Docker--Repositor
二、Docker仓库
一、基本概述
仓库(Repository)是集中存放镜像的地方。
一个容易混淆的概念是注册服务器(Registry) 。实际上注册服务器是管理仓库的具体服务器,每个服务器上可以有多个仓库,而每个仓库下面有多个镜像。从这方面来说,仓库可以被认为是一个具体的项目或目录。例如对于仓库地址 docker.sina.com.cn/centos:centos63 来说,docker.sina.com.cn 是注册服务器地址,centos 是仓库名,centos63 是仓库的 tag。
Docker Hub 官方仓库
目前 Docker 官方维护了一个公共仓库 Docker Hub,其中已经包括了超过 15,000 的镜像。大部分需求,都可以通过在 Docker Hub 中直接下载镜像来实现。
注册&登录
可以通过命令行执行 docker login 命令来输入用户名、 密码和邮箱来完成注册和登录。 注册成功后,本地用户目录的 .docker/config.json 中将保存用户的认证信息。
基本操作
用户无需登录即可通过 docker search 命令来查找官方仓库中的镜像,并利用 docker pull 命令来将它下载到本地。 例如以 centos 为关键词进行搜索:
可以看到返回了很多包含关键字的镜像, 其中包括镜像名字、 描述、 星级 (表示该镜像的受欢迎程度) 、是否官方创建、是否自动创建。 官方的镜像说明是官方项目组创建和维护的,automated 资源允许用户验证镜像的来源和内容。
根据是否是官方提供,可将镜像资源分为两类。
一种是类似 centos 这样的基础镜像,被称为基础或根镜像。这些基础镜像是由 Docker 公司创建、验证、支持、提供。这样的镜像往往使用单个单词作为名字。
还有一种类型,比如 tianon/centos 镜像,它是由 Docker 的用户创建并维护的,往往带有用户名称前缀。可以通过前缀 user_name/ 来指定使用某个用户提供的镜像,比如 tianon 用户。另外,在查找的时候通过 -s N 参数可以指定仅显示评价为 N 星以上的镜像。
二、创建自己的仓库----镜像仓库
拓扑:
说明:
docker.benet.com 这是docker registry服务器的主机名称, ip是192.168.1.107;因为https的SSL证书要用到主机名,所以要设置主机名。
docker registry 服务器作为处理docker镜像的最终上传和下载,用的是官方的镜像registry。 nginx 1.6.x 是一个用nginx作为反向代理服务器
(一)、私有仓库https支持:
1.安装依赖软件包:
[root@repository ~]# yum -y install pcre devel zlib-devel openssl openssl-devel
在Nginx编译需要PCRE,因为Nginx的Rewrite模块和HTTP核心模块会使用到PCRE正则表达式。需要安装pcre和pcre-devel用yum就能安装。 Zlib库提供了开发人员的压缩算法,在nginx的模块中需要使用gzip压缩。 需要安装zlib和zlib-devel用yum就可以安装 在Nginx中如果需要为服务器提供安全则需要用到OpenSSL库。 需要安装的是openssl和openssl-devel。用yum就可以安装。
hostname
[root@repository ~]# hostnamectl set-hostname docker.benet.com
[root@repository ~]# bash
[root@docker ~]# hostname
docker.benet.com
[root@docker ~]#
2.配置SSL
(1) 编辑/etc/hosts,把docker.benet.com的ip地址添加进来,例如:
主机名、ip地址:
[root@docker ~]# ifconfig eno16777736
eno16777736: flags=4163 mtu 1500
inet 192.168.142.163 netmask 255.255.255.0 broadcast 192.168.142.255
inet6 fe80::20c:29ff:fe3c:1c0 prefixlen 64 scopeid 0x20
ether 00:0c:29:3c:01:c0 txqueuelen 1000 (Ethernet)
RX packets 806309 bytes 1116337317 (1.0 GiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 211572 bytes 17728543 (16.9 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
[root@docker ~]#
/etc/hosts文件内容:
[root@docker ~]# cat /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.142.163 docker.benet.com
[root@docker ~]#
(2) 生成根密钥
先把 /etc/pki/CA/cacert.pem /etc/pki/CA/index.txt /etc/pki/CA/index.txt.attr /etc/pki/CA/index.txt.old /etc/pki/CA/serial /etc/pki/CA/serial.old 删除掉!
