前言:
docker三要素之一的仓库是比较重要的一个概念,那么,如何快速的搭建一个简单易用的私人本地仓库呢?注意了,这里的私人本地仓库不是指的的那些重型的比如harbor这样的企业级的本地私人仓库,主要是重型仓库部署使用起来并不简单和快速,背离了我们的初衷嘛 ,对吧。
那么,本文打算探讨一种快速的搭建本地私人docker仓库,该仓库功能比较简单(说人话就是简易代表功能少,哈哈哈),并且有一定的安全性,主要是有证书验证,说人话就是开启https验证。
部署前的规划:
两台服务器,IP地址分别为192.168.217.16和192.168.217.17,操作系统是centos7。两个服务器都安装有docker环境,计划是16服务器安装本地私人仓库服务端,1服务器做客户端,将17服务器的镜像传送到16服务器上。
正式部署:
一,
相关镜像下载 :
docker pull registry.cn-beijing.aliyuncs.com/google_registry/registry:2.4.1 docker pull registry.cn-beijing.aliyuncs.com/google_registry/docker-registry-web:latest
运行镜像(有挂载volume,这样别的服务器使用这个私有仓库,上传的镜像才会直接到本机服务器内的var/lib/registry这个路径下,否则,该容器重启,上传的镜像就没有啦,这里一定要仔细思考并理解哦,才会明白volume到底是有什么用处):
建立两个挂载点,一个是挂载本地仓容器得数据到本地,一个是本地仓库容器得配置文件:
mkdir -p /opt/registry/{data,conf}
编辑这个文件,文件内容如下,一会此文件要挂载到容器内
[root@slave1 data]# cat /opt/registry/conf/config.yml version: 0.1 log: fields: service: registry storage: cache: blobdescriptor: inmemory filesystem: rootdirectory: /var/lib/registry http: addr: :5000 headers: X-Content-Type-Options: [nosniff] health: storagedriver: enabled: true interval: 10s threshold: 4
是在192.168.217.16这个服务器上启动的镜像哦,记住这个IP,后面会用到 ,启动容器得命令:
docker run -d -p 5000:5000 \ -v /opt/registry/data:/var/lib/registry \ -v /opt/registry/conf/config.yml:/etc/docker/registry/config.yml \ --name localregistry registry.cn-beijing.aliyuncs.com/google_registry/registry:2.4.1
在16服务器上,镜像启动成功后,可以看到5000端口已经开放:
[root@k8s-master ~]# netstat -antup |grep 5000 tcp6 0 0 :::5000 :::* LISTEN 13073/docker-proxy
这样的方式启动的本地仓库已经可以使用了,现在只是差两个步骤
(1)告诉docker的客户端要使用哪个仓库
这一步是编辑docker的配置文件 /etc/docker/daemo.json (通常是这个文件),例如,在192.168.217.17这个服务器上配置如下(主要是添加这个:"insecure-registries": ["192.168.217.16:5000"], ):
cat /etc/docker/daemon.json { "registry-mirrors": ["http://bc437cce.m.daocloud.io"], "exec-opts":["native.cgroupdriver=systemd"], "insecure-registries": ["192.168.217.17:5000"], "log-driver": "json-file", "log-opts": { "max-size": "100m" }, "storage-driver": "overlay2" }
为什么是定义的5000端口呢?因为该镜像告诉我们这么定义的,证据如下:
[root@slave1 ~]# docker history registry.cn-beijing.aliyuncs.com/google_registry/registry:2.4.1 IMAGE CREATED CREATED BY SIZE COMMENT 8ff6a4aae657 6 years ago /bin/sh -c #(nop) CMD ["serve" "/etc/docker/… 0B <missing> 6 years ago /bin/sh -c #(nop) ENTRYPOINT &{["/bin/regist… 0B <missing> 6 years ago /bin/sh -c #(nop) EXPOSE 5000/tcp 0B <missing> 6 years ago /bin/sh -c #(nop) VOLUME [/var/lib/registry] 0B <missing> 6 years ago /bin/sh -c #(nop) COPY file:ebd8cc424c954b92… 315B <missing> 6 years ago /bin/sh -c #(nop) COPY file:e46a815cdda044c6… 26.1MB <missing> 6 years ago /bin/sh -c apt-get update && apt-get ins… 20.4MB <missing> 6 years ago /bin/sh -c #(nop) CMD ["/bin/bash"] 0B <missing> 6 years ago /bin/sh -c #(nop) ADD file:76679eeb94129df23… 125MB
然后重启docker服务:
systemctl daemon-reload && systemctl restart docker
(2)
在17服务器上修改镜像的名称,给镜像打上本地仓库标签,就以前面的镜像registry.cn-beijing.aliyuncs.com/google_registry/docker-registry-web为例,打上16服务器的本地仓库标签吧:
没打标签前:
[root@master ~]# docker images REPOSITORY TAG IMAGE ID CREATED SIZE registry.cn-beijing.aliyuncs.com/google_registry/docker-registry-web latest 0db5683824d8 5 years ago 599MB registry.cn-beijing.aliyuncs.com/google_registry/registry 2.4.1 8ff6a4aae657 6 years ago 172MB
打标签后,修改成了192.168.217.16:5000/registry(在17服务器上修改tag):
