Docker

Docker - Setup a secure private

2021-01-09  红薯爱帅

1. Set up a private Docker registry

1.1. Set up the server

mkdir /u/devops/docker_repo
cd /u/devops/docker_repo
mkdir certs auth registry

When prompted for the certificate subject, set the Common Name (CN) to the registry's domain name, e.g. myrepo.com. The same name is also placed in a subjectAltName extension (-addext needs OpenSSL 1.1.1 or later), because Docker clients built with Go 1.15 or later no longer accept a certificate whose only name is in the CN:

openssl req -newkey rsa:2048 -nodes -sha256 -keyout certs/myrepo.com.key -x509 -days 365 -addext "subjectAltName=DNS:myrepo.com" -out certs/myrepo.com.crt
htpasswd -Bbn test 123123 > ./auth/htpasswd

docker-compose.yml:
version: "2.3"
services:
  my-repo:
    container_name: my-repo
    restart: always
    image: registry:2.7
    ports:
      - 5443:443
    environment:
      - REGISTRY_HTTP_ADDR=0.0.0.0:443
      - REGISTRY_HTTP_TLS_CERTIFICATE=/certs/myrepo.com.crt
      - REGISTRY_HTTP_TLS_KEY=/certs/myrepo.com.key
      - REGISTRY_AUTH=htpasswd
      - REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd
      - REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm
    volumes:
      - ./registry:/var/lib/registry
      - ./certs:/certs
      - ./auth:/auth

docker-compose up -d

1.2. Set up a node

1.2.1. Prepare the environment and log in to the registry

cd /etc/docker && sudo mkdir -p certs.d/myrepo.com:5443
# Trust the registry's self-signed certificate: the myrepo.com.crt generated in 1.1, copied over from the server
sudo cp /path/to/myrepo.com.crt certs.d/myrepo.com:5443/ca.crt
# A plain ">>" redirection does not run as root, so append through sudo tee instead
echo "10.10.72.189 myrepo.com" | sudo tee -a /etc/hosts
docker login myrepo.com:5443 -u test -p 123123

1.2.2. Pull images from the private registry

docker pull myrepo.com:5443/project/mongo:4.2.0
docker pull myrepo.com:5443/project/redis:5.0

1.2.3. Ansible playbook for #1.2.1 and #1.2.2

Run it against the target host or group with:

ansible-playbook playbook-setup-node.yml -e "remotehost=wave1"

playbook-setup-node.yml:

- hosts: "{{ remotehost }}"
  gather_facts: False
  vars:
    repo_host: "myrepo.com:5443"
  tasks:
    - name: Add mappings to /etc/hosts
      blockinfile:
        path: /etc/hosts
        block: |
          {{ item.ip }} {{ item.name }}
        marker: "# {mark} ANSIBLE MANAGED BLOCK {{ item.name }}"
      loop:
        - { name: myrepo.com, ip: 10.10.72.189 }
      become: yes

    - name: Create docker certs folder
      file:
        path: "/etc/docker/certs.d/{{repo_host}}"
        state: directory
        mode: '0755'
      become: yes

    - name: Copy ca.crt to docker daemon config path
      copy:
        src: /u/devops/docker_repo/certs/myrepo.com.crt
        dest: "/etc/docker/certs.d/{{repo_host}}/ca.crt"
        mode: '0644'
      become: yes

    - name: Login docker registry and pull some images
      shell: |
        docker login {{repo_host}} -u test -p 123123
        docker pull {{repo_host}}/project/mongo:4.2.0
        docker pull {{repo_host}}/project/redis:5.0

2. Common operations and recommended conventions

2.1. List the images in the private registry and all tags of an image

The registry only speaks HTTPS, so query its v2 API over https:// with the htpasswd credentials; pass the registry's own certificate with --cacert rather than disabling verification with -k, and use --resolve so that the name in the certificate maps to the local port (run from /u/devops/docker_repo on the server):

$ curl --cacert certs/myrepo.com.crt --resolve myrepo.com:5443:127.0.0.1 -u 'test:123123' https://myrepo.com:5443/v2/_catalog
{"repositories":["redis","ubuntu"]}
$ curl --cacert certs/myrepo.com.crt --resolve myrepo.com:5443:127.0.0.1 -u 'test:123123' https://myrepo.com:5443/v2/redis/tags/list
{"name":"redis","tags":["5.0"]}

2.2. Image naming convention

Name images as <registry>/<project>/<image name>:<version tag>, so that every image is scoped to the project that uses it, for example:

myrepo.com:5443/project-a/service-xxx:0.12.0
myrepo.com:5443/project-b/prom/prometheus:v2.23.0
myrepo.com:5443/project-b/nginx:1.19.5
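The two operations above, the v2 API queries of 2.1 and the naming convention of 2.2, as an added Python example that is not part of the original post: it talks to the registry with the certificate and htpasswd credentials from section 1.1 instead of disabling TLS verification, and checks that a reference follows the <registry>/<project>/<name>:<tag> layout. The registry address and certificate path are the values from section 1.1; treating the tag as mandatory is an assumption.

```python
import base64
import json
import re
import ssl
import urllib.request

# Constructed for this example: the registry and certificate from section 1.1 (adjust as needed).
REGISTRY = "myrepo.com:5443"
CA_CERT = "/u/devops/docker_repo/certs/myrepo.com.crt"

# Section 2.2 convention, read strictly: <registry>/<project>/<name>:<tag>.
# Assumed here: the tag is mandatory, so an implicit ":latest" is rejected.
IMAGE_RE = re.compile(
    r"^(?P<registry>[a-z0-9.-]+(?::\d+)?)/"
    r"(?P<project>[a-z0-9-]+)/"
    r"(?P<name>[a-z0-9-]+(?:/[a-z0-9-]+)*)"
    r":(?P<tag>[A-Za-z0-9_.-]+)$"
)

def parse_image_ref(ref):
    """Return the reference's parts, or None if it does not follow the convention."""
    m = IMAGE_RE.match(ref)
    return m.groupdict() if m else None

def registry_get(path, user, password, registry=REGISTRY, ca_cert=CA_CERT):
    """GET a v2 API path over TLS, trusting only the registry's own certificate
    (the equivalent of curl --cacert, never of curl -k)."""
    ctx = ssl.create_default_context(cafile=ca_cert)
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(f"https://{registry}{path}",
                                 headers={"Authorization": f"Basic {token}"})
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return json.load(resp)

def full_refs(catalog, tag_lists, registry=REGISTRY):
    """Combine a /v2/_catalog response and per-repository /v2/<name>/tags/list
    responses into fully qualified references; a repository whose manifests were
    all deleted may answer with "tags": null, which is skipped."""
    refs = []
    for name in catalog["repositories"]:
        for tag in tag_lists.get(name, {}).get("tags") or []:
            refs.append(f"{registry}/{name}:{tag}")
    return refs

def list_images(user, password):
    """Walk the whole registry and return every pushed image reference."""
    catalog = registry_get("/v2/_catalog", user, password)
    tags = {n: registry_get(f"/v2/{n}/tags/list", user, password)
            for n in catalog["repositories"]}
    return full_refs(catalog, tags)
```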

3. Summary
