Pulling the private registry

Approach

  1. This private registry is created on a cloud server, and the cloud server has two addresses: a public IP and a private IP.
  2. When pushing, the image must be named with the IP address and port that are registered in the daemon configuration.
  3. When pushing from the Windows side, the access comes over the public network, so the IP address used for the upload does not match the internal address, and the push to the cloud fails.

  docker pull registry

Modifying the configuration

  # Edit the configuration file
  vi /etc/docker/daemon.json
  # Contents
  {
    "registry-mirrors": ["http://hub-mirror.c.163.com", "https://docker.mirrors.ustc.edu.cn"],
    "insecure-registries": ["192.168.1.9:3389"]
  }

Reloading the configuration and restarting the Docker service

  # Reload the unit files of the service
  sudo systemctl daemon-reload
  # Restart docker
  sudo systemctl restart docker

Creating the private registry container

  # Delete the files under /mydata/docker_registry first, then create the container
  docker run -di --name registry -p 3389:5000 -v /mydata/docker_registry:/var/lib/registry registry


Pushing an image to the private registry

  # Add a tag; format: docker tag <original tag> <new tag>, where the new tag is address:port/image-name
  docker tag caesartylor/test-helloworld:1.0.0 192.168.1.9:3389/hello-world
  # Push from the local host
  docker push 192.168.1.9:3389/hello-world

Result

  # Create a container from the local registry
  docker run -it --name hello-world 192.168.1.9:3389/hello-world
  # View the files in the volume
  root@vvkt7whznuckhiz2-0723575:/mydata/docker_registry/docker/registry/v2/repositories# ls
  hello-world

Configuring authentication for the private registry

The private registry is now set up. To keep it secure, it also needs a certificate for authentication, to prevent unexpected incidents. So first generate a self-signed certificate on the Docker host where the private registry runs, starting with the directory that stores the certificate.

  mkdir -p /usr/local/registry/certs

Command to generate the self-signed certificate

  openssl req -newkey rsa:2048 -nodes -sha256 -keyout /usr/local/registry/certs/domain.key -x509 -days 365 -out /usr/local/registry/certs/domain.crt

5.1 Generating the self-signed certificate

  openssl req: creates certificate signing requests and related objects;
  -newkey: creates a CSR file and an RSA private key file;
  rsa:2048: sets the length of the generated RSA private key to 2048 bits;
  -nodes: leaves the private key unencrypted;
  -sha256: uses the SHA256 algorithm;
  -keyout: name and location of the private key file to create;
  -x509: emits a self-signed certificate instead of a request;
  -days: validity period of the certificate;
  -out: name and location of the output file;

Creation process

  root@vvkt7whznuckhiz2-0723575:~# openssl req -newkey rsa:2048 -nodes -sha256 -keyout /usr/local/registry/certs/domain.key -x509 -days 365 -out /usr/local/registry/certs/domain.crt
  Can't load /root/.rnd into RNG
  140495885132224:error:2406F079:random number generator:RAND_load_file:Cannot open file:../crypto/rand/randfile.c:88:Filename=/root/.rnd
  Generating a RSA private key
  ..............+++++
  .............................+++++
  writing new private key to '/usr/local/registry/certs/domain.key'
  -----
  You are about to be asked to enter information that will be incorporated
  into your certificate request.
  What you are about to enter is what is called a Distinguished Name or a DN.
  There are quite a few fields but you can leave some blank
  For some fields there will be a default value,
  If you enter '.', the field will be left blank.
  -----
  Country Name (2 letter code) [AU]:SH
  State or Province Name (full name) [Some-State]:SH
  Locality Name (eg, city) []:SH
  Organization Name (eg, company) [Internet Widgits Pty Ltd]:CT
  Organizational Unit Name (eg, section) []:CT
  Common Name (e.g. server FQDN or YOUR name) []:192.168.1.9
  Email Address []:419997284@qq.com
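The certificate above carries the registry address only in the Common Name, and the client accepts it only because 192.168.1.9:3389 is listed under insecure-registries, which switches off certificate verification. The following added example (not from the original post) generates the certificate with Subject Alternative Names for every address clients use, so that a client on the public side of the cloud server can verify it as well, and shows the per-registry trust directory Docker reads, which replaces the insecure-registries entry; it assumes OpenSSL 1.1.1 or newer for -addext, and PUBLIC_IP is a placeholder for the server's public address.

```shell
#!/bin/sh
# Added example, not from the original post. Generates the registry's
# self-signed certificate with Subject Alternative Names (SANs) rather than
# relying on the Common Name alone, and shows the per-registry trust
# directory that replaces the "insecure-registries" setting.
# Assumes OpenSSL 1.1.1+ (for -addext). 192.168.1.9:3389 is the post's
# registry address; PUBLIC_IP is a placeholder for the cloud server's
# public address.
set -eu

gen_registry_cert() {
    # $1 = output directory, $2 = SAN list, e.g. "IP:192.168.1.9,IP:PUBLIC_IP"
    out_dir="$1"; sans="$2"
    mkdir -p "$out_dir"
    # -subj replaces the interactive DN prompts of the post's command
    openssl req -newkey rsa:2048 -nodes -sha256 -x509 -days 365 \
        -subj "/CN=192.168.1.9" \
        -addext "subjectAltName=$sans" \
        -keyout "$out_dir/domain.key" -out "$out_dir/domain.crt" 2>/dev/null
    chmod 600 "$out_dir/domain.key"   # the private key stays readable by root only
}

cert_sans() {
    # Print the SAN entries of a certificate on one line, for checking.
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^ *//'
}

install_client_trust() {
    # $1 = registry host:port, $2 = path to domain.crt. Run as root on each
    # Docker client: Docker reads CA certs from /etc/docker/certs.d/<host:port>/,
    # so afterwards the registry can be removed from "insecure-registries".
    mkdir -p "/etc/docker/certs.d/$1"
    cp "$2" "/etc/docker/certs.d/$1/ca.crt"
}

# Usage on the registry host (as root):
#   gen_registry_cert /usr/local/registry/certs "IP:192.168.1.9,IP:PUBLIC_IP"
#   cert_sans /usr/local/registry/certs/domain.crt
#   install_client_trust 192.168.1.9:3389 /usr/local/registry/certs/domain.crt
```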

5.2 Generating the authentication password file

  # Create the directory that stores the authentication password file
  mkdir -p /usr/local/registry/auth
  # If the htpasswd tool is missing, install httpd
  yum install -y httpd
  # Installation on Ubuntu
  sudo apt install apache2-utils
  # Create the user and password
  htpasswd -Bbn root 1234 > /usr/local/registry/auth/htpasswd

htpasswd is the basic-authentication file of the Apache HTTP server; the htpasswd command generates the user and password file.

5.3 Creating the private registry container

  docker run -di --name registry -p 3389:5000 -v /mydata/docker_registry:/var/lib/registry -v /usr/local/registry/certs:/certs -v /usr/local/registry/auth:/auth -e "REGISTRY_AUTH=htpasswd" -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt -e REGISTRY_HTTP_TLS_KEY=/certs/domain.key registry

  # The same command with one option per line (note the line continuations)
  docker run -di --name registry -p 3389:5000 \
    -v /mydata/docker_registry:/var/lib/registry \
    -v /usr/local/registry/certs:/certs \
    -v /usr/local/registry/auth:/auth \
    -e "REGISTRY_AUTH=htpasswd" \
    -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" \
    -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd \
    -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt \
    -e REGISTRY_HTTP_TLS_KEY=/certs/domain.key \
    registry

Errors when the container fails to run, and how they were fixed

  1. Error: after creating the container with the key and certificate files, it unexpectedly fails to run.

  time="2021-08-13T02:03:48.750612384Z" level=warning msg="No HTTP secret provided - generated random secret. This may cause problems with uploads if multiple registries are behind a load-balancer. To provide a shared secret, fill in http.secret in the configuration file or set the REGISTRY_HTTP_SECRET environment variable." go.version=go1.11.2 instance.id=b21b502d-e852-4ca8-95cb-70ac7d76a27e service=registry version=v2.7.1
  time="2021-08-13T02:03:48.750853985Z" level=info msg="redis not configured" go.version=go1.11.2 instance.id=b21b502d-e852-4ca8-95cb-70ac7d76a27e service=registry version=v2.7.1
  time="2021-08-13T02:03:48.760778738Z" level=info msg="using inmemory blob descriptor cache" go.version=go1.11.2 instance.id=b21b502d-e852-4ca8-95cb-70ac7d76a27e service=registry version=v2.7.1
  time="2021-08-13T02:03:48.761126562Z" level=fatal msg="open /certs/domain.cert: no such file or directory"
  time="2021-08-13T02:04:07.141904369Z" level=warning msg="No HTTP secret provided - generated random secret. This may cause problems with uploads if multiple registries are behind a load-balancer. To provide a shared secret, fill in http.secret in the configuration file or set the REGISTRY_HTTP_SECRET environment variable." go.version=go1.11.2 instance.id=9866b621-ac2a-4333-959b-d44260e3885b service=registry version=v2.7.1
  time="2021-08-13T02:04:07.142162337Z" level=info msg="redis not configured" go.version=go1.11.2 instance.id=9866b621-ac2a-4333-959b-d44260e3885b service=registry version=v2.7.1
  time="2021-08-13T02:04:07.152537921Z" level=info msg="using inmemory blob descriptor cache" go.version=go1.11.2 instance.id=9866b621-ac2a-4333-959b-d44260e3885b service=registry version=v2.7.1
  time="2021-08-13T02:04:07.152917456Z" level=fatal msg="open /certs/domain.cert: no such file or directory"
  root@vvkt7whznuckhiz2-0723575:~# cd /usr/local/registry/certs

  2. Cause: viewing the log with docker logs --details registry shows that the certificate file domain.crt had been mistyped as domain.cert in the configuration.
  3. Fix: remove the container, correct the configuration and create it again.
  4. Takeaway: the command as a whole binds directories and sets environment variables; auth and certs each get their own bound directory.

5.4 Push to the private registry fails

  root@vvkt7whznuckhiz2-0723575:~# docker push 192.168.1.9:3389/hello-world
  Using default tag: latest
  The push refers to repository [192.168.1.9:3389/hello-world]
  f22b99068db9: Preparing
  no basic auth credentials
  root@vvkt7whznuckhiz2-0723575:~#

5.5 Logging in

  root@vvkt7whznuckhiz2-0723575:~# docker login 192.168.1.9:3389
  Username: root
  Password:
  WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
  Configure a credential helper to remove this warning. See
  https://docs.docker.com/engine/reference/commandline/login/#credentials-store
  Login Succeeded

5.6 Pushing the image to the private registry succeeds

  root@vvkt7whznuckhiz2-0723575:~# docker push 192.168.1.9:3389/hello-world
  Using default tag: latest
  The push refers to repository [192.168.1.9:3389/hello-world]
  f22b99068db9: Pushed
  latest: digest: sha256:1b26826f602946860c279fce658f31050cff2c596583af237d971f4629b57792 size: 525

Error log

  time="2021-08-13T03:03:00.998142307Z" level=warning msg="No HTTP secret provided - generated random secret. This may cause problems with uploads if multiple registries are behind a load-balancer. To provide a shared secret, fill in http.secret in the configuration file or set the REGISTRY_HTTP_SECRET environment variable." go.version=go1.11.2 instance.id=a9ba00fa-9bd2-4c0a-a5b7-609c082bbbbd service=registry version=v2.7.1
  time="2021-08-13T03:03:00.998516037Z" level=info msg="redis not configured" go.version=go1.11.2 instance.id=a9ba00fa-9bd2-4c0a-a5b7-609c082bbbbd service=registry version=v2.7.1
  time="2021-08-13T03:03:01.008786591Z" level=info msg="using inmemory blob descriptor cache" go.version=go1.11.2 instance.id=a9ba00fa-9bd2-4c0a-a5b7-609c082bbbbd service=registry version=v2.7.1
  time="2021-08-13T03:03:01.02673276Z" level=info msg="Starting upload purge in 17m0s" go.version=go1.11.2 instance.id=a9ba00fa-9bd2-4c0a-a5b7-609c082bbbbd service=registry version=v2.7.1
  time="2021-08-13T03:03:01.027143705Z" level=info msg="listening on [::]:5000, tls" go.version=go1.11.2 instance.id=a9ba00fa-9bd2-4c0a-a5b7-609c082bbbbd service=registry version=v2.7.1
  time="2021-08-13T03:18:28.465212015Z" level=warning msg="error authorizing context: basic authentication challenge for realm "Registry Realm": invalid authorization credential" go.version=go1.11.2 http.request.host="192.168.1.9:3389" http.request.id=82e3313d-5a76-43e9-a306-209524a20ac8 http.request.method=GET http.request.remoteaddr="192.168.1.9:35974" http.request.uri="/v2/" http.request.useragent="docker/20.10.8 go/go1.16.6 git-commit/75249d8 kernel/4.15.0-154-generic os/linux arch/amd64 UpstreamClient(Docker-Client/20.10.8 \(linux\))"
  192.168.1.9 - - [13/Aug/2021:03:18:28 +0000] "GET /v2/ HTTP/1.1" 401 87 "" "docker/20.10.8 go/go1.16.6 git-commit/75249d8 kernel/4.15.0-154-generic os/linux arch/amd64 UpstreamClient(Docker-Client/20.10.8 \\(linux\\))"
  time="2021-08-13T03:20:01.027011339Z" level=info msg="PurgeUploads starting: olderThan=2021-08-06 03:20:01.026981626 +0000 UTC m=-603779.950852935, actuallyDelete=true"
  time="2021-08-13T03:20:01.027107501Z" level=info msg="Purge uploads finished. Num deleted=0, num errors=1"
  time="2021-08-13T03:20:01.027116354Z" level=info msg="Starting upload purge in 24h0m0s" go.version=go1.11.2 instance.id=a9ba00fa-9bd2-4c0a-a5b7-609c082bbbbd service=registry version=v2.7.1
  192.168.1.9 - - [13/Aug/2021:03:20:31 +0000] "GET /v2/ HTTP/1.1" 401 87 "" "docker/20.10.8 go/go1.16.6 git-commit/75249d8 kernel/4.15.0-154-generic os/linux arch/amd64 UpstreamClient(Docker-Client/20.10.8 \\(linux\\))"
  time="2021-08-13T03:20:31.656182602Z" level=warning msg="error authorizing context: basic authentication challenge for realm "Registry Realm": invalid authorization credential" go.version=go1.11.2 http.request.host="192.168.1.9:3389" http.request.id=d2365ba3-4c76-44e2-a987-5f3c9859d516 http.request.method=GET http.request.remoteaddr="192.168.1.9:35978" http.request.uri="/v2/" http.request.useragent="docker/20.10.8 go/go1.16.6 git-commit/75249d8 kernel/4.15.0-154-generic os/linux arch/amd64 UpstreamClient(Docker-Client/20.10.8 \(linux\))"
  time="2021-08-13T03:20:31.665389768Z" level=info msg="authorized request" go.version=go1.11.2 http.request.host="192.168.1.9:3389" http.request.id=2219268c-ef1c-4b3e-bf80-a5aa263e4f4e http.request.method=GET http.request.remoteaddr="192.168.1.9:35980" http.request.uri="/v2/" http.request.useragent="docker/20.10.8 go/go1.16.6 git-commit/75249d8 kernel/4.15.0-154-generic os/linux arch/amd64 UpstreamClient(Docker-Client/20.10.8 \(linux\))"
  time="2021-08-13T03:20:31.665647483Z" level=info msg="response completed" go.version=go1.11.2 http.request.host="192.168.1.9:3389" http.request.id=2219268c-ef1c-4b3e-bf80-a5aa263e4f4e http.request.method=GET http.request.remoteaddr="192.168.1.9:35980" http.request.uri="/v2/" http.request.useragent="docker/20.10.8 go/go1.16.6 git-commit/75249d8 kernel/4.15.0-154-generic os/linux arch/amd64 UpstreamClient(Docker-Client/20.10.8 \(linux\))" http.response.contenttype="application/json; charset=utf-8" http.response.duration=4.445561ms http.response.status=200 http.response.written=2
  192.168.1.9 - - [13/Aug/2021:03:20:31 +0000] "GET /v2/ HTTP/1.1" 200 2 "" "docker/20.10.8 go/go1.16.6 git-commit/75249d8 kernel/4.15.0-154-generic os/linux arch/amd64 UpstreamClient(Docker-Client/20.10.8 \\(linux\\))"
  2021/08/13 03:21:27 http: TLS handshake error from 183.223.83.69:11714: tls: first record does not look like a TLS handshake
  2021/08/13 03:21:28 http: TLS handshake error from 183.223.83.69:11713: tls: first record does not look like a TLS handshake
  2021/08/13 03:21:30 http: TLS handshake error from 183.223.83.69:11717: tls: first record does not look like a TLS handshake
  2021/08/13 03:21:34 http: TLS handshake error from 183.223.83.69:11718: tls: first record does not look like a TLS handshake
  2021/08/13 03:21:35 http: TLS handshake error from 183.223.83.69:11735: tls: first record does not look like a TLS handshake
  2021/08/13 03:21:38 http: TLS handshake error from 183.223.83.69:11738: tls: first record does not look like a TLS handshake
  2021/08/13 03:21:39 http: TLS handshake error from 183.223.83.69:11742: tls: first record does not look like a TLS handshake
  2021/08/13 03:21:40 http: TLS handshake error from 183.223.83.69:11746: tls: first record does not look like a TLS handshake
  2021/08/13 03:21:45 http: TLS handshake error from 183.223.83.69:11748: tls: first record does not look like a TLS handshake
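The log above shows two things worth watching on a registry exposed on a cloud server: the 401 basic-auth challenges before the login, and a burst of non-TLS connections from an address outside the private network within minutes of the registry starting to listen. The following added example (not from the original post) is a small triage script that counts failed credentials and groups handshake failures by source address, flagging sources outside RFC 1918 space; the sample log lines are constructed after the post's log format.

```shell
#!/bin/sh
# Added example, not from the original post: triage of the registry
# container's log (docker logs registry). Sample lines below are constructed
# after the format seen in the post; 198.51.100.7 is a documentation address.
set -eu

write_sample_log() {   # $1 = path; constructed sample, modelled on the post's log
    cat > "$1" <<'EOF'
time="2021-08-13T03:18:28Z" level=warning msg="error authorizing context: basic authentication challenge for realm "Registry Realm": invalid authorization credential" http.request.remoteaddr="192.168.1.9:35974" http.request.uri="/v2/"
192.168.1.9 - - [13/Aug/2021:03:18:28 +0000] "GET /v2/ HTTP/1.1" 401 87 "" "docker/20.10.8"
time="2021-08-13T03:20:31Z" level=info msg="authorized request" http.request.remoteaddr="192.168.1.9:35980" http.request.uri="/v2/"
192.168.1.9 - - [13/Aug/2021:03:20:31 +0000] "GET /v2/ HTTP/1.1" 200 2 "" "docker/20.10.8"
2021/08/13 03:21:27 http: TLS handshake error from 183.223.83.69:11714: tls: first record does not look like a TLS handshake
2021/08/13 03:21:28 http: TLS handshake error from 183.223.83.69:11713: tls: first record does not look like a TLS handshake
2021/08/13 03:21:30 http: TLS handshake error from 198.51.100.7:40001: tls: first record does not look like a TLS handshake
EOF
}

auth_failures() {      # number of rejected basic-auth credentials
    grep -c 'invalid authorization credential' "$1" || true
}

handshake_errors_by_ip() {   # "count ip" lines, most frequent source first
    # Field 8 of a handshake-error line is "ip:port:"; keep the ip part.
    awk '/TLS handshake error from/ { split($8, a, ":"); n[a[1]]++ }
         END { for (ip in n) print n[ip], ip }' "$1" | sort -rn
}

external_probe_sources() {   # handshake-error sources outside RFC 1918 space
    handshake_errors_by_ip "$1" \
        | awk '$2 !~ /^(10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.)/ { print $2 }'
}

# Usage against a saved log:
#   docker logs registry > registry.log 2>&1
#   auth_failures registry.log; handshake_errors_by_ip registry.log
#   external_probe_sources registry.log
```

Any address printed by external_probe_sources reached the registry port from the public network, which is a sign the port should be restricted by firewall or security group to the clients that need it.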

5.7 Logging out

  root@vvkt7whznuckhiz2-0723575:~# docker logout 192.168.1.9:3389
  Removing login credentials for 192.168.1.9:3389