[root@docker ~]# cd /etc/pki/CA
[root@docker CA]# ls
certs crl newcerts private
[root@docker CA]#
[root@docker CA]# openssl genrsa -out private/cakey.pem 2048
Generating RSA private key, 2048 bit long modulus
..................................+++
...+++
e is 65537 (0x10001)
[root@docker CA]# ls
certs crl newcerts private
[root@docker CA]# cd private/
[root@docker private]# ls
cakey.pem
[root@docker private]#
(3) 生成根证书
执行
[root@docker CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem
输出如下信息
[root@docker private]# cd ..
[root@docker CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:beijing
Organization Name (eg, company) [Default Company Ltd]:perma
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:docker.benet.com
Email Address []:
[root@docker CA]#
会提示输入一些内容,因为是私有的,所以可以随便输入,最好记住能与后面保持一致,特别是"Common Name”。必须要和hostname显示的一致。 上面的自签证书cacert.pem应该生成在/etc/pki/CA下。
[root@docker CA]# ls
cacert.pem certs crl newcerts private
(4) 为nginx web服务器生成ssl密钥
[root@docker pki]# cd /etc/ssl
[root@docker ssl]# openssl genrsa -out nginx.key 2048
Generating RSA private key, 2048 bit long modulus
.................................+++
..................................................................................................+++
e is 65537 (0x10001)
注:因为CA中心与要申请证书的nginx服务器是同一个所以就在本机上执行为nginx服务器生成ssl密钥了,否则应该是在另一台需要用到证书的服务器上生成。 查看nginx服务器的密钥
[root@docker ssl]# ls
certs nginx.key
(5) 为nginx生成证书签署请求
执行 openssl req -new -key nginx.key -out nginx.csr 输出如下信息
[root@docker ssl]# openssl req -new -key nginx.key -out nginx.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:beijing
Organization Name (eg, company) [Default Company Ltd]:perma
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:docker.benet.com
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@docker ssl]#
同样会提示输入一些内容,Commone Name一定要是你要授予证书的服务器域名或主机名,challenge password不填。
(6) 私有CA根据请求来签发证书
[root@docker ssl]# touch /etc/pki/CA/index.txt
[root@docker ssl]# touch /etc/pki/CA/serial
[root@docker ssl]# echo 00 > /etc/pki/CA/serial
执行 openssl ca -in nginx.csr -out nginx.crt 输出内容:
[root@docker ssl]# openssl ca -in nginx.csr -out nginx.crt
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 0 (0x0)
Validity
Not Before: Jul 27 14:02:34 2016 GMT
Not After : Jul 27 14:02:34 2017 GMT
Subject:
countryName = CN
stateOrProvinceName = beijing
organizationName = perma
commonName = docker.benet.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
1F:0B:12:9F:A7:E9:C2:23:ED:61:A8:94:28:82:2D:34:13:AE:F4:06
X509v3 Authority Key Identifier:
keyid:DE:3B:A6:10:A0:B7:C9:C7:3A:C4:83:2F:11:1C:89:2D:15:5C:CC:BC
Certificate is to be certified until Jul 27 14:02:34 2017 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
同样会提示输入一些内容,选择y就可以了! 查看nginx的证书
[root@docker ssl]# ls
certs nginx.crt nginx.csr nginx.key
3.安装,配置,运行nginx
(1) 添加组和用户
[root@docker ssl]# groupadd www -g 58
[root@docker ssl]# useradd -u 58 -g www www
(2) 下载nginx源文件:
[root@docker ssl]# wget http://nginx.org/download/nginx-1.11.2.tar.gz
--2016-07-27 22:05:11-- http://nginx.org/download/nginx-1.11.2.tar.gz
Resolving nginx.org (nginx.org)... 206.251.255.63, 95.211.80.227, 2001:1af8:4060:a004:21::e3
Connecting to nginx.org (nginx.org)|206.251.255.63|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 924979 (903K) [application/octet-stream]
Saving to: ‘nginx-1.11.2.tar.gz’
