一:搭建私有仓库
1:注册阿里云帐号
2:在容器镜像服务的镜像加速器页面,获取自己专属的加速器配置(用于写入 daemon.json)
[root@foundation60 ~]# touch /etc/docker/
[root@foundation60 ~]# ls
anaconda-ks.cfg foundation-config-post.log Public Videos
Desktop Music rht-ks-post.log
Documents original-ks.cfg rht-ks-pre.log
Downloads Pictures Templates
[root@foundation60 ~]# touch daemon.json
[root@foundation60 ~]# vim daemon.json
[root@foundation60 ~]# systemctl daemon-reload
[root@foundation60 ~]# systemctl restart docker
3:查看数据卷
[root@foundation60 ~]# docker volume ls
DRIVER VOLUME NAME
local 183d505970c1deea7625cb21f3973277bb5251406a5a2af2ccff6a793a7ac364
local 2f6049388bcf0c514087eb533fc38ed5c14f2dc4b5386fe18c75d5c4fef68a0e
local e866464a0b4cca3002870696da116a4f7726201c4dd2dd5290065ea21047fda4
4:删除不使用的数据卷
[root@foundation60 ~]# docker volume prune
5:导入 registry.tar
[root@foundation60 Desktop]# docker load -i registry.tar
917c0fc99b35: Loading layer 130.9MB/130.9MB
5f70bf18a086: Loading layer 1.024kB/1.024kB
e6107e74315e: Loading layer 20.71MB/20.71MB
5deabacb4c9b: Loading layer 20.66MB/20.66MB
32d89efca72a: Loading layer 3.584kB/3.584kB
Loaded image: registry:2.3.1 ###发现此时是有版本号的
此时可以修改名称,
[root@foundation60 Desktop]# docker tag registry:2.3.1 registry:latest
如果不修改也没有关系,联网时会自动下载 registry:latest
6:查看镜像是否存在
[root@foundation60 Desktop]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
rhel7 v5 726a0d4f286a 15 minutes ago 23.6MB
<none> <none> c6280f9cd373 15 minutes ago 116MB
rhel7 v4 fff55a5a2b48 17 hours ago 141MB
<none> <none> e4bf053cd5e8 18 hours ago 256MB
rhel7 v3 f9133e15edef 19 hours ago 282MB
rhel7 v2 f5f0fdb3df67 20 hours ago 200MB
rhel7 v1 b05b17695e0b 20 hours ago 200MB
<none> <none> e0ae89c32a88 21 hours ago 147MB
nginx latest 881bd08c0b08 12 days ago 109MB
game2048 latest 19299002fdbe 2 years ago 55.5MB
registry 2.3.1 83139345d017 3 years ago 166MB
registry latest 83139345d017 3 years ago 166MB
rhel7 latest 0a3eb3fde7fd 4 years ago 140MB
gcr.io/distroless/base latest 9a255d5fe262 49 years ago 16.8MB
7:建立仓库目录,此时目录中什么也没有
[root@foundation60 ~]# mkdir /opt/registry
[root@foundation60 ~]# cd /opt/registry/
[root@foundation60 registry]# pwd
/opt/registry
[root@foundation60 registry]# ls ##空目录,什么也没有
[root@foundation60 registry]# cd
8:生成容器,做端口映射
[root@foundation60 ~]# docker run -d --name registry -p 5000:5000 -v /opt/registry/:/var/lib/registry registry
73f01a92ab0c2dd3b9f2353410d18ffad2eb6116090ba8d44758847b3f4780b6
[root@foundation60 ~]# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
73f01a92ab0c registry "/bin/registry /etc/…" 25 seconds ago Up 22 seconds 0.0.0.0:5000->5000/tcp registry
[root@foundation60 ~]#
9:修改tag,上传镜像
[root@foundation60 ~]# docker tag rhel7:v5 localhost:5000/rhel7:v5
[root@foundation60 ~]# docker push localhost:5000/rhel7:v5
The push refers to repository [localhost:5000/rhel7]
b3cc8face1a9: Pushed
668afdbd4462: Pushed
v5: digest: sha256:27777d006b8adade7441f2b7ee73f1dcd8dd3b8b3c835d401e1a940132d46306 size: 739
10:此时之前为空的仓库目录已经有内容了
[root@foundation60 ~]# cd /opt/registry/
[root@foundation60 registry]# ls
docker
[root@foundation60 registry]# cd docker/
[root@foundation60 docker]# ls
registry
[root@foundation60 docker]# tree . ###可以查看具体信息
11:拉取(下载)镜像
[root@foundation60 docker]# docker pull localhost:5000/rhel7:v5
