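Docker Registry Management
A Docker registry, much like a yum repository, is where images are stored. To make Docker images easier to manage and use, store them centrally in a Docker registry: push finished images to the registry, and pull them from it whenever they are needed.
Docker registries fall into two kinds: public cloud registries and private cloud registries
Public cloud registry: a registry that an internet company makes publicly available
- Official
- Third-party registries such as Alibaba Cloud
Private cloud registry: a registry set up inside an organization, generally for internal use only; it is usually built with one of the following
- docker registry
- docker harbor
Official Docker registry
Upload self-built images to the Docker registry: https://hub.docker.com/
Register an account
Visit hub.docker.com, register an account, and log in
Managing images with a user repository
Every registered user can upload and manage their own images
User login
Before uploading an image, run the docker login command to log in; after login, the file ~/.docker/config.json is created to hold the authentication information
Format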
docker login [OPTIONS] [SERVER]
Options:
-p, --password string Password
--password-stdin Take the password from stdin
-u, --username string Username
Example:
#Log in to the official Docker registry, method 1
[root@ubuntu1804 ~]#docker login -u ayaka -pP@ssw0rd! docker.io
WARNING! Using --password via the CLI is insecure. Use --password-stdin.
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
#Log in to the official Docker registry, method 2
[root@ubuntu1804 ~]#docker login
Login with your Docker ID to push and pull images from Docker Hub. If you don't
have a Docker ID, head over to https://hub.docker.com to create one.
Username: ayaka
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
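#After a successful login the authentication information is generated automatically; later logins happen automatically, with no need to log in by hand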
[root@ubuntu1804 ~]#cat .docker/config.json
{
"auths": {
"https://index.docker.io/v1/": {
"auth": "d2FuZ3hpYW9jaHVuOjEyMzQ1Ng=="
}
},
"HttpHeaders": {
"User-Agent": "Docker-Client/19.03.5 (linux)"
}
}[root@ubuntu1804 ~]#
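The auth value in the file above is the base64 encoding of username:password, which is what the "stored unencrypted" warning from docker login refers to. The following audit script is an added example, not part of the original tutorial; the function name, the sample credentials and the registry.example.internal host are constructed for illustration, and matching credHelpers by exact key is a simplification.

```python
import base64
import json

def audit_docker_config(config_text, file_mode=None):
    """Return (location, finding) pairs for a Docker client config.json."""
    cfg = json.loads(config_text)
    findings = []
    helpers = cfg.get("credHelpers", {})
    store = cfg.get("credsStore")
    for registry, entry in cfg.get("auths", {}).items():
        blob = entry.get("auth")
        if not blob:
            continue  # empty entry: the secret is held by a credential helper
        try:
            decoded = base64.b64decode(blob, validate=True).decode()
        except (ValueError, UnicodeDecodeError):
            findings.append((registry, "auth field is not valid base64 text"))
            continue
        user, _, secret = decoded.partition(":")
        # Report the user and the secret's length only, never the secret itself.
        findings.append((registry,
                         f"inline credential for user {user!r}: "
                         f"{len(secret)}-char secret is only base64-encoded"))
        if not store and registry not in helpers:
            findings.append((registry, "no credsStore or credHelpers configured"))
    if file_mode is not None and file_mode & 0o077:
        findings.append(("config.json",
                         f"mode {file_mode:o} is readable beyond the owner"))
    return findings

# Constructed sample in the same shape as the config.json shown above.
SAMPLE = json.dumps({
    "auths": {
        "https://index.docker.io/v1/": {
            "auth": base64.b64encode(b"demo-user:not-a-real-password").decode()
        },
        "registry.example.internal:5000": {},
    },
})

if __name__ == "__main__":
    for where, what in audit_docker_config(SAMPLE, file_mode=0o644):
        print(f"{where}: {what}")
```

With a credential helper configured, docker login leaves the auths entry empty and the script reports nothing for that registry.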
Tag the local image
Before uploading a local image, you must first tag it with the docker tag command
Tag format: docker.io/user-account/image-name:TAG
[root@ubuntu1804 ~]#docker tag alpine:3.11 docker.io/ayaka/alpine:3.11-v1
[root@ubuntu1804 ~]#docker images
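alpine 3.11 b162eecf4da9 20 hours ago 5.59MB
Upload the local image to the official site
#If the tag is omitted, all versions of the specified REPOSITORY are uploaded, as in the following example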
#[root@ubuntu1804 ~]#docker push docker.io/ayaka/alpine
[root@ubuntu1804 ~]#docker push docker.io/ayaka/alpine:3.11-v1
The push refers to repository [docker.io/ayaka/alpine]
5216338b40a7: Mounted from ayaka/alpine-base
3.11-v1: digest: sha256:ddba4d27a7ffc3f86dd6c2f92041af252a1f23a8e742c90e6e1297bfa1bc0c45 size: 528
Verify the uploaded image on the website
Download the uploaded image and create a container
Download the image on another host
[root@centos7 ~]#docker pull ayaka/alpine:3.11-v1
3.11-v1: Pulling from ayaka/alpine
c9b1b535fdd9: Already exists
Digest: sha256:ddba4d27a7ffc3f86dd6c2f92041af252a1f23a8e742c90e6e1297bfa1bc0c45
Status: Downloaded newer image for ayaka/alpine:3.11-v1
docker.io/ayaka/alpine:3.11-v1
[root@centos7 ~]#docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
ayaka/alpine 3.11-v1 e7d92cdc71fe 12 days ago 5.59MB
[root@centos7 ~]#docker run -it --rm ayaka/alpine:3.11-v1 sh
/ # cat /etc/issue
Welcome to Alpine Linux 3.11
Kernel \r on an \m (\l)
/ # du -sh /
5.6M /
/ # exit
[root@centos7 ~]#
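Managing images with an organization
An organization is similar to a namespace. Each organization name is unique across the whole site; one organization can be used by multiple user accounts, and different users can be given different permissions on the repositories within the organization
Three permission levels
- Read-only: Pull and view repository details and builds
- Read & Write: Pull, push, and view a repository; view, cancel, retry or trigger builds
- Admin: Pull, push, view, edit, and delete a repository; edit build settings; update the repository description
Create an organization
Create teams within the organization and assign permissions
Log in before uploading the image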
[root@ubuntu1804 ~]#docker login docker.io
Login with your Docker ID to push and pull images from Docker Hub. If you don't
have a Docker ID, head over to https://hub.docker.com to create one.
Username: ayaka
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
[root@ubuntu1804 ~]#cat .docker/config.json
{
"auths": {
"https://index.docker.io/v1/": {
"auth": "d2FuZ3hpYW9jaHVuOjEyMzQ1Ng=="
}
},
"HttpHeaders": {
"User-Agent": "Docker-Client/19.03.5 (linux)"
}
}[root@ubuntu1804 ~]#
Tag the local image
[root@ubuntu1804 ~]#docker tag alpine-base:3.11 docker.io/ayalinux/alpine-base:3.11
Upload the image to the specified organization
[root@ubuntu1804 ~]#docker push docker.io/ayalinux/alpine-base:3.11
View the uploaded image on the website
Download the uploaded image and run a container
[root@centos7 ~]#docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
[root@centos7 ~]#docker pull ayalinux/alpine-base:3.11
3.11: Pulling from ayalinux/alpine-base
c9b1b535fdd9: Pull complete
327af1e87fd8: Pull complete
d88818b49372: Pull complete
Digest: sha256:7931fed46d377698dacb194d46017c53bc24f2e9ee41e893e6900c07d1153536
Status: Downloaded newer image for ayalinux/alpine-base:3.11
docker.io/ayalinux/alpine-base:3.11
[root@centos7 ~]#docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
ayalinux/alpine-base 3.11 b162eecf4da9 20 hours ago 182MB
[root@centos7 ~]#docker run -it --rm ayalinux/alpine-base:3.11 sh
/ # cat /etc/issue
Welcome to Alpine Linux 3.11
Kernel \r on an \m (\l)
/ # du -sh /
190.1M /
/ # exit
[root@centos7 ~]#
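Alibaba Cloud Docker registry
Register and log in to the Alibaba Cloud registry
Open http://cr.console.aliyun.com in a browser and log in to the site with your registered user information
Set a dedicated registry management password
Create a repository
This step does not have to be done in advance; docker push can create a private repository automatically
Log in to Alibaba Cloud before uploading images
#Log in with the dedicated registry management password set earlier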
[root@ubuntu1804 ~]#docker login --username=66386638@qq.com registry.cn-beijing.aliyuncs.com
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
#The login password is saved in ~/.docker/config.json, so it will not need to be entered again at the next login
Tag the images to upload
[root@ubuntu1804 ~]#docker tag alpine-base:3.11 registry.cn-beijing.aliyuncs.com/ayaka/alpine:3.11-v1
[root@ubuntu1804 ~]#docker tag centos7-base:v1 registry.cn-beijing.aliyuncs.com/ayaka/centos7-base:v1
Upload the images to Alibaba Cloud
[root@ubuntu1804 ~]# docker push registry.cn-beijing.aliyuncs.com/ayaka/alpine:3.11-v1
[root@ubuntu1804 ~]#docker push registry.cn-beijing.aliyuncs.com/ayaka/centos7-base:v1
View the uploaded images on the website
Download the newly uploaded image on another host and run a container
[root@centos7 ~]#docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
[root@centos7 ~]# docker pull registry.cn-beijing.aliyuncs.com/ayaka/alpine:3.11-v1
3.11-v1: Pulling from ayaka/alpine
c9b1b535fdd9: Pull complete
327af1e87fd8: Pull complete
d88818b49372: Pull complete
Digest: sha256:7931fed46d377698dacb194d46017c53bc24f2e9ee41e893e6900c07d1153536
Status: Downloaded newer image for registry.cn-beijing.aliyuncs.com/ayaka/alpine:3.11-v1
registry.cn-beijing.aliyuncs.com/ayaka/alpine:3.11-v1
[root@centos7 ~]#docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
registry.cn-beijing.aliyuncs.com/ayaka/alpine 3.11-v1 b162eecf4da9 22 hours ago 182MB
[root@centos7 ~]#docker run -it --rm b162eecf4da9 sh
/ # cat /etc/issue
Welcome to Alpine Linux 3.11
Kernel \r on an \m (\l)
/ # du -sh /
190.1M /
/ # exit
#The uploaded centos7-base:v1 is a private image, so you must log in before downloading it
[root@centos7 ~]#docker pull registry.cn-beijing.aliyuncs.com/ayaka/centos7-base:v1
Error response from daemon: pull access denied for registry.cn-beijing.aliyuncs.com/ayaka/centos7-base, repository does not exist or may require 'docker login': denied: requested access to the resource is denied
[root@centos7 ~]#docker login registry.cn-beijing.aliyuncs.com
Username: yaya
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
[root@centos7 ~]#docker pull registry.cn-beijing.aliyuncs.com/ayaka/centos7-base:v1
v1: Pulling from ayaka/centos7-base
f34b00c7da20: Pull complete
544476d462f7: Pull complete
39345915aa1b: Pull complete
Digest: sha256:02cd943f2569c7c55f08a979fd9661f1fd7893c424bca7b343188654ba63d98d
Status: Downloaded newer image for registry.cn-beijing.aliyuncs.com/ayaka/centos7-base:v1
registry.cn-beijing.aliyuncs.com/ayaka/centos7-base:v1
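Private single-host registry: Docker Registry
Introduction to Docker Registry
Docker Registry, one of Docker's core components, handles the storage and distribution of image content on a single host; the client's docker pull and push commands interact directly with the registry. The first version of the registry was implemented in Python. Because its early design had many flaws in security, performance, and API design, development of that version stopped after 0.9, and a new project, distribution (the new Docker registry is called Distribution), took over to redesign and develop the next-generation registry. The new project is written in Go, and the entire API, the underlying storage scheme, and the system architecture were completely redesigned to solve the problems of the previous-generation registry. Registry 2.0 was officially released in April 2016, and Docker 1.6 began to support registry 2.0; in August, with the release of Docker 1.8, Docker Hub officially switched to registry 2.1, fully replacing the earlier registry. The new registry redesigned the image storage format and is incompatible with the old one: Docker 1.5 and earlier cannot read 2.0 images. In addition, Registry 2.4 and later support a recycle-bin mechanism, meaning images can be deleted; before 2.4, deleting images was not supported. So if you are going to use it, a version later than Registry 2.4 is best.
Official documentation: https://docs.docker.com/registry/
Official GitHub repository: https://github.com/docker/distribution
Official deployment guide: https://github.com/docker/docker.github.io/blob/master/registry/deploying.md
The following uses the official docker registry image to set up a simple local private registry environment
Environment: three hosts
10.0.0.100: acts as the registry server
10.0.0.101: uploads images
10.0.0.102: downloads images
Download the docker registry image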
[root@ubuntu1804 ~]#docker pull registry:2.7.1
[root@ubuntu1804 ~]#docker images
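REPOSITORY TAG IMAGE ID CREATED SIZE
registry 2.7.1 708bc6af7e5e 6 days ago 25.8MB
Set up the single-host registry
Create the directory that holds the authorized user's password file
[root@ubuntu1804 ~]#mkdir -p /etc/docker/auth
Create the authorized registry user and password
Create a registry user for uploading and downloading images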
[root@ubuntu1804 ~]#apt -y install apache2-utils
[root@ubuntu1804 ~]#htpasswd -Bbn wang 123456 > /etc/docker/auth/registry
[root@ubuntu1804 ~]#cat /etc/docker/auth/registry
wang:$2y$05$nlRIIYEUBTSLdN2PkzodUue4ry7X/UyscpkkEufTDhEdI8nsyJMR6
#On older versions, the user and password file can be generated as follows
[root@ubuntu1804 ~]#docker run --entrypoint htpasswd registry:2.7.1 -Bbn wang 123456 > /etc/docker/auth/registry
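The registry's htpasswd authentication accepts only bcrypt entries, and the $2y$05$ prefix in the file above records the bcrypt cost (5) that htpasswd -B used. The following checker is an added example, not part of the original tutorial; the function name, the minimum cost of 10 (an assumed local policy value) and the two extra sample users are constructed for illustration.

```python
import re

# bcrypt digests start with $2a$, $2b$ or $2y$ followed by a two-digit cost.
BCRYPT = re.compile(r"^\$2[aby]\$(\d{2})\$")

def audit_htpasswd(text, min_cost=10):
    """Classify each htpasswd entry; min_cost is an assumed policy value."""
    report = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        user, sep, digest = line.partition(":")
        if not sep or not digest:
            report[user] = "malformed entry"
            continue
        m = BCRYPT.match(digest)
        if m is None:
            report[user] = "not bcrypt: the registry ignores this entry"
        elif int(m.group(1)) < min_cost:
            report[user] = (f"bcrypt cost {int(m.group(1))} is below "
                            f"policy minimum {min_cost}")
        else:
            report[user] = "ok"
    return report

# First line is the entry shown above; the other two are constructed samples.
SAMPLE_HTPASSWD = "\n".join([
    "wang:$2y$05$nlRIIYEUBTSLdN2PkzodUue4ry7X/UyscpkkEufTDhEdI8nsyJMR6",
    "builder:$apr1$constructed$0000000000000000000000",
    "ci:$2y$12$" + "x" * 53,
])

if __name__ == "__main__":
    for user, verdict in audit_htpasswd(SAMPLE_HTPASSWD).items():
        print(f"{user}: {verdict}")
```

The -b flag used above puts the password on the command line, where it ends up in shell history; htpasswd -C sets a higher bcrypt cost.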
Start the docker registry container
[root@ubuntu1804 ~]# docker run -d -p 5000:5000 --restart=always --name registry -v /etc/docker/auth:/auth -e "REGISTRY_AUTH=htpasswd" -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/registry registry:2.7.1
998f970dd8ca6b98002f20ae27330fe607ca78f35bedcc8a6180688e48a907a7
Verify the port and the container
[root@ubuntu1804 ~]#docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
998f970dd8ca registry:2.7.1 "/entrypoint.sh /etc…" About a minute ago Up About a minute 0.0.0.0:5000->5000/tcp registry
Log in to the registry
Logging in directly fails
#docker login uses https by default, while this docker registry serves http, so login fails by default
[root@ubuntu1804 ~]#docker login 10.0.0.100:5000
Username: wang
Password:
Error response from daemon: Get https://10.0.0.100:5000/v2/: dial tcp 10.0.0.100:5000: connect: connection refused
Add the registry server address to the service unit file
Official documentation
https://docs.docker.com/retired/
Example
#Change the configuration so that docker login supports the http protocol
[root@ubuntu1804 ~]#vim /lib/systemd/system/docker.service
[root@ubuntu1804 ~]#grep ExecStart /lib/systemd/system/docker.service
ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock --insecure-registry 10.0.0.100:5000
#Or modify the following file
[root@ubuntu1804 ~]#vim /etc/docker/daemon.json
{
"registry-mirrors": ["https://si7y70hh.mirror.aliyuncs.com"],
"insecure-registries": ["10.0.0.100:5000"]
}
[root@ubuntu1804 ~]#systemctl daemon-reload
[root@ubuntu1804 ~]#systemctl restart docker
[root@ubuntu1804 ~]#ps aux|grep dockerd
root 2092 1.3 8.4 757088 83056 ? Ssl 19:19 0:00 /usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock --insecure-registry 10.0.0.100:5000
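Marking 10.0.0.100:5000 as an insecure registry tells the daemon to reach it without verified TLS, so the htpasswd login and the image layers in this walkthrough cross the network over plain HTTP. The following check is an added example, not part of the original tutorial: it lists such entries from both places the tutorial edits (the ExecStart line and daemon.json); the function names are constructed for illustration, and the sample inputs are copied from the configuration above.

```python
import ipaddress
import json
import shlex

def insecure_registries(daemon_json_text="", exec_start=""):
    """Collect every registry the daemon may contact without verified TLS."""
    found = []
    if daemon_json_text.strip():
        found += json.loads(daemon_json_text).get("insecure-registries", [])
    args = shlex.split(exec_start)
    for i, arg in enumerate(args):
        if arg == "--insecure-registry" and i + 1 < len(args):
            found.append(args[i + 1])
        elif arg.startswith("--insecure-registry="):
            found.append(arg.split("=", 1)[1])
    return sorted(set(found))

def is_loopback(entry):
    """True when the entry names only this host (localhost or 127.0.0.0/8)."""
    # Strip a single ":port"; bracketed IPv6 forms fall through as remote.
    host = entry.rsplit(":", 1)[0] if entry.count(":") == 1 else entry
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_network(host, strict=False).is_loopback
    except ValueError:
        return False  # a DNS name or unparsed form: treat as remote

def audit(daemon_json_text="", exec_start=""):
    """Return the insecure entries that are reachable over the network."""
    return [r for r in insecure_registries(daemon_json_text, exec_start)
            if not is_loopback(r)]

# Inputs copied from the daemon.json and ExecStart line shown above.
DAEMON_JSON = """{
"registry-mirrors": ["https://si7y70hh.mirror.aliyuncs.com"],
"insecure-registries": ["10.0.0.100:5000"]
}"""
EXEC_START = ("ExecStart=/usr/bin/dockerd -H fd:// "
              "--containerd=/run/containerd/containerd.sock "
              "--insecure-registry 10.0.0.100:5000")

if __name__ == "__main__":
    for registry in audit(DAEMON_JSON, EXEC_START):
        print(f"no verified TLS for {registry}")
```

Serving the registry over TLS with a certificate the clients trust removes the need for either setting.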
Log in again; this time it succeeds
Run the following login on host 10.0.0.101
[root@ubuntu1804 ~]#docker login 10.0.0.100:5000
Username: wang
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
[root@ubuntu1804 ~]#
Tag and upload the image
Tag and upload the image on host 10.0.0.101
[root@ubuntu1804 ~]#docker tag centos7-base:v1 10.0.0.100:5000/centos7-base:v1
[root@ubuntu1804 ~]#docker push 10.0.0.100:5000/centos7-base:v1
The push refers to repository [10.0.0.100:5000/centos7-base]
2073413aebd6: Pushed
6ec9af97c369: Pushed
034f282942cd: Pushed
v1: digest: sha256:02cd943f2569c7c55f08a979fd9661f1fd7893c424bca7b343188654ba63d98d size:949
Download the image and start a container
Download the image and start a container on host 10.0.0.102
First modify the docker service file
[root@ubuntu1804 ~]#vim /lib/systemd/system/docker.service
[root@ubuntu1804 ~]#grep ExecStart /lib/systemd/system/docker.service
ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock --insecure-registry 10.0.0.100:5000
[root@ubuntu1804 ~]#systemctl daemon-reload
[root@ubuntu1804 ~]#systemctl restart docker
Log in to the registry server
[root@ubuntu1804 ~]#docker login 10.0.0.100:5000
Username: wang
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
Download the image and start a container
[root@ubuntu1804 ~]#docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
[root@ubuntu1804 ~]#docker pull 10.0.0.100:5000/centos7-base:v1
v1: Pulling from centos7-base
f34b00c7da20: Pull complete
544476d462f7: Pull complete
39345915aa1b: Pull complete
Digest: sha256:02cd943f2569c7c55f08a979fd9661f1fd7893c424bca7b343188654ba63d98d
Status: Downloaded newer image for 10.0.0.100:5000/centos7-base:v1
10.0.0.100:5000/centos7-base:v1
[root@ubuntu1804 ~]#docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
10.0.0.100:5000/centos7-base v1 34ab3afcd3b3 2 days ago 403MB
[root@ubuntu1804 ~]#docker run -it --rm 34ab3afcd3b3 bash
[root@2bcb26b1b568 /]# cat /etc/redhat-release
CentOS Linux release 7.7.1908 (Core)
[root@2bcb26b1b568 /]# exit
exit
[root@ubuntu1804 ~]#docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
[root@ubuntu1804 ~]#