咱们用server1虚拟机作实验,让他能够上网,再物理主机进行配置:html
[root@rhel7host ~]# iptables -t nat -I POSTROUTING -s 172.25.254.0/24 -j MASQUERADE^C [root@rhel7host ~]# iptables -t nat -nL Chain POSTROUTING (policy ACCEPT) target prot opt source destination MASQUERADE all -- 172.25.254.0/24 0.0.0.0/0 [root@server1 ~]# ping baidu.com #server1能够上网了 PING baidu.com (220.181.38.148) 56(84) bytes of data. 64 bytes from 220.181.38.148 (220.181.38.148): icmp_seq=1 ttl=46 time=28.4 ms 64 bytes from 220.181.38.148 (220.181.38.148): icmp_seq=2 ttl=46 time=28.7 ms 64 bytes from 220.181.38.148 (220.181.38.148): icmp_seq=3 ttl=46 time=28.7 ms
[root@server1 ~]# docker login ## 登录 Login with your Docker ID to push and pull images from Docker Hub. If you don't have a Docker ID, head over to https://hub.docker.com to create one. Username: ^C [root@server1 ~]# docker tag busybox:latest cay718/busybox:latest ## 打标签 # 打标签必须以这种方式,【用户名/镜像】,官方镜像则不须要。 [root@server1 ~]# docker images REPOSITORY TAG IMAGE ID CREATED SIZE cay718/busybox latest 59788edf1f3e 19 months ago 1.15MB ## 咱们的镜像 busybox latest 59788edf1f3e 19 months ago 1.15MB gcr.io/distroless/base latest 9a255d5fe262 50 years ago 16.8MB [root@server1 ~]# docker search busybox ## 能够在社区中找到全部的busybox镜像 NAME DESCRIPTION STARS OFFICIAL AUTOMATED busybox Busybox base image. 1901 [OK] progrium/busybox 71 [OK] ... ggtools/busybox-ubuntu Busybox ubuntu version with extra goodies 0 [OK] trollin/busybox 0 [root@server1 ~]# docker push cay718/busybox:latest # 就直接把这个镜像推送到咱们的账号所属的仓库里面去了,由于咱们前面已经登录了。 咱们就能够去web界面登录dockerhub查看了
咱们如今拉去的镜像都是从国外拉取的由于docker的官网在国外。node
咱们使用docker pull 拉去镜像是比较慢的
咱们可使用阿里云提供的镜像加速器。linux
登录阿里云,注册账号,
也可使用支付宝或者淘宝等登录方式。nginx
找到镜像加速器。
p
就会生成一个加速器地址:
p
它让先创建/etc/docker 目录:web
[root@server1 ~]# ls /etc/docker/ key.json # 咱们有这个目录 而后它让编辑一个daemon.json [root@server1 ~]# cd /etc/docker/ [root@server1 docker]# vim daemon.json { "registry-mirrors": ["https://f7behxow.mirror.aliyuncs.com"] } [root@server1 docker]# systemctl daemon-reload [root@server1 docker]# systemctl restart docker
而后咱们拉取的速度就快了。由于咱们使用的是阿里云这个路径。docker
[root@server1 docker]# docker pull nginx Using default tag: latest latest: Pulling from library/nginx afb6ec6fdc1c: Pull complete b90c53a0b692: Pull complete 11fa52a0fdc0: Pull complete Digest: sha256:30dfa439718a17baafefadf16c5e7c9d0a1cde97b4fd84f63b69e13513be7097 Status: Downloaded newer image for nginx:latest ## 速度是很快的,这里没办法展现
使用私有仓库的优势:json
私有仓库使用的是registry这个镜像。ubuntu
## 下载registry [root@server1 docker]# docker pull registry Using default tag: latest latest: Pulling from library/registry 486039affc0a: Pull complete ba51a3b098e6: Pull complete 8bb4c43d6c8e: Pull complete 6f5f453e5f2d: Pull complete 42bc10b72f42: Pull complete Digest: sha256:7d081088e4bfd632a88e3f3bcd9e007ef44a796fddfe3261407a3f9f04abe1e7 Status: Downloaded newer image for registry:latest [root@server1 docker]# docker images registry latest 708bc6af7e5e 4 months ago 25.8MB [root@server1 docker]# docker history registry:latest # 查看构建历史 IMAGE CREATED CREATED BY SIZE COMMENT 708bc6af7e5e 4 months ago /bin/sh -c #(nop) CMD ["/etc/docker/registr… 0B <missing> 4 months ago /bin/sh -c #(nop) ENTRYPOINT ["/entrypoint.