如何熟悉与部署Docker注册(Registry)?

Docker

1. 部署基础环境

学习本章,请先按照如下教程部署Docker环境,
https://www.cmdschool.org/archives/2183
另外,我们还建议你先学习以下章节,
https://www.cmdschool.org/archives/2276
https://www.cmdschool.org/archives/2288
https://www.cmdschool.org/archives/2296
https://www.cmdschool.org/archives/2307

2 部署Docker Registry

2.1 Registry的作用

– 严格控制镜像的存储位置
– 完全掌控镜像的分配渠道
– 可紧密将镜像的存储与分发紧密集成到内部开发工作流中

2.2 启用Registry

docker run -d -p 5000:5000 --name registry registry:2

显示如下:

Unable to find image 'registry:2' locally
2: Pulling from library/registry
81033e7c1d6a: Pull complete
b235084c2315: Pull complete
c692f3a6894b: Pull complete
ba2177f3a70e: Pull complete
a8d793620947: Pull complete
Digest: sha256:672d519d7fd7bbc7a448d17956ebeefe225d5eb27509d8dc5ce67ecb4a0bce54
Status: Downloaded newer image for registry:2
995e6e9f3a918d320ab55e1c277637bee48e45a56b546bfa6f5206d8625c8552

2.3 测试Registry

2.3.1 从Hub拉取测试镜像

docker pull ubuntu

显示如下:

Using default tag: latest
latest: Pulling from library/ubuntu
a48c500ed24e: Pull complete
1e1de00ff7e1: Pull complete
0330ca45a200: Pull complete
471db38bcfbf: Pull complete
0b4aba487617: Pull complete
Digest: sha256:c8c275751219dadad8fa56b3ac41ca6cb22219ff117ca98fe82b42f24e1ba64e
Status: Downloaded newer image for ubuntu:latest

2.3.2 标记镜像到本地的Registry

docker image tag ubuntu localhost:5000/myubuntu

2.3.3 推送镜像到本地的Registry

docker push localhost:5000/myubuntu

显示如下:

The push refers to repository [localhost:5000/myubuntu]
059ad60bcacf: Pushed
8db5f072feec: Pushed
67885e448177: Pushed
ec75999a0cb1: Pushed
65bdd50ee76a: Pushed
latest: digest: sha256:90f24abe180424046a5d53f6fc6f9fdb8f79b835cb2fd7d1a782e4c30dfb5dcc size: 1357

2.3.4 从本地Registry拉取镜像

docker pull localhost:5000/myubuntu

显示如下:

Using default tag: latest
latest: Pulling from myubuntu
Digest: sha256:90f24abe180424046a5d53f6fc6f9fdb8f79b835cb2fd7d1a782e4c30dfb5dcc
Status: Image is up to date for localhost:5000/myubuntu:latest

2.3.5 删除本地Registry并清理数据

docker container stop registry && docker container rm -v registry

2.4 启动相关配置

2.4.1 自动启动Registry

docker run -d -p 5000:5000 --restart=always --name registry registry:2

2.4.2 自定义发布的端口

docker run -d -p 5001:5000 --name registry-test registry:2

2.4.3 更改倾听的端口

docker run -d -e REGISTRY_HTTP_ADDR=0.0.0.0:5001 -p 5001:5001 --name registry-test registry:2

2.4.4 指定存储的位置

docker run -d -p 5000:5000 --restart=always --name registry -v /mnt/registry:/var/lib/registry registry:2

2.5 配置TLS证书

2.5.1 停止Registry

docker container stop registry

2.5.2 删除旧的Registry

docker container rm registry

2.5.3 创建带SSL的服务

su - docker
cd /home/docker
docker run -d \
  --restart=always \
  --name registry \
  -v `pwd`/certs:/certs \
  -e REGISTRY_HTTP_ADDR=0.0.0.0:443 \
  -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/docker-m.cmdschool.org.crt \
  -e REGISTRY_HTTP_TLS_KEY=/certs/docker-m.cmdschool.org.key \
  -p 443:443 \
  registry:latest

注:
– `pwd`代表运行程序的当前目录(假设当前目录为“/home/docker”)
– v参数是使用目录映射,将docker的路径“/certs”映射到物理路径“/home/docker/certs”

2.5.4 申请腾讯云证书

https://cloud.tencent.com/product/ssl
注:以上申请后使用Nginx证书即可并保存到当前目录的certs目录(假设当前目录为“/home/docker”)