100%[==============================================================>] 924,979 39.6KB/s in 37s
2016-07-27 22:05:51 (24.4 KB/s) - ‘nginx-1.11.2.tar.gz’ saved [924979/924979]
[root@docker ssl]# ls
certs nginx-1.11.2.tar.gz nginx.crt nginx.csr nginx.key
[root@docker ssl]#
(3) 编译,安装nginx:
[root@docker ssl]# tar zxf nginx-1.11.2.tar.gz -C ~
[root@docker ssl]# cd
[root@docker ~]# ls
anaconda-ks.cfg Desktop Downloads nginx-1.11.2 sshd_dockerfile Videos
centos6-test.tar Dockerfile hello-world.tar Pictures Templates
centos-6-x86_64.tar.gz Documents Music Public util-linux-2.24.tar.gz
[root@docker ~]# cd nginx-1.11.2/
[root@docker nginx-1.11.2]# ls
auto CHANGES CHANGES.ru conf configure contrib html LICENSE man README src
[root@docker nginx-1.11.2]# ./configure --user=www --group=www --prefix=/opt/nginx \
> --with-pcre \
> --with-http_stub_status_module \
> --with-http_ssl_module \
> --with-http_addition_module \
> --with-http_realip_module \
> --with-http_flv_module
上述选项的解释:
- --user=USER 设定程序运行的用户环境(www) --group=GROUP 设定程序运行的组环境(www)
- --prefix=PATH 设定安装目录
- --with-pcre 启用pcre库,Nginx的Rewrite模块和HTTP核心模块会使用到PCRE正则表达式
- --with-http_stub_status_module 是为了启用 nginx 的 NginxStatus 功能,用来监控 Nginx 的当前状态
- --with-http_ssl_module 开启SSL模块,支持使用HTTPS协议的网页
- --with-http_realip_module 开启Real IP的支持,该模块用于从客户请求的头数据中读取Real Ip地址
- --with-http_addition_module 开启Addtion模块,该模块允许你追加或前置数据到相应的主体部分
- --with-http_flv_module模块ngx_http_flv_module 为Flash Video(FLV)文件 提供服务端伪流媒体支持
[root@docker nginx-1.11.2]# make && make install
(4) 编辑/opt/nginx/conf/nginx.conf文件
[root@docker nginx-1.11.2]# cat /opt/nginx/conf/nginx.conf | grep -v "#" | grep -v "^$"
user www;
worker_processes 4;
events {
worker_connections 4096;
}
http {
include mime.types;
default_type application/octet-stream;
sendfile on;
keepalive_timeout 65;
upstream registry {
server 192.168.142.163:5000;
}
server {
listen 443 ssl;
server_name localhost;
ssl_certificate ../certs/server.crt;
ssl_certificate_key ../certs/server_nopwd.key;
ssl_session_cache shared:SSL:1m;
ssl_session_timeout 5m;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
location / {
proxy_pass http://backend;
client_max_body_size 3000m;
proxy_set_header Host $host;
proxy_set_header X-Forwad-For $remote_addr;
}
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root html;
}
}
}
相关选项含义:
- ssl_session_cache 会话缓存用于保存SSL会话,这些缓存在工作进程间共享,可以使用ssl_session_cache指令进行配置。1M缓存可以存放大约4000个会话。
- ssl_session_timeout 缓存超时,默认的缓存超时是5分钟。
- ssl_ciphers HIGH:!aNULL:!MD5 使用高强度的加密算法
- ssl_prefer_server_ciphers on 依赖SSLv3和TLSv1协议的服务器密码将优先于客户端密码。即:在SSLv3或这是TLSv1握手时选择一个密码,通常是使用客户端的偏好。如果这个指令是启用的,那么服务器反而是使用服务器的偏好。
- client_max_body_size 即允许上传文件大小的最大值
- proxy_set_header Host $host和proxy_set_header X-Forward-For $remote_addr的作用描述:
nginx为了实现反向代理的需求而增加了一个ngx_http_proxy_module模块。其中proxy_set_header指令就是该模块需要读取的配置文件。在这里,所有设置的值的含义和http请求同中的含义完全相同,除了Host外还有X-Forward-For。 Host的含义是表明请求的主机名,因为nginx作为反向代理使用,而如果后端真实的服务器设置有类似防盗链或者根据http请求头中的host字段来进行路由或判断功能的话,如果反向代理层的nginx不重写请求头中的host字段,将会导致请求失败【默认反向代理服务器会向后端真实服务器发送请求,并且请求头中的host字段应为proxy_pass指令设置的服务器】。 同理,X_Forward_For字段表示该条http请求是有谁发起的?如果反向代理服务器不重写该请求头的话,那么后端真实服务器在处理时会认为所有的请求都来自反向代理服务器,如果后端有防攻击策略的话,那么机器就被封掉了。因此,在配置用作反向代理的nginx中一般会增加两条配置,修改http的请求头: proxy_set_header Host $http_host; proxy_set_header X-Forward-For $remote_addr; 这里的$http_host和$remote_addr都是nginx的导出变量,可以再配置文件中直接使用。
