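Docker registry: private repository
There is no need to build a private registry from scratch; starting one container from the officially packaged registry image is enough.
Related commands:
1: docker push xx.xxx.com/google_containers/busybox # upload an image to the private registry
2: docker pull xxx.xxx.com/google_containers/busybox # download the busybox image from the private registry to the local machine
# Plain registry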
docker run -d -p 5000:5000 --restart=always --name registry -v /opt/myregistry:/var/lib/registry registry
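--restart=always # whenever the Docker service restarts, this container is started again automatically
--name registry # the container name shown by docker ps -a once it is running
-v /opt/myregistry:/var/lib/registry # mount the host directory /opt/myregistry onto /var/lib/registry inside the container
registry # image name
# Start the docker registry container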
[root@k8s129 ~]# docker run -d -p 5000:5000 --restart=always --name registry -v /opt/myregistry:/var/lib/registry registry
Unable to find image 'registry:latest' locally
latest: Pulling from library/registry
c87736221ed0: Pull complete
1cc8e0bb44df: Pull complete
54d33bcb37f5: Pull complete
e8afc091c171: Pull complete
b4541f6d3db6: Pull complete
Digest: sha256:8004747f1e8cd820a148fb7499d71a76d45ff66bac6a29129bfdbfdc0154d146
Status: Downloaded newer image for registry:latest
3a7fee0d5a3cebbb9c43d60c430e774d86e16fa314350cf7b6f710e5fc2341ad
[root@k8s129 ~]# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
3a7fee0d5a3c registry "/entrypoint.sh /etc…" 53 seconds ago Up 52 seconds 0.0.0.0:5000->5000/tcp registry
[root@k8s129 ~]#
How to upload an image to the private registry we just started:
1: tag
2: push
# Tag
[root@k8s129 ~]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
busybox latest 19485c79a9bb 8 weeks ago 1.22MB
registry latest f32a97de94e1 8 months ago 25.8MB
# docker tag source-image:version private-registry-address/image-name:version (the version defaults to the source's)
[root@k8s129 ~]# docker tag busybox:latest 192.168.6.129:5000/busybox:latest
[root@k8s129 ~]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
192.168.6.129:5000/busybox latest 19485c79a9bb 8 weeks ago 1.22MB
busybox latest 19485c79a9bb 8 weeks ago 1.22MB
registry latest f32a97de94e1 8 months ago 25.8MB
[root@k8s129 ~]#
# Push the image just tagged to the private registry
[root@k8s129 ~]# docker push 192.168.6.129:5000/busybox:latest (this fails because docker uses HTTPS by default)
The push refers to repository [192.168.6.129:5000/busybox]
Get https://192.168.6.129:5000/v2/: http: server gave HTTP response to HTTPS client
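# Edit the configuration file and add one line that trusts the private registry: "insecure-registries": ["192.168.6.129:5000"] (the daemon will then accept plain HTTP or an unverified certificate for that address)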
[root@k8s129 ~]# cat /etc/docker/daemon.json
{
"registry-mirrors": ["https://aeckruos.mirror.aliyuncs.com"], # note the trailing comma here (this note is not part of the file; daemon.json is plain JSON and takes no comments)
"insecure-registries": ["192.168.6.129:5000"]
}
[root@k8s129 ~]# systemctl restart docker.service # restart docker
[root@k8s129 ~]# docker push 192.168.6.129:5000/busybox:latest # upload
The push refers to repository [192.168.6.129:5000/busybox]
6c0ea40aef9d: Pushed
latest: digest: sha256:dd97a3fe6d721c5cf03abac0f50e2848dc583f7c4e41bf39102ceb42edfd1808 size: 527
[root@k8s129 repositories]# pwd # in the registry's storage directory, the image has been uploaded
/opt/myregistry/docker/registry/v2/repositories
[root@k8s129 repositories]# ls
busybox
# Check whether another machine can pull the image just pushed, using docker pull
[root@k8s130 ~]# docker pull 192.168.6.129:5000/busybox:latest # note: /etc/docker/daemon.json on this machine needs the same setting
latest: Pulling from busybox
Digest: sha256:dd97a3fe6d721c5cf03abac0f50e2848dc583f7c4e41bf39102ceb42edfd1808
Status: Image is up to date for 192.168.6.129:5000/busybox:latest
192.168.6.129:5000/busybox:latest
[root@k8s130 ~]#
# Right now anyone can push images to our private registry, which is not secure, so we set up password authentication.
# Registry with basic authentication
[root@k8s129 ~]# yum install httpd-tools -y
[root@k8s129 ~]# mkdir /opt/registry-var/auth/ -p
[root@k8s129 ~]# htpasswd -Bbn xujin 123456 >> /opt/registry-var/auth/htpasswd
[root@k8s129 auth]# cat /opt/registry-var/auth/htpasswd
xujin:$2y$05$daHhmHOs7h7BsOHirUjaHO5xJ2QycWl5bFpXbwZx2vnPQphhaKXf6
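# The registry container was started earlier without authentication, so all containers on this host are force-removed here (docker ps -a -q lists every container, not only the registry).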
[root@k8s129 auth]# docker rm -f `docker ps -a -q`
3a7fee0d5a3c
.......
[root@k8s129 auth]# docker run -d -p 5000:5000 --restart=always -v /opt/registry-var/auth/:/auth/ -v /opt/myregistry:/var/lib/registry -e "REGISTRY_AUTH=htpasswd" -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd registry
69c6617b88fc9d6a6fb7ddb07cba06d8674d3541deed42607f4261fab25edba6
[root@k8s129 auth]# docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
69c6617b88fc registry "/entrypoint.sh /etc…" 7 seconds ago Up 4 seconds 0.0.0.0:5000->5000/tcp nostalgic_stonebraker
[root@k8s129 auth]#
# Try to pull an image: it fails with a message that there are no credentials
[root@k8s129 auth]# docker pull 192.168.6.129:5000/nginx1:v1.1
Error response from daemon: Get http://192.168.6.129:5000/v2/nginx1/manifests/v1.1: no basic auth credentials
# Log in
[root@k8s129 auth]# docker login 192.168.6.129:5000 # without naming our private registry, docker login connects to the official one by default
Username: xujin
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json. # note this file: the login credentials are stored here; after deleting it manually you must log in again
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
# Pull again: success
[root@k8s129 auth]# docker pull 192.168.6.129:5000/nginx1:v1.1
v1.1: Pulling from nginx1
Digest: sha256:224f1b76ad5d6d5878c2dccba5b3dcc8e9a263ff04efdf0f8e0ef8f68c208a44
Status: Image is up to date for 192.168.6.129:5000/nginx1:v1.1
192.168.6.129:5000/nginx1:v1.1
# Push (upload) also succeeds
[root@k8s129 auth]# docker tag busybox:latest 192.168.6.129:5000/busybox:latest
[root@k8s129 auth]# docker push 192.168.6.129:5000/busybox:latest
The push refers to repository [192.168.6.129:5000/busybox]
1da8e4c8d307: Pushed
latest: digest: sha256:679b1c1058c1f2dc59a3ee70eed986a88811c0205c8ceea57cec5f22d2c3fbb1 size: 527
[root@k8s129 auth]#
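An added audit example (not part of the original notes) tying together the insecure-registries entry in daemon.json and the unencrypted-password warning from docker login: it reports which registries have credentials stored inline in config.json and are also reached without verified TLS. The file contents, the demo account and the example.invalid hosts are constructed samples.

```python
import base64
import json

# Constructed samples mirroring the two files shown on this page (values are made up).
DAEMON_JSON = """{
  "registry-mirrors": ["https://mirror.example.invalid"],
  "insecure-registries": ["192.168.6.129:5000"]
}"""
# Without a credential helper, docker login stores "auth" = base64("user:password").
CONFIG_JSON = json.dumps({
    "auths": {
        "192.168.6.129:5000": {"auth": base64.b64encode(b"demo:demo-pass").decode()},
        "registry.example.invalid": {},
    },
    "credHelpers": {"registry.example.invalid": "pass"},
})


def audit_daemon(text):
    """Registries the daemon will contact over HTTP or without certificate checks."""
    return sorted(json.loads(text).get("insecure-registries", []))


def audit_client(text):
    """Map registry -> username for credentials stored inline in config.json."""
    exposed = {}
    for registry, entry in json.loads(text).get("auths", {}).items():
        blob = entry.get("auth")
        if not blob:
            continue  # empty entry: the secret is held by a credential helper
        user, _, _password = base64.b64decode(blob).decode().partition(":")
        exposed[registry] = user  # report the account, never the password
    return exposed


def cleartext_logins(daemon_text, client_text):
    """Registries that are both insecure and have inline credentials: every
    request to them carries the same base64 pair in an Authorization header."""
    insecure = set(audit_daemon(daemon_text))
    return sorted(r for r in audit_client(client_text) if r in insecure)


if __name__ == "__main__":
    print("insecure registries:", audit_daemon(DAEMON_JSON))
    print("inline credentials :", audit_client(CONFIG_JSON))
    print("sent in cleartext  :", cleartext_logins(DAEMON_JSON, CONFIG_JSON))
```

Serving the registry over TLS removes the need for the insecure-registries entry, and a credential helper removes the inline auth value.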
List the images in the private registry:
Open in a browser:
http://192.168.6.129:5000/v2/_catalog
List the tags of an image in the private registry:
Open in a browser:
http://192.168.6.129:5000/v2/nginx/tags/list
Deleting an image from the private registry
1) Enter the docker registry container
docker exec -it registry /bin/sh
2) Delete the repo
rm -fr /var/lib/registry/docker/registry/v2/repositories/nginx
3) Clean up the blobs
registry garbage-collect /etc/docker/registry/config.yml
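An added example (not part of the original notes, and not the registry's own code) modelling why step 3 is needed: deleting the repository directory only removes references, while the blobs stay on disk until a mark-and-sweep pass finds them unreferenced. The model is simplified: manifests contain only a "layers" list, repository names are single-level, and the sample layers are constructed byte strings.

```python
import hashlib, json, os, shutil, tempfile

V2 = "docker/registry/v2"  # layout under /opt/myregistry, as seen on this page
BLOBS = V2 + "/blobs/sha256"

def put_blob(root, data):
    """Store bytes content-addressed (blobs/sha256/<2 hex>/<hex>/data); return the digest."""
    hexd = hashlib.sha256(data).hexdigest()
    path = os.path.join(root, BLOBS, hexd[:2], hexd)
    os.makedirs(path, exist_ok=True)
    with open(os.path.join(path, "data"), "wb") as f:
        f.write(data)
    return "sha256:" + hexd

def push(root, repo, layers):
    """Constructed stand-in for docker push: layer blobs, a manifest blob, a revision entry."""
    body = json.dumps({"layers": [{"digest": put_blob(root, x)} for x in layers]})
    digest = put_blob(root, body.encode())
    os.makedirs(os.path.join(root, V2, "repositories", repo,
                             "_manifests/revisions/sha256", digest[7:]))

def unreferenced(root):
    """Mark every manifest and layer reachable from the remaining repositories,
    then return the stored blobs outside that set (what a sweep would delete)."""
    marked, repos = set(), os.path.join(root, V2, "repositories")
    for repo in os.listdir(repos):
        for hexd in os.listdir(os.path.join(repos, repo, "_manifests/revisions/sha256")):
            marked.add(hexd)
            with open(os.path.join(root, BLOBS, hexd[:2], hexd, "data")) as f:
                marked.update(x["digest"][7:] for x in json.load(f)["layers"])
    stored = {h for p in os.listdir(os.path.join(root, BLOBS))
              for h in os.listdir(os.path.join(root, BLOBS, p))}
    return sorted(stored - marked)

def demo():
    """Two repos share one layer; delete one repo directory as in step 2."""
    root = tempfile.mkdtemp()
    try:
        push(root, "busybox", [b"shared-base", b"busybox-only"])
        push(root, "nginx", [b"shared-base", b"nginx-only"])
        before = unreferenced(root)
        shutil.rmtree(os.path.join(root, V2, "repositories", "nginx"))
        after = unreferenced(root)
        nginx_only = hashlib.sha256(b"nginx-only").hexdigest()
        shared = hashlib.sha256(b"shared-base").hexdigest()
        return before, len(after), nginx_only in after, shared in after
    finally:
        shutil.rmtree(root)
```

In the model, the layer shared with busybox stays marked and survives; only the nginx manifest and its private layer become collectable.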