1. Deploy the base environment
Before studying this chapter, deploy a Docker environment by following this tutorial:
https://www.cmdschool.org/archives/2183
We also recommend studying the following chapters first:
https://www.cmdschool.org/archives/2276
https://www.cmdschool.org/archives/2288
https://www.cmdschool.org/archives/2296
https://www.cmdschool.org/archives/2307
2 Deploy Docker Registry
2.1 What a Registry is for
– Strictly control where images are stored
– Fully control the channels through which images are distributed
– Tightly integrate image storage and distribution into the internal development workflow
2.2 Start the Registry
docker run -d -p 5000:5000 --name registry registry:2
The output is as follows:
Unable to find image 'registry:2' locally
2: Pulling from library/registry
81033e7c1d6a: Pull complete
b235084c2315: Pull complete
c692f3a6894b: Pull complete
ba2177f3a70e: Pull complete
a8d793620947: Pull complete
Digest: sha256:672d519d7fd7bbc7a448d17956ebeefe225d5eb27509d8dc5ce67ecb4a0bce54
Status: Downloaded newer image for registry:2
995e6e9f3a918d320ab55e1c277637bee48e45a56b546bfa6f5206d8625c8552
2.3 Test the Registry
2.3.1 Pull a test image from the Hub
docker pull ubuntu
The output is as follows:
Using default tag: latest
latest: Pulling from library/ubuntu
a48c500ed24e: Pull complete
1e1de00ff7e1: Pull complete
0330ca45a200: Pull complete
471db38bcfbf: Pull complete
0b4aba487617: Pull complete
Digest: sha256:c8c275751219dadad8fa56b3ac41ca6cb22219ff117ca98fe82b42f24e1ba64e
Status: Downloaded newer image for ubuntu:latest
2.3.2 Tag the image for the local Registry
docker image tag ubuntu localhost:5000/myubuntu
2.3.3 Push the image to the local Registry
docker push localhost:5000/myubuntu
The output is as follows:
The push refers to repository [localhost:5000/myubuntu]
059ad60bcacf: Pushed
8db5f072feec: Pushed
67885e448177: Pushed
ec75999a0cb1: Pushed
65bdd50ee76a: Pushed
latest: digest: sha256:90f24abe180424046a5d53f6fc6f9fdb8f79b835cb2fd7d1a782e4c30dfb5dcc size: 1357
2.3.4 Pull the image from the local Registry
docker pull localhost:5000/myubuntu
The output is as follows:
Using default tag: latest
latest: Pulling from myubuntu
Digest: sha256:90f24abe180424046a5d53f6fc6f9fdb8f79b835cb2fd7d1a782e4c30dfb5dcc
Status: Image is up to date for localhost:5000/myubuntu:latest
2.3.5 Remove the local Registry and clean up its data
docker container stop registry && docker container rm -v registry
2.4 Startup-related configuration
2.4.1 Start the Registry automatically
docker run -d -p 5000:5000 --restart=always --name registry registry:2
2.4.2 Customize the published port
docker run -d -p 5001:5000 --name registry-test registry:2
2.4.3 Change the listening port
docker run -d -e REGISTRY_HTTP_ADDR=0.0.0.0:5001 -p 5001:5001 --name registry-test registry:2
2.4.4 Specify the storage location
docker run -d -p 5000:5000 --restart=always --name registry -v /mnt/registry:/var/lib/registry registry:2
2.5 Configure a TLS certificate
2.5.1 Stop the Registry
docker container stop registry
2.5.2 Remove the old Registry
docker container rm registry
2.5.3 Create the service with SSL
su - docker
cd /home/docker
docker run -d \
  --restart=always \
  --name registry \
  -v `pwd`/certs:/certs \
  -e REGISTRY_HTTP_ADDR=0.0.0.0:443 \
  -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/docker-m.cmdschool.org.crt \
  -e REGISTRY_HTTP_TLS_KEY=/certs/docker-m.cmdschool.org.key \
  -p 443:443 \
  registry:latest
Note:
– `pwd` stands for the current directory the command runs in (assumed here to be "/home/docker")
– the -v parameter is a directory mapping: it maps the container path "/certs" to the physical path "/home/docker/certs"
2.5.4 Apply for a Tencent Cloud certificate
https://cloud.tencent.com/product/ssl
Note: after the application above, use the Nginx-format certificate and save it to the certs directory under the current directory (assumed to be "/home/docker")
2.5.5 Restart the docker service
systemctl restart docker
2.5.6 Check that the service is running
su - docker
docker container ls -a
The following is displayed:
CONTAINER ID   IMAGE             COMMAND                  CREATED          STATUS          PORTS                            NAMES
666f1877d181   registry:latest   "/entrypoint.sh /etc…"   33 seconds ago   Up 32 seconds   0.0.0.0:443->443/tcp, 5000/tcp   registry
2.5.7 Test the service
Pull from the Hub to the server:
su - docker
ssh docker-n1
docker pull ubuntu:16.04
The output is as follows:
16.04: Pulling from library/ubuntu
b234f539f7a1: Pull complete
55172d420b43: Pull complete
5ba5bbeb6b91: Pull complete
43ae2841ad7a: Pull complete
f6c9c6de4190: Pull complete
Digest: sha256:fa9a4eb8f494fabe32d209a3983074451b60c45a9733c4543514a7bcd542e824
Status: Downloaded newer image for ubuntu:16.04
Tag the push destination:
docker tag ubuntu:16.04 docker-m.cmdschool.org/my-ubuntu
Push to the server:
docker push docker-m.cmdschool.org/my-ubuntu
The output is as follows:
The push refers to repository [docker-m.cmdschool.org/my-ubuntu]
2de391e51d73: Pushed
d73dd9e65295: Pushed
686245e78935: Pushed
d7ff1dc646ba: Pushed
644879075e24: Pushed
latest: digest: sha256:689aa49d87d325f951941d789f7f7c8fae3394490cbcf084144caddba9c1be12 size: 1357
2.6 Run as a service
2.6.1 Create a self-signed certificate
2.6.1.1 Method one
Declare environment variables:
su - docker
mkdir -p /data/docker/certs
certdir=/data/docker/certs
domain=docker-m.cmdschool.org
Create the certificate:
openssl req \
  -newkey rsa:2048 -nodes -keyout $certdir/$domain.key \
  -x509 -days 3650 -out $certdir/$domain.crt
The wizard is as follows:
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:GD
Locality Name (eg, city) [Default City]:DG
Organization Name (eg, company) [Default Company Ltd]:cmdschool
Organizational Unit Name (eg, section) []:cmdschool.org
Common Name (eg, your name or your server's hostname) []:docker-m.cmdschool.org
Email Address []:will@cmdschool.org
2.6.1.2 Method two
Declare environment variables:
su - docker
mkdir -p /data/docker/certs
certdir=/data/docker/certs
domain=docker-m.cmdschool.org
Create the RSA private key:
openssl genrsa -out $certdir/$domain.key 2048
Create the certificate signing request:
openssl req -new -key $certdir/$domain.key -out $certdir/$domain.csr
The wizard is as follows:
[…]
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:GD
Locality Name (eg, city) [Default City]:DG
Organization Name (eg, company) [Default Company Ltd]:cmdschool
Organizational Unit Name (eg, section) []:cmdschool.org
Common Name (eg, your name or your server's hostname) []:docker-m.cmdschool.org
Email Address []:will@cmdschool.org
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Sign the certificate:
openssl x509 -req -days 3650 -in $certdir/$domain.csr -signkey $certdir/$domain.key -out $certdir/$domain.crt
Back up the certificate (certificate and key bundled into one PEM file):
cat $certdir/$domain.crt $certdir/$domain.key > $certdir/$domain.pem
2.6.2 Configure certificate trust
2.6.2.1 Configure the certificate on docker-m
mkdir -p /etc/docker/certs.d/docker-m.cmdschool.org:5000
cp /data/docker/certs/docker-m.cmdschool.org.crt /etc/docker/certs.d/docker-m.cmdschool.org:5000/ca.crt
systemctl restart docker
2.6.2.2 Configure the certificate on docker-n1
ssh root@docker-n1 mkdir -p /etc/docker/certs.d/docker-m.cmdschool.org:5000
scp /data/docker/certs/docker-m.cmdschool.org.crt root@docker-n1:/etc/docker/certs.d/docker-m.cmdschool.org:5000/ca.crt
ssh root@docker-n1 systemctl restart docker
2.6.2.3 Configure the certificate on docker-n2
ssh root@docker-n2 mkdir -p /etc/docker/certs.d/docker-m.cmdschool.org:5000
scp /data/docker/certs/docker-m.cmdschool.org.crt root@docker-n2:/etc/docker/certs.d/docker-m.cmdschool.org:5000/ca.crt
ssh root@docker-n2 systemctl restart docker
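The certificates created in 2.6.1 carry only a Common Name; current Docker clients (Go TLS stack) match the registry hostname against the subjectAltName, so a CN-only certificate is rejected. The script below is an added example, not part of the original tutorial: it creates a self-signed registry certificate with a SAN, checks it the way the daemon will (self-verification, SAN contains the host, not expired) and installs it in the certs.d/<host:port> layout of 2.6.2. It assumes openssl 1.1.1 or later; the function names and the optional ROOT prefix are this example's own.

```shell
#!/bin/sh
# Added example (not from the original tutorial). Assumes openssl >= 1.1.1.
set -eu

# make_registry_cert CERTDIR DOMAIN [DAYS]
# Writes DOMAIN.key and DOMAIN.crt into CERTDIR. The SAN extension is
# what a modern (Go-based) Docker client matches the hostname against.
make_registry_cert() {
    certdir=$1; domain=$2; days=${3:-3650}
    mkdir -p "$certdir"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$days" \
        -keyout "$certdir/$domain.key" -out "$certdir/$domain.crt" \
        -subj "/C=CN/ST=GD/L=DG/O=cmdschool/CN=$domain" \
        -addext "subjectAltName=DNS:$domain" >/dev/null 2>&1
    chmod 600 "$certdir/$domain.key"   # private key readable by owner only
}

# check_registry_cert CERTFILE DOMAIN
# Returns 0 only if the certificate verifies against itself as a CA,
# lists DOMAIN in its SAN, and has not expired. Run it against
# /etc/docker/certs.d/<host:port>/ca.crt before restarting docker.
check_registry_cert() {
    crt=$1; domain=$2
    openssl verify -CAfile "$crt" "$crt" >/dev/null 2>&1 || return 1
    openssl x509 -in "$crt" -noout -ext subjectAltName 2>/dev/null \
        | grep -q "DNS:$domain" || return 1
    openssl x509 -in "$crt" -noout -checkend 0 >/dev/null 2>&1 || return 1
    return 0
}

# install_registry_ca CERTFILE HOST PORT [ROOT]
# Copies the certificate to ROOT/etc/docker/certs.d/HOST:PORT/ca.crt,
# the directory the daemon consults for that registry address.
# ROOT is a constructed prefix for testing; leave it empty on a real host.
install_registry_ca() {
    crt=$1; host=$2; port=$3; root=${4:-}
    dest="$root/etc/docker/certs.d/$host:$port"
    mkdir -p "$dest"
    cp "$crt" "$dest/ca.crt"
    printf '%s\n' "$dest/ca.crt"
}
```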
2.6.3 Store the TLS certificate and private key as secrets
certdir=/data/docker/certs
domain=docker-m.cmdschool.org
cd $certdir
docker secret create $domain.crt $certdir/$domain.crt
docker secret create $domain.key $certdir/$domain.key
Check the stored secrets:
docker secret ls
The output is as follows:
ID                          NAME                         DRIVER   CREATED          UPDATED
yv7ctzbav3b5e4jjoszd90kms   docker-m.cmdschool.org.crt            14 seconds ago   14 seconds ago
r26i0fcs6fnn646dq7fgju8yl   docker-m.cmdschool.org.key            14 seconds ago   14 seconds ago
2.6.4 Label the node that will run the service
docker node update --label-add registry=true docker-m.cmdschool.org
2.6.5 Remove the previous Registry
docker service ls
docker service rm registry
2.6.6 Create the directory to be mounted
mkdir -p /data/docker/registry
2.6.7 Create the service
docker service create \
  --name registry \
  --secret docker-m.cmdschool.org.crt \
  --secret docker-m.cmdschool.org.key \
  --constraint 'node.labels.registry==true' \
  --mount type=bind,src=/data/docker/registry,dst=/var/lib/registry \
  -e REGISTRY_HTTP_ADDR=0.0.0.0:443 \
  -e REGISTRY_HTTP_TLS_CERTIFICATE=/run/secrets/docker-m.cmdschool.org.crt \
  -e REGISTRY_HTTP_TLS_KEY=/run/secrets/docker-m.cmdschool.org.key \
  --publish published=5000,target=443 \
  --replicas 1 \
  registry:latest
Note: in the service above,
– the --secret parameters grant the service access to the two secrets
– the --constraint parameter restricts the service to run only on nodes carrying the label
– the --replicas parameter specifies that only one replica runs at a time
– the --mount parameter
— mounts the /data/docker/registry directory onto /var/lib/registry of the cluster node
— requires /data/docker/registry to be created in advance on the running node
After execution the output is as follows:
wg5j49vv218370aq4qcsj82r7
overall progress: 1 out of 1 tasks
1/1: running   [==================================================>]
verify: Service converged
2.6.8 Test the service
Pull from the Hub to the server:
su - docker
ssh docker-n1
docker pull ubuntu:16.04
The output is as follows:
16.04: Pulling from library/ubuntu
b234f539f7a1: Pull complete
55172d420b43: Pull complete
5ba5bbeb6b91: Pull complete
43ae2841ad7a: Pull complete
f6c9c6de4190: Pull complete
Digest: sha256:fa9a4eb8f494fabe32d209a3983074451b60c45a9733c4543514a7bcd542e824
Status: Downloaded newer image for ubuntu:16.04
Tag the push destination:
docker tag ubuntu:16.04 docker-m.cmdschool.org:5000/my-ubuntu
Push to the server:
docker push docker-m.cmdschool.org:5000/my-ubuntu
The output is as follows:
The push refers to repository [docker-m.cmdschool.org:5000/my-ubuntu]
2de391e51d73: Pushed
d73dd9e65295: Pushed
686245e78935: Pushed
d7ff1dc646ba: Pushed
644879075e24: Pushed
latest: digest: sha256:689aa49d87d325f951941d789f7f7c8fae3394490cbcf084144caddba9c1be12 size: 1357