  • Docker4: Setting up a private Docker registry and common usage (docker-registry approach)

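    I. Brief introduction

      As covered earlier, you can use the public Docker Hub repository, but in most cases a company needs to create a local registry for its own use. This post introduces several ways to set up a private registry.

      A private registry has several benefits:

        1. It saves bandwidth

        2. You can customize the system yourself

        3. It is more secure

    II. The methods I know of

      1. Use the official docker-registry tool to set up a private registry

        This is an officially provided image. Note that the tool is itself an image: just download the registry image and start a Docker container from it.

      2. Use Harbor-Registry to set up a private registry

        Harbor is an enterprise-grade Registry service for storing Docker images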

        

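    III. Configuring a private registry with the official docker-registry

      1. Environment

        Docker private registry address: 192.168.216.51  web1

        Docker server address: 192.168.216.52  web2; this node uses the private registry server to pull/push images

      2. Topology

        

        Note: here "docker hub" is the private registry

           docker engine: introduced in the earlier article on principles, it is the runtime engine in the Docker architecture and also the core module of Docker's operation. It acts as the store for Docker containers and manages those containers by executing jobs.

      3. Install the Docker private registry

        1) Install docker first

          Option 1

            You can also download the rpm packages and install them

              rpm package location: https://download.docker.com/linux/centos/7/x86_64/stable/Packages/

                The package downloaded here is docker-ce-cli-19.03.2-3.el7.x86_64.rpm

            To resolve dependencies, configure a local repo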

              

    [root@web2 yum.repos.d]# mv Centos-7.repo ./backup/
    [root@web2 yum.repos.d]# ll 
    total 16
    drwxr-xr-x. 2 root root   27 Sep 23 14:56 backup
    drwxr-xr-x. 2 root root    6 Sep 23 14:32 bakcup
    -rw-r--r--. 1 root root   65 Sep 23 14:53 docker-rpm.repo
    -rw-r--r--. 1 root root  664 Sep 23 12:54 epel-7.repo
    -rw-r--r--. 1 root root  951 Sep 23 12:54 epel.repo
    -rw-r--r--. 1 root root 1050 Sep 23 12:54 epel-testing.repo
    [root@web2 yum.repos.d]# cd /root/docker-rpm/
    [root@web2 docker-rpm]# createrepo ./

           yum install docker-ce  -y

              

          Option 2

            Configure the Aliyun mirror. The EPEL repo I have here does not contain docker, so I configure Aliyun's docker repo

            Aliyun mirror address: https://mirrors.aliyun.com/docker-ce/linux/centos/

    [root@web2 yum.repos.d]# cat docker-ce.repo 
    [docker-ce-stable]
    name=Docker CE Stable - $basearch
    baseurl=https://mirrors.aliyun.com/docker-ce/linux/centos/7/$basearch/stable
    enabled=1
    gpgcheck=1
    gpgkey=https://mirrors.aliyun.com/docker-ce/linux/centos/gpg
    
    [docker-ce-stable-debuginfo]
    name=Docker CE Stable - Debuginfo $basearch
    baseurl=https://mirrors.aliyun.com/docker-ce/linux/centos/7/debug-$basearch/stable
    enabled=0
    gpgcheck=1
    gpgkey=https://mirrors.aliyun.com/docker-ce/linux/centos/gpg
    
    [docker-ce-stable-source]
    name=Docker CE Stable - Sources
    baseurl=https://mirrors.aliyun.com/docker-ce/linux/centos/7/source/stable
    enabled=0
    gpgcheck=1
    gpgkey=https://mirrors.aliyun.com/docker-ce/linux/centos/gpg
    
    [docker-ce-edge]
    name=Docker CE Edge - $basearch
    baseurl=https://mirrors.aliyun.com/docker-ce/linux/centos/7/$basearch/edge
    enabled=0
    gpgcheck=1
    gpgkey=https://mirrors.aliyun.com/docker-ce/linux/centos/gpg
    
    [docker-ce-edge-debuginfo]
    name=Docker CE Edge - Debuginfo $basearch
    baseurl=https://mirrors.aliyun.com/docker-ce/linux/centos/7/debug-$basearch/edge
    enabled=0
    gpgcheck=1
    gpgkey=https://mirrors.aliyun.com/docker-ce/linux/centos/gpg
    
    [docker-ce-edge-source]
    name=Docker CE Edge - Sources
    baseurl=https://mirrors.aliyun.com/docker-ce/linux/centos/7/source/edge
    enabled=0
    gpgcheck=1
    gpgkey=https://mirrors.aliyun.com/docker-ce/linux/centos/gpg
    
    [docker-ce-test]
    name=Docker CE Test - $basearch
    baseurl=https://mirrors.aliyun.com/docker-ce/linux/centos/7/$basearch/test
    enabled=0
    gpgcheck=1
    gpgkey=https://mirrors.aliyun.com/docker-ce/linux/centos/gpg
    
    [docker-ce-test-debuginfo]
    name=Docker CE Test - Debuginfo $basearch
    baseurl=https://mirrors.aliyun.com/docker-ce/linux/centos/7/debug-$basearch/test
    enabled=0
    gpgcheck=1
    gpgkey=https://mirrors.aliyun.com/docker-ce/linux/centos/gpg
    
    [docker-ce-test-source]
    name=Docker CE Test - Sources
    baseurl=https://mirrors.aliyun.com/docker-ce/linux/centos/7/source/test
    enabled=0
    gpgcheck=1
    gpgkey=https://mirrors.aliyun.com/docker-ce/linux/centos/gpg
    
    [docker-ce-nightly]
    name=Docker CE Nightly - $basearch
    baseurl=https://mirrors.aliyun.com/docker-ce/linux/centos/7/$basearch/nightly
    enabled=0
    gpgcheck=1
    gpgkey=https://mirrors.aliyun.com/docker-ce/linux/centos/gpg
    
    [docker-ce-nightly-debuginfo]
    name=Docker CE Nightly - Debuginfo $basearch
    baseurl=https://mirrors.aliyun.com/docker-ce/linux/centos/7/debug-$basearch/nightly
    enabled=0
    gpgcheck=1
    gpgkey=https://mirrors.aliyun.com/docker-ce/linux/centos/gpg
    
    [docker-ce-nightly-source]
    name=Docker CE Nightly - Sources
    baseurl=https://mirrors.aliyun.com/docker-ce/linux/centos/7/source/nightly
    enabled=0
    gpgcheck=1
    gpgkey=https://mirrors.aliyun.com/docker-ce/linux/centos/gpg
    [root@web2 yum.repos.d]# 

            yum install docker-ce -y

            

        2) Start the firewall

          systemctl start firewalld.service

        3) Start the private registry server side

          systemctl start docker

          systemctl enable docker

        Make sure docker is installed and running on both nodes

      4. Pull or load the registry image on the private registry server

        Method 1: pull it directly

          

    [root@web1 yum.repos.d]# docker pull registry
    Using default tag: latest
    Trying to pull repository docker.io/library/registry ... 
    latest: Pulling from docker.io/library/registry
    Digest: sha256:8004747f1e8cd820a148fb7499d71a76d45ff66bac6a29129bfdbfdc0154d146
    Status: Image is up to date for docker.io/registry:latest
    [root@web1 yum.repos.d]# docker images
    REPOSITORY                          TAG                 IMAGE ID            CREATED             SIZE
    zxg/nginx1                          latest              3babdf3c6c6d        2 weeks ago         546 MB
    zxg/centos_nginx                    v1                  7c6604cacec1        4 weeks ago         698 MB
    docker.io/atlassian/jira-software   latest              c4b90dede4f3        5 weeks ago         624 MB
    zxg/my_nginx                        v1                  b164f4c07c64        8 weeks ago         126 MB
    zxg/my_nginx                        latest              f07837869dfc        8 weeks ago         126 MB
    docker.io/nginx                     latest              e445ab08b2be        2 months ago        126 MB
    docker.io/alpine                    latest              b7b28af77ffe        2 months ago        5.58 MB
    docker.io/centos                    latest              9f38484d220f        6 months ago        202 MB
    docker.io/registry                  latest              f32a97de94e1        6 months ago        25.8 MB
    [root@web1 yum.repos.d]# 

        Method 2: download the registry.tar package and load it

          docker load -i registry.tar

      5. On the registry server, pull any image and tag it

    docker pull busybox
    docker tag docker.io/busybox:latest 192.168.216.51:5000/busybox:latest

         The tagged image is the 192.168.216.51:5000/busybox row below (highlighted in red in the original)

    [root@web1 ~]# docker images
    REPOSITORY                          TAG                 IMAGE ID            CREATED             SIZE
    zxg/nginx1                          latest              3babdf3c6c6d        2 weeks ago         546 MB
    192.168.216.51:5000/busybox         latest              19485c79a9bb        3 weeks ago         1.22 MB
    busybox                             v1                  19485c79a9bb        3 weeks ago         1.22 MB
    docker.io/busybox                   latest              19485c79a9bb        3 weeks ago         1.22 MB
    zxg/centos_nginx                    v1                  7c6604cacec1        4 weeks ago         698 MB

      

      6. Edit the configuration file to specify the private registry URL

        docker-common must be installed; check whether it is

    [root@web1 yum.repos.d]# rpm -qf /etc/sysconfig/docker
    docker-common-1.13.1-96.gitb2f74b2.el7.centos.x86_64
    [root@web1 yum.repos.d]# 

        Add --insecure-registry 192.168.216.51:5000 to the configuration file

    [root@web1 yum.repos.d]# cat /etc/sysconfig/docker
    # /etc/sysconfig/docker
    #
    # Modify these options if you want to change the way the docker daemon runs
    OPTIONS='--selinux-enabled --log-driver=journald --signature-verification=false --insecure-registry 192.168.216.51:5000'
    if [ -z "${DOCKER_CERT_PATH}" ]; then
        DOCKER_CERT_PATH=/etc/dockerd
    fi

      7. Restart docker

        

    [root@web1 yum.repos.d]# systemctl restart docker

      8. Start the private registry: just run a container from the registry image

    [root@web1 yum.repos.d]# docker run -d -p 5000:5000 -v /opt/registry:/var/lib/registry registry
    ### -v specifies the local persistent path
    27d56aa54e167c26c76e25136b247072883aa29dde247f20c45f97fafedb650b
    [root@web1 yum.repos.d]# docker ps
    CONTAINER ID        IMAGE               COMMAND                  CREATED              STATUS              PORTS                    NAMES
    27d56aa54e16        registry            "/entrypoint.sh /e..."   About a minute ago   Up 58 seconds       0.0.0.0:5000->5000/tcp   frosty_ptolemy
    [root@web1 yum.repos.d]# netstat -antlop |grep 5000
    tcp6       0      0 :::5000                 :::*                    LISTEN      27767/docker-proxy-  off (0.00/0/0)
    [root@web1 yum.repos.d]# netstat -antup |grep 5000
    tcp6       0      0 :::5000                 :::*                    LISTEN      27767/docker-proxy-
    [root@web1 yum.repos.d]#
    [root@web1 yum.repos.d]# ls /opt/registry
    ### the directory has been created automatically

      9. Push the image from this machine; once it succeeds, inspect the result with tree

    docker push 192.168.216.51:5000/busybox
    [root@web1 ~]#  tree /opt/registry/docker/registry/
    /opt/registry/docker/registry/
    └── v2
        ├── blobs
        │   └── sha256
        │       ├── 19
        │       │   └── 19485c79a9bbdca205fce4f791efeaa2a103e23431434696cc54fdd939e9198d
        │       │       └── data
        │       ├── 7c
        │       │   └── 7c9d20b9b6cda1c58bc4f9d6c401386786f584437abbe87e58910f8a9a15386b
        │       │       └── data
        │       └── dd
        │           └── dd97a3fe6d721c5cf03abac0f50e2848dc583f7c4e41bf39102ceb42edfd1808
        │               └── data
        └── repositories
            └── busybox
                ├── _layers
                │   └── sha256
                │       ├── 19485c79a9bbdca205fce4f791efeaa2a103e23431434696cc54fdd939e9198d
                │       │   └── link
                │       └── 7c9d20b9b6cda1c58bc4f9d6c401386786f584437abbe87e58910f8a9a15386b
                │           └── link
                ├── _manifests
                │   ├── revisions
                │   │   └── sha256
                │   │       └── dd97a3fe6d721c5cf03abac0f50e2848dc583f7c4e41bf39102ceb42edfd1808
                │   │           └── link
                │   └── tags
                │       └── latest
                │           ├── current
                │           │   └── link
                │           └── index
                │               └── sha256
                │                   └── dd97a3fe6d721c5cf03abac0f50e2848dc583f7c4e41bf39102ceb42edfd1808
                │                       └── link
                └── _uploads
    
    26 directories, 8 files
    [root@web1 ~]# 

      10. Pull the busybox image from node 52

        Docker is already installed here, so I will not demonstrate the installation; it follows the method from the earlier article on principles, linked below:

          For installing docker, see: Docker1: Architecture principles and basic usage

      

    ### Edit the configuration file to add "--insecure-registry" (insecure registry)
    [root@web2 ~]# cat /etc/sysconfig/docker |grep 5000
    OPTIONS='--selinux-enabled --log-driver=journald --signature-verification=false --insecure-registry 192.168.216.51:5000'
    ### Pull the image
    [root@web2 ~]# docker pull 192.168.216.51:5000/busybox
    Using default tag: latest
    Trying to pull repository 192.168.216.51:5000/busybox ...
    latest: Pulling from 192.168.216.51:5000/busybox
    7c9d20b9b6cd: Pull complete
    Digest: sha256:dd97a3fe6d721c5cf03abac0f50e2848dc583f7c4e41bf39102ceb42edfd1808
    Status: Downloaded newer image for 192.168.216.51:5000/busybox:latest
    ### List the images
    [root@web2 ~]# docker images
    REPOSITORY                    TAG                 IMAGE ID            CREATED             SIZE
    192.168.216.51:5000/busybox   latest              19485c79a9bb        3 weeks ago         1.22 MB
    ### Run a container: success

    [root@web2 ~]# docker run 192.168.216.51:5000/busybox echo "1111"
    1111
    [root@web2 ~]#

    ### Create an alias for the image and name it
    [root@web2 ~]# docker tag 192.168.216.51:5000/busybox busybox:v1
    ### Remove the image
    [root@web2 ~]# docker rmi 192.168.216.51:5000/busybox

    [root@web2 ~]# docker images
    REPOSITORY          TAG                 IMAGE ID            CREATED             SIZE
    busybox             v1                  19485c79a9bb        3 weeks ago         1.22 MB


    ### Run a new container

      

    [root@web2 ~]# docker run busybox:v1 echo 222
    222

      At this point the private registry setup is complete, but we should push one more new version as a test:

    [root@web2 ~]# docker tag busybox:v1 192.168.216.51:5000/busybox:v1
    [root@web2 ~]# docker ps
    CONTAINER ID        IMAGE               COMMAND             CREATED             STATUS              PORTS               NAMES
    [root@web2 ~]# docker images
    REPOSITORY                    TAG                 IMAGE ID            CREATED             SIZE
    192.168.216.51:5000/busybox   v1                  19485c79a9bb        3 weeks ago         1.22 MB
    busybox                       v1                  19485c79a9bb        3 weeks ago         1.22 MB
    [root@web2 ~]# docker push 192.168.216.51:5000/busybox
    The push refers to a repository [192.168.216.51:5000/busybox]
    6c0ea40aef9d: Layer already exists 
    v1: digest: sha256:dd97a3fe6d721c5cf03abac0f50e2848dc583f7c4e41bf39102ceb42edfd1808 size: 527
    [root@web2 ~]# 

      11. Back on node 51, check whether the new version has been uploaded

        On node 51, inspect with the tree command; the v1 version is visible

    [root@web1 ~]# tree /opt/registry/docker/registry/
    /opt/registry/docker/registry/
    └── v2
        ├── blobs
        │   └── sha256
        │       ├── 19
        │       │   └── 19485c79a9bbdca205fce4f791efeaa2a103e23431434696cc54fdd939e9198d
        │       │       └── data
        │       ├── 7c
        │       │   └── 7c9d20b9b6cda1c58bc4f9d6c401386786f584437abbe87e58910f8a9a15386b
        │       │       └── data
        │       └── dd
        │           └── dd97a3fe6d721c5cf03abac0f50e2848dc583f7c4e41bf39102ceb42edfd1808
        │               └── data
        └── repositories
            └── busybox
                ├── _layers
                │   └── sha256
                │       ├── 19485c79a9bbdca205fce4f791efeaa2a103e23431434696cc54fdd939e9198d
                │       │   └── link
                │       └── 7c9d20b9b6cda1c58bc4f9d6c401386786f584437abbe87e58910f8a9a15386b
                │           └── link
                ├── _manifests
                │   ├── revisions
                │   │   └── sha256
                │   │       └── dd97a3fe6d721c5cf03abac0f50e2848dc583f7c4e41bf39102ceb42edfd1808
                │   │           └── link
                │   └── tags
                │       ├── latest
                │       │   ├── current
                │       │   │   └── link
                │       │   └── index
                │       │       └── sha256
                │       │           └── dd97a3fe6d721c5cf03abac0f50e2848dc583f7c4e41bf39102ceb42edfd1808
                │       │               └── link
                │       └── v1
                │           ├── current
                │           │   └── link
                │           └── index
                │               └── sha256
                │                   └── dd97a3fe6d721c5cf03abac0f50e2848dc583f7c4e41bf39102ceb42edfd1808
                │                       └── link
                └── _uploads
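
The tree output above shows a content-addressed store: each `blobs/sha256/<prefix>/<digest>/data` file should hash to the digest in its path, and each tag's `current/link` file names the manifest digest it points to. The script below is an added example, not part of the original post, that checks both properties; `make_sample_store` builds a small constructed store so it runs without a real registry, and the function names are assumptions of this example.

```shell
#!/bin/sh
# Integrity check for a registry v2 filesystem store (added example).
# Fall back to shasum where sha256sum is not installed.
command -v sha256sum >/dev/null 2>&1 || sha256sum() { shasum -a 256 "$@"; }

# verify_blobs ROOT: print "CORRUPT <digest>" for every blob whose content
# does not hash to the digest in its path; return 1 if any were found.
verify_blobs() {
    root=$1; bad=0
    for data in "$root"/blobs/sha256/*/*/data; do
        [ -f "$data" ] || continue
        want=$(basename "$(dirname "$data")")
        got=$(sha256sum "$data" | cut -d' ' -f1)
        if [ "$got" != "$want" ]; then
            echo "CORRUPT $want"
            bad=1
        fi
    done
    return $bad
}

# tag_digest ROOT REPO TAG: print the manifest digest the tag links to.
tag_digest() {
    cat "$1/repositories/$2/_manifests/tags/$3/current/link"
}

# verify_tag ROOT REPO TAG: succeed only if the tag's manifest blob exists
# and its content matches the linked digest.
verify_tag() {
    link=$(tag_digest "$1" "$2" "$3") || return 1
    hex=${link#sha256:}
    blob="$1/blobs/sha256/$(printf '%s' "$hex" | cut -c1-2)/$hex/data"
    [ -f "$blob" ] || { echo "MISSING $link"; return 1; }
    [ "$(sha256sum "$blob" | cut -d' ' -f1)" = "$hex" ]
}

# make_sample_store: constructed one-blob store with a busybox:v1 tag.
make_sample_store() {
    root=$(mktemp -d)
    printf '{"schemaVersion":2}' > "$root/manifest.json"
    hex=$(sha256sum "$root/manifest.json" | cut -d' ' -f1)
    dir="$root/blobs/sha256/$(printf '%s' "$hex" | cut -c1-2)/$hex"
    mkdir -p "$dir" "$root/repositories/busybox/_manifests/tags/v1/current"
    mv "$root/manifest.json" "$dir/data"
    printf 'sha256:%s' "$hex" \
        > "$root/repositories/busybox/_manifests/tags/v1/current/link"
    echo "$root"
}

# On the host from this post:
#   verify_blobs /opt/registry/docker/registry/v2
#   verify_tag   /opt/registry/docker/registry/v2 busybox v1
```
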

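    IV. Summary of the steps for setting up a private registry

      Before configuring, you can first turn off the firewall and SELinux entirely

      

      1. Install docker

      2. Edit the configuration file, identically on both nodes. There are two ways (note!!!):

        1) Add the parameter to the /etc/sysconfig/docker file

        OPTIONS='--selinux-enabled --log-driver=journald --signature-verification=false --insecure-registry 192.168.216.51:5000'

        2) Alternatively, add it to the startup parameters in /usr/lib/systemd/system/docker.service

        ExecStart=/usr/bin/dockerd-current --insecure-registry 192.168.216.51:5000

       Note: newer versions no longer have the /etc/sysconfig/docker configuration file, so everything can be placed in the startup parameters in /usr/lib/systemd/system/docker.service

      3. Pull the registry image

      4. Run the registry image and map port 5000

      5. Tag, push and pull images; done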
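
Step 2 above puts `--insecure-registry` in one of two files, so an audit of which registries a host trusts without verified TLS has to read both. The function below is an added example, not part of the original post; it accepts both the `--insecure-registry HOST` and `--insecure-registry=HOST` spellings and skips commented-out lines. The sample files, the function names and the 10.0.0.9 address are constructed for the demonstration.

```shell
#!/bin/sh
# list_insecure_registries FILE...
# Print "FILE: HOST:PORT" for every --insecure-registry value found on an
# active (uncommented) OPTIONS= or ExecStart= line.
list_insecure_registries() {
    for f in "$@"; do
        [ -r "$f" ] || continue
        sed -n -E 's/^[[:space:]]*(OPTIONS|ExecStart)=//p' "$f" |
        tr -d "'\"" |
        awk -v file="$f" '{
            for (i = 1; i <= NF; i++) {
                if ($i == "--insecure-registry" && i < NF)
                    print file ": " $(i + 1)
                else if (index($i, "--insecure-registry=") == 1)
                    print file ": " substr($i, 21)
            }
        }'
    done
}

# demo_audit: run the audit over two constructed files that mirror the
# placements described in step 2.
demo_audit() {
    d=$(mktemp -d)
    cat > "$d/sysconfig-docker" <<'EOF'
# /etc/sysconfig/docker
OPTIONS='--selinux-enabled --log-driver=journald --signature-verification=false --insecure-registry 192.168.216.51:5000'
#OPTIONS='--insecure-registry 10.0.0.9:5000'
EOF
    cat > "$d/docker.service" <<'EOF'
[Service]
ExecStart=/usr/bin/dockerd-current --insecure-registry=192.168.216.51:5000
EOF
    list_insecure_registries "$d/sysconfig-docker" "$d/docker.service" |
        sed "s|$d/||"
    rm -rf "$d"
}

# On a real host:
#   list_insecure_registries /etc/sysconfig/docker \
#       /usr/lib/systemd/system/docker.service
```
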

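     V. Registry with authentication

        Note: this sets up password authentication, not certificate authentication

      1. Create the auth directory

         mkdir /auth

      2. Use the registry image to generate an htpasswd file, which stores the password hashed (bcrypt, via the -B option)

        Create the user zxg with password 123456, hashing the password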

    docker run --entrypoint htpasswd registry -Bbn zxg 123456 >/auth/htpasswd

         You can see that the password 123456 is now stored as a hash

    [root@web1 auth]# cat htpasswd 
    zxg:$2y$05$qCY7iWVJIoOrnIp17WQOf.fcXUTo5xm4DwP3a/8ggzZlEZ3bsnonm

        Note:

            --entrypoint: a docker option that sets the default entry point run when the container starts

      3. Start the image with parameters

    [root@web1 /]# docker run -d -p 5000:5000 --restart=always --name registry1 \
    > -v /opt/registry:/var/lib/registry \
    > -v /auth:/auth \
    > -e "REGISTRY_AUTH=htpasswd" \
    > -e REGISTRY_AUTH_HTPASSWD_REALM="Registry Realm" \
    > -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd \
    > registry
    37f0ce01ea327e6cd62798e0df683d5d2a4317c3fd865c0f1e19b654f052fe66

      4. On node 52, create the busybox tag v2 and upload it: log in first, then push

    [root@web2 ~]# docker login 192.168.216.51:5000
    Username: zxg
    Password: 
    Login Succeeded
    [root@web2 ~]# docker tag busybox:v2 192.168.216.51:5000/busybox:v2
    busybox                       v2                  19485c79a9bb        3 weeks ago         1.22 MB
    
    [root@web2 ~]# docker images
    REPOSITORY                    TAG                 IMAGE ID            CREATED             SIZE
    192.168.216.51:5000/busybox   v1                  19485c79a9bb        3 weeks ago         1.22 MB
    192.168.216.51:5000/busybox   v2                  19485c79a9bb        3 weeks ago         1.22 MB
    busybox                       v1                  19485c79a9bb        3 weeks ago         1.22 MB
    busybox                       v2                  19485c79a9bb        3 weeks ago         1.22 MB
    
    [root@web2 ~]# docker  push 192.168.216.51:5000/busybox:v2
    The push refers to a repository [192.168.216.51:5000/busybox]
    6c0ea40aef9d: Pushed 
    v2: digest: sha256:dd97a3fe6d721c5cf03abac0f50e2848dc583f7c4e41bf39102ceb42edfd1808 size: 527
    [root@web2 ~]# 

       5. Back on node 51, confirm that the upload succeeded

    [root@web1 auth]# tree /opt/registry/docker/registry/v2/
    /opt/registry/docker/registry/v2/
    ├── blobs
    │   └── sha256
    │       ├── 19
    │       │   └── 19485c79a9bbdca205fce4f791efeaa2a103e23431434696cc54fdd939e9198d
    │       │       └── data
    │       ├── 7c
    │       │   └── 7c9d20b9b6cda1c58bc4f9d6c401386786f584437abbe87e58910f8a9a15386b
    │       │       └── data
    │       └── dd
    │           └── dd97a3fe6d721c5cf03abac0f50e2848dc583f7c4e41bf39102ceb42edfd1808
    │               └── data
    └── repositories
        └── busybox
            ├── _layers
            │   └── sha256
            │       ├── 19485c79a9bbdca205fce4f791efeaa2a103e23431434696cc54fdd939e9198d
            │       │   └── link
            │       └── 7c9d20b9b6cda1c58bc4f9d6c401386786f584437abbe87e58910f8a9a15386b
            │           └── link
            ├── _manifests
            │   ├── revisions
            │   │   └── sha256
            │   │       └── dd97a3fe6d721c5cf03abac0f50e2848dc583f7c4e41bf39102ceb42edfd1808
            │   │           └── link
            │   └── tags
            │       ├── latest
            │       │   ├── current
            │       │   │   └── link
            │       │   └── index
            │       │       └── sha256
            │       │           └── dd97a3fe6d721c5cf03abac0f50e2848dc583f7c4e41bf39102ceb42edfd1808
            │       │               └── link
            │       ├── v1
            │       │   ├── current
            │       │   │   └── link
            │       │   └── index
            │       │       └── sha256
            │       │           └── dd97a3fe6d721c5cf03abac0f50e2848dc583f7c4e41bf39102ceb42edfd1808
            │       │               └── link
            │       └── v2
            │           ├── current
            │           │   └── link
            │           └── index
            │               └── sha256
            │                   └── dd97a3fe6d721c5cf03abac0f50e2848dc583f7c4e41bf39102ceb42edfd1808
            │                       └── link
            └── _uploads
    
    35 directories, 12 files

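        The v2 version is now present, so the push succeeded. The next article will cover the Harbor-Registry approach.

    Please credit the source when reposting: https://www.cnblogs.com/zhangxingeng/p/11558782.html 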
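
To confirm that the htpasswd setup in section V is actually enforced, send an unauthenticated `GET /v2/` to the registry: an open registry answers 200, while one started with `REGISTRY_AUTH=htpasswd` answers 401 with a Basic challenge. The classifier below is an added example, not part of the original post; the verdict labels, function names and the two sample responses are constructed for the demonstration. It also flags the combination used on this page, where the password travels over plain HTTP because the registry has no TLS certificate.

```shell
#!/bin/sh
# classify_v2_probe SCHEME
# Read the raw response headers of an unauthenticated "GET /v2/" on stdin
# and print a verdict. SCHEME is "http" or "https", as used for the probe.
classify_v2_probe() {
    tr -d '\r' | awk -v scheme="$1" '
        NR == 1 { status = $2 }
        tolower($1) == "www-authenticate:" { kind = tolower($2) }
        END {
            if (status == "200")
                print "OPEN: no authentication challenge on /v2/"
            else if (status == "401" && kind == "basic" && scheme == "http")
                print "BASIC-CLEARTEXT: password required but sent over plain HTTP"
            else if (status == "401" && kind == "basic")
                print "BASIC-TLS: password required and sent over TLS"
            else if (status == "401")
                print "AUTH: challenge type " kind
            else
                print "UNKNOWN: status " status
        }'
}

# Constructed response of a registry started without REGISTRY_AUTH.
sample_open() {
    printf 'HTTP/1.1 200 OK\r\nContent-Type: application/json; charset=utf-8\r\nDocker-Distribution-Api-Version: registry/2.0\r\n\r\n'
}

# Constructed response of a registry started with the section V options.
sample_basic() {
    printf 'HTTP/1.1 401 Unauthorized\r\nDocker-Distribution-Api-Version: registry/2.0\r\nWww-Authenticate: Basic realm="Registry Realm"\r\n\r\n'
}

# Against the registry from this post:
#   curl -si http://192.168.216.51:5000/v2/ | classify_v2_probe http
```
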

  • Original article: https://www.cnblogs.com/zhangxingeng/p/11558782.html