1、docker仓库简介

在这里插入图片描述

2、Registry工作原理

在这里插入图片描述
客户端访问index，index返回镜像所需的地址以及index认证后的token，客户端拿着地址和token访问Registry，Registry会去访问index去验证token的合法性，index告诉registry合法，然后Registry才会将镜像传递给客户端，如下图：
在这里插入图片描述
客户端将push请求发给index，index会给客户端一个临时的token，然后客户端将镜像push到registry仓库，registry会访问index，验证token的合法性，验证成功registry会接收镜像

3、搭建私有仓库

私有仓库参考文档

[root@server1 docker]# docker pull registry  官方拉取仓库
 [root@server1 docker]#  docker run -d -p 5000:5000 --restart=always --name registry registry   运行， --restart=always表示每次在启动docker引擎的时侯自动开启
 [root@server1 docker]# docker ps  运行成功
CONTAINER ID        IMAGE               COMMAND                  CREATED             STATUS              PORTS                    NAMES
f47e78f9434e        registry            "/entrypoint.sh /etc…"   4 minutes ago       Up 4 minutes        0.0.0.0:5000->5000/tcp   registry
[root@server1 docker]# docker tag  yakexi007/game2048:latest localhost:5000/game2048   更改镜像名字，指定仓库地址：指向本机5000端口上传镜像
[root@server1 docker]# docker push localhost:5000/game2048  上传镜像
[root@server1 docker]# docker rmi yakexi007/game2048:latest   删除本地的game2048镜像
[root@server1 docker]# docker rmi localhost:5000/game2048:latest   删除本地的game2048镜像
[root@server1 docker]# docker pull localhost:5000/game2048 可以从本地镜像仓库拉取
latest: Pulling from game2048
534e72e7cedc: Pull complete 
f62e2f6dfeef: Pull complete 
fe7db6293242: Pull complete 
3f120f6a2bf8: Pull complete 
4ba4e6930ea5: Pull complete

如何给私有仓库添加认证功能
开启一台虚拟机server2

[root@foundation50 ~]# cd /mnt/pub/docs/docker/
[root@foundation50 docker]# cp  -r docker-ce/ /var/www/html/   拷贝docker-ce/目录到http默认发布目录里
[root@server2 yum.repos.d]# vim docker.repo   配置软件仓库
[docker]
name=docker-ce
baseurl=http://172.25.254.50/docker-ce
gpgcheck=0
[root@server2 yum.repos.d]# yum install docker-ce -y  安装
[root@server2 yum.repos.d]# systemctl enable --now docker  启动docker
[root@server1 ~]# cd /etc/sysctl.d/  
[root@server1 sysctl.d]# scp docker.conf server2:/etc/sysctl.d/     
[root@server2 ~]# sysctl--system    使之生效
[root@server2 ~]# docker pull 172.25.50.1:5000/game2048  不支持远端非加密连接内网仓库
Using default tag: latest
Error response from daemon: Get https://172.25.50.1:5000/v2/: http: server gave HTTP response to HTTPS client   报错
[root@server2 ~]# cd /etc/docker/   
[root@server2 docker]# vim daemon.json  编辑，添加参数，支持远端非安全连接
{
  "insecure-registries" : ["172.25.50.1:5000"]
}
[root@server2 docker]# systemctl daemon-reload 
[root@server2 docker]# systemctl restart docker  重启daocker

在这里插入图片描述

[root@server2 docker]# docker pull 172.25.50.1:5000/game2048  可以拉取
Using default tag: latest
latest: Pulling from game2048
534e72e7cedc: Pull complete 
f62e2f6dfeef: Pull complete 
fe7db6293242: Pull complete 
3f120f6a2bf8: Pull complete 
4ba4e6930ea5: Pull complete 
Digest: sha256:8a34fb9cb168c420604b6e5d32ca6d412cb0d533a826b313b190535c03fe9390
Status: Downloaded newer image for 172.25.50.1:5000/game2048:latest
172.25.50.1:5000/game2048:latest

