Contents
Install and run docker registry
Upload, search and download images in a private registry
Configure a non-HTTPS registry address
Ubuntu 16.04+, Debian 8+, CentOS 7
3. Advanced configuration of a private registry
Generate the HTTP authentication file
Test the private registry
4. Nexus 3.x private registry
Docker host accesses the image registry
A repository is a place where images are stored centrally.
A related concept that is easy to confuse with it is the registry. The registry is the server that hosts repositories: one registry can hold many repositories, and each repository holds many images (distinguished by tag). In that sense a repository can be thought of as a project or a directory. For example, in the repository address docker.io/ubuntu, docker.io is the registry address and ubuntu is the repository name.
1.Docker Hub
At present Docker officially maintains a public registry, Docker Hub, which already holds more than 2,650,000 images. Most needs can be met by pulling images directly from Docker Hub.
Register
You can register a Docker account for free at https://hub.docker.com.
Sign in
You can log in to Docker Hub from the command line with docker login, entering your username and password interactively, and log out with docker logout. Note that docker login stores the credentials base64-encoded (not encrypted) in ~/.docker/config.json unless a credential helper is configured, so treat that file as a secret.
Pull image
You can find images in the official registry with docker search and download them locally with docker pull.
For example, search with centos as the keyword:
$ docker search centos
NAME                     DESCRIPTION                                      STARS   OFFICIAL   AUTOMATED
centos                   The official build of CentOS.                    6449    [OK]
ansible/centos7-ansible  Ansible on Centos7                               132                [OK]
consol/centos-xfce-vnc   Centos container with "headless" VNC session...  126                [OK]
jdeathe/centos-ssh       OpenSSH / Supervisor / EPEL/IUS/SCL Repos - ...  117                [OK]
centos/systemd           systemd enabled base container.                  96                 [OK]
Many images matching the keyword are returned, showing the image name, a description, the number of stars, whether the image is OFFICIAL and whether it is AUTOMATED (built automatically from a repository).
Images fall into two categories depending on whether they are officially provided.
One kind is an image like centos, called a base image or root image. These base images are created, verified, supported and provided by Docker Inc and usually have a single word as their name.
The other kind, such as the ansible/centos7-ansible image above, is created and maintained by a registered Docker Hub user and carries the username as a prefix. You can select a specific user's image with the username/ prefix, for example ansible/. Since anyone can publish under their own prefix, check the publisher before pulling such an image.
When searching you can also restrict the results to images with at least N stars with the --filter=stars=N parameter.
Download the official centos image to the local machine. The Digest line in the output is the content hash of the image; pulling centos@sha256:<digest> instead of a tag pins exactly that content, whereas a tag such as latest can be repointed at any time.
$ docker pull centos
Using default tag: latest
latest: Pulling from library/centos
7a0437f04f83: Pull complete
Digest: sha256:5528e8b1b1719d34604c87e11dcd1c0a20bedf46e83b5632cdeac91b8c04efc1
Status: Downloaded newer image for centos:latest
docker.io/library/centos:latest
Push image
After logging in, users can push their own images to Docker Hub with docker push.
In the commands below, replace username with your Docker account username.
$ docker tag ubuntu:18.04 username/ubuntu:18.04

$ docker image ls
REPOSITORY        TAG     IMAGE ID       CREATED      SIZE
ubuntu            18.04   275d79972a86   6 days ago   94.6MB
username/ubuntu   18.04   275d79972a86   6 days ago   94.6MB

$ docker push username/ubuntu:18.04

$ docker search username
NAME              DESCRIPTION   STARS   OFFICIAL   AUTOMATED
username/ubuntu
2. Private warehouse
Sometimes using a public registry such as Docker Hub is inconvenient, for example for internal images that must not leave the organisation. Users can instead run a local registry for private use.
docker-registry is the official tool for building a private image registry. This article is based on docker-registry v2.x.
Install and run docker registry
You can run using the official registry image.
$ docker run -d -p 5000:5000 --restart=always --name registry registry
This starts the private registry from the official registry image. By default the registry keeps its data under /var/lib/registry inside the container; with the -v parameter you can store the image files on a host path of your choice instead. The example below puts uploaded images in the local /opt/data/registry directory.
Be aware that -p 5000:5000 publishes the registry on every interface of the host with no authentication and no TLS, so anyone who can reach the port can push and pull images. While testing, bind it to the loopback address only (-p 127.0.0.1:5000:5000), and add the authentication and TLS from section 3 before exposing it to a network.
$ docker run -d \
    -p 5000:5000 \
    -v /opt/data/registry:/var/lib/registry \
    registry
Upload, search and download images in private warehouses
After creating the private registry, use docker tag to mark an image and then push it to the registry. In the example the private registry address is 127.0.0.1:5000.
First view the existing image on the local machine.
$ docker image ls
REPOSITORY   TAG      IMAGE ID       CREATED       VIRTUAL SIZE
ubuntu       latest   ba5877dc9bec   6 weeks ago   192.7 MB
Use docker tag to mark the ubuntu:latest image as 127.0.0.1:5000/ubuntu:latest.
The format is docker tag IMAGE[:TAG] [REGISTRY_HOST[:REGISTRY_PORT]/]REPOSITORY[:TAG]. The registry host is part of the image name: that is how Docker decides where docker push sends it.
$ docker tag ubuntu:latest 127.0.0.1:5000/ubuntu:latest
$ docker image ls
REPOSITORY              TAG      IMAGE ID       CREATED       VIRTUAL SIZE
ubuntu                  latest   ba5877dc9bec   6 weeks ago   192.7 MB
127.0.0.1:5000/ubuntu   latest   ba5877dc9bec   6 weeks ago   192.7 MB
Upload the tagged image with docker push.
$ docker push 127.0.0.1:5000/ubuntu:latest
The push refers to repository [127.0.0.1:5000/ubuntu]
373a30c24545: Pushed
a9148f5200b0: Pushed
cdd3de0940ab: Pushed
fc56279bbb33: Pushed
b38367233d37: Pushed
2aebd096e0e2: Pushed
latest: digest: sha256:fe4277621f10b5026266932ddf760f5a756d2facd505a94d2da12f4f52f71f5a size: 1568
Use curl to list the repositories in the registry through the v2 API.
$ curl 127.0.0.1:5000/v2/_catalog
{"repositories":["ubuntu"]}
The response {"repositories":["ubuntu"]} shows that the image was uploaded successfully. (Note that this listing works without any credentials: an unauthenticated registry exposes its whole catalog to anyone who can reach it.)
Delete the local copy first, then try to pull the image from the private registry.
$ docker image rm 127.0.0.1:5000/ubuntu:latest
$ docker pull 127.0.0.1:5000/ubuntu:latest
Pulling repository 127.0.0.1:5000/ubuntu:latest
ba5877dc9bec: Download complete
511136ea3c5a: Download complete
9bad880da3d2: Download complete
25f11f5fb0cb: Download complete
ebc34468f71d: Download complete
2318d26665ef: Download complete
$ docker image ls
REPOSITORY              TAG      IMAGE ID       CREATED       VIRTUAL SIZE
127.0.0.1:5000/ubuntu   latest   ba5877dc9bec   6 weeks ago   192.7 MB
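The curl call above is one endpoint of the Registry HTTP API v2. The following is an added example, not code from this page or from the registry project: a small Python client that lists the catalog and tags the way curl does, then goes on to the step the page does not show, resolving a tag to its content digest and deleting the manifest by that digest (which is what reclaiming space later depends on). The base URL, the optional credentials and the responses served by fake_transport() are constructed for the example; against a real registry you would pass no transport and, for the TLS registry of section 3, auth=("username", "password").

```python
"""Added example: minimal Docker Registry HTTP API v2 client (not from the page or the registry project)."""
import base64
import hashlib
import json
import urllib.error
import urllib.parse
import urllib.request

MANIFEST_V2 = "application/vnd.docker.distribution.manifest.v2+json"


def manifest_digest(manifest_bytes):
    """The registry names a manifest by the SHA-256 of its exact bytes."""
    return "sha256:" + hashlib.sha256(manifest_bytes).hexdigest()


class Registry:
    def __init__(self, base_url, auth=None, transport=None):
        self.base = base_url.rstrip("/")
        self.auth = auth                      # (username, password) or None
        self.transport = transport or self._http

    def _http(self, method, url, headers):
        """Real transport over urllib; returns (status, lower-cased headers, body)."""
        req = urllib.request.Request(url, method=method, headers=headers)
        if self.auth:
            token = base64.b64encode(":".join(self.auth).encode()).decode()
            req.add_header("Authorization", "Basic " + token)
        try:
            with urllib.request.urlopen(req) as resp:
                return resp.status, {k.lower(): v for k, v in resp.headers.items()}, resp.read()
        except urllib.error.HTTPError as err:
            return err.code, {k.lower(): v for k, v in err.headers.items()}, err.read()

    def _json(self, path):
        status, _, body = self.transport("GET", self.base + path, {})
        if status != 200:
            raise RuntimeError(f"GET {path}: HTTP {status}")
        return json.loads(body)

    def catalog(self):
        return self._json("/v2/_catalog")["repositories"]

    def tags(self, repo):
        return self._json(f"/v2/{repo}/tags/list")["tags"] or []   # null once every tag is gone

    def digest(self, repo, tag):
        """Tag -> digest. The Accept header matters: without it an older registry
        converts the manifest to schema 1 and reports a digest that cannot be deleted."""
        status, headers, body = self.transport(
            "GET", f"{self.base}/v2/{repo}/manifests/{tag}", {"Accept": MANIFEST_V2})
        if status != 200:
            raise RuntimeError(f"manifest {repo}:{tag}: HTTP {status}")
        return headers.get("docker-content-digest") or manifest_digest(body)

    def delete(self, repo, digest):
        """Manifests are deleted by digest only, and only when config.yml has
        storage.delete.enabled: true (otherwise the registry answers 405)."""
        if not digest.startswith("sha256:"):
            raise ValueError("delete needs a digest, not a tag")
        status, _, _ = self.transport(
            "DELETE", f"{self.base}/v2/{repo}/manifests/{digest}", {})
        return status == 202


# Constructed responses standing in for a registry that holds ubuntu:latest (not a real registry).
FAKE_MANIFEST = json.dumps({"schemaVersion": 2, "mediaType": MANIFEST_V2}).encode()
FAKE_DIGEST = manifest_digest(FAKE_MANIFEST)


def fake_transport(method, url, headers):
    path = urllib.parse.urlsplit(url).path
    if (method, path) == ("GET", "/v2/_catalog"):
        return 200, {}, b'{"repositories":["ubuntu"]}'
    if (method, path) == ("GET", "/v2/ubuntu/tags/list"):
        return 200, {}, b'{"name":"ubuntu","tags":["latest"]}'
    if (method, path) == ("GET", "/v2/ubuntu/manifests/latest") and headers.get("Accept") == MANIFEST_V2:
        return 200, {"docker-content-digest": FAKE_DIGEST}, FAKE_MANIFEST
    if (method, path) == ("DELETE", f"/v2/ubuntu/manifests/{FAKE_DIGEST}"):
        return 202, {}, b""
    return 404, {}, b'{"errors":[{"code":"NOT_FOUND"}]}'


def demo():
    """catalog -> tags -> digest -> delete, run against the constructed registry."""
    reg = Registry("http://127.0.0.1:5000", transport=fake_transport)
    repos = reg.catalog()
    tags = reg.tags("ubuntu")
    dgst = reg.digest("ubuntu", tags[0])
    return repos, tags, dgst, reg.delete("ubuntu", dgst)


if __name__ == "__main__":
    print(demo())
```

A successful DELETE only unlinks the manifest; the layer blobs stay on disk until the registry's garbage collector is run (registry garbage-collect /etc/docker/registry/config.yml inside the container), which is the maintenance step section 4 refers to.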
Configure a non-HTTPS registry address
If you do not want to use 127.0.0.1:5000 as the registry address, for example because other hosts on the network segment should be able to push to the private registry, you have to use an address such as 192.168.199.100:5000. At that point you will find that pushing fails.
That is because Docker refuses to talk to a non-HTTPS registry by default. You can lift that restriction with a Docker daemon option, or follow the next section to set up a registry that is reachable over HTTPS.
Ubuntu 16.04+, Debian 8+, CentOS 7
For systems that use systemd, edit /etc/docker/daemon.json (create the file if it does not exist):
{
  "registry-mirrors": [
    "https://hub-mirror.c.163.com",
    "https://mirror.baidubce.com"
  ],
  "insecure-registries": [
    "192.168.199.100:5000"
  ]
}
Note: the file must be valid JSON and may only contain options dockerd knows (the key is registry-mirrors, plural), otherwise Docker will not start. Restart the daemon afterwards with sudo systemctl restart docker. An address listed under insecure-registries is one for which Docker accepts plain HTTP and does not verify the server certificate, so image content can be read or replaced by anyone on the path: keep the entry scoped to the exact host:port of a registry you control on a trusted network, and prefer the HTTPS setup of the next section.
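As an added example (not code from the page or from Docker), the following pre-flight check is what I would run before restarting dockerd with a hand-edited daemon.json: it verifies the file is valid JSON, catches the common misspellings of the two keys used above (an unknown key stops dockerd from starting), and spells out what each entry means for transport security, flagging an insecure-registries entry that covers a whole CIDR range. The two configuration texts are constructed for the example.

```python
"""Added example: pre-flight audit of /etc/docker/daemon.json (not from the page or from Docker)."""
import json

# Keys people commonly misspell, mapped to the option name dockerd actually accepts.
MISSPELLINGS = {
    "registry-mirror": "registry-mirrors",
    "insecure-registry": "insecure-registries",
}


def audit_daemon_json(text):
    """Return a list of 'ERROR ...' / 'WARN ...' / 'INFO ...' findings; an empty list means clean."""
    findings = []
    try:
        cfg = json.loads(text)
    except json.JSONDecodeError as err:
        return [f"ERROR invalid JSON ({err}); dockerd will not start"]
    if not isinstance(cfg, dict):
        return ["ERROR top level must be a JSON object; dockerd will not start"]

    for key in cfg:
        if key in MISSPELLINGS:
            findings.append(f"ERROR unknown key '{key}' (did you mean '{MISSPELLINGS[key]}'?); "
                            "dockerd will not start")

    for mirror in cfg.get("registry-mirrors", []):
        if not str(mirror).startswith("https://"):
            findings.append(f"WARN mirror {mirror} is not https; layers could be altered in transit")

    for entry in cfg.get("insecure-registries", []):
        entry = str(entry)
        if "/" in entry:
            findings.append(f"WARN insecure-registries {entry} is a CIDR range: every host in it is "
                            "accepted over plain HTTP or with an unverified certificate")
        else:
            findings.append(f"INFO insecure-registries {entry}: plain HTTP allowed and the "
                            "certificate is not verified for this address")
    return findings


def is_safe_to_restart(text):
    """True when no finding would stop dockerd from starting."""
    return not any(f.startswith("ERROR") for f in audit_daemon_json(text))


# Constructed sample files: the first carries the singular-key mistake, the second is the corrected form.
PAGE_CONFIG = """{
  "registry-mirror": ["https://hub-mirror.c.163.com", "https://mirror.baidubce.com"],
  "insecure-registries": ["192.168.199.100:5000"]
}"""
FIXED_CONFIG = """{
  "registry-mirrors": ["https://hub-mirror.c.163.com", "https://mirror.baidubce.com"],
  "insecure-registries": ["192.168.199.100:5000"]
}"""

if __name__ == "__main__":
    for name, cfg in (("page", PAGE_CONFIG), ("fixed", FIXED_CONFIG)):
        print(name, "safe to restart:", is_safe_to_restart(cfg))
        for finding in audit_daemon_json(cfg):
            print("  ", finding)
```

The INFO line is deliberate: an insecure-registries entry is never an error, but it should appear in every review of the file so nobody forgets that TLS is switched off for that address.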
3. Advanced configuration of the private registry
Prepare the site certificate
If you own a domain name, the major cloud providers in China offer free site certificates. You can also issue your own certificate with openssl.
Assume the private registry to be built will be reached as docker.domain.com. The following shows how to use openssl to self-sign a site SSL certificate for docker.domain.com.
Step 1: create the CA private key.
$ openssl genrsa -out "root-ca.key" 4096
Step 2: create the CA root certificate request with that private key.
$ openssl req \
    -new -key "root-ca.key" \
    -out "root-ca.csr" -sha256 \
    -subj '/C=CN/ST=Shanxi/L=Datong/O=Your Company Name/CN=Your Company Name Docker Registry CA'
In the -subj parameter above, /C is the country (for example CN), /ST the province or state, /L the city or region, /O the organisation name and /CN the common name.
Step 3: configure the CA root certificate extensions by creating root-ca.cnf.
[root_ca]
basicConstraints = critical,CA:TRUE,pathlen:1
keyUsage = critical, nonRepudiation, cRLSign, keyCertSign
subjectKeyIdentifier=hash
Step 4: sign and issue the root certificate.
$ openssl x509 -req -days 3650 -in "root-ca.csr" \
    -signkey "root-ca.key" -sha256 -out "root-ca.crt" \
    -extfile "root-ca.cnf" -extensions root_ca
Step 5: generate the site's SSL private key.
$ openssl genrsa -out "docker.domain.com.key" 4096
Step 6: generate the certificate request with that private key.
$ openssl req -new -key "docker.domain.com.key" -out "site.csr" -sha256 \
    -subj '/C=CN/ST=Shanxi/L=Datong/O=Your Company Name/CN=docker.domain.com'
Step 7: configure the site certificate extensions by creating site.cnf. Docker's TLS client (Go) matches the server name against subjectAltName only and ignores the CN, so every hostname and IP address that clients will use to reach the registry must be listed under subjectAltName.
[server]
authorityKeyIdentifier=keyid,issuer
basicConstraints = critical,CA:FALSE
extendedKeyUsage=serverAuth
keyUsage = critical, digitalSignature, keyEncipherment
subjectAltName = DNS:docker.domain.com, IP:127.0.0.1
subjectKeyIdentifier=hash
Step 8: sign the site SSL certificate.
$ openssl x509 -req -days 750 -in "site.csr" -sha256 \
    -CA "root-ca.crt" -CAkey "root-ca.key" -CAcreateserial \
    -out "docker.domain.com.crt" -extfile "site.cnf" -extensions server
You now have the site private key docker.domain.com.key, the site SSL certificate docker.domain.com.crt and the CA root certificate root-ca.crt.
Create a new ssl directory, move docker.domain.com.key, docker.domain.com.crt and root-ca.crt into it, and remove the leftover request and configuration files. Keep root-ca.key, which you will need to renew the site certificate, but store it offline and out of the registry's directory: anyone holding it can mint certificates that every client trusting root-ca.crt will accept.
Configure the private registry
The registry's default configuration file is /etc/docker/registry/config.yml inside the image. Edit config.yml locally and then mount it into the container.
version: 0.1
log:
  accesslog:
    disabled: true
  level: debug
  formatter: text
  fields:
    service: registry
    environment: staging
storage:
  delete:
    enabled: true
  cache:
    blobdescriptor: inmemory
  filesystem:
    rootdirectory: /var/lib/registry
auth:
  htpasswd:
    realm: basic-realm
    path: /etc/docker/registry/auth/nginx.htpasswd
http:
  addr: :443
  host: https://docker.domain.com
  headers:
    X-Content-Type-Options: [nosniff]
  http2:
    disabled: false
  tls:
    certificate: /etc/docker/registry/ssl/docker.domain.com.crt
    key: /etc/docker/registry/ssl/docker.domain.com.key
health:
  storagedriver:
    enabled: true
    interval: 10s
    threshold: 3
Two settings deserve a second look. storage.delete.enabled: true allows manifests and blobs to be deleted through the API, which you need for garbage collection but which also lets any authenticated user remove images. log.accesslog.disabled: true switches the access log off; for a registry you may have to investigate later, leave it enabled so pushes and pulls are recorded with the requesting user.
Generate the HTTP authentication file
$ mkdir auth
$ docker run --rm \
    --entrypoint htpasswd \
    httpd:alpine \
    -Bbn username password > auth/nginx.htpasswd
Replace username and password above with your own. -B selects bcrypt, which is the only hash format the registry's htpasswd backend verifies against; entries created with -m (MD5) or -s (SHA-1) will never authenticate. Because -b takes the password on the command line, it ends up in your shell history and in the process list; to be prompted for it instead, drop -b, add -it to docker run, and htpasswd will read the password from the terminal.
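As an added example (not code from the page or from the registry project), this check validates an htpasswd file before it is mounted into the registry: every entry must be a user:hash pair, every hash must be bcrypt (the only format the registry compares against), the bcrypt cost should not be trivially low, and no user may appear twice. The sample file is constructed; its hashes are well-formed but were not derived from any password.

```python
"""Added example: validate a registry htpasswd file (not from the page or the registry project)."""
import re
import string

# bcrypt modular crypt format: $2a$/$2b$/$2y$, two-digit cost, 22-char salt + 31-char hash.
BCRYPT_RE = re.compile(r"^\$2[aby]\$(\d{2})\$[./A-Za-z0-9]{53}$")


def check_htpasswd(text, min_cost=10):
    """Return a list of 'line N: ...' findings; an empty list means the file is acceptable."""
    findings, seen = [], set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):      # the registry skips blank lines and comments
            continue
        if ":" not in line:
            findings.append(f"line {lineno}: not in user:hash form")
            continue
        user, hashed = line.split(":", 1)
        if not user:
            findings.append(f"line {lineno}: empty username")
            continue
        if user in seen:
            findings.append(f"line {lineno}: duplicate user {user} (the last entry wins silently)")
        seen.add(user)
        match = BCRYPT_RE.match(hashed)
        if not match:
            findings.append(f"line {lineno}: user {user} is not bcrypt; this login can never succeed")
            continue
        cost = int(match.group(1))
        if cost < min_cost:
            findings.append(f"line {lineno}: user {user} has bcrypt cost {cost}, below {min_cost}")
    return findings


# 53 placeholder characters standing in for a real salt+hash (constructed, not a real password hash).
FAKE_TAIL = string.ascii_lowercase + string.ascii_uppercase + "0"

SAMPLE_HTPASSWD = "\n".join([
    "# constructed sample: hashes are well-formed but not derived from any password",
    f"alice:$2y$12${FAKE_TAIL}",                 # fine
    "bob:$apr1$saltsalt$notabcrypthash",         # MD5 from htpasswd -m: never authenticates
    f"carol:$2y$05${FAKE_TAIL}",                 # bcrypt, but cost 5 is cheap to brute-force
    f"alice:$2y$12${FAKE_TAIL}",                 # duplicate user
])

if __name__ == "__main__":
    for finding in check_htpasswd(SAMPLE_HTPASSWD):
        print(finding)
```

Run it against auth/nginx.htpasswd before docker-compose up; a non-empty result on a file produced by htpasswd -B usually means a stray line from copy-and-paste.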
Edit docker-compose.yml
version: '3'
services:
  registry:
    image: registry
    ports:
      - "443:443"
    volumes:
      - ./:/etc/docker/registry
      - registry-data:/var/lib/registry

volumes:
  registry-data:
Modify hosts
Edit /etc/hosts and add:
127.0.0.1 docker.domain.com
Start
$ docker-compose up -d
We now have a private registry with authentication and TLS. Next, test that it works.
Test the private registry
Because the self-issued CA root certificate is not trusted by the system, copy ssl/root-ca.crt into the /etc/docker/certs.d/docker.domain.com directory as ca.crt. Docker then trusts that CA for this registry only, which is preferable to adding it to the system-wide trust store.
$ sudo mkdir -p /etc/docker/certs.d/docker.domain.com
$ sudo cp ssl/root-ca.crt /etc/docker/certs.d/docker.domain.com/ca.crt
Log in to the private registry.
$ docker login docker.domain.com
Try pushing and pulling images.
$ docker pull ubuntu:18.04
$ docker tag ubuntu:18.04 docker.domain.com/username/ubuntu:18.04
$ docker push docker.domain.com/username/ubuntu:18.04
$ docker image rm docker.domain.com/username/ubuntu:18.04
$ docker pull docker.domain.com/username/ubuntu:18.04
If we log out and try to push again:
$ docker logout docker.domain.com
$ docker push docker.domain.com/username/ubuntu:18.04
no basic auth credentials
The push is refused because no credentials are available, which is the behaviour we wanted.
Notes
If port 443 on your machine is already in use, put an Nginx reverse proxy in front of the registry; that setup is not covered here.
4. Nexus 3.x private registry
Registries built with Docker's official registry image come with some maintenance problems. For example, after images are deleted the space is not reclaimed by default; you have to run the registry's garbage collector (registry garbage-collect /etc/docker/registry/config.yml) and restart the registry. A common enterprise practice is to keep internal packages in Nexus, and the current Nexus 3.x fully supports hosting private Docker images, so using Nexus 3.x to manage Docker, Maven, Yum, PyPI and similar repositories in one place is a sensible choice.
Start the Nexus container
$ docker run -d --name nexus3 --restart=always \
    -p 8081:8081 \
    --mount src=nexus-data,target=/nexus-data \
    sonatype/nexus3
The first start takes 3 to 5 minutes. Follow the log with docker logs nexus3 -f:
$ docker logs nexus3 -f
2021-03-11 15:31:21,990+0000 INFO  [jetty-main-1] *SYSTEM org.sonatype.nexus.bootstrap.jetty.JettyServer - 
-------------------------------------------------

Started Sonatype Nexus OSS 3.30.0-01

-------------------------------------------------
If you see this, Nexus has started. Open http://YourIP:8081 in a browser to reach Nexus.
For the first login, get the initial password with:
$ docker exec nexus3 cat /nexus-data/admin.password
9266139e-41a2-4abb-92ec-e4142a3532cb
The account for the first login is admin, with the password obtained above. Click Sign in at the top right; you are required to change the initial password on first login.
After logging in, click the gear icon at the top of the page and configure as follows.
Create a repository
To create a private repository: Repository -> Repositories, click Create repository on the right and choose docker (hosted).
- Name: the repository name
- HTTP: a dedicated port for this repository (for example 5001)
- Hosted -> Deployment policy: choose Allow redeploy, otherwise Docker images cannot be pushed.
Explore the other repository types yourself. You can also create a docker (proxy) repository linked to Docker Hub, then a docker (group) repository that contains both the hosted and the proxy repositories. A host using the group gets an image from the private hosted repository first; if it is not there, the image is fetched from Docker Hub through the proxy and cached in Nexus.
Add access
Security -> Realms: move Docker Bearer Token Realm into the Active box on the right and save.
Add a role: Security -> Roles -> Create role, search the privileges for docker, move the relevant privileges into the right-hand box and save. Grant only the privileges the role needs (for example read-only for CI consumers).
Add a user: Security -> Users -> Create local user, and under Roles move the role just created into the right-hand box and save.
NGINX TLS reverse proxy
For certificate generation, see the certificate section under advanced configuration of the private registry.
A sample NGINX configuration:
# $connection_upgrade is used below and must be defined, otherwise nginx refuses to start
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

upstream register {
    server "YourHostName OR IP":5001;  # the HTTP port set when the hosted Docker repository was created above
    # the check_* directives come from nginx_upstream_check_module (Tengine); remove them on stock nginx
    check interval=3000 rise=2 fall=10 timeout=1000 type=http;
    check_http_send "HEAD / HTTP/1.0\r\n\r\n";
    check_http_expect_alive http_4xx;
}

server {
    server_name YourDomainName;  # if no DNS server resolves this name, remove the line and access by IP
    listen 443 ssl;
    ssl_certificate key/example.crt;
    ssl_certificate_key key/example.key;
    ssl_session_timeout 5m;
    ssl_protocols TLSv1.2 TLSv1.3;  # TLSv1 and TLSv1.1 are deprecated and must not be offered
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    large_client_header_buffers 4 32k;
    client_max_body_size 300m;  # image layers arrive as large upload bodies; raise if pushes fail with 413
    client_body_buffer_size 512k;
    proxy_connect_timeout 600;
    proxy_read_timeout 600;
    proxy_send_timeout 600;
    proxy_buffer_size 128k;
    proxy_buffers 4 64k;
    proxy_busy_buffers_size 128k;
    proxy_temp_file_write_size 512k;

    location / {
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Port $server_port;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_redirect off;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_pass http://register;
        proxy_read_timeout 900s;
    }

    error_page 500 502 503 504 /50x.html;
}
Docker host accesses the image registry
If you do not enable SSL, add the non-HTTPS registry address to the Docker daemon configuration as described in the earlier section and restart Docker.
Once SSL is enabled, no daemon configuration change is needed; the client only has to trust the certificate. One way to do that:
$ openssl s_client -showcerts -connect YourDomainName OR HostIP:443 </dev/null 2>/dev/null | openssl x509 -outform PEM > ca.crt
$ cat ca.crt | sudo tee -a /etc/ssl/certs/ca-certificates.crt
$ systemctl restart docker
Two caveats. First, this is trust-on-first-use: it trusts whatever certificate the network presented, so before running the tee step compare the certificate's SHA-256 fingerprint with the one computed on the registry host (openssl x509 -noout -fingerprint -sha256 -in the server's certificate file). Second, appending to /etc/ssl/certs/ca-certificates.crt trusts the certificate for every program on the host, and the entry is lost the next time update-ca-certificates regenerates that bundle; placing the file under /etc/docker/certs.d/<registry>/ca.crt, as shown in the earlier section, scopes the trust to Docker and to that one registry.
Test with docker login YourDomainName OR HostIP, entering the username and password created in Nexus above.
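As an added example (not code from the page, Nexus or Docker), here is the trust-on-first-use step done with the check described above: fetch the certificate the server presents, compute its SHA-256 fingerprint in the same colon-separated form openssl prints, compare it in constant time with the fingerprint the registry owner computed on the server and communicated out of band, and only on a match write it to Docker's per-registry location /etc/docker/certs.d/<registry>/ca.crt. Host, port, expected fingerprint and the registry name are placeholders supplied on the command line; CONSTRUCTED_PEM used by demo() wraps placeholder bytes and is not a real certificate.

```python
"""Added example: verified trust-on-first-use for a registry certificate (not from the page, Nexus or Docker)."""
import base64
import hashlib
import hmac
import pathlib
import ssl
import sys
import tempfile


def fingerprint_sha256(pem):
    """Colon-separated upper-case SHA-256 over the DER bytes, the form openssl -fingerprint prints."""
    der = ssl.PEM_cert_to_DER_cert(pem)
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fetch_server_cert(host, port=443):
    """The leaf certificate the server presents, PEM-encoded. Nothing is validated here."""
    return ssl.get_server_certificate((host, port))


def verify_and_install(registry, pem, expected_fp, root=pathlib.Path("/etc/docker/certs.d")):
    """Write <root>/<registry>/ca.crt only if the fingerprint matches what the owner published.
    'registry' is host[:port] exactly as written in image references; that string is the
    directory name Docker looks up under certs.d."""
    actual = fingerprint_sha256(pem)
    if not hmac.compare_digest(actual, expected_fp.upper()):
        raise ValueError(f"fingerprint mismatch: server presented {actual}")
    dest = root / registry / "ca.crt"
    dest.parent.mkdir(parents=True, exist_ok=True)
    dest.write_text(pem)
    return dest


# Constructed stand-in: placeholder bytes wrapped in PEM armour, not a real certificate.
CONSTRUCTED_DER = b"abc"
CONSTRUCTED_PEM = ("-----BEGIN CERTIFICATE-----\n"
                   + base64.encodebytes(CONSTRUCTED_DER).decode()
                   + "-----END CERTIFICATE-----\n")


def demo():
    """Owner computes the fingerprint locally; the client verifies and installs into a temp dir."""
    root = pathlib.Path(tempfile.mkdtemp())
    expected = fingerprint_sha256(CONSTRUCTED_PEM)       # value the owner would hand over out of band
    dest = verify_and_install("docker.domain.com", CONSTRUCTED_PEM, expected, root=root)
    return expected, dest.relative_to(root).as_posix(), dest.read_text() == CONSTRUCTED_PEM


if __name__ == "__main__":
    # usage: script.py HOST PORT                       -> print the fingerprint to compare
    #        script.py HOST PORT EXPECTED_FP REGISTRY  -> verify and install (run as root)
    if len(sys.argv) >= 3:
        pem = fetch_server_cert(sys.argv[1], int(sys.argv[2]))
        print(fingerprint_sha256(pem))
        if len(sys.argv) == 5:
            print("installed to", verify_and_install(sys.argv[4], pem, sys.argv[3]))
    else:
        print(demo())
```

Because the mismatch check runs before anything is written, a wrong or tampered certificate never reaches the certs.d directory, and no daemon restart is needed: Docker reads certs.d on each registry connection.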