(5) 验证配置
/opt/nginx/sbin/nginx -t
[root@docker nginx-1.11.2]# /opt/nginx/sbin/nginx -t
nginx: [emerg] BIO_new_file("/opt/nginx/conf/../certs/server.crt") failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/opt/nginx/conf/../certs/server.crt','r') error:2006D080:BIO routines:BIO_new_file:no such file)
nginx: configuration file /opt/nginx/conf/nginx.conf test failed
重新修改配置文件
[root@docker ssl]# vim /opt/nginx/conf/nginx.conf
[root@docker ssl]# cat /opt/nginx/conf/nginx.conf | grep -v "#" | grep -v "^$"
user www;
worker_processes 4;
events {
worker_connections 4096;
}
http {
include mime.types;
default_type application/octet-stream;
sendfile on;
keepalive_timeout 65;
upstream registry {
server 192.168.142.163:5000;
}
server {
listen 443 ssl;
server_name localhost;
ssl_certificate /etc/ssl/nginx.crt;
ssl_certificate_key /etc/ssl/nginx.key;
ssl_session_cache shared:SSL:1m;
ssl_session_timeout 5m;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
location / {
proxy_pass http://backend;
client_max_body_size 3000m;
proxy_set_header Host $host;
proxy_set_header X-Forwad-For $remote_addr;
}
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root html;
}
}
}
再次测试
[root@docker ssl]# /opt/nginx/sbin/nginx -t
nginx: the configuration file /opt/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /opt/nginx/conf/nginx.conf test is successful
注意这里虽然测试syntax是没有错误的,但是上面的配置文件中有错误
[root@docker ~]# cat /opt/nginx/conf/nginx.conf | grep -v "#" | grep -v "^$"
user www;
worker_processes 4;
events {
worker_connections 4096;
}
http {
include mime.types;
default_type application/octet-stream;
sendfile on;
keepalive_timeout 65;
upstream registry {
server 192.168.142.163:5000;
}
server {
listen 443 ssl;
server_name localhost;
ssl_certificate /etc/ssl/nginx.crt;
ssl_certificate_key /etc/ssl/nginx.key;
ssl_session_cache shared:SSL:1m;
ssl_session_timeout 5m;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
location / {
proxy_pass http://registry;
client_max_body_size 3000m;
proxy_set_header Host $host;
proxy_set_header X-Forwad-For $remote_addr;
}
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root html;
}
}
}
将这里原来的“backend”更改为proxy_pass http://registry;
[root@docker ~]# killall -s HUP nginx //重新加载nginx
[root@docker ~]# killall -s QUIT nginx //重新启动nginx
[root@docker ~]# /opt/nginx/sbin/nginx
(6) 启动nginx:
执行/opt/nginx/sbin/nginx
[root@docker ~]# /opt/nginx/sbin/nginx
(7) 验证nginx是否启动:
[root@docker ~]# ps -ef | grep -i "nginx"
root 79230 1 0 22:44 ? 00:00:00 nginx: master process /opt/nginx/sbin/nginx
www 79231 79230 0 22:44 ? 00:00:00 nginx: worker process
www 79232 79230 0 22:44 ? 00:00:00 nginx: worker process
www 79233 79230 0 22:44 ? 00:00:00 nginx: worker process
www 79234 79230 0 22:44 ? 00:00:00 nginx: worker process
root 79257 75870 0 22:45 pts/2 00:00:00 grep --color=auto -i nginx
[root@docker ~]# netstat -anpt | grep nginx
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 79230/nginx: master
(二)、配置,运行Docker
(1) 停止docker
[root@docker ~]# systemctl stop docker
(2)编辑/etc/sysconfig/docker文件,加上如下一行
[root@docker ~]# vim /etc/sysconfig/docker
[root@docker ~]# cat /etc/sysconfig/docker
DOCKER_OPTS="--insecure-registry docker.benet.com --tlsverify --tlscacert /etc/pki/CA/cacert.pem"
(3) 把根证书复制到/etc/docker/certs.d/docker.yy.com/目录下
