-
猿创征文|docker本地仓库的搭建(简易可快速使用的本地仓库)
前言:
docker三要素之一的仓库是比较重要的一个概念,那么,如何快速的搭建一个简单易用的私人本地仓库呢?注意了,这里的私人本地仓库不是指的的那些重型的比如harbor这样的企业级的本地私人仓库,主要是重型仓库部署使用起来并不简单和快速,背离了我们的初衷嘛 ,对吧。
那么,本文打算探讨一种快速的搭建本地私人docker仓库,该仓库功能比较简单(说人话就是简易代表功能少,哈哈哈),并且有一定的安全性,主要是有证书验证,说人话就是开启https验证。
部署前的规划:
两台服务器,IP地址分别为192.168.217.16和192.168.217.17,操作系统是centos7。两个服务器都安装有docker环境,计划是16服务器安装本地私人仓库服务端,1服务器做客户端,将17服务器的镜像传送到16服务器上。
正式部署:
一,
相关镜像下载 :
- docker pull registry.cn-beijing.aliyuncs.com/google_registry/registry:2.4.1
- docker pull registry.cn-beijing.aliyuncs.com/google_registry/docker-registry-web:latest
运行镜像(有挂载volume,这样别的服务器使用这个私有仓库,上传的镜像才会直接到本机服务器内的var/lib/registry这个路径下,否则,该容器重启,上传的镜像就没有啦,这里一定要仔细思考并理解哦,才会明白volume到底是有什么用处):
建立两个挂载点,一个是挂载本地仓容器得数据到本地,一个是本地仓库容器得配置文件:
mkdir -p /opt/registry/{data,conf}编辑这个文件,文件内容如下,一会此文件要挂载到容器内
- [root@slave1 data]# cat /opt/registry/conf/config.yml
- version: 0.1
- log:
- fields:
- service: registry
- storage:
- cache:
- blobdescriptor: inmemory
- filesystem:
- rootdirectory: /var/lib/registry
- http:
- addr: :5000
- headers:
- X-Content-Type-Options: [nosniff]
- health:
- storagedriver:
- enabled: true
- interval: 10s
- threshold: 4
是在192.168.217.16这个服务器上启动的镜像哦,记住这个IP,后面会用到 ,启动容器得命令:
- docker run -d -p 5000:5000 \
- -v /opt/registry/data:/var/lib/registry \
- -v /opt/registry/conf/config.yml:/etc/docker/registry/config.yml \
- --name localregistry registry.cn-beijing.aliyuncs.com/google_registry/registry:2.4.1
在16服务器上,镜像启动成功后,可以看到5000端口已经开放:
- [root@k8s-master ~]# netstat -antup |grep 5000
- tcp6 0 0 :::5000 :::* LISTEN 13073/docker-proxy
这样的方式启动的本地仓库已经可以使用了,现在只是差两个步骤
(1)告诉docker的客户端要使用哪个仓库
这一步是编辑docker的配置文件 /etc/docker/daemo.json (通常是这个文件),例如,在192.168.217.17这个服务器上配置如下(主要是添加这个:"insecure-registries": ["192.168.217.16:5000"], ):
- cat /etc/docker/daemon.json
- {
- "registry-mirrors": ["http://bc437cce.m.daocloud.io"],
- "exec-opts":["native.cgroupdriver=systemd"],
- "insecure-registries": ["192.168.217.17:5000"],
- "log-driver": "json-file",
- "log-opts": {
- "max-size": "100m"
- },
- "storage-driver": "overlay2"
- }
为什么是定义的5000端口呢?因为该镜像告诉我们这么定义的,证据如下:
- [root@slave1 ~]# docker history registry.cn-beijing.aliyuncs.com/google_registry/registry:2.4.1
- IMAGE CREATED CREATED BY SIZE COMMENT
- 8ff6a4aae657 6 years ago /bin/sh -c #(nop) CMD ["serve" "/etc/docker/… 0B
6 years ago /bin/sh -c #(nop) ENTRYPOINT &{["/bin/regist… 0B 6 years ago /bin/sh -c #(nop) EXPOSE 5000/tcp 0B 6 years ago /bin/sh -c #(nop) VOLUME [/var/lib/registry] 0B 6 years ago /bin/sh -c #(nop) COPY file:ebd8cc424c954b92… 315B 6 years ago /bin/sh -c #(nop) COPY file:e46a815cdda044c6… 26.1MB 6 years ago /bin/sh -c apt-get update && apt-get ins… 20.4MB 6 years ago /bin/sh -c #(nop) CMD ["/bin/bash"] 0B 6 years ago /bin/sh -c #(nop) ADD file:76679eeb94129df23… 125MB
然后重启docker服务:
systemctl daemon-reload && systemctl restart docker(2)
在17服务器上修改镜像的名称,给镜像打上本地仓库标签,就以前面的镜像registry.cn-beijing.aliyuncs.com/google_registry/docker-registry-web为例,打上16服务器的本地仓库标签吧:
没打标签前:
- [root@master ~]# docker images
- REPOSITORY TAG IMAGE ID CREATED SIZE
