Docker - Private Registry

Author: 埃尔温薛定谔不养猫 | Published: 2020-05-07 18:11

Official documentation

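Run the docker command below to pull the registry image and start it. That gives you a registry you can use for testing. For production use you also need TLS and access control; see the registry configuration documentation for details. (I will also add a little on this later in this article.)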

[root@master ~]# docker --version
Docker version 18.09.7, build 2d0083d
[root@master ~]# docker run -d -p 5000:5000 --restart=always --name registry registry:2
Unable to find image 'registry:2' locally
2: Pulling from library/registry
486039affc0a: Pulling fs layer 
ba51a3b098e6: Pulling fs layer 
8bb4c43d6c8e: Pulling fs layer 
6f5f453e5f2d: Waiting 
42bc10b72f42: Waiting 
2: Pulling from library/registry
486039affc0a: Pull complete 
ba51a3b098e6: Pull complete 
8bb4c43d6c8e: Pull complete 
6f5f453e5f2d: Pull complete 
42bc10b72f42: Pull complete 
Digest: sha256:7d081088e4bfd632a88e3f3bcd9e007ef44a796fddfe3261407a3f9f04abe1e7
Status: Downloaded newer image for registry:2
ca0753f710515d20c692811b72a868f589ececa8a719af5e15f0885c3c822242
[root@master ~]# 

Copy an image into your registry

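My machine currently has the following images pulled from the official registry. The plan here is to push the consul image to my private registry, delete the local consul image, and then pull it back from the private registry.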

[root@master ~]# docker images
REPOSITORY                           TAG                 IMAGE ID            CREATED             SIZE
consul                               latest              197999eb696c        12 days ago         116MB
registry                             2                   708bc6af7e5e        3 months ago        25.8MB
[root@master ~]# 
# Re-tag the image; the new tag names the endpoint of the registry to push to, e.g. localhost:5000
[root@master ~]# docker tag consul:latest localhost:5000/consul
# A new entry appears for the same image; the IMAGE ID does not change
[root@master ~]# docker images
REPOSITORY                           TAG                 IMAGE ID            CREATED             SIZE
localhost:5000/consul                latest              197999eb696c        12 days ago         116MB
consul                               latest              197999eb696c        12 days ago         116MB
registry                             2                   708bc6af7e5e        3 months ago        25.8MB
# Push the newly tagged image to the private registry
[root@master ~]# docker push localhost:5000/consul
The push refers to repository [localhost:5000/consul]
97cfbb206c85: Pushed 
5366bac3007c: Pushed 
2a97efe9f9c6: Pushed 
051bc0c95736: Pushed 
719c26e0f977: Pushed 
89ae5c4ee501: Pushed 
latest: digest: sha256:7b29cb3aed7a314c3a9babbfc343448ac0795609443dc4e399ef9fd17b19c8b2 size: 1570
# Remove the original local images
[root@master ~]# docker image rm consul
Untagged: consul:latest
Untagged: consul@sha256:4592d81f9cecdc9fe1832bdcd22dfceafd36720011539679ae177f62cf169ce6
[root@master ~]# docker image rm localhost:5000/consul
Untagged: localhost:5000/consul:latest
Untagged: localhost:5000/consul@sha256:7b29cb3aed7a314c3a9babbfc343448ac0795609443dc4e399ef9fd17b19c8b2
Deleted: sha256:197999eb696c8b907147bb108669c1a183e6683ceb6793c0a4e0d34e046959a5
Deleted: sha256:f0028a7bfb85b001d08d9e105c034c19c9895a519ad9d7e8c202279207b98f27
Deleted: sha256:059277fb9464504a5cd4a9433f02d6efdc8a9c42f689cbfb4c6165e608f8bc44
Deleted: sha256:481ec61ecfa3dfd0db039a18482368ab0bce307f2f4aa8f589bd6d6a971449b0
Deleted: sha256:3d0edaec3b59f4e51a5012d99ec9dfb7425595675764df139ecc821be1c8dd18
Deleted: sha256:07e0e8d80bf42f440db8f1fd5cce44db99eb2cb42068a335829e58dba2d168a0
Deleted: sha256:89ae5c4ee501a09c879f5b58474003539ab3bb978a553af2a4a6a7de248b5740
# Check that they are really gone
[root@master ~]# docker images
REPOSITORY                           TAG                 IMAGE ID            CREATED             SIZE
registry                             2                   708bc6af7e5e        3 months ago        25.8MB
# Check that the registry holds the consul image that was just pushed
[root@master ~]# curl localhost:5000/v2/_catalog
{"repositories":["consul"]}
# Pull the consul image from the private registry
[root@master ~]# docker pull localhost:5000/consul
Using default tag: latest
latest: Pulling from consul
31603596830f: Pull complete 
1840596cea3b: Pull complete 
2ce4a325e54a: Pull complete 
439a692865dc: Pull complete 
e0d6651b2ff5: Pull complete 
1d0852833443: Pull complete 
Digest: sha256:7b29cb3aed7a314c3a9babbfc343448ac0795609443dc4e399ef9fd17b19c8b2
Status: Downloaded newer image for localhost:5000/consul:latest
# Perfect (*゚∀゚*)
[root@master ~]# docker images
REPOSITORY                           TAG                 IMAGE ID            CREATED             SIZE
localhost:5000/consul                latest              197999eb696c        12 days ago         116MB
registry                             2                   708bc6af7e5e        3 months ago        25.8MB

Going further

Registry listening port

You can set the environment variable REGISTRY_HTTP_ADDR to change the port the registry listens on; the default is 5000.

Mapping the registry storage location

-v /mnt/registry:/var/lib/registry

Custom storage location

A network storage location can also be configured; see the official documentation.

Allowing external access to the registry

# Create a certs directory in the working directory (root's home here) and copy the certificate and key into it
[root@master ~]# ls certs
docker.xxx.cn.crt  docker.xxx.cn.key
# Now you can deploy a registry that is reachable from outside
[root@master ~]# docker run -d \
  --restart=always \
  --name registry \
  -v "$(pwd)"/certs:/certs \
  -e REGISTRY_HTTP_ADDR=0.0.0.0:443 \
  -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/docker.xxx.cn.crt \
  -e REGISTRY_HTTP_TLS_KEY=/certs/docker.xxx.cn.key \
  -p 443:443 \
  registry:2
# The API returns data, so the deployment succeeded!
[root@master ~]# curl https://docker.xxx.cn/v2/_catalog
{"repositories":[]}
# Push a local image to the registry; first, see which images my host has
zackliu:~ zackliu$ docker images
REPOSITORY                  TAG                 IMAGE ID            CREATED             SIZE
gitlab/gitlab-ce            latest              13d9da61e07d        3 months ago        1.85GB
golang                      latest              ed081345a3da        4 months ago        803MB
docker.xxx.cn/busybox   latest              6d5fcfe5ff17        4 months ago        1.22MB
busybox                     latest              6d5fcfe5ff17        4 months ago        1.22MB
mysql                       latest              d435eee2caa5        5 months ago        456MB
redis                       latest              de25a81a5a0b        6 months ago        98.2MB
mongo                       latest              58477a771fb4        7 months ago        361MB
centos                      latest              0f3e07c0138f        7 months ago        220MB
gomods/athens               v0.3.1              b2852a5f9c7a        14 months ago       167MB
registry                    latest              f32a97de94e1        14 months ago       25.8MB
# To save on bandwidth costs I decided to push registry; the process is the same as before, except that localhost:5000 is replaced with your domain name
zackliu:~ zackliu$ docker tag registry:latest docker.xxx.cn/registry
zackliu:~ zackliu$ docker images | grep registry
registry                     latest              f32a97de94e1        14 months ago       25.8MB
docker.xxx.cn/registry   latest              f32a97de94e1        14 months ago       25.8MB
zackliu:~ zackliu$ 
zackliu:~ zackliu$ docker push docker.xxx.cn/registry
The push refers to repository [docker.xxx.cn/registry]
73d61bf022fd: Pushed 
5bbc5831d696: Pushed 
d5974ddb5a45: Pushed 
f641ef7a37ad: Pushed 
d9ff549177a9: Pushed 
latest: digest: sha256:b1165286043f2745f45ea637873d61939bff6d9a59f76539d6228abf79f87774 size: 1363
zackliu:~ zackliu$ curl https://docker.xxx.cn/v2/_catalog
{"repositories":["registry"]}

Access restriction

The simplest form is authentication.
!!! TLS must be configured before authentication can be used.

[root@master ~]# mkdir auth
[root@master ~]# docker run \
>   --entrypoint htpasswd \
>   registry:2 -Bbn testuser testpassword > auth/htpasswd
[root@master ~]# cat auth/htpasswd 
testuser:$2y$05$T7zuhDGplTymnFE8J50C/OapMny2EA608KkuMnvNzRYIpab5f541G
[root@master ~]# docker run -d \
  --restart=always \
  --name registry \
  -v "$(pwd)"/auth:/auth \
  -e "REGISTRY_AUTH=htpasswd" \
  -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" \
  -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd \
  -v "$(pwd)"/certs:/certs \
  -p 443:443 \
  -e REGISTRY_HTTP_ADDR=0.0.0.0:443 \
  -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/docker.xxx.cn.crt \
  -e REGISTRY_HTTP_TLS_KEY=/certs/docker.xxx.cn.key \
  registry:2
ae8463de43604a7bce44a94e59f05ff8302816e3290bc047046ba44d6726ed70
# Remove the consul image that was pulled from the private registry
[root@master ~]# docker image remove docker.xxx.cn/consul
Untagged: docker.xxx.cn/consul:latest
[root@master ~]# docker images
REPOSITORY                           TAG                 IMAGE ID            CREATED             SIZE
mysql                                latest              a7a67c95e831        10 days ago         541MB
localhost:5000/consul                latest              197999eb696c        13 days ago         116MB
# Pulling the image again now fails
[root@master ~]# docker pull docker.xxx.cn/consul
Using default tag: latest
Error response from daemon: Get https://docker.xxx.cn/v2/: dial tcp 47.57.146.165:443: connect: connection refused
# Log in first; you will be warned that the password is saved to /root/.docker/config.json
[root@master ~]# docker login docker.xxx.cn:5000
Username: testuser
Password: testpassword
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded
# Open /root/.docker/config.json: under auths you will see the registry endpoint and the login information, where auth is the base64 encoding of username:password...
[root@master ~]# cat /root/.docker/config.json 
{
        "auths": {
                "docker.xxx.cn:5000": {
                        "auth": "dGVzdHVzZXI6dGVzdHBhc3N3b3Jk"
                }
        },
        "HttpHeaders": {
                "User-Agent": "Docker-Client/18.09.7 (linux)"
        }
}
# Upload the image. I picked the wrong image here QAQ, there goes my bandwidth money
[root@master ~]# docker tag localhost:5000/consul:latest docker.xxx.cn:5000/consul
[root@master ~]# docker push docker.xxx.cn:5000/consul
The push refers to repository [docker.xxx.cn:5000/consul]
97cfbb206c85: Pushed 
5366bac3007c: Pushed 
2a97efe9f9c6: Pushed 
051bc0c95736: Pushed 
719c26e0f977: Pushed 
89ae5c4ee501: Pushed 
latest: digest: sha256:7b29cb3aed7a314c3a9babbfc343448ac0795609443dc4e399ef9fd17b19c8b2 size: 1570
# Delete the local image and pull it from the private registry
[root@master ~]# docker rmi docker.xxx.cn:5000/consul
Untagged: docker.xxx.cn:5000/consul:latest
Untagged: docker.xxx.cn:5000/consul@sha256:7b29cb3aed7a314c3a9babbfc343448ac0795609443dc4e399ef9fd17b19c8b2
# Perfect
[root@master ~]# docker pull docker.xxx.cn:5000/consul
Using default tag: latest
latest: Pulling from consul
Digest: sha256:7b29cb3aed7a314c3a9babbfc343448ac0795609443dc4e399ef9fd17b19c8b2
Status: Downloaded newer image for docker.xxx.cn:5000/consul:latest
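
The config.json shown above stores the login as base64, which is an encoding and not encryption. The following is an added example, not part of the original post: a small audit that lists which registries in a Docker client config keep a recoverable password inline. The function name `audit_docker_config` and the host `registry.example.internal` are assumptions made for illustration; the sample config is constructed from the values shown on this page.

```python
import base64
import json

# Constructed sample mirroring the config.json shown above, plus one
# hypothetical registry (registry.example.internal) served by a credential helper.
SAMPLE_CONFIG = """
{
  "auths": {
    "docker.xxx.cn:5000": {"auth": "dGVzdHVzZXI6dGVzdHBhc3N3b3Jk"},
    "registry.example.internal": {}
  },
  "credHelpers": {"registry.example.internal": "pass"}
}
"""


def audit_docker_config(text):
    """Return one finding per registry whose credentials are stored inline.

    The "auth" value is base64(username:password): anyone who can read the
    file can recover the password.
    """
    cfg = json.loads(text)
    global_store = cfg.get("credsStore")   # one store for all registries
    helpers = cfg.get("credHelpers", {})   # per-registry helpers
    findings = []
    for endpoint, entry in cfg.get("auths", {}).items():
        blob = entry.get("auth")
        if not blob:
            continue  # credentials live in a store/helper, not in this file
        try:
            decoded = base64.b64decode(blob, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            findings.append({"endpoint": endpoint, "user": None,
                             "issue": "undecodable auth value"})
            continue
        user, sep, password = decoded.partition(":")
        findings.append({
            "endpoint": endpoint,
            "user": user,
            # Report only that a password is recoverable, never its value.
            "password_recoverable": bool(sep and password),
            "helper_configured": bool(global_store or endpoint in helpers),
        })
    return findings


if __name__ == "__main__":
    for finding in audit_docker_config(SAMPLE_CONFIG):
        print(finding)
```
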

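Problems and solutions

Why do requests to the registry API fail after authentication is added, and why does the image name need to include the port number?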

[root@master ~]# curl https://docker.xxx.cn/v2/_catalog
curl: (7) Failed connect to docker.xxx.cn:443; Connection refused

[root@master ~]# docker pull docker.xxx.cn/consul
Using default tag: latest
Error response from daemon: Get https://docker.xxx.cn/v2/: dial tcp 47.57.146.165:443: connect: connection refused

It turned out that I had forgotten to set the environment variables.

docker run -d \
  --restart=always \
  --name registry \
  -v "$(pwd)"/auth:/auth \
  -e "REGISTRY_AUTH=htpasswd" \
  -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" \
  -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd \
  -v "$(pwd)"/certs:/certs \
  -p 443:443 \
  -e REGISTRY_HTTP_ADDR=0.0.0.0:443 \
  -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/docker.xxx.cn.crt \
  -e REGISTRY_HTTP_TLS_KEY=/certs/docker.xxx.cn.key \
  registry:2
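
A pre-flight check for the settings this page combines (listen port, published port, authentication and TLS), as an added example that is not part of the original post. The function name `lint_registry_run` and both sample command lines are constructed for illustration; the check relies on the registry listening on port 5000 unless REGISTRY_HTTP_ADDR is set, and on Docker clients assuming port 443 when an image name carries no port.

```python
import shlex

TLS_KEYS = ("REGISTRY_HTTP_TLS_CERTIFICATE", "REGISTRY_HTTP_TLS_KEY")

# Constructed sample: auth enabled, but REGISTRY_HTTP_ADDR and the TLS
# variables left out, so the registry still listens on its default port 5000.
BROKEN = r"""docker run -d --name registry \
  -v "$(pwd)"/auth:/auth \
  -e "REGISTRY_AUTH=htpasswd" \
  -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd \
  -p 443:443 \
  registry:2"""

# Constructed sample: TLS and auth set, default listen port published as 5000.
ON_5000 = r"""docker run -d --name registry \
  -e REGISTRY_AUTH=htpasswd \
  -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/docker.xxx.cn.crt \
  -e REGISTRY_HTTP_TLS_KEY=/certs/docker.xxx.cn.key \
  -p 5000:5000 registry:2"""


def lint_registry_run(command):
    """Return (findings, host_ports) for a `docker run ... registry:2` command."""
    args = shlex.split(command.replace("\\\n", " "))  # join continuation lines
    env, published = {}, []
    for flag, value in zip(args, args[1:]):
        if flag == "-e":
            key, _, val = value.partition("=")
            env[key] = val
        elif flag == "-p":
            host, _, container = value.rpartition(":")
            # host may be "ip:port"; keep only the port ("" if none was given)
            published.append((host.rpartition(":")[2], container.split("/")[0]))
    # The registry listens on 5000 unless REGISTRY_HTTP_ADDR says otherwise.
    listen = env.get("REGISTRY_HTTP_ADDR", ":5000").rpartition(":")[2]
    findings = []
    reachable = [h for h, c in published if c == listen]
    if not reachable:
        findings.append(f"no -p mapping targets listen port {listen}")
    if env.get("REGISTRY_AUTH") and not all(k in env for k in TLS_KEYS):
        findings.append("REGISTRY_AUTH set without TLS certificate and key")
    if any(h != "443" for h in reachable):
        findings.append("host port is not 443: image names must include the port")
    return findings, reachable
```
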

To be continued...
