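Docker Image Registries: A Private Single-Host Registry with Docker Registry
Docker registries are divided into public cloud registries and private cloud registries.
Public cloud registries: registries that internet companies make publicly available
  Official
  Third-party registries such as Alibaba Cloud
Private cloud registries: registries set up inside an organization, generally for internal use only, usually built with one of the following:
  docker registry
  docker harbor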
I. Configuring a private single-host Docker Registry

1. # Install the httpd tools package
[root@localhost7C registry]# yum -y install httpd-tools

2. # Create directories to hold the user information, the data and the certificates
[root@localhost7C registry]# mkdir /docker/registry/ /docker/registry/auth /docker/registry/data /docker/registry/certs -pv
# The auth directory under registry holds the file with the usernames and passwords for the registry container. A username and password are not required; if none is set, the deployed registry is a public registry by default.
# Generate the hashed password entries
[root@localhost7C registry]# htpasswd -Bbn root 123456 > /docker/registry/auth/htpasswd
[root@localhost7C registry]# htpasswd -Bbn zzhz 123456 >> /docker/registry/auth/htpasswd

3. # Start with authorization, enabling HTTP BASIC authentication
[root@localhost7C registry]# docker run -d -p 5000:5000 --name registryA --restart=always --privileged=true \
    -v /docker/registry/data:/var/lib/registry \
    -v /docker/registry/auth:/auth \
    -e "REGISTRY_AUTH=htpasswd" \
    -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" \
    -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd docker.io/registry:latest

4. Configure the client to log in over HTTP in insecure mode
Method 1: in /etc/docker/daemon.json, add "insecure-registries":["192.168.80.120:5000"]
Method 2: set it in the service unit file
[root@localhost7B ]# vim /lib/systemd/system/docker.service
[Service]
Type=notify
ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock --insecure-registry 192.168.80.120:5000
ExecReload=/bin/kill -s HUP $MAINPID
TimeoutSec=0
RestartSec=2
Restart=always

5. Test: log in from the client
[root@localhost7B ]# docker login 192.168.80.120:5000
Username: root
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
Login Succeeded

# Tag the images
[root@localhost7B ]# docker tag nginx:v1 192.168.80.120:5000/centos-base:v1
[root@localhost7B ]# docker tag nginx:v1 192.168.80.120:5000/nginx:v1
[root@localhost7B ]# docker images
REPOSITORY                        TAG   IMAGE ID       CREATED       SIZE
192.168.80.120:5000/nginx         v1    e6b2d5a5a6b4   2 weeks ago   1.16GB
nginx                             v1    e6b2d5a5a6b4   2 weeks ago   1.16GB
192.168.80.120:5000/centos-base   v1    568629c634fc   2 weeks ago   782MB

# Push
[root@localhost7B haproxy]# docker push 192.168.80.120:5000/centos-base:v1
[root@localhost7B haproxy]# docker push 192.168.80.120:5000/nginx:v1
The push refers to repository [192.168.80.120:5000/nginx]
ee3adf110ce8: Pushed
379c896bedff: Pushed
f205cc2e9b67: Pushed
ada60a58fd66: Pushed
72cb73469697: Pushed
d9d4f0f4e563: Pushed

# Pull from another client
[root@localhost ~]# docker login 192.168.80.120:5000
[root@localhost ~]# docker pull 192.168.80.120:5000/nginx:v1
v1: Pulling from nginx
2d473b07cdd5: Pull complete
44d65ce0708e: Pull complete
Digest: sha256:b39f7d7a09cdcaefbb63811503fcb6b2b2a1035029b44d1b262c26c06ca4d6f3
Status: Downloaded newer image for 192.168.80.120:5000/nginx:v1
192.168.80.120:5000/nginx:v1
[root@localhost ~]# docker images
REPOSITORY                  TAG      IMAGE ID       CREATED       SIZE
192.168.80.120:5000/nginx   v1       e6b2d5a5a6b4   2 weeks ago   1.16GB
registry                    latest   dcb3d42c1744   4 weeks ago   24.1MB
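The htpasswd calls in step 2 pass -B without -C, so the entries are written at htpasswd's default bcrypt cost of 5, and the registry's htpasswd backend ignores any entry that is not bcrypt. The audit function below is an added example, not part of the original post; the legacy user, the hash strings and the minimum cost of 10 are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a registry htpasswd file such as /docker/registry/auth/htpasswd.
# Usage: audit_htpasswd FILE [MIN_COST]   (default MIN_COST of 10 is an assumed policy)
# Prints one finding per line; returns 0 when the file is clean, 1 otherwise.
audit_htpasswd() {
    awk -F: -v min="${2:-10}" '
        /^[ \t]*$/ { next }    # htpasswd -n emits a blank line after each entry
        NF != 2 || $1 == "" || $2 == "" {
            print "line " NR ": malformed entry"; bad = 1; next
        }
        seen[$1]++ { print $1 ": duplicate user"; bad = 1 }
        # bcrypt: "$2a$", "$2b$" or "$2y$", a two-digit cost, 60 characters in total
        $2 !~ /^[$]2[aby][$][0-9][0-9][$]/ || length($2) != 60 {
            print $1 ": not a bcrypt hash, the registry ignores this entry"
            bad = 1; next
        }
        {
            cost = substr($2, 5, 2) + 0
            if (cost < min) {
                print $1 ": bcrypt cost " cost " below " min; bad = 1
            }
        }
        END { exit bad + 0 }
    ' "$1"
}

# Constructed sample (not real hashes): root sits at the htpasswd -B default cost of 5,
# zzhz at cost 12, and legacy (hypothetical user) carries an apr1/MD5-style entry.
sample_htpasswd() {
    cat <<'EOF'
root:$2y$05$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZ01234

zzhz:$2y$12$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZ01234

legacy:$apr1$constructd$notarealhashvalue000
EOF
}

# Demo run over the constructed sample.
sample_htpasswd > "/tmp/htpasswd.sample.$$"
audit_htpasswd "/tmp/htpasswd.sample.$$" 10 || echo "findings reported above"
rm -f "/tmp/htpasswd.sample.$$"
```

Regenerating an entry with a higher cost uses htpasswd's -C option together with -B.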
II. Registry over HTTPS:

6. Set up HTTPS
Use openssl to create a self-signed certificate for the domain; here the domain is assumed to be registry.abc.com. Also create the /docker/registry/certs directory specifically for storing the certificate files.
[root@localhost7C registry]# yum -y install openssl openssl-devel
Generate the root certificate. After running the command you are prompted in turn for: country code (two letters), province, city, organization, unit, domain name (www.abc.com) and e-mail address.
[root@localhost7C registry]# openssl req -newkey rsa:4096 -nodes -sha256 -keyout /docker/registry/certs/www.abc.com.key -x509 -days 3000 -out /docker/registry/certs/www.abc.com.crt

7. # Start with authorization
[root@localhost7C registry]# docker run -d -p 443:443 --name registryA --restart=always --privileged=true \
    -v /docker/registry/certs:/certs \
    -v /docker/registry/data:/var/lib/registry \
    -v /docker/registry/auth:/auth \
    -e REGISTRY_HTTP_ADDR=0.0.0.0:443 \
    -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/www.abc.com.crt \
    -e REGISTRY_HTTP_TLS_KEY=/certs/www.abc.com.key \
    -e "REGISTRY_AUTH=htpasswd" \
    -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" \
    -e "REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd" docker.io/registry:latest

# HTTPS also works without BASIC authentication accounts.
[root@localhost7C registry]# docker run -d -p 443:443 --name registryA --restart=always --privileged=true \
    -v /docker/registry/certs:/certs \
    -v /docker/registry/data:/var/lib/registry \
    -e REGISTRY_HTTP_ADDR=0.0.0.0:443 \
    -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/www.abc.com.crt \
    -e REGISTRY_HTTP_TLS_KEY=/certs/www.abc.com.key docker.io/registry:latest

8. # On the client, under /etc/docker/certs.d/, create a directory named after the Docker registry address (mine is www.abc.com)
[root@localhost7B]# mkdir /etc/docker/certs.d/www.abc.com
# Copy the certificate from the registry host to the client (scp, since the destination is a remote host)
[root@localhost7C registry]# scp certs/www.abc.com.crt 192.168.80.110:/etc/docker/certs.d/www.abc.com/
[root@localhost7B ]# docker logout harbor3.abc.com
Removing login credentials for harbor3.abc.com
[root@localhost7B harbor3.abc.com]# docker login harbor3.abc.com
Username: root
Password:
[root@localhost7B ]# docker tag nginx:v1 harbor3.abc.com/nginx:v1
[root@localhost7B ]# docker push harbor3.abc.com/nginx:v1