- registry.cn-beijing.aliyuncs.com/google_registry/docker-registry-web latest 0db5683824d8 5 years ago 599MB
- registry.cn-beijing.aliyuncs.com/google_registry/registry 2.4.1 8ff6a4aae657 6 years ago 172MB
打标签后,修改成了192.168.217.16:5000/registry(在17服务器上修改tag):
- [root@slave2 ~]# docker tag registry.cn-beijing.aliyuncs.com/google_registry/docker-registry-web 192.168.217.16:5000/registry-web
- [root@master ~]# docker images
- REPOSITORY TAG IMAGE ID CREATED SIZE
- 192.168.217.16:5000/registry-web latest 0db5683824d8 5 years ago 599MB
- registry.cn-beijing.aliyuncs.com/google_registry/docker-registry-web latest 0db5683824d8 5 years ago 599MB
- registry.cn-beijing.aliyuncs.com/google_registry/registry 2.4.1 8ff6a4aae657 6 years ago 172MB
可以将17服务器上的这个registry-web上传到16服务器上啦,根据前面打的仓库标签,表示它要上传到的是一个私人仓库:
- [root@master ~]# docker push 192.168.217.16:5000/registry-web
- The push refers to repository [192.168.217.16:5000/registry-web]
- 8779b4998d0c: Pushed
- 9eb22ef427e2: Pushed
- 64d1c65ea33e: Pushed
- d6c3b0e63834: Pushed
- 1315f14832fa: Pushed
- d16096ccf0bb: Pushed
- 463a4bd8f8c1: Pushed
- be44224e76b9: Pushed
- d96a8038b794: Pushed
- f469fc28e82e: Pushed
- 8418a42306ef: Pushed
- 03457c5158e2: Pushed
- 7ef05f1204ee: Pushed
- f7049feabf0b: Pushed
- 5ee52271b8b7: Pushed
- 8b1153b14d3a: Pushed
- 367b9c52c931: Pushed
- 3567b2f05514: Pushed
- 292a66992f77: Pushed
- 641fcd2417bc: Pushed
- 78ff13900d61: Pushed
- latest: digest: sha256:2c4f88572e1626792d3ceba6a5ee3ea99f1c3baee2a0e8aad56f0e7c3a6bf481 size: 4695
查询私有仓库内有哪些镜像:
- [root@master ~]# curl 192.168.217.16:5000/v2/_catalog
- {"repositories":["registry-web"]}
查询这个镜像的版本号(是latest):
- [root@master ~]# curl 192.168.217.16:5000/v2/registry-web/tags/list
- {"name":"registry-web","tags":["latest"]}
在18服务器上注册一哈本地仓库:
vim /etc/docker/daemon.json
添加"insecure-registries": ["192.168.217.16:5000"],
在18服务器上pull这个nginx:
- [root@k8s-node2 ~]# docker pull 192.168.217.16:5000/nginx
- Using default tag: latest
- latest: Pulling from nginx
- Digest: sha256:9b0fc8e09ae1abb0144ce57018fc1e13d23abd108540f135dc83c0ed661081cf
- Status: Downloaded newer image for 192.168.217.16:5000/nginx:latest
- 192.168.217.16:5000/nginx:latest
OK,就这么一个简单到极致的本地docker镜像仓库就搭建好了,镜像上传到到了16服务器上,我们前面建立的那个目录/opt/registry/data/docker/registry/v2/repositories下了:
- [root@master ~]# cd /opt/registry/data/docker/registry/v2/
- [root@master v2]# ls
- blobs repositories
那么,这么一个本地镜像仓库有问题吗?有,主要是关于安全方面的,实在是不安全啊。下面就来说一说安全方面的提升问题。
二,
https证书本地私人仓库的开启
在16服务器上,先建立证书存放路径:
mkdir /opt/ssl在16服务器上,生成证书,并查看证书:
- [root@master v2]# openssl req -newkey rsa:4096 -nodes -sha256 -keyout /opt/ssl/myssl.key -x509 -days 365 -out /opt/ssl/myssl.pem
- Generating a RSA private key
- ..................................................................................................................++++
- ....................................................................++++
- writing new private key to '/opt/ssl/myssl.key'
- -----
- You are about to be asked to enter information that will be incorporated
- into your certificate request.
