6.云原生之Docker容器Registry私有镜像仓库搭建实践
转载自:https://www.bilibili.com/read/cv15219863/?from=readlist
#1.下载registry仓库并设置数据存放的目录(并生成认证账号密码)
docker pull registry:2
mkdir -vp /opt/data/auth #宿主机认证目录
mkdir -vp /opt/data/registry #宿主机仓库目录
# 采用--entrypoint进行执行
docker run --entrypoint htpasswd httpd:2 -Bbn testuser testpassword > auth/htpasswd
#2.运行下载的仓库镜像(我们常常指定一个本地数据卷给容器)
docker run -d -p 5000:5000 --name registry -v /opt/data/registry:/var/lib/registry registry:2 #未认证
## 加入认证 (已失效)
docker run -d -p 5000:5000 --restart=always --name docker-hub \
-v /opt/data/registry:/var/lib/registry \
-v /opt/data/auth:/auth \
-e "REGISTRY_AUTH=htpasswd" \
-e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" \
-e "REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd" \
registry
#Docker 默认不允许非 HTTPS 方式推送镜像。我们可以通过 Docker 的配置选项来取消这个限制
# 3.修改docker的配置文件,让他支持http方式,上传私有镜像 (本地)
tee /etc/docker/daemon.json <<EOF
# 写入如下内容
{
"registry-mirror": [
"https://registry.docker-cn.com"
],
"insecure-registries": [
"10.10.107.221:5000"
]
}
EOF
# 4.修改docker的服务配置文件(Ubuntu此步骤可以跳过)
vim /lib/systemd/system/docker.service
# 找到[service]这一代码区域块,写入如下参数
[Service]
EnvironmentFile=-/etc/docker/daemon.json
# 5.重新加载docker服务
systemctl daemon-reload
# 6.重启docker服务
systemctl restart docker
# 注意:重启docker服务,所有的容器都会挂掉
docker run -d -p 5000:5000 --name docker-registry -v /opt/data/registry:/var/lib/registry registry
# 7.修改本地镜像的tag标记,往自己的私有仓库推送
#docker tag weiyigeek/hello-world-docker 10.10.107.221:5000/weiyigeek #对于修改名称的
$docker commit -m "alpine-sh" -a "weiyigeek" a63 10.10.107.221:5000/alpine-sh
sha256:b75ef26a9e1d92924914edcb841de8b7bdc0b336cea2c6cfbaaf6175e24472c6
$docker login 10.10.107.221:5000
Username: testuser
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
#上传我们的镜像文件
$docker push 10.10.107.221:5000/alpine-sh
The push refers to repository [10.10.107.221:5000/alpine-sh]
2a499f806f16: Pushed
f1b5933fe4b5: Pushed
latest: digest: sha256:6d13420cb9ce74095e2a71f565fc8c15ba17b40933e14534fc65775025eedd18 size: 735
# 8.下载私有仓库的镜像(查看)
docker pull 10.10.107.221:5000/weiyige
# http://10.10.107.221:5000/v2/_catalog #查看仓库 需要进行认证
# http://10.10.107.221:5000/v2/[image_name]/tags/list #查看镜像版本列表
curl -XGET http://10.10.107.221:5000/v2/_catalog -u testuser:testpassword
{"repositories":["alpine-sh"]}
可以从下图看到设置账号密码认证后直接访问Registry API将受到限制
# (1) Registry API
/var/lib/registry
# (2) Harbor 本地目录中
/data/harbor/registry/docker/registry/v2
# 查看镜像 Manifest 对应的blob id
$ cat repositories/release/cyclone-server/_manifests/tags/v0.5.0-beta.1/current/link
sha256:6d47a9873783f7bf23773f0cf60c67cef295d451f56b8b79fe3a1ea217a4bf98
# 查看镜像 Manifest
$ cat blobs/sha256/6d/6d47a9873783f7bf23773f0cf60c67cef295d451f56b8b79fe3a1ea217a4bf98/data
# Blob 数据的存储
# 查看镜像 blob 的位置和大小
$ du -s blobs/sha256/71/7118e0a5b59500ceeb4c9686c952cae5e8bfe3e64e5afaf956c7098854a2390e/data
7560 blobs/sha256/71/7118e0a5b59500ceeb4c9686c952cae5e8bfe3e64e5afaf956c7098854a2390e/data
(2) 为Registry私有镜像仓库配置auth认证与tls证书
# 创建参数
docker run -d \
-p 443:443 \
--restart=always \
--name registry \
-v /app/registry/data:/var/lib/registry \
-v /app/registry/auth:/auth \
-v /app/registry/cert:/cert \
-e "REGISTRY_HTTP_ADDR=0.0.0.0:443" \
-e "REGISTRY_AUTH=htpasswd" \
-e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" \
-e "REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd" \
-e "REGISTRY_HTTP_TLS_CERTIFICATE=/cert/hub.weiyigeek.top.crt" \
-e "REGISTRY_HTTP_TLS_KEY=/cert/server.key" \
registry:2
# 查看创建的registry 容器
$ docker ps --format "table {{.ID}}\t{{.Names}}\t{{.Ports}}"
CONTAINER ID NAMES PORTS
c8657bd20936 registry 0.0.0.0:443->443/tcp, 5000/tcp
(3) 登陆远程仓库时报证书签名错误及其解决办法
~$ docker login hub.weiyigeek.top
Login did not succeed, error: Error response from daemon: Get https://hub.weiyigeek.top/v2/: x509: certificate signed by unknown authority
Username: WeiyiGeek
Password: ********
# 解决办法:
# (1) 在 /etc/docker/daemon.json 中配置insecure-registries字段,表示允许不安全的仓库。
"insecure-registries": ["192.168.12.111:5000","hub.weiyigeek.top"]
# (2) 从官方文档可知客户端要使用tls与Harbor通信使用的还是`自签证书`,那么必须建立一个目录`/etc/docker/certs.d`
# 如果配置可能会出现 x509: certificate signed by unknown authority 错误提示。
mkdir -vp /etc/docker/certs.d/hub.weiyigeek.top
cp -a /deployapp/harbor/harbor.pem /etc/docker/certs.d/hub.weiyigeek.top/harbor.crt
