Docker Installation and Private Registry Deployment

Installing Docker

This document is based on CentOS 7, working as the root user.
The system kernel must be version 3.8 or higher.

// Check the kernel version
$ uname -a
// Install Docker; this script checks the kernel and then installs Docker
$ curl -fsSL https://get.docker.com/ | sh
// Start the service
$ systemctl start docker
// Check the version
$ docker --version

Deploying a private registry

Pulling images from and pushing them to the public Docker Hub is very slow, and putting our project's images on the public internet is insecure; a private registry on the LAN is both safer and faster.
The Docker registry server comes in two versions: the first was written in Python, the second in Go. This document is based on the Go version, which requires Docker version 1.6 or above.

// List images
$ docker images
// Delete an image; -f forces the deletion
$ docker rmi -f <image id>
// Run the registry as a container. If the registry:2 image is not present locally, it is pulled from Docker Hub and started.
// --restart=always restarts the container whatever its exit code; --restart=on-failure restarts it only when the exit code is non-zero,
// e.g. --restart=on-failure:5 restarts at most 5 times
$ docker run -d -p 5000:5000 --restart=always --name registry registry:2
// By default the registry data lives in a Docker volume inside the container and is lost when the registry container is removed.
// Share the data out to the host directory /data instead
$ docker run -d -p 5000:5000 --restart=always --name registry -v /data:/var/lib/registry registry:2
// Follow the container logs, similar to tail -f
$ docker logs registry -f
// List the containers currently running on this system
$ docker ps
// List all containers, including stopped ones
$ docker ps -a
// Stop a container (start and restart work the same way); argument is the container name or id
$ docker stop registry
// Remove a container (container name or id)
$ docker rm registry
// Remove all containers
$ docker rm `docker ps -a -q`
// Now test the private registry
// Pull the ubuntu image
$ docker pull ubuntu
// Tag it: give ubuntu the name 192.168.1.182:5000/ubuntu; without an explicit tag it defaults to latest
$ docker tag ubuntu 192.168.1.182:5000/ubuntu
// Push it to the private registry
$ docker push 192.168.1.182:5000/ubuntu
// Verify
// ubuntu can be found directly in the shared directory on the host
$ ll /data/docker/registry/v2/repositories/
// Or query the API (plain http, since this registry has no TLS yet)
$ curl http://192.168.1.182:5000/v2/_catalog

Using the private registry from a client

Install Docker first; see above.

// Configure the private registry address
$ echo '{ "insecure-registries":["192.168.1.182:5000"] }' > /etc/docker/daemon.json
// Restart so the change takes effect
$ systemctl restart docker
// Pull the ubuntu image from the private registry
$ docker pull 192.168.1.182:5000/ubuntu
// You can also push to the private registry, e.g. a local centos image
$ docker tag centos 192.168.1.182:5000/centos
$ docker push 192.168.1.182:5000/centos
// Query the API (plain http, no TLS yet)
$ curl http://192.168.1.182:5000/v2/_catalog
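Two things about the client step deserve a check. The `echo ... > /etc/docker/daemon.json` line overwrites whatever daemon.json is already there (a log driver, a mirror, a storage setting), and `insecure-registries` turns off TLS verification for that address, which is acceptable only while the registry is LAN-internal, as it is at this point in the walkthrough. The helper below is an added example, not code from the original article or from Docker: it creates daemon.json when none exists, leaves it alone when the entry is already present, refuses to clobber a daemon.json that holds other settings, and wraps the same `/v2/_catalog` query used above. The registry address 192.168.1.182:5000 is the article's; the function names and the file-path argument are assumptions.

```shell
#!/bin/sh
# Added example (not from the original article): safely register an insecure
# registry address and query the registry API.
# Assumed: registry at 192.168.1.182:5000 (from the article); config path passed by caller.
set -eu

# ensure_insecure_registry <daemon.json path> <host:port>
# Returns 0 when the file contains the entry afterwards; returns 1 without touching
# the file when a daemon.json with other settings exists (merge it by hand instead).
ensure_insecure_registry() {
  cfg=$1
  reg=$2
  if [ ! -f "$cfg" ]; then
    mkdir -p "$(dirname "$cfg")"
    printf '{ "insecure-registries": ["%s"] }\n' "$reg" > "$cfg"
    return 0
  fi
  if grep -qF "\"$reg\"" "$cfg"; then
    return 0            # already configured, nothing to do
  fi
  echo "refusing to overwrite $cfg: add \"$reg\" to insecure-registries by hand" >&2
  return 1
}

# registry_catalog <host:port> [scheme]
# Prints the repository list from the Registry v2 API; plain http by default, as in
# the article's LAN setup. Requires network access, so it is not called below.
registry_catalog() {
  scheme=${2:-http}
  curl -fsS "$scheme://$1/v2/_catalog"
}

# Demo against a scratch directory so the script runs without touching /etc/docker.
demo_dir=$(mktemp -d)
ensure_insecure_registry "$demo_dir/daemon.json" 192.168.1.182:5000
cat "$demo_dir/daemon.json"
# A second call is a no-op because the entry is already present.
ensure_insecure_registry "$demo_dir/daemon.json" 192.168.1.182:5000
rm -rf "$demo_dir"
# Real use on a client:
#   ensure_insecure_registry /etc/docker/daemon.json 192.168.1.182:5000 && systemctl restart docker
#   registry_catalog 192.168.1.182:5000
```

Once the registry is moved behind TLS (next sections), the `insecure-registries` entry should be removed again, otherwise the client keeps accepting an unverified connection to that address.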

Creating a certificate

If the private registry is to be reachable from the public internet, anyone could access it, which is insecure, so login authentication is needed.
Running a domain registry using TLS:

// openssl must be installed
$ which openssl
// Create the certificate
$ openssl genrsa -out server.key 2048
$ openssl req -new -key server.key -out server.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:guangdong
Locality Name (eg, city) [Default City]:shenzhen
Organization Name (eg, company) [Default Company Ltd]:mobi
Organizational Unit Name (eg, section) []:soft
Common Name (eg, your name or your server's hostname) []:registrydomain.com
Email Address []:liangxxx@xxx.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
$ openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

Then install the certificate into the system trust store.

$ cp server.crt /etc/pki/ca-trust/source/anchors/
$ update-ca-trust enable
$ update-ca-trust extract

Then map the domain name in /etc/hosts and restart the Docker daemon.

$ vim /etc/hosts
192.168.1.182 registrydomain.com
$ systemctl restart docker

Then start the container with the certificate.

$ mkdir certs
$ cp server.crt certs/
$ cp server.key certs/
$ docker run -d -p 5000:5000 --name registry --restart=always \
    -v /data:/var/lib/registry \
    -v $PWD/certs:/certs \
    -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/server.crt \
    -e REGISTRY_HTTP_TLS_KEY=/certs/server.key \
    registry:2

On the other clients, install the certificate and configure the domain name the same way, restart the Docker daemon, and the registry is ready to use.
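The interactive `openssl req` session above yields a certificate whose only identity is the Common Name. TLS stacks built with Go 1.15 or later, which includes current Docker releases, no longer fall back to the Common Name and require a subjectAltName, so a CN-only certificate fails verification even after it has been installed as a trust anchor. The script below is an added example, not part of the original article: it produces the same kind of self-signed server certificate non-interactively with a SAN covering both the registry's hostname and its IP, keeps the key file readable by root only, wraps the CentOS 7 trust-anchor commands from the text, and gives a client a way to confirm the TLS setup against the certificate file alone before `systemctl restart docker`. The hostname registrydomain.com and IP 192.168.1.182 are the article's values; the function names and the output directory are assumptions.

```shell
#!/bin/sh
# Added example (not from the original article): self-signed registry certificate
# with a subjectAltName, plus client-side trust and verification helpers.
# Assumed: registrydomain.com / 192.168.1.182 from the article, output dir chosen by caller.
set -eu

# make_registry_cert <hostname> <ip> <outdir>
# Writes server.key and server.crt into <outdir>. The SAN lists both the DNS name
# and the IP so the registry validates under either form of its address.
make_registry_cert() {
  host=$1; ip=$2; outdir=$3
  mkdir -p "$outdir"
  cat > "$outdir/openssl.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_req
prompt = no
[dn]
CN = $host
[v3_req]
subjectAltName = DNS:$host, IP:$ip
extendedKeyUsage = serverAuth
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -keyout "$outdir/server.key" -out "$outdir/server.crt" \
    -config "$outdir/openssl.cnf" 2>/dev/null
  # only the registry process (root inside the container) needs the private key
  chmod 600 "$outdir/server.key"
}

# cert_has_san <crt> <hostname>: succeeds if the certificate carries DNS:<hostname>
cert_has_san() {
  openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"
}

# trust_cert <crt>: CentOS 7 trust-anchor installation, exactly the article's commands
trust_cert() {
  cp "$1" /etc/pki/ca-trust/source/anchors/
  update-ca-trust enable
  update-ca-trust extract
}

# check_registry_tls <host:port> <crt>: TLS check pinned to the certificate file rather
# than the system store, so a failed update-ca-trust step cannot mask a bad cert.
# A 401 still means the handshake succeeded (the registry only asks for credentials).
check_registry_tls() {
  code=$(curl -sS -o /dev/null -w '%{http_code}' --cacert "$2" "https://$1/v2/")
  [ "$code" = 200 ] || [ "$code" = 401 ]
}

if [ "${1:-}" = "--generate" ]; then
  make_registry_cert registrydomain.com 192.168.1.182 ./certs
  cert_has_san ./certs/server.crt registrydomain.com && echo "SAN present: DNS:registrydomain.com"
  # then, on the server: docker run ... -v $PWD/certs:/certs ... as in the article
  # on each client: trust_cert ./certs/server.crt; check_registry_tls registrydomain.com:5000 ./certs/server.crt
fi
```

Run it as `sh make_cert.sh --generate` to produce `certs/server.crt` and `certs/server.key` in the layout the `docker run` line above expects. Because the certificate is self-signed, every client still has to trust it explicitly (`trust_cert`), exactly as the article describes; the SAN only removes the Common Name fallback problem.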

Username and password authentication

// Username: hello, password: world
$ mkdir auth
$ sh -c "docker run --entrypoint htpasswd registry:2 -Bbn hello world > auth/htpasswd"
// The earlier container already uses the name "registry"; remove it before starting the new one
$ docker rm -f registry
$ docker run -d -p 5000:5000 --restart=always --name registry \
    -v `pwd`/auth:/auth \
    -e "REGISTRY_AUTH=htpasswd" \
    -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" \
    -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd \
    -v `pwd`/certs:/certs \
    -v /data:/var/lib/registry \
    -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/server.crt \
    -e REGISTRY_HTTP_TLS_KEY=/certs/server.key \
    registry:2
// Log in, entering the username and password hello:world when prompted
$ docker login registrydomain.com:5000
// Log out
$ docker logout registrydomain.com:5000

Logging in to the private registry from a client with a username and password

// server.crt is the certificate generated for the registry
$ cp server.crt /etc/pki/ca-trust/source/anchors/
$ update-ca-trust enable
$ update-ca-trust extract
// Then map the domain name in /etc/hosts and restart the Docker daemon
$ vim /etc/hosts
192.168.1.182 registrydomain.com
$ systemctl restart docker
// The registry listens on port 5000, so the port must be part of the login address
$ docker login registrydomain.com:5000 -u hello -p world

Managing the private registry through a web UI

// After a successful login, look up the BASIC_AUTH value
$ cat /root/.docker/config.json
// Start the UI
$ docker run -d -p 8080:8080 --name web --link registry \
    -e REGISTRY_URL=https://192.168.1.182:5000/v2 \
    -e REGISTRY_TRUST_ANY_SSL=true \
    -e REGISTRY_READONLY=false \
    -e REGISTRY_BASIC_AUTH="aGVsbG86d29ybGQ=" \
    -e REGISTRY_NAME=localhost:5000 hyper/docker-registry-web

Open it in a browser: http://192.168.1.182:8080/
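The `REGISTRY_BASIC_AUTH` value the UI needs is simply `user:password` base64-encoded, which is also exactly what `docker login` writes under `auths` in /root/.docker/config.json. Base64 is an encoding, not encryption, so that file (and a compose file that embeds the value) holds the password in recoverable form and should stay readable by root only. The helpers below are an added example, not part of the original article: they derive the value from a username and password, decode it back to show what it contains, query the authenticated registry API with credentials passed through stdin rather than on the command line (where `docker login -p` and `curl -u` leave them visible to `ps`), and log in with `docker login --password-stdin` (available since Docker 17.07). The credentials hello/world and the address registrydomain.com:5000 are the article's; the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the original article): Basic-auth token handling for the
# registry and the docker-registry-web UI.
# Assumed: user hello / password world and host registrydomain.com:5000 from the article.
set -eu

# registry_basic_auth <user> <password>: prints base64("user:password"), the value
# used for REGISTRY_BASIC_AUTH and stored by docker login in config.json
registry_basic_auth() {
  printf '%s:%s' "$1" "$2" | base64 | tr -d '\n'
}

# registry_basic_auth_decode <token>: recovers user:password from the token,
# which is why config.json and the compose file must be kept private
registry_basic_auth_decode() {
  printf '%s' "$1" | base64 -d
}

# registry_api <host:port> <path> <cafile>: authenticated GET against the v2 API.
# Reads "user:password" from stdin and hands it to curl as a config file on stdin
# (-K -), so the credential never appears in the process argument list.
# Requires network access, so it is only shown in comments below.
registry_api() {
  IFS= read -r cred
  printf 'user = "%s"\n' "$cred" | curl -fsS -K - --cacert "$3" "https://$1$2"
}

# registry_login <host:port> <user>: docker login with the password read from stdin
registry_login() {
  docker login "$1" -u "$2" --password-stdin
}

tok=$(registry_basic_auth hello world)
echo "REGISTRY_BASIC_AUTH=$tok"                       # aGVsbG86d29ybGQ=, the article's value
echo "decodes to: $(registry_basic_auth_decode "$tok")" # hello:world
# Real use:
#   printf '%s' world | registry_login registrydomain.com:5000 hello
#   printf 'hello:world\n' | registry_api registrydomain.com:5000 /v2/_catalog certs/server.crt
#   printf 'hello:world\n' | registry_api registrydomain.com:5000 /v2/ubuntu/tags/list certs/server.crt
```

`REGISTRY_TRUST_ANY_SSL=true` in the UI's environment makes the web container accept any server certificate; it is there because the self-signed server.crt is not in that container's trust store, and it means the UI-to-registry hop is not verified.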

Images can be deleted from the UI once the delete option is added to the configuration.

// Copy the configuration file out of the container
$ docker cp registry:/etc/docker/registry/config.yml config.yml
$ vim config.yml
storage:
  cache:
    blobdescriptor: inmemory
  filesystem:
    rootdirectory: /var/lib/registry
  delete:
    enabled: true
  .
  .
  .
// Start the registry with this configuration file
$ docker run -d -p 5000:5000 --restart=always --name registry \
    -v `pwd`/config.yml:/etc/docker/registry/config.yml \
    -v `pwd`/auth:/auth \
    -e "REGISTRY_AUTH=htpasswd" \
    -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" \
    -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd \
    -v `pwd`/certs:/certs \
    -v /data:/var/lib/registry \
    -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/server.crt \
    -e REGISTRY_HTTP_TLS_KEY=/certs/server.key \
    registry:2

Note: deleting is not recommended. Images are built from layers and several images may share the same layer, so a delete here does not physically remove the data.

Docker Compose

Installing docker-compose

$ curl -L https://github.com/docker/compose/releases/download/1.11.2/docker-compose-`uname -s`-`uname -m` > /usr/local/bin/docker-compose
$ chmod +x /usr/local/bin/docker-compose
$ docker-compose --version
// List containers
$ docker-compose ps
// version 1 is no longer supported; use version 2
// Below, docker-compose starts the private registry and the web UI as services
$ vim docker-compose.yml
version: '2'
services:
  registry:
    restart: always
    image: registry:2
    ports:
      - 5000:5000
    environment:
      REGISTRY_HTTP_TLS_CERTIFICATE: /certs/server.crt
      REGISTRY_HTTP_TLS_KEY: /certs/server.key
      REGISTRY_AUTH: htpasswd
      REGISTRY_AUTH_HTPASSWD_PATH: /auth/htpasswd
      REGISTRY_AUTH_HTPASSWD_REALM: Registry Realm
    volumes:
      - ./config.yml:/etc/docker/registry/config.yml
      - ./auth:/auth
      - ./certs:/certs
      - /data:/var/lib/registry
    networks:
      - registry-net
  web:
    restart: always
    image: hyper/docker-registry-web
    ports:
      - 8080:8080
    environment:
      REGISTRY_URL: https://registry:5000/v2
      REGISTRY_TRUST_ANY_SSL: "true"
      REGISTRY_READONLY: "false"
      REGISTRY_BASIC_AUTH: aGVsbG86d29ybGQ=
      REGISTRY_NAME: registry:5000
    networks:
      - registry-net
networks:
  registry-net:
// Start in the background
$ docker-compose up -d