2.5.5 重启docker服务

systemctl restart docker

2.5.6 检查服务运行

su - docker
docker container ls -a

可见如下显示:

CONTAINER ID        IMAGE                             COMMAND                  CREATED             STATUS              PORTS                            NAMES
666f1877d181        registry:latest                   "/entrypoint.sh /etc…"   33 seconds ago      Up 32 seconds       0.0.0.0:443->443/tcp, 5000/tcp   registry

2.5.7 测试服务

从Hub拉取到服务器:

su - docker
ssh docker-n1
docker pull ubuntu:16.04

显示如下:

16.04: Pulling from library/ubuntu
b234f539f7a1: Pull complete
55172d420b43: Pull complete
5ba5bbeb6b91: Pull complete
43ae2841ad7a: Pull complete
f6c9c6de4190: Pull complete
Digest: sha256:fa9a4eb8f494fabe32d209a3983074451b60c45a9733c4543514a7bcd542e824
Status: Downloaded newer image for ubuntu:16.04

标记推送的位置:

docker tag ubuntu:16.04 docker-m.cmdschool.org/my-ubuntu

推送到服务器:

docker push docker-m.cmdschool.org/my-ubuntu

显示如下:

The push refers to repository [docker-m.cmdschool.org/my-ubuntu]
2de391e51d73: Pushed
d73dd9e65295: Pushed
686245e78935: Pushed
d7ff1dc646ba: Pushed
644879075e24: Pushed
latest: digest: sha256:689aa49d87d325f951941d789f7f7c8fae3394490cbcf084144caddba9c1be12 size: 1357

2.6 以服务的方式运行

2.6.1 创建自签名证书

2.6.1.1 方法一

声明环境变量

su – docker
mkdir -p /data/docker/certs
certdir=/data/docker/certs
domain=docker-m.cmdschool.org

创建证书:

openssl req \
 -newkey rsa:2048 -nodes -keyout $certdir/$domain.key \
  -x509 -days 3650 -out $certdir/$domain.crt

向导如下:

Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:GD
Locality Name (eg, city) [Default City]:DG
Organization Name (eg, company) [Default Company Ltd]:cmdschool
Organizational Unit Name (eg, section) []:cmdschool.org
Common Name (eg, your name or your server's hostname) []:docker-m.cmdschool.org
Email Address []:will@cmdschool.org

2.6.1.2 方法二

声明环境变量

su - docker
mkdir -p /data/docker/certs
certdir=/data/docker/certs
domain=docker-m.cmdschool.org

创建RSA私钥

openssl genrsa -out $certdir/$domain.key 2048

创建证书

openssl req -new -key $certdir/$domain.key -out $certdir/$domain.csr

向导如下:

[…]
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:GD
Locality Name (eg, city) [Default City]:DG
Organization Name (eg, company) [Default Company Ltd]:cmdschool
Organizational Unit Name (eg, section) []:cmdschool.org
Common Name (eg, your name or your server's hostname) []:docker-m.cmdschool.org
Email Address []:will@cmdschool.org

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

证书签名

openssl x509 -req -days 3650 -in $certdir/$domain.csr -signkey $certdir/$domain.key -out $certdir/$domain.crt

备份证书

cat $certdir/$domain.crt $certdir/$domain.key> $certdir/$domain.pem

2.6.2 配置证书信任

2.6.2.1 配置docker-m的证书

mkdir -p /etc/docker/certs.d/docker-m.cmdschool.org:5000
cp /data/docker/certs/docker-m.cmdschool.org.crt /etc/docker/certs.d/docker-m.cmdschool.org:5000/ca.crt
systemctl restart docker

2.6.2.2 配置docker-n1的证书

ssh root@docker-n1 mkdir -p /etc/docker/certs.d/docker-m.cmdschool.org:5000
scp /data/docker/certs/docker-m.cmdschool.org.crt root@docker-n1:/etc/docker/certs.d/docker-m.cmdschool.org:5000/ca.crt
ssh root@docker-n1 systemctl restart docker

2.6.2.3 配置docker-n2的证书

ssh root@docker-n2 mkdir -p /etc/docker/certs.d/docker-m.cmdschool.org:5000
scp /data/docker/certs/docker-m.cmdschool.org.crt root@docker-n2:/etc/docker/certs.d/docker-m.cmdschool.org:5000/ca.crt
ssh root@docker-n2 systemctl restart docker