- What you are about to enter is what is called a Distinguished Name or a DN.
- There are quite a few fields but you can leave some blank
- For some fields there will be a default value,
- If you enter '.', the field will be left blank.
- -----
- Country Name (2 letter code) [AU]:CN#随便写,自己做的证书不需要太多讲究
- State or Province Name (full name) [Some-State]:WLMQ#随便写,自己做的证书不需要太多讲究
- Locality Name (eg, city) []:XJ
- Organization Name (eg, company) [Internet Widgits Pty Ltd]:XJJ#随便写,自己做的证书不需要太多讲究
- Organizational Unit Name (eg, section) []:WLMQ#随便写,自己做的证书不需要太多讲究
- Common Name (e.g. server FQDN or YOUR name) []:master.com.cn # 这个不能乱写了,必须是二级域名的形式,我这里是master.com.cn
- Email Address []:
- Email Address []:
- [root@slave1 repositories]# cd /opt/ssl/
- [root@slave1 ssl]# ls
- myssl.key myssl.pem
在16和17服务器上,域名解析master.com.cn(编辑hosts文件,写入对master.com.cn的解析,这个域名是证书制作的时候定义的哦):
- [root@slave1 ssl]# cat /etc/hosts
- 127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
- ::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
- 192.168.217.16 master k8s-master master.com.cn
- 192.168.217.17 slave1 k8s-node1
- 192.168.217.18 slave2 k8s-node2
在16服务器上,删除前面在运行的那个开启端口5000的镜像:
docker rm -f $(docker ps -aq)在16服务器上,重新启动镜像,这次启动要开启443端口了(容器里挂载相关证书,-v /opt/ssl:/certs这是挂载到容器得/certs目录。):
- docker run -d --restart=always --name registry \
- -v /opt/ssl:/certs \
- -v /opt/registry/data:/var/lib/registry \
- -v /opt/registry/conf/config.yml:/etc/docker/registry/config.yml \
- -e REGISTRY_HTTP_ADDR=0.0.0.0:443 \
- -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/myssl.pem \
- -e REGISTRY_HTTP_TLS_KEY=/certs/myssl.key \
- -p 443:443 registry.cn-beijing.aliyuncs.com/google_registry/registry:2.4.1
镜像启动成功后,可以看到443端口开启了:
- [root@k8s-master ~]# netstat -antup |grep 443
- tcp6 0 0 :::443 :::* LISTEN 8074/docker-proxy
任意服务器,稍微验证一哈是不是开启了443端口:
- [root@k8s-node2 ~]# curl -k https://master.com.cn/v2/_catalog
- {"repositories":["nginx"]}
这里注意一哈,一定要在docker的配置文件里注册啦,因为是https的形式,不然会报错的哦(16和17,18服务器都注册一哈)
- [root@slave1 ssl]# cat /etc/docker/daemon.json
- {
- "registry-mirrors": ["http://bc437cce.m.daocloud.io"],
- "exec-opts":["native.cgroupdriver=systemd"],
- "insecure-registries": ["master.com.cn","192.168.217.16:5000"],
- "log-driver": "json-file",
- "log-opts": {
- "max-size": "100m"
- },
- "storage-driver": "overlay2"
- }
添加完注册重启docker服务:
systemctl daemon-reload && systemctl restart docker
还是同样的套路,同样的配方,修改镜像以符合仓库的要求,然后就可以上传啦:
在17服务器上,先从阿里云下载一个busybox镜像,然后查看现有的镜像:
- [root@node1 ~]# docker images
