Setting Up a Private Docker Registry

Author: 灼灼2015 | Published: 2016-08-29 13:34 | Views: 2404

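    As stressed earlier, image management is a must. Here, image management does not mean managing a single host, but managing images across N servers.

    Current situation and things to consider:
    1) There are several closed environments that cannot access the Internet directly.
    2) There are many servers, so when an image needs updating we have to consider how to roll out the update.
    3) How to control image versions.

    Given these issues, a single private registry is certainly not enough. But once there are several private registries, should they share information with each other? Just thinking about it gives me a headache.

    First, let's look at how to set up a private registry:

    1. Environment
      192.168.220.123 CentOS 7, Docker 1.12.1 already installed (registry)
      192.168.220.215 CentOS 7, Docker 1.10
      192.168.220.126 CentOS 6.5, Docker 1.7.1

    2. Set up the private registry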

    docker pull registry
    docker run -d -p 5000:5000 -v /var/lib/registry:/var/lib/registry registry
    [root@wxtest1607 registry]# docker ps
    CONTAINER ID        IMAGE               COMMAND                  CREATED             STATUS              PORTS                               NAMES
    d480848f889b        registry            "/entrypoint.sh /etc/"   19 seconds ago      Up 16 seconds       0.0.0.0:5000->5000/tcp              goofy_mccarthy
    

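    The registry image's Dockerfile declares VOLUME ["/var/lib/registry"].
    If there is no /var/lib/registry directory on the host, pushed images are saved in the container's /var/lib/registry directory, and images may be lost.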

    vi /etc/docker/registry/config.yml
    dev:
      loglevel: info
      storage: local
      storage_path: /var/lib/registry
    
    3. Verify the private registry
      3.1 Push an image to the private registry
      On server 126 (Docker client):
    docker pull hello-world
    docker tag hello-world  192.168.220.123:5000/hellobyqq
    docker push 192.168.220.123:5000/hellobyqq
    

    On server 123 (Docker registry):

    [root@wxtest1607 repositories]# pwd
    /var/lib/registry/docker/registry/v2/repositories
    [root@wxtest1607 repositories]# ls -lh
    总用量 0
    drwxr-xr-x 5 root root 52 8月  29 15:24 hellobyqq
    

    3.2 Pull the image from the private registry to the local host
    On server 215 (Docker client):

    docker pull 192.168.220.123:5000/hellobyqq
    

    3.3 Query the private registry

    [root@localhost docker]# docker search 192.168.220.123:5000/hellobyqq
    Error response from daemon: Unexpected status code 404
    [root@localhost docker]# curl  http://192.168.220.123:5000/v2/_catalog
    {"repositories":["hellobyqq"]}
    

    3.4 Common errors

    Error response from daemon: invalid registry endpoint https://192.168.220.123:5000/v1/: Get https://192.168.220.123:5000/v1/_ping: tls: oversized record received with length 20527. If this private registry supports only HTTP or HTTPS with an unknown CA certificate, please add --insecure-registry 192.168.220.123:5000 to the daemon's arguments. In the case of HTTPS, if you have access to the registry's CA certificate, no need for the flag; simply place the CA certificate at /etc/docker/certs.d/192.168.220.123:5000/ca.crt

    Solution:
    Configure the client.
    Fix for server 126 (Docker 1.7):
    vi /etc/sysconfig/docker

    # /etc/sysconfig/docker
    #
    # Other arguments to pass to the docker daemon process
    # These will be parsed by the sysv initscript and appended
    # to the arguments list passed to docker -d
    other_args="--selinux-enabled=true --insecure-registry 192.168.220.123:5000"  # modified here
    DOCKER_CERT_PATH=/etc/docker
    # Resolves: rhbz#1176302 (docker issue #407)
    DOCKER_NOWARN_KERNEL_VERSION=1
    # Location used for temporary files, such as those created by
    # # docker load and build operations. Default is /var/lib/docker/tmp
    # # Can be overriden by setting the following environment variable.
    # # DOCKER_TMPDIR=/var/tmp
    

    Restart Docker.
    Configuration for server 215 (Docker 1.10):

    [root@localhost docker]# cat /etc/sysconfig/docker
    # /etc/sysconfig/docker
    # Modify these options if you want to change the way the docker daemon runs
    OPTIONS='--selinux-enabled --log-driver=journald'
    DOCKER_CERT_PATH=/etc/docker
    # If you want to add your own registry to be used for docker search and docker
    # pull use the ADD_REGISTRY option to list a set of registries, each prepended
    # with --add-registry flag. The first registry added will be the first registry
    # searched.
    #ADD_REGISTRY='--add-registry registry.access.redhat.com'
    # If you want to block registries from being used, uncomment the BLOCK_REGISTRY
    # option and give it a set of registries, each prepended with --block-registry
    # flag. For example adding docker.io will stop users from downloading images
    # from docker.io
    # BLOCK_REGISTRY='--block-registry'
    # If you have a registry secured with https but do not have proper certs
    # distributed, you can tell docker to not look for full authorization by
    # adding the registry to the INSECURE_REGISTRY line and uncommenting it.
    INSECURE_REGISTRY='--insecure-registry 192.168.220.123:5000'   # modified here
    # On an SELinux system, if you remove the --selinux-enabled option, you
    # also need to turn on the docker_transition_unconfined boolean.
    # setsebool -P docker_transition_unconfined 1
    # Location used for temporary files, such as those created by
    # docker load and build operations. Default is /var/lib/docker/tmp
    # Can be overriden by setting the following environment variable.
    # DOCKER_TMPDIR=/var/tmp
    # Controls the /etc/cron.daily/docker-logrotate cron job status.
    # To disable, uncomment the line below.
    # LOGROTATE=false
    #
    # docker-latest daemon can be used by starting the docker-latest unitfile.
    # To use docker-latest client, uncomment below line
    #DOCKERBINARY=/usr/bin/docker-latest
    

    Restart Docker.

    Docker 1.12 requires the following instead:

    Create or modify /etc/docker/daemon.json
    { "insecure-registries":["192.168.220.123:5000"] }
    Restart docker daemon
    systemctl restart docker.service
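
The --insecure-registry setting makes the daemon talk to that registry over plain HTTP or without verifying its certificate, so it is worth knowing which hosts carry it. The script below is an added example, not part of the original post: it lists every such registry by reading the three configuration locations shown on this page. The function names and the ROOT argument (for auditing a copy of a host's /etc) are assumptions of this example, and the sample files are constructed.

```shell
#!/bin/sh
# Added example: report registries this Docker host trusts without verified TLS.

# audit_insecure_registries ROOT
#   ROOT is prepended to each path so a copy of a host's /etc can be audited
#   (an assumption of this example); pass "" to check the live host.
#   Prints one "file<TAB>registry" line per finding.
audit_insecure_registries() {
    root=$1
    # Docker 1.7 / 1.10 on CentOS: flag set in /etc/sysconfig/docker.
    f="$root/etc/sysconfig/docker"
    if [ -r "$f" ]; then
        # Drop commented-out lines, then take the value that follows the flag
        # ("--insecure-registry host" or "--insecure-registry=host").
        pat="--insecure-registry[= ]+[^ \"']+"
        hits=$(grep -v '^[[:space:]]*#' "$f" | grep -oE -e "$pat" |
               sed -E 's/^--insecure-registry[= ]+//')
        for r in $hits; do printf '%s\t%s\n' "$f" "$r"; done
    fi
    # Docker 1.12: "insecure-registries" array in /etc/docker/daemon.json.
    f="$root/etc/docker/daemon.json"
    if [ -r "$f" ]; then
        hits=$(tr -d '\n' < "$f" |
               grep -oE '"insecure-registries"[[:space:]]*:[[:space:]]*\[[^]]*\]' |
               sed -E 's/^[^[]*\[//; s/\]$//' | tr ',' '\n' | tr -d '" \t')
        for r in $hits; do printf '%s\t%s\n' "$f" "$r"; done
    fi
}

# Constructed sample: a copy of /etc holding the settings shown on this page,
# plus one commented-out entry that must not be reported.
make_sample_root() {
    d=$(mktemp -d)
    mkdir -p "$d/etc/sysconfig" "$d/etc/docker"
    cat > "$d/etc/sysconfig/docker" <<'EOF'
OPTIONS='--selinux-enabled --log-driver=journald'
# INSECURE_REGISTRY='--insecure-registry registry.example.invalid:5000'
INSECURE_REGISTRY='--insecure-registry 192.168.220.123:5000'
EOF
    printf '{ "insecure-registries":["192.168.220.123:5000"] }\n' \
        > "$d/etc/docker/daemon.json"
    echo "$d"
}

sample=$(make_sample_root)
audit_insecure_registries "$sample"
rm -rf "$sample"
```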
    
