Docker study notes (3)
Setting up a private registry with Docker
docker-registry is the official tool for building a private image registry. This article is based on docker-registry v2.x.
Installing and running docker-registry
$ docker run -d -p 5000:5000 --restart=always --name registry registry
# docker run -d -p 5000:5000 --restart=always --name registry registry
Unable to find image 'registry:latest' locally
latest: Pulling from library/registry
81033e7c1d6a: Pull complete
b235084c2315: Pull complete
c692f3a6894b: Pull complete
ba2177f3a70e: Pull complete
a8d793620947: Pull complete
Digest: sha256:672d519d7fd7bbc7a448d17956ebeefe225d5eb27509d8dc5ce67ecb4a0bce54
Status: Downloaded newer image for registry:latest
f7f231cb61d1ab0716e60a85e69b64d19bfe099636dcc7d668f3c83f47244bf3
This starts the private registry from the official registry image. By default the registry stores its data under /var/lib/registry inside the container. With the -v parameter you can keep the image files at a path of your choice on the host. For example, the following command stores uploaded images in the local directory /opt/data/registry.
# docker run -d \
> -p 5000:5000 \
> -v /opt/data/registry:/var/lib/registry \
> registry
Uploading, searching and downloading images on the private registry
Use docker image ls to list the images already present
# docker image ls
REPOSITORY          TAG        IMAGE ID       CREATED         SIZE
fandf-image-base    1.0        33761c640b6f   2 days ago      762MB
centos              latest     2d194b392dd1   11 days ago     195MB
nginx               latest     e548f1a579cf   3 weeks ago     109MB
registry            latest     d1fd7d86a825   2 months ago    33.3MB
mysql               5.6.38     15a5ee56ec55   2 months ago    299MB
hello-world         latest     f2a91732366c   3 months ago    1.85kB
centos              7.4.1708   3afd47092a0e   4 months ago    197MB
java                latest     d23bdf5b1b1b   14 months ago   643MB
Use docker tag to tag the centos:7.4.1708 image as 127.0.0.1:5000/centos:7.4.1708
The format is docker tag IMAGE[:TAG] [REGISTRY_HOST[:REGISTRY_PORT]/]REPOSITORY[:TAG]
# docker tag centos:7.4.1708 127.0.0.1:5000/centos:7.4.1708
# docker images
REPOSITORY              TAG        IMAGE ID       CREATED         SIZE
fandf-image-base        1.0        33761c640b6f   2 days ago      762MB
centos                  latest     2d194b392dd1   11 days ago     195MB
nginx                   latest     e548f1a579cf   3 weeks ago     109MB
registry                latest     d1fd7d86a825   2 months ago    33.3MB
mysql                   5.6.38     15a5ee56ec55   2 months ago    299MB
hello-world             latest     f2a91732366c   3 months ago    1.85kB
127.0.0.1:5000/centos   7.4.1708   3afd47092a0e   4 months ago    197MB
centos                  7.4.1708   3afd47092a0e   4 months ago    197MB
java                    latest     d23bdf5b1b1b   14 months ago   643MB
Pushing the image
# docker push 127.0.0.1:5000/centos:7.4.1708
The push refers to repository [127.0.0.1:5000/centos]
129b697f70e9: Pushed
7.4.1708: digest: sha256:834aba7fdd53f4e622a8d636dcd549a83e86a22efad0246bf9438e4655b888ef size: 529
Use curl to list the images held by the registry
# curl 127.0.0.1:5000/v2/_catalog
{"repositories":["centos"]}
First remove the local copy of the image, then try to pull it back from the private registry
# docker image rm 127.0.0.1:5000/centos:7.4.1708
Untagged: 127.0.0.1:5000/centos:7.4.1708
Untagged: 127.0.0.1:5000/centos@sha256:834aba7fdd53f4e622a8d636dcd549a83e86a22efad0246bf9438e4655b888ef
[root@localhost ~]# docker pull 127.0.0.1:5000/centos:7.4.1708
7.4.1708: Pulling from centos
Digest: sha256:834aba7fdd53f4e622a8d636dcd549a83e86a22efad0246bf9438e4655b888ef
Status: Downloaded newer image for 127.0.0.1:5000/centos:7.4.1708
[root@localhost ~]# docker image ls
REPOSITORY              TAG        IMAGE ID       CREATED         SIZE
fandf-image-base        1.0        33761c640b6f   2 days ago      762MB
centos                  latest     2d194b392dd1   11 days ago     195MB
nginx                   latest     e548f1a579cf   3 weeks ago     109MB
registry                latest     d1fd7d86a825   2 months ago    33.3MB
mysql                   5.6.38     15a5ee56ec55   2 months ago    299MB
hello-world             latest     f2a91732366c   3 months ago    1.85kB
127.0.0.1:5000/centos   7.4.1708   3afd47092a0e   4 months ago    197MB
centos                  7.4.1708   3afd47092a0e   4 months ago    197MB
java                    latest     d23bdf5b1b1b   14 months ago   643MB
Advanced private registry configuration
Create a new directory; all of the following steps are carried out inside it.
Step 1: create the CA private key
# openssl genrsa -out "root-ca.key" 4096
Generating RSA private key, 4096 bit long modulus
.................................++
...............................................................................++
e is 65537 (0x10001)
Step 2: use the private key to create the CA root certificate signing request
# openssl req \
> -new -key "root-ca.key" \
> -out "root-ca.csr" -sha256 \
> -subj '/C=CN/ST=Shanxi/L=xianyang/O=dongfeng/CN=dongfeng Docker Registry CA'
In the -subj parameter of the command above, /C is the country (e.g. CN), /ST the province, /L the city or region, /O the organization name and /CN the common name.
Step 3: configure the CA root certificate by creating root-ca.cnf
[root_ca]
basicConstraints = critical,CA:TRUE,pathlen:1
keyUsage = critical, nonRepudiation, cRLSign, keyCertSign
subjectKeyIdentifier=hash
Step 4: issue the root certificate
# openssl x509 -req -days 3650 -in "root-ca.csr" \
> -signkey "root-ca.key" -sha256 -out "root-ca.crt" \
> -extfile "root-ca.cnf" -extensions \
> root_ca
Signature ok
subject=/C=CN/ST=Shanxi/L=xianyang/O=dongfeng/CN=dongfeng Docker Registry CA
Getting Private key
Step 5: generate the site SSL private key
# openssl genrsa -out "docker.domain.com.key" 4096
Generating RSA private key, 4096 bit long modulus
...........................................................................................++
........................................++
e is 65537 (0x10001)
Step 6: use the private key to generate the certificate signing request
# openssl req -new -key "docker.domain.com.key" -out "site.csr" -sha256 \
> -subj '/C=CN/ST=Shanxi/L=Datong/O=Your Company Name/CN=docker.domain.com'
Step 7: configure the certificate by creating site.cnf
[server]
authorityKeyIdentifier=keyid,issuer
basicConstraints = critical,CA:FALSE
extendedKeyUsage=serverAuth
keyUsage = critical, digitalSignature, keyEncipherment
subjectAltName = DNS:docker.domain.com, IP:127.0.0.1
subjectKeyIdentifier=hash
Step 8: sign the site SSL certificate with the CA
# openssl x509 -req -days 750 -in "site.csr" -sha256 \
> -CA "root-ca.crt" -CAkey "root-ca.key" -CAcreateserial \
> -out "docker.domain.com.crt" -extfile "site.cnf" -extensions server
Signature ok
subject=/C=CN/ST=Shanxi/L=Datong/O=Your Company Name/CN=docker.domain.com
Getting CA Private Key
You now have the SSL private key docker.domain.com.key and the SSL certificate docker.domain.com.crt for the site docker.domain.com.
Create an ssl directory, move docker.domain.com.key and docker.domain.com.crt into it, and delete the other files.
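The eight steps above collected into one script, as an added example that is not part of the original post, followed by the check worth running before the files are mounted into the registry: the site certificate must chain to root-ca.crt, must not itself be a CA, and must name docker.domain.com in its subjectAltName. It assumes the openssl command-line tool is installed; the function names are mine.

```shell
#!/bin/sh
# Added example, not part of the original post: runs steps 1-8 above inside
# the directory given as $1, then checks the result the way a TLS client will.
set -eu

build_registry_certs() {
    mkdir -p "$1" && cd "$1"
    # Steps 1-4: CA key, CSR, extension file, self-signed root certificate
    openssl genrsa -out root-ca.key 4096 2>/dev/null
    openssl req -new -key root-ca.key -out root-ca.csr -sha256 \
        -subj '/C=CN/ST=Shanxi/L=xianyang/O=dongfeng/CN=dongfeng Docker Registry CA'
    printf '%s\n' '[root_ca]' 'basicConstraints = critical,CA:TRUE,pathlen:1' \
        'keyUsage = critical, nonRepudiation, cRLSign, keyCertSign' \
        'subjectKeyIdentifier=hash' > root-ca.cnf
    openssl x509 -req -days 3650 -in root-ca.csr -signkey root-ca.key -sha256 \
        -out root-ca.crt -extfile root-ca.cnf -extensions root_ca 2>/dev/null
    # Steps 5-8: site key, CSR, extension file (the SAN is what clients match
    # against the hostname), certificate signed by the root CA
    openssl genrsa -out docker.domain.com.key 4096 2>/dev/null
    openssl req -new -key docker.domain.com.key -out site.csr -sha256 \
        -subj '/C=CN/ST=Shanxi/L=Datong/O=Your Company Name/CN=docker.domain.com'
    printf '%s\n' '[server]' 'authorityKeyIdentifier=keyid,issuer' \
        'basicConstraints = critical,CA:FALSE' 'extendedKeyUsage=serverAuth' \
        'keyUsage = critical, digitalSignature, keyEncipherment' \
        'subjectAltName = DNS:docker.domain.com, IP:127.0.0.1' \
        'subjectKeyIdentifier=hash' > site.cnf
    openssl x509 -req -days 750 -in site.csr -sha256 -CA root-ca.crt \
        -CAkey root-ca.key -CAcreateserial -out docker.domain.com.crt \
        -extfile site.cnf -extensions server 2>/dev/null
    # Both keys get mounted into the registry container: keep them owner-only.
    chmod 600 root-ca.key docker.domain.com.key
    cd - >/dev/null
}

# Prints OK when the site certificate in directory $1 (1) chains to root-ca.crt,
# (2) is not itself a CA, and (3) carries docker.domain.com in its SAN;
# prints FAIL otherwise. All three must hold before https://docker.domain.com
# will be accepted by a client that trusts root-ca.crt.
check_registry_certs() {
    openssl verify -CAfile "$1/root-ca.crt" "$1/docker.domain.com.crt" >/dev/null 2>&1 \
        || { echo FAIL; return 0; }
    text=$(openssl x509 -in "$1/docker.domain.com.crt" -noout -text)
    case "$text" in
        *CA:FALSE*DNS:docker.domain.com*) echo OK ;;
        *) echo FAIL ;;
    esac
}
```

Clients that pull from the registry must trust root-ca.crt as well (for Docker, by placing it at /etc/docker/certs.d/docker.domain.com/ca.crt), so keep a copy of that file even when the rest of the working directory is deleted.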
The private registry's default configuration file lives at /etc/docker/registry/config.yml. We first edit config.yml locally and then mount it into the container.
version: 0.1
log:
  accesslog:
    disabled: true
  level: debug
  formatter: text
  fields:
    service: registry
    environment: staging
storage:
  delete:
    enabled: true
  cache:
    blobdescriptor: inmemory
  filesystem:
    rootdirectory: /var/lib/registry
auth:
  htpasswd:
    realm: basic-realm
    path: /etc/docker/registry/auth/nginx.htpasswd
http:
  addr: :443
  host: https://docker.domain.com
  headers:
    X-Content-Type-Options: [nosniff]
  http2:
    disabled: false
  tls:
    certificate: /etc/docker/registry/ssl/docker.domain.com.crt
    key: /etc/docker/registry/ssl/docker.domain.com.key
health:
  storagedriver:
    enabled: true
    interval: 10s
    threshold: 3
Generate the HTTP authentication file
$ mkdir auth
$ docker run --rm \
    --entrypoint htpasswd \
    registry \
    -Bbn username password > auth/nginx.htpasswd
Replace username and password above with your own user name and password.
Edit docker-compose.yml
version: '3'
services:
  registry:
    image: registry
    ports:
      - "443:443"
    volumes:
      - ./:/etc/docker/registry
      - registry-data:/var/lib/registry
volumes:
  registry-data:
Edit the hosts file and add the following entry (the address comes first, then the host name)
127.0.0.1 docker.domain.com
Start the registry
docker-compose up -d