- REPOSITORY TAG IMAGE ID CREATED SIZE
- busybox 1.28.3 8ac48589692a 4 years ago 1.15MB
- 192.168.217.16:5000/registry-web latest 0db5683824d8 5 years ago 599MB
- registry.cn-beijing.aliyuncs.com/google_registry/docker-registry-web latest 0db5683824d8 5 years ago 599MB
- registry.cn-beijing.aliyuncs.com/google_registry/registry 2.4.1 8ff6a4aae657 6 years ago 172MB
在17服务器上,修改镜像的仓库标识:
- [root@node1 ~]# docker tag busybox:1.28.3 master.com.cn/busybox:1.28.3
- [root@node1 ~]# docker images
- REPOSITORY TAG IMAGE ID CREATED SIZE
- busybox 1.28.3 8ac48589692a 4 years ago 1.15MB
- master.com.cn/busybox 1.28.3 8ac48589692a 4 years ago 1.15MB
- 192.168.217.16:5000/registry-web latest 0db5683824d8 5 years ago 599MB
- registry.cn-beijing.aliyuncs.com/google_registry/docker-registry-web latest 0db5683824d8 5 years ago 599MB
- registry.cn-beijing.aliyuncs.com/google_registry/registry 2.4.1 8ff6a4aae657 6 years ago 172MB
在17服务器上面,上传修改好仓库标识的镜像到16服务器的本地仓库内:
- [root@k8s-node1 ~]# systemctl daemon-reload && systemctl restart docker
- [root@k8s-node1 ~]# docker push master.com.cn/busybox:1.28.3
- The push refers to repository [master.com.cn/busybox]
- 0314be9edf00: Pushed
- 1.28.3: digest: sha256:186694df7e479d2b8bf075d9e1b1d7a884c6de60470006d572350573bfa6dcd2 size: 527
同样的,上传另一个镜像。在192.168.217.17这个服务器上,看看有哪些镜像:
- [root@slave1 ~]# docker images
- REPOSITORY TAG IMAGE ID CREATED SIZE
- busybox latest 7a80323521cc 4 weeks ago 1.24MB
- nginx 1.8 0d493297b409 6 years ago 133MB
把这个133M的nginx上传到192.168.217.16上的本地镜像仓库内:
一样的,需要把域名写到17服务器的hosts文件内和docker的配置文件/etc/docker/daemon.json内并重启docker服务,修改镜像的仓库标识,然后就可以上传啦
- [root@slave1 ~]# docker push master.com.cn/nginx:1.8
- The push refers to repository [master.com.cn/nginx]
- 5f70bf18a086: Pushed
- 62fd1c28b3bf: Pushed
- 6d700a2d8883: Pushed
- c12ecfd4861d: Pushed
- 1.8: digest: sha256:746419199c9569216937fc59604805b7ac0f52b438bb5ca4ec6b7f990873b198 size: 1977
那么前面的操作都是上传push,pull是怎么弄呢?通过接口可以查询私人仓库内有哪些镜像核镜像的具体版本号呢?:
- [root@slave1 ssl]# curl -k https://master.com.cn/v2/_catalog
- {"repositories":["nginx"]}
具体版本号:
- [root@slave2 ~]# curl -k https://master.com.cn/v2/nginx/tags/list
- {"name":"nginx","tags":["1.8"]}
-
相关阅读:
唤醒手腕 - 微信小程序、QQ小程序、抖音小程序学习笔记(更新中)
Java中ExecutorService线程的Callable的future.get()方法堵塞当前线程解决方法
9.15 Day 52---操作系统
8.4 数据结构——选择排序
cdh6.2+ 集成flink1.14.4
随机数发生器设计(四)
python中的accumulate()函数
TI C2000系列TMS320F2837xD开发板(DSP+FPGA)硬件规格参数说明书
多线程JUC 第2季 synchronized锁升级过程
c++编写简易版2048小游戏
- 原文地址:https://blog.csdn.net/alwaysbefine/article/details/126651407
