Part 1. The Docker registry
Docker's public image repository is Docker Hub. Much as GitLab is the self-hosted open-source counterpart to GitHub, Docker has an open-source registry server, Docker Registry, that you can run yourself. Start by searching for the registry image:
[root@linux-node1 ~]# docker search docker
INDEX       NAME                    DESCRIPTION                                     STARS   OFFICIAL   AUTOMATED
docker.io   docker.io/jenkins       Official Jenkins Docker image                   3010    [OK]
docker.io   docker.io/alpine        A minimal Docker image based on Alpine Lin...   2409    [OK]
docker.io   docker.io/registry      The Docker Registry 2.0 implementation for...   1587    [OK]
...
Pull it with docker pull:
[root@linux-node1 ~]# docker pull registry
List the local images:
[root@linux-node1 ~]# docker images
REPOSITORY           TAG      IMAGE ID       CREATED             SIZE
youngcheung/nginx    v3       b1fddf8a648d   About an hour ago   401.2 MB
youngcheung/nginx    v2       7ad2cb731e7e   5 hours ago         381.9 MB
youngcheung/nginx    v1       76bed70bc348   5 hours ago         381.9 MB
docker.io/registry   latest   751f286bc25e   5 days ago          33.19 MB
docker.io/nginx      latest   e4e6d42c70b3   2 weeks ago         107.5 MB
docker.io/centos     latest   36540f359ca3   2 weeks ago         192.5 MB
Next, run the registry container. The registry listens on port 5000 by default, so first check that nothing else on the host is using that port. Note that -p 5000:5000 publishes the port on every interface of the host; if the nginx front end set up below is meant to be the only way in, publish it on loopback only (-p 127.0.0.1:5000:5000).
Start the container:
[root@linux-node1 ~]# docker run -d -p 5000:5000 registry
1e871b39b0756f48d05d56293e743670051817beddd910477de903888419f421
Note: with very old Docker releases this was all it took to use the registry; newer ones (1.7 and later) will not push to it as-is, as the next step shows.
Now tag an image for the new registry. The host:port prefix in the tag is what tells the client which registry to push to:
[root@linux-node1 ~]# docker tag youngcheung/nginx:v3 192.168.56.10:5000/zhsir/mynginx:latest
Then push. The push fails: since Docker 1.3 the client expects a registry to speak HTTPS, so when it pulls from or pushes to a registry that only answers plain HTTP it reports the error below.
[root@linux-node1 ~]# docker push 192.168.56.10:5000/zhsir/mynginx:latest
The push refers to a repository [192.168.56.10:5000/zhsir/mynginx]
Get https://192.168.56.10:5000/v1/_ping: http: server gave HTTP response to HTTPS client
Tip: there are two ways around this. Either put a TLS endpoint in front of the registry (with a free certificate from WoSign or Tencent, or one issued by your own CA as shown below), or tell the Docker daemon in its local configuration to accept this registry without TLS (--insecure-registry, shown later). Only the first protects the image traffic and the registry credentials.
Method one: install nginx and terminate HTTPS there
[root@linux-node1 ~]# yum install nginx -y
[root@linux-node1 ~]# vim /etc/nginx/nginx.conf
…
include /etc/nginx/conf.d/*.conf;
…
Because the main configuration file includes that directory, only files placed under /etc/nginx/conf.d/*.conf are picked up.
The site configuration:
[root@linux-node1 conf.d]# cat docker.conf
upstream docker-registry {
    server 127.0.0.1:5000;
}

server {
    listen 443 ssl;                        # older configs spell this "listen 443;" plus "ssl on;"
    server_name registry.zhsir.com;
    ssl_certificate /etc/ssl/nginx.crt;
    ssl_certificate_key /etc/ssl/nginx.key;

    proxy_set_header Host $http_host;      # keeps the registry's own URLs pointing at this name
    proxy_set_header X-Real-IP $remote_addr;
    client_max_body_size 0;                # image layers are large; remove the upload size limit
    chunked_transfer_encoding on;

    # lets the docker client treat nginx's 401 as a v2 registry response
    add_header 'Docker-Distribution-Api-Version' 'registry/2.0' always;

    # every API path requires basic auth
    location / {
        auth_basic "Docker";
        auth_basic_user_file /etc/nginx/conf.d/docker-registry.htpasswd;
        proxy_pass http://docker-registry;
    }

    # unauthenticated ping endpoints of the old v1 API; the v2 API probes /v2/ instead
    location /_ping {
        auth_basic off;
        proxy_pass http://docker-registry;
    }
    location /v1/_ping {
        auth_basic off;
        proxy_pass http://docker-registry;
    }
}
A certificate is needed. You can apply for a free certificate from WoSign or Tencent, in which case the CA steps below are unnecessary. Here we first create a private root CA; in production simply configure the certificate issued to you. Give the CA a Common Name distinct from the server's (both are registry.zhsir.com below), so the two certificates can be told apart.
[root@linux-node1 nginx]# cd /etc/pki/CA/
[root@linux-node1 CA]# touch ./{serial,index.txt}
[root@linux-node1 CA]# echo "00" > serial
[root@linux-node1 CA]# openssl genrsa -out private/cakey.pem 2048
Generating RSA private key, 2048 bit long modulus
..........................+++
.............................................+++
e is 65537 (0x10001)
[root@linux-node1 CA]# openssl req -new -x509 -key private/cakey.pem -days 3650 -out cacert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:BeiJing
Locality Name (eg, city) [Default City]:BeiJing
Organization Name (eg, company) [Default Company Ltd]:www.zhsir.org
Organizational Unit Name (eg, section) []:docker
Common Name (eg, your name or your server's hostname) []:registry.zhsir.com
Email Address []:zhangyang1@afocus.com.cn
Now generate the key and certificate request for nginx itself (in production use the certificate issued by your provider, so this step is not needed):
[root@linux-node1 CA]# cd /etc/ssl/
[root@linux-node1 ssl]# openssl genrsa -out nginx.key 2048
Generating RSA private key, 2048 bit long modulus
...................+++
.............................................................................................+++
e is 65537 (0x10001)
[root@linux-node1 ssl]# openssl req -new -key nginx.key -out nginx.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:BeiJing
Locality Name (eg, city) [Default City]:BeiJing
Organization Name (eg, company) [Default Company Ltd]:www.zhsir.org
Organizational Unit Name (eg, section) []:docker
Common Name (eg, your name or your server's hostname) []:registry.zhsir.com
Email Address []:zhangyang1@afocus.com.cn

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
# just press Enter for the last two
Sign the certificate with the CA:
[root@linux-node1 ssl]# openssl ca -in nginx.csr -days 365 -out nginx.crt
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 0 (0x0)
        Validity
            Not Before: Jul 26 16:51:43 2017 GMT
            Not After : Jul 26 16:51:43 2018 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = BeiJing
            organizationName          = www.zhsir.org
            organizationalUnitName    = docker
            commonName                = registry.zhsir.com
            emailAddress              = zhangyang1@afocus.com.cn
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                EA:D5:6D:BA:E6:6B:F0:67:8C:D2:69:5D:37:19:90:77:B8:EE:C4:92
            X509v3 Authority Key Identifier:
                keyid:9A:20:C0:DC:34:82:2C:6F:8D:42:57:EB:E6:75:49:11:5C:0E:FC:E1
Certificate is to be certified until Jul 26 16:51:43 2018 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Because the certificate is issued by our own CA, the system must be told to trust that CA. Appending it to the system bundle works on this box:
[root@linux-node1 ssl]# cat /etc/pki/CA/cacert.pem >> /etc/pki/tls/certs/ca-bundle.crt
Two caveats. On CentOS/RHEL 7 that bundle is regenerated by update-ca-trust, which silently drops anything appended by hand; the durable form is to copy cacert.pem into /etc/pki/ca-trust/source/anchors/ and run update-ca-trust. For Docker alone it is better to scope the trust to this one registry: place the CA certificate at /etc/docker/certs.d/registry.zhsir.com/ca.crt (the directory name must match the host[:port] used in the image tag), and no --insecure-registry flag is needed. Note also that the certificate signed above carries no subjectAltName; current Docker clients (built with Go 1.15 or later) ignore the Common Name and require the hostname in a SAN.
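The CA and server-certificate steps above, reworked as an added example (these are not the page's own commands) that also fixes the two things a current client trips over: the server certificate carries a subjectAltName, and the CA gets a Common Name distinct from the server's. It assumes a scratch directory $WORK, the hostname registry.zhsir.com from the page, the CA name "zhsir internal CA", and a $CERTS_D directory that stands in for /etc/docker/certs.d.

```shell
#!/bin/sh
# Added example: private CA, server certificate with subjectAltName, chain
# check, and the per-registry trust file Docker reads.
# $WORK, $CERTS_D and the CA name are assumptions made for this example.
set -eu

HOST="${HOST:-registry.zhsir.com}"          # name the clients will connect to
WORK="${WORK:-$(mktemp -d)}"                # scratch directory
CERTS_D="${CERTS_D:-$WORK/certs.d}"         # stands in for /etc/docker/certs.d

# Root key and self-signed CA certificate. Extensions are given explicitly so
# the result does not depend on the system openssl.cnf; the key stays here.
make_ca() {
    openssl genrsa -out "$WORK/cakey.pem" 2048 2>/dev/null
    openssl req -new -key "$WORK/cakey.pem" \
        -subj "/C=CN/O=www.zhsir.org/OU=docker/CN=zhsir internal CA" \
        -out "$WORK/ca.csr"
    printf '%s\n' 'basicConstraints=critical,CA:TRUE' \
        'keyUsage=critical,keyCertSign,cRLSign' \
        'subjectKeyIdentifier=hash' > "$WORK/ca.cnf"
    openssl x509 -req -in "$WORK/ca.csr" -signkey "$WORK/cakey.pem" -days 3650 \
        -extfile "$WORK/ca.cnf" -out "$WORK/cacert.pem" 2>/dev/null
}

# Server key, CSR and CA-signed certificate. Unlike the stock `openssl ca` run,
# this adds subjectAltName=DNS:$HOST: Go-based clients such as the docker CLI
# (Go 1.15 and later) ignore the CN and match SAN entries only.
issue_cert() {
    openssl genrsa -out "$WORK/nginx.key" 2048 2>/dev/null
    openssl req -new -key "$WORK/nginx.key" \
        -subj "/C=CN/O=www.zhsir.org/OU=docker/CN=$HOST" -out "$WORK/nginx.csr"
    printf '%s\n' 'basicConstraints=CA:FALSE' \
        'keyUsage=digitalSignature,keyEncipherment' \
        'extendedKeyUsage=serverAuth' \
        "subjectAltName=DNS:$HOST" > "$WORK/san.cnf"
    openssl x509 -req -in "$WORK/nginx.csr" -CA "$WORK/cacert.pem" \
        -CAkey "$WORK/cakey.pem" -CAcreateserial -days 365 \
        -extfile "$WORK/san.cnf" -out "$WORK/nginx.crt" 2>/dev/null
}

# Check the chain and the SAN the way a TLS client would; prints OK on success.
verify_cert() {
    openssl verify -CAfile "$WORK/cacert.pem" "$WORK/nginx.crt" >/dev/null 2>&1 \
        || { echo "BAD-CHAIN"; return 1; }
    openssl x509 -in "$WORK/nginx.crt" -noout -text | grep -q "DNS:$HOST" \
        || { echo "NO-SAN"; return 1; }
    echo OK
}

# Docker trusts a private CA for one registry through
# /etc/docker/certs.d/<host[:port]>/ca.crt; no --insecure-registry is needed.
install_docker_trust() {
    mkdir -p "$CERTS_D/$HOST"
    cp "$WORK/cacert.pem" "$CERTS_D/$HOST/ca.crt"
}

make_ca
issue_cert
verify_cert
install_docker_trust
echo "CA: $WORK/cacert.pem  server cert: $WORK/nginx.crt  trust file: $CERTS_D/$HOST/ca.crt"
```

To use the output with the nginx configuration above, copy nginx.key and nginx.crt to /etc/ssl/ and, on every Docker host that should pull from the registry, install the trust file under the real /etc/docker/certs.d/ directory.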
Then create an account and password for the basic-auth check:
[root@linux-node1 ssl]# htpasswd -c /etc/nginx/conf.d/docker-registry.htpasswd zhangyang
New password:
Re-type new password:
Adding password for user zhangyang
# The path must match auth_basic_user_file in the nginx configuration.
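An added example (not from the page) showing what the htpasswd file holds and how a password is checked against it: the apr1 scheme that htpasswd uses by default is reproduced with openssl passwd, and the salt is recovered from the stored hash to recompute and compare, which is what nginx's auth_basic does on each request. The file path, users and passwords are made up for the example.

```shell
#!/bin/sh
# Added example: build htpasswd entries in the apr1 (Apache MD5) scheme that
# `htpasswd` emits by default, then verify passwords against the stored hashes.
# $HTPASSWD, the users and the passwords are assumptions for this example.
set -eu

HTPASSWD="${HTPASSWD:-$(mktemp)}"   # stands in for /etc/nginx/conf.d/docker-registry.htpasswd

# make_entry USER PASSWORD SALT  -> "USER:$apr1$SALT$hash"
# The salt (up to 8 characters) is passed in so the output is reproducible;
# htpasswd draws a random one.
make_entry() {
    printf '%s:%s\n' "$1" "$(openssl passwd -apr1 -salt "$3" "$2")"
}

# check_password FILE USER PASSWORD -> exit 0 if FILE holds USER with that password
check_password() {
    stored=$(grep "^$2:" "$1" | head -n 1 | cut -d: -f2-)
    [ -n "$stored" ] || return 1
    salt=$(printf '%s' "$stored" | cut -d'$' -f3)      # layout is $apr1$<salt>$<hash>
    [ "$(openssl passwd -apr1 -salt "$salt" "$3")" = "$stored" ]
}

make_entry zhangyang 'correct horse battery' 8charsal  > "$HTPASSWD"
make_entry deployer  'another pass'          saltsalt >> "$HTPASSWD"
cat "$HTPASSWD"
check_password "$HTPASSWD" zhangyang 'correct horse battery' && echo "zhangyang: accepted"
check_password "$HTPASSWD" zhangyang 'wrong' || echo "zhangyang with wrong password: rejected"
```

apr1 is salted, iterated MD5 and is cheap to brute-force if the file leaks; htpasswd -B stores bcrypt hashes instead, which nginx accepts only where the host's crypt() supports bcrypt, so test that before switching. Whatever the scheme, the credentials travel in every request as a base64 header, which is why the TLS layer in front of the registry is not optional.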
Start nginx:
[root@linux-node1 ~]# systemctl start nginx
Check that port 443 is now listening:
[root@linux-node1 ssl]# netstat -lntup
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      65743/nginx: master
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      22953/sshd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      2725/master
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      65743/nginx: master
tcp6       0      0 :::5000                 :::*                    LISTEN      62640/docker-proxy-
tcp6       0      0 :::80                   :::*                    LISTEN      65743/nginx: master
tcp6       0      0 :::22                   :::*                    LISTEN      22953/sshd
tcp6       0      0 ::1:25                  :::*                    LISTEN      2725/master
Port 443 is up. Notice that port 5000 (docker-proxy) is listening on all interfaces as well: the registry can still be reached directly, bypassing both the TLS and the password check in nginx. Publish it on 127.0.0.1 only, or firewall it, if nginx is meant to be the sole entry point.
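The listing above shows :::5000 bound to every interface, which means the registry answers directly on port 5000 and the nginx front end can be skipped. This added example (not part of the page) is a small check for that condition: it reads netstat or ss output and reports backend ports bound to a wildcard address. The two listings embedded in it are constructed, modelled on this page's netstat output, with the second showing the same host after the registry has been republished on loopback.

```shell
#!/bin/sh
# Added example: find backend ports bound to a wildcard address, i.e. reachable
# without going through the nginx front end.
# Reads `netstat -lnt[p]` or `ss -lnt[p]` output on stdin; sample data below.
set -eu

# exposed_backends PORTS   (PORTS is comma-separated, e.g. "5000" or "5000,9000")
# Prints each listed port whose listening socket is bound to 0.0.0.0, ::, * or [::].
exposed_backends() {
    awk -v want="$1" '
        BEGIN { n = split(want, p, ","); for (i = 1; i <= n; i++) w[p[i]] = 1 }
        # netstat rows start with tcp/tcp6 and carry the state in $6;
        # ss rows start with the state itself. Both keep the local address in $4.
        ($1 ~ /^tcp6?$/ && $6 == "LISTEN") || $1 == "LISTEN" {
            addr = $4; port = $4
            sub(/:[0-9]+$/, "", addr)
            sub(/.*:/, "", port)
            if ((port in w) && (addr == "0.0.0.0" || addr == "::" || addr == "*" || addr == "[::]"))
                print port
        }' | sort -u
}

# Constructed sample, modelled on the netstat listing from this page: nginx on
# 80/443, postfix on loopback, and the registry's docker-proxy on every interface.
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      65743/nginx: master
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      2725/master
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      65743/nginx: master
tcp6       0      0 :::5000                 :::*                    LISTEN      62640/docker-proxy'

# Constructed sample of the same host after `docker run -p 127.0.0.1:5000:5000 ...`,
# in the format `ss -lntp` prints.
SAMPLE_SS='State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:443         0.0.0.0:*          users:(("nginx",pid=65743,fd=7))
LISTEN  0       128     127.0.0.1:5000      0.0.0.0:*          users:(("docker-proxy",pid=62640,fd=4))'

check_netstat_sample() { printf '%s\n' "$SAMPLE_NETSTAT" | exposed_backends "$1"; }
check_ss_sample()      { printf '%s\n' "$SAMPLE_SS" | exposed_backends "$1"; }

echo "exposed before the fix: $(check_netstat_sample 5000)"   # 5000
echo "exposed after the fix:  $(check_ss_sample 5000)"        # nothing
# Live use on the registry host:  netstat -lntup | exposed_backends 5000
```

Run the live form after every change to the docker run line: a registry that is reachable on port 5000 from the network turns the nginx password into decoration, since `docker push 192.168.56.10:5000/...` with --insecure-registry set never sees it.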
The certificate is issued for registry.zhsir.com, so that name must resolve to the host; add a hosts entry:
[root@linux-node1 ssl]# cat /etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.56.10 registry.zhsir.com
Edit the Docker daemon options:
[root@linux-node1 ~]# vim /etc/sysconfig/docker
# Modify these options if you want to change the way the docker daemon runs
OPTIONS='--selinux-enabled --insecure-registry 192.168.56.10:5000'
--insecure-registry tells the daemon to accept plain HTTP (and untrusted TLS) for that host:port. With it set, the push below goes to port 5000 directly and never passes through nginx, so neither the certificate nor the htpasswd account is exercised. To actually use the HTTPS front end, trust the CA as described above, retag the image as registry.zhsir.com/zhsir/mynginx:latest, push to that name (port 443), and leave --insecure-registry out.
Test the upload:
[root@linux-node1 ~]# docker push 192.168.56.10:5000/zhsir/mynginx:latest
The push refers to a repository [192.168.56.10:5000/zhsir/mynginx]
159e0c784414: Pushed
fb2d6779346f: Pushed
c4eab997fdda: Pushed
e34375cdf1bb: Pushed
99b28d9413e4: Pushed
latest: digest: sha256:71aaac410c29857d60357092b8f6604f3ebcd83b10fbd3e80e67fb2e3ee81f69 size: 1367
Summary:
1. Edit /etc/sysconfig/docker and list the registry under --insecure-registry (or, for the HTTPS front end, trust its CA instead).
2. Tag the image for the registry:
[root@linux-node1 ~]# docker tag youngcheung/nginx:v3 192.168.56.10:5000/zhsir/mynginx:latest
3. Push it:
[root@linux-node1 ~]# docker push 192.168.56.10:5000/zhsir/mynginx:latest
After the push, test a pull from another server.
First edit /etc/sysconfig/docker on the client exactly as on the server: the pull goes to port 5000 over plain HTTP, so the client daemon needs the same --insecure-registry entry (and a restart). Add the hosts entry as well.
Then docker pull:
[root@linux-node2 ~]# docker images
REPOSITORY   TAG   IMAGE ID   CREATED   SIZE
[root@linux-node2 ~]# docker pull 192.168.56.10:5000/zhsir/mynginx:latest
Trying to pull repository 192.168.56.10:5000/zhsir/mynginx ...
sha256:71aaac410c29857d60357092b8f6604f3ebcd83b10fbd3e80e67fb2e3ee81f69: Pulling from 192.168.56.10:5000/zhsir/mynginx
e6e5bfbc38e5: Pull complete
dcab844a57ba: Pull complete
806e3a8ff223: Pull complete
24a6c8df8920: Pull complete
7798d4f8222c: Pull complete
Digest: sha256:71aaac410c29857d60357092b8f6604f3ebcd83b10fbd3e80e67fb2e3ee81f69
Status: Downloaded newer image for 192.168.56.10:5000/zhsir/mynginx:latest
List the images:
[root@linux-node2 ]# docker images
REPOSITORY                         TAG      IMAGE ID       CREATED                  SIZE
192.168.56.10:5000/zhsir/mynginx   latest   ff5ec8a1dd8e   Less than a second ago   401.2 MB
Create and start a container (ns.sh is a helper script, not shown here, that opens a shell inside the container):
[root@linux-node2 ]# docker run -d -it --name nginx1 -p 81:80 192.168.56.10:5000/zhsir/mynginx
67b5ef9fba585c5b0b3f1ee2481ecd48a9068d73a54c841ad713d338860fca54
[root@linux-node2 ~]# sh ns.sh nginx1
[root@67b5ef9fba58 ~]#
Exercise: using the method above, build an nginx image, push it to the registry, and run a container from it that serves nginx:
[root@linux-node2 ~]# docker run -d --name nginx -p 87:80 192.168.56.10:5000/zhsir/mynginx
2b540821056a442306c071107c3c1d04aea7cca45cf2ab4f333d47e18fef5a6d
[root@linux-node2 ~]# curl -I 192.168.56.11:87
HTTP/1.1 200 OK
Server: nginx/1.10.2
Date: Tue, 13 Jun 2017 11:20:04 GMT
Content-Type: text/html
Content-Length: 10
Last-Modified: Wed, 26 Jul 2017 14:17:39 GMT
Connection: keep-alive
ETag: "5978a483-a"
Accept-Ranges: bytes
Part 2. What the Docker registry is for
Once an image is built it lives only on the host that built it; other servers cannot use it. A registry solves this: other servers simply pull the image from it.
Docker provides a registry server for this, Docker Registry.
The Docker client requires HTTPS with a certificate it trusts when talking to a registry, unless that registry is explicitly listed as insecure.
Setting up a private registry (nginx in front, with authentication) takes a few steps:
1. Obtain a free SSL certificate (https://buy.wosiqn.com/free) or issue one from a private CA that the clients trust. Check that the issuer is in your clients' trust stores: WoSign certificates were distrusted by the major browser and OS vendors in 2016-2017.
2. Configure the certificate in nginx
3. Configure authentication (htpasswd)
4. proxy_pass to the registry on port 5000
5. docker run -d -p 5000:5000 --name registry registry:2 (use -p 127.0.0.1:5000:5000 if nginx is the only intended entry point)