The previous post broadly described how Docker works compared with traditional virtual machines, along with basic Docker usage. This post covers Docker network management and, in particular, how to set up a local (internal) Docker registry, i.e. a private registry, used to store and manage an organization's Docker images in one place.
Docker networks come in four types:
closed container: a closed container with no network access
open container: uses all of the host's network interfaces
joined network: several containers share one network namespace
Example:
docker run --name bbox1 -it --rm --net bridge busybox
Inside bbox1 start a web server: httpd -f -h /data/html
Then start a second container, bbox2, whose network is joined to bbox1:
docker run --name bbox2 --rm --net container:bbox1 -it busybox
Both containers now share the same network address (check with ifconfig); in bbox2,
wget localhost/index.html
fetches bbox1's web content through localhost.
bridged: bridge network; container ports are published with expose (DNAT)
After Docker starts it creates three networks by default; list them with docker network list
san@yongc-dong:~$ docker network list
NETWORK ID          NAME                DRIVER              SCOPE
ba4170b93ff8        bridge              bridge              local
4e8802445c71        host                host                local
d6685aeb00d4        none                null                local
Inspect the Docker bridge network:
san@yongc-dong:~$ docker network inspect bridge
bridge: attached to docker0 by default (private network)
host: uses the physical host's network namespace (open)
none: no network; networking is disabled
Create a container with no network
$ docker run --name bbox1 -it --rm --net none busybox
/ # ifconfig
lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0
Set the container's hostname and name resolution
san@yongc-dong:~$ docker run --name bbox1 -it --hostname bbox1.san.com --dns 172.16.0.188 --add-host www.san.com:172.16.0.188 --rm --net bridge busybox
/ # cat /etc/hosts
127.0.0.1       localhost
::1     localhost ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
172.16.0.188    www.san.com
172.17.0.3      bbox1.san.com bbox1
/ # hostname
bbox1.san.com
/ # cat /etc/resolv.conf
nameserver 172.16.0.188
Exposing container ports on the host
Container ports are published with the -p option (four forms; the rules are added to the iptables nat table automatically)
1. Map to a random host port:
docker run --name bbox1 -it --hostname bbox1.san.com --dns 172.16.0.188 --add-host www.san.com:172.16.0.188 --rm -p 80 busybox
$ docker port bbox1
80/tcp -> 0.0.0.0:32768
The container's web server is now reachable at host-ip:32768.
2. -p hostport:containerport, e.g. -p 80:80
3. -p hostip::containerport: map the container port to a random port on the given host IP:
-p 172.16.0.188::80
80/tcp -> 172.16.0.188:32768
4. -p hostip:hostport:containerport: map the container port to the given port on the given host IP:
80/tcp -> 172.16.0.188:80
Note: several ports can be published at the same time; a container that needs to expose more than one port uses one -p option per mapping.
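Every -p mapping above becomes a DNAT rule in the DOCKER chain of the nat table, and whether the rule carries a -d host address is what decides if the service is reachable from every host interface or only the one you chose. The script below, added here and not part of the original post, audits those rules and flags mappings that are not pinned to a host IP; the sample rules are constructed to match the post's four -p forms.

```sh
#!/bin/sh
# Audit the DNAT rules that `docker run -p` installs and flag ports open on all host interfaces.
# Input: output of `iptables -t nat -S DOCKER` (one rule per line) on stdin.
audit_docker_dnat() {
  awk '
    /^-A DOCKER / && /-j DNAT/ {
      dst = "0.0.0.0"; proto = "?"; dport = ""; to = ""
      for (i = 1; i <= NF; i++) {
        if ($i == "-d")               { split($(i+1), a, "/"); dst = a[1] }   # host IP given (forms 3 and 4)
        if ($i == "-p")               proto = $(i+1)
        if ($i == "--dport")          dport = $(i+1)
        if ($i == "--to-destination") to = $(i+1)                           # container ip:port
      }
      flag = (dst == "0.0.0.0") ? "  <- reachable on ALL host interfaces" : ""
      printf "%s:%s/%s -> %s%s\n", dst, dport, proto, to, flag
    }'
}

# Number of published ports that are not restricted to a specific host IP.
count_all_interfaces() {
  audit_docker_dnat | grep -c "ALL host interfaces"
}

# Constructed sample (not captured from a real host): one -p 80 mapping, one -p 172.16.0.188::80
# mapping and one -p 172.16.0.188:80:80 mapping, plus the non-DNAT rule Docker always adds.
SAMPLE_RULES='-A DOCKER -i docker0 -j RETURN
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 32768 -j DNAT --to-destination 172.17.0.2:80
-A DOCKER -d 172.16.0.188/32 ! -i docker0 -p tcp -m tcp --dport 32769 -j DNAT --to-destination 172.17.0.3:80
-A DOCKER -d 172.16.0.188/32 ! -i docker0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 172.17.0.4:80'

# On a live host run: iptables -t nat -S DOCKER | audit_docker_dnat
printf '%s\n' "$SAMPLE_RULES" | audit_docker_dnat
```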
Docker network management
Docker networks are changed through the docker daemon
Create a Docker network: docker network create
san@yongc-dong:~$ docker network create -d bridge --subnet=172.31.0.0/16 --ip-range=172.31.0.0/16 --gateway=172.31.255.254 mybr0
86e7cdf8507e0c1721e16f29693c471bfd2db0e4c7bc7be90a3f72ab7d699450
san@yongc-dong:~$ docker network ls
NETWORK ID          NAME                DRIVER              SCOPE
5579bb2c46f9        bridge              bridge              local
4e8802445c71        host                host                local
86e7cdf8507e        mybr0               bridge              local
d6685aeb00d4        none                null                local
On CentOS 7 the network configuration file is /etc/sysconfig/docker-network
san@yongc-dong:~$ docker run --name bbox1 --rm -it --net mybr0 busybox
eth0      Link encap:Ethernet  HWaddr 02:42:AC:1F:00:01
          inet addr:172.31.0.1  Bcast:172.31.255.255  Mask:255.255.0.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:22 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:2874 (2.8 KiB)  TX bytes:0 (0.0 B)
Attach a running container to a network: $ docker network connect bridge bbox1
List Docker networks
root@san-dong # docker network ls
NETWORK ID          NAME                DRIVER              SCOPE
37f00a3e739c        bridge              bridge              local
1cd7af35c54a        host                host                local
75c791849a76        none                null                local
Inspect a specific network: root@san-dong # docker network inspect 37f00a3e739c
Remove the network from the container: $ docker network disconnect mybr0 bbox1
Create an overlay network: $ docker network create
For internal use within a company, without a unified private registry, images are pulled from docker.io by default, and with network connectivity problems downloading them is quite painful; so, to use Docker comfortably and improve productivity, we need to deploy a local private registry.
There are generally two ways to deploy a registry: as a container (the registry image), or by installing a service (docker-distribution) and deploying it yourself. This post uses the service installation.
Architecture diagram:
Deployment environment:
Client 1:
Ubuntu 16.04
Docker version: 18.03.0-ce
hostname: san-dong
IP: 172.16.0.188
Required service: docker
Registry server (client 2):
CentOS 7.x x86_64
Docker version: 18.04.0-ce
hostname: registry
IP: 172.16.0.4
Required service: docker-distribution
nginx 1.12.2 (installed from EPEL, used as the reverse proxy)
Install the docker-distribution service
[root@registry ~]# yum install docker-distribution
[root@registry ~]# rpm -ql docker-distribution
Configuration file: /etc/docker-distribution/registry/config.yml
Default storage directory: /var/lib/registry
Configuration file:
[root@registry ~]# cat /etc/docker-distribution/registry/config.yml
version: 0.1
log:
  fields:
    service: registry
storage:
  cache:
    layerinfo: inmemory                 # layer info cached in memory
  filesystem:
    rootdirectory: /var/lib/registry    # storage location
http:                                   # HTTP protocol
  addr: :5000                           # listen on port 5000
Start the service: [root@registry ~]# systemctl start docker-distribution
At this point the local registry is configured.
Push an image from the client to the private registry:
# Images on the client (simulating a developer's workstation)
san@san-dong:~$ sudo docker images
REPOSITORY          TAG                 IMAGE ID            CREATED             SIZE
nginx               tomcat              e982d826d0f1        7 days ago          388MB
nginx               v1.0                ea7ac1a661bf        7 days ago          388MB
centos              v0.1.0              b30913017782        7 days ago          388MB
nginx               latest              b30913017782        7 days ago          388MB
busybox             v0.1.1              549a7aba89bd        7 days ago          1.15MB
busybox             v0.1.0              42b4837a2d1e        7 days ago          1.15MB
centos              latest              e934aafc2206        2 weeks ago         199MB
busybox             latest              8ac48589692a        2 weeks ago         1.15MB
1. Tag the image to be pushed with the registry address
san@san-dong:~$ sudo docker tag centos:v0.1.0 172.16.0.4:5000/centos:latest
san@san-dong:~$ sudo docker images
REPOSITORY               TAG                 IMAGE ID            CREATED             SIZE
nginx                    tomcat              e982d826d0f1        7 days ago          388MB
nginx                    v1.0                ea7ac1a661bf        7 days ago          388MB
172.16.0.4:5000/centos   latest              b30913017782        7 days ago          388MB
2. Push it to the registry
san@san-dong:~$ sudo docker push 172.16.0.4:5000/centos
The push refers to repository [172.16.0.4:5000/centos]
Get https://172.16.0.4:5000/v2/: http: server gave HTTP response to HTTPS client
The message above means HTTPS is required (it is enforced by default) while our registry speaks HTTP; so the client side of the client-to-registry connection must be changed from the default HTTPS to HTTP.
# Ubuntu 16.04 (the same applies to CentOS 7 with Docker 18.04.0-ce):
san@san-dong:~$ cat /etc/docker/deamon.json
{ "insecure-registries": [ "http://172.16.0.4:5000" ] }
Restart Docker:
san@san-dong:~$ systemctl restart docker
Note: the file name deamon.json here can actually be something else, but the content must be in JSON format.
If your Docker runs on CentOS 7 and the version is 18.03-ce or earlier, make the following change instead (nothing to be done about it, Docker updates too fast):
Edit /etc/sysconfig/docker
ADD_REGISTRY="--add-registry 172.16.0.4:5000"
INSECURE_REGISTRY="--insecure-registry 172.16.0.4:5000"
Restart Docker: systemctl restart docker
Push the image to the registry again
# A successful push (Ubuntu 16.04) looks like this:
san@san-dong:~$ sudo docker push 172.16.0.4:5000/centos
The push refers to repository [172.16.0.4:5000/centos]
60c2902e0aff: Pushed
214c17cfa38b: Pushed
43e653f84b79: Pushed
latest: digest: sha256:0e254dcca7f0ff6dfb0762e24215070b59ea78aca4d2dc9c9e25aff3cb8b64a8 size: 948
On the server the image now exists under /var/lib/registry
[root@registry centos]# pwd
/var/lib/registry/docker/registry/v2/repositories/centos
[root@registry centos]# ls
_layers _manifests _uploads
The problem we now face: anyone can access it. If it is only used inside the company, this is enough; across IDCs, or when security requirements are higher, put nginx in front as a reverse proxy and have it do the authentication.
nginx needs to be installed.
Install nginx
[root@registry ~]# yum install epel-release -y
[root@registry ~]# yum install nginx -y
[root@registry ~]# yum install httpd-tools -y   ### do not start nginx yet
Add an authentication user
[root@registry ~]# htpasswd -c -m /etc/nginx/.ngxpasswd san
Change the docker-distribution listen address to 127.0.0.1
[root@registry ~]# cat /etc/docker-distribution/registry/config.yml
....omitted (same as above)...
http:
  addr: 127.0.0.1:5000
Restart docker-distribution:
[root@registry ~]# systemctl restart docker-distribution
# Check:
[root@registry conf.d]# netstat -ntpul | grep registry
tcp        0      0 127.0.0.1:5000          0.0.0.0:*               LISTEN      2547/registry
nginx configuration:
[root@registry nginx]# egrep -v '(^#|^$)' nginx.conf
....omitted....
    client_max_body_size 0;    ## important
    server {
        listen       80 default_server;
        listen       [::]:80 default_server;
        server_name  _;
        root         /usr/share/nginx/html;
        # Load configuration files for the default server block.
        include /etc/nginx/default.d/*.conf;
        location / {
            proxy_pass http://localhost:5000;
            proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;
            proxy_redirect off;
            proxy_buffering off;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            auth_basic "Docker Registry Service";
            auth_basic_user_file "/etc/nginx/.ngxpasswd";
        }
        error_page 404 /404.html;
        location = /40x.html {
        }
        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
        }
    }
}
### Check the nginx configuration
# nginx -t
[root@registry ~]# systemctl restart nginx
[root@registry ~]# netstat -ntpul
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      2574/nginx: master
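The two things that make this setup hold are that the registry itself only listens on 127.0.0.1 (otherwise anyone can skip nginx and talk to :5000 directly) and that nginx answers /v2/ with 401 until credentials are supplied. The script below, added here and not part of the original post, checks both: the listener check parses netstat output offline (the samples are constructed), while the auth check is a live curl probe; the registry address and account are assumptions taken from the post's environment.

```sh
#!/bin/sh
# Offline check: read `netstat -ntpul` output on stdin and succeed only if every
# listening socket owned by the registry process is bound to 127.0.0.1.
registry_loopback_only() {
  awk '
    /LISTEN/ && /registry/ {
      split($4, addr, ":")              # local address column, e.g. 127.0.0.1:5000
      if (addr[1] != "127.0.0.1") bad++
      seen++
    }
    END { if (seen == 0 || bad > 0) exit 1; exit 0 }'
}

# Live check (needs the network): the proxied registry must answer 401 without
# credentials and 200 with them. Arguments: registry host:port, user, password.
registry_requires_auth() {
  reg=${1:-172.16.0.4:80}; user=$2; pass=$3
  anon=$(curl -s -o /dev/null -w '%{http_code}' "http://$reg/v2/")
  auth=$(curl -s -o /dev/null -w '%{http_code}' -u "$user:$pass" "http://$reg/v2/")
  [ "$anon" = "401" ] && [ "$auth" = "200" ]
}

# Constructed netstat samples: the hardened layout from the post, and a misconfigured one
# where config.yml still says `addr: :5000`.
HARDENED='tcp        0      0 127.0.0.1:5000          0.0.0.0:*               LISTEN      2547/registry
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      2574/nginx: master'
EXPOSED='tcp        0      0 0.0.0.0:5000            0.0.0.0:*               LISTEN      2547/registry
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      2574/nginx: master'

# On the registry host run: netstat -ntpul | registry_loopback_only
printf '%s\n' "$HARDENED" | registry_loopback_only && echo "registry bound to loopback only"
printf '%s\n' "$EXPOSED" | registry_loopback_only || echo "registry listens on all interfaces: nginx auth can be bypassed on :5000"
```

Basic auth through an insecure-registries entry still sends the password in cleartext on every request, so when the registry is reached across IDCs as described above, terminate TLS in the same nginx server block as well.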
Tag the image on the client and push it to the registry
Log in to the registry first
san@san-dong:~$ sudo docker login 172.16.0.4:80   # with the reverse proxy in place, do not write it as http://172.16.0.4:80
Username: san
Password:
Login Succeeded
After logging in, tag the image to be pushed:
root@san-dong:/etc/docker# docker images
REPOSITORY          TAG                 IMAGE ID            CREATED             SIZE
nginx               latest              b30913017782        7 days ago          388MB
busybox             v0.1.0              42b4837a2d1e        7 days ago          1.15MB
centos              latest              e934aafc2206        2 weeks ago         199MB
# Tag centos:
root@san-dong:/etc/docker# docker tag centos:latest 172.16.0.4:80/san/centos:latest
# Push to the local registry:
root@san-dong:/etc/docker# docker push 172.16.0.4:80/san/centos:latest
The push refers to repository [172.16.0.4:80/san/centos]
43e653f84b79: Mounted from san/nginx
latest: digest: sha256:191c883e479a7da2362b2d54c0840b2e8981e5ab62e11ab925abf8808d3d5d44 size: 529
The image can now be seen in the registry under /var/lib/registry/
Install Docker on the registry host and simulate a client pulling from the private registry
Installing Docker is not covered again here; see the previous post. The version is 18.04-ce (updates come too fast; in the previous post it was still 18.03-ce)
After installing, start the Docker service and change its configuration
Check the Docker version:
[root@registry ~]# docker --version
Docker version 18.04.0-ce, build 3d479c0
[root@registry ~]# systemctl restart docker
[root@registry ~]# cat /etc/docker/deamon.json
{ "insecure-registries": [ "http://172.16.0.4:80" ] }
Log in to the registry (it is actually local here; this only simulates the same logic)
[root@registry ~]# docker login 172.16.0.4:80
Username: san
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Are you sure you want to proceed? [y/N] y
Login Succeeded
Pull the image from the registry
[root@registry ~]# docker pull 172.16.0.4:80/centos
Using default tag: latest
latest: Pulling from centos
469cfcc7a4b3: Pull complete
9710c34f15fa: Pull complete
a53634549a5e: Pull complete
Digest: sha256:0e254dcca7f0ff6dfb0762e24215070b59ea78aca4d2dc9c9e25aff3cb8b64a8
Status: Downloaded newer image for 172.16.0.4:80/centos:latest
# List the images downloaded locally
[root@registry ~]# docker images
REPOSITORY             TAG                 IMAGE ID            CREATED             SIZE
172.16.0.4:80/centos   latest              b30913017782        7 days ago          388MB
registry               latest              d1fd7d86a825        3 months ago        33.3MB
Run the downloaded image
[root@registry ~]# docker run -d -it --name centos 172.16.0.4:80/centos
e11ecaf81abbbd698cdb3d58813ccaaec297c9fab490e9d0f63a7150054f2140
[root@registry ~]# docker ps
CONTAINER ID        IMAGE                  COMMAND             CREATED             STATUS              PORTS               NAMES
e11ecaf81abb        172.16.0.4:80/centos   "/bin/bash"         15 seconds ago      Up 13 seconds       80/tcp              centos
If the following message appears:
san@san-dong:~$ sudo docker push 172.16.0.4:80/san/busybox:latest
The push refers to repository [172.16.0.4:80/san/busybox]
0314be9edf00: Preparing
no basic auth credentials
it means you have not logged in (no authentication).
With multiple users, tag images with the same account you logged in with, and push with the matching user; to switch users, log out and log in again as the other user: san@san-dong:~$ docker login 172.16.0.4:80
Also: an internal company registry generally does not need authentication; alternatively, images can be kept centrally as tar files on an FTP server, downloaded when needed and imported with docker load.