[root@docker ~]# mkdir -p /etc/docker/certs.d/docker.benet.com
[root@docker ~]# cp /etc/pki/CA/cacert.pem /etc/docker/certs.d/docker.benet.com/ca-certificates.crt
(4) 启动docker
[root@docker ~]# systemctl start docker
(三)、运行私有仓库容器
通过获取官方 registry 镜像来运行
[root@docker ~]# docker search registry
NAME DESCRIPTION STARS OFFICIAL AUTOMATED
registry Containerized docker registry 961 [OK]
konradkleine/docker-registry-frontend Browse and modify your Docker registry in ... 103 [OK]
atcol/docker-registry-ui A web UI for easy private/local Docker Reg... 82 [OK]
distribution/registry WARNING: NOT the registry official image!!... 38 [OK]
samalba/docker-registry 36 [OK]
hyper/docker-registry-web Web UI, authentication service and event r... 34 [OK]
marvambass/nginx-registry-proxy Docker Registry Reverse Proxy with Basic A... 28 [OK]
h3nrik/registry-ldap-auth LDAP and Active Directory authentication p... 12 [OK]
jhipster/jhipster-registry JHipster Registry, based on Netflix Eureka... 7 [OK]
allingeek/registry A specialization of registry:2 configured ... 4 [OK]
pallet/registry-swift Add swift storage support to the official ... 4 [OK]
metadata/registry Metadata Registry is a tool which helps yo... 1 [OK]
silintl/registry Docker Registry 2.0, data stored in S3. 1 [OK]
silintl/registry-proxy A reverse proxy for the Docker Registry 2.0 1 [OK]
devsli/cifs-registry Docker Registry on CIFS (Samba) 1 [OK]
bhuisgen/alpine-registry alpine-registry 1 [OK]
kampka/registry A docker registry image based on kampka/ar... 0 [OK]
qnib/registry Alpine image of QNIBTerminal w/ docker-reg... 0 [OK]
h0tbird/registry Containerized Docker registry service 0 [OK]
openshift/simple-authenticated-registry A simple authenticated Docker registry tha... 0 [OK]
webhippie/registry Docker images for registry 0 [OK]
katch/schema-registry Confluent IO Katch Schema Registry 0 [OK]
nouchka/registry Docker registry with auto-generation of ht... 0 [OK]
centos/registry Docker registry v2 / AKA Distribution 0 [OK]
crowleyio/registry-grsec Containerized docker registry for grsecuri... 0 [OK]
[root@docker ~]#
[root@docker ~]# docker pull registry
Using default tag: latest
latest: Pulling from library/registry
8387d9ff0016: Pull complete
3b52deaaf0ed: Pull complete
4bd501fad6de: Pull complete
a3ed95caeb02: Pull complete
1d4dc7bffbb8: Pull complete
7c4baf947271: Pull complete
e14b922ad4f5: Pull complete
f1d1dbdd4f97: Pull complete
f2bbca3948d0: Pull complete
4e3899dc28fa: Pull complete
Digest: sha256:f374c0d9b59e6fdf9f8922d59e946b05fbeabaed70b0639d7b6b524f3299e87b
Status: Downloaded newer image for registry:latest
[root@docker ~]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
centos ssh 295662378a51 35 hours ago 664.7 MB
25cbc0a76930 35 hours ago 664.7 MB
test commit bccf75ecf2f4 4 days ago 671.5 MB
centos6 import 1c57411c9e2c 4 days ago 613.9 MB
python latest 9152ad50a7f9 7 days ago 694.2 MB
centos centos6 cf2c3ece5e41 3 weeks ago 194.6 MB
hello-world latest c54a2cc56cbb 3 weeks ago 1.848 kB
registry latest bca04f698ba8 6 months ago 422.8 MB
使用官方的 registry 镜像来启动本地的私有仓库。 用户可以通过指定参数来配置私有仓库位置。
例如将目录/opt/data/registry作为私有仓库的位置
[root@docker ~]# mkdir -pv /opt/data/registry
mkdir: created directory ‘/opt/data’
mkdir: created directory ‘/opt/data/registry’
运行私有仓库容器
[root@docker ~]# docker run -d -p 5000:5000 -v /opt/data/registry:/tmp/registry registry