[root@slave2 ~]# docker tag registry.cn-beijing.aliyuncs.com/google_registry/docker-registry-web 192.168.217.16:5000/registry-web [root@master ~]# docker images REPOSITORY TAG IMAGE ID CREATED SIZE 192.168.217.16:5000/registry-web latest 0db5683824d8 5 years ago 599MB registry.cn-beijing.aliyuncs.com/google_registry/docker-registry-web latest 0db5683824d8 5 years ago 599MB registry.cn-beijing.aliyuncs.com/google_registry/registry 2.4.1 8ff6a4aae657 6 years ago 172MB
可以将17服务器上的这个registry-web上传到16服务器上啦,根据前面打的仓库标签,表示它要上传到的是一个私人仓库:
[root@master ~]# docker push 192.168.217.16:5000/registry-web The push refers to repository [192.168.217.16:5000/registry-web] 8779b4998d0c: Pushed 9eb22ef427e2: Pushed 64d1c65ea33e: Pushed d6c3b0e63834: Pushed 1315f14832fa: Pushed d16096ccf0bb: Pushed 463a4bd8f8c1: Pushed be44224e76b9: Pushed d96a8038b794: Pushed f469fc28e82e: Pushed 8418a42306ef: Pushed 03457c5158e2: Pushed 7ef05f1204ee: Pushed f7049feabf0b: Pushed 5ee52271b8b7: Pushed 8b1153b14d3a: Pushed 367b9c52c931: Pushed 3567b2f05514: Pushed 292a66992f77: Pushed 641fcd2417bc: Pushed 78ff13900d61: Pushed latest: digest: sha256:2c4f88572e1626792d3ceba6a5ee3ea99f1c3baee2a0e8aad56f0e7c3a6bf481 size: 4695
查询私有仓库内有哪些镜像:
[root@master ~]# curl 192.168.217.16:5000/v2/_catalog {"repositories":["registry-web"]}
查询这个镜像的版本号(是latest):
[root@master ~]# curl 192.168.217.16:5000/v2/registry-web/tags/list {"name":"registry-web","tags":["latest"]}
在18服务器上注册一哈本地仓库:
vim /etc/docker/daemon.json
添加"insecure-registries": ["192.168.217.16:5000"],
在18服务器上pull这个nginx:
[root@k8s-node2 ~]# docker pull 192.168.217.16:5000/nginx Using default tag: latest latest: Pulling from nginx Digest: sha256:9b0fc8e09ae1abb0144ce57018fc1e13d23abd108540f135dc83c0ed661081cf Status: Downloaded newer image for 192.168.217.16:5000/nginx:latest 192.168.217.16:5000/nginx:latest
OK,就这么一个简单到极致的本地docker镜像仓库就搭建好了,镜像上传到到了16服务器上,我们前面建立的那个目录/opt/registry/data/docker/registry/v2/repositories下了:
[root@master ~]# cd /opt/registry/data/docker/registry/v2/ [root@master v2]# ls blobs repositories
那么,这么一个本地镜像仓库有问题吗?有,主要是关于安全方面的,实在是不安全啊。下面就来说一说安全方面的提升问题。
二,
https证书本地私人仓库的开启
在16服务器上,先建立证书存放路径:
mkdir /opt/ssl
在16服务器上,生成证书,并查看证书:
[root@master v2]# openssl req -newkey rsa:4096 -nodes -sha256 -keyout /opt/ssl/myssl.key -x509 -days 365 -out /opt/ssl/myssl.pem Generating a RSA private key ..................................................................................................................++++ ....................................................................++++ writing new private key to '/opt/ssl/myssl.key' ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [AU]:CN#随便写,自己做的证书不需要太多讲究 State or Province Name (full name) [Some-State]:WLMQ#随便写,自己做的证书不需要太多讲究 Locality Name (eg, city) []:XJ Organization Name (eg, company) [Internet Widgits Pty Ltd]:XJJ#随便写,自己做的证书不需要太多讲究 Organizational Unit Name (eg, section) []:WLMQ#随便写,自己做的证书不需要太多讲究 Common Name (e.g. server FQDN or YOUR name) []:master.com.cn # 这个不能乱写了,必须是二级域名的形式,我这里是master.com.cn Email Address []: Email Address []: [root@slave1 repositories]# cd /opt/ssl/ [root@slave1 ssl]# ls myssl.key myssl.pem
在16和17服务器上,域名解析master.com.cn(编辑hosts文件,写入对master.com.cn的解析,这个域名是证书制作的时候定义的哦):
[root@slave1 ssl]# cat /etc/hosts 127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4 ::1 localhost localhost.localdomain localhost6 localhost6.localdomain6 192.168.217.16 master k8s-master master.com.cn 192.168.217.17 slave1 k8s-node1 192.168.217.18 slave2 k8s-node2
在16服务器上,删除前面在运行的那个开启端口5000的镜像:
