docker私有仓库搭建及认证
什么是docker?
Docker 是一个开源的应用容器引擎,让开发者可以打包他们的应用以及依赖包到一个可移植的容器中,然后发布到任何流行的 Linux 机器上,也可以实现虚拟化。容器是完全使用沙箱机制,相互之间不会有任何接口。
再具体的请自行百度~
命令是红字,配置是绿字,注释和其他为黑色字体。现在让我们来安装吧
服务器主机名及IP地址:
192.168.110.92 docker-registry
192.168.110.22 docker-gitlab
系统版本:
CentOS Linux release 7.2.1511 (Core)
docker版本:
Docker version 1.12.6, build c4618fb/1.12.6
docker仓库版本:
registry-2.4.1
docker认证版本:
docker_auth:1
基础优化~略
关闭selinux:
sed -i s#'SELINUX=enforcing'#'SELINUX=disabled'#g /etc/selinux/config
setenforce 0
关闭防火墙:
systemctl stop firewalld
systemctl disable firewalld
安装源:
wget -O /etc/yum.repos.d/epel.repo http://mirrors.aliyun.com/repo/epel-7.repo
安装并启动docker:
yum install docker docker-registry -y
systemctl enable docker
systemctl start docker
私有镜像库和认证搭建:
下载镜像:
docker pull registry
docker pull docker_auth:1
打标记:
docker tag registry 192.168.110.92:5000/registry:2.4.1
docker tag docker_auth:1 192.168.110.92:5000/docker_auth
修改docker文件 加一行--insecure-registry 192.168.110.92:5000
vim /etc/sysconfig/docker
# /etc/sysconfig/docker
# Modify these options if you want to change the way the docker daemon runs
OPTIONS='--selinux-enabled --log-driver=journald --signature-verification=false --insecure-registry 192.168.110.92:5000'
if [ -z "${DOCKER_CERT_PATH}" ]; then
DOCKER_CERT_PATH=/etc/docker
fi
创建目录并进入:
mkidr /data/auth_server/ssl/ -p ##用于存放证书
mkidr /data/auth_server/config/ -p ##配置文件
cd /data/auth_server/ssl/
证书生成(server.key,server.pem和server.crt):
openssl genrsa -out server.key 2048
openssl req -newkey rsa:2048 -nodes -keyout server.key -x509 -days 3650 -out server.pem
cat server.pem | tee -a server.crt
拷贝:
scp server.crt 192.168.110.22:/etc/docker/certs.d/ ###scp 到其他服务器用于测试从内部仓库下载
现在创建配置文件:
cd /data/auth_server/config
vi auth_config.yml
server:
addr: ":5001"
certificate: "/ssl/server.pem"
key: "/ssl/server.key"
token:
issuer: "Auth Service" # Must match issuer in the Registry config.
expiration: 900
users:
# Password is specified as a BCrypt hash. Use htpasswd -B to generate.
"admin":
password: "$2y$05$LO.vzwpWC5LZGqThvEfznu8qhb5SGqvBSWY1J3yZ4AxtMRZ3kN5jC" #badmin
"test":
password: "123"
acl:
- match: {account: "admin"}
actions: ["*"]
comment: "Admin has full access to everything."
- match: {account: ""}
actions: ["pull"]
comment: "User \"user\" can pull stuff."
回到家目录创建docker-compose配置文件
cd && vi docker-compose.yml
dockerauth:
image: cesanta/docker_auth:1
ports:
- "5001:5001"
volumes:
- /data/auth_server/config:/config:ro
- /var/log/docker_auth:/logs
- /data/auth_server/ssl:/ssl
command: /config/auth_config.yml
restart: always
registry:
image: registry:2.4.1
ports:
- "5000:5000"
volumes:
- /data/auth_server/ssl:/ssl
- /data/docker_registry/data:/var/lib/registry
- /data/auth_server/config:/auth
- /data/auth_server/ssl:/certs
restart: always
environment:
- REGISTRY_HTTP_TLS_CERTIFICATE=/certs/server.crt
- REGISTRY_HTTP_TLS_KEY=/certs/server.key
- REGISTRY_AUTH=token
- REGISTRY_AUTH_TOKEN_REALM=https://192.168.110.92:5001/auth ###本机ip
- REGISTRY_AUTH_TOKEN_SERVICE="Docker registry"
- REGISTRY_AUTH_TOKEN_ISSUER="Auth Service"
- REGISTRY_AUTH_TOKEN_ROOTCERTBUNDLE=/certs/server.pem
启动并查看:
docker-compose up -d #-d后台启动
docker-compose ps
Name Command State Ports
-----------------------------------------------------------------------------------
root_dockerauth_1 /docker_auth/auth_server / ... Up 0.0.0.0:5001->5001/tcp
root_registry_1 /bin/registry serve /etc/d ... Up 0.0.0.0:5000->5000/tcp
上传打完包的镜像到私有仓库:
for n in `docker images |grep 192|awk '{print $1":"$2}'` ;do docker push $n;done
验证镜像是否在镜像库(没有404就行):
for YZ in `docker images|awk -F "[/ ]+" '{print $2}'|grep -v TAG`;do curl -v -X GET http://192.168.110.92:5000/v2/$YZ/tags/list ;done
测试:
192.168.110.22服务器执行:
docker login 192.168.110.92:5000
账号: admin #auth_config.yml 配置的
密码: badmin #auth_config.yml配置的
Login Succeeded ##说明成功
docker pull 192.168.110.92:5000/docker_auth #不出意外的话应该是飞快的速度
网上查资料+同事帮忙+自我实践,才弄出来,有问题及时联系我~