00003. Setting up a private image registry with a podman virtual machine on Windows

2022-08-04  笑着字太黑
1. Install podman

Guide:
https://github.com/containers/podman/blob/main/docs/tutorials/podman-for-windows.md
Software download (scroll to the bottom and choose the msi file):
Releases · containers/podman · GitHub

2. Start | stop the virtual machine
2.1. If WSL was installed before, it is best to uninstall it first

List the WSL distributions installed on the current system:

wslconfig /l

Unregister the distribution you want to remove:

wslconfig /u Ubuntu-18.04
(Ubuntu-18.04 is the name shown by the command above)

Wait a moment for the unregistration to finish, then run wslconfig /l again to confirm it is gone.

2.2. Initialize the virtual machine
podman machine init
2.3. Start the virtual machine (other subcommands: start|stop|ls|ssh|rm)
podman machine start
2.4. Enter the WSL distribution (Ctrl+D returns to the parent shell)
wsl -d podman-machine-default
3. Connect to the virtual machine with an SSH client
3.1. Get the IP address and port the virtual machine exposes for SSH
podman machine ssh
3.2. Confirm that the key file has been generated
C:\Users\[username]\.ssh\podman-machine-default
3.3. As shown in the figure, point the SSH client at the key file (the client I use converts it to a ppk file automatically)
[figure: image.png]
4. Build the registry (preparation)
4.1. Create the directories
/registry/auth
/registry/data
/registry/certs  (not needed if you are not setting up https)
4.2. Create a basic-auth user with htpasswd

Guide: http://lnmp.ailinux.net/htpasswd

Install htpasswd

yum -y install httpd-tools

Create the auth user

cd /registry/auth
# -B selects bcrypt: the registry's htpasswd backend accepts only bcrypt entries
# and silently ignores the MD5 (apr1) hashes htpasswd writes by default, so every login would get 401
htpasswd -Bbc registry.password username password

A file named registry.password is created in the current directory (auth).

4.3. Generate a key and a self-signed certificate (not needed without https)
cd /registry/certs
yum install openssl openssl-devel
sudo openssl req -newkey rsa:2048 -new -nodes -x509 -days 3650 -keyout registry.key -out registry.crt
  Enter the certificate information when prompted:
    Country Name (e.g. CN)
    Province
    City
    Company
    UnitName
    CommonName
    Email
openssl x509 -inform PEM -in registry.crt -out registry.cert
4.4. Pull the registry image (the registry is built from this image)

Register an account on Docker Hub (you can of course try without one):
anonymous pulls are rate-limited and fail with
toomanyrequests: You have reached your pull rate limit.

https://hub.docker.com/

Log in to Docker Hub, then pull the registry image

docker login
docker pull registry
5. Build the registry (start registry over http)

Starting it directly may fail with errors such as:

http: server gave HTTP response to HTTPS client
connect: no route to host

The fix is to edit the configuration file:

/etc/containers/registries.conf
unqualified-search-registries = ["localhost:5000"]
[[registry]]
location = "localhost:5000"
insecure = true
# If true, unencrypted HTTP as well as TLS connections with untrusted
# certificates are allowed. Keep this scoped to this one location and
# comment it out again once the registry serves TLS (section 6).
block = false

Syntax reference: https://www.cnblogs.com/newtonsky/p/15490153.html

Start the registry

docker run -d \
  -p 5000:5000 \
  --restart=always \
  --name registry \
  -v "$(pwd)"/auth:/auth \
  -e "REGISTRY_AUTH=htpasswd" \
  -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry" \
  -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/registry.password \
  -v "$(pwd)"/data:/data \
  -e REGISTRY_STORAGE_FILESYSTEM_ROOTDIRECTORY=/data \
  registry

docker run parameters explained
-d  run in the background
-p  publish a port (host:container)
-v  bind-mount a host path into the container

Verification:

docker ps -a
  confirms that the registry container is running (optional).

curl -s -k -u username:password http://localhost:5000/v2/_catalog
  if it returns {"repositories":[]}, the registry is up

# push test
docker tag docker.io/library/registry localhost:5000/library/registry:1.0.0
# -p puts the password into shell history; --password-stdin avoids that
docker login -u username -p password localhost:5000
docker push localhost:5000/library/registry:1.0.0
curl -s -k -u username:password http://localhost:5000/v2/_catalog
  {"repositories":["library/registry"]}
curl -s -k -u username:password http://localhost:5000/v2/library/registry/tags/list
  {"name":"library/registry","tags":["1.0.0"]}

# pull test
docker pull localhost:5000/library/registry:1.0.0

Other related commands:

docker stop registry
docker rm registry
docker run xxx
docker stop registry
6. Build the registry (start registry over https)

Configure the key and certificate:

mkdir /etc/containers/certs.d/localhost:5000
# certs.d only needs the .crt to trust the registry; a .cert/.key pair there is treated as a
# client certificate, so there is no reason to copy the server's private key into this directory
cp -r /registry/certs/* /etc/containers/certs.d/localhost:5000
# on Fedora-based systems ca-bundle.crt is regenerated by update-ca-trust, so a direct append is
# lost on the next regeneration; dropping the .crt into /etc/pki/ca-trust/source/anchors/ and
# running update-ca-trust is the durable way
cat /registry/certs/registry.crt >> /etc/pki/tls/certs/ca-bundle.crt

Edit the configuration file:

/etc/containers/registries.conf
unqualified-search-registries = ["localhost:5000"]
[[registry]]
location = "localhost:5000"
#insecure = true
# If true, unencrypted HTTP as well as TLS connections with untrusted
# certificates are allowed.
block = false

Start the registry (https)

# note: the registry image does not need --privileged=true; the flag removes the
# container's normal capability and device isolation
docker run -d \
  --privileged=true \
  --restart=always \
  --name registry \
  -v "$(pwd)"/auth:/auth \
  -e "REGISTRY_AUTH=htpasswd" \
  -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry" \
  -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/registry.password \
  -v "$(pwd)"/data:/data \
  -v "$(pwd)"/certs:/certs:z \
  -e REGISTRY_HTTP_ADDR=0.0.0.0:5000 \
  -e REGISTRY_STORAGE_FILESYSTEM_ROOTDIRECTORY=/data \
  -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/registry.crt \
  -e REGISTRY_HTTP_TLS_KEY=/certs/registry.key \
  -p 5000:5000 \
  registry

Verification:
Because a self-signed certificate is used, the client has to trust it explicitly, which is a bit of a hassle;
with a certificate issued by a real CA this problem does not arise.
Here --tls-verify=false is used to skip TLS verification.
The rest is essentially the same as the http section; refer to it.

docker login --tls-verify=false --username username --password password localhost:5000
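As an added example that is not part of the original post, here is a pre-flight script for the setup in sections 4.2, 5 and 6: it checks that registry.password contains only bcrypt entries (the only hash type the registry's htpasswd backend accepts), whether the [[registry]] block for localhost:5000 in registries.conf still has insecure = true active, whether registry.crt carries a subjectAltName for localhost (Go-based clients refuse a CN-only certificate, which is what forces --tls-verify=false above), and finally queries the catalog with curl --cacert so the self-signed certificate is verified instead of skipped. Paths and the username/password placeholders are the ones used in the post; the function names are my own.

```bash
#!/usr/bin/env bash
# Pre-flight checks for the private registry in the post (added example; paths
# are the post's, function names are my own).
# The registry's htpasswd backend accepts only bcrypt ($2a$/$2b$/$2y$) entries;
# apr1/MD5 lines from a plain "htpasswd -bc" are ignored and logins get 401.
htpasswd_is_bcrypt() {
  local f=$1 line
  [ -s "$f" ] || return 1
  while IFS= read -r line || [ -n "$line" ]; do
    [ -z "$line" ] && continue
    case "$line" in
      ?*':$2a$'*|?*':$2b$'*|?*':$2y$'*) ;;
      *) return 1 ;;
    esac
  done < "$f"
  return 0
}
# Returns 0 if the [[registry]] block for HOST has an active "insecure = true"
# (section 5, http); 1 when it is absent or commented out (section 6, https).
registry_is_insecure() {
  local conf=$1 host=$2
  awk -v host="$host" '
    /^[ \t]*\[\[registry\]\]/ { loc = ""; next }
    /^[ \t]*location[ \t]*=/ { gsub(/.*=[ \t]*"|"[ \t]*$/, ""); loc = $0; next }
    /^[ \t]*insecure[ \t]*=[ \t]*true/ && loc == host { found = 1 }
    END { exit (found ? 0 : 1) }
  ' "$conf"
}
# Go-based clients (podman, the registry) reject a certificate that only sets
# CN, which is what forces --tls-verify=false; check for a SAN naming HOST.
cert_has_san() {
  openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q "DNS:$2"
}
# Query the catalog over https trusting only our own certificate (--cacert)
# instead of switching verification off with -k / --tls-verify=false.
catalog_tls() {
  curl -sf --cacert "$2" -u "$3:$4" "https://$1/v2/_catalog"
}
preflight() {
  local host=localhost:5000 crt=/registry/certs/registry.crt
  htpasswd_is_bcrypt /registry/auth/registry.password ||
    echo "WARN: registry.password has non-bcrypt entries; recreate it with htpasswd -Bbc"
  if registry_is_insecure /etc/containers/registries.conf "$host"; then
    echo "NOTE: $host is marked insecure; plain http and untrusted TLS are accepted"
  else
    cert_has_san "$crt" localhost || echo "WARN: $crt has no SAN for localhost"
    catalog_tls "$host" "$crt" "${REGISTRY_USER:-username}" "${REGISTRY_PASS:-password}"
  fi
}
if [ "${1:-}" = run ]; then preflight; fi
```

Run it inside the podman machine as bash preflight.sh run, with REGISTRY_USER and REGISTRY_PASS set to the account created in section 4.2.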