
RtxTitanV's blog: Setting up a Docker Registry private image repository

Posted: 2021-07-07 12:32

When using a public registry such as Docker Hub is inconvenient, you can run a private registry instead. docker-registry, the tool provided by Docker, can be used to build a private image repository.

This article is a short summary of setting up a Docker Registry private image repository.

I. Environment

Version 2.7 of registry is used here. A machine with Docker already installed is assumed; the environment used in this article is:

• Operating system: CentOS Linux release 7.6.1810
• Docker: 18.09.8

The setup of the Docker Registry private image repository follows.

II. Setting up a private registry without TLS or authentication

First, set up a Docker Registry private image repository with no TLS and no authentication.

1. Pull the Registry image

Pull the registry:2.7 image:

    [root@MSI-PC ~]# docker pull registry:2.7
    2.7: Pulling from library/registry
    486039affc0a: Pull complete
    ba51a3b098e6: Pull complete
    8bb4c43d6c8e: Pull complete
    6f5f453e5f2d: Pull complete
    42bc10b72f42: Pull complete
    Digest: sha256:7d081088e4bfd632a88e3f3bcd9e007ef44a796fddfe3261407a3f9f04abe1e7
    Status: Downloaded newer image for registry:2.7
    

2. Create and run the Registry container

By default the registry stores its data under /var/lib/registry inside the container. The option -v /usr/local/docker/registry:/var/lib/registry mounts the host directory /usr/local/docker/registry at /var/lib/registry in the container, so pushed images end up in /usr/local/docker/registry on the host:

    [root@MSI-PC ~]# docker run -d --name myregistry -p 5000:5000 -v /usr/local/docker/registry:/var/lib/registry registry:2.7
    00666d7457ee139f9e59402f1d55e6f0d22ba857fa4005ce301e94b7855bd844
    

3. Make Docker trust the private registry address

Open /etc/docker/daemon.json with vi:

    [root@MSI-PC ~]# vi /etc/docker/daemon.json
    

Note that daemon.json must be valid JSON, otherwise Docker will fail to start. Add the following to daemon.json (if the file already holds other settings, put the insecure-registries key inside the existing top-level object rather than creating a second one):

{
  "insecure-registries": ["192.168.221.128:5000"]
}
    

Here 192.168.221.128 is the host IP and 5000 is the host port mapped to the registry container's port. Then restart the Docker service and the myregistry container:

    [root@MSI-PC ~]# systemctl restart docker
    [root@MSI-PC ~]# docker start myregistry
    myregistry
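
The edit to daemon.json is the step most likely to take the daemon down, since a stray comma or a fragment pasted outside the braces makes the file unparsable. The script below is an added example, not part of the article: it merges the insecure-registries entry into an existing daemon.json without discarding other keys, validates the result, and only then restarts dockerd. It assumes a python interpreter (python3, or the python 2.7 shipped with CentOS 7) is available for the JSON handling; jq is used as a fallback for validation only. The function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the article: merge an insecure-registries entry into
# daemon.json and validate the result before restarting dockerd. A malformed
# daemon.json stops the Docker daemon from starting, so the file is checked first.

# pick_python: prints an available python interpreter (python3 or python), or fails.
pick_python() {
    command -v python3 2>/dev/null || command -v python 2>/dev/null
}

# merge_insecure_registry FILE ADDR
# Adds ADDR to the "insecure-registries" list in FILE, creating the file if it
# does not exist and leaving every other key untouched. Running it twice with
# the same ADDR does not duplicate the entry.
merge_insecure_registry() {
    file="$1"
    addr="$2"
    py="$(pick_python)" || { echo "python not found" >&2; return 2; }
    "$py" - "$file" "$addr" <<'EOF'
import json, os, sys
path, addr = sys.argv[1], sys.argv[2]
cfg = {}
if os.path.exists(path) and os.path.getsize(path) > 0:
    with open(path) as f:
        cfg = json.load(f)          # raises if the existing file is malformed
regs = cfg.setdefault("insecure-registries", [])
if addr not in regs:
    regs.append(addr)
with open(path, "w") as f:
    json.dump(cfg, f, indent=2)
    f.write("\n")
EOF
}

# validate_json FILE: exit status 0 if FILE is exactly one well-formed JSON document.
validate_json() {
    file="$1"
    if py="$(pick_python)"; then
        "$py" -c 'import json, sys; json.load(open(sys.argv[1]))' "$file" >/dev/null 2>&1
    elif command -v jq >/dev/null 2>&1; then
        jq -e . "$file" >/dev/null 2>&1
    else
        echo "no JSON validator (python or jq) found" >&2
        return 2
    fi
}

# apply_insecure_registry ADDR [FILE]
# The article's step 3 as one procedure: edit daemon.json, verify it parses,
# then restart dockerd. The restart only runs for the real daemon.json and only
# where systemctl exists, so the function can be exercised against a scratch file.
apply_insecure_registry() {
    addr="$1"
    file="${2:-/etc/docker/daemon.json}"
    merge_insecure_registry "$file" "$addr" || return 1
    if ! validate_json "$file"; then
        echo "$file is not valid JSON; fix it before restarting docker" >&2
        return 1
    fi
    if [ "$file" = /etc/docker/daemon.json ] && command -v systemctl >/dev/null 2>&1; then
        systemctl restart docker
    fi
}

# Usage: sh add_insecure_registry.sh 192.168.221.128:5000
# (as root with no second argument this edits /etc/docker/daemon.json and restarts docker)
if [ "$#" -ge 1 ]; then
    apply_insecure_registry "$1" "${2:-}"
fi
```

Keep in mind what the entry means for the daemon: every image pulled from an address listed under insecure-registries travels over plain HTTP with no certificate check, so the list should hold only lab addresses and be removed once the TLS setup from section III is in place.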
    

4. Verify the setup

Query the private registry's catalog; it is currently empty:

    [root@MSI-PC ~]# curl http://192.168.221.128:5000/v2/_catalog
    {"repositories":[]}
    

Tag the nginx image; the format is registry-ip:5000/image-name-in-registry:[tag]:

    [root@MSI-PC ~]# docker tag nginx 192.168.221.128:5000/my_nginx
    

Push the image to the private registry:

    [root@MSI-PC ~]# docker push 192.168.221.128:5000/my_nginx
    The push refers to repository [192.168.221.128:5000/my_nginx]
    589561a3ffb4: Pushed
    ef7dbb0cfc81: Pushed
    d56055da3352: Pushed
    latest: digest: sha256:f83b2ffd963ac911f9e638184c8d580cc1f3139d5c8c33c87c3fb90aebdebf76 size: 948
    [root@MSI-PC ~]# curl http://192.168.221.128:5000/v2/_catalog
    {"repositories":["my_nginx"]}
    

Delete the local 192.168.221.128:5000/my_nginx image, then pull it from the private registry. The output is shown below; a successful push and pull shows that the private registry is working.

    [root@MSI-PC ~]# docker rmi 192.168.221.128:5000/my_nginx
    Untagged: 192.168.221.128:5000/my_nginx:latest
    Untagged: 192.168.221.128:5000/my_nginx@sha256:f83b2ffd963ac911f9e638184c8d580cc1f3139d5c8c33c87c3fb90aebdebf76
    [root@MSI-PC ~]# docker pull 192.168.221.128:5000/my_nginx
    Using default tag: latest
    latest: Pulling from my_nginx
    Digest: sha256:f83b2ffd963ac911f9e638184c8d580cc1f3139d5c8c33c87c3fb90aebdebf76
    Status: Downloaded newer image for 192.168.221.128:5000/my_nginx:latest
    

At this point a private registry with basic functionality is running, which is enough for personal study. But with neither TLS nor authentication its security is poor. The following sections add TLS and authentication to the private registry.

III. TLS for the private registry

1. Generate the SSL private key and certificate

Create the directory for the certificate and change into it:

    [root@MSI-PC ~]# mkdir /usr/local/docker/certs
    [root@MSI-PC ~]# cd /usr/local/docker/certs/
    

Generate the SSL private key and self-signed certificate:

    [root@MSI-PC certs]# openssl req -newkey rsa:4096 -nodes -sha256 -keyout myrepository.key -x509 -days 365 -out myrepository.crt
    Generating a 4096 bit RSA private key
    ...............++
    ..........................................................................++
    writing new private key to 'myrepository.key'
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [XX]:cn
    State or Province Name (full name) []:chongqing
    Locality Name (eg, city) [Default City]:chongqing
    Organization Name (eg, company) [Default Company Ltd]:rtxtitanv
    Organizational Unit Name (eg, section) []:Linux
    Common Name (eg, your name or your server's hostname) []:docker.domain.com
    Email Address []:rtxtitanv@docker.domain.com
    

2. Create and run the TLS-enabled private registry

Remove the registry container created earlier:

    [root@MSI-PC certs]# docker rm -f myregistry
    myregistry
    

Docker client setup: copy the certificate to /etc/docker/certs.d/docker.domain.com/ca.crt, the directory the Docker daemon consults for the CA certificate of the registry docker.domain.com:

    [root@MSI-PC certs]# mkdir -p /etc/docker/certs.d/docker.domain.com
    [root@MSI-PC certs]# cp /usr/local/docker/certs/myrepository.crt /etc/docker/certs.d/docker.domain.com/ca.crt
    

Add a hosts entry so the domain resolves to the host:

    [root@MSI-PC certs]# vim /etc/hosts
    
    192.168.221.128 docker.domain.com
    

Create and run the TLS-enabled private registry:

    [root@MSI-PC certs]# docker run -d \
    >   --name=myregistry \
    >   --restart=always \
    >   -v /usr/local/docker/certs:/certs \
    >   -v /usr/local/docker/myregistry_tls:/var/lib/registry \
    >   -e REGISTRY_HTTP_ADDR=0.0.0.0:443 \
    >   -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/myrepository.crt \
    >   -e REGISTRY_HTTP_TLS_KEY=/certs/myrepository.key \
    >   -p 443:443 registry:2.7
    5efb6276aebce0295bd3541aba98aa50ef099bf2af03bfd8480fee7a9b5842f3
    

The parameters are explained below:

• -e REGISTRY_HTTP_ADDR=0.0.0.0:443: the address and port the service listens on inside the container
• -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/myrepository.crt: the SSL certificate to load
• -e REGISTRY_HTTP_TLS_KEY=/certs/myrepository.key: the SSL private key to load
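
The openssl command in step 1 puts docker.domain.com only in the Common Name. Docker 18.09 accepts that, but Docker builds based on Go 1.15 or later ignore the CN and require a subjectAltName, so the same certificate would be rejected by a newer client. The script below is an added example, not from the article: it generates the certificate with a SAN, installs it under /etc/docker/certs.d/<host>/ca.crt as step 2 does, and checks the SAN and the trust relationship with openssl before the registry is started. It uses a small OpenSSL config file rather than -addext so that it also works with the OpenSSL 1.0.2 shipped on CentOS 7; the file names follow the article, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the article: self-signed registry certificate with a
# subjectAltName, Docker client trust install, and verification with openssl.

# gen_registry_cert DIR HOST
# Writes DIR/myrepository.key and DIR/myrepository.crt valid for DNS:HOST.
# The article uses rsa:4096; 2048 is used here only to keep the example fast.
gen_registry_cert() {
    dir="$1"
    host="$2"
    mkdir -p "$dir" || return 1
    cat > "$dir/openssl.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions    = v3_req
prompt             = no

[dn]
CN = $host

[v3_req]
subjectAltName   = DNS:$host
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
basicConstraints = CA:TRUE
EOF
    openssl req -newkey rsa:2048 -nodes -sha256 -x509 -days 365 \
        -keyout "$dir/myrepository.key" -out "$dir/myrepository.crt" \
        -config "$dir/openssl.cnf" >/dev/null 2>&1 || return 1
    # whoever reads this key can impersonate the registry: owner-only access
    chmod 600 "$dir/myrepository.key"
}

# cert_has_san CRT HOST: succeeds if CRT lists DNS:HOST in its subjectAltName.
cert_has_san() {
    openssl x509 -in "$1" -noout -text 2>/dev/null | grep -qF "DNS:$2"
}

# install_client_trust CRT HOST [CERTS_D]
# Copies the certificate to CERTS_D/HOST/ca.crt (default /etc/docker/certs.d),
# which is where dockerd looks for the CA of registry HOST.
install_client_trust() {
    crt="$1"
    host="$2"
    certs_d="${3:-/etc/docker/certs.d}"
    mkdir -p "$certs_d/$host" || return 1
    cp "$crt" "$certs_d/$host/ca.crt"
}

# verify_against_trust CRT CA_CRT: succeeds if CRT chains to CA_CRT, the same
# relationship the Docker client checks when it connects to the registry.
verify_against_trust() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Usage: sh registry_cert.sh /usr/local/docker/certs docker.domain.com
if [ "$#" -eq 2 ]; then
    gen_registry_cert "$1" "$2" \
        && cert_has_san "$1/myrepository.crt" "$2" \
        && install_client_trust "$1/myrepository.crt" "$2" \
        && verify_against_trust "$1/myrepository.crt" "/etc/docker/certs.d/$2/ca.crt" \
        && echo "certificate for $2 written to $1 and trusted by the Docker client"
fi
```

After running it, the docker run command from step 2 can be used unchanged, since the certificate and key keep the names /certs/myrepository.crt and /certs/myrepository.key inside the container.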

3. Verify the setup

Tag the image as docker.domain.com/my_nginx and push it to the private registry:

    [root@MSI-PC certs]# docker tag nginx docker.domain.com/my_nginx
    [root@MSI-PC certs]# docker push docker.domain.com/my_nginx
    The push refers to repository [docker.domain.com/my_nginx]
    589561a3ffb4: Pushed
    ef7dbb0cfc81: Pushed
    d56055da3352: Pushed
    latest: digest: sha256:f83b2ffd963ac911f9e638184c8d580cc1f3139d5c8c33c87c3fb90aebdebf76 size: 948
    

Go into the local registry directory to see the pushed image:

    [root@MSI-PC certs]# cd /usr/local/docker/myregistry_tls/docker/registry/v2/repositories/
    [root@MSI-PC repositories]# ls
    my_nginx
    

Delete the local image and pull it from the private registry. The output is shown below; a successful push and pull shows that the TLS-enabled private registry is working.

    [root@MSI-PC repositories]# docker rmi docker.domain.com/my_nginx
    Untagged: docker.domain.com/my_nginx:latest
    Untagged: docker.domain.com/my_nginx@sha256:f83b2ffd963ac911f9e638184c8d580cc1f3139d5c8c33c87c3fb90aebdebf76
    [root@MSI-PC repositories]# docker pull docker.domain.com/my_nginx
    Using default tag: latest
    latest: Pulling from my_nginx
    Digest: sha256:f83b2ffd963ac911f9e638184c8d580cc1f3139d5c8c33c87c3fb90aebdebf76
    Status: Downloaded newer image for docker.domain.com/my_nginx:latest
    

IV. Adding authentication to the private registry

1. Create the credentials file

Create the directory for the credentials file (the commands below are run from /usr/local/docker, which is later mounted as /auth):

    [root@MSI-PC docker]# mkdir auth
    

Create the htpasswd credentials file (-B produces bcrypt hashes, the only format the registry's htpasswd backend accepts):

    [root@MSI-PC docker]# docker run --entrypoint htpasswd registry:2.7 -Bbn rtxtitanv 123456 > auth/htpasswd
    

View the htpasswd file:

    [root@MSI-PC docker]# cat auth/htpasswd
    rtxtitanv:$2y$05$/ugZUG9pnOJHShwM0SNWIu.YYjjP6iT0YQLpHAUjTtwgbBBS6cqsO
    

2. Create and run the private registry with TLS and authentication

Remove the registry container created earlier:

    [root@MSI-PC docker]# docker rm -f myregistry
    myregistry
    

Create and run the private registry with TLS and authentication:

    [root@MSI-PC docker]# docker run -d \
    >   --restart=always \
    >   --name myregistry \
    >   -v /usr/local/docker/certs:/certs \
    >   -v /usr/local/docker/auth:/auth \
    >   -v /usr/local/docker/myregistry_tls_auth:/var/lib/registry \
    >   -e REGISTRY_HTTP_ADDR=0.0.0.0:443 \
    >   -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/myrepository.crt \
    >   -e REGISTRY_HTTP_TLS_KEY=/certs/myrepository.key \
    >   -e "REGISTRY_AUTH=htpasswd" \
    >   -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" \
    >   -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd \
    >   -p 443:443 registry:2.7
    dfc7970af025cd445991cfbf394d5d083c780e283b04a6041d6d67605090d377
    

The parameters are explained below:

• -e "REGISTRY_AUTH=htpasswd": sets the authentication method
• -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm": sets the realm string shown in the authentication prompt
• -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd: specifies the credentials file

3. Verify the setup

Push directly without logging in first; the registry rejects the push:

    [root@MSI-PC docker]# docker push docker.domain.com/my_nginx
    The push refers to repository [docker.domain.com/my_nginx]
    589561a3ffb4: Preparing
    ef7dbb0cfc81: Preparing
    d56055da3352: Preparing
    no basic auth credentials
    

Log in:

    [root@MSI-PC docker]# docker login docker.domain.com
    Username: rtxtitanv
    Password:
    WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
    Configure a credential helper to remove this warning. See
    https://docs.docker.com/engine/reference/commandline/login/#credentials-store
    
    Login Succeeded
    

After a successful login the credentials are written to /root/.docker/config.json; view the file:

    [root@MSI-PC docker]# cat /root/.docker/config.json
    {
            "auths": {
                    "docker.domain.com": {
                            "auth": "cnR4dGl0YW52OjEyMzQ1Ng=="
                    }
            },
            "HttpHeaders": {
                    "User-Agent": "Docker-Client/18.09.8 (linux)"
            }
    }[root@MSI-PC docker]#
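
The "auth" value in config.json is base64 of username:password, not a hash, which is exactly what the warning printed by docker login refers to: anyone who can read the file has the registry password. The script below is an added example, not from the article, with a few checks a practitioner would run around these two credential files: it decodes an "auth" value, extracts the value stored for a given registry from a config.json laid out as docker writes it, checks that config.json is owner-readable only, and checks that every line of the server-side htpasswd file is a bcrypt hash, since the registry's htpasswd backend accepts no other format. The base64 string and the bcrypt line in the test are the ones shown on this page; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the article: checks around the Docker client
# credential store (config.json) and the registry's htpasswd file.

# decode_docker_auth B64: prints the "user:password" behind an "auth" value.
decode_docker_auth() {
    printf '%s' "$1" | base64 -d
}

# auth_user B64: prints only the username from an "auth" value.
auth_user() {
    decode_docker_auth "$1" | cut -d: -f1
}

# config_auth_value CONFIG HOST
# Prints the "auth" value stored for registry HOST in a docker config.json.
# Assumes the indented layout docker writes (host line, then an "auth" line).
config_auth_value() {
    awk -v host="\"$2\"" '
        index($0, host ":") { inhost = 1; next }
        inhost && /"auth"/ {
            sub(/.*"auth"[[:space:]]*:[[:space:]]*"/, ""); sub(/".*/, ""); print; exit
        }
        inhost && /}/ { inhost = 0 }
    ' "$1"
}

# check_config_perms CONFIG: succeeds only if the file mode is exactly 600,
# since the file holds the registry password in recoverable form.
check_config_perms() {
    mode="$(stat -c %a "$1" 2>/dev/null)" || return 2
    [ "$mode" = "600" ]
}

# check_htpasswd_bcrypt FILE
# Succeeds if every non-empty line is "user:$2a|$2b|$2y$<cost>$<53 chars>".
# The registry logs an error and refuses logins for entries in any other format.
check_htpasswd_bcrypt() {
    bad="$(grep -v '^[[:space:]]*$' "$1" \
        | grep -Ev '^[^:]+:\$2[aby]\$[0-9]{2}\$[./A-Za-z0-9]{53}$' || true)"
    [ -z "$bad" ]
}

# htpasswd_add USER PASSWORD FILE
# Appends a bcrypt entry using the htpasswd binary from the registry image,
# the same command the article uses (with >> so existing users are kept).
htpasswd_add() {
    docker run --rm --entrypoint htpasswd registry:2.7 -Bbn "$1" "$2" >> "$3"
}

# Usage: sh registry_creds.sh [CONFIG] [HTPASSWD]
if [ "$#" -ge 1 ]; then
    check_config_perms "$1" && echo "$1: mode 600 ok" || echo "$1: should be mode 600" >&2
    if [ "$#" -ge 2 ]; then
        check_htpasswd_bcrypt "$2" && echo "$2: all entries are bcrypt" \
            || echo "$2: contains non-bcrypt entries" >&2
    fi
fi
```

The login warning is removed by configuring a credential helper, as the docker login output suggests; until then, the mode check above is the minimum to apply to /root/.docker/config.json on the build host.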
    

Push the image again, now authenticated:

[root@MSI-PC docker]# docker push docker.domain.com/my_nginx
    The push refers to repository [docker.domain.com/my_nginx]
    589561a3ffb4: Pushed
    ef7dbb0cfc81: Pushed
    d56055da3352: Pushed
    latest: digest: sha256:f83b2ffd963ac911f9e638184c8d580cc1f3139d5c8c33c87c3fb90aebdebf76 size: 948
    

First delete the local image, then pull it from the private registry. The output is shown below; a successful push and pull shows that the private registry with TLS and authentication is working.

    [root@MSI-PC docker]# docker rmi docker.domain.com/my_nginx
    Untagged: docker.domain.com/my_nginx:latest
    Untagged: docker.domain.com/my_nginx@sha256:f83b2ffd963ac911f9e638184c8d580cc1f3139d5c8c33c87c3fb90aebdebf76
    [root@MSI-PC docker]# docker pull docker.domain.com/my_nginx
    Using default tag: latest
    latest: Pulling from my_nginx
    Digest: sha256:f83b2ffd963ac911f9e638184c8d580cc1f3139d5c8c33c87c3fb90aebdebf76
    Status: Downloaded newer image for docker.domain.com/my_nginx:latest
    