v5: Pulling from rhel7
Digest: sha256:27777d006b8adade7441f2b7ee73f1dcd8dd3b8b3c835d401e1a940132d46306
Status: Image is up to date for localhost:5000/rhel7:v5 ###本机中存在了
12:删除本地已有的镜像
[root@foundation60 docker]# docker rmi localhost:5000/rhel7:v5
Untagged: localhost:5000/rhel7:v5
Untagged: localhost:5000/rhel7@sha256:27777d006b8adade7441f2b7ee73f1dcd8dd3b8b3c835d401e1a940132d46306
[root@foundation60 docker]# docker rmi rhel7:v5
Untagged: rhel7:v5
Deleted: sha256:726a0d4f286a2eef41d7c580f338733b72d410b2517dd608503ddd5868308d19
Deleted: sha256:6ee83f7838653860463bd60562b34c1ae86709dafb39215871056862b6a6a273
Deleted: sha256:b9923c618166806f93410fb8787f63229fa9cf02b369d233833dbb5ceea5ebff
Deleted: sha256:cb17f9172543e915de2bde1ee9ba234abd29cd11a62cc874a093d816375a3b9b
[root@foundation60 docker]# docker images rhel7 ##发现没有了
REPOSITORY TAG IMAGE ID CREATED SIZE
rhel7 v4 fff55a5a2b48 18 hours ago 141MB
rhel7 v3 f9133e15edef 19 hours ago 282MB
rhel7 v2 f5f0fdb3df67 20 hours ago 200MB
rhel7 v1 b05b17695e0b 20 hours ago 200MB
rhel7 latest 0a3eb3fde7fd 4 years ago 140MB
13:重新拉取
[root@foundation60 docker]# docker pull localhost:5000/rhel7:v5
v5: Pulling from rhel7
269521def953: Already exists
4848b703f1b6: Pull complete
Digest: sha256:27777d006b8adade7441f2b7ee73f1dcd8dd3b8b3c835d401e1a940132d46306
Status: Downloaded newer image for localhost:5000/rhel7:v5
14:修改tag便于查看
[root@foundation60 docker]# docker images rhel7
REPOSITORY TAG IMAGE ID CREATED SIZE
rhel7 v4 fff55a5a2b48 18 hours ago 141MB
rhel7 v3 f9133e15edef 19 hours ago 282MB
rhel7 v2 f5f0fdb3df67 20 hours ago 200MB
rhel7 v1 b05b17695e0b 20 hours ago 200MB
rhel7 latest 0a3eb3fde7fd 4 years ago 140MB
[root@foundation60 docker]# docker tag localhost:5000/rhel7:v5 rhel7:v5
[root@foundation60 docker]# docker im
image images import
[root@foundation60 docker]# docker images rhel7
REPOSITORY TAG IMAGE ID CREATED SIZE
rhel7 v5 726a0d4f286a 32 minutes ago 23.6MB
rhel7 v4 fff55a5a2b48 18 hours ago 141MB
rhel7 v3 f9133e15edef 19 hours ago 282MB
rhel7 v2 f5f0fdb3df67 20 hours ago 200MB
rhel7 v1 b05b17695e0b 21 hours ago 200MB
rhel7 latest 0a3eb3fde7fd 4 years ago 140MB
二:仓库的共享,认证
1:建立certs目录
[root@foundation60 docker]# ls
Dockerfile dvd.repo nginx-1.15.8.tar.gz test webdata
[root@foundation60 docker]# mkdir -p certs
[root@foundation60 docker]# ls
certs Dockerfile dvd.repo nginx-1.15.8.tar.gz test webdata
2:生成证书和私钥(自签名证书,有效期 365 天)
[root@foundation60 docker]# openssl req -newkey rsa:4096 -nodes -sha256 -keyout certs/westos.org.key -x509 -days 365 -out certs/westos.org.crt
Generating a 4096 bit RSA private key
.......................................................................++
.........................................................++
writing new private key to 'certs/westos.org.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:ahnxi
Locality Name (eg, city) [Default City]:xian
Organization Name (eg, company) [Default Company Ltd]:yz
Organizational Unit Name (eg, section) []:westos.org
Common Name (eg, your name or your server's hostname) []:westos.org
Email Address []:[email protected]
3:添加本地解析
[root@foundation60 docker]# vim /etc/hosts
172.25.60.250 westos.org
[root@foundation60 docker]# ping westos.org
PING westos.org (172.25.60.250) 56(84) bytes of data.
