Creating a private registry for Docker images
CentOS Linux release 7.2.1511
Docker version 17.03.1-ce
Install the registry image
Also pull a small image, alpine, to use for testing later:
# docker pull daocloud.io/registry
# docker pull daocloud.io/alpine
A quick test:
# docker run -d -p 5000:5000 --restart=always daocloud.io/registry
# docker tag daocloud.io/alpine localhost:5000/alpine
# docker push localhost:5000/alpine
# docker rmi localhost:5000/alpine
# docker pull localhost:5000/alpine
# docker images
This registry service has two main problems: first, the registry data is stored inside the container instead of being persisted on the host; second, other machines cannot pull from it or push to it.
Persist the registry data
Save it to /data/docker/registry/ on the host:
# mkdir -p /data/docker/registry
# docker run -d -p 5000:5000 \
    -v /data/docker/registry/:/var/lib/registry \
    daocloud.io/registry
# docker push localhost:5000/alpine
# tree /data/docker/registry/ -L 5
/data/docker/registry/
└── docker
    └── registry
        └── v2
            ├── blobs
            │   └── sha256
            └── repositories
                └── alpine
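Add HTTPS authentication
If the domain already has a certificate, use it directly; otherwise generate your own self-signed certificate (the Common Name line, marked in red in the original, must be filled in with your own domain name):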
# mkdir -p /data/docker/certs
# cd /data/docker/certs
# openssl req -newkey rsa:4096 -nodes -sha256 -keyout domain.key -x509 -days 365 -out domain.crt
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:GD
Locality Name (eg, city) [Default City]:SZ
Organization Name (eg, company) [Default Company Ltd]:YYYY
Organizational Unit Name (eg, section) []:MMMM
Common Name (eg, your name or your server's hostname) []:my.cn
Email Address []:my@mail.cn
Start the registry with HTTPS support. Publishing it on the default port 443 means the port does not have to be appended to the domain name. Also name the container myreg so it is easier to manage:
# docker run -d -p 443:5000 --restart=always --name myreg \
    -v /data/docker/registry/:/var/lib/registry \
    -v /data/docker/certs:/certs \
    -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt \
    -e REGISTRY_HTTP_TLS_KEY=/certs/domain.key \
    daocloud.io/registry
Now test from another machine: add a hosts entry for the domain, then copy the certificate file over:
# sed -i '$a\[your ip] my.cn' /etc/hosts
# mkdir -p /etc/docker/certs.d/my.cn/
# cd /etc/docker/certs.d/my.cn/
# scp my.cn:/data/docker/certs/domain.crt .
# docker pull daocloud.io/alpine
# docker tag daocloud.io/alpine my.cn/alpine
# docker push my.cn/alpine
# docker pull my.cn/alpine
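A client-side pre-flight check for the steps above, as an added example that is not part of the original post: it derives the registry host from an image reference the way Docker does, locates the matching certs.d directory, and checks that a certificate installed there covers the hostname and is not within 30 days of expiry. CERTS_ROOT is a hypothetical override used only for testing, and -checkhost assumes OpenSSL 1.0.2 or later.

```shell
#!/bin/sh
# Added example, not from the original post.

# registry_of REF: print the registry host[:port] that an image reference names.
# Docker treats the part before the first "/" as a registry only when it
# contains "." or ":" or is exactly "localhost"; otherwise it uses docker.io.
registry_of() {
    case $1 in
        */*) first=${1%%/*} ;;
        *)   echo "docker.io"; return 0 ;;   # e.g. "alpine" or "alpine:3.5"
    esac
    case $first in
        *.*|*:*|localhost) echo "$first" ;;
        *)                 echo "docker.io" ;;
    esac
}

# certs_dir REF: directory whose *.crt files the daemon trusts as CAs for that
# registry. CERTS_ROOT is a hypothetical override so the check can be tested.
certs_dir() {
    echo "${CERTS_ROOT:-/etc/docker/certs.d}/$(registry_of "$1")"
}

# check_client_trust REF: succeed if some certificate installed for REF's
# registry matches its hostname and stays valid for 30 more days.
# Assumes OpenSSL 1.0.2 or later for -checkhost.
check_client_trust() {
    dir=$(certs_dir "$1")
    host=$(registry_of "$1")
    host=${host%%:*}                          # drop ":port" for the name check
    for crt in "$dir"/*.crt; do
        [ -f "$crt" ] || continue             # glob matched nothing
        if openssl x509 -in "$crt" -noout -checkhost "$host" | grep -q "does match" &&
           openssl x509 -in "$crt" -noout -checkend 2592000 >/dev/null; then
            echo "ok: $crt is valid for $host"
            return 0
        fi
    done
    echo "no usable certificate for $host in $dir" >&2
    return 1
}
```

Running check_client_trust my.cn/alpine on the client before docker push shows whether the copied domain.crt sits in the directory the daemon reads for my.cn and whether its name matches the registry's domain.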
over