 docker]# docker ps

[root@foundation81 docker]# docker rm -f registry

3、启动Registry

[root@foundation81 docker]# docker run -d --restart=always --name registry -v "$(pwd)"/certs:/certs -e REGISTRY_HTTP_ADDR=0.0.0.0:443 -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/westos.org.crt -e REGISTRY_HTTP_TLS_KEY=/certs/westos.org.key -p 443:443 -v /opt/registry:/var/lib/registry -v "$(pwd)"/auth:/auth -e "REGISTRY_AUTH=htpasswd" -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd registry

 

4、上传镜像

登录认证成功后，才可进行push等操作

[root@foundation81 ~]# docker login westos.org
Username: zyj
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded

 

 

[root@foundation81 ~]# docker push westos.org/rhel7

 

认证成功后，认证信息保存在当前文件下

 

docker使用web界面管理Registry

在上步Registry运行的基础上：

[root@foundation81 images]# docker load -i docker-registry-web.tar

[root@foundation81 .docker]# docker run -it -p 8080:8080 --name registry-web --link registry:westos.org -e REGISTRY_URL=https://westos.org/v2 -e REGISTRY_TRUST_ANY_SSL=true -e REGISTRY_BASIC_AUTH="enlqOndlc3Rvcw==" -e REGISTRY_NAME=westos.org docker-registry-web

浏览器访问web页面：localhost:8080

默认是只读权限，不能执行对镜像的删除操作：

读写权限的实现：

<1>删除之前的两个容器

[root@foundation81 .docker]# docker rm -f `docker ps -aq`

<2>重新启动Registry和registry-web（修改参数）

[root@foundation81 docker]# pwd
/tmp/docker
[root@foundation81 docker]# docker run -d --restart=always --name registry -v "$(pwd)"/certs:/certs -e REGISTRY_HTTP_ADDR=0.0.0.0:443 -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/westos.org.crt -e REGISTRY_HTTP_TLS_KEY=/certs/westos.org.key -p 443:443 -v /opt/registry:/var/lib/registry -v "$(pwd)"/auth:/auth -e "REGISTRY_AUTH=htpasswd" -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd -e REGISTRY_STORAGE_DELETE_ENABLED=true registry
e6699eac233e5c2912905091a7be53060884aafd9b7cd9d3bdbd93b568e0adec

 

[root@foundation81 docker]# docker run -it -p 8080:8080 --name registry-web --link registry:westos.org -e REGISTRY_URL=https://westos.org/v2 -e REGISTRY_TRUST_ANY_SSL=true -e REGISTRY_BASIC_AUTH="enlqOndlc3Rvcw==" -e REGISTRY_NAME=westos.org -e REGISTRY_READONLY=false docker-registry-web

此时可以对镜像进行删除操作：