7e1f53f23341e81d1ffc3243d987eb1eedf060d51c834e7b25c8b3819ade3f57
[root@docker ~]# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
7e1f53f23341 registry "docker-registry" 5 seconds ago Up 3 seconds 0.0.0.0:5000->5000/tcp nauseous_visvesvaraya
可以通过 -v 参数来将镜像文件存放在本地的指定路径。 例如上面的例子将上传的镜像放到 /opt/data/registry 目录。
-p(小写的)用于将容器的5000端口映射宿主机的5000端口。
(四)、验证registry:
用浏览器输入: https://docker.benet.com
或者:curl -i -k https://docker.benet.com
[root@docker ~]# curl -i -k https://docker.benet.com
HTTP/1.1 200 OK
Server: nginx/1.11.2
Date: Thu, 28 Jul 2016 07:04:59 GMT
Content-Type: application/json
Content-Length: 28
Connection: keep-alive
Expires: -1
Pragma: no-cache
Cache-Control: no-cache
"\"docker-registry server\""[root@docker ~]#
curl是通过url语法在命令行下上传或下载文件的工具软件,它支持http,https,ftp,ftps,telnet等多种协议,常被用来抓取网页和监控Web服务器状态
服务端的配置就到此完成! 注意:注意防火墙
(五)、Docker客户端配置
(1)编辑/etc/hosts,把docker.benet.com的ip地址添加进来,例如:
[root@client ~]# cat /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.142.163 docker.benet.com
[root@client ~]#
(2)把docker registry服务器端的根证书追加到ca-certificates.crt文件里
先从docker registry服务器端把文件/etc/pki/CA/cacert.pem拷贝到本机,然后执行命令: cat ./cacert.pem >> /etc/pki/tls/certs/ca-certificates.crt
[root@docker ~]# scp /etc/pki/CA/cacert.pem [email protected]:/root
[email protected]'s password:
cacert.pem 100% 1289 1.3KB/s 00:00
[root@docker ~]#
[root@client ~]# ls
anaconda-ks.cfg cacert.pem
[root@client ~]# cat cacert.pem >> /etc/pki/tls/certs/ca-certificates.crt
(3) 验证docker.benet.com下的registry:
用浏览器输入: https://docker.benet.com
或者:curl -i -k https://docker.benet.com
[root@client ~]# curl -i -k https://docker.benet.com
HTTP/1.1 200 OK
Server: nginx/1.11.2
Date: Thu, 28 Jul 2016 07:04:32 GMT
Content-Type: application/json
Content-Length: 28
Connection: keep-alive
Expires: -1
Pragma: no-cache
Cache-Control: no-cache
"\"docker-registry server\""[root@client ~]#
(4) 使用私有registry步骤:
- 登录: docker login -u testuser -p pwd123 -e "[email protected]" https://docker.benet.com
[root@client ~]# docker login https://docker.benet.com
Username: testuser
Password:
Email: [email protected]
Error response from daemon: invalid registry endpoint https://docker.benet.com/v0/: unable to ping registry endpoint https://docker.benet.com/v0/
v2 ping attempt failed with error: Get https://docker.benet.com/v2/: x509: certificate has expired or is not yet valid
v1 ping attempt failed with error: Get https://docker.benet.com/v1/_ping: x509: certificate has expired or is not yet valid. If this private registry supports only HTTP or HTTPS with an unknown CA certificate, please add `--insecure-registry docker.benet.com` to the daemon's arguments. In the case of HTTPS, if you have access to the registry's CA certificate, no need for the flag; simply place the CA certificate at /etc/docker/certs.d/docker.benet.com/ca.crt
[root@client ~]#
这个问题最后排查是由于两个虚拟机的时间不一致导致的
[root@client certs]# date
Wed Jul 27 14:43:38 CST 2016
[root@client certs]# date -s "2016-07-28 12:26"
Thu Jul 28 12:26:00 CST 2016
[root@client certs]# docker login https://docker.benet.com
Username: testuser
Password:
Email: [email protected]
WARNING: login credentials saved in /root/.docker/config.json
Account created. Please see the documentation of the registry https://docker.benet.com/v1/ for instructions how to activate it.
