[Docker] Building a Private Docker Registry: Complete Walkthrough

Preface: this post walks through building a Registry, then configuring encrypted transport and a login authentication system. By the end you will know how to set up a private image registry of your own.

System version: RHEL 9.3

1. Why build a private registry

Docker Hub is convenient, but it has limitations:

  • It requires an Internet connection and is slow

  • Everyone can access it

  • For security reasons, companies do not allow images to be placed on the public Internet

The good news is that Docker has open-sourced the registry, so we can quickly build a private enterprise registry.

Address: https://docs.docker.com/registry/deploying/

2. Building the Registry

2.1 Download the Registry image

  • Search for the official registry image
```bash
[root@docker-node1 ~]# docker search registry
NAME                    DESCRIPTION                                      STARS     OFFICIAL
registry                Distribution implementation for storing and ...   4183      [OK]
```
  • Pull the official image
```bash
[root@docker-node1 ~]# docker pull registry

[root@docker-node1 ~]# docker images
i Info →   U  In Use
IMAGE             ID             DISK USAGE   CONTENT SIZE   EXTRA
registry:latest   99b916d8206b       57.7MB             0B
```

2.2 Start the Registry

  • Inspect the image
```bash
[root@docker-node1 ~]# docker inspect registry

# The container exposes port 5000
"ExposedPorts": {
                "5000/tcp": {}
            },
```
  • Start the container
```bash
[root@docker-node1 ~]# docker run -d -p 5000:5000 --restart=always --name registry registry:latest
96606cc6b0f171dd69fc0853eb34cba41948f6853aa34b0215b5b7bed32f105f
```
  • Image push test
```bash
# Prepare an image
[root@docker-node1 ~]# docker load -i nginx-1.26.tar
Loaded image: nginx:1.26

# Tag the image with the registry address
[root@docker-node1 ~]# docker tag nginx:1.26 172.25.254.10:5000/nginx:1.26

# Push
[root@docker-node1 ~]# docker push 172.25.254.10:5000/nginx:1.26
The push refers to repository [172.25.254.10:5000/nginx]
Get "https://172.25.254.10:5000/v2/": http: server gave HTTP response to HTTPS client
```

The push failed because the Docker client talks to registries over HTTPS by default while our registry only speaks plain HTTP, so we need to configure HTTPS on the registry.

2.3 Create a certificate

  • Create the certificate directory and generate the certificate
```bash
# Create the certificate directory
[root@docker-node2 ~]# mkdir /etc/docker/certs -p

# Generate the key and a self-signed certificate; the SAN must carry the registry's hostname
[root@docker-node2 ~]# openssl req -newkey rsa:4096 \
> -nodes -sha256 -keyout /etc/docker/certs/doubledragon.org.key \
> -addext "subjectAltName = DNS:reg.doubledragon.org" \
> -x509 -days 365 -out /etc/docker/certs/doubledragon.org.crt

Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:shannxi
Locality Name (eg, city) [Default City]:xian
Organization Name (eg, company) [Default Company Ltd]:docker
Organizational Unit Name (eg, section) []:dragon
Common Name (eg, your name or your server's hostname) []:reg.doubledragon.org   # must match the domain given in subjectAltName above
Email Address []:admin@123

# Check the generated files
[root@docker-node2 ~]# ls /etc/docker/certs/
doubledragon.org.crt  doubledragon.org.key
```
  • Restart the registry
```bash
# Restart the registry with TLS. If the "registry" container from 2.2 is still present,
# remove it first (docker rm -f registry), otherwise the container name conflicts.
# Option summary (a comment cannot follow the trailing backslash of a continued line,
# so the explanations are listed here):
#   -v /opt/registry:/var/lib/registry   data volume, persists the stored image data
#   -v /etc/docker/certs:/certs          certificate volume, mounts the TLS certificate directory
#   -e REGISTRY_HTTP_ADDR                listen address
#   -e REGISTRY_HTTP_TLS_CERTIFICATE     path to the TLS certificate inside the container
#   -e REGISTRY_HTTP_TLS_KEY             path to the TLS private key inside the container
[root@docker-node2 ~]# docker run -d -p 443:443 --restart=always --name registry \
> -v /opt/registry:/var/lib/registry \
> -v /etc/docker/certs:/certs \
> -e REGISTRY_HTTP_ADDR=0.0.0.0:443 \
> -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/doubledragon.org.crt \
> -e REGISTRY_HTTP_TLS_KEY=/certs/doubledragon.org.key registry
f3333722838a94e4ba74afc88f8edbaf917f63c52a1a30c68a849bdce6b9bb2d
```
  • Configure local name resolution
```bash
# Both the client and the registry host need this entry
[root@docker-node2 ~]# vim /etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
172.25.254.10     docker-node2
172.25.254.10     reg.doubledragon.org
```
  • Push test
```bash
# Push test
# Tag the image
[root@docker-node2 ~]# docker tag busybox:latest reg.doubledragon.org/busybox:latest

# Push
[root@docker-node2 ~]# docker push reg.doubledragon.org/busybox:latest
The push refers to repository [reg.doubledragon.org/busybox]
61dfb50712f5: Unavailable
failed to do request: Head "https://reg.doubledragon.org/v2/busybox/blobs/sha256:af3f0f48a24edb84e94aff6f44f5d089203453719d3b2328486d311e61db9b09": tls: failed to verify certificate: x509: certificate signed by unknown authority
# The connection fails because the Docker client does not trust the certificate: the client sends the push
# request, the registry presents its certificate, but the certificate is self-signed rather than issued by a
# CA the client trusts, so the TLS handshake is rejected.
# The Docker client trusts extra certificates placed under /etc/docker/certs.d/<domain>/, so copy the
# certificate there.

# Create the trust directory and copy the certificate
[root@docker-node2 ~]# mkdir /etc/docker/certs.d/reg.doubledragon.org -p
[root@docker-node2 ~]# cp -p /etc/docker/certs/doubledragon.org.crt /etc/docker/certs.d/reg.doubledragon.org/
# Restart docker
[root@docker-node2 ~]# systemctl restart docker

# Push again
[root@docker-node2 ~]# docker push reg.doubledragon.org/busybox:latest
The push refers to repository [reg.doubledragon.org/busybox]
61dfb50712f5: Pushed
latest: digest: sha256:70ce0a747f09cd7c09c2d6eaeab69d60adb0398f569296e8c0e844599388ebd6 size: 610

i Info → Not all multiplatform-content is present and only the available single-platform image was pushed
          sha256:b3255e7dfbcd10cb367af0d409747d511aeb66dfac98cf30e97e87e4207dd76f -> sha256:70ce0a747f09cd7c09c2d6eaeab69d60adb0398f569296e8c0e844599388ebd6
# Push succeeded
```
  • Pull test
```bash
# Pull test
# Create the trust directory on the client and copy the certificate over
[root@docker-node1 ~]# mkdir /etc/docker/certs.d/reg.doubledragon.org -p
[root@docker-node2 ~]# scp /etc/docker/certs.d/reg.doubledragon.org/doubledragon.org.crt 172.25.254.10:/etc/docker/certs.d/reg.doubledragon.org/
# Restart docker
[root@docker-node1 ~]# systemctl restart docker

# Pull test
[root@docker-node1 ~]# docker pull reg.doubledragon.org/busybox:latest
latest: Pulling from busybox
Digest: sha256:70ce0a747f09cd7c09c2d6eaeab69d60adb0398f569296e8c0e844599388ebd6
Status: Downloaded newer image for reg.doubledragon.org/busybox:latest
reg.doubledragon.org/busybox:latest

[root@docker-node1 ~]# docker images
i Info →   U  In Use
IMAGE                                 ID             DISK USAGE   CONTENT SIZE   EXTRA
172.25.254.20:5000/busybox:latest     af3f0f48a24e       4.43MB             0B
reg.doubledragon.org/busybox:latest   af3f0f48a24e       4.43MB             0B
```

The registry is now configured over TLS; both push and pull work.

3. Setting up login authentication

  • Configure login authentication
```bash
# Install the package that provides the htpasswd tool
[root@docker-node2 ~]# dnf install httpd-tools -y

# Create the auth directory and password file
[root@docker-node2 ~]# mkdir /etc/docker/auth
# -B selects bcrypt, the strongest option (the default is md5); the registry's htpasswd
# authentication accepts only bcrypt entries, so -B is required here
[root@docker-node2 ~]# htpasswd -Bc /etc/docker/auth/htpasswd dragon
New password:
Re-type new password:
Adding password for user dragon

# Restart the container with authentication enabled (remove the previous "registry"
# container first with docker rm -f registry, otherwise the name conflicts).
# Option summary:
#   -v /etc/docker/auth:/auth             mounts the password file directory
#   -e REGISTRY_AUTH=htpasswd             authentication method: enable htpasswd auth
#   -e REGISTRY_AUTH_HTPASSWD_REALM       authentication realm, shown in the auth prompt
#   -e REGISTRY_AUTH_HTPASSWD_PATH        path to the htpasswd file inside the container
[root@docker-node2 ~]# docker run -d -p 443:443 --restart=always --name registry \
> -v /opt/registry:/var/lib/registry \
> -v /etc/docker/certs:/certs \
> -v /etc/docker/auth:/auth \
> -e REGISTRY_HTTP_ADDR=0.0.0.0:443 \
> -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/doubledragon.org.crt \
> -e REGISTRY_HTTP_TLS_KEY=/certs/doubledragon.org.key \
> -e "REGISTRY_AUTH=htpasswd" \
> -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" \
> -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd \
> registry
1280801f881e50b214cf28c8bff0f19ee0b032b7c6870640dd9b23e9cfb7cb8c
```
  • Access and login test
```bash
# Access test (-k skips certificate verification; --cacert /etc/docker/certs/doubledragon.org.crt
# would verify the server against our own certificate instead)
[root@docker-node2 ~]# curl -k https://reg.doubledragon.org/v2/_catalog -u dragon:123
{"repositories":["busybox"]}

# Login test
[root@docker-node2 ~]# docker login reg.doubledragon.org
Authenticating with existing credentials... [Username: dragon]

i Info → To login with a different account, run 'docker logout' followed by 'docker login'

Login did not succeed, error: Error response from daemon: login attempt to https://reg.doubledragon.org/v2/ failed with status: 401 Unauthorized
Username (dragon): dragon
Password:

WARNING! Your credentials are stored unencrypted in '/root/.docker/config.json'.
Configure a credential helper to remove this warning. See
https://docs.docker.com/go/credential-store/

Login Succeeded
```
  • Image push and pull test
```bash
# Not logged in: both push and pull fail
[root@docker-node1 ~]# docker pull reg.doubledragon.org/busybox:latest
Error response from daemon: unauthorized: authentication required

# Test again after logging in
[root@docker-node1 ~]# docker login reg.doubledragon.org
[root@docker-node1 ~]# docker pull reg.doubledragon.org/busybox:latest
latest: Pulling from busybox
61dfb50712f5: Already exists
Digest: sha256:70ce0a747f09cd7c09c2d6eaeab69d60adb0398f569296e8c0e844599388ebd6
Status: Downloaded newer image for reg.doubledragon.org/busybox:latest
reg.doubledragon.org/busybox:latest
[root@docker-node1 ~]# docker images
i Info →   U  In Use
IMAGE                                 ID             DISK USAGE   CONTENT SIZE   EXTRA
reg.doubledragon.org/busybox:latest   af3f0f48a24e       4.43MB             0B
```
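A pre-flight check script for the setup above, covering the TLS steps of section 2 (SAN, key/certificate match, client trust directory) and the htpasswd step of section 3 (bcrypt entries, 401 without credentials, 200 with them). It is an added example, not the post's own commands; it assumes the post's hostname and file paths as defaults, and the REG_CREDS and REG_PREFLIGHT environment variables are introduced here.

```bash
# Added example: pre-flight checks for the private registry built above.
# Defaults are the post's paths; override with positional arguments.
set -eu
REG_HOST="${1:-reg.doubledragon.org}"
CRT="${2:-/etc/docker/certs/doubledragon.org.crt}"
KEY="${3:-/etc/docker/certs/doubledragon.org.key}"
HTPASSWD="${4:-/etc/docker/auth/htpasswd}"

# Directory where the Docker client looks for a registry host's certificate.
certs_d_dir() { printf '/etc/docker/certs.d/%s\n' "$1"; }

# The registry's htpasswd backend accepts only bcrypt hashes ($2a$/$2b$/$2y$);
# an md5/apr1 entry (htpasswd run without -B) cannot be used to log in.
is_bcrypt_entry() {
    case "$1" in
        *':$2a$'*|*':$2b$'*|*':$2y$'*) return 0 ;;
        *) return 1 ;;
    esac
}

# The client verifies the SAN, not the CN; the key must belong to the certificate;
# and the certificate must be in the client's certs.d trust directory.
check_cert() {
    openssl x509 -in "$CRT" -noout -ext subjectAltName | grep -E "DNS:${REG_HOST}(,|$)" >/dev/null \
        || { echo "FAIL: SAN of $CRT lacks DNS:$REG_HOST"; return 1; }
    [ "$(openssl x509 -in "$CRT" -noout -pubkey)" = "$(openssl pkey -in "$KEY" -pubout)" ] \
        || { echo "FAIL: $KEY does not match $CRT"; return 1; }
    [ -f "$(certs_d_dir "$REG_HOST")/$(basename "$CRT")" ] \
        || { echo "FAIL: $(certs_d_dir "$REG_HOST") lacks the certificate"; return 1; }
    echo "OK: certificate SAN, key pair and client trust directory"
}

check_htpasswd() {
    rc=0
    while IFS= read -r line; do
        [ -n "$line" ] && ! is_bcrypt_entry "$line" && { echo "FAIL: non-bcrypt entry for ${line%%:*}"; rc=1; }
    done < "$HTPASSWD"
    [ "$rc" -eq 0 ] && echo "OK: all htpasswd entries use bcrypt"
    return "$rc"
}

# Probe the API pinned to our own certificate instead of curl -k:
# anonymous access must get 401, the htpasswd user (REG_CREDS=user:pass) must get 200.
probe_api() {
    code=$(curl -s -o /dev/null -w '%{http_code}' --cacert "$CRT" "https://${REG_HOST}/v2/")
    [ "$code" = "401" ] || { echo "FAIL: anonymous /v2/ returned $code, expected 401"; return 1; }
    code=$(curl -s -o /dev/null -w '%{http_code}' --cacert "$CRT" -u "${REG_CREDS:?set REG_CREDS=user:pass}" "https://${REG_HOST}/v2/")
    [ "$code" = "200" ] || { echo "FAIL: authenticated /v2/ returned $code, expected 200"; return 1; }
    echo "OK: TLS trusted and authentication enforced"
}
if [ "${REG_PREFLIGHT:-}" = "run" ]; then check_cert; check_htpasswd; probe_api; fi
```

Run it on the registry host as `REG_PREFLIGHT=run REG_CREDS=dragon:<password> sh preflight.sh`; the checks are only executed when REG_PREFLIGHT=run so the functions can also be sourced individually.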

The private registry is now complete.
