有时候使用Docker Hub这样的公共仓库可能不方便(有时候无法访问),用户可以创建一个本地仓库供私人使用,这里介绍如何配置使用本地仓库。网络上配置docker私有仓库的方法不少,有借助Docker Hub的,也有直接使用别人创建好的私有仓库的,这里简单介绍使用官方提供的工具docker-registry来配置私有库
服务器:centos7.x x86_64 IP:10.0.90.25 docker版本:Docker version 1.12.0, build 8eab29e
1、使用官方提供的工具来配置
docker-registry 是官方提供的工具,可以用于构建私有的镜像仓库。
首先查看原有的镜像
#docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
web new dcca36f7ba99 7 days ago 269.2 MB
testweb new 890b0964f807 7 days ago 194.6 MB
centos centos6 a3c09d36ab4a 3 weeks ago 194.6 MB
centos latest 970633036444 3 weeks ago 196.7 MB 2、然后获取官方 registry 镜像
#docker pull registry
Using default tag: latest
latest: Pulling from library/registry
e110a4a17941: Pull complete
2ee5ed28ffa7: Pull complete
d1562c23a8aa: Pull complete
06ba8e23299f: Pull complete
802d2a9c64e8: Pull complete
Digest: sha256:1b68f0d54837c356e353efb04472bc0c9a60ae1c8178c9ce076b01d2930bcc5d
Status: Downloaded newer image for registry:latest
查看是否pull成功
# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
web new dcca36f7ba99 7 days ago 269.2 MB
testweb new 890b0964f807 7 days ago 194.6 MB
centos centos6 a3c09d36ab4a 3 weeks ago 194.6 MB
centos latest 970633036444 3 weeks ago 196.7 MB
registry latest c6c14b3960bd 3 weeks ago 33.28 MB #表示已经成功了 3、基于私有仓库镜像运行容器
#docker run -d -p 5000:5000 -v /opt/data/registry:/tmp/registry registry
a08a501701eba97c8f56fbc9b63e6f356dec1283b6c07f0f931639b4514b3838
查看运行的容器
#docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
0d79735868cd centos "/bin/bash" Less than a second ago Exited (137) Less than a second ago centos7
43b66a52f166 centos:centos6 "/bin/bash" Less than a second ago Exited (137) Less than a second ago server1
a08a501701eb registry "/entrypoint.sh /etc/" 3 seconds ago Up 3 seconds 0.0.0.0:5000->5000/tcp high_bardeen #已经运行了 PS:这里说明一下,默认情况下,仓库会被创建在容器的/tmp/registry目录下,但是可以通过-v参数来将镜像文件存放在本地的指定路径。
例如上面的例子是将上传的镜像放到/opt/data/registry 目录
#docker run -d -p 5000:5000 -v /opt/data/registry:/tmp/registry registry
访问私有仓库:
#curl 127.0.0.1:5000/v1/search #不知道什么原因,我测试的时候使用curl提示404
404 page not found
#curl 127.0.0.1:5000/v1/search #网上有一个例子,提示如下信息;
{"num_results": 0, "query": "", "results": []} //私有仓库为空,没有提交新镜像到仓库中 4、创建镜像链接或为基础镜像打个标签
#docker tag registry 127.0.0.1:5000/ssh #这里选择为registry镜像打标签
[root@docker ~]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
web new dcca36f7ba99 7 days ago 269.2 MB
testweb new 890b0964f807 7 days ago 194.6 MB
centos centos6 a3c09d36ab4a 3 weeks ago 194.6 MB
centos latest 970633036444 3 weeks ago 196.7 MB
127.0.0.1:5000/ssh latest c6c14b3960bd 3 weeks ago 33.28 MB
registry latest c6c14b3960bd 3 weeks ago 33.28 MB 5、提交镜像到本地私有仓库中
#docker push 127.0.0.1:5000/ssh
The push refers to a repository [127.0.0.1:5000/ssh]
3bb5bc5ad373: Pushed
35039a507f7a: Pushed
d00444e19d65: Pushed
aa3a31ee27f3: Pushed
4fe15f8d0ae6: Pushed
latest: digest: sha256:51d8869caea35f58dd6a2309423ec5382f19c4e649b5d2c0e3898493f42289d6 size: 1363
注意:没报错,应该push成功了!查看私有仓库是否存在对应的镜像,依然提示404
#curl 127.0.0.1:5000/v1/search
404 page not found 二、测试私有库是否可用
说明:centos6.x x86_64 IP:10.0.90.26 docker 版本:Docker version 1.7.1, build 786b29d/1.7.1
1、在另外一台centos6.x系统测试pull功能,如下:
#docker pull 10.0.90.25:5000/ssh
Error response from daemon: invalid registry endpoint https://10.0.90.25:5000/v0/: unable to ping registry endpoint https://10.0.90.25:5000/v0/
v2 ping attempt failed with error: Get https://10.0.90.25:5000/v2/: tls: oversized record received with length 20527
v1 ping attempt failed with error: Get https://10.0.90.25:5000/v1/_ping: tls: oversized record received with length 20527. If this private registry supports only HTTP or HTTPS with an unknown CA certificate, please add `--insecure-registry 10.0.90.25:5000` to the daemon's arguments. In the case of HTTPS, if you have access to the registry's CA certificate, no need for the flag; simply place the CA certificate at /etc/docker/certs.d/10.0.90.25:5000/ca.crt
报错了,根据提示需要创建证书或者添加--insecure-registry 10.0.90.25:5000作为docker启动参数,先测试更换启动参数,看是否可以解决问题,先kill掉docker进程,再添加参数启动,如下
#/usr/bin/docker -d --insecure-registry 10.0.90.25:5000 &
# ps aux | grep docker
root 1980 0.1 1.5 583928 16184 pts/0 Sl 17:16 0:02 /usr/bin/docker -d --insecure-registry 10.0.90.25:5000
已经启动了,继续pull私有仓库的镜像到本地
#docker pull 10.0.90.25:5000/ssh
INFO[0006] POST /v1.19/images/create?fromImage=10.0.90.25%3A5000%2Fssh%3Alatest
latest: Pulling from 10.0.90.25:5000/ssh
9b7301678506: Pull complete
d912f6ed534e: Pull complete
664daba008e5: Pull complete
33e9a84661e7: Pull complete
5366f93a80af: Pull complete
8d1f9ff6843f: Pull complete
79a50c6b6f41: Pull complete
94c689ffd50b: Pull complete
ad8da6d14f6d: Pull complete
Digest: sha256:a80c28adf17579da93b681893f663bf7625e0012c53c304294f1c328a0d27d9b
Status: Downloaded newer image for 10.0.90.25:5000/ssh:latest
查看
#docker images
INFO[2107] GET /v1.19/images/json
REPOSITORY TAG IMAGE ID CREATED VIRTUAL SIZE
centos centos6 429d551fa7ee Less than a second ago 194.6 MB
centos latest b62568c09fa0 Less than a second ago 196.7 MB
10.0.90.25:5000/ssh latest ad8da6d14f6d Less than a second ago 33.28 MB
可以看到pull成功了。 2、测试push一个centos镜像并在centos6.x测试pull
先在centos7.x操作,上传一个centos6镜像到私有库中:
#docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
web new dcca36f7ba99 7 days ago 269.2 MB
testweb new 890b0964f807 7 days ago 194.6 MB
centos centos6 a3c09d36ab4a 3 weeks ago 194.6 MB
centos latest 970633036444 3 weeks ago 196.7 MB
127.0.0.1:5000/ssh latest c6c14b3960bd 3 weeks ago 33.28 MB
registry latest c6c14b3960bd 3 weeks ago 33.28 MB
[root@docker ~]# docker tag centos:centos6 127.0.0.1:5000/centos6 #标记centos6镜像为127.0.0.1:5000/centos6
[root@docker ~]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
web new dcca36f7ba99 7 days ago 269.2 MB
testweb new 890b0964f807 7 days ago 194.6 MB
127.0.0.1:5000/centos6 latest a3c09d36ab4a 3 weeks ago 194.6 MB
centos centos6 a3c09d36ab4a 3 weeks ago 194.6 MB
centos latest 970633036444 3 weeks ago 196.7 MB
127.0.0.1:5000/ssh latest c6c14b3960bd 3 weeks ago 33.28 MB
registry latest c6c14b3960bd 3 weeks ago 33.28 MB
上传到私有库
[root@docker ~]# docker push 127.0.0.1:5000/centos6 #会看到push的进度
The push refers to a repository [127.0.0.1:5000/centos6]
6b5c6954e3d5: Pushing [==========================> ] 102.6 MB/194.6 MB
push完成之后,显示如下信息
[root@docker ~]# docker push 127.0.0.1:5000/centos6
The push refers to a repository [127.0.0.1:5000/centos6]
6b5c6954e3d5: Pushed
