[root@rabbit1 images]# yum list installed |grep docker
containerd.io.x86_64 1.2.10-3.2.el7 @docker-ce-stable
docker-ce.x86_64 3:19.03.5-3.el7 @docker-ce-stable
docker-ce-cli.x86_64 1:19.03.5-3.el7 @docker-ce-stable
Note: docker-ce-cli.x86_64 is the Docker client program, and docker-ce.x86_64 is the Docker server (daemon) program.
yum remove containerd.io.x86_64
yum remove docker-ce-cli.x86_64
yum install docker-ce
You can also list every available Docker version with the following command and install a specific version as needed:
yum search docker-ce --showduplicates
--showduplicates lists all available versions.
systemctl start docker
docker run -d -p 5000:5000 --restart=always --name registry \
-e REGISTRY_HTTP_ADDR=0.0.0.0:5000 \
-v /home/images:/var/lib/registry \
registry:2.7.1
Note: this example is for test environments only. A production registry must be protected by TLS and should ideally use an access-control mechanism.
docker pull ubuntu
docker tag ubuntu xxx.xxx.xxx.xxx:5000/ubuntu
docker push xxx.xxx.xxx.xxx:5000/ubuntu
The push may fail with the following error:
[root@rabbit1 images]# docker push xx.xx.xx.xxx:5000/ubuntu
The push refers to repository [xx.xx.xx.xxx:5000/ubuntu]
Get https://xx.xx.xx.xx:5000/v2/: http: server gave HTTP response to HTTPS client
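In that case, we can add the registry address as an insecure registry in /etc/docker/daemon.json (this approach is suitable for test environments only; in production, use TLS certificates as described later in this article):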
{ "insecure-registries":["xx.xx.xx.xxx:5000"] }
Then restart Docker:
systemctl restart docker
docker image remove ubuntu
docker image remove xx.xx.xx.xx:5000/ubuntu
Alternatively:
docker rmi <image-name>
Pull the image from the private registry to the local machine:
docker pull xx.xx.xx.xx:5000/ubuntu
docker container stop registry
docker container start registry
docker container stop registry && docker container rm -v registry
## Stores the images held by the registry service
/home/docker-registry/images
## Stores the generated TLS certificate
/home/docker-registry/certs
## Stores usernames and passwords
/home/docker-registry/auth
openssl req \
-newkey rsa:4096 -nodes -sha256 -keyout /home/docker-registry/certs/registry.key \
-x509 -days 3650 -out /home/docker-registry/certs/registry.crt
docker run -d -p 5000:5000 --restart=always --name registry \
-v /home/docker-registry/images:/var/lib/registry \
-v /home/docker-registry/certs:/certs \
-e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/registry.crt \
-e REGISTRY_HTTP_TLS_KEY=/certs/registry.key \
registry:2
$ docker pull ubuntu
$ docker tag ubuntu myregistry.domain.com/my-ubuntu
$ docker push myregistry.domain.com/my-ubuntu
$ docker pull myregistry.domain.com/my-ubuntu
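The simplest way to restrict access is basic authentication (this is very similar to the basic-authentication mechanism of other web servers).
Note: basic authentication must not be combined with an authentication scheme that sends user credentials in clear text; you must configure TLS first before you can use native basic authentication.
## Stores the images held by the registry service
/home/docker-registry/images
## Stores the generated TLS certificate
/home/docker-registry/certs
## Stores usernames and passwords
/home/docker-registry/auth
## Generate a username and password; a single > overwrites the file, while >> appends the username and password to the file
docker run --rm \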
--entrypoint htpasswd \
registry:2 -Bbn admin2 admin2 >> /home/docker-registry/auth/htpasswd
openssl req \
-newkey rsa:4096 -nodes -sha256 -keyout /home/docker-registry/certs/registry.key \
-x509 -days 3650 -out /home/docker-registry/certs/registry.crt
docker run -d -p 9527:5000 --restart=always --name registry \
-v /home/docker-registry/images:/var/lib/registry \
-v /home/docker-registry/certs:/certs \
-v /home/docker-registry/auth:/auth \
-e "REGISTRY_AUTH=htpasswd" \
-e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" \
-e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd \
-e REGISTRY_HTTP_ADDR=0.0.0.0:5000 \
-e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/registry.crt \
-e REGISTRY_HTTP_TLS_KEY=/certs/registry.key \
-e REGISTRY_STORAGE_DELETE_ENABLED=true \
registry:2
docker login xx.xx.xx.xx:5000
Logging in then fails with the following error:
Error response from daemon: Get https://xx.xx.xx.com:5000/v2/: x509: certificate signed by unknown authority
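This happens because the certificate has not been installed on the client:
Linux: copy registry.crt to /etc/docker/certs.d/<domain-or-hostname>:5000/ca.crt; Docker does not need to be restarted (if you use a hostname, map it in /etc/hosts).
Windows client: right-click the certificate and install it, then restart Docker.
Mac client: copy registry.crt to ~/.docker/certs.d/<domain-or-hostname>:5000/ca.crt, the same way the certificate is installed on a Linux client.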
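A client-side check for the two trust paths this article describes (the insecure-registries entry in daemon.json and the ca.crt under certs.d), given as an added example that is not part of the original post. The function name registry_trust_status, its status words and the registry.example.test host are assumptions, and daemon.json is read with a simple textual parse.

```shell
#!/bin/sh
# Added example, not from the original article. The function name, status
# words and the registry.example.test host are assumptions of this example.
#
# registry_trust_status HOST:PORT [DAEMON_JSON] [CERTS_ROOT]
# Prints how the Docker client on this host will treat the registry:
#   insecure   - listed in "insecure-registries": certificate errors are
#                ignored and the client may fall back to plain HTTP
#   key-leak   - the client's ca.crt also contains a private key
#   trusted-ca - a CA certificate is installed for this registry
#   untrusted  - neither; a self-signed registry fails with the x509 error
registry_trust_status() {
    registry=$1
    daemon_json=${2:-/etc/docker/daemon.json}
    certs_root=${3:-/etc/docker/certs.d}
    ca_file="$certs_root/$registry/ca.crt"

    # Simple textual parse: flatten the JSON, cut out the array body, put one
    # entry per line, strip the quotes, then require an exact match.
    if [ -r "$daemon_json" ] && tr -d ' \t\r\n' < "$daemon_json" |
        sed -n 's/.*"insecure-registries":\[\([^]]*\)].*/\1/p' |
        tr ',' '\n' | tr -d '"' | grep -Fxq -- "$registry"; then
        echo insecure
    elif [ -r "$ca_file" ] && grep -q 'PRIVATE KEY-----' "$ca_file"; then
        echo key-leak
    elif [ -r "$ca_file" ] && grep -q 'BEGIN CERTIFICATE-----' "$ca_file"; then
        echo trusted-ca
    else
        echo untrusted
    fi
}

# Demo on constructed files in a temporary directory (not real host config).
demo=$(mktemp -d)
reg=registry.example.test:5000
printf '{ "insecure-registries":["%s"] }\n' "$reg" > "$demo/daemon.json"
registry_trust_status "$reg" "$demo/daemon.json" "$demo/certs.d"   # insecure
printf '{}\n' > "$demo/daemon.json"
mkdir -p "$demo/certs.d/$reg"
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'constructed' \
    '-----END CERTIFICATE-----' > "$demo/certs.d/$reg/ca.crt"
registry_trust_status "$reg" "$demo/daemon.json" "$demo/certs.d"   # trusted-ca
rm -rf "$demo"
```

Run with only the registry address to check the real /etc/docker paths; an "insecure" result on a host that has since moved to TLS means the test-only daemon.json entry was never removed.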
If you see the following error, the client is not logged in:
Error response from daemon: Get https://xx.xx.xx:5000/v2/mycentos7/manifests/latest: no basic auth credentials
docker logout xx.xx.xx.xx:5000
docker container stop registry && docker container rm -v registry
curl -XGET http://xxxx.xx.xx.xx:5000/v2/_catalog
curl -XGET http://xxxx.xx.xx.xx:5000/v2/<image-name>/tags/list
Success:
docker run -it -p 9528:8080 --name registry-web --link registry \
-e REGISTRY_URL=https://registry:5000/v2 \
-e REGISTRY_TRUST_ANY_SSL=true \
-e REGISTRY_BASIC_AUTH="YWRtaW46YWRtaW4=" \
-e REGISTRY_NAME=emisdockerhub.eastmoney.com:9027 \
-e REGISTRY_READONLY=false \
hyper/docker-registry-web
Reference 1: https://hub.docker.com/_/registry
Reference 2: https://docs.docker.com/registry/deploying/
API reference: https://docs.docker.com/registry/spec/api/
Insecure registry reference: https://docs.docker.com/registry/insecure/