Setting up a private registry with Docker

Published: 2022-11-02 ⋅ Views: 267 ⋅ Likes: 0

Using Docker Hub requires creating your own account and having Internet access.

If you want to save bandwidth and keep images from being accessed by people outside the company, you can set up a company-internal private registry, similar to a Nexus repository for Maven.

Docker provides an official image, registry; below we build a private registry on top of it.

Pull the image: docker pull registry

[root@node01 ~]# docker pull registry
Using default tag: latest
latest: Pulling from library/registry
79e9f2f55bf5: Pull complete 
0d96da54f60b: Pull complete 
5b27040df4a2: Pull complete 
e2ead8259a04: Pull complete 
3790aef225b9: Pull complete 
Digest: sha256:169211e20e2f2d5d115674681eb79d21a217b296b43374b8e39f97fcf866b375
Status: Downloaded newer image for registry:latest
docker.io/library/registry:latest
registry     latest    b8604a3fe854   11 months ago    26.2MB

Edit daemon.json. The Aliyun registry mirror was added earlier; now add our own registry on port 5000, reload the configuration, and restart Docker.

Only after this entry is added can the private registry be used. The IP is that of the machine the registry is set up on; with a default setup the port is 5000.

vim /etc/docker/daemon.json
Add a line
"insecure-registries": ["10.0.4.11:5000"],
systemctl daemon-reload
systemctl restart docker
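Adding the line by hand is easy to get wrong (a stray comma makes dockerd refuse to start), and insecure-registries makes the daemon speak plain HTTP to that address without certificate checks, so keep the list short. As an added example that is not part of the original post, this Python function merges the entry into an existing daemon.json idempotently; the sample file content is constructed from the mirror shown in the docker info output below.

```python
import json

def add_insecure_registry(daemon_json: str, registry: str) -> str:
    """Return daemon.json text with `registry` added to "insecure-registries".

    The file is parsed and re-serialised rather than edited line by line, so
    existing keys such as "registry-mirrors" survive and the output is always
    valid JSON (a malformed daemon.json stops dockerd from starting after
    `systemctl restart docker`). Re-running with the same address is a no-op.
    """
    config = json.loads(daemon_json) if daemon_json.strip() else {}
    if not isinstance(config, dict):
        raise ValueError("daemon.json must contain a single JSON object")
    host, sep, port = registry.rpartition(":")
    if not sep or not host or not port.isdigit():
        raise ValueError(f"registry must be host:port, got {registry!r}")
    entries = config.setdefault("insecure-registries", [])
    if registry not in entries:
        entries.append(registry)
    return json.dumps(config, indent=2) + "\n"

# Constructed sample: the daemon.json from the page before the edit, holding
# only the Aliyun mirror that appears in the `docker info` output.
SAMPLE_DAEMON_JSON = '{\n  "registry-mirrors": ["https://49w1xpkl.mirror.aliyuncs.com/"]\n}\n'

if __name__ == "__main__":
    print(add_insecure_registry(SAMPLE_DAEMON_JSON, "10.0.4.11:5000"))
```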

Check

[root@node01 ~]# docker info | tail -n 10
 Registry: https://index.docker.io/v1/
 Labels:
 Experimental: false
 Insecure Registries:
  10.0.4.11:5000
  127.0.0.0/8
 Registry Mirrors:
  https://49w1xpkl.mirror.aliyuncs.com/
 Live Restore Enabled: false

Start the registry

docker run -id --name registry -p 5000:5000 -v /mnt/docker/registry:/var/lib/registry registry:latest

[root@node01 ~]# docker run -id --name registry -p 5000:5000 -v /mnt/docker/registry:/var/lib/registry registry:latest
01a54b062d113941d1ee0b99638f66aee7f04ad3b75aa8d58e485057f09f2932

Tag the image. For a private registry the tag must be prefixed with the registry's address.

Anything to be pushed to a registry needs a tag that registry recognises; the same applies to Docker Hub.

docker tag tomcat:8 10.0.4.11:5000/tomcat:8

Push: upload to the private registry

[root@node01 ~]# docker push 10.0.4.11:5000/tomcat:8
The push refers to repository [10.0.4.11:5000/tomcat]
6cbc90f48487: Pushed 
b982307b2f1c: Pushed 
77a612e4c112: Pushed 
ae8a570fe211: Pushed 
174f56854903: Pushed 
8: digest: sha256:0df6679ce4529f3e4c6bee08a013dcfb35ad01e5c931362be19918681d7cc06e size: 1368

Check whether the push succeeded

[root@node01 ~]# curl http://10.0.4.11:5000/v2/_catalog
{"repositories":["tomcat"]}

Pull: download the image from the private registry

# remove the local copy first
docker rmi 10.0.4.11:5000/tomcat:8
# pull
[root@node01 ~]# docker pull 10.0.4.11:5000/tomcat:8
8: Pulling from tomcat
2d473b07cdd5: Already exists 
e64bce8da66f: Pull complete 
f9c9fca353dd: Pull complete 
9a85a3a98774: Pull complete 
fccf8488145f: Pull complete 
Digest: sha256:0df6679ce4529f3e4c6bee08a013dcfb35ad01e5c931362be19918681d7cc06e
Status: Downloaded newer image for 10.0.4.11:5000/tomcat:8
10.0.4.11:5000/tomcat:8
[root@node01 ~]# docker images|grep tomcat
10.0.4.11:5000/tomcat   8         17ee865d958f   36 minutes ago      574MB

Accessing the private registry from other machines

Other machines on the internal network can access the private registry to pull images and so on.

I have prepared a second machine, node02; the registry host needs port 5000 opened.

[root@node02 ~]# curl 10.0.4.11:5000/v2/_catalog
{"repositories":["tomcat"]}

[root@node02 ~]# docker pull 10.0.4.11:5000/tomcat:8
8: Pulling from tomcat
2d473b07cdd5: Pull complete 
e64bce8da66f: Pull complete 
f9c9fca353dd: Pull complete 
9a85a3a98774: Pull complete 
fccf8488145f: Pull complete 
Digest: sha256:0df6679ce4529f3e4c6bee08a013dcfb35ad01e5c931362be19918681d7cc06e
Status: Downloaded newer image for 10.0.4.11:5000/tomcat:8
10.0.4.11:5000/tomcat:8

Authentication

None of the operations above required user authentication. Docker Hub, by contrast, requires an account, and you must log in before operating on the repository.

A private registry can also be set up to require an authenticated login.

Create a certificate

Create a directory to store the certificate

mkdir -p /usr/local/registry/certs

Generate the certificate

openssl req -x509 -days 365 -nodes -newkey rsa:2048 -sha256 -keyout /usr/local/registry/certs/register.key   -out /usr/local/registry/certs/register.crt
-x509     self-signed certificate format
-days     validity period, here one year
-nodes    do not encrypt the private key
-newkey   generate a new key (RSA)
rsa:2048  key length
-sha256   digest algorithm
-keyout   path for the private key
-out      path for the certificate (crt)
Run the command
# the crucial prompt: enter the server address here
Common Name (eg, your name or your server's hostname) []:10.0.4.11

[root@node01 certs]# ls
register.crt  register.key

Generate the authentication file

Check whether htpasswd is installed

which htpasswd
# install it if it is missing
yum install -y httpd

# if the following error appears, rerun with --disableexcludes=all
No package httpd available.
Error: Nothing to do
# run
yum --disableexcludes=all install httpd
# directory for the password file
mkdir -p /usr/local/registry/auth
-b  take the password (register) from the command line
-c  create the file
-B  hash the password with bcrypt
htpasswd -cbB /usr/local/registry/auth/htpasswd register register
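The registry's htpasswd backend only verifies bcrypt entries, so a file created without -B (htpasswd defaults to MD5) accepts no login even though it looks fine. This added Python check, not from the original post, flags such entries; the sample file content is constructed, and the hash bodies are placeholders rather than real digests.

```python
import re
from typing import List, Tuple

# Bcrypt hash as written by `htpasswd -B`: $2y$<cost>$ + 22-char salt + 31-char hash
BCRYPT_RE = re.compile(r"^\$2[aby]\$(\d\d)\$[./A-Za-z0-9]{53}$")

def check_htpasswd(text: str) -> List[Tuple[str, str]]:
    """Return (user, problem) pairs for entries the registry cannot use.

    The registry's htpasswd backend verifies bcrypt only, so an entry
    written without -B (MD5 "$apr1$", "{SHA}", crypt) parses but can never
    log in. An empty result means every entry is usable.
    """
    problems = []
    seen = set()
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        user, sep, pw_hash = line.partition(":")
        if not sep or not user:
            problems.append((f"line {lineno}", "malformed entry, expected user:hash"))
            continue
        if user in seen:
            problems.append((user, "duplicate user; ambiguous which password applies"))
        seen.add(user)
        match = BCRYPT_RE.match(pw_hash)
        if not match:
            problems.append((user, "not a bcrypt hash; recreate it with htpasswd -B"))
        elif int(match.group(1)) < 10:
            problems.append((user, f"bcrypt cost {match.group(1)} is low; pass -C 12 to htpasswd"))
    return problems

# Constructed sample file: one entry as `htpasswd -cbB` writes it (default cost 05)
# and one legacy MD5 entry. The hash bodies are placeholders, not real digests.
SAMPLE_HTPASSWD = (
    "register:$2y$05$" + "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0" + "\n"
    "legacy:$apr1$saltsalt$" + "0123456789abcdefghijkl" + "\n"
)

if __name__ == "__main__":
    for user, problem in check_htpasswd(SAMPLE_HTPASSWD):
        print(f"{user}: {problem}")
```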

Restart the container with the following command

docker run -id --name registry -p 5000:5000 \
   -v /usr/local/registry/auth:/auth \
   -v /data/registry:/var/lib/registry \
   -v /usr/local/registry/certs:/certs \
   -e "REGISTRY_AUTH=htpasswd" \
   -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry on juan.io" \
   -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd \
   -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/register.crt \
   -e REGISTRY_HTTP_TLS_KEY=/certs/register.key \
   registry
[root@node01 data]# docker run -id --name registry -p 5000:5000 \
>    -v /usr/local/registry/auth:/auth \
>    -v /data/registry:/var/lib/registry \
>    -v /usr/local/registry/certs:/certs \
>    -e "REGISTRY_AUTH=htpasswd" \
>    -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry on juan.io" \
>    -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd \
>    -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/register.crt \
>    -e REGISTRY_HTTP_TLS_KEY=/certs/register.key \
>    registry
WARNING: IPv4 forwarding is disabled. Networking will not work.
94034b6b8ee133c6cf6f244709e39d4bc8194c8f36887a6082384448e2d59394


# this warning appeared
WARNING: IPv4 forwarding is disabled. Networking will not work.

# fix
vim /etc/sysctl.conf
net.ipv4.ip_forward = 1

[root@node01 ~]# systemctl restart network
[root@node01 ~]# sysctl net.ipv4.ip_forward
net.ipv4.ip_forward = 1
indicates success

Run it again
[root@node01 ~]# docker run -id --name registry -p 5000:5000 \
>    -v /usr/local/registry/auth:/auth \
>    -v /data/registry:/var/lib/registry \
>    -v /usr/local/registry/certs:/certs \
>    -e "REGISTRY_AUTH=htpasswd" \
>    -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry on juan.io" \
>    -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd \
>    -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/register.crt \
>    -e REGISTRY_HTTP_TLS_KEY=/certs/register.key \
>    registry
d3bfa63f0a37c5b8ebc1fa5d175bb314d5f93a4911cd3c21536d9ca18da3a27c

[root@node01 ~]# docker ps
CONTAINER ID   IMAGE      COMMAND                  CREATED          STATUS          PORTS                                       NAMES
d3bfa63f0a37   registry   "/entrypoint.sh /etc…"   19 seconds ago   Up 18 seconds   0.0.0.0:5000->5000/tcp, :::5000->5000/tcp   registry

Publishing images to the private registry

Before logging in, the push fails with no basic auth credentials

Log in with docker login

The message Login Succeeded indicates the login worked

[root@node01 ~]# docker push 10.0.4.11:5000/tomcat:8
The push refers to repository [10.0.4.11:5000/tomcat]
6cbc90f48487: Preparing 
b982307b2f1c: Preparing 
77a612e4c112: Preparing 
ae8a570fe211: Preparing 
174f56854903: Preparing 
no basic auth credentials

no basic auth credentials means you are not logged in; run docker login

[root@node01 ~]# docker login 10.0.4.11:5000
Username: register
Password: 
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded


Push again
[root@node01 ~]# docker push 10.0.4.11:5000/tomcat:8
The push refers to repository [10.0.4.11:5000/tomcat]
6cbc90f48487: Pushed 
b982307b2f1c: Pushed 
77a612e4c112: Pushed 
ae8a570fe211: Pushed 
174f56854903: Pushed 
8: digest: sha256:0df6679ce4529f3e4c6bee08a013dcfb35ad01e5c931362be19918681d7cc06e size: 1368

Log out: docker logout
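The WARNING printed by docker login means the credentials are stored as reversible base64 in /root/.docker/config.json until docker logout removes them. As an added example, not part of the original post, this Python function lists which registries have such entries (usernames only, never passwords) so a host can be audited after the steps above; the sample config.json contents are constructed from the login shown.

```python
import base64
import json
from typing import List, Tuple

def stored_registry_logins(config_json: str) -> List[Tuple[str, str]]:
    """Return (registry, username) for every login kept as base64 in config.json.

    Without a credential helper, `docker login` stores "user:password" as plain
    base64 under auths.<registry>.auth, so anyone who can read the file can
    recover the registry password. Entries routed through a helper
    (credsStore / credHelpers) carry no auth field and are not listed.
    Only the username is returned; the password is dropped after splitting.
    """
    config = json.loads(config_json)
    found = []
    for registry, entry in config.get("auths", {}).items():
        auth = entry.get("auth")
        if not auth:
            continue  # helper-managed or already logged out
        user, _, _password = base64.b64decode(auth).decode().partition(":")
        found.append((registry, user))
    return found

# Constructed sample: what config.json looks like after the login shown above
# (username and password "register" from the htpasswd step) with no credsStore.
SAMPLE_CONFIG = json.dumps({
    "auths": {
        "10.0.4.11:5000": {"auth": base64.b64encode(b"register:register").decode()}
    }
})

# Constructed sample after configuring a credential helper: no secret in the file.
SAMPLE_CONFIG_WITH_HELPER = json.dumps({
    "credsStore": "pass",
    "auths": {"10.0.4.11:5000": {}}
})

if __name__ == "__main__":
    for registry, user in stored_registry_logins(SAMPLE_CONFIG):
        print(f"{registry}: credentials for {user!r} stored in clear in config.json")
```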