latest: digest: sha256:f7378a219c2a1d189e2e6a9bedc1b05ed3bb60de32ad24a9ad8e8ef8152c52c4 size: 529 然后到centos6.x去pull这个centos6镜像:
#docker pull 10.0.90.25:5000/centos6 #pull进度可以看到
INFO[2640] POST /v1.19/images/create?fromImage=10.0.90.25%3A5000%2Fcentos6%3Alatest
latest: Pulling from 10.0.90.25:5000/centos6
3690474eb5b4: Pull complete
c12ea02d7eb2: Extracting [===================================> ] 48.46 MB/68.76 MB
334af8693ca8: Download complete
273a1eca2d3a: Download complete
成功之后,显示如下:
#docker pull 10.0.90.25:5000/centos6
INFO[2640] POST /v1.19/images/create?fromImage=10.0.90.25%3A5000%2Fcentos6%3Alatest
latest: Pulling from 10.0.90.25:5000/centos6
3690474eb5b4: Pull complete
c12ea02d7eb2: Pull complete
334af8693ca8: Pull complete
273a1eca2d3a: Pull complete
Digest: sha256:3e4b73f8e13d8527f06cfd34d6c2cfdd16cce76ee7215a29379ae82015b312c9
Status: Downloaded newer image for 10.0.90.25:5000/centos6:latest
查看新pull的centos6镜像
# docker images
INFO[2650] GET /v1.19/images/json
REPOSITORY TAG IMAGE ID CREATED VIRTUAL SIZE
10.0.90.25:5000/centos6 latest 273a1eca2d3a Less than a second ago 194.6 MB
centos centos6 429d551fa7ee Less than a second ago 194.6 MB
centos latest b62568c09fa0 Less than a second ago 196.7 MB
10.0.90.25:5000/ssh latest ad8da6d14f6d Less than a second ago 33.28 MB
如上信息,可以看到centos6已经在镜像列表中了!
使用该镜像创建一个容器,进行测试
#docker run -d -it --privileged=false -p 80:80 --name webserver 10.0.90.25:5000/centos6 /bin/bash
INFO[2804] POST /v1.19/containers/create?name=webserver
63e4642a253a592bcf0eb3a9dd12a6363eb7c018b00eced66b9d20c1f4ca0898
INFO[2804] POST /v1.19/containers/63e4642a253a592bcf0eb3a9dd12a6363eb7c018b00eced66b9d20c1f4ca0898/start
[root@test ~]# docker ps -a
INFO[2810] GET /v1.19/containers/json?all=1
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
63e4642a253a 10.0.90.25:5000/centos6 "/bin/bash" 6 seconds ago Up 5 seconds 0.0.0.0:80->80/tcp webserver
进入该容器
# docker attach 63e4642a253a
INFO[2838] GET /v1.19/containers/63e4642a253a/json
INFO[2838] POST /v1.19/containers/63e4642a253a/resize?h=68&w=207
INFO[2838] POST /v1.19/containers/63e4642a253a/attach?stderr=1&stdin=1&stdout=1&stream=1
[root@63e4642a253a /]#
安装httpd并启动
[root@63e4642a253a /]# yum install httpd -y
[root@63e4642a253a ~]# service httpd start
Starting httpd: httpd: Could not reliably determine the server's fully qualified domain name, using 172.17.0.1 for ServerName
[ OK ]
[root@63e4642a253a ~]# netstat -tunlp #端口已经启动
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 :::80 :::* LISTEN 119/httpd 三、关于tls证书在centos6.x和centos7.x报错的一些解决方法
PS:配置docker私有仓库,在pull私有仓库时会遇到tls相关的问题,报错信息类似:
Error response from daemon: invalid registry endpoint https://10.0.90.25:5000/v0/: unable to ping registry endpoint https://10.0.90.25:5000/v0/
v2 ping attempt failed with error: Get https://10.0.90.25:5000/v2/: tls: oversized record received with length 20527
v1 ping attempt failed with error: Get https://10.0.90.25:5000/v1/_ping: tls: oversized record received with length 20527. If this private registry supports only HTTP or HTTPS with an unknown CA certificate, please add `--insecure-registry 10.0.90.25:5000` to the daemon's arguments. In the case of HTTPS, if you have access to the registry's CA certificate, no need for the flag; simply place the CA certificate at /etc/docker/certs.d/10.0.90.25:5000/ca.crt 根据提示信息可以大致了解到是和证书有关系,解决方式也给到了,要么添加额外参数直接信任,要么直接通过其他反方(比如openssl)生成证书,这里介绍添加参数来解决这个报错。