2.6.3 将TLS证书与私钥保存为秘钥

certdir=/data/docker/certs
domain=docker-m.cmdschool.org
cd $certdir
docker secret create $domain.crt $certdir/$domain.crt
docker secret create $domain.key $certdir/$domain.key

检查保存的密钥:

docker secret ls

显示如下:

ID                          NAME                         DRIVER              CREATED             UPDATED
yv7ctzbav3b5e4jjoszd90kms   docker-m.cmdschool.org.crt                       14 seconds ago      14 seconds ago
r26i0fcs6fnn646dq7fgju8yl   docker-m.cmdschool.org.key                       14 seconds ago      14 seconds ago

2.6.4 标记运行节点

docker node update --label-add registry=true docker-m.cmdschool.org

2.6.5 停用之前的Registry

docker service ls
docker service rm registry

2.6.6 创建被挂载目录

mkdir -p /data/docker/registry

2.6.7 创建服务

docker service create \
 --name registry \
 --secret docker-m.cmdschool.org.crt \
 --secret docker-m.cmdschool.org.key \
 --constraint 'node.labels.registry==true' \
 --mount type=bind,src=/data/docker/registry,dst=/var/lib/registry \
 -e REGISTRY_HTTP_ADDR=0.0.0.0:443 \
 -e REGISTRY_HTTP_TLS_CERTIFICATE=/run/secrets/docker-m.cmdschool.org.crt \
 -e REGISTRY_HTTP_TLS_KEY=/run/secrets/docker-m.cmdschool.org.key \
 --publish published=5000,target=443 \
 --replicas 1 \
 registry:latest

注:以上服务,
– secret参数,授予服务访问两个秘钥的权限
– constraint参数,限制该服务职能在具有标签的节点上运行
– replicas参数,指定一次只能运行一个副本
– mount参数
— 将/data/docker/registry目录挂载到群集节点的/var/lib/registry上
— 需要在运行节点预先建立/data/docker/registry
执行后显示如下:

wg5j49vv218370aq4qcsj82r7
overall progress: 1 out of 1 tasks
1/1: running   [==================================================>]
verify: Service converged

2.6.8 测试服务

从Hub拉取到服务器:

su - docker
ssh docker-n1
docker pull ubuntu:16.04

显示如下:

16.04: Pulling from library/ubuntu
b234f539f7a1: Pull complete
55172d420b43: Pull complete
5ba5bbeb6b91: Pull complete
43ae2841ad7a: Pull complete
f6c9c6de4190: Pull complete
Digest: sha256:fa9a4eb8f494fabe32d209a3983074451b60c45a9733c4543514a7bcd542e824
Status: Downloaded newer image for ubuntu:16.04

标记推送的位置:

docker tag ubuntu:16.04 docker-m.cmdschool.org:5000/my-ubuntu

推送到服务器:

docker push docker-m.cmdschool.org:5000/my-ubuntu

显示如下:

The push refers to repository [docker-m.cmdschool.org:5000/my-ubuntu]
2de391e51d73: Pushed
d73dd9e65295: Pushed
686245e78935: Pushed
d7ff1dc646ba: Pushed
644879075e24: Pushed
latest: digest: sha256:689aa49d87d325f951941d789f7f7c8fae3394490cbcf084144caddba9c1be12 size: 1357

参阅文档:
=============================

安装Docker Registry
—————————–
https://docs.docker.com/registry/

配置Docker Registry证书
—————————–
https://kevinguo.me/2017/07/06/Docker-Registry/#generate-a-certificate

配置证书:
—————————-
https://manuals.gfi.com/en/kerio/connect/content/server-configuration/ssl-certificates/adding-trusted-root-certificates-to-the-server-1605.html

没有评论

发表评论

Docker
如何打包Docker Nginx?

1 前言 一个问题,一篇文章,一出故事。 由于docker hub原版本的nginx镜像过于精简,于 …

Docker
如何打包Docker MAC-Telnet?

1 基础知识 一款可以使用MikroTik RouterOS MAC-Telnet协议连接Mikro …

Docker
如何部署Docker Unifi-WiFi?

1 前言 一个问题,一篇文章,一出故事。 笔者Unifi-WiFi想要迁移至docker环境,于是产 …