Contents
Docker repositories: push and pull, registry, TLS encryption, connecting from a remote host
docker-compose
Docker repositories
A repository is where images are stored centrally. This section walks through Docker Hub; other remote providers differ only in who runs the service, the operations are the same. A Docker registry server holds multiple repositories, and each repository can hold multiple images distinguished by tag. The registry Docker uses by default is the public Docker Hub, maintained by Docker Inc.; it is free to use and also sells private repositories. Pushing to Docker Hub is the most direct way to save and distribute an image.
1. Register an account on Docker Hub.
2. Log in.
[root@server1 docker]# docker login -u dangdangwestos
Password:
Login Succeeded
"""
[root@docker ~]# docker login -u dangdangwestos
Password:
# This warning means that storing the password this way is a security problem
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
[root@docker ~]# cat .docker/config.json
# Once you have authenticated, the credentials are kept in this file
{
	"auths": {
		"https://index.docker.io/v1/": {
			"auth": "ZGFuZ2Rhbmd3ZXN0b3M6NjQ1MTkzMjM2"
		}
	},
	"HttpHeaders": {
		"User-Agent": "Docker-Client/18.09.6 (linux)"
	}
}
"""
The "auth" value is neither a hash nor a ciphertext: it is base64 of "username:password", so anyone who can read config.json (root, a backup, a copied home directory, a dotfile pushed to git) recovers the Docker Hub password directly. Either configure a credential helper (the credsStore / credHelpers keys of config.json hand the secret to the OS keyring or to pass) or log out as soon as the push is done, which deletes the entry:
docker logout
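To make the point concrete, here is an added example (not part of the original post) that audits a config.json: it base64-decodes every inline "auth" entry and reports which registries have a password recoverable from the file versus which are delegated to a credential helper. The sample configuration is constructed for the example; the admin/westos pair is the private-registry user created later on this page, and the helper names ("desktop", "pass") are assumptions.

```python
import base64
import json
import os

# Constructed sample of ~/.docker/config.json for this example (not copied
# from a real machine): one registry with an inline "auth" entry using the
# admin/westos login from this page, one registry delegated to a credential
# helper, and a default credsStore for everything else.
SAMPLE_CONFIG = json.dumps({
    "auths": {
        "westos.org": {"auth": "YWRtaW46d2VzdG9z"},
        "https://index.docker.io/v1/": {},
    },
    "credHelpers": {"https://index.docker.io/v1/": "desktop"},
    "credsStore": "pass",
})


def decode_auth(value):
    """Return (user, password) from a config.json "auth" value.

    The field is plain base64 of "user:password": encoding, not encryption,
    so whoever can read the file has the password.
    """
    raw = base64.b64decode(value).decode("utf-8")
    user, _, password = raw.partition(":")
    return user, password


def audit_config(config_text):
    """Map each registry in "auths" to how its secret is stored.

    "plaintext": recoverable from the file itself.
    "helper":    handed to a credential helper (credHelpers / credsStore).
    "none":      an empty entry with no credentials at all.
    """
    cfg = json.loads(config_text)
    helpers = cfg.get("credHelpers", {})
    store = cfg.get("credsStore")
    report = {}
    for registry, entry in cfg.get("auths", {}).items():
        if entry.get("auth"):
            user, _ = decode_auth(entry["auth"])
            report[registry] = {"user": user, "stored": "plaintext"}
        elif registry in helpers or store:
            report[registry] = {"user": None, "stored": "helper"}
        else:
            report[registry] = {"user": None, "stored": "none"}
    return report


def plaintext_registries(config_text):
    """Registries whose password anyone with read access to the file can recover."""
    report = audit_config(config_text)
    return sorted(r for r, v in report.items() if v["stored"] == "plaintext")


def audit_file(path=os.path.expanduser("~/.docker/config.json")):
    """Run the audit on the real file of the current user."""
    with open(path, encoding="utf-8") as fh:
        return audit_config(fh.read())


if __name__ == "__main__":
    for registry, info in audit_config(SAMPLE_CONFIG).items():
        print(f"{registry}: {info['stored']} (user={info['user']})")
```

Run audit_file() on a build host or a CI runner image to find leftover logins; every registry it reports as "plaintext" is a credential that should be moved into a helper or removed with docker logout.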
3. Rename the image so that it matches your Docker Hub account
To tell different users' images apart, Docker Hub requires the user name to be part of the image name. The full format is
[username]/xxx:tag
"""
The following command searches the official Docker registry for images.
As you can see, apart from the official images, every other image has to carry its owner's namespace as Docker Hub requires.
# Different people can upload different images
"""
[root@server3 ~]# docker search busybox
NAME                    DESCRIPTION                                     STARS   OFFICIAL   AUTOMATED
busybox                 Busybox base image.                             1658    [OK]
progrium/busybox                                                        70                 [OK]
radial/busyboxplus      Full-chain, Internet enabled, busybox made f…   24                 [OK]
arm32v7/busybox         Busybox base image.                             7
yauritux/busybox-curl   Busybox with CURL                               5
armhf/busybox           Busybox base image.                             5
arm64v8/busybox         Busybox base image.                             3
aarch64/busybox         Busybox base image.                             2
[root@docker ~]# docker search dangdangwestos
NAME                               DESCRIPTION   STARS   OFFICIAL   AUTOMATED
dangdangwestos/rhel7-up                          0
dangdangwestos/busybox                           0
dangdangwestos/rhel7-addifconfig                 0
dangdangwestos/httpd                             0
Only images marked OFFICIAL are curated by Docker; everything else is published by whoever owns the namespace, and the star count says nothing about what is inside, so inspect such an image (or pin it by digest) before you build on it.
Push
[root@server3 ~]# docker tag busybox:latest dangdangwestos/busybox:latest
[root@server3 ~]# docker push dangdangwestos/busybox
The push refers to repository [docker.io/dangdangwestos/busybox]
0d315111b484: Mounted from library/busybox
latest: digest: sha256:895ab622e92e18d6b461d671081757af7dbaa3b00e3e28e12505af7817f73649 size: 527
The layer is "Mounted from library/busybox" rather than uploaded: Docker Hub already holds that blob under the official busybox repository and cross-mounts it by digest, so only the manifest is new.
Pull
[root@server3 ~]# docker pull dangdangwestos/busybox
latest: Pulling from dangdangwestos/busybox
Digest: sha256:895ab622e92e18d6b461d671081757af7dbaa3b00e3e28e12505af7817f73649
Status: Image is up to date for dangdangwestos/busybox:latest
[root@server3 ~]# docker images
REPOSITORY   TAG      IMAGE ID       CREATED       SIZE
nginx        v4       b218a266197d   2 days ago    144MB
nginx        v3       49349f668909   2 days ago    253MB
nginx        v2       d21df066fe46   2 days ago    272MB
nginx        v1       6baf2165c143   2 days ago    295MB
ubuntu       latest   3556258649b2   3 weeks ago   64.2MB
busybox      latest   db8ee88ad75f   4 weeks ago   1.22MB
game2048     latest   19299002fdbe   2 years ago   55.5MB
rhel7        latest   0a3eb3fde7fd   5 years ago   140MB
The local dangdangwestos/busybox tag is no longer in the listing, so the next pull fetches it from Docker Hub again:
[root@server3 ~]# docker pull dangdangwestos/busybox
latest: Pulling from dangdangwestos/busybox
Digest: sha256:895ab622e92e18d6b461d671081757af7dbaa3b00e3e28e12505af7817f73649
Status: Downloaded newer image for dangdangwestos/busybox:latest
[root@server3 ~]# docker images
REPOSITORY               TAG      IMAGE ID       CREATED       SIZE
nginx                    v4       b218a266197d   2 days ago    144MB
nginx                    v3       49349f668909   2 days ago    253MB
nginx                    v2       d21df066fe46   2 days ago    272MB
nginx                    v1       6baf2165c143   2 days ago    295MB
ubuntu                   latest   3556258649b2   3 weeks ago   64.2MB
dangdangwestos/busybox   latest   db8ee88ad75f   4 weeks ago   1.22MB
busybox                  latest   db8ee88ad75f   4 weeks ago   1.22MB
game2048                 latest   19299002fdbe   2 years ago   55.5MB
rhel7                    latest   0a3eb3fde7fd   5 years ago   140MB
The pulled image has the same IMAGE ID (db8ee88ad75f) as the local busybox, and the Digest line matches the one docker push printed; comparing that digest is how you confirm the registry served exactly the content you uploaded.
registry
What happens behind a docker pull or docker push
"""
The index server provides the image index and user authentication. When an image is downloaded, the client first authenticates against the index server, which looks up the address of the registry holding the image and returns it to the Docker client. The client then downloads the image from that registry; during the download the registry checks with the index that the client's token is valid. Different images can be kept on different registries, while the lookup information for all of them lives on the index server.
index: maintains account information, image checksums and the public namespace (it does not store the actual image layers)
    web UI
    metadata storage
    authentication service
    tokenization
registry: the store for images and graphs; it has no local database and does not authenticate users itself
registry client: Docker acts as the registry client, handling push and pull as well as client-side authorization
"""
Scenarios:
Docker Client ---> index ----> registry
A: the user fetches and downloads an image
B: the user pushes an image to the registry (the index creates the image's namespace)
C: the user deletes an image from the index or the registry
This index/registry split is the Registry v1 design. The registry:2 image used in the rest of this page has no separate index: it serves the /v2/ API directly, and authentication is either Basic auth checked by the registry itself (the htpasswd setup below) or a bearer token issued by an external token service, which is what Docker Hub does. In the token case the registry verifies the token's signature and scope itself instead of calling back to an index.
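As an added example (not part of the original post) of the token handshake that plays the role of the index in a v2 registry such as Docker Hub: the registry answers an unauthenticated request with a 401 and a WWW-Authenticate challenge, the client turns that challenge into a request to the token issuer (the realm), and retries with the token as a bearer credential. The challenge below is constructed for the example, using Docker Hub's public realm and service values and the repository pushed on this page; fetch_token makes a real network call and is only shown for completeness.

```python
import base64
import json
import re
import urllib.parse
import urllib.request

# Constructed WWW-Authenticate challenge, shaped like the one Docker Hub's
# registry returns for an unauthenticated GET /v2/<name>/manifests/<tag>.
# realm and service are Docker Hub's public values; the repository is the
# one pushed on this page.
SAMPLE_CHALLENGE = ('Bearer realm="https://auth.docker.io/token",'
                    'service="registry.docker.io",'
                    'scope="repository:dangdangwestos/busybox:pull"')

_PARAM = re.compile(r'(\w+)="([^"]*)"')


def parse_challenge(header):
    """Split a WWW-Authenticate value into (scheme, {param: value})."""
    scheme, _, rest = header.partition(" ")
    return scheme, dict(_PARAM.findall(rest))


def token_request_url(header):
    """URL of the token endpoint the client must call before retrying.

    realm is where the issuer lives; service and scope are echoed back so the
    issuer can decide what access the returned token grants.
    """
    scheme, params = parse_challenge(header)
    if scheme != "Bearer":
        raise ValueError(f"expected a Bearer challenge, got {scheme!r}")
    query = {key: params[key] for key in ("service", "scope") if key in params}
    return params["realm"] + "?" + urllib.parse.urlencode(query)


def scope_allows(scope, repository, action):
    """True if 'repository:<name>:<actions>' grants <action> on <repository>.

    This is the check the registry performs on the token's claims: a token
    scoped to pull cannot be replayed to push.
    """
    kind, name, actions = scope.split(":", 2)
    return kind == "repository" and name == repository and action in actions.split(",")


def fetch_token(header, user=None, password=None):
    """Exchange the challenge for a bearer token (network call).

    Anonymous requests get a pull-only token for public repositories; a push
    scope requires presenting the Docker Hub login to the realm as Basic auth.
    """
    req = urllib.request.Request(token_request_url(header))
    if user is not None:
        cred = base64.b64encode(f"{user}:{password}".encode()).decode()
        req.add_header("Authorization", f"Basic {cred}")
    with urllib.request.urlopen(req) as resp:
        return json.loads(resp.read())["token"]


def retry_headers(token):
    """Headers for the retried registry request. The registry then checks the
    token's signature and scope locally, with no call back to the issuer."""
    return {"Authorization": f"Bearer {token}"}


if __name__ == "__main__":
    # Offline walk-through of the exchange on the constructed challenge.
    print("token endpoint:", token_request_url(SAMPLE_CHALLENGE))
    scope = parse_challenge(SAMPLE_CHALLENGE)[1]["scope"]
    print("push allowed by this scope:", scope_allows(scope, "dangdangwestos/busybox", "push"))
    print("retry with:", retry_headers("<token from the realm>"))
```

The scope is the part worth reading when debugging "denied" errors: docker push asks for "repository:<name>:pull,push", and a registry that hands back a token with only pull in its access claims will reject the upload even though the login succeeded.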
Setting up a private registry (a local registry)
Docker Hub is convenient, but it has limitations:
1. It needs an Internet connection, and uploads and downloads are slow.
2. Images pushed to a public Docker Hub repository can be pulled by anyone.
3. For security reasons many organizations do not allow images to leave their own network.
The solution is to run a local registry.
Docker has open-sourced the registry, and the official registry image is on Docker Hub.
[root@server3 ~]# docker search registry
NAME       DESCRIPTION                                     STARS   OFFICIAL   AUTOMATED
registry   The Docker Registry 2.0 implementation for s…   2655    [OK]
[root@server3 ~]# docker pull registry
Using default tag: latest
latest: Pulling from library/registry
c87736221ed0: Pull complete
1cc8e0bb44df: Pull complete
54d33bcb37f5: Pull complete
e8afc091c171: Pull complete
b4541f6d3db6: Pull complete
Digest: sha256:8004747f1e8cd820a148fb7499d71a76d45ff66bac6a29129bfdbfdc0154d146
Status: Downloaded newer image for registry:latest
[root@server3 ~]# docker images registry
REPOSITORY   TAG      IMAGE ID       CREATED        SIZE
registry     latest   f32a97de94e1   5 months ago   25.8MB
[root@server3 ~]# docker history registry
IMAGE          CREATED        CREATED BY                                      SIZE     COMMENT
f32a97de94e1   5 months ago   /bin/sh -c
<missing>      5 months ago   /bin/sh -c
<missing>      5 months ago   /bin/sh -c
<missing>      5 months ago   /bin/sh -c
<missing>      5 months ago   /bin/sh -c
<missing>      5 months ago   /bin/sh -c
<missing>      5 months ago   /bin/sh -c
<missing>      5 months ago   /bin/sh -c set -ex  && apk add --no-cache…      1.27MB
<missing>      5 months ago   /bin/sh -c
<missing>      5 months ago   /bin/sh -c
[root@server3 ~]# docker run -d --name registry -p 5000:5000 registry
4579de1e48406e35648ade8a29f3dc38855d3ad84edca050c099d7b6a744c9c5
[root@server3 ~]# docker inspect registry
        "Mounts": [
            {
                "Type": "volume",
                "Name": "37e8aed215b0812c9ca3f3b6018a52bec0029844a2cd7dd4a505a6772fbc7e52",
                "Source": "/var/lib/docker/volumes/37e8aed215b0812c9ca3f3b6018a52bec0029844a2cd7dd4a505a6772fbc7e52/_data",
                "Destination": "/var/lib/registry",
                "Driver": "local",
                "Mode": "",
                "RW": true,
                "Propagation": ""
            }
        ],
The image declares /var/lib/registry as a volume, so Docker created an anonymous volume for it; without a named volume or a bind mount the pushed images disappear together with the container.
[root@server3 ~]# docker ps
CONTAINER ID   IMAGE      COMMAND                  CREATED          STATUS          PORTS                    NAMES
4579de1e4840   registry   "/entrypoint.sh /etc…"   54 seconds ago   Up 53 seconds   0.0.0.0:5000->5000/tcp   registry
[root@server3 ~]# netstat -antl | grep 5000
tcp6       0      0 :::5000                 :::*                    LISTEN
This registry speaks plain HTTP and has no authentication: anyone who can reach port 5000 can pull and push images. Docker lets you push to it at all only because 127.0.0.0/8 is treated as an insecure registry by default; a remote daemon would have to list the host under insecure-registries, which is exactly what the TLS setup below avoids.
[root@server3 ~]# docker tag nginx:v1 localhost:5000/nginx:v1
[root@server3 ~]# docker push localhost:5000/nginx:v1
The push refers to repository [localhost:5000/nginx]
7d1f91d2183b: Pushed
44e042b8c4f1: Pushed
4ee9ed108b64: Pushed
faa0d2dbf883: Pushed
a5e52a0ea4d4: Pushed
38ab3572be9b: Pushed
e16686814e10: Pushed
18af9eb19b5f: Pushed
v1: digest: sha256:1f42e2af016eae42bf2db8dc0d4a522b4f44c88ef2e786bcd160886bc0fc1242 size: 2000
The pushed data lands in the volume mounted at /var/lib/registry:
[root@server3 image]# cd /var/lib/docker/volumes/37e8aed215b0812c9ca3f3b6018a52bec0029844a2cd7dd4a505a6772fbc7e52/_data
[root@server3 _data]# ls
docker
[root@server3 _data]# cd docker
[root@server3 docker]# ls
registry
[root@server3 docker]# cd registry
[root@server3 registry]# ls
v2
Encryption
A registry like this is far from adequate as an enterprise private registry.
Adding certificate-based encryption (TLS) to the Docker registry
Official documentation
https://docs.docker.com/registry/insecure/
[root@server3 ~]# mkdir certs
[root@server3 ~]# openssl req \
> -newkey rsa:4096 -nodes -sha256 -keyout certs/westos.org.key \
> -x509 -days 365 -out certs/westos.org.crt
Generating a 4096 bit RSA private key
writing new private key to 'certs/westos.org.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Shaanxi
Locality Name (eg, city) [Default City]:Xi'an
Organization Name (eg, company) [Default Company Ltd]:Westos
Organizational Unit Name (eg, section) []:Linux
Common Name (eg, your name or your server's hostname) []:westos.org
Email Address []:root@westos.org
The Common Name must be the host name clients will use to reach the registry (here westos.org). Docker daemons built with Go 1.15 or later no longer accept a certificate whose host name appears only in the CN (the error is "x509: certificate relies on legacy Common Name field"), so also add a Subject Alternative Name, for example by appending -addext "subjectAltName=DNS:westos.org" to the openssl req command (OpenSSL 1.1.1 or newer). The private key is written unencrypted (-nodes); keep certs/westos.org.key readable by root only.
[root@server3 ~]# ls certs/
westos.org.crt (certificate)   westos.org.key (private key)
[root@server3 ~]# docker rm -f registry
registry
[root@server3 ~]# docker ps
CONTAINER ID   IMAGE   COMMAND   CREATED   STATUS   PORTS   NAMES
https://docs.docker.com/registry/deploying/
[root@server3 ~]# docker run -d --restart=always --name registry -v "$(pwd)"/certs:/certs \
-e REGISTRY_HTTP_ADDR=0.0.0.0:443 \
-e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/westos.org.crt -e REGISTRY_HTTP_TLS_KEY=/certs/westos.org.key \
-p 443:443 registry
3ebba5226703e6a15df3301ebc12207a213f939fb92af861c7f64c6ca2fd107b
"""
docker run -d : start the container in the background
--restart=always --name registry   # restart the container automatically (it comes up whenever the Docker engine starts)
-v "$(pwd)"/certs:/certs           # mount the local certs directory into the container as /certs
-e REGISTRY_HTTP_ADDR=0.0.0.0:443  # -e sets an environment variable; listen on the TLS port 443
-e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/westos.org.crt   # certificate
-e REGISTRY_HTTP_TLS_KEY=/certs/westos.org.key           # private key
-p 443:443 registry
"""
[root@server3 ~]# netstat -antlp
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      649/sshd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      852/master
tcp        0      0 172.25.0.3:22           172.25.0.250:54274      ESTABLISHED 2062/sshd: root@pts
tcp        0      0 172.25.0.3:22           172.25.0.250:56174      ESTABLISHED 5189/sshd: root@pts
tcp6       0      0 :::22                   :::*                    LISTEN      649/sshd
tcp6       0      0 ::1:25                  :::*                    LISTEN      852/master
tcp6       0      0 :::443                  :::*                    LISTEN      7421/docker-proxy
The name westos.org has to resolve to this host; here it is an alias of server3 (172.25.0.3) in /etc/hosts:
[root@server3 ~]# ping westos.org
PING server3 (172.25.0.3) 56(84) bytes of data.
64 bytes from server3 (172.25.0.3): icmp_seq=1 ttl=64 time=0.037 ms
64 bytes from server3 (172.25.0.3): icmp_seq=2 ttl=64 time=0.027 ms
The Docker daemon trusts the self-signed certificate only if a copy is placed under /etc/docker/certs.d/<registry host>/ca.crt:
[root@server3 ~]# cd /etc/docker/
[root@server3 docker]# ls
daemon.json  key.json
[root@server3 docker]# mkdir certs.d
[root@server3 docker]# cd certs.d/
[root@server3 certs.d]# mkdir westos.org
[root@server3 certs.d]# cd westos.org/
[root@server3 westos.org]# cp /root/certs/westos.org.crt ca.crt
[root@server3 westos.org]# ls
ca.crt
[root@server3 westos.org]# docker tag nginx:v3 westos.org/nginx:v3
[root@server3 westos.org]# docker push westos.org/nginx:v3
The push refers to repository [westos.org/nginx]
7eb94711c590: Pushed
cdb9e6fdd1dd: Pushed
ac047a8a6c70: Pushed
e16686814e10: Pushed
18af9eb19b5f: Pushed
v3: digest: sha256:ad7f1eadc6268d111c7c1763dd76943e4c1f831f59bde82796bc351b894526b5 size: 1366
Trusting the certificate this way is scoped to that one registry host. Do not reach for insecure-registries in daemon.json instead: that turns certificate checking off for the host entirely and lets any machine on the path impersonate the registry.
Next, add user authentication to the registry:
[root@server3 ~]# mkdir auth
[root@server3 ~]# docker run --rm --entrypoint htpasswd registry -Bbn admin westos > auth/htpasswd
"""
admin   user name
westos  password
More users can be appended:
docker run --rm --entrypoint htpasswd registry -Bbn redhat redhat >> auth/htpasswd
"""
-B selects bcrypt, the only hash the registry's htpasswd backend accepts. The htpasswd binary was removed from the registry image in 2.7.0; with a newer image generate the file from the httpd image instead: docker run --rm --entrypoint htpasswd httpd:2 -Bbn admin westos > auth/htpasswd. Note that -b puts the password on the command line, so it ends up in the shell history and is visible in the process list while the command runs.
[root@docker ~]# docker rm -f registry
registry
[root@server3 ~]# docker run -d --restart=always --name registry -v "$(pwd)"/certs:/certs \
-e REGISTRY_HTTP_ADDR=0.0.0.0:443 \
-e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/westos.org.crt -e REGISTRY_HTTP_TLS_KEY=/certs/westos.org.key \
-p 443:443 -v "$(pwd)"/auth:/auth \
-e "REGISTRY_AUTH=htpasswd" \
-e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" \
-e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd registry
2fb465d2f79e4a547a72e8014fe80c25cfc0321948ac83da45532f166c29fe80
[root@server3 ~]# docker ps
CONTAINER ID   IMAGE      COMMAND                  CREATED         STATUS         PORTS                            NAMES
2fb465d2f79e   registry   "/entrypoint.sh /etc…"   5 seconds ago   Up 5 seconds   0.0.0.0:443->443/tcp, 5000/tcp   registry
[root@server3 ~]# docker login westos.org
Username: admin
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/
Login Succeeded
[root@server3 ~]# docker logout westos.org
Removing login credentials for westos.org
Without credentials a push is refused:
[root@server3 ~]# docker push westos.org/rhel7
The push refers to repository [westos.org/rhel7]
18af9eb19b5f: Preparing
no basic auth credentials
[root@server3 ~]# docker push westos.org/nginx:v3
The push refers to repository [westos.org/nginx]
7eb94711c590: Preparing
cdb9e6fdd1dd: Preparing
ac047a8a6c70: Preparing
e16686814e10: Preparing
18af9eb19b5f: Preparing
no basic auth credentials
[root@server3 ~]# docker login westos.org
Username: admin
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/
Login Succeeded
[root@server3 ~]# docker push westos.org/nginx:v3
The push refers to repository [westos.org/nginx]
7eb94711c590: Pushed
cdb9e6fdd1dd: Pushed
ac047a8a6c70: Pushed
e16686814e10: Pushed
18af9eb19b5f: Pushed
v3: digest: sha256:ad7f1eadc6268d111c7c1763dd76943e4c1f831f59bde82796bc351b894526b5 size: 1366
Basic auth is only acceptable because the registry is behind TLS: the user name and password travel in every request, base64-encoded, not encrypted. The htpasswd backend also grants every listed user full pull and push access to every repository; per-repository permissions need a token server or a product such as Harbor.
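The registry just built can also be queried directly, which is the quickest way to check what it holds and that what it serves is what was pushed. The following is an added example (not the page's own code and not part of the registry project) that talks to the v2 API over TLS with the copied ca.crt pinned and the htpasswd login sent as Basic auth, and verifies the Docker-Content-Digest header by hashing the manifest bytes, the same value docker push and docker pull print as "digest". The registry URL, CA path and admin/westos login are the ones set up above; the manifest and JSON bodies in the offline part are constructed for the example.

```python
import base64
import hashlib
import json
import ssl
import urllib.request

MANIFEST_V2 = "application/vnd.docker.distribution.manifest.v2+json"

# Values for the registry built on this page; change them for another deployment.
REGISTRY = "https://westos.org"
CA_FILE = "/etc/docker/certs.d/westos.org/ca.crt"


def manifest_digest(body):
    """Digest of the raw manifest bytes, in the form docker prints on push/pull."""
    return "sha256:" + hashlib.sha256(body).hexdigest()


def digest_matches(body, claimed):
    """True if the bytes hash to the claimed digest."""
    return manifest_digest(body) == claimed


def check_digest(body, claimed):
    """Verify manifest bytes against the digest the server claims (or the one
    recorded from the push); a mismatch means tampering or a broken proxy."""
    if not digest_matches(body, claimed):
        raise ValueError(f"digest mismatch: got {manifest_digest(body)}, expected {claimed}")
    return claimed


def parse_catalog(body):
    """Repositories from a GET /v2/_catalog response body."""
    return json.loads(body)["repositories"]


def parse_tags(body):
    """Tags from a GET /v2/<name>/tags/list response body."""
    return json.loads(body)["tags"]


def _get(path, user=None, password=None, accept=None, base=REGISTRY, cafile=CA_FILE):
    """GET <base>/v2/<path> over TLS with the registry's CA pinned and Basic auth."""
    req = urllib.request.Request(f"{base}/v2/{path}")
    if accept:
        req.add_header("Accept", accept)
    if user is not None:
        cred = base64.b64encode(f"{user}:{password}".encode()).decode()
        req.add_header("Authorization", f"Basic {cred}")
    # Trust only the self-signed ca.crt; host name verification stays on.
    ctx = ssl.create_default_context(cafile=cafile)
    with urllib.request.urlopen(req, context=ctx) as resp:
        return resp.read(), resp.headers


def list_repositories(**auth):
    body, _ = _get("_catalog", **auth)
    return parse_catalog(body)


def list_tags(repo, **auth):
    body, _ = _get(f"{repo}/tags/list", **auth)
    return parse_tags(body)


def get_manifest(repo, reference, **auth):
    """Fetch a manifest and verify the Docker-Content-Digest header over its bytes."""
    body, headers = _get(f"{repo}/manifests/{reference}", accept=MANIFEST_V2, **auth)
    digest = check_digest(body, headers.get("Docker-Content-Digest"))
    return json.loads(body), digest


if __name__ == "__main__":
    # Offline demonstration on a constructed manifest; the list_*/get_manifest
    # functions above contact the real registry, e.g.
    # get_manifest("nginx", "v3", user="admin", password="westos").
    sample = json.dumps({"schemaVersion": 2, "mediaType": MANIFEST_V2, "layers": []}).encode()
    print(check_digest(sample, manifest_digest(sample)))
```

The Accept header matters: without it the registry converts the manifest to the older schema 1 format on the fly, and the bytes (and therefore the digest) will not match what docker push reported.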
Connecting from a remote host
Start another virtual machine, install Docker and start it.
The host name must resolve:
[root@server2 docker包]# cat /etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
172.25.0.1  server1
172.25.0.2  server2
172.25.0.3  server3 westos.org
172.25.0.4  server4
172.25.0.5  server5
172.25.0.6  server6
172.25.0.7  server7
172.25.0.8  server8
[root@server2 docker包]# ping westos.org
PING server3 (172.25.0.3) 56(84) bytes of data.
64 bytes from server3 (172.25.0.3): icmp_seq=1 ttl=64 time=0.397 ms
The client also needs the CA certificate, which can be copied from server3:
[root@server3 ~]# cd /etc/docker/
[root@server3 docker]# ls
certs.d  daemon.json  key.json
[root@server3 docker]# scp -r certs.d/ server2:/etc/docker/
The authenticity of host 'server2 (172.25.0.2)' can't be established.
ECDSA key fingerprint is 67:9d:41:df:c9:b5:0e:f3:e1:30:72:c7:c9:07:69:e0.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'server2,172.25.0.2' (ECDSA) to the list of known hosts.
root@server2's password:
ca.crt                                        100% 2098     2.1KB/s   00:00
[root@server2 docker包]# cd /etc/docker/
[root@server2 docker]# ls
certs.d  key.json
Only the certificate (ca.crt) is distributed to clients; the private key westos.org.key stays on the registry host.
Authenticate first, then pull:
[root@server2 certs.d]# docker login westos.org
Username: admin
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/
Login Succeeded
[root@server2 certs.d]# docker pull westos.org/nginx
Using default tag: latest
Error response from daemon: manifest for westos.org/nginx:latest not found
Only the v3 tag was pushed, so the default latest tag does not exist; pull the tag explicitly:
[root@server2 certs.d]# docker pull westos.org/nginx:v3
v3: Pulling from nginx
48f5bbc9baf5: Pull complete
15f1fc4f91e0: Pull complete
98331229c5fd: Pull complete
4c7f36e2f886: Pull complete
df58a187e237: Pull complete
Digest: sha256:ad7f1eadc6268d111c7c1763dd76943e4c1f831f59bde82796bc351b894526b5
Status: Downloaded newer image for westos.org/nginx:v3
The digest matches the one printed when the image was pushed from server3.
Test that it runs:
[root@server2 certs.d]# docker run -d --name nginx -p 80:80 westos.org/nginx:v3
299df76d6167d789883a1b7bdb9e338659f49be2e146bd4098e409a7f35d6a02
[root@server2 certs.d]# docker ps
CONTAINER ID   IMAGE                 COMMAND                  CREATED         STATUS         PORTS                NAMES
299df76d6167   westos.org/nginx:v3   "/usr/local/nginx/sb…"   9 seconds ago   Up 8 seconds   0.0.0.0:80->80/tcp   nginx
We also want a web page for browsing the registry
[root@server3 docker]# docker pull hyper/docker-registry-web
Using default tag: latest
latest: Pulling from hyper/docker-registry-web
04c996abc244: Pull complete
d394d3da86fe: Pull complete
bac77aae22d4: Pull complete
b48b86b78e97: Pull complete
09b3dd842bf5: Pull complete
69f4c5394729: Pull complete
b012980650e9: Pull complete
7c7921c6fda1: Pull complete
e20331c175ea: Pull complete
40d5e82892a5: Pull complete
a414fa9c865a: Pull complete
0304ae3409f3: Pull complete
13effc1a664f: Pull complete
e5628d0e6f8c: Pull complete
0b0e130a3a52: Pull complete
d0c73ab65cd2: Pull complete
240c0b145309: Pull complete
f1fd6f874e5e: Pull complete
40b5e021928e: Pull complete
88a8c7267fbc: Pull complete
f9371a03010e: Pull complete
Digest: sha256:723ffa29aed2c51417d8bd32ac93a1cd0e7ef857a0099c1e1d7593c09f7910ae
Status: Downloaded newer image for hyper/docker-registry-web:latest
https://github.com/mkuchin/docker-registry-web
The web UI needs the registry credentials in the same base64 "user:password" form that config.json stores, so take the westos.org entry from there:
[root@server3 ~]# cat .docker/config.json
{
	"auths": {
		"": {
			"auth": "ZGFuZ2Rhbmd3ZXN0b3M6ZGFuZ2Rhbmc="
		},
		"https://index.docker.io/v1/": {
			"auth": "ZGFuZ2Rhbmd3ZXN0b3M6ZGFuZ2Rhbmc="
		},
		"westos.org": {
			"auth": "YWRtaW46d2VzdG9z"
		}
	},
	"HttpHeaders": {
		"User-Agent": "Docker-Client/18.09.6 (linux)"
	}
}
[root@server3 ~]# docker run -d -p 8080:8080 --name registry-web --link registry:westos.org \
-e REGISTRY_URL=https://westos.org/v2 \
-e REGISTRY_TRUST_ANY_SSL=true \
-e REGISTRY_BASIC_AUTH="YWRtaW46d2VzdG9z" \
-e REGISTRY_NAME=westos.org:443 hyper/docker-registry-web
Test in a browser: http://172.25.0.3:8080/
Two things to be aware of with this setup. REGISTRY_TRUST_ANY_SSL=true makes the UI skip certificate verification when it talks to the registry; mounting ca.crt into the container and trusting it would be the proper fix. REGISTRY_BASIC_AUTH puts the admin credentials into the container environment, where docker inspect shows them, and the UI itself listens on plain HTTP port 8080 without any login, so anyone who can reach that port browses the registry with the admin account.
docker-compose
Harbor is the recommended thing to study next.
Compose is a tool for defining and running multi-container Docker applications. With Compose you describe all the services your application needs in a YAML file, and a single command creates and starts them all from that configuration. Using Compose takes three steps: define the application's environment with a Dockerfile; define the services that make up the application in docker-compose.yml so they run together in an isolated environment; finally run docker-compose up to start the whole application.
Docker Compose is an official open-source Docker project for quickly orchestrating groups of Docker containers. It organizes what it manages into three layers: project, service and container. All files in the directory Compose runs in (docker-compose.yml, extends files, environment files and so on) form one project; unless specified otherwise the project name is the directory name. A project can contain several services, each defining the image, parameters and dependencies of the containers it runs, and a service can run several container instances. Compose does not do load balancing, so service discovery and load balancing need other tools. The project configuration file defaults to docker-compose.yml and can be overridden with the COMPOSE_FILE environment variable or the -f option; it defines several interdependent services and the containers each of them runs. A Dockerfile template makes it easy to define a single application container, but in practice several containers often have to cooperate on one task: a web project needs the web service container itself, usually a backend database container, and perhaps a load-balancer container as well. Compose lets you define such a group of related containers as one project in a single docker-compose.yml template (YAML). Compose is written in Python and drives containers through the Docker API, so it can orchestrate on any platform that exposes that API.
An example docker-compose.yml:
version: '3'
services:
  web:
    build: .
    ports:
      - "5000:5000"
    volumes:
      - .:/code
      - logvolume01:/var/log
    links:
      - redis
  redis:
    image: redis
volumes:
  logvolume01: {}
https://docs.docker.com/compose/install/
Deploying docker-compose
Download the binary and make it executable:
[root@docker ~]# curl -L "https://github.com/docker/compose/releases/download/1.24.1/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   617    0   617    0     0    109      0 --:--:--  0:00:05 --:--:--   172
100 15.4M  100 15.4M    0     0   100k      0  0:02:37  0:02:37 --:--:--  117k
chmod +x /usr/local/bin/docker-compose
ln -s /usr/local/bin/docker-compose /usr/bin/docker-compose
docker-compose --version
Before making the file executable, compare it against the checksum published with the release on GitHub; a binary fetched with curl -L and then run as root is otherwise trusted purely on the strength of the download.
Setting up Harbor
tar zxf harbor-online-installer-v1.8.2.tgz
cd harbor/
vim harbor.yml
hostname: westos.org

https:
  port: 443
  certificate: /root/certs/westos.org.crt
  private_key: /root/certs/westos.org.key

harbor_admin_password: westos

database:
  password: westos
./prepare
./install.sh
Both passwords above are the weak lab values; harbor_admin_password is what you log in with on the web UI, so set real ones before anyone else can reach the host. The same certificate and key as before are reused, so clients that already trust ca.crt under /etc/docker/certs.d/westos.org/ keep working.
Check the container state:
docker ps -a
docker-compose ps
Add the host entry on your workstation, then open https://westos.org/ in a browser.
docker login westos.org
docker tag rhel7:latest westos.org/library/rhel7
docker push westos.org/library/rhel7