1、在centos6.x系统
第一种方式:
在centos6.x系统上安装的docker-io是会在/etc/init.d/下生成启动脚本文件docker的,修改这个文件,如下:
#vi /etc/init.d/docker #找到如下行;
prog="docker"
exec="/usr/bin/$prog"
将其修改为如下
prog="docker"
exec="/usr/bin/$prog --insecure-registry 10.0.90.25:5000" #相当于在-d参数后面添加--insecure-registry参数
保存退出,重新启动docker,如下:
# service docker restart
Stopping docker: [ OK ]
/etc/init.d/docker: line 43: [: too many arguments #会提示这个,忽略
Starting docker: [ OK ]
[root@test ~]# ps aux | grep docker
root 3240 2.2 1.1 222248 12184 pts/0 Sl 22:19 0:00 /usr/bin/docker --insecure-registry 10.0.90.25:5000 -d
root 3295 0.0 0.0 103244 860 pts/0 R+ 22:19 0:00 grep docker
然后再使用pull的时候,就不会报错了! 第二种方式:
在centos6.x系统上安装的docker,会在/etc/sysconfig/目录下生成docker文件,在其中修改other_args参数就可以(原本是空的other_args=),如下:
#vi /etc/sysconfig/docker #将other_args修改为这样:
other_args="--insecure-registry 10.0.90.25:5000"
然后重启docker
#service docker restart
Stopping docker: [ OK ]
Starting docker: [ OK ]
查看进程
# ps aux | grep docker
root 3588 0.5 2.0 387316 20532 pts/0 Sl 22:29 0:02 /usr/bin/docker -d --insecure-registry 10.0.90.25:5000
root 3932 0.0 0.0 103244 864 pts/0 S+ 22:36 0:00 grep docker PS:自己创建的私有库,如果只供自己使用的话,使用这2种方式是可行的,如果是要让公网的其他人也使用,就需要tls(配置证书)认证了!
2、在centos7.x系统
如果没有配置证书信任,执行pull私有库的时候,也会出现和centos6.x系统上一样的错误。虽然不像centos6.x系统可以修改/etc/sysconfig/docker来添加docker启动参数,但是也是有文件可以修改的
#cat /usr/lib/systemd/system/docker.service
[Unit]
Description=Docker Application Container Engine
Documentation=https://docs.docker.com
After=network.target
[Service]
Type=notify
# the default is not to use systemd for cgroups because the delegate issues still
# exists and systemd currently does not support the cgroup feature set required
# for containers run by docker
ExecStart=/usr/bin/dockerd
ExecReload=/bin/kill -s HUP $MAINPID
# Having non-zero Limit*s causes performance problems due to accounting overhead
# in the kernel. We recommend using cgroups to do container-local accounting.
LimitNOFILE=infinity
LimitNPROC=infinity
LimitCORE=infinity
# Uncomment TasksMax if your systemd version supports it.
# Only systemd 226 and above support this version.
#TasksMax=infinity
TimeoutStartSec=0
# set delegate yes so that systemd does not reset the cgroups of docker containers
Delegate=yes
# kill only the docker process, not all processes in the cgroup
KillMode=process
[Install]
WantedBy=multi-user.target
修改文件中的ExecStart=/usr/bin/dockerd,修改为:
ExecStart=/usr/bin/dockerd --insecure-registry x.x.x.x:5000
然后重启docker,查看进程
# ps aux | grep docker
root 15431 6.8 0.6 514268 25448 ? Ssl 16:42 0:00 /usr/bin/dockerd --insecure-registry x.x.x.x:5000 #这里的x.x.x.x是私有库的ip地址
root 15438 0.8 0.1 144220 5916 ? Ssl 16:42 0:00 docker-containerd -l unix:///var/run/docker/libcontainerd/docker-containerd.sock --shim docker-containerd-shim --metrics-interval=0 --start-timeout 2m --state-dir /var/run/docker/libcontainerd/containerd --runtime docker-runc
root 15543 0.0 0.0 112652 976 pts/0 S+ 16:42 0:00 grep --color=auto docker 这样再次在centos7.x上pull私有库的时候,就不会报tls(证书)相关的错误了。
QQ群⑧:
窥视卡
雷达卡
发表于 2018-5-29 07:53:34
提升卡
置顶卡
沉默卡
喧嚣卡
变色卡
千斤顶
显身卡