(3): Setting up docker registry2
2018-07-06
木夕月_fc7b
Introduction
Docker Hub uses hub.docker.com as its public registry. In the same way, we can use the registry image to run our own private registry, which speeds up image access within our own network.
1. Environment
[root@localhost docker.registry:5000]# cat /etc/redhat-release
Red Hat Enterprise Linux Server release 7.3 (Maipo)
2. Deployment modes
- Registry without authentication
- Registry over HTTPS (TLS)
- Registry with username/password login
3. Setup steps:
3.1 Registry without authentication
Pull the image:
docker pull registry:2.6.2
Start it without authentication:
docker run -d -p 5000:5000 --name registry2-noauth --restart=always -v /usr/local/docker/registry/auth/:/auth/ -v /usr/local/docker/registry/:/var/lib/registry/ registry:2.6.2
--restart=always: Docker restarts the container automatically whenever the daemon restarts. The /auth/ mount is not used in this mode; it only matters for the htpasswd variant in 3.3.
Client configuration for an insecure (plain HTTP) registry
- Edit /etc/docker/daemon.json
[root@localhost ~]# echo '{ "insecure-registries":["172.16.1.146:5000"] }' > /etc/docker/daemon.json
[root@localhost ~]# cat /etc/docker/daemon.json
{ "insecure-registries":["172.16.1.146:5000"] }
- Reload Docker
sudo systemctl daemon-reload
sudo systemctl restart docker
Without this setting the client refuses to talk to the plain-HTTP registry and fails with an error such as "http: server gave HTTP response to HTTPS client". Note what insecure-registries does: for that address the client accepts HTTP and skips certificate checks, so every push and pull travels in cleartext and can be read or tampered with by anyone on the network path. Use this only in a lab or on a network you control, and prefer the TLS setup in 3.2 for anything shared.
Usage:
- Tag the image and push it
Use docker tag to give the image a name inside the registry's namespace, in this format:
172.16.1.146:5000/registry:2.6.2, where 172.16.1.146 is the address of the private registry, 5000 is its port, registry is the repository (image) name and 2.6.2 is the tag (version)
172.16.1.146 can be a local IP address or a domain name, e.g. www.xxx.net
[root@gitlab conf]# docker tag docker.io/registry:2.6.2 172.16.1.146:5000/registry:2.6.2
After tagging, the local image list contains an entry with the new name (it points at the same image ID as the original); that is the name we push.
- Push the image to the registry
[root@localhost local]# docker push 172.16.1.146:5000/registry:2.6.2
The push refers to a repository [172.16.1.146:5000/registry]
9113493eaae1: Pushed
621c2399d41a: Pushed
59e80739ed3f: Pushed
febf19f93653: Pushed
e53f74215d12: Pushed
2.6.2: digest: sha256:feb40d14cd33e646b9985e2d6754ed66616fedb840226c4d917ef53d616dcd6c size: 1364
- Check whether the image exists
API:
- List all repositories
GET http://127.0.0.1:5000/v2/_catalog
{
  "repositories": [
    "mongo",
    "registry"
  ]
}
- List all tags of an image
GET http://127.0.0.1:5000/v2/registry/tags/list
{
  "name": "registry",
  "tags": [
    "2.6.2",
    "2.6.3"
  ]
}
registry is the image name; the listing shows that the image has been uploaded successfully. Keep in mind that in this mode anyone who can reach port 5000 can run the same queries and push or pull any image, which is the main reason to move on to 3.2 and 3.3.
- Pull an image from the private registry
[root@localhost local]# docker pull 172.16.1.146:5000/registry:2.6.2
Trying to pull repository 172.16.1.146:5000/registry ...
2.6.2: Pulling from 172.16.1.146:5000/registry
Digest: sha256:feb40d14cd33e646b9985e2d6754ed66616fedb840226c4d917ef53d616dcd6c
Status: Downloaded newer image for 172.16.1.146:5000/registry:2.6.2
3.2 Registry over HTTPS (TLS):
Note: with TLS the client does not need the insecure-registries setting. If the address was added in 3.1, remove it again, because an entry there makes the client ignore certificate errors and fall back to plain HTTP for that registry.
- Create the key and self-signed certificate
mkdir -p /usr/local/docker/registry/certs/
cd /usr/local/docker/registry/certs/
openssl req -newkey rsa:4096 -nodes -sha256 -keyout docker.registry.key -x509 -days 365 -out docker.registry.crt
-newkey rsa:4096 generates a fresh private key in docker.registry.key as part of this command; a preceding openssl genrsa -out docker.registry.key 2048 would simply be overwritten, so it is omitted here. To reuse an existing key, pass -key docker.registry.key instead of -newkey.
Example of the information entered (the Common Name must be the host name clients will use to reach the registry; the Country field expects a two-letter ISO code such as CN, not the dialing code 86 typed below):
[root@localhost certs]# openssl req -newkey rsa:4096 -nodes -sha256 -keyout docker.registry.key -x509 -days 365 -out docker.registry.crt
Generating a 4096 bit RSA private key
...........................................................................................++
.............................++
writing new private key to 'docker.registry.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:86
State or Province Name (full name) []:Anhui
Locality Name (eg, city) [Default City]:Hefei
Organization Name (eg, company) [Default Company Ltd]:xxxx
Organizational Unit Name (eg, section) []:xxxx
Common Name (eg, your name or your server's hostname) []:docker.registry
Email Address []:xxx@xxx.com
- Check the certificate's validity period.
[root@localhost docker.registry:5000]# openssl x509 -in docker.registry.crt -noout -dates
notBefore=Jul 5 06:58:36 2018 GMT
notAfter=Jul 5 06:58:36 2019 GMT
- Add the certificate to Docker's trust store
Because the certificate is self-signed, Docker does not trust it by default, so it has to be placed in Docker's per-registry certificate directory. On CentOS 7 (and any Linux Docker host) the path is:
mkdir -p /etc/docker/certs.d/docker.registry:5000
cp /usr/local/docker/registry/certs/docker.registry.crt /etc/docker/certs.d/docker.registry:5000/
docker.registry:5000 is the host name and port actually used to reach the registry. It must match the certificate's Common Name (newer Docker clients built with Go 1.15 or later additionally require the name in a subjectAltName and reject a certificate that only carries a CN), it must resolve on every client, e.g. through /etc/hosts, and this directory is needed on every client host, not only on the registry host.
- Start
docker run -d -p 5000:5000 --name registry2-sslauth -v /usr/local/docker/registry/certs/:/certs/ -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/docker.registry.crt -e REGISTRY_HTTP_TLS_KEY=/certs/docker.registry.key -v /usr/local/docker/registry/:/var/lib/registry/ registry:2.6.2
- Verify:
docker tag docker.io/registry:2.6.2 docker.registry:5000/registry:2.6.2
docker push docker.registry:5000/registry:2.6.2
docker rmi docker.registry:5000/registry:2.6.2
docker pull docker.registry:5000/registry:2.6.2
Everything else works as in 3.1; API calls must use https, e.g. https://docker.registry:5000/v2/_catalog, and curl needs --cacert docker.registry.crt because the certificate is self-signed.
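The certificate steps above, as an added shell example that is not part of the original post: it generates the self-signed certificate with a subjectAltName (required by newer Docker clients, which ignore the Common Name), verifies it before use, and installs it into the client's certs.d directory. The host name docker.registry, the IP 172.16.1.146 and the paths are placeholders taken from the post; openssl is assumed to be installed. The config-file approach is used because the OpenSSL 1.0.2 shipped with RHEL 7 has no -addext option.

```shell
#!/bin/sh
# Added example (not from the original post). Assumptions: openssl is on PATH;
# host names, IP and directories are placeholders.

# make_registry_cert <outdir> <hostname> [ip] [days] [rsa_bits]
# Writes <outdir>/<hostname>.key and <outdir>/<hostname>.crt.
make_registry_cert() {
    dir=$1; host=$2; ip=${3:-}; days=${4:-365}; bits=${5:-4096}
    san="DNS:$host"
    if [ -n "$ip" ]; then san="$san,IP:$ip"; fi
    mkdir -p "$dir"
    # Request config: no interactive prompts, CN plus SAN, server-auth usage.
    printf '%s\n' \
        '[req]' 'distinguished_name = dn' 'x509_extensions = v3_req' 'prompt = no' \
        '[dn]' "CN = $host" \
        '[v3_req]' "subjectAltName = $san" \
        'keyUsage = digitalSignature, keyEncipherment' \
        'extendedKeyUsage = serverAuth' \
        > "$dir/$host.cnf"
    # -newkey creates the private key here; a separate genrsa into the same
    # file would just be overwritten.
    openssl req -x509 -newkey "rsa:$bits" -nodes -sha256 -days "$days" \
        -config "$dir/$host.cnf" -keyout "$dir/$host.key" -out "$dir/$host.crt" 2>/dev/null
    chmod 600 "$dir/$host.key"
}

# Exit 0 if the certificate's SAN lists the given DNS name.
cert_has_san() {
    openssl x509 -in "$1" -noout -text | grep -Eq "DNS:$2(,|\$)"
}

# Exit 0 if the certificate stays valid for at least N more days; useful in a
# cron job so the registry does not start rejecting pulls unannounced.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Exit 0 if certificate and private key belong together (same RSA modulus).
cert_matches_key() {
    [ "$(openssl x509 -in "$1" -noout -modulus)" = "$(openssl rsa -in "$2" -noout -modulus 2>/dev/null)" ]
}

# Copy the certificate to <root>/<host>:<port>/ca.crt, the layout the Docker
# client reads. root defaults to /etc/docker/certs.d; pass another root to test.
install_client_cert() {
    crt=$1; host=$2; port=$3; root=${4:-/etc/docker/certs.d}
    mkdir -p "$root/$host:$port"
    cp "$crt" "$root/$host:$port/ca.crt"
}

# Usage on the post's host (docker.registry must also resolve on every client,
# e.g. via /etc/hosts, or the TLS name check fails):
#   make_registry_cert /usr/local/docker/registry/certs docker.registry 172.16.1.146
#   c=/usr/local/docker/registry/certs/docker.registry
#   cert_has_san $c.crt docker.registry && cert_matches_key $c.crt $c.key \
#       && install_client_cert $c.crt docker.registry 5000
```

The IP SAN lets clients that address the registry as 172.16.1.146:5000 validate the same certificate; in that case the certs.d directory is named after the IP and port instead.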
3.3 Registry with username/password login
- Generate the username:password entry
mkdir -p /usr/local/docker/registry/auth
docker run --entrypoint htpasswd registry:2.6.2 -Bbn admin ****** >> /usr/local/docker/registry/auth/htpasswd
This command creates an entry for user admin with password ****** and appends it to /usr/local/docker/registry/auth/htpasswd. The password is stored as a bcrypt hash (-B), not in clear text; the registry only accepts bcrypt entries, so -B is mandatory. The htpasswd binary was removed from the registry image in 2.7, so with newer images run --entrypoint htpasswd httpd:2 instead.
- Start:
docker run -d -p 5000:5000 --name registry2-httpauth --restart=always -v /usr/local/docker/registry/auth/:/auth/ -e "REGISTRY_AUTH=htpasswd" -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd -v /usr/local/docker/registry/:/var/lib/registry/ registry:2.6.2
- HTTP login:
docker login 172.16.1.146:5000
This variant also needs the insecure-registries setting on the client, as in 3.1; everything else works the same, and API calls must supply the username and password (HTTP basic auth). Because the registry still speaks plain HTTP here, the credentials go over the wire base64-encoded but unencrypted on every request, and docker login keeps them in ~/.docker/config.json. For anything beyond a lab, add the REGISTRY_HTTP_TLS_CERTIFICATE and REGISTRY_HTTP_TLS_KEY variables and the certs mount from 3.2 to the same docker run so that authentication happens over HTTPS.