[root@client certs]#
docker.benet.com的时间也是12:26将client更改成和docker.benet.com的时间一样 然后再登录就可以成功登录。
- 从Docker HUB 上拉取一个镜像测试,为基础镜像打个标签: docker tag centos:centos6 docker.benet.com/centos:centos6
[root@client ~]# ls
anaconda-ks.cfg cacert.pem centos6.tar
[root@client ~]# docker load -i centos6.tar
[root@client ~]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
docker.io/centos centos6 cf2c3ece5e41 3 weeks ago 194.6 MB
[root@client ~]# docker tag docker.io/centos:centos6 docker.benet.com/centos:centos6
[root@client ~]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
docker.benet.com/centos centos6 cf2c3ece5e41 3 weeks ago 194.6 MB
docker.io/centos centos6 cf2c3ece5e41 3 weeks ago 194.6 MB
- 发布: 上传镜像到本地私有仓库
docker push docker.benet.com/centos:centos6
[root@client ~]# docker push docker.benet.com/centos:centos6
The push refers to a repository [docker.benet.com/centos]
2714f4a6cdee: Image successfully pushed
Pushing tag for rev [cf2c3ece5e41] on {https://docker.benet.com/v1/repositories/centos/tags/centos6}
[root@client ~]#
查看私有仓库是否有对应的镜像
# curl 192.168.0.167:5000/v1/search
[root@client ~]# curl 192.168.142.163:5000/v1/search
{"num_results": 1, "query": "", "results": [{"description": "", "name": "library/centos"}]}[root@client ~]#
查看镜像的存储目录和文件(在镜像服务器) tree /opt/data/registry/repositories
[root@docker ~]# curl 192.168.142.163:5000/v1/search
{"num_results": 1, "query": "", "results": [{"description": "", "name": "library/centos"}]}[root@docker ~]#
[root@docker ~]# mount /dev/cdrom /media
mount: /dev/sr0 is write-protected, mounting read-only
[root@docker ~]# cd /media/Packages/
[root@docker Packages]# rpm -ivh tree-1.6.0-10.el7.x86_64.rpm
Preparing... ################################# [100%]
Updating / installing...
1:tree-1.6.0-10.el7 ################################# [100%]
[root@docker Packages]# cd
[root@docker ~]# tree /opt/data/registry/repositories/
/opt/data/registry/repositories/
└── library
└── centos
├── _index_images
├── tag_centos6
└── tagcentos6_json
2 directories, 3 files
[root@docker ~]#
从私有仓库pull下来image,查看image
[root@client ~]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
docker.benet.com/centos centos6 cf2c3ece5e41 3 weeks ago 194.6 MB
docker.io/centos centos6 cf2c3ece5e41 3 weeks ago 194.6 MB
[root@client ~]# docker rmi cf2c3ece5e41
Failed to remove image (cf2c3ece5e41): Error response from daemon: conflict: unable to delete cf2c3ece5e41 (must be forced) - image is referenced in one or more repositories
[root@client ~]# docker rmi -f cf2c3ece5e41
Untagged: docker.benet.com/centos:centos6
Untagged: docker.io/centos:centos6
Deleted: sha256:cf2c3ece5e418fd063bfad5e7e8d083182195152f90aac3a5ca4dbfbf6a1fc2a
Deleted: sha256:2714f4a6cdee9d4c987fef019608a4f61f1cda7ccf423aeb8d7d89f745c58b18
[root@client ~]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
[root@client ~]# docker pull docker.benet.com/centos:centos6
Trying to pull repository docker.benet.com/centos ...