如何加密认证连接镜像仓库？？

[root@server1 sysctl.d]# docker rm -f  registry  删除
registry
[root@server1 sysctl.d]# docker volume prune  表示删除没有被使用的卷
WARNING! This will remove all local volumes not used by at least one container.
Are you sure you want to continue? [y/N] y
[root@server1 sysctl.d]# docker volume ls  查看卷，已经删除完成
DRIVER              VOLUME NAME
[root@server1 sysctl.d]# docker ps -a     查看容器，没有容器运行
CONTAINER ID        IMAGE               COMMAND             CREATED             STATUS              PORTS               NAMES

开启加密功能：

参靠文档
使用自签名证书

[root@server1 ~]# mkdir -p certs   建立目录
[root@server1 ~]# openssl req -newkey rsa:4096 -nodes -sha256 -keyout certs/westos.org.key -x509 -days 365 -out certs/westos.org.crt   生成key放到certs，再用key生成所需要的证书
Country Name (2 letter code) [XX]:cn  
State or Province Name (full name) []:shaanxi                  
Locality Name (eg, city) [Default City]:xi'an
Organization Name (eg, company) [Default Company Ltd]:westos
Organizational Unit Name (eg, section) []:linux
Common Name (eg, your name or your server's hostname) []:reg.westos.org   主机名
Email Address []:root@westos.org   
[root@server1 ~]# ls certs/   证书已经生成
westos.org.crt  westos.org.key
[root@server1 ~]# docker run -d \
>   --restart=always \
>   --name registry \
>   -v /opt/registry:/var/lib/registry \   表示宿主机/opt/registry目录，没有自动生成，挂载到容器存放镜像/var/lib/registry目录里，把仓库里的数据持久化到宿主机上
>   -v "$(pwd)"/certs:/certs \    -v表示手动挂载指定路经，把当前目录下的certs挂载到容器内的certs
>   -e REGISTRY_HTTP_ADDR=0.0.0.0:443 \     -e表示容器指令，表示启用443加密
>   -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/westos.org.crt \    指定生成的证书
>   -e REGISTRY_HTTP_TLS_KEY=/certs/westos.org.key \   指定生成的key
>   -p 443:443 \    做一个端口i映射，切记不要和宿主机冲突
>     registry  镜像名字
[root@server1 ~]# docker ps   查看是否运行
CONTAINER ID        IMAGE               COMMAND                  CREATED             STATUS                          PORTS               NAMES
f433469ca1d9        docker              "docker-entrypoint.s…"   6 seconds ago       Restarting (125) 1 second ago                       registry   已经运行
[root@server1 ~]# docker port registry 
443/tcp -> 0.0.0.0:443
[root@server1 ~]# vim /etc/hosts  远程连接的时侯要加解析
172.25.50.1   server1  reg.westos.org      reg.westos.org  为仓库名字

测试：从远程上传下载镜像
[root@server2 docker]# docker tag 172.25.50.1:5000/game2048:latest reg.westos.org/game2048  改镜像名字
[root@server2 docker]# docker push reg.westos.org/game2048  上传镜像,发现报错
The push refers to repository [reg.westos.org/game2048]
Get https://reg.westos.org/v2/: x509: certificate signed by unknown authority   server2上没有证书
[root@server2 docker]# mkdir certs.d   创建目录
[root@server2 docker]# cd certs.d/
[root@server2 certs.d]# pwd
/etc/docker/certs.d
[root@server2 certs.d]# mkdir reg.westos.org  建路目录，和软件仓库名保持一样
[root@server2 certs.d]# cd reg.westos.org/
[root@server2 reg.westos.org]# pwd
/etc/docker/certs.d/reg.westos.org
[root@server1 ~]# vim /etc/hosts
[root@server1 ~]# cd certs/
[root@server1 certs]# scp westos.org.crt server2:/etc/docker/certs.d/reg.westos.org/ca.crt   将server1上的证书westos.org.crt拷贝到server2上/etc/docker/certs.d/reg.westos.org/ 目录里
[root@server2 reg.westos.org]# pwd  
/etc/docker/certs.d/reg.westos.org      server2 上已经有证书了，注意证书一定要放到此目录里
[root@server2 reg.westos.org]# docker push reg.westos.org/game2048  此时再次上传，就可以上传了
The push refers to repository [reg.westos.org/game2048]
88fca8ae768a: Pushed 
6d7504772167: Pushed 
192e9fad2abc: Pushed 
36e9226e74f8: Pushed 
011b303988d2: Pushed 
latest: digest: sha256:8a34fb9cb168c420604b6e5d32ca6d412cb0d533a826b313b190535c03fe9390 size: 1364

