Docker learning notes (2) - Registries

Posted by Hui_Tong on 2022-03-13

A Docker registry is the hub for storing, distributing and deploying images: after building an application image you push it to a registry, and the Docker daemon pulls it from there to run it. You can use the official public registry, Docker Hub, or run a private registry of your own.

  1. Docker Hub hosts a large number of images that can be searched and used without logging in
  2. After registering a Docker Hub account you can upload and share the images you build (https://hub.docker.com/)
  3. Users can also create private repositories on it

Docker Hub

Searching for the Ubuntu image

  • OFFICIAL: images maintained by Docker itself, covering base operating systems, programming languages, data stores and so on, much like a PaaS. They receive timely security updates and come with detailed documentation, best practices and common design patterns; their Dockerfiles are worth studying
  • AUTOMATED: images linked to a source repository such as GitHub, built automatically and pushed to Docker Hub

Commands

# search for images
docker search <NAME>
# pull an image
docker pull <NAME>
# push an image to a repository; by using different tags, several images can be pushed to one repository
# log in to Docker Hub before pushing
docker login
docker push <hub-user>/<repo-name>:<tag>

Running a private registry

If you want to build a Docker-based PaaS platform, Docker Hub often cannot meet the requirements, for the following reasons:

  • many companies' core IDCs have no Internet access, and for deployment and distribution network bandwidth is a major bottleneck
  • putting many applications in a public repository is not secure
  • image storage and distribution can be integrated into the internal development workflow

registry is the open-source component provided by Docker for storing and distributing images; it is stateless and can be scaled out or in

registry

# start the registry; REGISTRY_HTTP_ADDR makes it listen on 5500 inside the container, published as host port 6000
docker run -d \
-e REGISTRY_HTTP_ADDR=0.0.0.0:5500 \
-p 6000:5500 \
--name registry-galen \
-v /mnt/docker-registry:/var/lib/registry \
--restart always \
registry:2

Local use

docker pull ubuntu:16.04
# add a tag to the ubuntu image that points at the local registry
docker tag ubuntu:16.04 localhost:6000/galen-ubuntu
# push the image to the registry running on localhost:6000
docker push localhost:6000/galen-ubuntu
# remove the local images
docker image rm ubuntu:16.04
docker image rm localhost:6000/galen-ubuntu
# pull it back from the registry
docker pull localhost:6000/galen-ubuntu

Pushing an image from another host to the registry (host 115 -> host 129)

docker pull ubuntu:16.04
docker tag ubuntu:16.04 172.17.73.129:6000/galen-115-ubuntu
# on the client that will push (115), add insecure-registries to the file /etc/docker/daemon.json
# and restart the docker daemon (the key for mirrors is "registry-mirrors", plural)
{
  "registry-mirrors": [
    "https://hub-mirror.c.163.com",
    "https://mirror.baidubce.com"
  ],
  "insecure-registries": [
    "172.17.73.129:6000"
  ]
}
docker push 172.17.73.129:6000/galen-115-ubuntu
# list the repositories in the registry
curl -X GET http://172.17.73.129:6000/v2/_catalog
{"repositories":["galen-115-ubuntu","galen-ubuntu"]}
  • The registry as deployed above is insecure: there is no authentication, so any client that can reach the address can push images

Using nginx for authentication

Remove the earlier registry container and start it again

# stop and remove
docker container rm -f registry-galen
# start the registry
# note: -p 6000:5000 publishes the port on all interfaces, so the registry stays reachable on :6000
# without going through nginx; use -p 127.0.0.1:6000:5000 to expose it only to the local nginx
docker run -d \
-p 6000:5000 \
--name registry-galen \
-v /mnt/docker-registry:/var/lib/registry \
--restart always \
registry:2

vim /etc/nginx/conf.d/registry.conf

upstream registry-galen {
    server 127.0.0.1:6000;
}
server {
    listen 443 ssl;
    server_name www.codemachine.in;
    # TLS is enabled by "listen 443 ssl"; the old "ssl on;" directive is deprecated and rejected by recent nginx
    # certificate (public key)
    ssl_certificate /etc/ssl/certs/docker-registry.crt;
    # private key
    ssl_certificate_key /etc/ssl/private/docker-registry.key;
    # disable the request body size limit, otherwise large image layers fail with HTTP 413
    client_max_body_size 0;
    # avoid HTTP 411
    chunked_transfer_encoding on;
    location /v2/ {
        auth_basic "Need to login";
        auth_basic_user_file /etc/nginx/conf.d/nginx.htpasswd;
        include docker-registry.conf;
    }

    location /_ping/ {
        auth_basic off;
        include docker-registry.conf;
    }

    location /v2/_ping {
        auth_basic off;
        include docker-registry.conf;
    }
}

vim /etc/nginx/docker-registry.conf

proxy_pass                          http://registry-galen;
proxy_set_header  Host              $http_host;   # required for docker client's sake
proxy_set_header  X-Real-IP         $remote_addr; # pass on real client's IP
proxy_set_header  X-Forwarded-For   $proxy_add_x_forwarded_for;
proxy_set_header  X-Forwarded-Proto $scheme;
proxy_read_timeout                  900;

Use the htpasswd tool to create the username and password for authentication; the password is hashed and written to the file (-c creates the file, overwriting any existing one; -b takes the password from the command line)

[root@localhost nginx]# htpasswd -bc /etc/nginx/conf.d/nginx.htpasswd galendocker p@ssw0rd
Adding password for user galendocker
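As an added example (not from the original post), the same htpasswd entry built with the openssl CLI, for hosts where apache2-utils/httpd-tools is not installed. nginx's auth_basic_user_file accepts the apr1 hash that htpasswd writes by default, and `openssl passwd -apr1` produces exactly that format. The second function re-hashes a candidate password with the salt stored in the entry and compares, which is the check nginx performs on every request; the user name and password are the post's example values, and the `htpasswd_entry`/`htpasswd_check` names are this example's own.

```shell
#!/bin/sh
# Added example: nginx-compatible htpasswd entries with only the openssl CLI.
# nginx auth_basic understands apr1 ($apr1$salt$hash), the htpasswd default.

# htpasswd_entry USER PASSWORD [SALT]
# Prints one "user:hash" line. A random 8-character salt is used unless given
# (apr1 salts are at most 8 characters).
htpasswd_entry() {
    user=$1; pass=$2; salt=${3:-$(openssl rand -hex 4)}
    printf '%s:%s\n' "$user" "$(openssl passwd -apr1 -salt "$salt" "$pass")"
}

# htpasswd_check FILE USER PASSWORD
# Returns 0 if USER exists in FILE and PASSWORD matches the stored apr1 hash.
htpasswd_check() {
    file=$1; user=$2; pass=$3
    stored=$(grep "^${user}:" "$file" | cut -d: -f2-)
    [ -n "$stored" ] || return 1
    # stored form is $apr1$<salt>$<hash>: field 3 of a '$'-split is the salt
    salt=$(printf '%s' "$stored" | cut -d'$' -f3)
    recomputed=$(openssl passwd -apr1 -salt "$salt" "$pass")
    [ "$recomputed" = "$stored" ]
}

# Demo: the post's user plus a second one, then a right and a wrong password
htpasswd_demo() {
    tmp=$(mktemp)
    htpasswd_entry galendocker 'p@ssw0rd' > "$tmp"     # like htpasswd -bc (creates the file)
    htpasswd_entry second 'another-secret' >> "$tmp"   # like htpasswd -b (appends)
    htpasswd_check "$tmp" galendocker 'p@ssw0rd' && echo "galendocker: password accepted"
    htpasswd_check "$tmp" galendocker 'wrong' || echo "galendocker: wrong password rejected"
    rm -f "$tmp"
}
htpasswd_demo
```

Like `htpasswd -b`, passing the password as an argument leaves it in the shell history and process list; `openssl passwd` also accepts it on stdin (`-stdin`) when that matters.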

Creating a private SSL certificate

Since Go 1.15 the CommonName field is no longer used for host name verification, so a certificate with a SAN is required (the Docker client is written in Go)

Create a private CA with OpenSSL. The CA has a public key and a private key: the public key lets others verify the certificates it issues, and the private key signs those certificates

Use openssl to generate a certificate request carrying the SAN extension; edit /etc/pki/tls/openssl.cnf

# in the [ req ] section (the directive name is req_extensions)
req_extensions = v3_req

[ v3_req ]
# Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = www.codemachine.in
DNS.2 = www.galen.codemachine.com

Generating the CA

# working directory and database files expected by `openssl ca` (CA_default in openssl.cnf)
mkdir /etc/pki/CA/ && cd /etc/pki/CA/ && mkdir certs && mkdir newcerts && touch index.txt
# serial number of the first certificate to be issued
echo 01 > serial
# generate the CA private key (encrypted, you are prompted for a passphrase)
openssl genrsa -des3 -out ca-key.pem 2048
# generate the self-signed CA certificate: private key, output path, validity period, etc.
# (paths are relative to /etc/pki/CA; ca-crt.pem is the name used when signing and copying below)
openssl req -new -x509 -days 365 -key ca-key.pem -out ca-crt.pem
>
Enter pass phrase for ca-key.pem:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Jiangsu
Locality Name (eg, city) [Default City]:Nanjing
Organization Name (eg, company) [Default Company Ltd]:bigtera
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:codemachine
Email Address []:937013596@qq.com

Having the CA sign a server certificate with the SAN (Subject Alternative Name) extension

# generate the server private key
openssl genrsa -des3 -out server-key.pem 2048
# generate the server certificate signing request; with the default policy, country, province and organization must match the CA
openssl req -new -key server-key.pem -out server.csr -extensions v3_req
>
Enter pass phrase for server-key.pem:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Jiangsu
Locality Name (eg, city) [Default City]:Nanjing
Organization Name (eg, company) [Default Company Ltd]:bigtera
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:codemachine
Email Address []:937013596@qq.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

# issue the certificate
openssl ca -in server.csr -keyfile ca-key.pem -cert ca-crt.pem -extensions v3_req -out server.crt
>
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for ca-key.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Mar 11 09:15:27 2022 GMT
            Not After : Mar 11 09:15:27 2023 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = Jiangsu
            organizationName          = bigtera
            commonName                = codemachine
            emailAddress              = 937013596@qq.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Key Usage:
                Digital Signature, Non Repudiation, Key Encipherment
            X509v3 Subject Alternative Name:
                DNS:www.codemachine.in, DNS:www.galen.codemachine.com
Certificate is to be certified until Mar 11 09:15:27 2023 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
# remove the passphrase from server-key so nginx can load it without prompting
openssl rsa -in server-key.pem -out server-key.pem
# install server-key and server.crt where the nginx ssl configuration expects them
cp server.crt /etc/ssl/certs/docker-registry.crt
mkdir /etc/ssl/private
cp server-key.pem /etc/ssl/private/docker-registry.key
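The same CA and SAN-certificate procedure as an added, non-interactive shell script (not the post's own commands): it replaces the prompts with -subj, keeps a v3_req-style extension section in a config file of its own instead of editing /etc/pki/tls/openssl.cnf, and signs with `openssl x509 -req` so no index.txt/serial database is needed. The check function then does what the Docker client will do: verify the chain against the CA and require the host name in the SAN. A second, CN-only certificate is issued to show that it passes the chain check yet fails the SAN check, which is the Go 1.15 behaviour described above. Host names and DN values are the post's examples; the `issue_cert`/`check_cert` names and the `galen-ca` CN are this example's own, and keys are written unencrypted (the post uses -des3 and strips the passphrase afterwards).

```shell
#!/bin/sh
# Added example: non-interactive CA + SAN server certificate + verification.
# Needs only the openssl CLI (1.0.2 or newer).

# issue_cert OUTDIR HOSTNAME [with_san=yes|no]
# Writes ca-key.pem, ca-crt.pem, server-key.pem, server.csr, server.crt to OUTDIR.
issue_cert() {
    dir=$1; host=$2; with_san=${3:-yes}
    mkdir -p "$dir"
    # One config for CA and server cert. [server_ext] plays the role of the
    # post's v3_req section; req_extensions also puts it into the CSR.
    cat > "$dir/registry.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions    = ca_ext
req_extensions     = server_ext
[dn]
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign
[server_ext]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
    if [ "$with_san" = yes ]; then
        # the post lists two DNS names; one is enough to show the check
        printf 'subjectAltName = DNS:%s\n' "$host" >> "$dir/registry.cnf"
    fi
    # 1. CA private key and self-signed CA certificate (CA:TRUE)
    openssl genrsa -out "$dir/ca-key.pem" 2048 2>/dev/null
    openssl req -new -x509 -days 365 -config "$dir/registry.cnf" \
        -key "$dir/ca-key.pem" -subj "/C=CN/ST=Jiangsu/O=bigtera/CN=galen-ca" \
        -out "$dir/ca-crt.pem"
    # 2. server key and CSR; C, ST, O match the CA as openssl ca's default policy requires
    openssl genrsa -out "$dir/server-key.pem" 2048 2>/dev/null
    openssl req -new -config "$dir/registry.cnf" -key "$dir/server-key.pem" \
        -subj "/C=CN/ST=Jiangsu/O=bigtera/CN=$host" -out "$dir/server.csr"
    # 3. sign with the CA; extensions come from [server_ext] in the config,
    #    just as `openssl ca -extensions v3_req` takes them from openssl.cnf
    openssl x509 -req -days 365 -in "$dir/server.csr" \
        -CA "$dir/ca-crt.pem" -CAkey "$dir/ca-key.pem" -CAcreateserial \
        -extfile "$dir/registry.cnf" -extensions server_ext \
        -out "$dir/server.crt" 2>/dev/null
}

# check_cert OUTDIR HOSTNAME
# Returns 0 only if server.crt chains to ca-crt.pem AND names HOSTNAME in its SAN.
check_cert() {
    dir=$1; host=$2
    # chain check, like the client's trust-store check after update-ca-trust
    openssl verify -CAfile "$dir/ca-crt.pem" "$dir/server.crt" >/dev/null 2>&1 || return 1
    # SAN check: a certificate that only carries the host in CN fails here,
    # which is why a Go >= 1.15 Docker client rejects it
    openssl x509 -in "$dir/server.crt" -noout -text | grep -qF "DNS:$host"
}

# Demo: one SAN certificate and one CN-only certificate for the post's host name
demo() {
    tmp=$(mktemp -d)
    issue_cert "$tmp/san" www.codemachine.in yes
    check_cert "$tmp/san" www.codemachine.in && echo "SAN cert: accepted"
    issue_cert "$tmp/cn" www.codemachine.in no
    check_cert "$tmp/cn" www.codemachine.in || echo "CN-only cert: chain OK but rejected (no SAN)"
    rm -rf "$tmp"
}
demo
```

The generated ca-crt.pem is what gets copied to the client's trust anchors, and server.crt/server-key.pem are what nginx loads; the SAN check is the one to run before restarting nginx, because a CN-only certificate produces a valid-looking chain and still fails every docker push.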

Starting nginx

systemctl start nginx

Client use

No DNS server was configured in this experiment, so add a mapping from www.codemachine.in to the host's IP address in the hosts file: 172.17.73.129 www.codemachine.in

  • windows: C:\Windows\System32\drivers\etc\hosts
  • linux: /etc/hosts

Docker client

So that Docker can talk to nginx, send the CA certificate to the client and add it to the client's trust store, then restart docker and the registry container

# on the client (115): enable the system trust store
update-ca-trust force-enable
# on host 129: copy the CA certificate to the client's trust anchors
scp ca-crt.pem root@172.17.73.115:/etc/pki/ca-trust/source/anchors/ca-cert.crt
# on the client (115): rebuild the trust store
update-ca-trust extract
# retag
docker tag busybox:latest www.codemachine.in/busybox:latest
# push without logging in
docker push www.codemachine.in/busybox
>
Using default tag: latest
The push refers to repository [www.codemachine.in/busybox]
797ac4999b67: Preparing
no basic auth credentials
# log in (-p puts the password on the command line; --password-stdin avoids that)
docker login -u galendocker -p p@ssw0rd www.codemachine.in
# push again
docker push www.codemachine.in/busybox
>
Using default tag: latest
The push refers to repository [www.codemachine.in/busybox]
797ac4999b67: Pushed
latest: digest: sha256:14d4f50961544fdb669075c442509f194bdc4c0e344bde06e35dbd55af842a38 size: 527

Using a Windows browser

Open https://www.codemachine.in/v2/_catalog in the browser