… 0B <missing> 4 months ago /bin/sh -c #(nop) COPY file:507caa54f88c1f38… 155B <missing> 4 months ago /bin/sh -c #(nop) EXPOSE 5000 0B #打开的是5000端口 <missing> 4 months ago /bin/sh -c #(nop) VOLUME [/var/lib/registry] 0B #数据目录 <missing> 4 months ago /bin/sh -c #(nop) COPY file:4544cc1555469403… 295B <missing> 4 months ago /bin/sh -c #(nop) COPY file:21256ff7df5369f7… 20.1MB <missing> 4 months ago /bin/sh -c set -ex && apk add --no-cache… 1.28MB <missing> 4 months ago /bin/sh -c #(nop) CMD ["/bin/sh"] 0B <missing> 4 months ago /bin/sh -c #(nop) ADD file:e38375b009a2e2c9b… 4.41MB [root@server1 docker]# docker run -d -p 5000:5000 --name registry registry # 运行 e1be7cfce770c1474e6c7ad590194e77c7b38625b111dc93075cc3e196c930bf [root@server1 docker]# docker volume ls # 本地docker数据目录。 DRIVER VOLUME NAME local 79cd4dfd7a1065b487fdfd36c77ba31ad152eb1165080e07f8952470cef40621 # registry的 local 91f0897dbeda40ac75f20603dccb0459920191144c77eea663cccde1307b7f1d # 以前的 [root@server1 docker]# netstat -tnlp Active Internet connections (only servers) Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 3012/sshd tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 3120/master tcp6 0 0 :::5000 :::* LISTEN 4972/docker-proxy ## 能够看到5000端口打开。
如今咱们上传镜像到registry中。vim
[root@server1 docker]# docker tag nginx:latest localhost:5000/nginx:lastest # 打标签 [root@server1 docker]# docker push localhost:5000/nginx # 上传 The push refers to repository [localhost:5000/nginx] 6c7de695ede3: Pushed 2f4accd375d9: Pushed ffc9b21953f4: Pushed lastest: digest: sha256:8269a7352a7dad1f8b3dc83284f195bac72027dd50279422d363d49311ab7d9b size: 948 # 存放位置在: [root@server1 repositories]# pwd /var/lib/docker/volumes/79cd4dfd7a1065b487fdfd36c77ba31ad152eb1165080e07f8952470cef40621/_data/docker/registry/v2/repositories [root@server1 repositories]# ls nginx 咱们也能够这样查看: [root@server1 repositories]# curl localhost:5000/v2/_catalog {"repositories":["nginx"]} # nginx
如今咱们使用命令行操做不方便,并且远程链接的话必须使用 tls 加密,因此咱们如今作 tls 加密。安全
[root@server1 ~]# mkdir -p certs #创建目录用来存放证书 [root@server1 ~]# openssl req \ #生成证书和key > -newkey rsa:4096 -nodes -sha256 -keyout certs/westos.org.key \ > -x509 -days 365 -out certs/westos.org.crt ...... Country Name (2 letter code) [XX]:CN State or Province Name (full name) []:Shaanxi Locality Name (eg, city) [Default City]:Xi'an Organization Name (eg, company) [Default Company Ltd]:Westos Organizational Unit Name (eg, section) []:Linux Common Name (eg, your name or your server's hostname) []:westos.org Email Address []:root@westos.org # 输入证书的信息 [root@server1 ~]# ls busybox.tar containerd.io-1.2.5-3.1.el7.x86_64.rpm distroless docker docker-ce-cli-18.09.6-3.el7.x86_64.rpm nginx.tar ubuntu.tar certs container-selinux-2.21-1.el7.noarch.rpm distroless.tar docker-ce-18.09.6-3.el7.x86_64.rpm game2048.tar rhel7.tar [root@server1 ~]# ls certs/ westos.org.crt westos.org.key ## 就生成了证书和key文件 [root@server1 ~]# docker rm -f registry 删除这个容器,从新使用tls加密开启 registry [root@server1 ~]# docker run -d \ > --restart=always \ #容器开机自启 > --name registry \ #容器名 > -v "$(pwd)"/certs:/certs \ #证书目录的挂载 > -e REGISTRY_HTTP_ADDR=0.0.0.0:443 \ -e是编辑容器运行的参数 > -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/westos.org.crt \ #指定证书 > -e REGISTRY_HTTP_TLS_KEY=/certs/westos.org.key \ # 指定key > -p 443:443 \ # 端口映射 > registry # 镜像 2775257a5127111ca9f188304a7c938b76875c841e9c5a861eac8c842bd96676 [root@server1 ~]# docker ps CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES 2775257a5127 registry "/entrypoint.sh /etc…" 7 seconds ago Up 6 seconds 0.0.0.0:443->443/tcp, 5000/tcp registry [root@server1 ~]# netstat -tnlp Active Internet connections (only servers) Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 3012/sshd tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 3120/master tcp6 0 0 :::22 :::* LISTEN 3012/sshd tcp6 0 0 ::1:25 :::* LISTEN 3120/master tcp6 0 0 :::443 :::* LISTEN 5381/docker-proxy ## 加密的端口已经打开了。 [root@server1 ~]# vim /etc/hosts # 写一下解析,由于咱们刚才使用的是westos这个名字 172.25.254.1 server1 westos.org # 而后咱们让每一个docker的守护进程都信任这个证书 [root@server1 ~]# mkdir -p /etc/docker/certs.d/westos.org [root@server1 ~]# cp certs/westos.org.crt /etc/docker/certs.d/westos.org/ [root@server1 ~]# cd /etc/docker/certs.d/westos.org/ [root@server1 westos.org]# mv westos.org.crt ca.crt [root@server1 westos.org]# ls ca.crt # 更名为 ca.crt
上传镜像: [root@server1 westos.org]# docker tag nginx:latest westos.org/nginx:latest #咱们刚才作了解析,不然这里不识别 [root@server1 westos.org]# docker images REPOSITORY TAG IMAGE ID CREATED SIZE localhost:5000/nginx lastest 9beeba249f3e 8 days ago 127MB westos.org/nginx latest 9beeba249f3e 8 days ago 127MB # 建立成功 [root@server1 repositories]# docker push westos.org/nginx The push refers to repository [westos.org/nginx] 6c7de695ede3: Pushed 2f4accd375d9: Pushed ffc9b21953f4: Pushed latest: digest: sha256:8269a7352a7dad1f8b3dc83284f195bac72027dd50279422d363d49311ab7d9b size: 948 [root@server1 repositories]# netstat -tnlp tcp6 0 0 :::443 :::* LISTEN 5381/docker-proxy 咱们只有443端口打开,此次就走的是443端口,使用了TLS加密
[root@server1 ~]# mkdir auth # 创建用户认证目录 [root@server1 ~]# docker run \ > --entrypoint htpasswd \ > registry -Bbn admin westos > auth/htpasswd [root@server1 ~]# docker ps -a CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES 9207ef348e06 registry "htpasswd -Bbn admin…" 7 seconds ago Exited (0) 6 seconds ago clever_proskuriakova 2775257a5127 registry "/entrypoint.sh /etc…" 34 minutes ago Up 34 minutes 0.0.0.0:443->443/tcp, 5000/tcp registry [root@server1 ~]# docker rm -f clever_proskuriakova # 运行完删除它 clever_proskuriakova [root@server1 ~]# cat auth/htpasswd admin:$2y$05$cBCyZDWgWoU8rnmvOCU7rO2XTCvVP6kIJ6fdeOV2l5Di8Gyg6hG1i ## 生成咱们须要的用户和加密字符就行了。 # 咱们还能够在追加一个用户。 [root@server1 ~]# docker run --rm --entrypoint htpasswd registry -Bbn cay caoaoyuan >> auth/htpasswd [root@server1 ~]# cat auth/htpasswd admin:$2y$05$cBCyZDWgWoU8rnmvOCU7rO2XTCvVP6kIJ6fdeOV2l5Di8Gyg6hG1i cay:$2y$05$nBO8Or64HGWvRQhYgEYnouWZ4NAeQxOTaKuMwIVJdGwvCMuIUXTKu 从新运行registry: [root@server1 ~]# docker rm -f registry registry [root@server1 ~]# docker run -d \ > --restart=always \ > --name registry \ > -v "$(pwd)"/certs:/certs \ > -e REGISTRY_HTTP_ADDR=0.0.0.0:443 \ > -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/westos.org.crt \ > -e REGISTRY_HTTP_TLS_KEY=/certs/westos.org.key \ > -p 443:443 \ > -v "$(pwd)"/auth:/auth \ # 用户认证目录挂载 > -e "REGISTRY_AUTH=htpasswd" \ # 认证文件 > -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" \ # > -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd \ #认证路径 > registry