如何开启认证？

官方参考文档

[root@server1 certs]# cd --   
[root@server1 ~]# mkdir auth   创建认证目录
[root@server1 ~]# cd auth/
[root@server1 auth]# yum install -y httpd-tools   安装httpd工具
[root@server1 auth]# htpasswd  -B -c htpasswd wxh    -B强制使用最安全的加密算法  -c表示创建，在auth目录里创建htpasswd  ，wxh为添加的用户
[root@server1 auth]# cat htpasswd 
wxh:$2y$05$7QCbnhaOq0ashi6OxbwN5eii7RQaSB5yYcrtb6YkqozN3EEp0fv7S
[root@server1 auth]# htpasswd  -B  htpasswd admin     再次创建，第二次创建不要用-c，不然会把第一次的覆盖掉
New password: 
Re-type new password: 
Adding password for user admin
[root@server1 auth]# cat htpasswd            
wxh:$2y$05$7QCbnhaOq0ashi6OxbwN5eii7RQaSB5yYcrtb6YkqozN3EEp0fv7S
admin:$2y$05$Dn4RHzRpjdOQsriauva1gu56yPtXq3S1I5ZtyfPO7.XSZnkmzjaXm
[root@server1 ~]# docker rm -f registry   删除registry
registry
[root@server1 ~]# docker run -d --restart=always --name registry -v "$(pwd)"/certs:/certs -v /opt/registry:/var/lib/registry -v "$(pwd)"/auth:/auth -e "REGISTRY_AUTH=htpasswd" -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd -e REGISTRY_HTTP_ADDR=0.0.0.0:443 -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/westos.org.crt -e REGISTRY_HTTP_TLS_KEY=/certs/westos.org.key -p 443:443 registry 
fdfadff803e9969dc9d96499bcc9b80a539730a827ad85785e581c445e09f7a3
再次运行，添加htpasswd认证：
添加REGISTRY_AUTH=htpasswd认证方式 ，读取REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm文件 
REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd  指定认证文件
[root@server1 ~]# docker ps   查看容器
CONTAINER ID        IMAGE               COMMAND                  CREATED             STATUS              PORTS                            NAMES
fdfadff803e9        registry            "/entrypoint.sh /etc…"   4 minutes ago       Up 4 minutes        0.0.0.0:443->443/tcp, 5000/tcp   registry
[root@server2 reg.westos.org]# docker pull reg.westos.org/game2048  此时拉取就需要认证
Using default tag: latest
Error response from daemon: Get https://reg.westos.org/v2/game2048/manifests/latest: no basic auth credentials   报错
[root@server2 reg.westos.org]# docker login reg.westos.org    登陆 
Username: wxh
Password: 
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded

[root@server2 ~]# cd .docker/   认证文件存放位置
[root@server2 .docker]# ls
config.json
[root@server2 .docker]# cat config.json 
{
	"auths": {
		"reg.westos.org": {
			"auth": "d3hoOndlc3Rvcw=="    认证信息
		}
	},
	"HttpHeaders": {
		"User-Agent": "Docker-Client/19.03.15 (linux)"
	}
[root@server2 .docker]# docker pull  reg.westos.org/game2048  此时拉取就可以拉取成功
[root@server2 .docker]# docker logout  reg.westos.org  登出
Removing login credentials for reg.westos.org
[root@server2 .docker]# ls   
config.json
[root@server2 .docker]# cat config.json 
{
	"auths": {},    登出信息就没有了
	"HttpHeaders": {
		"User-Agent": "Docker-Client/19.03.15 (linux)"
	}