64 bytes from westos.org (172.25.60.250): icmp_seq=1 ttl=64 time=0.065 ms
64 bytes from westos.org (172.25.60.250): icmp_seq=2 ttl=64 time=0.040 ms
^C
--- westos.org ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 999ms
rtt min/avg/max/mdev = 0.040/0.052/0.065/0.014 ms
4:查看443端口是否被占用
[root@foundation60 docker]# netstat -antlp | grep :443
5:关闭之前的registry
[root@foundation60 docker]# docker rm -f registry
registry
6:生成所需要的容器
[root@foundation60 docker]# docker run -d --restart=always --name registry -v "$(pwd)"/certs:/certs -e REGISTRY_HTTP_ADDR=0.0.0.0:443 -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/westos.org.crt -e REGISTRY_HTTP_TLS_KEY=/certs/westos.org.key -p 443:443 -v /opt/registry:/var/lib/registry registry
61154da965df77b19e3976aadf0b6248a007bfb7cd4302154063656c16ccc16f
7:开启,查看状态是否为up
[root@foundation60 docker]# docker start registry
registry
[root@foundation60 docker]# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
61154da965df registry "/bin/registry /etc/…" 45 seconds ago Up 44 seconds 0.0.0.0:443->443/tcp, 5000/tcp registry
8:建立目录,拷贝证书
[root@foundation60 docker]# cd /opt/registry/
[root@foundation60 registry]# ls
docker
[root@foundation60 registry]# pwd
/opt/registry
[root@foundation60 registry]# cd /etc/docker/
[root@foundation60 docker]# ls
key.json
[root@foundation60 docker]# mkdir certs.d/westos.org -p
[root@foundation60 docker]# ls
certs.d key.json
[root@foundation60 docker]# cd certs.d/
[root@foundation60 certs.d]# ls
westos.org
[root@foundation60 certs.d]# cd westos.org/
[root@foundation60 westos.org]# ls
[root@foundation60 westos.org]# cp /opt/docker/certs/westos.org.crt ca.crt
[root@foundation60 westos.org]# ls
ca.crt
9:修改镜像名称(加上 westos.org 前缀),否则无法推送到该私有仓库
[root@foundation60 Desktop]# docker tag game2048:latest westos.org/game2048
10:上传镜像(本机)
[root@foundation60 westos.org]# docker push westos.org/game2048
The push refers to repository [westos.org/game2048]
88fca8ae768a: Pushed
6d7504772167: Pushed
192e9fad2abc: Pushed
36e9226e74f8: Pushed
011b303988d2: Pushed
latest: digest: sha256:8a34fb9cb168c420604b6e5d32ca6d412cb0d533a826b313b190535c03fe9390 size: 1364
11:其他主机来下载镜像
(1):安装docker服务
[root@server1 docker]# ls
container-selinux-2.21-1.el7.noarch.rpm
docker-ce-18.06.1.ce-3.el7.x86_64.rpm
libsemanage-2.5-8.el7.x86_64.rpm
libsemanage-python-2.5-8.el7.x86_64.rpm
pigz-2.3.4-1.el7.x86_64.rpm
policycoreutils-2.5-17.1.el7.x86_64.rpm
policycoreutils-python-2.5-17.1.el7.x86_64.rpm
[root@server1 docker]# yum install * -y
(2):开启服务
[root@server1 docker]# systemctl start docker
(3):修改本地解析
[root@server1 ~]# vim /etc/hosts
172.25.60.250 foundation60.ilt.exmaple.com westos.org
[root@server1 ~]# ping westos.org
PING foundation60.ilt.exmaple.com (172.25.60.250) 56(84) bytes of data.
