If you run Docker microservices in your infrastructure, you may want to build an internal private Docker registry to host your Docker images. This article covers installing and setting up a Docker Private Registry on Ubuntu 18.04 and Ubuntu 16.04. It assumes you already have Docker running (see: a simple way to install a specific Docker version on Ubuntu 18.04), or a Kubernetes cluster or DC/OS cluster (see: setting up a 3-node Kubernetes cluster on Ubuntu 18.04 with Weave Net CNI).
Setting up a Docker Private Registry on Ubuntu 18.04 / Ubuntu 16.04

Let's start building a private registry for Docker images. First, install Docker Engine on the host that will act as the registry.

Update the apt package index:

```
sudo apt-get update
```

Install the packages that allow apt to use repositories over HTTPS:

```
sudo apt-get install \
    apt-transport-https \
    ca-certificates \
    curl \
    software-properties-common
```

Add Docker's official GPG key:

```
curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add -
```

Add the official Docker stable repository:

```
sudo add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/ubuntu \
    $(lsb_release -cs) stable"
```

Install the docker-ce package:

```
sudo apt-get update
sudo apt-get install docker-ce
```

If you want to use Docker as a non-root user, you should now consider adding your user to the "docker" group:

```
sudo usermod -aG docker your-user
```

Run the following command to see the installed Docker version:

```
$ docker --version
Docker version 18.06.0-ce, build 0ffa825
```

Check the service status with `systemctl status docker`; it should be in the running state.
1. Let's Encrypt SSL certificate

In this Docker registry setup we will use a Let's Encrypt SSL certificate.

Install certbot-auto:

```
wget https://dl.eff.org/certbot-auto
chmod +x certbot-auto
sudo mv certbot-auto /usr/local/bin/certbot-auto
```

Request the SSL certificate:

```
export DOMAIN="registry.domain.com"
export EMAIL="email@domain.com"
certbot-auto certonly --standalone -d $DOMAIN --preferred-challenges http --agree-tos -n -m $EMAIL --keep-until-expiring
```

Your certificate will be saved under /etc/letsencrypt/live/:

```
/etc/letsencrypt/live/registry.domain.com/fullchain.pem
/etc/letsencrypt/live/registry.domain.com/privkey.pem
```

- fullchain.pem: the combination of cert.pem and chain.pem
- chain.pem: the intermediate certificate(s)
- cert.pem: the SSL server certificate (includes the public key)
- privkey.pem: the private key file

2. Configure and start the Docker registry container

The Docker registry can be run with or without SSL. First, create a directory that will hold the registry's Docker images:

```
sudo mkdir /var/lib/docker/registry
```

Run the local Docker registry without SSL:

```
$ docker run -d -p 5000:5000 \
    --name docker-registry \
    --restart=always \
    -v /var/lib/docker/registry:/var/lib/registry \
    registry:2
```

To run the local Docker registry with SSL, create a directory on the host and place the certificates in it:

```
mkdir /certs
cat /etc/letsencrypt/live/registry.domain.com/fullchain.pem > /certs/fullchain.pem
cat /etc/letsencrypt/live/registry.domain.com/privkey.pem > /certs/privkey.pem
cat /etc/letsencrypt/live/registry.domain.com/cert.pem > /certs/cert.pem
```

Create the Docker registry container:

```
$ docker run -d --name docker-registry --restart=always \
    -p 5000:5000 \
    -e REGISTRY_HTTP_ADDR=0.0.0.0:5000 \
    -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/fullchain.pem \
    -e REGISTRY_HTTP_TLS_KEY=/certs/privkey.pem \
    -v /certs:/certs \
    -v /var/lib/docker/registry:/var/lib/registry \
    registry:2
```

Replace registry.domain.com with your registry subdomain.

This will download the registry:2 Docker image if it is not present locally and create a container:

```
....
Unable to find image 'registry:2' locally
2: Pulling from library/registry
4064ffdc82fe: Pull complete
c12c92d1c5a2: Pull complete
4fbc9b6835cc: Pull complete
765973b0f65f: Pull complete
3968771a7c3a: Pull complete
Digest: sha256:51bb55f23ef7e25ac9b8313b139a8dd45baa83
Status: Downloaded newer image for registry:2
211c906fdbc3f0ccc2ce5cf7f6af5f7b7448eb
```

Check the container status:

```
# docker ps
```
To push images to the registry container, proceed as follows. First confirm the registry answers on the v2 API (the catalog is still empty):

```
$ curl https://registry.computingforgeeks.com:5000/v2/_catalog
{"repositories":[]}
```

Let's pull two Docker images and push them to this local repository:

```
# docker pull alpine
# docker pull ubuntu
```

Then tag the images and push them to our registry:

```
# docker tag ubuntu registry.computingforgeeks.com:5000/ubuntu:v1
# docker push registry.computingforgeeks.com:5000/ubuntu:v1
The push refers to repository [registry.computingforgeeks.com:5000/ubuntu]
268a067217b5: Pushed
c01d74f99de4: Pushed
ccd4d61916aa: Pushed
8f2b771487e9: Pushed
f49017d4d5ce: Pushed
v1: digest: sha256:958eaeb7e33e6c4f68f7fef69b35ca178c size: 1357
```

Verify with the docker images command:

```
# docker images
```
The catalog and the registry's storage directory now list the pushed repository:

```
# curl https://registry.computingforgeeks.com:5000/v2/_catalog
{"repositories":["ubuntu"]}
#
# ls /var/lib/docker/registry/docker/registry/v2/repositories/
ubuntu
```

On a Docker host you can pull the image with:

```
# docker pull registry.computingforgeeks.com:5000/ubuntu:v1
v1: Pulling from ubuntu
c64513b74145: Pull complete
01b8b12bad90: Pull complete
c5d85cf7a05f: Pull complete
b6b268720157: Pull complete
e12192999ff1: Pull complete
Digest: sha256:958eaeb7e33e6c4f68f7fef69b35ca178c
Status: Downloaded newer image for registry.computingforgeeks.com:5000/ubuntu:v1
```

You should now see the image:

```
# docker images
```
3. Start the registry with authentication support

Except for a registry running on a secured local network, a registry should always enforce access restrictions. The simplest way to do that is basic authentication.

Create a password file containing one user entry, user dockadmin with password registrypassword:

```
$ docker run \
    --entrypoint htpasswd \
    registry:2 -Bbn dockadmin registrypassword > ~/.htpasswd
$ cat ~/.htpasswd
dockadmin:$2y$05$WN6moKCdU/Oaw5b4aVcphXSUlEHuRM
```

Remove the current Docker registry container:

```
$ docker rm -f docker-registry
```

Start the registry with basic authentication:

```
$ docker run -d --name docker-registry --restart=always \
    -p 5000:5000 \
    -v ~/.htpasswd:/auth_htpasswd \
    -e "REGISTRY_AUTH=htpasswd" \
    -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" \
    -e REGISTRY_AUTH_HTPASSWD_PATH=/auth_htpasswd \
    -e REGISTRY_HTTP_ADDR=0.0.0.0:5000 \
    -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/fullchain.pem \
    -e REGISTRY_HTTP_TLS_KEY=/certs/privkey.pem \
    -v /certs:/certs \
    -v /var/lib/docker/registry:/var/lib/registry \
    registry:2
```

Trying to pull an image from the registry or push an image to it now fails:

```
$ docker pull registry.computingforgeeks.com:5000/ubuntu:v1
Error response from daemon: Get https://registry.computingforgeeks.com:5000/v2/ubuntu/manifests/v1: no basic auth credentials
```

You need to log in to the registry:

```
# docker login registry.computingforgeeks.com:5000
Username: dockadmin
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning.
See https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded
# cat /root/.docker/config.json
{
    "auths": {
        "registry.computingforgeeks.com:5000": {
            "auth": "ZG9ja2FkbWluOnJlZ2lzdHJ5cGFzc3dvcmQ="
        }
    },
    "HttpHeaders": {
        "User-Agent": "Docker-Client/18.06.0-ce (linux)"
    }
}
```

You should now be able to pull images from and push images to the repository:

```
$ docker tag alpine registry.computingforgeeks.com:5000/alpine_local
$ docker push registry.computingforgeeks.com:5000/alpine_local
The push refers to repository [registry.computingforgeeks.com:5000/alpine_local]
73046094a9b8: Pushed
latest: digest: sha256:0873c923e00e0fd2ba78041bfb64 size: 528
```

4. Stop the local Docker registry

To stop the registry, use the same docker container stop command as for any other container:

```
$ docker container stop docker-registry
```

To remove the container, use docker container rm:

```
$ docker container stop registry
$ docker container rm -v registry
$ docker container rm -f -v registry    # Force remove running
```
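The following script is an added example (not part of the original article or of the registry project) for checking the two security-relevant artifacts produced in section 3: the htpasswd entry, which registry:2 only accepts as a bcrypt hash, and the `auths` block in config.json, whose `auth` value is just base64 of `user:password`, which is what the `docker login` warning refers to. The `probe_registry` helper makes a real request to a registry URL you supply; the function names and the sample inputs are this example's own.

```python
import base64
import json
import re
from urllib.error import HTTPError
from urllib.request import Request, urlopen

# registry:2's htpasswd backend only verifies bcrypt entries ($2a$/$2b$/$2y$).
# An MD5 or SHA entry produced by a plain `htpasswd` run is rejected at login.
BCRYPT_RE = re.compile(r"^\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}$")


def check_htpasswd_line(line):
    """Return (user, is_bcrypt) for one 'user:hash' line of the password file."""
    user, _, hashed = line.strip().partition(":")
    return user, bool(BCRYPT_RE.match(hashed))


def decode_docker_auths(config_text):
    """Map each registry in ~/.docker/config.json to (username, password length).

    The 'auth' field is base64('user:password'), not encrypted, so anyone who
    can read the file recovers the credential; a credential helper avoids that.
    """
    auths = json.loads(config_text).get("auths", {})
    result = {}
    for registry, entry in auths.items():
        decoded = base64.b64decode(entry["auth"]).decode()
        user, _, password = decoded.partition(":")
        result[registry] = (user, len(password))
    return result


def probe_registry(base_url, user=None, password=None):
    """GET <base_url>/v2/ and return the HTTP status code.

    With basic auth enforced as in section 3, an unauthenticated call returns
    401 and a call with valid credentials returns 200 (live network call).
    """
    req = Request(base_url.rstrip("/") + "/v2/")
    if user is not None:
        token = base64.b64encode(f"{user}:{password}".encode()).decode()
        req.add_header("Authorization", "Basic " + token)
    try:
        with urlopen(req, timeout=10) as resp:
            return resp.status
    except HTTPError as err:
        return err.code
```

Run `probe_registry("https://registry.domain.com:5000")` followed by the same call with the dockadmin credentials to confirm that the registry rejects anonymous access but accepts the htpasswd user.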