测试:
[root@server1 ~]# docker push westos.org/nginx The push refers to repository [westos.org/nginx] 6c7de695ede3: Preparing 2f4accd375d9: Preparing ffc9b21953f4: Preparing no basic auth credentials #没有基础的用户认证,因此不能上传 [root@server1 ~]# docker login westos.org Username: admin Password: WARNING! Your password will be stored unencrypted in /root/.docker/config.json. Configure a credential helper to remove this warning. See https://docs.docker.com/engine/reference/commandline/login/#credentials-store Login Succeeded [root@server1 ~]# docker push westos.org/nginx The push refers to repository [westos.org/nginx] 6c7de695ede3: Pushed 2f4accd375d9: Pushed # 登录后就能够上传了 ffc9b21953f4: Pushed latest: digest: sha256:8269a7352a7dad1f8b3dc83284f195bac72027dd50279422d363d49311ab7d9b size: 948
两个用户就都登录成功了。
registry 工做原理:
它有三个角色:Docker index 、registry、client
index起用户认证和索引的做用。registry是仓库,client是客户端
docker pull 发起请求, index进行认证和索引,查找到请求的镜像的地址,而后返回给客户端。
客户端从registry去下载镜像,这时 registry 会先去 index 服务器上作 token 合法性校验,给一个镜像的token(校验码),而后 registry 用 token 去 index 上看这个 token 和用户想要下载的镜像的 token 是否一致,若是匹配,就拉起镜像。
开启server2主机进行远程链接。
#先写本地解析: [root@server2 ~]# vim /etc/hosts 172.25.254.1 server1 westos.org #再把证书从server1上拷贝到server2上,远程链接须要认证 [root@server1 ~]# scp -r /etc/docker/certs.d server2:/etc/docker/ [root@server2 certs.d]# ls westos.org [root@server2 certs.d]# cd westos.org/ [root@server2 westos.org]# ls ca.crt [root@server2 westos.org]# docker login westos.org Username: admin Password: WARNING! Your password will be stored unencrypted in /root/.docker/config.json. Configure a credential helper to remove this warning. See https://docs.docker.com/engine/reference/commandline/login/#credentials-store Login Succeeded #就登陆进去了 [root@server2 westos.org]# docker pull westos.org/nginx #能够下载镜像。 Using default tag: latest latest: Pulling from nginx afb6ec6fdc1c: Pull complete b90c53a0b692: Pull complete 11fa52a0fdc0: Pull complete Digest: sha256:8269a7352a7dad1f8b3dc83284f195bac72027dd50279422d363d49311ab7d9b rStatus: Downloaded newer image for westos.org/nginx:latest [root@server2 westos.org]# docker images REPOSITORY TAG IMAGE ID CREATED SIZE westos.org/nginx latest 9beeba249f3e 9 days ago 127MB [root@server2 westos.org]# docker run -d --name nginx -p 80:80 westos.org/nginx 21d271bdfc9cde7c5ed6279a2093e4e9d7fe74e4caf365c7da4b9091e34301f6 [root@server2 westos.org]# docker ps # 正常运行 CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES 21d271bdfc9c westos.org/nginx "nginx -g 'daemon of…" 3 seconds ago Up 2 seconds 0.0.0.0:80->80/tcp nginx [root@server2 westos.org]# curl localhost # 而且能够访问 <!DOCTYPE html> <html> <head> <title>Welcome to nginx!</title> <style>