Netkiller Virtualization 手札
Docker, KVM, OpenVZ, Vagrant, VirtualBox ...
Mr. Neo Chan, 陈景峯(BG7NYT)
中国广东省深圳市望海路半岛城邦三期 518067 +86 13113668890
MMDVM Hotspot: YSF80337 - CN China 1 - W24166/TG46001 BM_China_46001 - DMR Radio ID 4600441 <> 2015-07-14
版权 © 2015-2019 Netkiller(Neo Chan). All rights reserved.
版权声明
转载请与作者联系,转载时请务必标明文章原始出处和作者信息及本声明。
| | | |
|
1.10. 私有仓库
1.10.1. 搭建私有仓库
搭建私有仓库只需两步
docker pull registrydocker run -d -p 5000:5000 -v /opt/registry:/var/lib/registry --name registry registry
操作演示
neo@ubuntu:~$ docker pull registryUsing default tag: latestlatest: Pulling from library/registry169185f82c45: Pull complete 046e2d030894: Pull complete 188836fddeeb: Pull complete 832744537747: Pull complete 7ceea07e80be: Pull complete Digest: sha256:870474507964d8e7d8c3b53bcfa738e3356d2747a42adad26d0d81ef4479eb1bStatus: Downloaded newer image for registry:latest neo@ubuntu:~$ docker run -d -p 5000:5000 -v /opt/registry:/tmp/registry registry 38a6d3b5e18e378b7765fa00374426db3a06c64f4b9219a1f85dc42a6a66ef28neo@ubuntu:~$ docker ps | grep registry38a6d3b5e18e registry "/entrypoint.sh /etc…" 35 seconds ago Up 33 seconds 0.0.0.0:5000->5000/tcp
/etc/default/docker 中加入下面内容
neo@ubuntu:~$ sudo vim /etc/default/dockerDOCKER_OPTS="--insecure-registry 0.0.0.0:5000"
修改 /lib/systemd/system/docker.service
# 加入 EnvironmentFile=/etc/default/docker# 尾部加入 $DOCKER_OPTSExecStart=/usr/bin/dockerd -H fd:// -H unix:///var/run/docker.sock -H tcp://0.0.0.0:2375 $DOCKER_OPTS
完整的例子
neo@ubuntu:~$ sudo vim /lib/systemd/system/docker.service[Unit]Description=Docker Application Container EngineDocumentation=https://docs.docker.comAfter=network-online.target docker.socket firewalld.serviceWants=network-online.targetRequires=docker.socket[Service]Type=notify# the default is not to use systemd for cgroups because the delegate issues still# exists and systemd currently does not support the cgroup feature set requiredEnvironmentFile=/etc/default/docker# for containers run by dockerExecStart=/usr/bin/dockerd -H fd:// -H unix:///var/run/docker.sock -H tcp://0.0.0.0:2375 $DOCKER_OPTSExecReload=/bin/kill -s HUP $MAINPIDLimitNOFILE=1048576# Having non-zero Limit*s causes performance problems due to accounting overhead# in the kernel. We recommend using cgroups to do container-local accounting.LimitNPROC=infinityLimitCORE=infinity# Uncomment TasksMax if your systemd version supports it.# Only systemd 226 and above support this version.TasksMax=infinityTimeoutStartSec=0# set delegate yes so that systemd does not reset the cgroups of docker containersDelegate=yes# kill only the docker process, not all processes in the cgroupKillMode=process# restart the docker process if it exits prematurelyRestart=on-failureStartLimitBurst=3StartLimitInterval=60s[Install]WantedBy=multi-user.target
重启 Docker
neo@ubuntu:~$ sudo systemctl daemon-reloadneo@ubuntu:~$ sudo systemctl restart docker neo@ubuntu:~$ ps ax | grep docker19548 ? Ssl 0:00 /usr/bin/dockerd -H fd:// -H unix:///var/run/docker.sock -H tcp://0.0.0.0:2375 --insecure-registry 0.0.0.0:5000
验证 5000 端口可以访问
neo@ubuntu:~$ curl -XGET http://localhost:5000/v2/_catalog{"repositories":[]} 1.10.2. 推送镜像到私有仓库
本地镜像推送到远程私有仓库
docker pull busyboxdocker tag busybox docker.netkiller.cn:5000/busyboxdocker push docker.netkiller.cn:5000/busybox
操作演示
[root@localhost ~]# docker pull busyboxUsing default tag: latestlatest: Pulling from library/busybox697743189b6d: Pull complete Digest: sha256:061ca9704a714ee3e8b80523ec720c64f6209ad3f97c0ff7cb9ec7d19f15149fStatus: Downloaded newer image for busybox:latest[root@localhost ~]# docker tag busybox docker.netkiller.cn:5000/busybox[root@localhost ~]# docker push docker.netkiller.cn:5000/busyboxThe push refers to repository [docker.netkiller.cn:5000/busybox]adab5d09ba79: Pushed latest: digest: sha256:4415a904b1aca178c2450fd54928ab362825e863c0ad5452fd020e92f7a6a47e size: 527
查看远程私有仓库
[root@localhost ~]# curl -XGET http://docker.netkiller.cn:5000/v2/_catalog{"repositories":["busybox"]}[root@localhost ~]# curl -XGET http://docker.netkiller.cn:5000/v2/busybox/tags/list{"name":"busybox","tags":["latest"]} 从私有仓库拉镜像
docker pull docker.netkiller.cn:5000/busybox
1.10.3. 查询镜像
如果我们想要查询私有仓库中的所有镜像,使用docker search命令:
docker search registry_ipaddr:5000/
如果要查询仓库中指定账户下的镜像,则使用如下命令:
docker search registry_ipaddr:5000/account/
操作演示
[root@localhost ~]# curl -XGET http://docker.netkiller.cn:5000/v2/_catalog{"repositories":["busybox"]}[root@localhost ~]# curl -XGET http://docker.netkiller.cn:5000/v2/busybox/tags/list{"name":"busybox","tags":["latest"]} 1.10.4. registry 镜像高级配置
/etc/docker/registry/config.yml
cat config.yml version: 0.1log: fields: service: registrystorage: delete: enabled: true cache: blobdescriptor: inmemory filesystem: rootdirectory: /var/lib/registryhttp: addr: :5000 headers: X-Content-Type-Options: [nosniff]health: storagedriver: enabled: true interval: 10s threshold: 3
1.10.4.1. 私有仓库认证
创建密码文件
docker run --entrypoint htpasswd registry -Bbn testuser testpassword > auth/htpasswd
启动 docker
docker run -d -p 5000:5000 --restart=always --name docker-hub \ -v /opt/registry:/var/lib/registry \ -v /opt/auth:/auth \ -e "REGISTRY_AUTH=htpasswd" \ -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" \ -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd \ registry
登录
docker login -u testuser -p testpassword docker.netkiller.cn:5000
退出
docker logout docker.netkiller.cn:5000
1.10.5. registry 接口
查看仓库
curl -XGET http://registry:5000/v2/_catalog
查看镜像
curl -XGET http://registry:5000/v2/image_name/tags/list
删除镜像
DELETE /v2//manifests/ name:镜像名称reference: 镜像对应sha256值
处理器测试
curl -I -X DELETE http://registry:5000/v2/netkiller/manifests/sha256:6a67ba443ac96b1dcffa5e4582a8dd4f81af95b8d3e37aeba72401a5afd7ab8e