Pulling repository docker.benet.com/centos
cf2c3ece5e41: Pulling image (centos6) from docker.benet.com/centos, endpoint: https://docker.benet.com/v
cf2c3ece5e41: Pull complete
Status: Downloaded newer image for docker.benet.com/centos:centos6
docker.benet.com/centos: this image was pulled from a legacy registry. Important: This registry version will not be supported in future versions of docker.
[root@client ~]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
docker.benet.com/centos centos6 7e4e26acce17 3 weeks ago 194.6 MB
[root@client ~]#
查看私有仓库是否有对应的镜像
[root@client ~]# curl -k https://docker.benet.com/v1/search
{"num_results": 1, "query": "", "results": [{"description": "", "name": "library/centos"}]}
或浏览器访问仓库
因为client是最小化安装,没有浏览器,所有用另一个有桌面的再测试一下
服务器将cacert.pem复制到client-2(192.168.142.160)当中
[root@docker ~]# scp /etc/pki/CA/cacert.pem [email protected]:/root
The authenticity of host '192.168.142.160 (192.168.142.160)' can't be established.
ECDSA key fingerprint is b6:5b:14:f0:9a:81:49:08:10:e8:8b:44:24:e1:8d:a0.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.142.160' (ECDSA) to the list of known hosts.
[email protected]'s password:
cacert.pem 100% 1289 1.3KB/s 00:00
[root@client-2 ~]# cat cacert.pem >> /etc/pki/tls/certs/ca-certificates.crt
验证docker.benet.com下的registry
[root@client-2 ~]# curl -i -k https://docker.benet.com
HTTP/1.1 200 OK
Server: nginx/1.11.2
Date: Thu, 28 Jul 2016 07:58:21 GMT
Content-Type: application/json
Content-Length: 28
Connection: keep-alive
Expires: -1
Pragma: no-cache
Cache-Control: no-cache
"\"docker-registry server\""[root@client-2 ~]#
[root@client-2 ~]# docker login https://docker.benet.com
Username: testuser
Password:
Email: [email protected]
WARNING: login credentials saved in /root/.docker/config.json
Account created. Please see the documentation of the registry https://docker.benet.com/v1/ for instructions how to activate it.
[root@client-2 ~]# curl -k https://docker.benet.com/v1/search
{"num_results": 1, "query": "", "results": [{"description": "", "name": "library/centos"}]}[root@client-2 ~]#
(1) 弊端:
server端可以login到官方的Docker Hub,可以pull,push官方和私有仓库! client端只能操作搭设好的私有仓库! 私有仓库不能search!
(2) 优点:
所有的build,pull,push操作只能在私有仓库的server端操作,降低企业风险!
(3) 当client端docker login到官方的https://index.docker.io/v1/网站,出现x509: certificate signed by unknown authority错误时重命名根证书mv /etc/pki/tls/certs/ca-certificates.crt /etc/pki/tls/certs/ca-certificates.crt.bak 重启docker服务! service docker restart!
拓展
服务器端
[root@docker ~]# hostname
docker.benet.com
[root@docker ~]# docker login https://docker.benet.com
Username: test
Password:
Email: [email protected]
Error response from daemon: invalid registry endpoint
https://docker.benet.com/v0/: unable to ping registry endpoint
https://docker.benet.com/v0/
v2 ping attempt failed with error: Get https://docker.benet.com/v2/:
x509: certificate signed by unknown authority
v1 ping attempt failed with error: Get https://docker.benet.com/v1/_ping: x509: certificate signed by unknown
authority. If this private registry supports only HTTP or HTTPS with an
unknown CA certificate, please add `--insecure-registry docker.benet.com` to the daemon's arguments. In the case of HTTPS, if
you have access to the registry's CA certificate, no need for the
flag; simply place the CA certificate at /etc/docker/certs.d/docker.benet.com/ca.crt