
163.6. Registries

163.6.1. Official Docker registry

163.6.1.1. Logging in to the registry

Log in

			
$ sudo docker login
Username: netkiller
Password: 
Email: netkiller@msn.com
Login Succeeded
			
			

163.6.1.2. Pulling an image

			
docker pull ubuntu:14.04
			
			

163.6.1.3. Pushing an image

			
docker tag friendlyhello username/repository:tag
docker push username/repository:tag
			
			

163.6.2. Private registry

163.6.2.1. Setting up a private registry

Setting up a private registry takes only two steps

		
docker pull registry
docker run -d -p 5000:5000 -v /opt/registry:/var/lib/registry --name registry registry
		
			

Demonstration

		
neo@ubuntu:~$ docker pull registry
Using default tag: latest
latest: Pulling from library/registry
169185f82c45: Pull complete 
046e2d030894: Pull complete 
188836fddeeb: Pull complete 
832744537747: Pull complete 
7ceea07e80be: Pull complete 
Digest: sha256:870474507964d8e7d8c3b53bcfa738e3356d2747a42adad26d0d81ef4479eb1b
Status: Downloaded newer image for registry:latest		

neo@ubuntu:~$ docker run -d -p 5000:5000 -v /opt/registry:/var/lib/registry registry
38a6d3b5e18e378b7765fa00374426db3a06c64f4b9219a1f85dc42a6a66ef28

neo@ubuntu:~$ docker ps | grep registry
38a6d3b5e18e        registry              "/entrypoint.sh /etc…"   35 seconds ago      Up 33 seconds       0.0.0.0:5000->5000/tcp
		
			

There are two ways to let the Docker daemon reach the registry over plain HTTP. One is to edit /etc/docker/daemon.json and add an "insecure-registries" entry

		
{
    "registry-mirrors": ["https://registry.docker-cn.com"],
    "insecure-registries": ["127.0.0.1:5000"]
}
		
			

The other way is to edit /etc/default/docker and add the following

		
neo@ubuntu:~$ sudo vim /etc/default/docker

DOCKER_OPTS="--insecure-registry 0.0.0.0:5000"
		
			

Edit /lib/systemd/system/docker.service

		
# Add
EnvironmentFile=/etc/default/docker
# Append $DOCKER_OPTS at the end
ExecStart=/usr/bin/dockerd -H fd:// -H unix:///var/run/docker.sock -H tcp://0.0.0.0:2375 $DOCKER_OPTS
		
			

Complete example

		
neo@ubuntu:~$ sudo vim /lib/systemd/system/docker.service

[Unit]
Description=Docker Application Container Engine
Documentation=https://docs.docker.com
After=network-online.target docker.socket firewalld.service
Wants=network-online.target
Requires=docker.socket

[Service]
Type=notify
# the default is not to use systemd for cgroups because the delegate issues still
# exists and systemd currently does not support the cgroup feature set required
# for containers run by docker
EnvironmentFile=/etc/default/docker
ExecStart=/usr/bin/dockerd -H fd:// -H unix:///var/run/docker.sock -H tcp://0.0.0.0:2375 $DOCKER_OPTS
ExecReload=/bin/kill -s HUP $MAINPID
LimitNOFILE=1048576
# Having non-zero Limit*s causes performance problems due to accounting overhead
# in the kernel. We recommend using cgroups to do container-local accounting.
LimitNPROC=infinity
LimitCORE=infinity
# Uncomment TasksMax if your systemd version supports it.
# Only systemd 226 and above support this version.
TasksMax=infinity
TimeoutStartSec=0
# set delegate yes so that systemd does not reset the cgroups of docker containers
Delegate=yes
# kill only the docker process, not all processes in the cgroup
KillMode=process
# restart the docker process if it exits prematurely
Restart=on-failure
StartLimitBurst=3
StartLimitInterval=60s

[Install]
WantedBy=multi-user.target

		
			

Restart Docker

		
neo@ubuntu:~$ sudo systemctl daemon-reload
neo@ubuntu:~$ sudo systemctl restart docker	

neo@ubuntu:~$ ps ax | grep docker
19548 ?        Ssl    0:00 /usr/bin/dockerd -H fd:// -H unix:///var/run/docker.sock -H tcp://0.0.0.0:2375 --insecure-registry 0.0.0.0:5000
		
			

Verify that port 5000 is reachable

		
neo@ubuntu:~$ curl -XGET http://localhost:5000/v2/_catalog
{"repositories":[]}		
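
The configuration above leaves two things unencrypted: the daemon's remote API on tcp://0.0.0.0:2375 and the traffic to the registry on port 5000. The following audit is an added example, not part of the original page; it reports both from the three files edited above, and the function names and finding labels are made up for the example.

```shell
#!/bin/sh
# Report plaintext Docker settings found in the three files edited above.
# Prints one finding per line, nothing when the files are clean.
audit_docker_plaintext() {
    unit_file=$1 opts_file=$2 daemon_json=$3

    # dockerd command line as assembled from the unit file and $DOCKER_OPTS.
    flags=$(cat "$unit_file" "$opts_file" 2>/dev/null |
        grep -E '^(ExecStart|DOCKER_OPTS)=' || true)

    # A tcp:// listener without --tlsverify is an unauthenticated remote API:
    # whoever can reach the port has full control of the daemon.
    case $flags in
        *--tlsverify*) ;;
        *tcp://*) printf '%s\n' "$flags" | grep -oE 'tcp://[^ "]+' |
                      sed 's/^/API_NO_TLS /' ;;
    esac

    # --insecure-registry on the command line: pulls and pushes skip TLS.
    printf '%s\n' "$flags" | grep -oE -e '--insecure-registry[ =][^ "]+' |
        sed -E 's/^--insecure-registry[ =]/INSECURE_REGISTRY /'

    # "insecure-registries" in daemon.json (plain text match, not a JSON parser).
    if [ -r "$daemon_json" ]; then
        tr -d ' \n\t' < "$daemon_json" |
            grep -oE '"insecure-registries":\[[^]]*\]' |
            grep -oE '"[^"]+"' | sed 1d | tr -d '"' |
            sed 's/^/INSECURE_REGISTRY /'
    fi
    return 0
}

# Constructed sample: the three files as configured on this page.
write_sample() {
    mkdir -p "$1"
    printf '%s\n' '[Service]' 'EnvironmentFile=/etc/default/docker' \
        'ExecStart=/usr/bin/dockerd -H fd:// -H unix:///var/run/docker.sock -H tcp://0.0.0.0:2375 $DOCKER_OPTS' \
        > "$1/docker.service"
    printf '%s\n' 'DOCKER_OPTS="--insecure-registry 0.0.0.0:5000"' > "$1/docker"
    printf '%s\n' '{' '  "insecure-registries": ["127.0.0.1:5000"]' '}' \
        > "$1/daemon.json"
}

sample_dir=$(mktemp -d)
write_sample "$sample_dir"
audit_docker_plaintext "$sample_dir/docker.service" "$sample_dir/docker" \
    "$sample_dir/daemon.json"
rm -rf "$sample_dir"
```

On a real host, pass /lib/systemd/system/docker.service, /etc/default/docker and /etc/docker/daemon.json as the three arguments.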
		
			

163.6.2.2. Pushing an image to the private registry

Push a local image to the remote private registry

		
docker pull busybox
docker tag busybox docker.netkiller.cn:5000/busybox
docker push docker.netkiller.cn:5000/busybox
		
			

Demonstration

		
[root@localhost ~]# docker pull busybox
Using default tag: latest
latest: Pulling from library/busybox
697743189b6d: Pull complete 
Digest: sha256:061ca9704a714ee3e8b80523ec720c64f6209ad3f97c0ff7cb9ec7d19f15149f
Status: Downloaded newer image for busybox:latest

[root@localhost ~]# docker tag busybox docker.netkiller.cn:5000/busybox

[root@localhost ~]# docker push docker.netkiller.cn:5000/busybox
The push refers to repository [docker.netkiller.cn:5000/busybox]
adab5d09ba79: Pushed 
latest: digest: sha256:4415a904b1aca178c2450fd54928ab362825e863c0ad5452fd020e92f7a6a47e size: 527
        
			

Inspect the remote private registry

		
[root@localhost ~]# curl -XGET http://docker.netkiller.cn:5000/v2/_catalog
{"repositories":["busybox"]}

[root@localhost ~]# curl -XGET http://docker.netkiller.cn:5000/v2/busybox/tags/list
{"name":"busybox","tags":["latest"]}
		
			

Pull an image from the private registry

		
docker pull docker.netkiller.cn:5000/busybox
		
			

163.6.2.3. Querying images

http://localhost:5000/v2/_catalog

To list all images in the private registry, use the docker search command:

		
docker search registry_ipaddr:5000/	
		
			

To list the images under a specific account in the registry, use the following command:

		
docker search registry_ipaddr:5000/account/
		
			

Demonstration

		
[root@localhost ~]# curl -XGET http://docker.netkiller.cn:5000/v2/_catalog
{"repositories":["busybox"]}

[root@localhost ~]# curl -XGET http://docker.netkiller.cn:5000/v2/busybox/tags/list
{"name":"busybox","tags":["latest"]}		
		
			

163.6.2.4. Advanced configuration of the registry image

/etc/docker/registry/config.yml

		
cat config.yml
 
version: 0.1
log:
  fields:
    service: registry
storage:
  delete:
    enabled: true
  cache:
    blobdescriptor: inmemory
  filesystem:
    rootdirectory: /var/lib/registry
http:
  addr: :5000
  headers:
    X-Content-Type-Options: [nosniff]
health:
  storagedriver:
    enabled: true
    interval: 10s
    threshold: 3
		
			
163.6.2.4.1. Private registry authentication

Create the password file

			
docker run --entrypoint htpasswd registry -Bbn testuser testpassword > auth/htpasswd
			
				

Start the registry container

			
docker run -d -p 5000:5000 --restart=always --name docker-hub \
  -v /opt/registry:/var/lib/registry \
  -v /opt/auth:/auth \
  -e "REGISTRY_AUTH=htpasswd" \
  -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" \
  -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd \
  registry
			
				

Log in

			
docker login -u testuser -p testpassword docker.netkiller.cn:5000
			
				

Log out

			
docker logout docker.netkiller.cn:5000			
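
The container started above serves HTTP Basic authentication without TLS, so the password crosses the network in clear text. The following added example (not part of the original page) starts the same container with a certificate after checking the files it depends on; /opt/certs, domain.crt, domain.key and the function names are assumptions made for the example.

```shell
#!/bin/sh
# List htpasswd users whose hash is not bcrypt. The registry's htpasswd
# backend only accepts bcrypt, which is what the -B flag above produces.
non_bcrypt_users() {
    awk -F: 'NF >= 2 && $2 !~ /^\$2[aby]\$[0-9][0-9]\$/ { print $1 }' "$1"
}

# start_registry_tls /opt/auth /opt/certs   (certificate directory is assumed)
start_registry_tls() {
    auth_dir=$1 certs_dir=$2
    for f in "$auth_dir/htpasswd" "$certs_dir/domain.crt" "$certs_dir/domain.key"; do
        [ -s "$f" ] || { echo "missing or empty: $f" >&2; return 1; }
    done
    bad=$(non_bcrypt_users "$auth_dir/htpasswd")
    [ -z "$bad" ] || { echo "not bcrypt: $bad" >&2; return 1; }

    # Same options as on the page, plus a certificate so that the Basic auth
    # header and the image layers are not sent in clear text.
    docker run -d -p 5000:5000 --restart=always --name docker-hub \
        -v /opt/registry:/var/lib/registry \
        -v "$auth_dir":/auth -v "$certs_dir":/certs \
        -e REGISTRY_AUTH=htpasswd \
        -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" \
        -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd \
        -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt \
        -e REGISTRY_HTTP_TLS_KEY=/certs/domain.key \
        registry
}

# Constructed htpasswd sample: one bcrypt entry, one legacy MD5 (apr1) entry.
sample_htpasswd() {
    printf '%s\n' \
        'testuser:$2y$05$abcdefghijklmnopqrstuuABCDEFGHIJKLMNOPQRSTUVWXYZ01234' \
        'olduser:$apr1$abcdefgh$ABCDEFGHIJKLMNOPQRSTU.'
}

tmp=$(mktemp -d)
sample_htpasswd > "$tmp/htpasswd"
non_bcrypt_users "$tmp/htpasswd"     # prints: olduser
rm -rf "$tmp"
```

Once the registry runs with TLS, `docker login --password-stdin` reads the password from standard input instead of the command line, which keeps it out of the shell history and the process list.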
			
				

163.6.2.5. Registry API

List repositories: http://registry:5000/v2/_catalog

		
curl -XGET http://registry:5000/v2/_catalog
		
			

List the tags of an image

		
curl -XGET http://registry:5000/v2/image_name/tags/list
		
			

Delete an image

		
DELETE /v2/<name>/manifests/<reference>
name: image name
reference: the image's sha256 digest
		
			

Testing the handler

		
curl -I -X DELETE http://registry:5000/v2/netkiller/manifests/sha256:6a67ba482a8dd4f8143ac96b1dcffa5e45af95b8d3e37aeba72401a5afd7ab8e		
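
The DELETE call needs the manifest digest, not the tag. The following added example (not part of the original page) resolves a tag to its digest from the Docker-Content-Digest response header and refuses to issue the DELETE unless the digest is well formed; the function names are made up, and the sample headers are constructed around the busybox digest shown in the push output earlier.

```shell
#!/bin/sh
# Extract the manifest digest from registry response headers read on stdin.
digest_from_headers() {
    tr -d '\r' |
        awk 'tolower($1) == "docker-content-digest:" { print $2; exit }'
}

# Accept only a well-formed sha256 digest, so that a missing header can never
# turn into DELETE /v2/<name>/manifests/ with an empty reference.
is_sha256_digest() {
    printf '%s\n' "$1" | grep -Eq '^sha256:[0-9a-f]{64}$'
}

# Usage: delete_tag http://registry:5000 busybox latest
delete_tag() {
    registry=$1 name=$2 tag=$3
    # Ask for the v2 manifest explicitly; otherwise the registry may answer
    # with the digest of a converted schema1 manifest, which does not match
    # what was pushed.
    digest=$(curl -sS -I \
        -H 'Accept: application/vnd.docker.distribution.manifest.v2+json' \
        "$registry/v2/$name/manifests/$tag" | digest_from_headers)
    is_sha256_digest "$digest" ||
        { echo "no digest for $name:$tag" >&2; return 1; }
    # 202 means accepted; 405 means storage.delete.enabled is not true.
    curl -sS -o /dev/null -w '%{http_code}\n' -X DELETE \
        "$registry/v2/$name/manifests/$digest"
}

# Constructed response headers for a HEAD request on busybox:latest.
sample_headers() {
    printf '%s\r\n' 'HTTP/1.1 200 OK' \
        'Content-Type: application/vnd.docker.distribution.manifest.v2+json' \
        'Docker-Content-Digest: sha256:4415a904b1aca178c2450fd54928ab362825e863c0ad5452fd020e92f7a6a47e' \
        'Content-Length: 527'
}

sample_headers | digest_from_headers
```

Deleting the manifest does not free disk space: the layer blobs stay under /var/lib/registry until the registry binary's garbage-collect subcommand is run against /etc/docker/registry/config.yml inside the container.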
		
			

163.6.3. Harbor

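Harbor is an open-source, enterprise-grade Docker Registry management project from VMware. It provides a web UI for managing a Docker Registry, role-based access control, AD/LDAP integration, audit logging and other features, and fully supports Chinese.

Project repository: https://github.com/vmware/harbor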