64 bytes from foundation60.ilt.exmaple.com (172.25.60.250): icmp_seq=1 ttl=64 time=0.216 ms
64 bytes from foundation60.ilt.exmaple.com (172.25.60.250): icmp_seq=2 ttl=64 time=0.630 ms
64 bytes from foundation60.ilt.exmaple.com (172.25.60.250): icmp_seq=3 ttl=64 time=0.181 ms
(4):此时拉取镜像是失败的,x509 报错(客户端不信任自签名证书)
[root@server1 ~]# docker pull westos.org/game2048
Using default tag: latest
Error response from daemon: Get https://westos.org/v2/: x509: certificate signed by unknown authority
(5):分发证书才能拉取
[root@server1 ~]# cd /etc/docker/
[root@server1 docker]# ls
key.json
[root@server1 docker]# mkdir /etc/docker/certs.d/westos.org -p
[root@server1 docker]# cd /etc/docker/certs.d/westos.org/
[root@server1 westos.org]# ls
[root@foundation60 westos.org]# scp ca.crt 172.25.60.1:/etc/docker/certs.d/westos.org/
[email protected]'s password:
ca.crt 100% 2090 2.0KB/s 00:00
[root@server1 westos.org]# ls
ca.crt
[root@server1 westos.org]# docker pull westos.org/game2048 ##拉取成功
Using default tag: latest
latest: Pulling from game2048
534e72e7cedc: Pull complete
f62e2f6dfeef: Pull complete
fe7db6293242: Pull complete
3f120f6a2bf8: Pull complete
4ba4e6930ea5: Pull complete
Digest: sha256:8a34fb9cb168c420604b6e5d32ca6d412cb0d533a826b313b190535c03fe9390
Status: Downloaded newer image for westos.org/game2048:latest
三:认证(用户名密码登录)
1:建立目录
[root@foundation60 ~]# cd /opt/docker/
[root@foundation60 docker]# ls
certs dvd.repo nginx-1.15.8.tar.gz test -x509
Dockerfile -newkey -p webdata
[root@foundation60 docker]# mkdir auth
2:生成用户和密码
[root@foundation60 docker]# docker run --entrypoint htpasswd registry -Bbn yz westos > auth/htpasswd
[root@foundation60 docker]# docker run --rm --entrypoint htpasswd registry -Bbn admin westos >> auth/htpasswd
3:查看账户和密码
[root@foundation60 docker]# docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
04566550e911 registry "htpasswd -Bbn yz we…" 59 seconds ago Exited (0) 56 seconds ago admiring_newton
61154da965df registry "/bin/registry /etc/…" 44 minutes ago Up 44 minutes 0.0.0.0:443->443/tcp, 5000/tcp registry
45a4ae4b7ee6 rhel7:v3 "/usr/local/nginx/sb…" 20 hours ago Exited (0) 19 hours ago nginx
0c51d8a6dd49 06d35616996b "/bin/sh -c 'yum ins…" 21 hours ago Exited (1) 21 hours ago upbeat_mcnulty
6a7ce82ecd24 e0ae89c32a88 "/bin/sh -c 'yum ins…" 22 hours ago Exited (1) 22 hours ago priceless_banach
[root@foundation60 docker]#
[root@foundation60 docker]# docker rm admiring_newton
admiring_newton
[root@foundation60 docker]# cat auth/htpasswd
yz:$2y$05$23QoIvUxd38RxzvJ8/xzA.R/VYm2xMjVylzcNn/lE6sS/nYYwA34S
admin:$2y$05$XoS8q2G.zKMiEuiIS1Wf6OIMLld/QuoqiV2VdlnkHIUOBPEoEhLV.
