其他分享
首页 > 其他分享> > 6.云原生之Docker容器Registry私有镜像仓库搭建实践

6.云原生之Docker容器Registry私有镜像仓库搭建实践

作者:互联网

转载自:https://www.bilibili.com/read/cv15219863/?from=readlist


#1.下载registry仓库并设置数据存放的目录(并生成认证账号密码)
docker pull registry:2

mkdir -vp /opt/data/auth   #宿主机认证目录
mkdir -vp /opt/data/registry  #宿主机仓库目录

# 采用--entrypoint进行执行
docker run --entrypoint htpasswd httpd:2 -Bbn  testuser testpassword > auth/htpasswd

#2.运行下载的仓库镜像(我们常常指定一个本地数据卷给容器)
docker run -d -p 5000:5000 --name registry -v /opt/data/registry:/var/lib/registry registry:2  #未认证

## 加入认证 (已失效)
docker run -d -p 5000:5000 --restart=always --name docker-hub \
  -v /opt/data/registry:/var/lib/registry \
  -v /opt/data/auth:/auth \
  -e "REGISTRY_AUTH=htpasswd" \
  -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" \
  -e "REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd" \
  registry


#Docker 默认不允许非 HTTPS 方式推送镜像。我们可以通过 Docker 的配置选项来取消这个限制
# 3.修改docker的配置文件,让他支持http方式,上传私有镜像 (本地)
tee /etc/docker/daemon.json <<EOF
    # 写入如下内容
{
  "registry-mirror": [
    "https://registry.docker-cn.com"
  ],
  "insecure-registries": [
    "10.10.107.221:5000"
  ]
}
EOF

# 4.修改docker的服务配置文件(Ubuntu此步骤可以跳过)
vim /lib/systemd/system/docker.service
# 找到[service]这一代码区域块,写入如下参数
[Service]
EnvironmentFile=-/etc/docker/daemon.json

# 5.重新加载docker服务
systemctl daemon-reload

# 6.重启docker服务
systemctl restart docker
# 注意:重启docker服务,所有的容器都会挂掉
docker run -d -p 5000:5000 --name docker-registry -v /opt/data/registry:/var/lib/registry registry

# 7.修改本地镜像的tag标记,往自己的私有仓库推送
#docker tag weiyigeek/hello-world-docker 10.10.107.221:5000/weiyigeek  #对于修改名称的
$docker commit -m "alpine-sh" -a "weiyigeek" a63 10.10.107.221:5000/alpine-sh
sha256:b75ef26a9e1d92924914edcb841de8b7bdc0b336cea2c6cfbaaf6175e24472c6

$docker login 10.10.107.221:5000
Username: testuser
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded

#上传我们的镜像文件
$docker push 10.10.107.221:5000/alpine-sh
The push refers to repository [10.10.107.221:5000/alpine-sh]
2a499f806f16: Pushed
f1b5933fe4b5: Pushed
latest: digest: sha256:6d13420cb9ce74095e2a71f565fc8c15ba17b40933e14534fc65775025eedd18 size: 735

# 8.下载私有仓库的镜像(查看)
docker pull 10.10.107.221:5000/weiyige
# http://10.10.107.221:5000/v2/_catalog  #查看仓库 需要进行认证
# http://10.10.107.221:5000/v2/[image_name]/tags/list #查看镜像版本列表
curl -XGET  http://10.10.107.221:5000/v2/_catalog -u testuser:testpassword
{"repositories":["alpine-sh"]} 

可以从下图看到设置账号密码认证后直接访问Registry API将受到限制

# (1) Registry API
/var/lib/registry
# (2) Harbor 本地目录中
/data/harbor/registry/docker/registry/v2

# 查看镜像 Manifest 对应的blob id
$ cat repositories/release/cyclone-server/_manifests/tags/v0.5.0-beta.1/current/link
sha256:6d47a9873783f7bf23773f0cf60c67cef295d451f56b8b79fe3a1ea217a4bf98
# 查看镜像 Manifest
$ cat blobs/sha256/6d/6d47a9873783f7bf23773f0cf60c67cef295d451f56b8b79fe3a1ea217a4bf98/data

# Blob 数据的存储
# 查看镜像 blob 的位置和大小
$ du -s blobs/sha256/71/7118e0a5b59500ceeb4c9686c952cae5e8bfe3e64e5afaf956c7098854a2390e/data
7560 blobs/sha256/71/7118e0a5b59500ceeb4c9686c952cae5e8bfe3e64e5afaf956c7098854a2390e/data

(2) 为Registry私有镜像仓库配置auth认证与tls证书

# 创建参数
docker run -d \
  -p 443:443 \
  --restart=always \
  --name registry \
  -v /app/registry/data:/var/lib/registry \
  -v /app/registry/auth:/auth \
  -v /app/registry/cert:/cert \
  -e "REGISTRY_HTTP_ADDR=0.0.0.0:443" \
  -e "REGISTRY_AUTH=htpasswd" \
  -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" \
  -e "REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd" \
  -e "REGISTRY_HTTP_TLS_CERTIFICATE=/cert/hub.weiyigeek.top.crt" \
  -e "REGISTRY_HTTP_TLS_KEY=/cert/server.key" \
  registry:2

# 查看创建的registry 容器
$ docker ps --format "table {{.ID}}\t{{.Names}}\t{{.Ports}}"
CONTAINER ID   NAMES      PORTS
c8657bd20936   registry   0.0.0.0:443->443/tcp, 5000/tcp

(3) 登陆远程仓库时报证书签名错误及其解决办法

~$ docker login hub.weiyigeek.top
Login did not succeed, error: Error response from daemon: Get https://hub.weiyigeek.top/v2/: x509: certificate signed by unknown authority
Username: WeiyiGeek
Password: ********

# 解决办法:
# (1) 在 /etc/docker/daemon.json 中配置insecure-registries字段,表示允许不安全的仓库。
"insecure-registries": ["192.168.12.111:5000","hub.weiyigeek.top"]

# (2) 从官方文档可知客户端要使用tls与Harbor通信使用的还是`自签证书`,那么必须建立一个目录`/etc/docker/certs.d`
# 如果配置可能会出现 x509: certificate signed by unknown authority 错误提示。
mkdir -vp /etc/docker/certs.d/hub.weiyigeek.top
cp -a /deployapp/harbor/harbor.pem  /etc/docker/certs.d/hub.weiyigeek.top/harbor.crt

标签:--,auth,REGISTRY,Registry,镜像,Docker,data,docker,registry
来源: https://www.cnblogs.com/sanduzxcvbnm/p/16426904.html