• Container cloud ---- docker-registry + docker-registry-web (image registry + image registry management UI)



    1. Set up the environment

    Pull the registry images

    docker pull registry:2.4.1

    docker pull hyper/docker-registry-web

    Configure hostname resolution

    vim  /etc/hosts

    172.22.6.241  docker-registry

    2. Create the image registry

    Certificate authentication:

    Create the directory that holds the certificate

    mkdir /opt/docker/data/registry_dir/certs -p

    Create a self-signed certificate

    openssl req -new -newkey rsa:4096 -days 365 -subj "/CN=docker-registry" -nodes -x509 -keyout /opt/docker/data/registry_dir/certs/auth.key -out /opt/docker/data/registry_dir/certs/auth.cert

    Create the image registry with certificate authentication

    docker run -d -p 5000:5000 --restart=always --name registry-srv \
      -v /opt/docker/data/registry_dir/registry:/var/lib/registry/ \
      -v /opt/docker/data/registry_dir/certs:/certs \
      -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/auth.cert \
      -e REGISTRY_HTTP_TLS_KEY=/certs/auth.key \
      registry:2.4.1

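    Access the registry

    # --insecure skips verification of the self-signed certificate
    curl https://docker-registry:5000/v2/_catalog --insecure

    Try pushing an image to the registry

    docker  push  docker-registry:5000/busybox:latest

    The following error appears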

    unable to ping registry endpoint https:/docker-registry:5000/v0/

    v2 ping attempt failed with error: Get https://mydockerhub.com:5000/v2/: x509: certificate signed by unknown authority

    v1 ping attempt failed with error: Get https://mydockerhub.com:5000/v1/_ping: x509: certificate signed by unknown authority

    This is because the certificate has not been installed on the node yet.

    Install the certificate on the node

    mkdir /etc/docker/certs.d/docker-registry:5000/ -p

    cp /opt/docker/data/registry_dir/certs/auth.cert  /etc/docker/certs.d/docker-registry:5000/ca.crt

    systemctl daemon-reload

    systemctl restart docker

    Try pushing the image again

    docker  push  docker-registry:5000/busybox:latest

    The push refers to a repository [docker-registry:5000/busybox]
    8a788232037e: Layer already exists
    latest: digest: sha256:e2d9acbe92a6def141a9f9f2584468206735308df6a696430e25947882385fb2 size: 527
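Before copying auth.cert to ca.crt on a node as above, the certificate can be checked for the registry hostname, its remaining lifetime and a subjectAltName. This is an added example, not part of the original article; the function names are hypothetical and OpenSSL 1.1.1 or later is assumed.

```shell
#!/bin/sh
# Added example: vet a registry certificate before trusting it on a node.

# SHA-256 fingerprint of a PEM certificate file.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# SHA-256 fingerprint of the certificate a live registry presents (needs network).
served_fingerprint() {    # $1 = host, $2 = port
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null |
        openssl x509 -noout -fingerprint -sha256 | cut -d= -f2
}

# check_registry_cert FILE HOST [MIN_DAYS]
# Returns 0 = usable, 1 = name mismatch, 2 = expires within MIN_DAYS,
#         3 = matches only through the legacy CN (no subjectAltName).
check_registry_cert() {
    cert=$1 host=$2 min_days=${3:-30}
    # -checkhost reports in its output, not its exit status, so grep for it.
    openssl x509 -in "$cert" -noout -checkhost "$host" |
        grep -q "does match certificate" || return 1
    # -checkend exits non-zero if the certificate expires within N seconds.
    openssl x509 -in "$cert" -noout -checkend $((min_days * 86400)) >/dev/null ||
        return 2
    # Docker built with Go 1.15 or later ignores the CN and requires a SAN.
    openssl x509 -in "$cert" -noout -text |
        grep -q "Subject Alternative Name" || return 3
    return 0
}

# Constructed sample: a throwaway certificate like the one in this article,
# plus a subjectAltName (-addext needs OpenSSL 1.1.1 or later).
make_sample_cert() {      # $1 = output dir, $2 = host, $3 = days
    openssl req -new -newkey rsa:2048 -days "$3" -nodes -x509 \
        -subj "/CN=$2" -addext "subjectAltName=DNS:$2" \
        -keyout "$1/auth.key" -out "$1/auth.cert" 2>/dev/null
}
```

On a node, compare `cert_fingerprint /etc/docker/certs.d/docker-registry:5000/ca.crt` with `served_fingerprint docker-registry 5000`; a mismatch means the node trusts a different certificate from the one the registry serves.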

    Certificate + password authentication:

    Create the directory that holds the password file

    mkdir  /opt/docker/data/registry_dir/auth/ -p

    Create the password file

    docker run --entrypoint htpasswd registry:2.4.1 -Bbn linkcm 123456 > /opt/docker/data/registry_dir/auth/htpasswd

    Start the registry with certificate + password authentication:

    docker run -d -p 5000:5000 --restart=always --name registry-srv \
      -v /opt/docker/data/registry_dir/registry:/var/lib/registry/ \
      -v /opt/docker/data/registry_dir/certs:/certs \
      -v /opt/docker/data/registry_dir/auth:/auth \
      -e REGISTRY_AUTH=htpasswd \
      -e REGISTRY_AUTH_HTPASSWD_REALM=Registry_Realm \
      -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd \
      -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/auth.cert \
      -e REGISTRY_HTTP_TLS_KEY=/certs/auth.key \
      registry:2.4.1

    Try pushing an image to the registry

    docker  push  docker-registry:5000/busybox:latest

    https://docker-registry:5000/v2/tonybai/busybox/blobs/sha256:a3ed95caeb02ffe68cdd9fd84406680ae93d633cb16422d00e8a7c22955b46d4: no basic auth credentials

    This is because we have not logged in with docker yet.

    Log in with docker

    docker  login  docker-registry:5000

    username:test

    password:

    login  succeed!

    Try pushing the image to the registry again

    docker  push  docker-registry:5000/busybox:latest

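    3. Create the image registry management UI

    This method assumes the registry runs in certificate-only mode; for a registry that also requires password authentication, please search online for the setup.

    # REGISTRY_TRUST_ANY_SSL=true: the web UI does not verify the registry's self-signed certificate
    docker run -d -p 8080:8080 --name registry-web --link registry-srv \
      -e REGISTRY_URL=https://registry-srv:5000/v2 \
      -e REGISTRY_TRUST_ANY_SSL=true \
      -e REGISTRY_NAME=localhost:5000 \
      hyper/docker-registry-web

    Access the image registry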

    http://172.22.6.241:8080/

  • Original article: https://www.cnblogs.com/QicongLiang/p/docker.html