docker rm -f $(docker ps -aq)
在16服务器上,重新启动镜像,这次启动要开启443端口了(容器里挂载相关证书,-v /opt/ssl:/certs这是挂载到容器得/certs目录。):
docker run -d --restart=always --name registry \ -v /opt/ssl:/certs \ -v /opt/registry/data:/var/lib/registry \ -v /opt/registry/conf/config.yml:/etc/docker/registry/config.yml \ -e REGISTRY_HTTP_ADDR=0.0.0.0:443 \ -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/myssl.pem \ -e REGISTRY_HTTP_TLS_KEY=/certs/myssl.key \ -p 443:443 registry.cn-beijing.aliyuncs.com/google_registry/registry:2.4.1
镜像启动成功后,可以看到443端口开启了:
[root@k8s-master ~]# netstat -antup |grep 443 tcp6 0 0 :::443 :::* LISTEN 8074/docker-proxy
任意服务器,稍微验证一哈是不是开启了443端口:
[root@k8s-node2 ~]# curl -k https://master.com.cn/v2/_catalog {"repositories":["nginx"]}
这里注意一哈,一定要在docker的配置文件里注册啦,因为是https的形式,不然会报错的哦(16和17,18服务器都注册一哈)
[root@slave1 ssl]# cat /etc/docker/daemon.json { "registry-mirrors": ["http://bc437cce.m.daocloud.io"], "exec-opts":["native.cgroupdriver=systemd"], "insecure-registries": ["master.com.cn","192.168.217.16:5000"], "log-driver": "json-file", "log-opts": { "max-size": "100m" }, "storage-driver": "overlay2" }
添加完注册重启docker服务:
systemctl daemon-reload && systemctl restart docker
还是同样的套路,同样的配方,修改镜像以符合仓库的要求,然后就可以上传啦:
在17服务器上,先从阿里云下载一个busybox镜像,然后查看现有的镜像:
[root@node1 ~]# docker images REPOSITORY TAG IMAGE ID CREATED SIZE busybox 1.28.3 8ac48589692a 4 years ago 1.15MB 192.168.217.16:5000/registry-web latest 0db5683824d8 5 years ago 599MB registry.cn-beijing.aliyuncs.com/google_registry/docker-registry-web latest 0db5683824d8 5 years ago 599MB registry.cn-beijing.aliyuncs.com/google_registry/registry 2.4.1 8ff6a4aae657 6 years ago 172MB
在17服务器上,修改镜像的仓库标识:
[root@node1 ~]# docker tag busybox:1.28.3 master.com.cn/busybox:1.28.3 [root@node1 ~]# docker images REPOSITORY TAG IMAGE ID CREATED SIZE busybox 1.28.3 8ac48589692a 4 years ago 1.15MB master.com.cn/busybox 1.28.3 8ac48589692a 4 years ago 1.15MB 192.168.217.16:5000/registry-web latest 0db5683824d8 5 years ago 599MB registry.cn-beijing.aliyuncs.com/google_registry/docker-registry-web latest 0db5683824d8 5 years ago 599MB registry.cn-beijing.aliyuncs.com/google_registry/registry 2.4.1 8ff6a4aae657 6 years ago 172MB
在17服务器上面,上传修改好仓库标识的镜像到16服务器的本地仓库内:
[root@k8s-node1 ~]# systemctl daemon-reload && systemctl restart docker [root@k8s-node1 ~]# docker push master.com.cn/busybox:1.28.3 The push refers to repository [master.com.cn/busybox] 0314be9edf00: Pushed 1.28.3: digest: sha256:186694df7e479d2b8bf075d9e1b1d7a884c6de60470006d572350573bfa6dcd2 size: 527
同样的,上传另一个镜像。在192.168.217.17这个服务器上,看看有哪些镜像:
[root@slave1 ~]# docker images REPOSITORY TAG IMAGE ID CREATED SIZE busybox latest 7a80323521cc 4 weeks ago 1.24MB nginx 1.8 0d493297b409 6 years ago 133MB
把这个133M的nginx上传到192.168.217.16上的本地镜像仓库内:
一样的,需要把域名写到17服务器的hosts文件内和docker的配置文件/etc/docker/daemon.json内并重启docker服务,修改镜像的仓库标识,然后就可以上传啦
[root@slave1 ~]# docker push master.com.cn/nginx:1.8 The push refers to repository [master.com.cn/nginx] 5f70bf18a086: Pushed 62fd1c28b3bf: Pushed 6d700a2d8883: Pushed c12ecfd4861d: Pushed 1.8: digest: sha256:746419199c9569216937fc59604805b7ac0f52b438bb5ca4ec6b7f990873b198 size: 1977
那么前面的操作都是上传push,pull是怎么弄呢?通过接口可以查询私人仓库内有哪些镜像核镜像的具体版本号呢?:
[root@slave1 ssl]# curl -k https://master.com.cn/v2/_catalog {"repositories":["nginx"]}
具体版本号:
[root@slave2 ~]# curl -k https://master.com.cn/v2/nginx/tags/list {"name":"nginx","tags":["1.8"]}
