利用docker官网提供的registry镜像创建私有仓库
一、首先从docker官网拉取registry镜像:
docker pull registry
二、然后运行该镜像:
docker run --name MyRegistry -d -v /data/DockerRegistry:/var/lib/registry -p 5000:5000 registry
其中,-v /data/DockerRegistry:/var/lib/registry表示将镜像库映射到宿主机的/data目录
验证仓库运行:
http://ip:5000/v2/
其中,v2表示registry的tag,该url会返回一个空'{}'。
三、推送本地镜像到仓库:
先说下docker仓库中镜像的命名格式:registry.mydaemon.com/redis/redis-master:latest,共由三部分组成。
registry.mydaemon.com:表示仓库服务器地址
redis:表示镜像仓库的分类
redis-master:表示镜像名称
:latest:表示版本
1、首先对本地镜像打tag,告知镜像仓库的地址:
docker tag redis-master 192.168.0.100:5000/redis/redis-master:1.0
2、推送镜像到仓库:
docker push 192.168.0.100:5000/redis/redis-master:1.0
注意,push的时候可能会遇到一下提示:
The push refers to a repository [192.168.0.100:5000/redis/redis-master]
Get https://192.168.0.100:5000/v1/_ping: http: server gave HTTP response to HTTPS client
这是因为客户端push的时候采用https协议,而registry未使用https导致的。
解决方法如下:
在/etc/docker/目录下创建daemon.json文件,并写入如下内容:
{ "insecure-registries":["192.168.0.110:5000"] }
然后重启docker:
service docker restart
接着再执行push就可以了:
[root@ahaii docker]# docker push 192.168.0.100:5000/redis/redis-master:1.0
The push refers to a repository [192.168.0.100:5000/redis/redis-master]
e5bc8ffdee47: Pushed
babc1e95c4f0: Pushed
ebc4b691c405: Pushed
6363afe92ed2: Pushed
78e49376f417: Pushed
b8aa150f5f16: Pushed
b51149973e6a: Pushed
1.0: digest: sha256:7c60ce71ba4026b2b35e78c86dfgddf7ae171bf1d2903a567b964ad9a07f26f9 size: 1786
通过页面可以看到镜像已经存在:
以上的搭建,是最简单模式,没有安全认证的设置。
下面用官方的registry v2搭建私有仓库,自生成签字证书(用于https),并设置登陆认证
1、获取registry:
docker pull registry:2
2、在registry仓库目录下创建cert目录,并利用openssl自生成签名:
#mkdir certs
#openssl req -newkey rsa:4096 -nodes -sha256 -keyout certs/domain.key -x509 -days 99999 -out certs/domain.crt
出现如下信息:
Generating a 4096 bit RSA private key
..........................++
............................................................................................++
writing new private key to 'certs/domain.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:
Organization Name (eg, company) [Default Company Ltd]:docker
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:docker.damoin.com
Email Address []:ahaii@ahaii.com
主要输入registry服务器的域名,其他的可以不用填写。
3、创建登陆帐号密码:
#mkdir auth
#docker run --entrypoint htpasswd registry:2 -Bbn ahaii ahaii123 > auth/htpasswd
这里创建的帐号/密码为:ahaii/ahaii123
4、运行带有TLS认证的registry容器:
[root@ahaii DockerRegistry]# docker run -d -p 5000:5000 --restart=always --name registry \
> -v `pwd`/auth:/auth \
> -v /data/local/DockerRegistry:/var/lib/registry \
> -e "REGISTRY_AUTH=htpasswd" \
> -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" \
> -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd \
> -v `pwd`/certs:/certs \
> -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt \
> -e REGISTRY_HTTP_TLS_KEY=/certs/domain.key \
> registry:2
5、运行成功后,可以通过页面登陆查看:
地址栏里输入:https://docker.damoin.com:5000/v2/后,会要求登陆。输入ahaii/ahaii123后登陆成功:
注意:是https。
6、将本地镜像推送到仓库:
registry客户端登陆:
docker login docker.damoin.com:5000
会要求输入帐号密码,输入之后提示:
Error response from daemon: Get https://docker.damoin.com:5000/v1/users/: x509: certificate signed by unknown authority
客户端不信任registry自生成的证书,解决->让registry客户端信任registry自生成的证书:
[root@ahaii DockerRegistry]# ls /etc/docker/certs.d/docker.damoin.com:5000/
ca.crt
然后继续登陆仓库,提示登陆成功:
[root@ahaii certs]# docker login docker.damoin.com:5000
Username: ahaii
Password:
Login Succeeded
好,现在继续push镜像到仓库:
[root@ahaii DockerRegistry]# docker push docker.damoin.com:5000/redis/redis-master:1.0
The push refers to a repository [docker.damoin.com:5000/redis/redis-master]
e5bc8ffdee47: Pushed
babc1e95c4f0: Pushed
ebc4b691c405: Pushed
6363afe92ed2: Pushed
78e49376f417: Pushed
b8aa150f5f16: Pushed
b51149973e6a: Pushed
1.0: digest: sha256:7c60ce71ba4026b2b35df7c86118ddf7ae171bf1d2903a567b964ad9a07f26f9 size: 1786
OK,push成功,通过浏览器查看如下: