Install docker-compose:
$ sudo curl -L "https://github.com/docker/compose/releases/download/1.27.4/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
$ sudo chmod +x /usr/local/bin/docker-compose
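An added example, not part of the original notes: before copying a downloaded docker-compose binary into /usr/local/bin, check it against the .sha256 file the release publishes next to the binary. The asset names and the final install step are assumptions about the release layout; the function only compares the hash, so the file name recorded inside the .sha256 file does not have to match the local file name.

```shell
#!/bin/sh
# Added example (not from the original notes): verify a release binary against
# its published .sha256 file before installing it.

# SHA-256 of a file, using whichever tool the host provides.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_release_checksum <binary> <sha256 file>
# The .sha256 file uses the coreutils layout "<hex digest>  <file name>".
# Returns 0 on a match, 1 on a mismatch or a malformed checksum file.
verify_release_checksum() {
    bin=$1
    sumfile=$2
    expected=$(head -n1 "$sumfile" | cut -d' ' -f1 | tr 'A-F' 'a-f')
    case $expected in
        ''|*[!0-9a-f]*) echo "malformed checksum file: $sumfile" >&2; return 1 ;;
    esac
    if [ "${#expected}" -ne 64 ]; then
        echo "malformed checksum file: $sumfile (digest is not 64 hex chars)" >&2
        return 1
    fi
    actual=$(sha256_of "$bin")
    if [ "$actual" = "$expected" ]; then
        echo "checksum OK: $bin"
        return 0
    fi
    echo "checksum MISMATCH for $bin: expected $expected, got $actual" >&2
    return 1
}

# Real-world usage (needs network, so it is only shown as comments; asset
# names are assumptions about the docker/compose release layout):
#   ver=1.27.4; name="docker-compose-$(uname -s)-$(uname -m)"
#   base="https://github.com/docker/compose/releases/download/$ver"
#   curl -fsSL "$base/$name" -o docker-compose
#   curl -fsSL "$base/$name.sha256" -o docker-compose.sha256
#   verify_release_checksum docker-compose docker-compose.sha256 \
#       && sudo install -m 0755 docker-compose /usr/local/bin/docker-compose

# Offline self-check with a constructed file whose SHA-256 is the well-known
# test vector for the string "abc".
tmp=$(mktemp -d)
printf 'abc' > "$tmp/blob"
printf 'ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad  docker-compose-Linux-x86_64\n' > "$tmp/blob.sha256"
verify_release_checksum "$tmp/blob" "$tmp/blob.sha256"
rm -rf "$tmp"
```

The check refuses to run against an empty or non-hex digest rather than silently comparing against garbage, which is the failure mode when a download of the .sha256 file itself returns an HTML error page.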
Install and configure Docker Registry
I originally thought this was a service I could bring up with a few commands to save some effort; after installing and starting it with Docker I ran into a few problems, so I am recording the details here.
To configure a private Docker Registry, follow these steps
Create the Registry directory
Create a new directory that will hold all the required configuration files
Use the following command to create a new project directory myregistry with two subdirectories, nginx and auth (no space after the comma, otherwise brace expansion does not happen and you get a directory literally named "{nginx")
$ mkdir -p myregistry/{nginx,auth}
Under the nginx directory create two subdirectories, conf.d and ssl
$ cd myregistry/
$ mkdir -p nginx/{conf.d,ssl}
Create the Docker Compose file and services
In the myregistry directory create a docker-compose.yml file
$ vi docker-compose.yml
Define the services in docker-compose.yml
version: "3.8"   # accepted by docker-compose 1.27.x; without it older releases parse the file as the v1 format and reject the top-level networks/volumes keys
services:
  # Registry
  registry:
    image: registry:2
    restart: always
    ports:
      - "19696:5000"
    environment:
      REGISTRY_AUTH: htpasswd
      REGISTRY_AUTH_HTPASSWD_REALM: Registry-Realm
      REGISTRY_AUTH_HTPASSWD_PATH: /auth/registry.passwd
      REGISTRY_STORAGE_FILESYSTEM_ROOTDIRECTORY: /data
    volumes:
      - myregistrydata:/data
      - ./auth:/auth
    networks:
      - mynet
  # Nginx service
  nginx:
    image: nginx:alpine
    container_name: nginx
    restart: unless-stopped
    tty: true
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - ./nginx/conf.d/:/etc/nginx/conf.d/
      - ./nginx/ssl/:/etc/nginx/ssl/
    networks:
      - mynet
# Docker networks
networks:
  mynet:
    driver: bridge
# Volumes
volumes:
  myregistrydata:
    driver: local
Save and close the file.
One thing to watch in this file: the registry service also publishes 19696:5000 on the host, so the registry is reachable directly on port 19696 over plain HTTP, bypassing the TLS termination in nginx. Basic auth is still enforced by the registry itself, but the credentials then travel in the clear. If you do not need host access, drop that ports entry (nginx reaches the registry over the mynet network as registry:5000); if you want it for local debugging, bind it to loopback as "127.0.0.1:19696:5000".
Set up nginx port forwarding
Create a virtual host configuration for the nginx service; go to the nginx/conf.d directory created in the step above
$ cd nginx/conf.d/
Create an nginx virtual host file
$ vi myregistry.conf
Add the following content
upstream docker-registry {
    server registry:5000;
}
server {
    listen 80;
    server_name abc.xyz.com;
    return 301 https://$server_name$request_uri;
}
server {
    listen 443 ssl http2;
    server_name abc.xyz.com;
    ssl_certificate /etc/nginx/ssl/certificate.crt;
    ssl_certificate_key /etc/nginx/ssl/private.key;
    # Log files for debugging
    error_log /var/log/nginx/error.log;
    access_log /var/log/nginx/access.log;
    location / {
        # Reject Docker 1.3 to 1.5 clients, which cannot talk to a v2 registry,
        # and pre-1.6 clients that ping with a bare "Go" user agent
        if ($http_user_agent ~ "^(docker\/1\.(3|4|5(?!\.[0-9]-dev))|Go ).*$" ) {
            return 404;
        }
        proxy_pass http://docker-registry;
        proxy_set_header Host $http_host;   # required for the docker client's sake
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_read_timeout 900;
    }
}
Replace the server_name parameter with your own domain and save the file.
Increase the nginx upload size
By default nginx limits a request body to 1 MB. Image layers are far larger than that, so the limit has to be raised in the nginx configuration, otherwise pushes fail with HTTP 413. In this example I create an extra nginx configuration file with a 2 GB limit (files in conf.d are included in the http context, so a bare directive is valid there). A single layer larger than 2 GB would still be rejected; client_max_body_size 0; disables the check entirely.
Go to the nginx configuration directory
$ cd myregistry/nginx/conf.d
$ vi additional.conf
Add the following line and save the file
client_max_body_size 2G;
Configure the SSL certificate and authentication
With the nginx configuration in place, we now need to set up the SSL certificate. You should have a valid SSL certificate file together with its private key. Copy the certificate and private key into the nginx/ssl directory; the file names must match the ssl_certificate and ssl_certificate_key paths in myregistry.conf:
$ cd myregistry/nginx/ssl
$ cp /your-ssl-certificate-path/certificate.crt .
$ cp /your-private-key-path/private.key .
If you do not have a purchased, valid SSL certificate, you can generate a self-signed one. Self-signed certificates are not recommended for production.
To generate a self-signed SSL certificate, run the following in the nginx/ssl directory so the output lands under the names the nginx configuration expects:
$ cd myregistry/nginx/ssl
$ openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout private.key -out certificate.crt
You will be asked for some details such as country code, domain name and e-mail; fill them in and continue. Keep in mind that a Docker client will refuse a self-signed certificate unless the certificate is installed on that client as /etc/docker/certs.d/abc.xyz.com/ca.crt, or the host is listed under insecure-registries (which turns off verification and falls back to plain HTTP; the certs.d approach keeps TLS intact).
Set up basic authentication
Go to the auth directory
$ cd auth
Run the following command to create the password file with the username linuxtechi (the file name must match REGISTRY_AUTH_HTPASSWD_PATH in docker-compose.yml, and -B is mandatory: registry:2 only accepts bcrypt entries, so MD5 or crypt hashes from an older htpasswd silently fail every login)
$ htpasswd -Bc registry.passwd linuxtechi
If the system reports htpasswd command not found, run the following in the terminal and try again
$ sudo apt install apache2-utils -y
Enter a strong password and type it again to confirm. To add further users later, run the same command without -c, since -c re-creates the file and discards the existing entries.
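An added check, not from the original notes: registry:2 accepts only bcrypt entries in the htpasswd file (the kind htpasswd -B writes); MD5 or SHA entries carried over from an older htpasswd file make every login fail with 401 while the file itself looks fine. The hashes in the sample file are constructed placeholders, not real credentials.

```shell
#!/bin/sh
# Added example (not from the original notes): find htpasswd entries that
# registry:2 will not accept before mounting the file into the container.

# check_htpasswd_bcrypt <file>
# Prints "user:reason" for every entry that is not bcrypt and returns 1 if
# any were found; returns 0 when every entry is bcrypt ($2a$, $2b$ or $2y$).
check_htpasswd_bcrypt() {
    file=$1
    bad=0
    # "|| [ -n "$line" ]" also handles a last line without a trailing newline.
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            ''|'#'*) continue ;;            # blank lines and comments
        esac
        user=${line%%:*}
        hash=${line#*:}
        case $hash in
            '$2a$'*|'$2b$'*|'$2y$'*) ;;     # bcrypt: accepted by registry:2
            '$apr1$'*) echo "$user:md5";  bad=1 ;;   # htpasswd -m (the default)
            '{SHA}'*)  echo "$user:sha1"; bad=1 ;;   # htpasswd -s
            *)         echo "$user:crypt-or-unknown"; bad=1 ;;
        esac
    done < "$file"
    return $bad
}

# Constructed sample file; the hash bodies are placeholders.
sample=$(mktemp)
cat > "$sample" <<'EOF'
linuxtechi:$2y$05$CONSTRUCTEDbcryptPLACEHOLDERxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
legacy:$apr1$saltsalt$CONSTRUCTEDmd5PLACEHOLDER
EOF
check_htpasswd_bcrypt "$sample" \
    || echo "re-create the users listed above with: htpasswd -B registry.passwd <user>"
rm -f "$sample"
```

Run it against auth/registry.passwd before docker-compose up; a non-zero exit means at least one user cannot log in regardless of the password they type.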
Run the Docker Registry
The installation is done; now bring the registry up with the docker-compose command
Go to the myregistry directory
$ cd myregistry
Run the following command to pull the images and start the containers in the background
$ docker-compose up -d
The Docker Registry is now running; verify with the following command
$ docker ps -a
Pull an image from Docker Hub into the private Registry
To store an image from Docker Hub in the private Registry, first pull it from Docker Hub with docker pull. In this example I pull the centos image.
$ docker pull centos
After the image has been pulled from Docker Hub, tag it for the private registry.
Tag syntax (an image reference is host/name; it never carries an http:// or https:// scheme):
$ docker image tag [image name] abc.xyz.com/[new-image-name]
For example:
$ docker image tag centos abc.xyz.com/linuxtechi-centos
Verify that the image is available locally
$ docker images
Push the image to the private registry
Now push the local image to the private registry. First log in to the private registry with the following command
$ docker login abc.xyz.com
Replace abc.xyz.com with your own registry host
You will be prompted for the username and password created with htpasswd above and get a "Login Succeeded" message
If you want a separate account for this, add it to the same file without -c (with -c the file is re-created and the linuxtechi user is lost):
$ htpasswd -B registry.passwd admin
Now push the image to the private registry with the following command
$ docker push abc.xyz.com/linuxtechi-centos
After the push completes, open the following URL in a browser; it asks for the same htpasswd credentials
https://abc.xyz.com/v2/_catalog
Pull an image from the private Registry
You have pushed a local docker image to the private docker registry; in the same way you can pull a docker image from the private registry to a local server.
Run the following command to log in to your private registry server
$ docker login abc.xyz.com
Run the following command to pull the image
$ docker pull abc.xyz.com/linuxtechi-centos
url: https://www.zhihu.com/question/586213880/answer/2928017179?utm_id=0
A few problems:
- "author 404" problem: docker login fails even though the account and password are correct,
htpasswd -Bc registry.passwd adminabc
After testing, the file turned out to be registry.passwd, not registry.password: the name has to match REGISTRY_AUTH_HTPASSWD_PATH in docker-compose.yml, and a file under any other name is simply not seen by the registry.
- 502 gateway error:
The test machine already had a locally installed nginx serving a business site on 443, and Docker brings up its own nginx on 443 as well. Starting nginx from Docker looked simpler, so I moved the local configuration under the path mounted into the container, but after startup the original site returned a 502 gateway error. Looking at the configuration, it had a forward like this:
location / {
    proxy_pass http://localhost:20048;
}
Inside the container, localhost is the container itself, so the backend on the host cannot be reached. To reach the original port 20048, change the forwarding address to the host's IP:
location / {
    proxy_pass http://192.168.2.96:20048;
}
That should work normally again. On Docker 20.10 and later you can avoid hard-coding the host IP by adding extra_hosts: ["host.docker.internal:host-gateway"] to the nginx service and proxying to http://host.docker.internal:20048.
3. cat /etc/docker/daemon.json
{
  "insecure-registries": ["abc.xyz.com"],
  "registry-mirrors": ["http://hub-mirror.c.163.com"],
  "debug": true,
  "iptables": false,
  "experimental": true
}
Two of these settings deserve a second look. "insecure-registries" turns off certificate verification for abc.xyz.com and lets the daemon fall back to plain HTTP, which is how the self-signed certificate above is being worked around; installing the certificate as /etc/docker/certs.d/abc.xyz.com/ca.crt on the client keeps TLS and makes this entry unnecessary. "iptables": false stops the daemon from writing the NAT rules that implement published ports, so the 80:80, 443:443 and 19696:5000 mappings in docker-compose.yml only work if those rules are added by hand; leave it at the default unless you manage the firewall yourself.
4. Move the Docker storage path; by default it is under /var/lib/docker.
Check the current path on this machine
sudo docker info | grep "Docker Root Dir"
WARNING: No swap limit support
WARNING: The devicemapper storage-driver is deprecated, and will be removed in a future release.
Refer to the documentation for more information: https://docs.docker.com/go/storage-driver/
WARNING: devicemapper: usage of loopback devices is strongly discouraged for production use.
Use --storage-opt dm.thinpooldev
to specify a custom block storage device.
Docker Root Dir: /var/lib/docker
Change the path
# stop docker
systemctl stop docker.socket
systemctl stop docker
# move all docker files
mv /var/lib/docker /data/docker
# create a symlink
ln -s /data/docker /var/lib/docker
# restart docker
systemctl restart docker
The supported alternative to the symlink is "data-root": "/data/docker" in /etc/docker/daemon.json (move the data with Docker stopped, then restart). Either way, confirm with docker info | grep "Docker Root Dir" afterwards. The devicemapper warnings above are also worth acting on: that driver is deprecated and its loopback mode is not meant for production; overlay2 is the default on current kernels.
docker logs --details <container ID>, quite handy.
2. Set up a Harbor private image registry
Install docker-compose
curl -L "https://github.com/docker/compose/releases/download/1.24.0/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
The download is slow; you can also copy the binary over from a machine that already has it (compare its checksum with the release's before trusting it).
chmod +x /usr/local/bin/docker-compose
[root@slave1 bin]# docker-compose --version
docker-compose version 1.24.0, build 0aa59064
Download the harbor tar package from https://github.com/goharbor/harbor/releases
[root@slave1 harbor]# ll
total 94912
drwxr-xr-x 3 root root       20 May  6 15:00 common
-rw-r--r-- 1 root root     3643 Apr  8 13:24 common.sh
-rw-r--r-- 1 root root     5845 May  6 15:02 docker-compose.yml
-rw-r--r-- 1 root root    13976 May  6 15:01 harbor.yml
-rw-r--r-- 1 root root    13972 Apr  8 13:24 harbor.yml.tmpl
-rwxr-xr-x 1 root root     1975 Apr  8 13:24 install.sh
-rw-r--r-- 1 root root    11347 Apr  8 13:24 LICENSE
-rw------- 1 root root 97124352 May  6 15:08 nginx1.7.81.zip
-rwxr-xr-x 1 root root     1882 Apr  8 13:24 prepare
Edit the yml file: cp harbor.yml.tmpl harbor.yml && vim harbor.yml
The test machine does not use port 443 or a certificate. Installing a self-signed certificate works the same way as above; a self-signed certificate is not validated by any trusted certificate authority, so browsers show a security warning. For production, a certificate issued by a trusted CA is strongly recommended so that visitors get real security and trust. Note that with plain HTTP every docker login to Harbor sends the admin password in the clear, and Harbor's own prepare step warns that http is deprecated.
Run ./prepare and ./install.sh
prepare base dir is set to /home/tools/harbor/harbor
WARNING:root:WARNING: HTTP protocol is insecure. Harbor will deprecate http protocol in the future. Please make sure to upgrade to https
Generated configuration file: /config/portal/nginx.conf
Generated configuration file: /config/log/logrotate.conf
Generated configuration file: /config/log/rsyslog_docker.conf
Generated configuration file: /config/nginx/nginx.conf
Generated configuration file: /config/core/env
Generated configuration file: /config/core/app.conf
Generated configuration file: /config/registry/config.yml
Generated configuration file: /config/registryctl/env
Generated configuration file: /config/registryctl/config.yml
Generated configuration file: /config/db/env
Generated configuration file: /config/jobservice/env
Generated configuration file: /config/jobservice/config.yml
Generated and saved secret to file: /data/secret/keys/secretkey
Successfully called func: create_root_cert
Generated configuration file: /compose_location/docker-compose.yml
Clean up the input dir
Afterwards, start and stop with docker-compose start/stop directly (run from the harbor directory where the generated docker-compose.yml lives).
Pack a docker image:
docker save -o nginx1.7.8.zip nginx:1.7.8
(docker save writes a tar archive whatever the extension; the .zip name is only a name.)
Restore a docker image:
docker load -i nginx1.7.8.zip
List images:
docker images | grep 1.7.8
nginx 1.7.8 a343d51dff65 9 years ago 91.7MB
A nine-year-old nginx build is fine as a push/pull test artifact, but not something to actually run.
[root@slave1 harbor]# docker login 192.168.2.102:8888
Username: admin
Password:
Error response from daemon: Get https://192.168.2.102:8888/v2/: http: server gave HTTP response to HTTPS client
vim /etc/docker/daemon.json
Add:
"insecure-registries": [
  "192.168.2.102:8888", "harbor"
]
Note: the insecure-registries entry means that access to Harbor on the internal network goes over plain HTTP; the address is the IP of the machine Harbor is installed on. The daemon reads daemon.json only at startup, so run systemctl restart docker before logging in again. The entry also disables TLS verification for that host, so keep it to the lab network; once Harbor has a certificate, remove it (or install the CA on each client as /etc/docker/certs.d/192.168.2.102:8888/ca.crt).
docker login 192.168.2.102:8888
Username: admin
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
The warning is worth acting on: without a credential helper (docker-credential-pass or docker-credential-secretservice on Linux) the Harbor admin password sits base64-encoded in /root/.docker/config.json, readable by anything that runs as root on that machine.
Things to watch when pushing to the image registry:
docker image tag nginx:1.7.8 192.168.2.102:8888/nginx:1.7.8
[root@slave1 harbor]# docker push 192.168.2.102:8888/nginx:1.7.8
The push refers to repository [192.168.2.102:8888/nginx]
5f70bf18a086: Retrying in 17 seconds
242390e67cbf: Retrying in 17 seconds
fc521005216a: Retrying in 17 seconds
6f0124c2157c: Retrying in 17 seconds
5a29dcc5d0b4: Retrying in 17 seconds
6607e4d8ecb7: Waiting
8b116ab6d885: Waiting
It would not push at all; later I learned the reason:
Before pushing, pay attention to the first column (REPOSITORY). Its full format is
registry.stnrs.com/library/hello-world:latest
i.e. <registry host> / <project name> / <image name> : <tag>
If an image only lives in local storage, REPOSITORY can be anything, but to push it to an image registry it must carry the registry address, and for Harbor also the project the image belongs to.
So first re-tag the REPOSITORY; this only gives the source image a second name that points at the target:
docker image tag nginx:1.7.8 192.168.2.102:8888/library/nginx-1.7.8
[root@slave1 harbor]# docker push 192.168.2.102:8888/library/nginx-1.7.8
Using default tag: latest
The push refers to repository [192.168.2.102:8888/library/nginx-1.7.8]
5f70bf18a086: Pushed
242390e67cbf: Pushed
fc521005216a: Pushed
6f0124c2157c: Pushed
5a29dcc5d0b4: Pushed
6607e4d8ecb7: Pushed
8b116ab6d885: Pushed
latest: digest: sha256:5e3e9ea21051fcb23c6ede0b2c59b950bea07701db6360cff5e556636d3d48f2 size: 3012
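An added example, not from the original notes or from Harbor's own code: split an image reference into the parts Harbor expects, <registry host[:port]>/<project>/<repository>[:tag], and flag the shape that kept retrying above (a reference with a host but no project). A plain registry:2 such as abc.xyz.com/linuxtechi-centos does not need the project component; the check is about Harbor. The references in the demo are the ones from these notes.

```shell
#!/bin/sh
# Added example (not from the original notes): classify an image reference
# before docker push so a missing Harbor project is caught up front.
# Exit codes: 0 = registry host and project present,
#             1 = registry host but no project (Harbor has nowhere to put it),
#             2 = no registry host at all (the push would go to Docker Hub).
harbor_ref_check() {
    ref=$1
    case $ref in
        */*) ;;
        *) echo "no registry host in '$ref': this would go to Docker Hub"; return 2 ;;
    esac
    registry=${ref%%/*}
    rest=${ref#*/}
    # Docker only treats the first component as a registry host when it
    # contains a dot or a port, or is "localhost"; anything else is a Hub namespace.
    case $registry in
        *.*|*:*|localhost) ;;
        *) echo "no registry host in '$ref': '$registry' is a Docker Hub namespace"; return 2 ;;
    esac
    # The tag sits after the last ':' of the remainder (the host's port has
    # already been split off); a digest sits after '@'.
    case $rest in
        *@sha256:*) path=${rest%%@*}; tag=${rest#*@} ;;
        *:*)        path=${rest%:*};  tag=${rest##*:} ;;
        *)          path=$rest;       tag=latest ;;
    esac
    case $path in
        */*)
            project=${path%%/*}
            repo=${path#*/}
            echo "registry=$registry project=$project repo=$repo tag=$tag"
            return 0 ;;
        *)
            echo "registry=$registry repo=$path tag=$tag: no project; re-tag as $registry/<project>/$path:$tag"
            return 1 ;;
    esac
}

# References taken from these notes; the third one is the push that kept retrying.
for ref in 192.168.2.102:8888/library/nginx-1.7.8 \
           192.168.2.102:8888/prod/centos7 \
           192.168.2.102:8888/nginx:1.7.8 \
           nginx:1.7.8; do
    harbor_ref_check "$ref" || :
done
```

Wire it into a push wrapper as `harbor_ref_check "$img" && docker push "$img"` and a mistagged image is rejected locally instead of sitting in "Retrying in 17 seconds".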
You can of course create a new project prod and push images into it like this:
docker tag centos:7 192.168.2.102:8888/prod/centos7
[root@192.168.2.101 /home/tools/test]$docker push 192.168.2.102:8888/prod/centos7
The push refers to repository [192.168.2.102:8888/prod/centos7]
174f56854903: Pushed
latest: digest: sha256:dead07b4d8ed7e29e98de0f4504d87e8880d4347859d839686a31da35a3b532f size: 529
Pull the image from 192.168.2.102:8888:
[root@slave1 harbor]# docker pull 192.168.2.102:8888/prod/centos7
Using default tag: latest
latest: Pulling from prod/centos7
2d473b07cdd5: Pull complete
Digest: sha256:dead07b4d8ed7e29e98de0f4504d87e8880d4347859d839686a31da35a3b532f
Status: Downloaded newer image for 192.168.2.102:8888/prod/centos7:latest
192.168.2.102:8888/prod/centos7:latest
[root@slave1 harbor]# docker images|grep centos
192.168.2.102:8888/prod/centos7 latest eeb6ee3f44bd 2 years ago 204MB
With that, the private image registry setup and test is complete. That said, a registry offered by a cloud vendor fits more conveniently with their container service and Kubernetes offerings; choose according to the project.