4:删除之前的registry
[root@foundation60 docker]# docker stop registry
registry
[root@foundation60 docker]# docker rm registry
registry
[root@foundation60 docker]# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS
5:生成所需要的容器
[root@foundation60 docker]# docker run -d --restart=always --name registry -v "$(pwd)"/certs:/certs -e REGISTRY_HTTP_ADDR=0.0.0.0:443 -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/westos.org.crt -e REGISTRY_HTTP_TLS_KEY=/certs/westos.org.key -p 443:443 -v /opt/registry:/var/lib/registry -v "$(pwd)"/auth:/auth -e "REGISTRY_AUTH=htpasswd" -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd registry
10fb7ca0898799b3611c7e7a836ded059e15c6766744169a23c9ab07f6e4c49e
6:查看容器和443端口
[root@foundation60 docker]# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
10fb7ca08987 registry "/bin/registry /etc/…" 4 seconds ago Up 3 seconds 0.0.0.0:443->443/tcp, 5000/tcp registry
[root@foundation60 docker]# netstat -antlp | grep :443
tcp6 0 0 :::443 :::* LISTEN 11868/docker-proxy
7:此时没有登录是无法上传的
[root@foundation60 docker]# docker push westos.org/ubuntu
The push refers to repository [westos.org/ubuntu]
5f70bf18a086: Preparing
11083b444c90: Preparing
9468150a390c: Preparing
56abdd66ba31: Preparing
no basic auth credentials
8:登录(注意:config.json 中的 auth 字段只是 用户名:密码 的 base64 编码,并未加密)
[root@foundation60 docker]# docker login westos.org
Username: yz
Password: (westos)
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
[root@foundation60 docker]# cat /root/.docker/config.json
{
"auths": {
"westos.org": {
"auth": "eXo6d2VzdG9z"
}
},
"HttpHeaders": {
"User-Agent": "Docker-Client/18.06.1-ce (linux)"
}
}[root@foundation60 docker]#
9:登录之后再次上传就可以了
[root@foundation60 docker]# docker push westos.org/ubuntu
The push refers to repository [westos.org/ubuntu]
5f70bf18a086: Pushed
11083b444c90: Pushed
9468150a390c: Pushed
四:web ui界面管理仓库(删除镜像)
1:导入所需镜像
[root@foundation60 Desktop]# docker tag ubuntu:latest westos.org/ubuntu
[root@foundation60 Desktop]# docker load -i docker-registry-web.tar
78ff13900d61: Loading layer 196.8MB/196.8MB
641fcd2417bc: Loading layer 209.9kB/209.9kB
292a66992f77: Loading layer 7.168kB/7.168kB
3567b2f05514: Loading layer 4.608kB/4.608kB
367b9c52c931: Loading layer 3.072kB/3.072kB
8b1153b14d3a: Loading layer 3.584kB/3.584kB
5ee52271b8b7: Loading layer 162.5MB/162.5MB
f7049feabf0b: Loading layer 4.096kB/4.096kB
7ef05f1204ee: Loading layer 3.072kB/3.072kB
03457c5158e2: Loading layer 3.584kB/3.584kB
8418a42306ef: Loading layer 3.584kB/3.584kB
f469fc28e82e: Loading layer 7.68kB/7.68kB
d96a8038b794: Loading layer 2.56kB/2.56kB
be44224e76b9: Loading layer 13.82kB/13.82kB
463a4bd8f8c1: Loading layer 438.8kB/438.8kB
d16096ccf0bb: Loading layer 8.704kB/8.704kB
1315f14832fa: Loading layer 197.1MB/197.1MB
d6c3b0e63834: Loading layer 1.009MB/1.009MB
64d1c65ea33e: Loading layer 3.584kB/3.584kB
9eb22ef427e2: Loading layer 3.584kB/3.584kB
8779b4998d0c: Loading layer 55.63MB/55.63MB
Loaded image: docker-registry-web:latest
[root@foundation60 Desktop]#
2:生成所需要的容器
[root@foundation60 docker]# docker run -d --restart=always --name registry -v "$(pwd)"/certs:/certs -e REGISTRY_HTTP_ADDR=0.0.0.0:443 -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/westos.org.crt -e REGISTRY_HTTP_TLS_KEY=/certs/westos.org.key -p 443:443 -v /opt/registry:/var/lib/registry -v "$(pwd)"/auth:/auth -e "REGISTRY_AUTH=htpasswd" -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd -e REGISTRY_STORAGE_DELETE_ENABLED=true registry
cdcb915a6b088ff897bf80612f235bcfff5f6a415ea0b0a59c27d5bc49ecaf4c
[root@foundation60 docker]# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
cdcb915a6b08 registry "/bin/registry /etc/…" 3 seconds ago Up 2 seconds 0.0.0.0:443->443/tcp, 5000/tcp registry
3:生成registry-web容器(REGISTRY_TRUST_ANY_SSL=true 会跳过证书校验,仅适合测试环境)
[root@foundation60 docker]# docker run -it -p 8080:8080 --name registry-web --link registry:westos.org -e REGISTRY_URL=https://westos.org/v2 -e REGISTRY_TRUST_ANY_SSL=true -e REGISTRY_BASIC_AUTH="eXo6d2VzdG9z" -e REGISTRY_NAME=westos.org -e REGISTRY_READONLY=false docker-registry-web
4:浏览器访问
localhost:8080,可以看到仓库中的各个镜像,并可以删除